Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Wed, 30 Aug 2017 10:06:47
Message-Id: 1504087593.30030103dd1826abf4c3dbb3f9c6ba981a93dbfa.mpagano@gentoo
1 commit: 30030103dd1826abf4c3dbb3f9c6ba981a93dbfa
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Aug 30 10:06:33 2017 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Aug 30 10:06:33 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=30030103
7
8 Linux patch 4.9.46
9
10 0000_README | 4 +
11 1045_linux-4.9.46.patch | 3114 +++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3118 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index e142b57..9af1e8a 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -223,6 +223,10 @@ Patch: 1044_linux-4.9.45.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.9.45
21
22 +Patch: 1045_linux-4.9.46.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.9.46
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1045_linux-4.9.46.patch b/1045_linux-4.9.46.patch
31 new file mode 100644
32 index 0000000..72e724f
33 --- /dev/null
34 +++ b/1045_linux-4.9.46.patch
35 @@ -0,0 +1,3114 @@
36 +diff --git a/Makefile b/Makefile
37 +index ccd6d91f616e..846ef1b57a02 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 9
43 +-SUBLEVEL = 45
44 ++SUBLEVEL = 46
45 + EXTRAVERSION =
46 + NAME = Roaring Lionus
47 +
48 +diff --git a/arch/arc/include/asm/cache.h b/arch/arc/include/asm/cache.h
49 +index b3410ff6a62d..4fd6272e6c01 100644
50 +--- a/arch/arc/include/asm/cache.h
51 ++++ b/arch/arc/include/asm/cache.h
52 +@@ -89,7 +89,9 @@ extern unsigned long perip_base, perip_end;
53 + #define ARC_REG_SLC_FLUSH 0x904
54 + #define ARC_REG_SLC_INVALIDATE 0x905
55 + #define ARC_REG_SLC_RGN_START 0x914
56 ++#define ARC_REG_SLC_RGN_START1 0x915
57 + #define ARC_REG_SLC_RGN_END 0x916
58 ++#define ARC_REG_SLC_RGN_END1 0x917
59 +
60 + /* Bit val in SLC_CONTROL */
61 + #define SLC_CTRL_IM 0x040
62 +diff --git a/arch/arc/mm/cache.c b/arch/arc/mm/cache.c
63 +index 8147583c4434..bbdfeb31dee6 100644
64 +--- a/arch/arc/mm/cache.c
65 ++++ b/arch/arc/mm/cache.c
66 +@@ -562,6 +562,7 @@ noinline void slc_op(phys_addr_t paddr, unsigned long sz, const int op)
67 + static DEFINE_SPINLOCK(lock);
68 + unsigned long flags;
69 + unsigned int ctrl;
70 ++ phys_addr_t end;
71 +
72 + spin_lock_irqsave(&lock, flags);
73 +
74 +@@ -591,8 +592,16 @@ noinline void slc_op(phys_addr_t paddr, unsigned long sz, const int op)
75 + * END needs to be setup before START (latter triggers the operation)
76 + * END can't be same as START, so add (l2_line_sz - 1) to sz
77 + */
78 +- write_aux_reg(ARC_REG_SLC_RGN_END, (paddr + sz + l2_line_sz - 1));
79 +- write_aux_reg(ARC_REG_SLC_RGN_START, paddr);
80 ++ end = paddr + sz + l2_line_sz - 1;
81 ++ if (is_pae40_enabled())
82 ++ write_aux_reg(ARC_REG_SLC_RGN_END1, upper_32_bits(end));
83 ++
84 ++ write_aux_reg(ARC_REG_SLC_RGN_END, lower_32_bits(end));
85 ++
86 ++ if (is_pae40_enabled())
87 ++ write_aux_reg(ARC_REG_SLC_RGN_START1, upper_32_bits(paddr));
88 ++
89 ++ write_aux_reg(ARC_REG_SLC_RGN_START, lower_32_bits(paddr));
90 +
91 + while (read_aux_reg(ARC_REG_SLC_CTRL) & SLC_CTRL_BUSY);
92 +
93 +diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h
94 +index 0012f0353fd6..fe208b70b8b1 100644
95 +--- a/arch/powerpc/include/asm/mmu_context.h
96 ++++ b/arch/powerpc/include/asm/mmu_context.h
97 +@@ -75,9 +75,27 @@ static inline void switch_mm_irqs_off(struct mm_struct *prev,
98 + struct task_struct *tsk)
99 + {
100 + /* Mark this context has been used on the new CPU */
101 +- if (!cpumask_test_cpu(smp_processor_id(), mm_cpumask(next)))
102 ++ if (!cpumask_test_cpu(smp_processor_id(), mm_cpumask(next))) {
103 + cpumask_set_cpu(smp_processor_id(), mm_cpumask(next));
104 +
105 ++ /*
106 ++ * This full barrier orders the store to the cpumask above vs
107 ++ * a subsequent operation which allows this CPU to begin loading
108 ++ * translations for next.
109 ++ *
110 ++ * When using the radix MMU that operation is the load of the
111 ++ * MMU context id, which is then moved to SPRN_PID.
112 ++ *
113 ++ * For the hash MMU it is either the first load from slb_cache
114 ++ * in switch_slb(), and/or the store of paca->mm_ctx_id in
115 ++ * copy_mm_to_paca().
116 ++ *
117 ++ * On the read side the barrier is in pte_xchg(), which orders
118 ++ * the store to the PTE vs the load of mm_cpumask.
119 ++ */
120 ++ smp_mb();
121 ++ }
122 ++
123 + /* 32-bit keeps track of the current PGDIR in the thread struct */
124 + #ifdef CONFIG_PPC32
125 + tsk->thread.pgdir = next->pgd;
126 +diff --git a/arch/powerpc/include/asm/pgtable-be-types.h b/arch/powerpc/include/asm/pgtable-be-types.h
127 +index 49c0a5a80efa..68e087e807f8 100644
128 +--- a/arch/powerpc/include/asm/pgtable-be-types.h
129 ++++ b/arch/powerpc/include/asm/pgtable-be-types.h
130 +@@ -87,6 +87,7 @@ static inline bool pte_xchg(pte_t *ptep, pte_t old, pte_t new)
131 + unsigned long *p = (unsigned long *)ptep;
132 + __be64 prev;
133 +
134 ++ /* See comment in switch_mm_irqs_off() */
135 + prev = (__force __be64)__cmpxchg_u64(p, (__force unsigned long)pte_raw(old),
136 + (__force unsigned long)pte_raw(new));
137 +
138 +diff --git a/arch/powerpc/include/asm/pgtable-types.h b/arch/powerpc/include/asm/pgtable-types.h
139 +index e7f4f3e0fcde..41e9d0a6cbeb 100644
140 +--- a/arch/powerpc/include/asm/pgtable-types.h
141 ++++ b/arch/powerpc/include/asm/pgtable-types.h
142 +@@ -62,6 +62,7 @@ static inline bool pte_xchg(pte_t *ptep, pte_t old, pte_t new)
143 + {
144 + unsigned long *p = (unsigned long *)ptep;
145 +
146 ++ /* See comment in switch_mm_irqs_off() */
147 + return pte_val(old) == __cmpxchg_u64(p, pte_val(old), pte_val(new));
148 + }
149 + #endif
150 +diff --git a/arch/s390/kvm/sthyi.c b/arch/s390/kvm/sthyi.c
151 +index 05c98bb853cf..2f04ad1ea01c 100644
152 +--- a/arch/s390/kvm/sthyi.c
153 ++++ b/arch/s390/kvm/sthyi.c
154 +@@ -394,7 +394,7 @@ static int sthyi(u64 vaddr)
155 + "srl %[cc],28\n"
156 + : [cc] "=d" (cc)
157 + : [code] "d" (code), [addr] "a" (addr)
158 +- : "memory", "cc");
159 ++ : "3", "memory", "cc");
160 + return cc;
161 + }
162 +
163 +@@ -422,7 +422,7 @@ int handle_sthyi(struct kvm_vcpu *vcpu)
164 + VCPU_EVENT(vcpu, 3, "STHYI: fc: %llu addr: 0x%016llx", code, addr);
165 + trace_kvm_s390_handle_sthyi(vcpu, code, addr);
166 +
167 +- if (reg1 == reg2 || reg1 & 1 || reg2 & 1 || addr & ~PAGE_MASK)
168 ++ if (reg1 == reg2 || reg1 & 1 || reg2 & 1)
169 + return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
170 +
171 + if (code & 0xffff) {
172 +@@ -430,6 +430,9 @@ int handle_sthyi(struct kvm_vcpu *vcpu)
173 + goto out;
174 + }
175 +
176 ++ if (addr & ~PAGE_MASK)
177 ++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
178 ++
179 + /*
180 + * If the page has not yet been faulted in, we want to do that
181 + * now and not after all the expensive calculations.
182 +diff --git a/arch/sparc/kernel/pci_sun4v.c b/arch/sparc/kernel/pci_sun4v.c
183 +index 06981cc716b6..d04111a5c615 100644
184 +--- a/arch/sparc/kernel/pci_sun4v.c
185 ++++ b/arch/sparc/kernel/pci_sun4v.c
186 +@@ -1240,8 +1240,6 @@ static int pci_sun4v_probe(struct platform_device *op)
187 + * ATU group, but ATU hcalls won't be available.
188 + */
189 + hv_atu = false;
190 +- pr_err(PFX "Could not register hvapi ATU err=%d\n",
191 +- err);
192 + } else {
193 + pr_info(PFX "Registered hvapi ATU major[%lu] minor[%lu]\n",
194 + vatu_major, vatu_minor);
195 +diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c
196 +index 970c1de3b86e..4c1b7ea18541 100644
197 +--- a/arch/x86/events/intel/rapl.c
198 ++++ b/arch/x86/events/intel/rapl.c
199 +@@ -161,7 +161,13 @@ static u64 rapl_timer_ms;
200 +
201 + static inline struct rapl_pmu *cpu_to_rapl_pmu(unsigned int cpu)
202 + {
203 +- return rapl_pmus->pmus[topology_logical_package_id(cpu)];
204 ++ unsigned int pkgid = topology_logical_package_id(cpu);
205 ++
206 ++ /*
207 ++ * The unsigned check also catches the '-1' return value for non
208 ++ * existent mappings in the topology map.
209 ++ */
210 ++ return pkgid < rapl_pmus->maxpkg ? rapl_pmus->pmus[pkgid] : NULL;
211 + }
212 +
213 + static inline u64 rapl_read_counter(struct perf_event *event)
214 +@@ -402,6 +408,8 @@ static int rapl_pmu_event_init(struct perf_event *event)
215 +
216 + /* must be done before validate_group */
217 + pmu = cpu_to_rapl_pmu(event->cpu);
218 ++ if (!pmu)
219 ++ return -EINVAL;
220 + event->cpu = pmu->cpu;
221 + event->pmu_private = pmu;
222 + event->hw.event_base = msr;
223 +@@ -585,6 +593,19 @@ static int rapl_cpu_online(unsigned int cpu)
224 + struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu);
225 + int target;
226 +
227 ++ if (!pmu) {
228 ++ pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu));
229 ++ if (!pmu)
230 ++ return -ENOMEM;
231 ++
232 ++ raw_spin_lock_init(&pmu->lock);
233 ++ INIT_LIST_HEAD(&pmu->active_list);
234 ++ pmu->pmu = &rapl_pmus->pmu;
235 ++ pmu->timer_interval = ms_to_ktime(rapl_timer_ms);
236 ++ rapl_hrtimer_init(pmu);
237 ++
238 ++ rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu;
239 ++ }
240 + /*
241 + * Check if there is an online cpu in the package which collects rapl
242 + * events already.
243 +@@ -598,27 +619,6 @@ static int rapl_cpu_online(unsigned int cpu)
244 + return 0;
245 + }
246 +
247 +-static int rapl_cpu_prepare(unsigned int cpu)
248 +-{
249 +- struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu);
250 +-
251 +- if (pmu)
252 +- return 0;
253 +-
254 +- pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu));
255 +- if (!pmu)
256 +- return -ENOMEM;
257 +-
258 +- raw_spin_lock_init(&pmu->lock);
259 +- INIT_LIST_HEAD(&pmu->active_list);
260 +- pmu->pmu = &rapl_pmus->pmu;
261 +- pmu->timer_interval = ms_to_ktime(rapl_timer_ms);
262 +- pmu->cpu = -1;
263 +- rapl_hrtimer_init(pmu);
264 +- rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu;
265 +- return 0;
266 +-}
267 +-
268 + static int rapl_check_hw_unit(bool apply_quirk)
269 + {
270 + u64 msr_rapl_power_unit_bits;
271 +@@ -804,28 +804,21 @@ static int __init rapl_pmu_init(void)
272 + * Install callbacks. Core will call them for each online cpu.
273 + */
274 +
275 +- ret = cpuhp_setup_state(CPUHP_PERF_X86_RAPL_PREP, "PERF_X86_RAPL_PREP",
276 +- rapl_cpu_prepare, NULL);
277 +- if (ret)
278 +- goto out;
279 +-
280 + ret = cpuhp_setup_state(CPUHP_AP_PERF_X86_RAPL_ONLINE,
281 + "AP_PERF_X86_RAPL_ONLINE",
282 + rapl_cpu_online, rapl_cpu_offline);
283 + if (ret)
284 +- goto out1;
285 ++ goto out;
286 +
287 + ret = perf_pmu_register(&rapl_pmus->pmu, "power", -1);
288 + if (ret)
289 +- goto out2;
290 ++ goto out1;
291 +
292 + rapl_advertise();
293 + return 0;
294 +
295 +-out2:
296 +- cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE);
297 + out1:
298 +- cpuhp_remove_state(CPUHP_PERF_X86_RAPL_PREP);
299 ++ cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE);
300 + out:
301 + pr_warn("Initialization failed (%d), disabled\n", ret);
302 + cleanup_rapl_pmus();
303 +@@ -836,7 +829,6 @@ module_init(rapl_pmu_init);
304 + static void __exit intel_rapl_exit(void)
305 + {
306 + cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_RAPL_ONLINE);
307 +- cpuhp_remove_state_nocalls(CPUHP_PERF_X86_RAPL_PREP);
308 + perf_pmu_unregister(&rapl_pmus->pmu);
309 + cleanup_rapl_pmus();
310 + }
311 +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
312 +index 8e0a9fe86de4..f9dd22469388 100644
313 +--- a/arch/x86/include/asm/mmu_context.h
314 ++++ b/arch/x86/include/asm/mmu_context.h
315 +@@ -116,9 +116,7 @@ static inline int init_new_context(struct task_struct *tsk,
316 + mm->context.execute_only_pkey = -1;
317 + }
318 + #endif
319 +- init_new_context_ldt(tsk, mm);
320 +-
321 +- return 0;
322 ++ return init_new_context_ldt(tsk, mm);
323 + }
324 + static inline void destroy_context(struct mm_struct *mm)
325 + {
326 +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
327 +index 649d8f2c1e40..91af75e37306 100644
328 +--- a/arch/x86/kvm/cpuid.c
329 ++++ b/arch/x86/kvm/cpuid.c
330 +@@ -456,7 +456,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
331 + entry->ecx &= kvm_cpuid_7_0_ecx_x86_features;
332 + cpuid_mask(&entry->ecx, CPUID_7_ECX);
333 + /* PKU is not yet implemented for shadow paging. */
334 +- if (!tdp_enabled)
335 ++ if (!tdp_enabled || !boot_cpu_has(X86_FEATURE_OSPKE))
336 + entry->ecx &= ~F(PKU);
337 + } else {
338 + entry->ebx = 0;
339 +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
340 +index e53bef6cf53c..0375c6024062 100644
341 +--- a/drivers/acpi/apei/ghes.c
342 ++++ b/drivers/acpi/apei/ghes.c
343 +@@ -1072,6 +1072,7 @@ static int ghes_remove(struct platform_device *ghes_dev)
344 + if (list_empty(&ghes_sci))
345 + unregister_acpi_hed_notifier(&ghes_notifier_sci);
346 + mutex_unlock(&ghes_list_mutex);
347 ++ synchronize_rcu();
348 + break;
349 + case ACPI_HEST_NOTIFY_NMI:
350 + ghes_nmi_remove(ghes);
351 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
352 +index 79152dbc5528..51874695a730 100644
353 +--- a/drivers/acpi/ec.c
354 ++++ b/drivers/acpi/ec.c
355 +@@ -1728,7 +1728,7 @@ int __init acpi_ec_dsdt_probe(void)
356 + * functioning ECDT EC first in order to handle the events.
357 + * https://bugzilla.kernel.org/show_bug.cgi?id=115021
358 + */
359 +-int __init acpi_ec_ecdt_start(void)
360 ++static int __init acpi_ec_ecdt_start(void)
361 + {
362 + acpi_handle handle;
363 +
364 +@@ -1959,20 +1959,17 @@ static inline void acpi_ec_query_exit(void)
365 + int __init acpi_ec_init(void)
366 + {
367 + int result;
368 ++ int ecdt_fail, dsdt_fail;
369 +
370 + /* register workqueue for _Qxx evaluations */
371 + result = acpi_ec_query_init();
372 + if (result)
373 +- goto err_exit;
374 +- /* Now register the driver for the EC */
375 +- result = acpi_bus_register_driver(&acpi_ec_driver);
376 +- if (result)
377 +- goto err_exit;
378 ++ return result;
379 +
380 +-err_exit:
381 +- if (result)
382 +- acpi_ec_query_exit();
383 +- return result;
384 ++ /* Drivers must be started after acpi_ec_query_init() */
385 ++ ecdt_fail = acpi_ec_ecdt_start();
386 ++ dsdt_fail = acpi_bus_register_driver(&acpi_ec_driver);
387 ++ return ecdt_fail && dsdt_fail ? -ENODEV : 0;
388 + }
389 +
390 + /* EC driver currently not unloadable */
391 +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h
392 +index 219b90bc0922..08b3ca0ead69 100644
393 +--- a/drivers/acpi/internal.h
394 ++++ b/drivers/acpi/internal.h
395 +@@ -185,7 +185,6 @@ typedef int (*acpi_ec_query_func) (void *data);
396 + int acpi_ec_init(void);
397 + int acpi_ec_ecdt_probe(void);
398 + int acpi_ec_dsdt_probe(void);
399 +-int acpi_ec_ecdt_start(void);
400 + void acpi_ec_block_transactions(void);
401 + void acpi_ec_unblock_transactions(void);
402 + int acpi_ec_add_query_handler(struct acpi_ec *ec, u8 query_bit,
403 +diff --git a/drivers/acpi/ioapic.c b/drivers/acpi/ioapic.c
404 +index 6d7ce6e12aaa..5e18ccf5ab57 100644
405 +--- a/drivers/acpi/ioapic.c
406 ++++ b/drivers/acpi/ioapic.c
407 +@@ -45,6 +45,12 @@ static acpi_status setup_res(struct acpi_resource *acpi_res, void *data)
408 + struct resource *res = data;
409 + struct resource_win win;
410 +
411 ++ /*
412 ++ * We might assign this to 'res' later, make sure all pointers are
413 ++ * cleared before the resource is added to the global list
414 ++ */
415 ++ memset(&win, 0, sizeof(win));
416 ++
417 + res->flags = 0;
418 + if (acpi_dev_filter_resource_type(acpi_res, IORESOURCE_MEM))
419 + return AE_OK;
420 +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
421 +index dd3786acba89..cf725d581cae 100644
422 +--- a/drivers/acpi/scan.c
423 ++++ b/drivers/acpi/scan.c
424 +@@ -2051,7 +2051,6 @@ int __init acpi_scan_init(void)
425 +
426 + acpi_gpe_apply_masked_gpes();
427 + acpi_update_all_gpes();
428 +- acpi_ec_ecdt_start();
429 +
430 + acpi_scan_initialized = true;
431 +
432 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
433 +index 3c71b982bf2a..15009b2b33c7 100644
434 +--- a/drivers/android/binder.c
435 ++++ b/drivers/android/binder.c
436 +@@ -1724,8 +1724,12 @@ static void binder_transaction(struct binder_proc *proc,
437 + list_add_tail(&t->work.entry, target_list);
438 + tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
439 + list_add_tail(&tcomplete->entry, &thread->todo);
440 +- if (target_wait)
441 +- wake_up_interruptible(target_wait);
442 ++ if (target_wait) {
443 ++ if (reply || !(t->flags & TF_ONE_WAY))
444 ++ wake_up_interruptible_sync(target_wait);
445 ++ else
446 ++ wake_up_interruptible(target_wait);
447 ++ }
448 + return;
449 +
450 + err_get_unused_fd_failed:
451 +@@ -2760,10 +2764,6 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
452 + /*pr_info("binder_ioctl: %d:%d %x %lx\n",
453 + proc->pid, current->pid, cmd, arg);*/
454 +
455 +- if (unlikely(current->mm != proc->vma_vm_mm)) {
456 +- pr_err("current mm mismatch proc mm\n");
457 +- return -EINVAL;
458 +- }
459 + trace_binder_ioctl(cmd, arg);
460 +
461 + ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
462 +@@ -2875,7 +2875,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
463 + const char *failure_string;
464 + struct binder_buffer *buffer;
465 +
466 +- if (proc->tsk != current)
467 ++ if (proc->tsk != current->group_leader)
468 + return -EINVAL;
469 +
470 + if ((vma->vm_end - vma->vm_start) > SZ_4M)
471 +@@ -2976,9 +2976,8 @@ static int binder_open(struct inode *nodp, struct file *filp)
472 + proc = kzalloc(sizeof(*proc), GFP_KERNEL);
473 + if (proc == NULL)
474 + return -ENOMEM;
475 +- get_task_struct(current);
476 +- proc->tsk = current;
477 +- proc->vma_vm_mm = current->mm;
478 ++ get_task_struct(current->group_leader);
479 ++ proc->tsk = current->group_leader;
480 + INIT_LIST_HEAD(&proc->todo);
481 + init_waitqueue_head(&proc->wait);
482 + proc->default_priority = task_nice(current);
483 +diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
484 +index 4e19bde4bbff..34adde169a78 100644
485 +--- a/drivers/gpu/drm/drm_atomic.c
486 ++++ b/drivers/gpu/drm/drm_atomic.c
487 +@@ -1386,6 +1386,9 @@ int drm_atomic_check_only(struct drm_atomic_state *state)
488 + if (config->funcs->atomic_check)
489 + ret = config->funcs->atomic_check(state->dev, state);
490 +
491 ++ if (ret)
492 ++ return ret;
493 ++
494 + if (!state->allow_modeset) {
495 + for_each_crtc_in_state(state, crtc, crtc_state, i) {
496 + if (drm_atomic_crtc_needs_modeset(crtc_state)) {
497 +@@ -1396,7 +1399,7 @@ int drm_atomic_check_only(struct drm_atomic_state *state)
498 + }
499 + }
500 +
501 +- return ret;
502 ++ return 0;
503 + }
504 + EXPORT_SYMBOL(drm_atomic_check_only);
505 +
506 +diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
507 +index 465bacd0a630..48e99ab525c3 100644
508 +--- a/drivers/gpu/drm/drm_gem.c
509 ++++ b/drivers/gpu/drm/drm_gem.c
510 +@@ -255,13 +255,13 @@ drm_gem_object_release_handle(int id, void *ptr, void *data)
511 + struct drm_gem_object *obj = ptr;
512 + struct drm_device *dev = obj->dev;
513 +
514 ++ if (dev->driver->gem_close_object)
515 ++ dev->driver->gem_close_object(obj, file_priv);
516 ++
517 + if (drm_core_check_feature(dev, DRIVER_PRIME))
518 + drm_gem_remove_prime_handles(obj, file_priv);
519 + drm_vma_node_revoke(&obj->vma_node, file_priv);
520 +
521 +- if (dev->driver->gem_close_object)
522 +- dev->driver->gem_close_object(obj, file_priv);
523 +-
524 + drm_gem_object_handle_unreference_unlocked(obj);
525 +
526 + return 0;
527 +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
528 +index 7316fc7fa0bd..a2ec6d8796a0 100644
529 +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
530 ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
531 +@@ -149,8 +149,8 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc)
532 + rcar_du_group_write(rcrtc->group, rcrtc->index % 2 ? OTAR2 : OTAR, 0);
533 +
534 + /* Signal polarities */
535 +- value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? 0 : DSMR_VSL)
536 +- | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? 0 : DSMR_HSL)
537 ++ value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? DSMR_VSL : 0)
538 ++ | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? DSMR_HSL : 0)
539 + | DSMR_DIPM_DISP | DSMR_CSPM;
540 + rcar_du_crtc_write(rcrtc, DSMR, value);
541 +
542 +@@ -172,7 +172,7 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc)
543 + mode->crtc_vsync_start - 1);
544 + rcar_du_crtc_write(rcrtc, VCR, mode->crtc_vtotal - 1);
545 +
546 +- rcar_du_crtc_write(rcrtc, DESR, mode->htotal - mode->hsync_start);
547 ++ rcar_du_crtc_write(rcrtc, DESR, mode->htotal - mode->hsync_start - 1);
548 + rcar_du_crtc_write(rcrtc, DEWR, mode->hdisplay);
549 + }
550 +
551 +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
552 +index cfc302c65b0b..c58602b638e4 100644
553 +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c
554 ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
555 +@@ -453,13 +453,13 @@ static int rcar_du_encoders_init_one(struct rcar_du_device *rcdu,
556 + }
557 +
558 + ret = rcar_du_encoder_init(rcdu, enc_type, output, encoder, connector);
559 +- of_node_put(encoder);
560 +- of_node_put(connector);
561 +-
562 + if (ret && ret != -EPROBE_DEFER)
563 + dev_warn(rcdu->dev,
564 +- "failed to initialize encoder %s (%d), skipping\n",
565 +- encoder->full_name, ret);
566 ++ "failed to initialize encoder %s on output %u (%d), skipping\n",
567 ++ of_node_full_name(encoder), output, ret);
568 ++
569 ++ of_node_put(encoder);
570 ++ of_node_put(connector);
571 +
572 + return ret;
573 + }
574 +diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c
575 +index 0b42a12171f3..b42d95f09c68 100644
576 +--- a/drivers/i2c/busses/i2c-designware-platdrv.c
577 ++++ b/drivers/i2c/busses/i2c-designware-platdrv.c
578 +@@ -319,7 +319,7 @@ static void dw_i2c_plat_complete(struct device *dev)
579 + #endif
580 +
581 + #ifdef CONFIG_PM
582 +-static int dw_i2c_plat_suspend(struct device *dev)
583 ++static int dw_i2c_plat_runtime_suspend(struct device *dev)
584 + {
585 + struct platform_device *pdev = to_platform_device(dev);
586 + struct dw_i2c_dev *i_dev = platform_get_drvdata(pdev);
587 +@@ -343,11 +343,21 @@ static int dw_i2c_plat_resume(struct device *dev)
588 + return 0;
589 + }
590 +
591 ++#ifdef CONFIG_PM_SLEEP
592 ++static int dw_i2c_plat_suspend(struct device *dev)
593 ++{
594 ++ pm_runtime_resume(dev);
595 ++ return dw_i2c_plat_runtime_suspend(dev);
596 ++}
597 ++#endif
598 ++
599 + static const struct dev_pm_ops dw_i2c_dev_pm_ops = {
600 + .prepare = dw_i2c_plat_prepare,
601 + .complete = dw_i2c_plat_complete,
602 + SET_SYSTEM_SLEEP_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume)
603 +- SET_RUNTIME_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume, NULL)
604 ++ SET_RUNTIME_PM_OPS(dw_i2c_plat_runtime_suspend,
605 ++ dw_i2c_plat_resume,
606 ++ NULL)
607 + };
608 +
609 + #define DW_I2C_DEV_PMOPS (&dw_i2c_dev_pm_ops)
610 +diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
611 +index 60829340a82e..b60e5d87c257 100644
612 +--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
613 ++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
614 +@@ -36,8 +36,6 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
615 + s32 poll_value = 0;
616 +
617 + if (state) {
618 +- if (!atomic_read(&st->user_requested_state))
619 +- return 0;
620 + if (sensor_hub_device_open(st->hsdev))
621 + return -EIO;
622 +
623 +@@ -86,6 +84,9 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
624 + &report_val);
625 + }
626 +
627 ++ pr_debug("HID_SENSOR %s set power_state %d report_state %d\n",
628 ++ st->pdev->name, state_val, report_val);
629 ++
630 + sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
631 + st->power_state.index,
632 + sizeof(state_val), &state_val);
633 +@@ -107,6 +108,7 @@ int hid_sensor_power_state(struct hid_sensor_common *st, bool state)
634 + ret = pm_runtime_get_sync(&st->pdev->dev);
635 + else {
636 + pm_runtime_mark_last_busy(&st->pdev->dev);
637 ++ pm_runtime_use_autosuspend(&st->pdev->dev);
638 + ret = pm_runtime_put_autosuspend(&st->pdev->dev);
639 + }
640 + if (ret < 0) {
641 +@@ -201,8 +203,6 @@ int hid_sensor_setup_trigger(struct iio_dev *indio_dev, const char *name,
642 + /* Default to 3 seconds, but can be changed from sysfs */
643 + pm_runtime_set_autosuspend_delay(&attrb->pdev->dev,
644 + 3000);
645 +- pm_runtime_use_autosuspend(&attrb->pdev->dev);
646 +-
647 + return ret;
648 + error_unreg_trigger:
649 + iio_trigger_unregister(trig);
650 +diff --git a/drivers/iio/imu/adis16480.c b/drivers/iio/imu/adis16480.c
651 +index 8cf84d3488b2..12898424d838 100644
652 +--- a/drivers/iio/imu/adis16480.c
653 ++++ b/drivers/iio/imu/adis16480.c
654 +@@ -696,7 +696,7 @@ static const struct adis16480_chip_info adis16480_chip_info[] = {
655 + .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
656 + .gyro_max_scale = 450,
657 + .accel_max_val = IIO_M_S_2_TO_G(12500),
658 +- .accel_max_scale = 5,
659 ++ .accel_max_scale = 10,
660 + },
661 + [ADIS16485] = {
662 + .channels = adis16485_channels,
663 +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
664 +index 518e8a7bd5f9..f26807c75be4 100644
665 +--- a/drivers/input/mouse/alps.c
666 ++++ b/drivers/input/mouse/alps.c
667 +@@ -1212,14 +1212,24 @@ static int alps_decode_ss4_v2(struct alps_fields *f,
668 +
669 + case SS4_PACKET_ID_TWO:
670 + if (priv->flags & ALPS_BUTTONPAD) {
671 +- f->mt[0].x = SS4_BTL_MF_X_V2(p, 0);
672 ++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
673 ++ f->mt[0].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
674 ++ f->mt[1].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
675 ++ } else {
676 ++ f->mt[0].x = SS4_BTL_MF_X_V2(p, 0);
677 ++ f->mt[1].x = SS4_BTL_MF_X_V2(p, 1);
678 ++ }
679 + f->mt[0].y = SS4_BTL_MF_Y_V2(p, 0);
680 +- f->mt[1].x = SS4_BTL_MF_X_V2(p, 1);
681 + f->mt[1].y = SS4_BTL_MF_Y_V2(p, 1);
682 + } else {
683 +- f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
684 ++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
685 ++ f->mt[0].x = SS4_PLUS_STD_MF_X_V2(p, 0);
686 ++ f->mt[1].x = SS4_PLUS_STD_MF_X_V2(p, 1);
687 ++ } else {
688 ++ f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
689 ++ f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
690 ++ }
691 + f->mt[0].y = SS4_STD_MF_Y_V2(p, 0);
692 +- f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
693 + f->mt[1].y = SS4_STD_MF_Y_V2(p, 1);
694 + }
695 + f->pressure = SS4_MF_Z_V2(p, 0) ? 0x30 : 0;
696 +@@ -1236,16 +1246,27 @@ static int alps_decode_ss4_v2(struct alps_fields *f,
697 +
698 + case SS4_PACKET_ID_MULTI:
699 + if (priv->flags & ALPS_BUTTONPAD) {
700 +- f->mt[2].x = SS4_BTL_MF_X_V2(p, 0);
701 ++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
702 ++ f->mt[0].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
703 ++ f->mt[1].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
704 ++ } else {
705 ++ f->mt[2].x = SS4_BTL_MF_X_V2(p, 0);
706 ++ f->mt[3].x = SS4_BTL_MF_X_V2(p, 1);
707 ++ }
708 ++
709 + f->mt[2].y = SS4_BTL_MF_Y_V2(p, 0);
710 +- f->mt[3].x = SS4_BTL_MF_X_V2(p, 1);
711 + f->mt[3].y = SS4_BTL_MF_Y_V2(p, 1);
712 + no_data_x = SS4_MFPACKET_NO_AX_BL;
713 + no_data_y = SS4_MFPACKET_NO_AY_BL;
714 + } else {
715 +- f->mt[2].x = SS4_STD_MF_X_V2(p, 0);
716 ++ if (IS_SS4PLUS_DEV(priv->dev_id)) {
717 ++ f->mt[0].x = SS4_PLUS_STD_MF_X_V2(p, 0);
718 ++ f->mt[1].x = SS4_PLUS_STD_MF_X_V2(p, 1);
719 ++ } else {
720 ++ f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
721 ++ f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
722 ++ }
723 + f->mt[2].y = SS4_STD_MF_Y_V2(p, 0);
724 +- f->mt[3].x = SS4_STD_MF_X_V2(p, 1);
725 + f->mt[3].y = SS4_STD_MF_Y_V2(p, 1);
726 + no_data_x = SS4_MFPACKET_NO_AX;
727 + no_data_y = SS4_MFPACKET_NO_AY;
728 +@@ -2535,8 +2556,8 @@ static int alps_set_defaults_ss4_v2(struct psmouse *psmouse,
729 +
730 + memset(otp, 0, sizeof(otp));
731 +
732 +- if (alps_get_otp_values_ss4_v2(psmouse, 0, &otp[0][0]) ||
733 +- alps_get_otp_values_ss4_v2(psmouse, 1, &otp[1][0]))
734 ++ if (alps_get_otp_values_ss4_v2(psmouse, 1, &otp[1][0]) ||
735 ++ alps_get_otp_values_ss4_v2(psmouse, 0, &otp[0][0]))
736 + return -1;
737 +
738 + alps_update_device_area_ss4_v2(otp, priv);
739 +diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
740 +index dbfd26073e1a..793123717145 100644
741 +--- a/drivers/input/mouse/alps.h
742 ++++ b/drivers/input/mouse/alps.h
743 +@@ -91,6 +91,10 @@ enum SS4_PACKET_ID {
744 + ((_b[1 + _i * 3] << 5) & 0x1F00) \
745 + )
746 +
747 ++#define SS4_PLUS_STD_MF_X_V2(_b, _i) (((_b[0 + (_i) * 3] << 4) & 0x0070) | \
748 ++ ((_b[1 + (_i) * 3] << 4) & 0x0F80) \
749 ++ )
750 ++
751 + #define SS4_STD_MF_Y_V2(_b, _i) (((_b[1 + (_i) * 3] << 3) & 0x0010) | \
752 + ((_b[2 + (_i) * 3] << 5) & 0x01E0) | \
753 + ((_b[2 + (_i) * 3] << 4) & 0x0E00) \
754 +@@ -100,6 +104,10 @@ enum SS4_PACKET_ID {
755 + ((_b[0 + (_i) * 3] >> 3) & 0x0010) \
756 + )
757 +
758 ++#define SS4_PLUS_BTL_MF_X_V2(_b, _i) (SS4_PLUS_STD_MF_X_V2(_b, _i) | \
759 ++ ((_b[0 + (_i) * 3] >> 4) & 0x0008) \
760 ++ )
761 ++
762 + #define SS4_BTL_MF_Y_V2(_b, _i) (SS4_STD_MF_Y_V2(_b, _i) | \
763 + ((_b[0 + (_i) * 3] >> 3) & 0x0008) \
764 + )
765 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
766 +index 98d4e515587a..681dce15fbc8 100644
767 +--- a/drivers/input/mouse/elan_i2c_core.c
768 ++++ b/drivers/input/mouse/elan_i2c_core.c
769 +@@ -1234,6 +1234,7 @@ static const struct acpi_device_id elan_acpi_id[] = {
770 + { "ELAN0000", 0 },
771 + { "ELAN0100", 0 },
772 + { "ELAN0600", 0 },
773 ++ { "ELAN0602", 0 },
774 + { "ELAN0605", 0 },
775 + { "ELAN0608", 0 },
776 + { "ELAN0605", 0 },
777 +diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c
778 +index 354d47ecd66a..ce6ff9b301bb 100644
779 +--- a/drivers/input/mouse/trackpoint.c
780 ++++ b/drivers/input/mouse/trackpoint.c
781 +@@ -265,7 +265,8 @@ static int trackpoint_start_protocol(struct psmouse *psmouse, unsigned char *fir
782 + if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
783 + return -1;
784 +
785 +- if (param[0] != TP_MAGIC_IDENT)
786 ++ /* add new TP ID. */
787 ++ if (!(param[0] & TP_MAGIC_IDENT))
788 + return -1;
789 +
790 + if (firmware_id)
791 +diff --git a/drivers/input/mouse/trackpoint.h b/drivers/input/mouse/trackpoint.h
792 +index 5617ed3a7d7a..88055755f82e 100644
793 +--- a/drivers/input/mouse/trackpoint.h
794 ++++ b/drivers/input/mouse/trackpoint.h
795 +@@ -21,8 +21,9 @@
796 + #define TP_COMMAND 0xE2 /* Commands start with this */
797 +
798 + #define TP_READ_ID 0xE1 /* Sent for device identification */
799 +-#define TP_MAGIC_IDENT 0x01 /* Sent after a TP_READ_ID followed */
800 ++#define TP_MAGIC_IDENT 0x03 /* Sent after a TP_READ_ID followed */
801 + /* by the firmware ID */
802 ++ /* Firmware ID includes 0x1, 0x2, 0x3 */
803 +
804 +
805 + /*
806 +diff --git a/drivers/leds/trigger/ledtrig-heartbeat.c b/drivers/leds/trigger/ledtrig-heartbeat.c
807 +index c9f386213e9e..410c39c62dc7 100644
808 +--- a/drivers/leds/trigger/ledtrig-heartbeat.c
809 ++++ b/drivers/leds/trigger/ledtrig-heartbeat.c
810 +@@ -19,7 +19,6 @@
811 + #include <linux/sched.h>
812 + #include <linux/leds.h>
813 + #include <linux/reboot.h>
814 +-#include <linux/suspend.h>
815 + #include "../leds.h"
816 +
817 + static int panic_heartbeats;
818 +@@ -155,30 +154,6 @@ static struct led_trigger heartbeat_led_trigger = {
819 + .deactivate = heartbeat_trig_deactivate,
820 + };
821 +
822 +-static int heartbeat_pm_notifier(struct notifier_block *nb,
823 +- unsigned long pm_event, void *unused)
824 +-{
825 +- int rc;
826 +-
827 +- switch (pm_event) {
828 +- case PM_SUSPEND_PREPARE:
829 +- case PM_HIBERNATION_PREPARE:
830 +- case PM_RESTORE_PREPARE:
831 +- led_trigger_unregister(&heartbeat_led_trigger);
832 +- break;
833 +- case PM_POST_SUSPEND:
834 +- case PM_POST_HIBERNATION:
835 +- case PM_POST_RESTORE:
836 +- rc = led_trigger_register(&heartbeat_led_trigger);
837 +- if (rc)
838 +- pr_err("could not re-register heartbeat trigger\n");
839 +- break;
840 +- default:
841 +- break;
842 +- }
843 +- return NOTIFY_DONE;
844 +-}
845 +-
846 + static int heartbeat_reboot_notifier(struct notifier_block *nb,
847 + unsigned long code, void *unused)
848 + {
849 +@@ -193,10 +168,6 @@ static int heartbeat_panic_notifier(struct notifier_block *nb,
850 + return NOTIFY_DONE;
851 + }
852 +
853 +-static struct notifier_block heartbeat_pm_nb = {
854 +- .notifier_call = heartbeat_pm_notifier,
855 +-};
856 +-
857 + static struct notifier_block heartbeat_reboot_nb = {
858 + .notifier_call = heartbeat_reboot_notifier,
859 + };
860 +@@ -213,14 +184,12 @@ static int __init heartbeat_trig_init(void)
861 + atomic_notifier_chain_register(&panic_notifier_list,
862 + &heartbeat_panic_nb);
863 + register_reboot_notifier(&heartbeat_reboot_nb);
864 +- register_pm_notifier(&heartbeat_pm_nb);
865 + }
866 + return rc;
867 + }
868 +
869 + static void __exit heartbeat_trig_exit(void)
870 + {
871 +- unregister_pm_notifier(&heartbeat_pm_nb);
872 + unregister_reboot_notifier(&heartbeat_reboot_nb);
873 + atomic_notifier_chain_unregister(&panic_notifier_list,
874 + &heartbeat_panic_nb);
875 +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
876 +index 551786f58e59..ba652d8a2b93 100644
877 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c
878 ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
879 +@@ -430,7 +430,7 @@ static int mlx4_dev_cap(struct mlx4_dev *dev, struct mlx4_dev_cap *dev_cap)
880 + /* Virtual PCI function needs to determine UAR page size from
881 + * firmware. Only master PCI function can set the uar page size
882 + */
883 +- if (enable_4k_uar)
884 ++ if (enable_4k_uar || !dev->persist->num_vfs)
885 + dev->uar_page_shift = DEFAULT_UAR_PAGE_SHIFT;
886 + else
887 + dev->uar_page_shift = PAGE_SHIFT;
888 +@@ -2269,7 +2269,7 @@ static int mlx4_init_hca(struct mlx4_dev *dev)
889 +
890 + dev->caps.max_fmr_maps = (1 << (32 - ilog2(dev->caps.num_mpts))) - 1;
891 +
892 +- if (enable_4k_uar) {
893 ++ if (enable_4k_uar || !dev->persist->num_vfs) {
894 + init_hca.log_uar_sz = ilog2(dev->caps.num_uars) +
895 + PAGE_SHIFT - DEFAULT_UAR_PAGE_SHIFT;
896 + init_hca.uar_page_sz = DEFAULT_UAR_PAGE_SHIFT - 12;
897 +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
898 +index aee3fd2b6538..4ca82bd8c4f0 100644
899 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
900 ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
901 +@@ -871,8 +871,7 @@ static int nfp_net_tx(struct sk_buff *skb, struct net_device *netdev)
902 + return NETDEV_TX_OK;
903 +
904 + err_unmap:
905 +- --f;
906 +- while (f >= 0) {
907 ++ while (--f >= 0) {
908 + frag = &skb_shinfo(skb)->frags[f];
909 + dma_unmap_page(&nn->pdev->dev,
910 + tx_ring->txbufs[wr_idx].dma_addr,
911 +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
912 +index c234ee43b6ef..24222a5d8df2 100644
913 +--- a/drivers/ntb/ntb_transport.c
914 ++++ b/drivers/ntb/ntb_transport.c
915 +@@ -176,14 +176,12 @@ struct ntb_transport_qp {
916 + u64 rx_err_ver;
917 + u64 rx_memcpy;
918 + u64 rx_async;
919 +- u64 dma_rx_prep_err;
920 + u64 tx_bytes;
921 + u64 tx_pkts;
922 + u64 tx_ring_full;
923 + u64 tx_err_no_buf;
924 + u64 tx_memcpy;
925 + u64 tx_async;
926 +- u64 dma_tx_prep_err;
927 + };
928 +
929 + struct ntb_transport_mw {
930 +@@ -256,8 +254,6 @@ enum {
931 + #define QP_TO_MW(nt, qp) ((qp) % nt->mw_count)
932 + #define NTB_QP_DEF_NUM_ENTRIES 100
933 + #define NTB_LINK_DOWN_TIMEOUT 10
934 +-#define DMA_RETRIES 20
935 +-#define DMA_OUT_RESOURCE_TO msecs_to_jiffies(50)
936 +
937 + static void ntb_transport_rxc_db(unsigned long data);
938 + static const struct ntb_ctx_ops ntb_transport_ops;
939 +@@ -518,12 +514,6 @@ static ssize_t debugfs_read(struct file *filp, char __user *ubuf, size_t count,
940 + out_offset += snprintf(buf + out_offset, out_count - out_offset,
941 + "free tx - \t%u\n",
942 + ntb_transport_tx_free_entry(qp));
943 +- out_offset += snprintf(buf + out_offset, out_count - out_offset,
944 +- "DMA tx prep err - \t%llu\n",
945 +- qp->dma_tx_prep_err);
946 +- out_offset += snprintf(buf + out_offset, out_count - out_offset,
947 +- "DMA rx prep err - \t%llu\n",
948 +- qp->dma_rx_prep_err);
949 +
950 + out_offset += snprintf(buf + out_offset, out_count - out_offset,
951 + "\n");
952 +@@ -625,7 +615,7 @@ static int ntb_transport_setup_qp_mw(struct ntb_transport_ctx *nt,
953 + if (!mw->virt_addr)
954 + return -ENOMEM;
955 +
956 +- if (qp_count % mw_count && mw_num + 1 < qp_count / mw_count)
957 ++ if (mw_num < qp_count % mw_count)
958 + num_qps_mw = qp_count / mw_count + 1;
959 + else
960 + num_qps_mw = qp_count / mw_count;
961 +@@ -770,8 +760,6 @@ static void ntb_qp_link_down_reset(struct ntb_transport_qp *qp)
962 + qp->tx_err_no_buf = 0;
963 + qp->tx_memcpy = 0;
964 + qp->tx_async = 0;
965 +- qp->dma_tx_prep_err = 0;
966 +- qp->dma_rx_prep_err = 0;
967 + }
968 +
969 + static void ntb_qp_link_cleanup(struct ntb_transport_qp *qp)
970 +@@ -933,10 +921,8 @@ static void ntb_transport_link_work(struct work_struct *work)
971 + ntb_free_mw(nt, i);
972 +
973 + /* if there's an actual failure, we should just bail */
974 +- if (rc < 0) {
975 +- ntb_link_disable(ndev);
976 ++ if (rc < 0)
977 + return;
978 +- }
979 +
980 + out:
981 + if (ntb_link_is_up(ndev, NULL, NULL) == 1)
982 +@@ -1002,7 +988,7 @@ static int ntb_transport_init_queue(struct ntb_transport_ctx *nt,
983 + qp->event_handler = NULL;
984 + ntb_qp_link_down_reset(qp);
985 +
986 +- if (qp_count % mw_count && mw_num + 1 < qp_count / mw_count)
987 ++ if (mw_num < qp_count % mw_count)
988 + num_qps_mw = qp_count / mw_count + 1;
989 + else
990 + num_qps_mw = qp_count / mw_count;
991 +@@ -1125,8 +1111,8 @@ static int ntb_transport_probe(struct ntb_client *self, struct ntb_dev *ndev)
992 + qp_count = ilog2(qp_bitmap);
993 + if (max_num_clients && max_num_clients < qp_count)
994 + qp_count = max_num_clients;
995 +- else if (mw_count < qp_count)
996 +- qp_count = mw_count;
997 ++ else if (nt->mw_count < qp_count)
998 ++ qp_count = nt->mw_count;
999 +
1000 + qp_bitmap &= BIT_ULL(qp_count) - 1;
1001 +
1002 +@@ -1314,7 +1300,6 @@ static int ntb_async_rx_submit(struct ntb_queue_entry *entry, void *offset)
1003 + struct dmaengine_unmap_data *unmap;
1004 + dma_cookie_t cookie;
1005 + void *buf = entry->buf;
1006 +- int retries = 0;
1007 +
1008 + len = entry->len;
1009 + device = chan->device;
1010 +@@ -1343,22 +1328,11 @@ static int ntb_async_rx_submit(struct ntb_queue_entry *entry, void *offset)
1011 +
1012 + unmap->from_cnt = 1;
1013 +
1014 +- for (retries = 0; retries < DMA_RETRIES; retries++) {
1015 +- txd = device->device_prep_dma_memcpy(chan,
1016 +- unmap->addr[1],
1017 +- unmap->addr[0], len,
1018 +- DMA_PREP_INTERRUPT);
1019 +- if (txd)
1020 +- break;
1021 +-
1022 +- set_current_state(TASK_INTERRUPTIBLE);
1023 +- schedule_timeout(DMA_OUT_RESOURCE_TO);
1024 +- }
1025 +-
1026 +- if (!txd) {
1027 +- qp->dma_rx_prep_err++;
1028 ++ txd = device->device_prep_dma_memcpy(chan, unmap->addr[1],
1029 ++ unmap->addr[0], len,
1030 ++ DMA_PREP_INTERRUPT);
1031 ++ if (!txd)
1032 + goto err_get_unmap;
1033 +- }
1034 +
1035 + txd->callback_result = ntb_rx_copy_callback;
1036 + txd->callback_param = entry;
1037 +@@ -1603,7 +1577,6 @@ static int ntb_async_tx_submit(struct ntb_transport_qp *qp,
1038 + struct dmaengine_unmap_data *unmap;
1039 + dma_addr_t dest;
1040 + dma_cookie_t cookie;
1041 +- int retries = 0;
1042 +
1043 + device = chan->device;
1044 + dest = qp->tx_mw_phys + qp->tx_max_frame * entry->tx_index;
1045 +@@ -1625,21 +1598,10 @@ static int ntb_async_tx_submit(struct ntb_transport_qp *qp,
1046 +
1047 + unmap->to_cnt = 1;
1048 +
1049 +- for (retries = 0; retries < DMA_RETRIES; retries++) {
1050 +- txd = device->device_prep_dma_memcpy(chan, dest,
1051 +- unmap->addr[0], len,
1052 +- DMA_PREP_INTERRUPT);
1053 +- if (txd)
1054 +- break;
1055 +-
1056 +- set_current_state(TASK_INTERRUPTIBLE);
1057 +- schedule_timeout(DMA_OUT_RESOURCE_TO);
1058 +- }
1059 +-
1060 +- if (!txd) {
1061 +- qp->dma_tx_prep_err++;
1062 ++ txd = device->device_prep_dma_memcpy(chan, dest, unmap->addr[0], len,
1063 ++ DMA_PREP_INTERRUPT);
1064 ++ if (!txd)
1065 + goto err_get_unmap;
1066 +- }
1067 +
1068 + txd->callback_result = ntb_tx_copy_callback;
1069 + txd->callback_param = entry;
1070 +diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
1071 +index b432153a6c5a..0f63a36a519e 100644
1072 +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
1073 ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
1074 +@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_tbl[] = {
1075 + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
1076 + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
1077 + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
1078 ++ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
1079 + {} /* Terminating entry */
1080 + };
1081 +
1082 +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
1083 +index 789ff1df2d8d..581712534c93 100644
1084 +--- a/fs/cifs/dir.c
1085 ++++ b/fs/cifs/dir.c
1086 +@@ -183,15 +183,20 @@ build_path_from_dentry(struct dentry *direntry)
1087 + }
1088 +
1089 + /*
1090 ++ * Don't allow path components longer than the server max.
1091 + * Don't allow the separator character in a path component.
1092 + * The VFS will not allow "/", but "\" is allowed by posix.
1093 + */
1094 + static int
1095 +-check_name(struct dentry *direntry)
1096 ++check_name(struct dentry *direntry, struct cifs_tcon *tcon)
1097 + {
1098 + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
1099 + int i;
1100 +
1101 ++ if (unlikely(direntry->d_name.len >
1102 ++ tcon->fsAttrInfo.MaxPathNameComponentLength))
1103 ++ return -ENAMETOOLONG;
1104 ++
1105 + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
1106 + for (i = 0; i < direntry->d_name.len; i++) {
1107 + if (direntry->d_name.name[i] == '\\') {
1108 +@@ -489,10 +494,6 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
1109 + return finish_no_open(file, res);
1110 + }
1111 +
1112 +- rc = check_name(direntry);
1113 +- if (rc)
1114 +- return rc;
1115 +-
1116 + xid = get_xid();
1117 +
1118 + cifs_dbg(FYI, "parent inode = 0x%p name is: %pd and dentry = 0x%p\n",
1119 +@@ -505,6 +506,11 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
1120 + }
1121 +
1122 + tcon = tlink_tcon(tlink);
1123 ++
1124 ++ rc = check_name(direntry, tcon);
1125 ++ if (rc)
1126 ++ goto out_free_xid;
1127 ++
1128 + server = tcon->ses->server;
1129 +
1130 + if (server->ops->new_lease_key)
1131 +@@ -765,7 +771,7 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
1132 + }
1133 + pTcon = tlink_tcon(tlink);
1134 +
1135 +- rc = check_name(direntry);
1136 ++ rc = check_name(direntry, pTcon);
1137 + if (rc)
1138 + goto lookup_out;
1139 +
1140 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
1141 +index 7c1c6c39d582..0437e5fdba56 100644
1142 +--- a/fs/cifs/smb2pdu.c
1143 ++++ b/fs/cifs/smb2pdu.c
1144 +@@ -2930,8 +2930,8 @@ copy_fs_info_to_kstatfs(struct smb2_fs_full_size_info *pfs_inf,
1145 + kst->f_bsize = le32_to_cpu(pfs_inf->BytesPerSector) *
1146 + le32_to_cpu(pfs_inf->SectorsPerAllocationUnit);
1147 + kst->f_blocks = le64_to_cpu(pfs_inf->TotalAllocationUnits);
1148 +- kst->f_bfree = le64_to_cpu(pfs_inf->ActualAvailableAllocationUnits);
1149 +- kst->f_bavail = le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
1150 ++ kst->f_bfree = kst->f_bavail =
1151 ++ le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
1152 + return;
1153 + }
1154 +
1155 +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
1156 +index 4e7a56a0a9b6..2c4f7a22e128 100644
1157 +--- a/fs/nfsd/nfs4xdr.c
1158 ++++ b/fs/nfsd/nfs4xdr.c
1159 +@@ -129,7 +129,7 @@ static void next_decode_page(struct nfsd4_compoundargs *argp)
1160 + argp->p = page_address(argp->pagelist[0]);
1161 + argp->pagelist++;
1162 + if (argp->pagelen < PAGE_SIZE) {
1163 +- argp->end = argp->p + (argp->pagelen>>2);
1164 ++ argp->end = argp->p + XDR_QUADLEN(argp->pagelen);
1165 + argp->pagelen = 0;
1166 + } else {
1167 + argp->end = argp->p + (PAGE_SIZE>>2);
1168 +@@ -1246,9 +1246,7 @@ nfsd4_decode_write(struct nfsd4_compoundargs *argp, struct nfsd4_write *write)
1169 + argp->pagelen -= pages * PAGE_SIZE;
1170 + len -= pages * PAGE_SIZE;
1171 +
1172 +- argp->p = (__be32 *)page_address(argp->pagelist[0]);
1173 +- argp->pagelist++;
1174 +- argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE);
1175 ++ next_decode_page(argp);
1176 + }
1177 + argp->p += XDR_QUADLEN(len);
1178 +
1179 +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
1180 +index 31e1d639abed..dc81e5287ebf 100644
1181 +--- a/include/asm-generic/vmlinux.lds.h
1182 ++++ b/include/asm-generic/vmlinux.lds.h
1183 +@@ -59,6 +59,22 @@
1184 + /* Align . to a 8 byte boundary equals to maximum function alignment. */
1185 + #define ALIGN_FUNCTION() . = ALIGN(8)
1186 +
1187 ++/*
1188 ++ * LD_DEAD_CODE_DATA_ELIMINATION option enables -fdata-sections, which
1189 ++ * generates .data.identifier sections, which need to be pulled in with
1190 ++ * .data. We don't want to pull in .data..other sections, which Linux
1191 ++ * has defined. Same for text and bss.
1192 ++ */
1193 ++#ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
1194 ++#define TEXT_MAIN .text .text.[0-9a-zA-Z_]*
1195 ++#define DATA_MAIN .data .data.[0-9a-zA-Z_]*
1196 ++#define BSS_MAIN .bss .bss.[0-9a-zA-Z_]*
1197 ++#else
1198 ++#define TEXT_MAIN .text
1199 ++#define DATA_MAIN .data
1200 ++#define BSS_MAIN .bss
1201 ++#endif
1202 ++
1203 + /*
1204 + * Align to a 32 byte boundary equal to the
1205 + * alignment gcc 4.5 uses for a struct
1206 +@@ -198,12 +214,9 @@
1207 +
1208 + /*
1209 + * .data section
1210 +- * LD_DEAD_CODE_DATA_ELIMINATION option enables -fdata-sections generates
1211 +- * .data.identifier which needs to be pulled in with .data, but don't want to
1212 +- * pull in .data..stuff which has its own requirements. Same for bss.
1213 + */
1214 + #define DATA_DATA \
1215 +- *(.data .data.[0-9a-zA-Z_]*) \
1216 ++ *(DATA_MAIN) \
1217 + *(.ref.data) \
1218 + *(.data..shared_aligned) /* percpu related */ \
1219 + MEM_KEEP(init.data) \
1220 +@@ -436,16 +449,17 @@
1221 + VMLINUX_SYMBOL(__security_initcall_end) = .; \
1222 + }
1223 +
1224 +-/* .text section. Map to function alignment to avoid address changes
1225 ++/*
1226 ++ * .text section. Map to function alignment to avoid address changes
1227 + * during second ld run in second ld pass when generating System.map
1228 +- * LD_DEAD_CODE_DATA_ELIMINATION option enables -ffunction-sections generates
1229 +- * .text.identifier which needs to be pulled in with .text , but some
1230 +- * architectures define .text.foo which is not intended to be pulled in here.
1231 +- * Those enabling LD_DEAD_CODE_DATA_ELIMINATION must ensure they don't have
1232 +- * conflicting section names, and must pull in .text.[0-9a-zA-Z_]* */
1233 ++ *
1234 ++ * TEXT_MAIN here will match .text.fixup and .text.unlikely if dead
1235 ++ * code elimination is enabled, so these sections should be converted
1236 ++ * to use ".." first.
1237 ++ */
1238 + #define TEXT_TEXT \
1239 + ALIGN_FUNCTION(); \
1240 +- *(.text.hot .text .text.fixup .text.unlikely) \
1241 ++ *(.text.hot TEXT_MAIN .text.fixup .text.unlikely) \
1242 + *(.ref.text) \
1243 + MEM_KEEP(init.text) \
1244 + MEM_KEEP(exit.text) \
1245 +@@ -613,7 +627,7 @@
1246 + BSS_FIRST_SECTIONS \
1247 + *(.bss..page_aligned) \
1248 + *(.dynbss) \
1249 +- *(.bss .bss.[0-9a-zA-Z_]*) \
1250 ++ *(BSS_MAIN) \
1251 + *(COMMON) \
1252 + }
1253 +
1254 +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
1255 +index a13b031dc6b8..3101141661a1 100644
1256 +--- a/include/linux/bpf_verifier.h
1257 ++++ b/include/linux/bpf_verifier.h
1258 +@@ -40,6 +40,7 @@ struct bpf_reg_state {
1259 + */
1260 + s64 min_value;
1261 + u64 max_value;
1262 ++ bool value_from_signed;
1263 + };
1264 +
1265 + enum bpf_stack_slot_type {
1266 +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
1267 +index ba1cad7b97cf..965cc5693a46 100644
1268 +--- a/include/linux/cpuhotplug.h
1269 ++++ b/include/linux/cpuhotplug.h
1270 +@@ -10,7 +10,6 @@ enum cpuhp_state {
1271 + CPUHP_PERF_X86_PREPARE,
1272 + CPUHP_PERF_X86_UNCORE_PREP,
1273 + CPUHP_PERF_X86_AMD_UNCORE_PREP,
1274 +- CPUHP_PERF_X86_RAPL_PREP,
1275 + CPUHP_PERF_BFIN,
1276 + CPUHP_PERF_POWER,
1277 + CPUHP_PERF_SUPERH,
1278 +diff --git a/include/linux/fs.h b/include/linux/fs.h
1279 +index 2f63d44368bd..dd88ded27fc8 100644
1280 +--- a/include/linux/fs.h
1281 ++++ b/include/linux/fs.h
1282 +@@ -941,9 +941,9 @@ static inline struct file *get_file(struct file *f)
1283 + /* Page cache limit. The filesystems should put that into their s_maxbytes
1284 + limits, otherwise bad things can happen in VM. */
1285 + #if BITS_PER_LONG==32
1286 +-#define MAX_LFS_FILESIZE (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
1287 ++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT)
1288 + #elif BITS_PER_LONG==64
1289 +-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL)
1290 ++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX)
1291 + #endif
1292 +
1293 + #define FL_POSIX 1
1294 +diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
1295 +index 6c70444da3b9..b83507c0640c 100644
1296 +--- a/include/linux/ptr_ring.h
1297 ++++ b/include/linux/ptr_ring.h
1298 +@@ -340,9 +340,9 @@ static inline void *ptr_ring_consume_bh(struct ptr_ring *r)
1299 + __PTR_RING_PEEK_CALL_v; \
1300 + })
1301 +
1302 +-static inline void **__ptr_ring_init_queue_alloc(int size, gfp_t gfp)
1303 ++static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp)
1304 + {
1305 +- return kzalloc(ALIGN(size * sizeof(void *), SMP_CACHE_BYTES), gfp);
1306 ++ return kcalloc(size, sizeof(void *), gfp);
1307 + }
1308 +
1309 + static inline int ptr_ring_init(struct ptr_ring *r, int size, gfp_t gfp)
1310 +@@ -417,7 +417,8 @@ static inline int ptr_ring_resize(struct ptr_ring *r, int size, gfp_t gfp,
1311 + * In particular if you consume ring in interrupt or BH context, you must
1312 + * disable interrupts/BH when doing so.
1313 + */
1314 +-static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings,
1315 ++static inline int ptr_ring_resize_multiple(struct ptr_ring **rings,
1316 ++ unsigned int nrings,
1317 + int size,
1318 + gfp_t gfp, void (*destroy)(void *))
1319 + {
1320 +@@ -425,7 +426,7 @@ static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings,
1321 + void ***queues;
1322 + int i;
1323 +
1324 +- queues = kmalloc(nrings * sizeof *queues, gfp);
1325 ++ queues = kmalloc_array(nrings, sizeof(*queues), gfp);
1326 + if (!queues)
1327 + goto noqueues;
1328 +
1329 +diff --git a/include/linux/skb_array.h b/include/linux/skb_array.h
1330 +index f4dfade428f0..be8b902b5845 100644
1331 +--- a/include/linux/skb_array.h
1332 ++++ b/include/linux/skb_array.h
1333 +@@ -162,7 +162,8 @@ static inline int skb_array_resize(struct skb_array *a, int size, gfp_t gfp)
1334 + }
1335 +
1336 + static inline int skb_array_resize_multiple(struct skb_array **rings,
1337 +- int nrings, int size, gfp_t gfp)
1338 ++ int nrings, unsigned int size,
1339 ++ gfp_t gfp)
1340 + {
1341 + BUILD_BUG_ON(offsetof(struct skb_array, ring));
1342 + return ptr_ring_resize_multiple((struct ptr_ring **)rings,
1343 +diff --git a/include/net/ip.h b/include/net/ip.h
1344 +index d3a107850a41..51c6b9786c46 100644
1345 +--- a/include/net/ip.h
1346 ++++ b/include/net/ip.h
1347 +@@ -339,7 +339,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
1348 + !forwarding)
1349 + return dst_mtu(dst);
1350 +
1351 +- return min(dst->dev->mtu, IP_MAX_MTU);
1352 ++ return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
1353 + }
1354 +
1355 + static inline unsigned int ip_skb_dst_mtu(struct sock *sk,
1356 +@@ -351,7 +351,7 @@ static inline unsigned int ip_skb_dst_mtu(struct sock *sk,
1357 + return ip_dst_mtu_maybe_forward(skb_dst(skb), forwarding);
1358 + }
1359 +
1360 +- return min(skb_dst(skb)->dev->mtu, IP_MAX_MTU);
1361 ++ return min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU);
1362 + }
1363 +
1364 + u32 ip_idents_reserve(u32 hash, int segs);
1365 +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
1366 +index e6aa0a249672..f18fc1a0321f 100644
1367 +--- a/include/net/sch_generic.h
1368 ++++ b/include/net/sch_generic.h
1369 +@@ -768,8 +768,11 @@ static inline struct Qdisc *qdisc_replace(struct Qdisc *sch, struct Qdisc *new,
1370 + old = *pold;
1371 + *pold = new;
1372 + if (old != NULL) {
1373 +- qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog);
1374 ++ unsigned int qlen = old->q.qlen;
1375 ++ unsigned int backlog = old->qstats.backlog;
1376 ++
1377 + qdisc_reset(old);
1378 ++ qdisc_tree_reduce_backlog(old, qlen, backlog);
1379 + }
1380 + sch_tree_unlock(sch);
1381 +
1382 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
1383 +index 8ce679d36c58..779c871c5dcd 100644
1384 +--- a/kernel/bpf/verifier.c
1385 ++++ b/kernel/bpf/verifier.c
1386 +@@ -139,7 +139,7 @@ struct bpf_verifier_stack_elem {
1387 + struct bpf_verifier_stack_elem *next;
1388 + };
1389 +
1390 +-#define BPF_COMPLEXITY_LIMIT_INSNS 65536
1391 ++#define BPF_COMPLEXITY_LIMIT_INSNS 98304
1392 + #define BPF_COMPLEXITY_LIMIT_STACK 1024
1393 +
1394 + struct bpf_call_arg_meta {
1395 +@@ -682,12 +682,13 @@ static int check_ctx_access(struct bpf_verifier_env *env, int off, int size,
1396 + return -EACCES;
1397 + }
1398 +
1399 +-static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
1400 ++static bool __is_pointer_value(bool allow_ptr_leaks,
1401 ++ const struct bpf_reg_state *reg)
1402 + {
1403 +- if (env->allow_ptr_leaks)
1404 ++ if (allow_ptr_leaks)
1405 + return false;
1406 +
1407 +- switch (env->cur_state.regs[regno].type) {
1408 ++ switch (reg->type) {
1409 + case UNKNOWN_VALUE:
1410 + case CONST_IMM:
1411 + return false;
1412 +@@ -696,6 +697,11 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
1413 + }
1414 + }
1415 +
1416 ++static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
1417 ++{
1418 ++ return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
1419 ++}
1420 ++
1421 + static int check_ptr_alignment(struct bpf_verifier_env *env,
1422 + struct bpf_reg_state *reg, int off, int size)
1423 + {
1424 +@@ -1467,6 +1473,65 @@ static int evaluate_reg_alu(struct bpf_verifier_env *env, struct bpf_insn *insn)
1425 + return 0;
1426 + }
1427 +
1428 ++static int evaluate_reg_imm_alu_unknown(struct bpf_verifier_env *env,
1429 ++ struct bpf_insn *insn)
1430 ++{
1431 ++ struct bpf_reg_state *regs = env->cur_state.regs;
1432 ++ struct bpf_reg_state *dst_reg = &regs[insn->dst_reg];
1433 ++ struct bpf_reg_state *src_reg = &regs[insn->src_reg];
1434 ++ u8 opcode = BPF_OP(insn->code);
1435 ++ s64 imm_log2 = __ilog2_u64((long long)dst_reg->imm);
1436 ++
1437 ++ /* BPF_X code with src_reg->type UNKNOWN_VALUE here. */
1438 ++ if (src_reg->imm > 0 && dst_reg->imm) {
1439 ++ switch (opcode) {
1440 ++ case BPF_ADD:
1441 ++ /* dreg += sreg
1442 ++ * where both have zero upper bits. Adding them
1443 ++ * can only result making one more bit non-zero
1444 ++ * in the larger value.
1445 ++ * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47)
1446 ++ * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47)
1447 ++ */
1448 ++ dst_reg->imm = min(src_reg->imm, 63 - imm_log2);
1449 ++ dst_reg->imm--;
1450 ++ break;
1451 ++ case BPF_AND:
1452 ++ /* dreg &= sreg
1453 ++ * AND can not extend zero bits only shrink
1454 ++ * Ex. 0x00..00ffffff
1455 ++ * & 0x0f..ffffffff
1456 ++ * ----------------
1457 ++ * 0x00..00ffffff
1458 ++ */
1459 ++ dst_reg->imm = max(src_reg->imm, 63 - imm_log2);
1460 ++ break;
1461 ++ case BPF_OR:
1462 ++ /* dreg |= sreg
1463 ++ * OR can only extend zero bits
1464 ++ * Ex. 0x00..00ffffff
1465 ++ * | 0x0f..ffffffff
1466 ++ * ----------------
1467 ++ * 0x0f..00ffffff
1468 ++ */
1469 ++ dst_reg->imm = min(src_reg->imm, 63 - imm_log2);
1470 ++ break;
1471 ++ case BPF_SUB:
1472 ++ case BPF_MUL:
1473 ++ case BPF_RSH:
1474 ++ case BPF_LSH:
1475 ++ /* These may be flushed out later */
1476 ++ default:
1477 ++ mark_reg_unknown_value(regs, insn->dst_reg);
1478 ++ }
1479 ++ } else {
1480 ++ mark_reg_unknown_value(regs, insn->dst_reg);
1481 ++ }
1482 ++
1483 ++ dst_reg->type = UNKNOWN_VALUE;
1484 ++ return 0;
1485 ++}
1486 ++
1487 + static int evaluate_reg_imm_alu(struct bpf_verifier_env *env,
1488 + struct bpf_insn *insn)
1489 + {
1490 +@@ -1475,6 +1540,9 @@ static int evaluate_reg_imm_alu(struct bpf_verifier_env *env,
1491 + struct bpf_reg_state *src_reg = &regs[insn->src_reg];
1492 + u8 opcode = BPF_OP(insn->code);
1493 +
1494 ++ if (BPF_SRC(insn->code) == BPF_X && src_reg->type == UNKNOWN_VALUE)
1495 ++ return evaluate_reg_imm_alu_unknown(env, insn);
1496 ++
1497 + /* dst_reg->type == CONST_IMM here, simulate execution of 'add' insn.
1498 + * Don't care about overflow or negative values, just add them
1499 + */
1500 +@@ -1530,10 +1598,24 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1501 + }
1502 +
1503 + /* We don't know anything about what was done to this register, mark it
1504 +- * as unknown.
1505 ++ * as unknown. Also, if both derived bounds came from signed/unsigned
1506 ++ * mixed compares and one side is unbounded, we cannot really do anything
1507 ++ * with them as boundaries cannot be trusted. Thus, arithmetic of two
1508 ++ * regs of such kind will get invalidated bounds on the dst side.
1509 + */
1510 +- if (min_val == BPF_REGISTER_MIN_RANGE &&
1511 +- max_val == BPF_REGISTER_MAX_RANGE) {
1512 ++ if ((min_val == BPF_REGISTER_MIN_RANGE &&
1513 ++ max_val == BPF_REGISTER_MAX_RANGE) ||
1514 ++ (BPF_SRC(insn->code) == BPF_X &&
1515 ++ ((min_val != BPF_REGISTER_MIN_RANGE &&
1516 ++ max_val == BPF_REGISTER_MAX_RANGE) ||
1517 ++ (min_val == BPF_REGISTER_MIN_RANGE &&
1518 ++ max_val != BPF_REGISTER_MAX_RANGE) ||
1519 ++ (dst_reg->min_value != BPF_REGISTER_MIN_RANGE &&
1520 ++ dst_reg->max_value == BPF_REGISTER_MAX_RANGE) ||
1521 ++ (dst_reg->min_value == BPF_REGISTER_MIN_RANGE &&
1522 ++ dst_reg->max_value != BPF_REGISTER_MAX_RANGE)) &&
1523 ++ regs[insn->dst_reg].value_from_signed !=
1524 ++ regs[insn->src_reg].value_from_signed)) {
1525 + reset_reg_range_values(regs, insn->dst_reg);
1526 + return;
1527 + }
1528 +@@ -1542,10 +1624,12 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1529 + * do our normal operations to the register, we need to set the values
1530 + * to the min/max since they are undefined.
1531 + */
1532 +- if (min_val == BPF_REGISTER_MIN_RANGE)
1533 +- dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1534 +- if (max_val == BPF_REGISTER_MAX_RANGE)
1535 +- dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1536 ++ if (opcode != BPF_SUB) {
1537 ++ if (min_val == BPF_REGISTER_MIN_RANGE)
1538 ++ dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1539 ++ if (max_val == BPF_REGISTER_MAX_RANGE)
1540 ++ dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1541 ++ }
1542 +
1543 + switch (opcode) {
1544 + case BPF_ADD:
1545 +@@ -1555,10 +1639,17 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1546 + dst_reg->max_value += max_val;
1547 + break;
1548 + case BPF_SUB:
1549 ++ /* If one of our values was at the end of our ranges, then the
1550 ++ * _opposite_ value in the dst_reg goes to the end of our range.
1551 ++ */
1552 ++ if (min_val == BPF_REGISTER_MIN_RANGE)
1553 ++ dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1554 ++ if (max_val == BPF_REGISTER_MAX_RANGE)
1555 ++ dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1556 + if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1557 +- dst_reg->min_value -= min_val;
1558 ++ dst_reg->min_value -= max_val;
1559 + if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1560 +- dst_reg->max_value -= max_val;
1561 ++ dst_reg->max_value -= min_val;
1562 + break;
1563 + case BPF_MUL:
1564 + if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1565 +@@ -1808,6 +1899,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1566 + * register as unknown.
1567 + */
1568 + if (env->allow_ptr_leaks &&
1569 ++ BPF_CLASS(insn->code) == BPF_ALU64 && opcode == BPF_ADD &&
1570 + (dst_reg->type == PTR_TO_MAP_VALUE ||
1571 + dst_reg->type == PTR_TO_MAP_VALUE_ADJ))
1572 + dst_reg->type = PTR_TO_MAP_VALUE_ADJ;
1573 +@@ -1876,38 +1968,63 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
1574 + struct bpf_reg_state *false_reg, u64 val,
1575 + u8 opcode)
1576 + {
1577 ++ bool value_from_signed = true;
1578 ++ bool is_range = true;
1579 ++
1580 + switch (opcode) {
1581 + case BPF_JEQ:
1582 + /* If this is false then we know nothing Jon Snow, but if it is
1583 + * true then we know for sure.
1584 + */
1585 + true_reg->max_value = true_reg->min_value = val;
1586 ++ is_range = false;
1587 + break;
1588 + case BPF_JNE:
1589 + /* If this is true we know nothing Jon Snow, but if it is false
1590 + * we know the value for sure;
1591 + */
1592 + false_reg->max_value = false_reg->min_value = val;
1593 ++ is_range = false;
1594 + break;
1595 + case BPF_JGT:
1596 +- /* Unsigned comparison, the minimum value is 0. */
1597 +- false_reg->min_value = 0;
1598 ++ value_from_signed = false;
1599 ++ /* fallthrough */
1600 + case BPF_JSGT:
1601 ++ if (true_reg->value_from_signed != value_from_signed)
1602 ++ reset_reg_range_values(true_reg, 0);
1603 ++ if (false_reg->value_from_signed != value_from_signed)
1604 ++ reset_reg_range_values(false_reg, 0);
1605 ++ if (opcode == BPF_JGT) {
1606 ++ /* Unsigned comparison, the minimum value is 0. */
1607 ++ false_reg->min_value = 0;
1608 ++ }
1609 + /* If this is false then we know the maximum val is val,
1610 + * otherwise we know the min val is val+1.
1611 + */
1612 + false_reg->max_value = val;
1613 ++ false_reg->value_from_signed = value_from_signed;
1614 + true_reg->min_value = val + 1;
1615 ++ true_reg->value_from_signed = value_from_signed;
1616 + break;
1617 + case BPF_JGE:
1618 +- /* Unsigned comparison, the minimum value is 0. */
1619 +- false_reg->min_value = 0;
1620 ++ value_from_signed = false;
1621 ++ /* fallthrough */
1622 + case BPF_JSGE:
1623 ++ if (true_reg->value_from_signed != value_from_signed)
1624 ++ reset_reg_range_values(true_reg, 0);
1625 ++ if (false_reg->value_from_signed != value_from_signed)
1626 ++ reset_reg_range_values(false_reg, 0);
1627 ++ if (opcode == BPF_JGE) {
1628 ++ /* Unsigned comparison, the minimum value is 0. */
1629 ++ false_reg->min_value = 0;
1630 ++ }
1631 + /* If this is false then we know the maximum value is val - 1,
1632 + * otherwise we know the mimimum value is val.
1633 + */
1634 + false_reg->max_value = val - 1;
1635 ++ false_reg->value_from_signed = value_from_signed;
1636 + true_reg->min_value = val;
1637 ++ true_reg->value_from_signed = value_from_signed;
1638 + break;
1639 + default:
1640 + break;
1641 +@@ -1915,6 +2032,12 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
1642 +
1643 + check_reg_overflow(false_reg);
1644 + check_reg_overflow(true_reg);
1645 ++ if (is_range) {
1646 ++ if (__is_pointer_value(false, false_reg))
1647 ++ reset_reg_range_values(false_reg, 0);
1648 ++ if (__is_pointer_value(false, true_reg))
1649 ++ reset_reg_range_values(true_reg, 0);
1650 ++ }
1651 + }
1652 +
1653 + /* Same as above, but for the case that dst_reg is a CONST_IMM reg and src_reg
1654 +@@ -1924,39 +2047,64 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
1655 + struct bpf_reg_state *false_reg, u64 val,
1656 + u8 opcode)
1657 + {
1658 ++ bool value_from_signed = true;
1659 ++ bool is_range = true;
1660 ++
1661 + switch (opcode) {
1662 + case BPF_JEQ:
1663 + /* If this is false then we know nothing Jon Snow, but if it is
1664 + * true then we know for sure.
1665 + */
1666 + true_reg->max_value = true_reg->min_value = val;
1667 ++ is_range = false;
1668 + break;
1669 + case BPF_JNE:
1670 + /* If this is true we know nothing Jon Snow, but if it is false
1671 + * we know the value for sure;
1672 + */
1673 + false_reg->max_value = false_reg->min_value = val;
1674 ++ is_range = false;
1675 + break;
1676 + case BPF_JGT:
1677 +- /* Unsigned comparison, the minimum value is 0. */
1678 +- true_reg->min_value = 0;
1679 ++ value_from_signed = false;
1680 ++ /* fallthrough */
1681 + case BPF_JSGT:
1682 ++ if (true_reg->value_from_signed != value_from_signed)
1683 ++ reset_reg_range_values(true_reg, 0);
1684 ++ if (false_reg->value_from_signed != value_from_signed)
1685 ++ reset_reg_range_values(false_reg, 0);
1686 ++ if (opcode == BPF_JGT) {
1687 ++ /* Unsigned comparison, the minimum value is 0. */
1688 ++ true_reg->min_value = 0;
1689 ++ }
1690 + /*
1691 + * If this is false, then the val is <= the register, if it is
1692 + * true the register <= to the val.
1693 + */
1694 + false_reg->min_value = val;
1695 ++ false_reg->value_from_signed = value_from_signed;
1696 + true_reg->max_value = val - 1;
1697 ++ true_reg->value_from_signed = value_from_signed;
1698 + break;
1699 + case BPF_JGE:
1700 +- /* Unsigned comparison, the minimum value is 0. */
1701 +- true_reg->min_value = 0;
1702 ++ value_from_signed = false;
1703 ++ /* fallthrough */
1704 + case BPF_JSGE:
1705 ++ if (true_reg->value_from_signed != value_from_signed)
1706 ++ reset_reg_range_values(true_reg, 0);
1707 ++ if (false_reg->value_from_signed != value_from_signed)
1708 ++ reset_reg_range_values(false_reg, 0);
1709 ++ if (opcode == BPF_JGE) {
1710 ++ /* Unsigned comparison, the minimum value is 0. */
1711 ++ true_reg->min_value = 0;
1712 ++ }
1713 + /* If this is false then constant < register, if it is true then
1714 + * the register < constant.
1715 + */
1716 + false_reg->min_value = val + 1;
1717 ++ false_reg->value_from_signed = value_from_signed;
1718 + true_reg->max_value = val;
1719 ++ true_reg->value_from_signed = value_from_signed;
1720 + break;
1721 + default:
1722 + break;
1723 +@@ -1964,6 +2112,12 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
1724 +
1725 + check_reg_overflow(false_reg);
1726 + check_reg_overflow(true_reg);
1727 ++ if (is_range) {
1728 ++ if (__is_pointer_value(false, false_reg))
1729 ++ reset_reg_range_values(false_reg, 0);
1730 ++ if (__is_pointer_value(false, true_reg))
1731 ++ reset_reg_range_values(true_reg, 0);
1732 ++ }
1733 + }
1734 +
1735 + static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id,
1736 +@@ -2390,6 +2544,7 @@ static int check_cfg(struct bpf_verifier_env *env)
1737 + env->explored_states[t + 1] = STATE_LIST_MARK;
1738 + } else {
1739 + /* conditional jump with two edges */
1740 ++ env->explored_states[t] = STATE_LIST_MARK;
1741 + ret = push_insn(t, t + 1, FALLTHROUGH, env);
1742 + if (ret == 1)
1743 + goto peek_stack;
1744 +@@ -2548,6 +2703,12 @@ static bool states_equal(struct bpf_verifier_env *env,
1745 + rcur->type != NOT_INIT))
1746 + continue;
1747 +
1748 ++ /* Don't care about the reg->id in this case. */
1749 ++ if (rold->type == PTR_TO_MAP_VALUE_OR_NULL &&
1750 ++ rcur->type == PTR_TO_MAP_VALUE_OR_NULL &&
1751 ++ rold->map_ptr == rcur->map_ptr)
1752 ++ continue;
1753 ++
1754 + if (rold->type == PTR_TO_PACKET && rcur->type == PTR_TO_PACKET &&
1755 + compare_ptrs_to_packet(rold, rcur))
1756 + continue;
1757 +@@ -2682,6 +2843,9 @@ static int do_check(struct bpf_verifier_env *env)
1758 + goto process_bpf_exit;
1759 + }
1760 +
1761 ++ if (need_resched())
1762 ++ cond_resched();
1763 ++
1764 + if (log_level && do_print_state) {
1765 + verbose("\nfrom %d to %d:", prev_insn_idx, insn_idx);
1766 + print_verifier_state(&env->cur_state);
1767 +diff --git a/kernel/events/core.c b/kernel/events/core.c
1768 +index f5a693589d66..c774773ac3a4 100644
1769 +--- a/kernel/events/core.c
1770 ++++ b/kernel/events/core.c
1771 +@@ -9786,28 +9786,27 @@ SYSCALL_DEFINE5(perf_event_open,
1772 + goto err_context;
1773 +
1774 + /*
1775 +- * Do not allow to attach to a group in a different
1776 +- * task or CPU context:
1777 ++ * Make sure we're both events for the same CPU;
1778 ++ * grouping events for different CPUs is broken; since
1779 ++ * you can never concurrently schedule them anyhow.
1780 + */
1781 +- if (move_group) {
1782 +- /*
1783 +- * Make sure we're both on the same task, or both
1784 +- * per-cpu events.
1785 +- */
1786 +- if (group_leader->ctx->task != ctx->task)
1787 +- goto err_context;
1788 ++ if (group_leader->cpu != event->cpu)
1789 ++ goto err_context;
1790 +
1791 +- /*
1792 +- * Make sure we're both events for the same CPU;
1793 +- * grouping events for different CPUs is broken; since
1794 +- * you can never concurrently schedule them anyhow.
1795 +- */
1796 +- if (group_leader->cpu != event->cpu)
1797 +- goto err_context;
1798 +- } else {
1799 +- if (group_leader->ctx != ctx)
1800 +- goto err_context;
1801 +- }
1802 ++ /*
1803 ++ * Make sure we're both on the same task, or both
1804 ++ * per-CPU events.
1805 ++ */
1806 ++ if (group_leader->ctx->task != ctx->task)
1807 ++ goto err_context;
1808 ++
1809 ++ /*
1810 ++ * Do not allow to attach to a group in a different task
1811 ++ * or CPU context. If we're moving SW events, we'll fix
1812 ++ * this up later, so allow that.
1813 ++ */
1814 ++ if (!move_group && group_leader->ctx != ctx)
1815 ++ goto err_context;
1816 +
1817 + /*
1818 + * Only a group leader can be exclusive or pinned
1819 +diff --git a/kernel/fork.c b/kernel/fork.c
1820 +index 59faac4de181..50bf262cc427 100644
1821 +--- a/kernel/fork.c
1822 ++++ b/kernel/fork.c
1823 +@@ -766,6 +766,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
1824 + mm_init_cpumask(mm);
1825 + mm_init_aio(mm);
1826 + mm_init_owner(mm, p);
1827 ++ RCU_INIT_POINTER(mm->exe_file, NULL);
1828 + mmu_notifier_mm_init(mm);
1829 + clear_tlb_flush_pending(mm);
1830 + #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
1831 +diff --git a/kernel/time/timer.c b/kernel/time/timer.c
1832 +index 944ad64277a6..df445cde8a1e 100644
1833 +--- a/kernel/time/timer.c
1834 ++++ b/kernel/time/timer.c
1835 +@@ -201,6 +201,7 @@ struct timer_base {
1836 + bool migration_enabled;
1837 + bool nohz_active;
1838 + bool is_idle;
1839 ++ bool must_forward_clk;
1840 + DECLARE_BITMAP(pending_map, WHEEL_SIZE);
1841 + struct hlist_head vectors[WHEEL_SIZE];
1842 + } ____cacheline_aligned;
1843 +@@ -891,13 +892,19 @@ get_target_base(struct timer_base *base, unsigned tflags)
1844 +
1845 + static inline void forward_timer_base(struct timer_base *base)
1846 + {
1847 +- unsigned long jnow = READ_ONCE(jiffies);
1848 ++ unsigned long jnow;
1849 +
1850 + /*
1851 +- * We only forward the base when it's idle and we have a delta between
1852 +- * base clock and jiffies.
1853 ++ * We only forward the base when we are idle or have just come out of
1854 ++ * idle (must_forward_clk logic), and have a delta between base clock
1855 ++ * and jiffies. In the common case, run_timers will take care of it.
1856 + */
1857 +- if (!base->is_idle || (long) (jnow - base->clk) < 2)
1858 ++ if (likely(!base->must_forward_clk))
1859 ++ return;
1860 ++
1861 ++ jnow = READ_ONCE(jiffies);
1862 ++ base->must_forward_clk = base->is_idle;
1863 ++ if ((long)(jnow - base->clk) < 2)
1864 + return;
1865 +
1866 + /*
1867 +@@ -973,6 +980,11 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
1868 + * same array bucket then just return:
1869 + */
1870 + if (timer_pending(timer)) {
1871 ++ /*
1872 ++ * The downside of this optimization is that it can result in
1873 ++ * larger granularity than you would get from adding a new
1874 ++ * timer with this expiry.
1875 ++ */
1876 + if (timer->expires == expires)
1877 + return 1;
1878 +
1879 +@@ -983,6 +995,7 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
1880 + * dequeue/enqueue dance.
1881 + */
1882 + base = lock_timer_base(timer, &flags);
1883 ++ forward_timer_base(base);
1884 +
1885 + clk = base->clk;
1886 + idx = calc_wheel_index(expires, clk);
1887 +@@ -999,6 +1012,7 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
1888 + }
1889 + } else {
1890 + base = lock_timer_base(timer, &flags);
1891 ++ forward_timer_base(base);
1892 + }
1893 +
1894 + timer_stats_timer_set_start_info(timer);
1895 +@@ -1028,12 +1042,10 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
1896 + spin_lock(&base->lock);
1897 + WRITE_ONCE(timer->flags,
1898 + (timer->flags & ~TIMER_BASEMASK) | base->cpu);
1899 ++ forward_timer_base(base);
1900 + }
1901 + }
1902 +
1903 +- /* Try to forward a stale timer base clock */
1904 +- forward_timer_base(base);
1905 +-
1906 + timer->expires = expires;
1907 + /*
1908 + * If 'idx' was calculated above and the base time did not advance
1909 +@@ -1150,6 +1162,7 @@ void add_timer_on(struct timer_list *timer, int cpu)
1910 + WRITE_ONCE(timer->flags,
1911 + (timer->flags & ~TIMER_BASEMASK) | cpu);
1912 + }
1913 ++ forward_timer_base(base);
1914 +
1915 + debug_activate(timer, timer->expires);
1916 + internal_add_timer(base, timer);
1917 +@@ -1538,10 +1551,16 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
1918 + if (!is_max_delta)
1919 + expires = basem + (u64)(nextevt - basej) * TICK_NSEC;
1920 + /*
1921 +- * If we expect to sleep more than a tick, mark the base idle:
1922 ++ * If we expect to sleep more than a tick, mark the base idle.
1923 ++ * Also the tick is stopped so any added timer must forward
1924 ++ * the base clk itself to keep granularity small. This idle
1925 ++ * logic is only maintained for the BASE_STD base, deferrable
1926 ++ * timers may still see large granularity skew (by design).
1927 + */
1928 +- if ((expires - basem) > TICK_NSEC)
1929 ++ if ((expires - basem) > TICK_NSEC) {
1930 ++ base->must_forward_clk = true;
1931 + base->is_idle = true;
1932 ++ }
1933 + }
1934 + spin_unlock(&base->lock);
1935 +
1936 +@@ -1651,6 +1670,19 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
1937 + {
1938 + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
1939 +
1940 ++ /*
1941 ++ * must_forward_clk must be cleared before running timers so that any
1942 ++ * timer functions that call mod_timer will not try to forward the
1943 ++ * base. idle trcking / clock forwarding logic is only used with
1944 ++ * BASE_STD timers.
1945 ++ *
1946 ++ * The deferrable base does not do idle tracking at all, so we do
1947 ++ * not forward it. This can result in very large variations in
1948 ++ * granularity for deferrable timers, but they can be deferred for
1949 ++ * long periods due to idle.
1950 ++ */
1951 ++ base->must_forward_clk = false;
1952 ++
1953 + __run_timers(base);
1954 + if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active)
1955 + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
1956 +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
1957 +index 5dcb99281259..41805fb3c661 100644
1958 +--- a/kernel/trace/bpf_trace.c
1959 ++++ b/kernel/trace/bpf_trace.c
1960 +@@ -203,10 +203,36 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
1961 + fmt_cnt++;
1962 + }
1963 +
1964 +- return __trace_printk(1/* fake ip will not be printed */, fmt,
1965 +- mod[0] == 2 ? arg1 : mod[0] == 1 ? (long) arg1 : (u32) arg1,
1966 +- mod[1] == 2 ? arg2 : mod[1] == 1 ? (long) arg2 : (u32) arg2,
1967 +- mod[2] == 2 ? arg3 : mod[2] == 1 ? (long) arg3 : (u32) arg3);
1968 ++/* Horrid workaround for getting va_list handling working with different
1969 ++ * argument type combinations generically for 32 and 64 bit archs.
1970 ++ */
1971 ++#define __BPF_TP_EMIT() __BPF_ARG3_TP()
1972 ++#define __BPF_TP(...) \
1973 ++ __trace_printk(1 /* Fake ip will not be printed. */, \
1974 ++ fmt, ##__VA_ARGS__)
1975 ++
1976 ++#define __BPF_ARG1_TP(...) \
1977 ++ ((mod[0] == 2 || (mod[0] == 1 && __BITS_PER_LONG == 64)) \
1978 ++ ? __BPF_TP(arg1, ##__VA_ARGS__) \
1979 ++ : ((mod[0] == 1 || (mod[0] == 0 && __BITS_PER_LONG == 32)) \
1980 ++ ? __BPF_TP((long)arg1, ##__VA_ARGS__) \
1981 ++ : __BPF_TP((u32)arg1, ##__VA_ARGS__)))
1982 ++
1983 ++#define __BPF_ARG2_TP(...) \
1984 ++ ((mod[1] == 2 || (mod[1] == 1 && __BITS_PER_LONG == 64)) \
1985 ++ ? __BPF_ARG1_TP(arg2, ##__VA_ARGS__) \
1986 ++ : ((mod[1] == 1 || (mod[1] == 0 && __BITS_PER_LONG == 32)) \
1987 ++ ? __BPF_ARG1_TP((long)arg2, ##__VA_ARGS__) \
1988 ++ : __BPF_ARG1_TP((u32)arg2, ##__VA_ARGS__)))
1989 ++
1990 ++#define __BPF_ARG3_TP(...) \
1991 ++ ((mod[2] == 2 || (mod[2] == 1 && __BITS_PER_LONG == 64)) \
1992 ++ ? __BPF_ARG2_TP(arg3, ##__VA_ARGS__) \
1993 ++ : ((mod[2] == 1 || (mod[2] == 0 && __BITS_PER_LONG == 32)) \
1994 ++ ? __BPF_ARG2_TP((long)arg3, ##__VA_ARGS__) \
1995 ++ : __BPF_ARG2_TP((u32)arg3, ##__VA_ARGS__)))
1996 ++
1997 ++ return __BPF_TP_EMIT();
1998 + }
1999 +
2000 + static const struct bpf_func_proto bpf_trace_printk_proto = {
2001 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
2002 +index 4f7ea8446bb5..6e432ed7d0fe 100644
2003 +--- a/kernel/trace/ftrace.c
2004 ++++ b/kernel/trace/ftrace.c
2005 +@@ -876,6 +876,10 @@ static int profile_graph_entry(struct ftrace_graph_ent *trace)
2006 +
2007 + function_profile_call(trace->func, 0, NULL, NULL);
2008 +
2009 ++ /* If function graph is shutting down, ret_stack can be NULL */
2010 ++ if (!current->ret_stack)
2011 ++ return 0;
2012 ++
2013 + if (index >= 0 && index < FTRACE_RETFUNC_DEPTH)
2014 + current->ret_stack[index].subtime = 0;
2015 +
2016 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2017 +index 53c308068e39..7379f735a9f4 100644
2018 +--- a/kernel/trace/trace.c
2019 ++++ b/kernel/trace/trace.c
2020 +@@ -7767,4 +7767,4 @@ __init static int clear_boot_tracer(void)
2021 + }
2022 +
2023 + fs_initcall(tracer_init_tracefs);
2024 +-late_initcall(clear_boot_tracer);
2025 ++late_initcall_sync(clear_boot_tracer);
2026 +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
2027 +index 9daa9b3bc6d9..0193f58c45f0 100644
2028 +--- a/kernel/trace/trace_events_filter.c
2029 ++++ b/kernel/trace/trace_events_filter.c
2030 +@@ -1926,6 +1926,10 @@ static int create_filter(struct trace_event_call *call,
2031 + if (err && set_str)
2032 + append_filter_err(ps, filter);
2033 + }
2034 ++ if (err && !set_str) {
2035 ++ free_event_filter(filter);
2036 ++ filter = NULL;
2037 ++ }
2038 + create_filter_finish(ps);
2039 +
2040 + *filterp = filter;
2041 +diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c
2042 +index 0a689bbb78ef..305039b122fa 100644
2043 +--- a/kernel/trace/tracing_map.c
2044 ++++ b/kernel/trace/tracing_map.c
2045 +@@ -221,16 +221,19 @@ void tracing_map_array_free(struct tracing_map_array *a)
2046 + if (!a)
2047 + return;
2048 +
2049 +- if (!a->pages) {
2050 +- kfree(a);
2051 +- return;
2052 +- }
2053 ++ if (!a->pages)
2054 ++ goto free;
2055 +
2056 + for (i = 0; i < a->n_pages; i++) {
2057 + if (!a->pages[i])
2058 + break;
2059 + free_page((unsigned long)a->pages[i]);
2060 + }
2061 ++
2062 ++ kfree(a->pages);
2063 ++
2064 ++ free:
2065 ++ kfree(a);
2066 + }
2067 +
2068 + struct tracing_map_array *tracing_map_array_alloc(unsigned int n_elts,
2069 +diff --git a/mm/madvise.c b/mm/madvise.c
2070 +index 253b1533fba5..63a12162f4c6 100644
2071 +--- a/mm/madvise.c
2072 ++++ b/mm/madvise.c
2073 +@@ -331,8 +331,8 @@ static int madvise_free_pte_range(pmd_t *pmd, unsigned long addr,
2074 + pte_offset_map_lock(mm, pmd, addr, &ptl);
2075 + goto out;
2076 + }
2077 +- put_page(page);
2078 + unlock_page(page);
2079 ++ put_page(page);
2080 + pte = pte_offset_map_lock(mm, pmd, addr, &ptl);
2081 + pte--;
2082 + addr -= PAGE_SIZE;
2083 +diff --git a/mm/memblock.c b/mm/memblock.c
2084 +index ccec42c12ba8..42b98af6a415 100644
2085 +--- a/mm/memblock.c
2086 ++++ b/mm/memblock.c
2087 +@@ -311,7 +311,7 @@ void __init memblock_discard(void)
2088 + __memblock_free_late(addr, size);
2089 + }
2090 +
2091 +- if (memblock.memory.regions == memblock_memory_init_regions) {
2092 ++ if (memblock.memory.regions != memblock_memory_init_regions) {
2093 + addr = __pa(memblock.memory.regions);
2094 + size = PAGE_ALIGN(sizeof(struct memblock_region) *
2095 + memblock.memory.max);
2096 +diff --git a/mm/shmem.c b/mm/shmem.c
2097 +index 7ee5444ffb6d..004e0f87e8a8 100644
2098 +--- a/mm/shmem.c
2099 ++++ b/mm/shmem.c
2100 +@@ -3810,7 +3810,7 @@ int __init shmem_init(void)
2101 + }
2102 +
2103 + #ifdef CONFIG_TRANSPARENT_HUGE_PAGECACHE
2104 +- if (has_transparent_hugepage() && shmem_huge < SHMEM_HUGE_DENY)
2105 ++ if (has_transparent_hugepage() && shmem_huge > SHMEM_HUGE_DENY)
2106 + SHMEM_SB(shm_mnt->mnt_sb)->huge = shmem_huge;
2107 + else
2108 + shmem_huge = 0; /* just in case it was patched */
2109 +@@ -3871,7 +3871,7 @@ static ssize_t shmem_enabled_store(struct kobject *kobj,
2110 + return -EINVAL;
2111 +
2112 + shmem_huge = huge;
2113 +- if (shmem_huge < SHMEM_HUGE_DENY)
2114 ++ if (shmem_huge > SHMEM_HUGE_DENY)
2115 + SHMEM_SB(shm_mnt->mnt_sb)->huge = shmem_huge;
2116 + return count;
2117 + }
2118 +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
2119 +index fbf251fef70f..4d6b94d7ce5f 100644
2120 +--- a/net/bluetooth/bnep/core.c
2121 ++++ b/net/bluetooth/bnep/core.c
2122 +@@ -484,16 +484,16 @@ static int bnep_session(void *arg)
2123 + struct net_device *dev = s->dev;
2124 + struct sock *sk = s->sock->sk;
2125 + struct sk_buff *skb;
2126 +- wait_queue_t wait;
2127 ++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
2128 +
2129 + BT_DBG("");
2130 +
2131 + set_user_nice(current, -15);
2132 +
2133 +- init_waitqueue_entry(&wait, current);
2134 + add_wait_queue(sk_sleep(sk), &wait);
2135 + while (1) {
2136 +- set_current_state(TASK_INTERRUPTIBLE);
2137 ++ /* Ensure session->terminate is updated */
2138 ++ smp_mb__before_atomic();
2139 +
2140 + if (atomic_read(&s->terminate))
2141 + break;
2142 +@@ -515,9 +515,8 @@ static int bnep_session(void *arg)
2143 + break;
2144 + netif_wake_queue(dev);
2145 +
2146 +- schedule();
2147 ++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2148 + }
2149 +- __set_current_state(TASK_RUNNING);
2150 + remove_wait_queue(sk_sleep(sk), &wait);
2151 +
2152 + /* Cleanup session */
2153 +@@ -666,7 +665,7 @@ int bnep_del_connection(struct bnep_conndel_req *req)
2154 + s = __bnep_get_session(req->dst);
2155 + if (s) {
2156 + atomic_inc(&s->terminate);
2157 +- wake_up_process(s->task);
2158 ++ wake_up_interruptible(sk_sleep(s->sock->sk));
2159 + } else
2160 + err = -ENOENT;
2161 +
2162 +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
2163 +index 9e59b6654126..1152ce34dad4 100644
2164 +--- a/net/bluetooth/cmtp/core.c
2165 ++++ b/net/bluetooth/cmtp/core.c
2166 +@@ -280,16 +280,16 @@ static int cmtp_session(void *arg)
2167 + struct cmtp_session *session = arg;
2168 + struct sock *sk = session->sock->sk;
2169 + struct sk_buff *skb;
2170 +- wait_queue_t wait;
2171 ++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
2172 +
2173 + BT_DBG("session %p", session);
2174 +
2175 + set_user_nice(current, -15);
2176 +
2177 +- init_waitqueue_entry(&wait, current);
2178 + add_wait_queue(sk_sleep(sk), &wait);
2179 + while (1) {
2180 +- set_current_state(TASK_INTERRUPTIBLE);
2181 ++ /* Ensure session->terminate is updated */
2182 ++ smp_mb__before_atomic();
2183 +
2184 + if (atomic_read(&session->terminate))
2185 + break;
2186 +@@ -306,9 +306,8 @@ static int cmtp_session(void *arg)
2187 +
2188 + cmtp_process_transmit(session);
2189 +
2190 +- schedule();
2191 ++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2192 + }
2193 +- __set_current_state(TASK_RUNNING);
2194 + remove_wait_queue(sk_sleep(sk), &wait);
2195 +
2196 + down_write(&cmtp_session_sem);
2197 +@@ -393,7 +392,7 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
2198 + err = cmtp_attach_device(session);
2199 + if (err < 0) {
2200 + atomic_inc(&session->terminate);
2201 +- wake_up_process(session->task);
2202 ++ wake_up_interruptible(sk_sleep(session->sock->sk));
2203 + up_write(&cmtp_session_sem);
2204 + return err;
2205 + }
2206 +@@ -431,7 +430,11 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
2207 +
2208 + /* Stop session thread */
2209 + atomic_inc(&session->terminate);
2210 +- wake_up_process(session->task);
2211 ++
2212 ++ /* Ensure session->terminate is updated */
2213 ++ smp_mb__after_atomic();
2214 ++
2215 ++ wake_up_interruptible(sk_sleep(session->sock->sk));
2216 + } else
2217 + err = -ENOENT;
2218 +
2219 +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
2220 +index 0bec4588c3c8..1fc076420d1e 100644
2221 +--- a/net/bluetooth/hidp/core.c
2222 ++++ b/net/bluetooth/hidp/core.c
2223 +@@ -36,6 +36,7 @@
2224 + #define VERSION "1.2"
2225 +
2226 + static DECLARE_RWSEM(hidp_session_sem);
2227 ++static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
2228 + static LIST_HEAD(hidp_session_list);
2229 +
2230 + static unsigned char hidp_keycode[256] = {
2231 +@@ -1068,12 +1069,12 @@ static int hidp_session_start_sync(struct hidp_session *session)
2232 + * Wake up session thread and notify it to stop. This is asynchronous and
2233 + * returns immediately. Call this whenever a runtime error occurs and you want
2234 + * the session to stop.
2235 +- * Note: wake_up_process() performs any necessary memory-barriers for us.
2236 ++ * Note: wake_up_interruptible() performs any necessary memory-barriers for us.
2237 + */
2238 + static void hidp_session_terminate(struct hidp_session *session)
2239 + {
2240 + atomic_inc(&session->terminate);
2241 +- wake_up_process(session->task);
2242 ++ wake_up_interruptible(&hidp_session_wq);
2243 + }
2244 +
2245 + /*
2246 +@@ -1180,7 +1181,9 @@ static void hidp_session_run(struct hidp_session *session)
2247 + struct sock *ctrl_sk = session->ctrl_sock->sk;
2248 + struct sock *intr_sk = session->intr_sock->sk;
2249 + struct sk_buff *skb;
2250 ++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
2251 +
2252 ++ add_wait_queue(&hidp_session_wq, &wait);
2253 + for (;;) {
2254 + /*
2255 + * This thread can be woken up two ways:
2256 +@@ -1188,12 +1191,10 @@ static void hidp_session_run(struct hidp_session *session)
2257 + * session->terminate flag and wakes this thread up.
2258 + * - Via modifying the socket state of ctrl/intr_sock. This
2259 + * thread is woken up by ->sk_state_changed().
2260 +- *
2261 +- * Note: set_current_state() performs any necessary
2262 +- * memory-barriers for us.
2263 + */
2264 +- set_current_state(TASK_INTERRUPTIBLE);
2265 +
2266 ++ /* Ensure session->terminate is updated */
2267 ++ smp_mb__before_atomic();
2268 + if (atomic_read(&session->terminate))
2269 + break;
2270 +
2271 +@@ -1227,11 +1228,22 @@ static void hidp_session_run(struct hidp_session *session)
2272 + hidp_process_transmit(session, &session->ctrl_transmit,
2273 + session->ctrl_sock);
2274 +
2275 +- schedule();
2276 ++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2277 + }
2278 ++ remove_wait_queue(&hidp_session_wq, &wait);
2279 +
2280 + atomic_inc(&session->terminate);
2281 +- set_current_state(TASK_RUNNING);
2282 ++
2283 ++ /* Ensure session->terminate is updated */
2284 ++ smp_mb__after_atomic();
2285 ++}
2286 ++
2287 ++static int hidp_session_wake_function(wait_queue_t *wait,
2288 ++ unsigned int mode,
2289 ++ int sync, void *key)
2290 ++{
2291 ++ wake_up_interruptible(&hidp_session_wq);
2292 ++ return false;
2293 + }
2294 +
2295 + /*
2296 +@@ -1244,7 +1256,8 @@ static void hidp_session_run(struct hidp_session *session)
2297 + static int hidp_session_thread(void *arg)
2298 + {
2299 + struct hidp_session *session = arg;
2300 +- wait_queue_t ctrl_wait, intr_wait;
2301 ++ DEFINE_WAIT_FUNC(ctrl_wait, hidp_session_wake_function);
2302 ++ DEFINE_WAIT_FUNC(intr_wait, hidp_session_wake_function);
2303 +
2304 + BT_DBG("session %p", session);
2305 +
2306 +@@ -1254,8 +1267,6 @@ static int hidp_session_thread(void *arg)
2307 + set_user_nice(current, -15);
2308 + hidp_set_timer(session);
2309 +
2310 +- init_waitqueue_entry(&ctrl_wait, current);
2311 +- init_waitqueue_entry(&intr_wait, current);
2312 + add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
2313 + add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
2314 + /* This memory barrier is paired with wq_has_sleeper(). See
2315 +diff --git a/net/dccp/proto.c b/net/dccp/proto.c
2316 +index 9fe25bf63296..b68168fcc06a 100644
2317 +--- a/net/dccp/proto.c
2318 ++++ b/net/dccp/proto.c
2319 +@@ -24,6 +24,7 @@
2320 + #include <net/checksum.h>
2321 +
2322 + #include <net/inet_sock.h>
2323 ++#include <net/inet_common.h>
2324 + #include <net/sock.h>
2325 + #include <net/xfrm.h>
2326 +
2327 +@@ -170,6 +171,15 @@ const char *dccp_packet_name(const int type)
2328 +
2329 + EXPORT_SYMBOL_GPL(dccp_packet_name);
2330 +
2331 ++static void dccp_sk_destruct(struct sock *sk)
2332 ++{
2333 ++ struct dccp_sock *dp = dccp_sk(sk);
2334 ++
2335 ++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
2336 ++ dp->dccps_hc_tx_ccid = NULL;
2337 ++ inet_sock_destruct(sk);
2338 ++}
2339 ++
2340 + int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
2341 + {
2342 + struct dccp_sock *dp = dccp_sk(sk);
2343 +@@ -179,6 +189,7 @@ int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
2344 + icsk->icsk_syn_retries = sysctl_dccp_request_retries;
2345 + sk->sk_state = DCCP_CLOSED;
2346 + sk->sk_write_space = dccp_write_space;
2347 ++ sk->sk_destruct = dccp_sk_destruct;
2348 + icsk->icsk_sync_mss = dccp_sync_mss;
2349 + dp->dccps_mss_cache = 536;
2350 + dp->dccps_rate_last = jiffies;
2351 +@@ -201,10 +212,7 @@ void dccp_destroy_sock(struct sock *sk)
2352 + {
2353 + struct dccp_sock *dp = dccp_sk(sk);
2354 +
2355 +- /*
2356 +- * DCCP doesn't use sk_write_queue, just sk_send_head
2357 +- * for retransmissions
2358 +- */
2359 ++ __skb_queue_purge(&sk->sk_write_queue);
2360 + if (sk->sk_send_head != NULL) {
2361 + kfree_skb(sk->sk_send_head);
2362 + sk->sk_send_head = NULL;
2363 +@@ -222,8 +230,7 @@ void dccp_destroy_sock(struct sock *sk)
2364 + dp->dccps_hc_rx_ackvec = NULL;
2365 + }
2366 + ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
2367 +- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
2368 +- dp->dccps_hc_rx_ccid = dp->dccps_hc_tx_ccid = NULL;
2369 ++ dp->dccps_hc_rx_ccid = NULL;
2370 +
2371 + /* clean up feature negotiation state */
2372 + dccp_feat_list_purge(&dp->dccps_featneg);
2373 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
2374 +index 7563831fa432..38c1c979ecb1 100644
2375 +--- a/net/ipv4/fib_semantics.c
2376 ++++ b/net/ipv4/fib_semantics.c
2377 +@@ -1044,15 +1044,17 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
2378 + fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
2379 + if (!fi)
2380 + goto failure;
2381 +- fib_info_cnt++;
2382 + if (cfg->fc_mx) {
2383 + fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL);
2384 +- if (!fi->fib_metrics)
2385 +- goto failure;
2386 ++ if (unlikely(!fi->fib_metrics)) {
2387 ++ kfree(fi);
2388 ++ return ERR_PTR(err);
2389 ++ }
2390 + atomic_set(&fi->fib_metrics->refcnt, 1);
2391 +- } else
2392 ++ } else {
2393 + fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
2394 +-
2395 ++ }
2396 ++ fib_info_cnt++;
2397 + fi->fib_net = net;
2398 + fi->fib_protocol = cfg->fc_protocol;
2399 + fi->fib_scope = cfg->fc_scope;
2400 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
2401 +index 6cd49fd17ac0..6a5b7783932e 100644
2402 +--- a/net/ipv4/route.c
2403 ++++ b/net/ipv4/route.c
2404 +@@ -1247,7 +1247,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
2405 + if (mtu)
2406 + return mtu;
2407 +
2408 +- mtu = dst->dev->mtu;
2409 ++ mtu = READ_ONCE(dst->dev->mtu);
2410 +
2411 + if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
2412 + if (rt->rt_uses_gateway && mtu > 576)
2413 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
2414 +index 32c540145c17..c03850771a4e 100644
2415 +--- a/net/ipv4/tcp_input.c
2416 ++++ b/net/ipv4/tcp_input.c
2417 +@@ -3036,8 +3036,7 @@ void tcp_rearm_rto(struct sock *sk)
2418 + /* delta may not be positive if the socket is locked
2419 + * when the retrans timer fires and is rescheduled.
2420 + */
2421 +- if (delta > 0)
2422 +- rto = delta;
2423 ++ rto = max(delta, 1);
2424 + }
2425 + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, rto,
2426 + TCP_RTO_MAX);
2427 +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
2428 +index 4345ee39f180..ff389591a340 100644
2429 +--- a/net/ipv6/ip6_fib.c
2430 ++++ b/net/ipv6/ip6_fib.c
2431 +@@ -897,6 +897,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
2432 + }
2433 + nsiblings = iter->rt6i_nsiblings;
2434 + fib6_purge_rt(iter, fn, info->nl_net);
2435 ++ if (fn->rr_ptr == iter)
2436 ++ fn->rr_ptr = NULL;
2437 + rt6_release(iter);
2438 +
2439 + if (nsiblings) {
2440 +@@ -909,6 +911,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
2441 + if (rt6_qualify_for_ecmp(iter)) {
2442 + *ins = iter->dst.rt6_next;
2443 + fib6_purge_rt(iter, fn, info->nl_net);
2444 ++ if (fn->rr_ptr == iter)
2445 ++ fn->rr_ptr = NULL;
2446 + rt6_release(iter);
2447 + nsiblings--;
2448 + } else {
2449 +@@ -997,7 +1001,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
2450 + /* Create subtree root node */
2451 + sfn = node_alloc();
2452 + if (!sfn)
2453 +- goto st_failure;
2454 ++ goto failure;
2455 +
2456 + sfn->leaf = info->nl_net->ipv6.ip6_null_entry;
2457 + atomic_inc(&info->nl_net->ipv6.ip6_null_entry->rt6i_ref);
2458 +@@ -1013,12 +1017,12 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
2459 +
2460 + if (IS_ERR(sn)) {
2461 + /* If it is failed, discard just allocated
2462 +- root, and then (in st_failure) stale node
2463 ++ root, and then (in failure) stale node
2464 + in main tree.
2465 + */
2466 + node_free(sfn);
2467 + err = PTR_ERR(sn);
2468 +- goto st_failure;
2469 ++ goto failure;
2470 + }
2471 +
2472 + /* Now link new subtree to main tree */
2473 +@@ -1032,7 +1036,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
2474 +
2475 + if (IS_ERR(sn)) {
2476 + err = PTR_ERR(sn);
2477 +- goto st_failure;
2478 ++ goto failure;
2479 + }
2480 + }
2481 +
2482 +@@ -1074,22 +1078,22 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
2483 + atomic_inc(&pn->leaf->rt6i_ref);
2484 + }
2485 + #endif
2486 +- if (!(rt->dst.flags & DST_NOCACHE))
2487 +- dst_free(&rt->dst);
2488 ++ goto failure;
2489 + }
2490 + return err;
2491 +
2492 +-#ifdef CONFIG_IPV6_SUBTREES
2493 +- /* Subtree creation failed, probably main tree node
2494 +- is orphan. If it is, shoot it.
2495 ++failure:
2496 ++ /* fn->leaf could be NULL if fn is an intermediate node and we
2497 ++ * failed to add the new route to it in both subtree creation
2498 ++ * failure and fib6_add_rt2node() failure case.
2499 ++ * In both cases, fib6_repair_tree() should be called to fix
2500 ++ * fn->leaf.
2501 + */
2502 +-st_failure:
2503 + if (fn && !(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)))
2504 + fib6_repair_tree(info->nl_net, fn);
2505 + if (!(rt->dst.flags & DST_NOCACHE))
2506 + dst_free(&rt->dst);
2507 + return err;
2508 +-#endif
2509 + }
2510 +
2511 + /*
2512 +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
2513 +index 391c3cbd2eed..101ed6c42808 100644
2514 +--- a/net/irda/af_irda.c
2515 ++++ b/net/irda/af_irda.c
2516 +@@ -2223,7 +2223,7 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
2517 + {
2518 + struct sock *sk = sock->sk;
2519 + struct irda_sock *self = irda_sk(sk);
2520 +- struct irda_device_list list;
2521 ++ struct irda_device_list list = { 0 };
2522 + struct irda_device_info *discoveries;
2523 + struct irda_ias_set * ias_opt; /* IAS get/query params */
2524 + struct ias_object * ias_obj; /* Object in IAS */
2525 +diff --git a/net/key/af_key.c b/net/key/af_key.c
2526 +index 2e1050ec2cf0..94bf810ad242 100644
2527 +--- a/net/key/af_key.c
2528 ++++ b/net/key/af_key.c
2529 +@@ -228,7 +228,7 @@ static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2,
2530 + #define BROADCAST_ONE 1
2531 + #define BROADCAST_REGISTERED 2
2532 + #define BROADCAST_PROMISC_ONLY 4
2533 +-static int pfkey_broadcast(struct sk_buff *skb,
2534 ++static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
2535 + int broadcast_flags, struct sock *one_sk,
2536 + struct net *net)
2537 + {
2538 +@@ -278,7 +278,7 @@ static int pfkey_broadcast(struct sk_buff *skb,
2539 + rcu_read_unlock();
2540 +
2541 + if (one_sk != NULL)
2542 +- err = pfkey_broadcast_one(skb, &skb2, GFP_KERNEL, one_sk);
2543 ++ err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
2544 +
2545 + kfree_skb(skb2);
2546 + kfree_skb(skb);
2547 +@@ -311,7 +311,7 @@ static int pfkey_do_dump(struct pfkey_sock *pfk)
2548 + hdr = (struct sadb_msg *) pfk->dump.skb->data;
2549 + hdr->sadb_msg_seq = 0;
2550 + hdr->sadb_msg_errno = rc;
2551 +- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
2552 ++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
2553 + &pfk->sk, sock_net(&pfk->sk));
2554 + pfk->dump.skb = NULL;
2555 + }
2556 +@@ -355,7 +355,7 @@ static int pfkey_error(const struct sadb_msg *orig, int err, struct sock *sk)
2557 + hdr->sadb_msg_len = (sizeof(struct sadb_msg) /
2558 + sizeof(uint64_t));
2559 +
2560 +- pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
2561 ++ pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));
2562 +
2563 + return 0;
2564 + }
2565 +@@ -1396,7 +1396,7 @@ static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_
2566 +
2567 + xfrm_state_put(x);
2568 +
2569 +- pfkey_broadcast(resp_skb, BROADCAST_ONE, sk, net);
2570 ++ pfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);
2571 +
2572 + return 0;
2573 + }
2574 +@@ -1483,7 +1483,7 @@ static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)
2575 + hdr->sadb_msg_seq = c->seq;
2576 + hdr->sadb_msg_pid = c->portid;
2577 +
2578 +- pfkey_broadcast(skb, BROADCAST_ALL, NULL, xs_net(x));
2579 ++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));
2580 +
2581 + return 0;
2582 + }
2583 +@@ -1596,7 +1596,7 @@ static int pfkey_get(struct sock *sk, struct sk_buff *skb, const struct sadb_msg
2584 + out_hdr->sadb_msg_reserved = 0;
2585 + out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
2586 + out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
2587 +- pfkey_broadcast(out_skb, BROADCAST_ONE, sk, sock_net(sk));
2588 ++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
2589 +
2590 + return 0;
2591 + }
2592 +@@ -1701,8 +1701,8 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
2593 + return -ENOBUFS;
2594 + }
2595 +
2596 +- pfkey_broadcast(supp_skb, BROADCAST_REGISTERED, sk, sock_net(sk));
2597 +-
2598 ++ pfkey_broadcast(supp_skb, GFP_KERNEL, BROADCAST_REGISTERED, sk,
2599 ++ sock_net(sk));
2600 + return 0;
2601 + }
2602 +
2603 +@@ -1720,7 +1720,8 @@ static int unicast_flush_resp(struct sock *sk, const struct sadb_msg *ihdr)
2604 + hdr->sadb_msg_errno = (uint8_t) 0;
2605 + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
2606 +
2607 +- return pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
2608 ++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk,
2609 ++ sock_net(sk));
2610 + }
2611 +
2612 + static int key_notify_sa_flush(const struct km_event *c)
2613 +@@ -1741,7 +1742,7 @@ static int key_notify_sa_flush(const struct km_event *c)
2614 + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
2615 + hdr->sadb_msg_reserved = 0;
2616 +
2617 +- pfkey_broadcast(skb, BROADCAST_ALL, NULL, c->net);
2618 ++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
2619 +
2620 + return 0;
2621 + }
2622 +@@ -1798,7 +1799,7 @@ static int dump_sa(struct xfrm_state *x, int count, void *ptr)
2623 + out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
2624 +
2625 + if (pfk->dump.skb)
2626 +- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
2627 ++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
2628 + &pfk->sk, sock_net(&pfk->sk));
2629 + pfk->dump.skb = out_skb;
2630 +
2631 +@@ -1886,7 +1887,7 @@ static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb
2632 + new_hdr->sadb_msg_errno = 0;
2633 + }
2634 +
2635 +- pfkey_broadcast(skb, BROADCAST_ALL, NULL, sock_net(sk));
2636 ++ pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
2637 + return 0;
2638 + }
2639 +
2640 +@@ -2219,7 +2220,7 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_ev
2641 + out_hdr->sadb_msg_errno = 0;
2642 + out_hdr->sadb_msg_seq = c->seq;
2643 + out_hdr->sadb_msg_pid = c->portid;
2644 +- pfkey_broadcast(out_skb, BROADCAST_ALL, NULL, xp_net(xp));
2645 ++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));
2646 + return 0;
2647 +
2648 + }
2649 +@@ -2439,7 +2440,7 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
2650 + out_hdr->sadb_msg_errno = 0;
2651 + out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
2652 + out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
2653 +- pfkey_broadcast(out_skb, BROADCAST_ONE, sk, xp_net(xp));
2654 ++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));
2655 + err = 0;
2656 +
2657 + out:
2658 +@@ -2695,7 +2696,7 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
2659 + out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
2660 +
2661 + if (pfk->dump.skb)
2662 +- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
2663 ++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
2664 + &pfk->sk, sock_net(&pfk->sk));
2665 + pfk->dump.skb = out_skb;
2666 +
2667 +@@ -2752,7 +2753,7 @@ static int key_notify_policy_flush(const struct km_event *c)
2668 + hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
2669 + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
2670 + hdr->sadb_msg_reserved = 0;
2671 +- pfkey_broadcast(skb_out, BROADCAST_ALL, NULL, c->net);
2672 ++ pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
2673 + return 0;
2674 +
2675 + }
2676 +@@ -2814,7 +2815,7 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
2677 + void *ext_hdrs[SADB_EXT_MAX];
2678 + int err;
2679 +
2680 +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL),
2681 ++ pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
2682 + BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
2683 +
2684 + memset(ext_hdrs, 0, sizeof(ext_hdrs));
2685 +@@ -3036,7 +3037,8 @@ static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
2686 + out_hdr->sadb_msg_seq = 0;
2687 + out_hdr->sadb_msg_pid = 0;
2688 +
2689 +- pfkey_broadcast(out_skb, BROADCAST_REGISTERED, NULL, xs_net(x));
2690 ++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
2691 ++ xs_net(x));
2692 + return 0;
2693 + }
2694 +
2695 +@@ -3226,7 +3228,8 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
2696 + xfrm_ctx->ctx_len);
2697 + }
2698 +
2699 +- return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
2700 ++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
2701 ++ xs_net(x));
2702 + }
2703 +
2704 + static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
2705 +@@ -3424,7 +3427,8 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
2706 + n_port->sadb_x_nat_t_port_port = sport;
2707 + n_port->sadb_x_nat_t_port_reserved = 0;
2708 +
2709 +- return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
2710 ++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
2711 ++ xs_net(x));
2712 + }
2713 +
2714 + #ifdef CONFIG_NET_KEY_MIGRATE
2715 +@@ -3616,7 +3620,7 @@ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2716 + }
2717 +
2718 + /* broadcast migrate message to sockets */
2719 +- pfkey_broadcast(skb, BROADCAST_ALL, NULL, &init_net);
2720 ++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
2721 +
2722 + return 0;
2723 +
2724 +diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
2725 +index 5b9c884a452e..dde64c4565d2 100644
2726 +--- a/net/netfilter/nf_nat_core.c
2727 ++++ b/net/netfilter/nf_nat_core.c
2728 +@@ -225,20 +225,21 @@ find_appropriate_src(struct net *net,
2729 + .tuple = tuple,
2730 + .zone = zone
2731 + };
2732 +- struct rhlist_head *hl;
2733 ++ struct rhlist_head *hl, *h;
2734 +
2735 + hl = rhltable_lookup(&nf_nat_bysource_table, &key,
2736 + nf_nat_bysource_params);
2737 +- if (!hl)
2738 +- return 0;
2739 +
2740 +- ct = container_of(hl, typeof(*ct), nat_bysource);
2741 ++ rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) {
2742 ++ nf_ct_invert_tuplepr(result,
2743 ++ &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
2744 ++ result->dst = tuple->dst;
2745 +
2746 +- nf_ct_invert_tuplepr(result,
2747 +- &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
2748 +- result->dst = tuple->dst;
2749 ++ if (in_range(l3proto, l4proto, result, range))
2750 ++ return 1;
2751 ++ }
2752 +
2753 +- return in_range(l3proto, l4proto, result, range);
2754 ++ return 0;
2755 + }
2756 +
2757 + /* For [FUTURE] fragmentation handling, we want the least-used
2758 +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
2759 +index 4e03f64709bc..05d9f42fc309 100644
2760 +--- a/net/openvswitch/actions.c
2761 ++++ b/net/openvswitch/actions.c
2762 +@@ -1240,6 +1240,7 @@ int ovs_execute_actions(struct datapath *dp, struct sk_buff *skb,
2763 + goto out;
2764 + }
2765 +
2766 ++ OVS_CB(skb)->acts_origlen = acts->orig_len;
2767 + err = do_execute_actions(dp, skb, key,
2768 + acts->actions, acts->actions_len);
2769 +
2770 +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
2771 +index 4d67ea856067..453f806afe6e 100644
2772 +--- a/net/openvswitch/datapath.c
2773 ++++ b/net/openvswitch/datapath.c
2774 +@@ -383,7 +383,7 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
2775 + }
2776 +
2777 + static size_t upcall_msg_size(const struct dp_upcall_info *upcall_info,
2778 +- unsigned int hdrlen)
2779 ++ unsigned int hdrlen, int actions_attrlen)
2780 + {
2781 + size_t size = NLMSG_ALIGN(sizeof(struct ovs_header))
2782 + + nla_total_size(hdrlen) /* OVS_PACKET_ATTR_PACKET */
2783 +@@ -400,7 +400,7 @@ static size_t upcall_msg_size(const struct dp_upcall_info *upcall_info,
2784 +
2785 + /* OVS_PACKET_ATTR_ACTIONS */
2786 + if (upcall_info->actions_len)
2787 +- size += nla_total_size(upcall_info->actions_len);
2788 ++ size += nla_total_size(actions_attrlen);
2789 +
2790 + /* OVS_PACKET_ATTR_MRU */
2791 + if (upcall_info->mru)
2792 +@@ -467,7 +467,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
2793 + else
2794 + hlen = skb->len;
2795 +
2796 +- len = upcall_msg_size(upcall_info, hlen - cutlen);
2797 ++ len = upcall_msg_size(upcall_info, hlen - cutlen,
2798 ++ OVS_CB(skb)->acts_origlen);
2799 + user_skb = genlmsg_new(len, GFP_ATOMIC);
2800 + if (!user_skb) {
2801 + err = -ENOMEM;
2802 +diff --git a/net/openvswitch/datapath.h b/net/openvswitch/datapath.h
2803 +index ab85c1cae255..e19ace428e38 100644
2804 +--- a/net/openvswitch/datapath.h
2805 ++++ b/net/openvswitch/datapath.h
2806 +@@ -100,12 +100,14 @@ struct datapath {
2807 + * @input_vport: The original vport packet came in on. This value is cached
2808 + * when a packet is received by OVS.
2809 + * @mru: The maximum received fragement size; 0 if the packet is not
2810 ++ * @acts_origlen: The netlink size of the flow actions applied to this skb.
2811 + * @cutlen: The number of bytes from the packet end to be removed.
2812 + * fragmented.
2813 + */
2814 + struct ovs_skb_cb {
2815 + struct vport *input_vport;
2816 + u16 mru;
2817 ++ u16 acts_origlen;
2818 + u32 cutlen;
2819 + };
2820 + #define OVS_CB(skb) ((struct ovs_skb_cb *)(skb)->cb)
2821 +diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
2822 +index a1aec0a6c789..50030519a89b 100644
2823 +--- a/net/sched/act_ipt.c
2824 ++++ b/net/sched/act_ipt.c
2825 +@@ -41,6 +41,7 @@ static int ipt_init_target(struct xt_entry_target *t, char *table,
2826 + {
2827 + struct xt_tgchk_param par;
2828 + struct xt_target *target;
2829 ++ struct ipt_entry e = {};
2830 + int ret = 0;
2831 +
2832 + target = xt_request_find_target(AF_INET, t->u.user.name,
2833 +@@ -51,6 +52,7 @@ static int ipt_init_target(struct xt_entry_target *t, char *table,
2834 + t->u.kernel.target = target;
2835 + memset(&par, 0, sizeof(par));
2836 + par.table = table;
2837 ++ par.entryinfo = &e;
2838 + par.target = target;
2839 + par.targinfo = t->data;
2840 + par.hook_mask = hook;
2841 +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
2842 +index ff27a85a71a9..195a3b2d9afc 100644
2843 +--- a/net/sched/sch_api.c
2844 ++++ b/net/sched/sch_api.c
2845 +@@ -277,9 +277,6 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
2846 + void qdisc_hash_add(struct Qdisc *q)
2847 + {
2848 + if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
2849 +- struct Qdisc *root = qdisc_dev(q)->qdisc;
2850 +-
2851 +- WARN_ON_ONCE(root == &noop_qdisc);
2852 + ASSERT_RTNL();
2853 + hash_add_rcu(qdisc_dev(q)->qdisc_hash, &q->hash, q->handle);
2854 + }
2855 +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
2856 +index bc5e99584e41..ea8a56f76b32 100644
2857 +--- a/net/sched/sch_sfq.c
2858 ++++ b/net/sched/sch_sfq.c
2859 +@@ -434,6 +434,7 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
2860 + qdisc_drop(head, sch, to_free);
2861 +
2862 + slot_queue_add(slot, skb);
2863 ++ qdisc_tree_reduce_backlog(sch, 0, delta);
2864 + return NET_XMIT_CN;
2865 + }
2866 +
2867 +@@ -465,8 +466,10 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
2868 + /* Return Congestion Notification only if we dropped a packet
2869 + * from this flow.
2870 + */
2871 +- if (qlen != slot->qlen)
2872 ++ if (qlen != slot->qlen) {
2873 ++ qdisc_tree_reduce_backlog(sch, 0, dropped - qdisc_pkt_len(skb));
2874 + return NET_XMIT_CN;
2875 ++ }
2876 +
2877 + /* As we dropped a packet, better let upper stack know this */
2878 + qdisc_tree_reduce_backlog(sch, 1, dropped);
2879 +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
2880 +index 0c090600f377..ca4a63e3eadd 100644
2881 +--- a/net/sctp/ipv6.c
2882 ++++ b/net/sctp/ipv6.c
2883 +@@ -512,7 +512,9 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
2884 + {
2885 + addr->sa.sa_family = AF_INET6;
2886 + addr->v6.sin6_port = port;
2887 ++ addr->v6.sin6_flowinfo = 0;
2888 + addr->v6.sin6_addr = *saddr;
2889 ++ addr->v6.sin6_scope_id = 0;
2890 + }
2891 +
2892 + /* Compare addresses exactly.
2893 +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
2894 +index a4bc98265d88..266a30c8b88b 100644
2895 +--- a/net/sunrpc/svcsock.c
2896 ++++ b/net/sunrpc/svcsock.c
2897 +@@ -408,6 +408,9 @@ static void svc_data_ready(struct sock *sk)
2898 + dprintk("svc: socket %p(inet %p), busy=%d\n",
2899 + svsk, sk,
2900 + test_bit(XPT_BUSY, &svsk->sk_xprt.xpt_flags));
2901 ++
2902 ++ /* Refer to svc_setup_socket() for details. */
2903 ++ rmb();
2904 + svsk->sk_odata(sk);
2905 + if (!test_and_set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags))
2906 + svc_xprt_enqueue(&svsk->sk_xprt);
2907 +@@ -424,6 +427,9 @@ static void svc_write_space(struct sock *sk)
2908 + if (svsk) {
2909 + dprintk("svc: socket %p(inet %p), write_space busy=%d\n",
2910 + svsk, sk, test_bit(XPT_BUSY, &svsk->sk_xprt.xpt_flags));
2911 ++
2912 ++ /* Refer to svc_setup_socket() for details. */
2913 ++ rmb();
2914 + svsk->sk_owspace(sk);
2915 + svc_xprt_enqueue(&svsk->sk_xprt);
2916 + }
2917 +@@ -748,8 +754,12 @@ static void svc_tcp_listen_data_ready(struct sock *sk)
2918 + dprintk("svc: socket %p TCP (listen) state change %d\n",
2919 + sk, sk->sk_state);
2920 +
2921 +- if (svsk)
2922 ++ if (svsk) {
2923 ++ /* Refer to svc_setup_socket() for details. */
2924 ++ rmb();
2925 + svsk->sk_odata(sk);
2926 ++ }
2927 ++
2928 + /*
2929 + * This callback may called twice when a new connection
2930 + * is established as a child socket inherits everything
2931 +@@ -782,6 +792,8 @@ static void svc_tcp_state_change(struct sock *sk)
2932 + if (!svsk)
2933 + printk("svc: socket %p: no user data\n", sk);
2934 + else {
2935 ++ /* Refer to svc_setup_socket() for details. */
2936 ++ rmb();
2937 + svsk->sk_ostate(sk);
2938 + if (sk->sk_state != TCP_ESTABLISHED) {
2939 + set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
2940 +@@ -1368,12 +1380,18 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv,
2941 + return ERR_PTR(err);
2942 + }
2943 +
2944 +- inet->sk_user_data = svsk;
2945 + svsk->sk_sock = sock;
2946 + svsk->sk_sk = inet;
2947 + svsk->sk_ostate = inet->sk_state_change;
2948 + svsk->sk_odata = inet->sk_data_ready;
2949 + svsk->sk_owspace = inet->sk_write_space;
2950 ++ /*
2951 ++ * This barrier is necessary in order to prevent race condition
2952 ++ * with svc_data_ready(), svc_listen_data_ready() and others
2953 ++ * when calling callbacks above.
2954 ++ */
2955 ++ wmb();
2956 ++ inet->sk_user_data = svsk;
2957 +
2958 + /* Initialize the socket */
2959 + if (sock->type == SOCK_DGRAM)
2960 +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
2961 +index 1fd464764765..aedc476fac02 100644
2962 +--- a/net/tipc/netlink_compat.c
2963 ++++ b/net/tipc/netlink_compat.c
2964 +@@ -258,13 +258,15 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
2965 + arg = nlmsg_new(0, GFP_KERNEL);
2966 + if (!arg) {
2967 + kfree_skb(msg->rep);
2968 ++ msg->rep = NULL;
2969 + return -ENOMEM;
2970 + }
2971 +
2972 + err = __tipc_nl_compat_dumpit(cmd, msg, arg);
2973 +- if (err)
2974 ++ if (err) {
2975 + kfree_skb(msg->rep);
2976 +-
2977 ++ msg->rep = NULL;
2978 ++ }
2979 + kfree_skb(arg);
2980 +
2981 + return err;
2982 +diff --git a/sound/core/control.c b/sound/core/control.c
2983 +index fb096cb20a80..995cde48c1be 100644
2984 +--- a/sound/core/control.c
2985 ++++ b/sound/core/control.c
2986 +@@ -1156,7 +1156,7 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
2987 + mutex_lock(&ue->card->user_ctl_lock);
2988 + change = ue->tlv_data_size != size;
2989 + if (!change)
2990 +- change = memcmp(ue->tlv_data, new_data, size);
2991 ++ change = memcmp(ue->tlv_data, new_data, size) != 0;
2992 + kfree(ue->tlv_data);
2993 + ue->tlv_data = new_data;
2994 + ue->tlv_data_size = size;
2995 +diff --git a/sound/firewire/iso-resources.c b/sound/firewire/iso-resources.c
2996 +index f0e4d502d604..066b5df666f4 100644
2997 +--- a/sound/firewire/iso-resources.c
2998 ++++ b/sound/firewire/iso-resources.c
2999 +@@ -210,9 +210,14 @@ EXPORT_SYMBOL(fw_iso_resources_update);
3000 + */
3001 + void fw_iso_resources_free(struct fw_iso_resources *r)
3002 + {
3003 +- struct fw_card *card = fw_parent_device(r->unit)->card;
3004 ++ struct fw_card *card;
3005 + int bandwidth, channel;
3006 +
3007 ++ /* Not initialized. */
3008 ++ if (r->unit == NULL)
3009 ++ return;
3010 ++ card = fw_parent_device(r->unit)->card;
3011 ++
3012 + mutex_lock(&r->mutex);
3013 +
3014 + if (r->allocated) {
3015 +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
3016 +index c15c51bea26d..f2e4e99ce651 100644
3017 +--- a/sound/pci/hda/patch_conexant.c
3018 ++++ b/sound/pci/hda/patch_conexant.c
3019 +@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
3020 + SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
3021 + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
3022 + SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
3023 ++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC),
3024 + SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
3025 + SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI),
3026 + SND_PCI_QUIRK(0x1c06, 0x2011, "Lemote A1004", CXT_PINCFG_LEMOTE_A1004),
3027 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
3028 +index 95c2749ac8a3..286efc3a6116 100644
3029 +--- a/sound/usb/quirks.c
3030 ++++ b/sound/usb/quirks.c
3031 +@@ -1309,10 +1309,13 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe,
3032 + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
3033 + mdelay(20);
3034 +
3035 +- /* Zoom R16/24 needs a tiny delay here, otherwise requests like
3036 +- * get/set frequency return as failed despite actually succeeding.
3037 ++ /* Zoom R16/24, Logitech H650e, Jabra 550a needs a tiny delay here,
3038 ++ * otherwise requests like get/set frequency return as failed despite
3039 ++ * actually succeeding.
3040 + */
3041 +- if (chip->usb_id == USB_ID(0x1686, 0x00dd) &&
3042 ++ if ((chip->usb_id == USB_ID(0x1686, 0x00dd) ||
3043 ++ chip->usb_id == USB_ID(0x046d, 0x0a46) ||
3044 ++ chip->usb_id == USB_ID(0x0b0e, 0x0349)) &&
3045 + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
3046 + mdelay(1);
3047 + }
3048 +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
3049 +index 6c50d9f8e210..6a6f44dd594b 100644
3050 +--- a/tools/perf/util/probe-event.c
3051 ++++ b/tools/perf/util/probe-event.c
3052 +@@ -163,7 +163,7 @@ static struct map *kernel_get_module_map(const char *module)
3053 +
3054 + /* A file path -- this is an offline module */
3055 + if (module && strchr(module, '/'))
3056 +- return machine__findnew_module_map(host_machine, 0, module);
3057 ++ return dso__new_map(module);
3058 +
3059 + if (!module)
3060 + module = "kernel";
3061 +@@ -173,6 +173,7 @@ static struct map *kernel_get_module_map(const char *module)
3062 + if (strncmp(pos->dso->short_name + 1, module,
3063 + pos->dso->short_name_len - 2) == 0 &&
3064 + module[pos->dso->short_name_len - 2] == '\0') {
3065 ++ map__get(pos);
3066 + return pos;
3067 + }
3068 + }
3069 +@@ -188,15 +189,6 @@ struct map *get_target_map(const char *target, bool user)
3070 + return kernel_get_module_map(target);
3071 + }
3072 +
3073 +-static void put_target_map(struct map *map, bool user)
3074 +-{
3075 +- if (map && user) {
3076 +- /* Only the user map needs to be released */
3077 +- map__put(map);
3078 +- }
3079 +-}
3080 +-
3081 +-
3082 + static int convert_exec_to_group(const char *exec, char **result)
3083 + {
3084 + char *ptr1, *ptr2, *exec_copy;
3085 +@@ -412,7 +404,7 @@ static int find_alternative_probe_point(struct debuginfo *dinfo,
3086 + }
3087 +
3088 + out:
3089 +- put_target_map(map, uprobes);
3090 ++ map__put(map);
3091 + return ret;
3092 +
3093 + }
3094 +@@ -2944,7 +2936,7 @@ static int find_probe_trace_events_from_map(struct perf_probe_event *pev,
3095 + }
3096 +
3097 + out:
3098 +- put_target_map(map, pev->uprobes);
3099 ++ map__put(map);
3100 + free(syms);
3101 + return ret;
3102 +
3103 +@@ -3437,10 +3429,7 @@ int show_available_funcs(const char *target, struct strfilter *_filter,
3104 + return ret;
3105 +
3106 + /* Get a symbol map */
3107 +- if (user)
3108 +- map = dso__new_map(target);
3109 +- else
3110 +- map = kernel_get_module_map(target);
3111 ++ map = get_target_map(target, user);
3112 + if (!map) {
3113 + pr_err("Failed to get a map for %s\n", (target) ? : "kernel");
3114 + return -EINVAL;
3115 +@@ -3472,9 +3461,7 @@ int show_available_funcs(const char *target, struct strfilter *_filter,
3116 + }
3117 +
3118 + end:
3119 +- if (user) {
3120 +- map__put(map);
3121 +- }
3122 ++ map__put(map);
3123 + exit_probe_symbol_maps();
3124 +
3125 + return ret;
3126 +diff --git a/tools/testing/selftests/ntb/ntb_test.sh b/tools/testing/selftests/ntb/ntb_test.sh
3127 +index a676d3eefefb..b3c48fc6ea4b 100755
3128 +--- a/tools/testing/selftests/ntb/ntb_test.sh
3129 ++++ b/tools/testing/selftests/ntb/ntb_test.sh
3130 +@@ -305,7 +305,7 @@ function perf_test()
3131 + echo "Running remote perf test $WITH DMA"
3132 + write_file "" $REMOTE_PERF/run
3133 + echo -n " "
3134 +- read_file $LOCAL_PERF/run
3135 ++ read_file $REMOTE_PERF/run
3136 + echo " Passed"
3137 +
3138 + _modprobe -r ntb_perf
3139 +@@ -326,6 +326,10 @@ function ntb_tool_tests()
3140 + link_test $LOCAL_TOOL $REMOTE_TOOL
3141 + link_test $REMOTE_TOOL $LOCAL_TOOL
3142 +
3143 ++ #Ensure the link is up on both sides before continuing
3144 ++ write_file Y $LOCAL_TOOL/link_event
3145 ++ write_file Y $REMOTE_TOOL/link_event
3146 ++
3147 + for PEER_TRANS in $(ls $LOCAL_TOOL/peer_trans*); do
3148 + PT=$(basename $PEER_TRANS)
3149 + write_file $MW_SIZE $LOCAL_TOOL/$PT
Report Message
Find on MARC Find on Google Groups