Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Tue, 08 Feb 2022 18:03:16
Message-Id: 1644343379.9475a8840b940d677e55c021ec40042dfa3d013c.mpagano@gentoo
1 commit: 9475a8840b940d677e55c021ec40042dfa3d013c
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 8 18:02:59 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 8 18:02:59 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9475a884
7
8 Linux patch 4.9.300
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1299_linux-4.9.300.patch | 1470 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1474 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 671be5e2..ca366421 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1239,6 +1239,10 @@ Patch: 1298_linux-4.9.299.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.299
23
24 +Patch: 1299_linux-4.9.300.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.300
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1299_linux-4.9.300.patch b/1299_linux-4.9.300.patch
33 new file mode 100644
34 index 00000000..897a4e72
35 --- /dev/null
36 +++ b/1299_linux-4.9.300.patch
37 @@ -0,0 +1,1470 @@
38 +diff --git a/Makefile b/Makefile
39 +index 99d37c23495ef..52e73f525a442 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 299
46 ++SUBLEVEL = 300
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
51 +index d80fbf0884ffa..bc6c85788b84f 100644
52 +--- a/arch/powerpc/kernel/Makefile
53 ++++ b/arch/powerpc/kernel/Makefile
54 +@@ -14,6 +14,7 @@ CFLAGS_prom_init.o += -fPIC
55 + CFLAGS_btext.o += -fPIC
56 + endif
57 +
58 ++CFLAGS_setup_32.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
59 + CFLAGS_cputable.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
60 + CFLAGS_prom_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
61 + CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
62 +diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile
63 +index 309361e865233..3e3370d126aea 100644
64 +--- a/arch/powerpc/lib/Makefile
65 ++++ b/arch/powerpc/lib/Makefile
66 +@@ -9,6 +9,9 @@ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC)
67 + CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE)
68 + CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE)
69 +
70 ++CFLAGS_code-patching.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
71 ++CFLAGS_feature-fixups.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
72 ++
73 + obj-y += string.o alloc.o crtsavres.o code-patching.o \
74 + feature-fixups.o
75 +
76 +diff --git a/arch/s390/hypfs/hypfs_vm.c b/arch/s390/hypfs/hypfs_vm.c
77 +index 012919d9833bb..9fed1308670dc 100644
78 +--- a/arch/s390/hypfs/hypfs_vm.c
79 ++++ b/arch/s390/hypfs/hypfs_vm.c
80 +@@ -19,6 +19,7 @@
81 +
82 + static char local_guest[] = " ";
83 + static char all_guests[] = "* ";
84 ++static char *all_groups = all_guests;
85 + static char *guest_query;
86 +
87 + struct diag2fc_data {
88 +@@ -61,10 +62,11 @@ static int diag2fc(int size, char* query, void *addr)
89 +
90 + memcpy(parm_list.userid, query, NAME_LEN);
91 + ASCEBC(parm_list.userid, NAME_LEN);
92 +- parm_list.addr = (unsigned long) addr ;
93 ++ memcpy(parm_list.aci_grp, all_groups, NAME_LEN);
94 ++ ASCEBC(parm_list.aci_grp, NAME_LEN);
95 ++ parm_list.addr = (unsigned long)addr;
96 + parm_list.size = size;
97 + parm_list.fmt = 0x02;
98 +- memset(parm_list.aci_grp, 0x40, NAME_LEN);
99 + rc = -1;
100 +
101 + diag_stat_inc(DIAG_STAT_X2FC);
102 +diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c
103 +index 6037efa94c9ba..6d10bbc65ad3f 100644
104 +--- a/drivers/edac/altera_edac.c
105 ++++ b/drivers/edac/altera_edac.c
106 +@@ -363,7 +363,7 @@ static int altr_sdram_probe(struct platform_device *pdev)
107 + if (irq < 0) {
108 + edac_printk(KERN_ERR, EDAC_MC,
109 + "No irq %d in DT\n", irq);
110 +- return -ENODEV;
111 ++ return irq;
112 + }
113 +
114 + /* Arria10 has a 2nd IRQ */
115 +diff --git a/drivers/edac/xgene_edac.c b/drivers/edac/xgene_edac.c
116 +index bf19b6e3bd129..771927d2b5ded 100644
117 +--- a/drivers/edac/xgene_edac.c
118 ++++ b/drivers/edac/xgene_edac.c
119 +@@ -1936,7 +1936,7 @@ static int xgene_edac_probe(struct platform_device *pdev)
120 + irq = platform_get_irq(pdev, i);
121 + if (irq < 0) {
122 + dev_err(&pdev->dev, "No IRQ resource\n");
123 +- rc = -EINVAL;
124 ++ rc = irq;
125 + goto out_err;
126 + }
127 + rc = devm_request_irq(&pdev->dev, irq,
128 +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
129 +index ce32f41fc28aa..94fded3daaa30 100644
130 +--- a/drivers/gpu/drm/msm/msm_drv.c
131 ++++ b/drivers/gpu/drm/msm/msm_drv.c
132 +@@ -297,7 +297,7 @@ static int msm_init_vram(struct drm_device *dev)
133 + of_node_put(node);
134 + if (ret)
135 + return ret;
136 +- size = r.end - r.start;
137 ++ size = r.end - r.start + 1;
138 + DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start);
139 +
140 + /* if we have no IOMMU, then we need to use carveout allocator.
141 +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
142 +index f3c30b2a788e8..8bff14ae16b0e 100644
143 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
144 ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
145 +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
146 + *addr += bios->imaged_addr;
147 + }
148 +
149 +- if (unlikely(*addr + size >= bios->size)) {
150 ++ if (unlikely(*addr + size > bios->size)) {
151 + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
152 + return false;
153 + }
154 +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c
155 +index 1e9f029a328a6..d899ae5470fa2 100644
156 +--- a/drivers/hwmon/lm90.c
157 ++++ b/drivers/hwmon/lm90.c
158 +@@ -265,7 +265,7 @@ static const struct lm90_params lm90_params[] = {
159 + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT
160 + | LM90_HAVE_BROKEN_ALERT,
161 + .alert_alarms = 0x7c,
162 +- .max_convrate = 8,
163 ++ .max_convrate = 7,
164 + },
165 + [lm86] = {
166 + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT,
167 +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
168 +index a3279f303b499..45c809f3d24f4 100644
169 +--- a/drivers/iommu/amd_iommu_init.c
170 ++++ b/drivers/iommu/amd_iommu_init.c
171 +@@ -28,6 +28,7 @@
172 + #include <linux/amd-iommu.h>
173 + #include <linux/export.h>
174 + #include <linux/iommu.h>
175 ++#include <linux/iopoll.h>
176 + #include <asm/pci-direct.h>
177 + #include <asm/iommu.h>
178 + #include <asm/gart.h>
179 +@@ -715,6 +716,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu)
180 + status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET);
181 + if (status & (MMIO_STATUS_GALOG_RUN_MASK))
182 + break;
183 ++ udelay(10);
184 + }
185 +
186 + if (i >= LOOP_TIMEOUT)
187 +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
188 +index 1df7f5da8411f..d412d942cbdaf 100644
189 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
190 ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
191 +@@ -494,7 +494,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata)
192 + if (!channel->tx_ring)
193 + break;
194 +
195 ++ /* Deactivate the Tx timer */
196 + del_timer_sync(&channel->tx_timer);
197 ++ channel->tx_timer_active = 0;
198 + }
199 + }
200 +
201 +@@ -1966,6 +1968,14 @@ read_again:
202 + buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
203 + len += buf2_len;
204 +
205 ++ if (buf2_len > rdata->rx.buf.dma_len) {
206 ++ /* Hardware inconsistency within the descriptors
207 ++ * that has resulted in a length underflow.
208 ++ */
209 ++ error = 1;
210 ++ goto skip_data;
211 ++ }
212 ++
213 + if (!skb) {
214 + skb = xgbe_create_skb(pdata, napi, rdata,
215 + buf1_len);
216 +@@ -1995,8 +2005,10 @@ skip_data:
217 + if (!last || context_next)
218 + goto read_again;
219 +
220 +- if (!skb)
221 ++ if (!skb || error) {
222 ++ dev_kfree_skb(skb);
223 + goto next_packet;
224 ++ }
225 +
226 + /* Be sure we don't exceed the configured MTU */
227 + max_len = netdev->mtu + ETH_HLEN;
228 +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
229 +index 774b9db0c811f..0d3baa86cf176 100644
230 +--- a/drivers/net/macsec.c
231 ++++ b/drivers/net/macsec.c
232 +@@ -3230,6 +3230,15 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
233 +
234 + macsec->real_dev = real_dev;
235 +
236 ++ /* send_sci must be set to true when transmit sci explicitly is set */
237 ++ if ((data && data[IFLA_MACSEC_SCI]) &&
238 ++ (data && data[IFLA_MACSEC_INC_SCI])) {
239 ++ u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
240 ++
241 ++ if (!send_sci)
242 ++ return -EINVAL;
243 ++ }
244 ++
245 + if (data && data[IFLA_MACSEC_ICV_LEN])
246 + icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
247 + mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
248 +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
249 +index 0cf5324d493e8..52ed3da64f01d 100644
250 +--- a/drivers/net/usb/ipheth.c
251 ++++ b/drivers/net/usb/ipheth.c
252 +@@ -173,7 +173,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone)
253 + if (tx_buf == NULL)
254 + goto free_rx_urb;
255 +
256 +- rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
257 ++ rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
258 + GFP_KERNEL, &rx_urb->transfer_dma);
259 + if (rx_buf == NULL)
260 + goto free_tx_buf;
261 +@@ -198,7 +198,7 @@ error_nomem:
262 +
263 + static void ipheth_free_urbs(struct ipheth_device *iphone)
264 + {
265 +- usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
266 ++ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf,
267 + iphone->rx_urb->transfer_dma);
268 + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
269 + iphone->tx_urb->transfer_dma);
270 +@@ -371,7 +371,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags)
271 +
272 + usb_fill_bulk_urb(dev->rx_urb, udev,
273 + usb_rcvbulkpipe(udev, dev->bulk_in),
274 +- dev->rx_buf, IPHETH_BUF_SIZE,
275 ++ dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
276 + ipheth_rcvbulk_callback,
277 + dev);
278 + dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
279 +diff --git a/drivers/rtc/rtc-mc146818-lib.c b/drivers/rtc/rtc-mc146818-lib.c
280 +index 18a6f15e313d8..86b8858917b62 100644
281 +--- a/drivers/rtc/rtc-mc146818-lib.c
282 ++++ b/drivers/rtc/rtc-mc146818-lib.c
283 +@@ -82,7 +82,7 @@ unsigned int mc146818_get_time(struct rtc_time *time)
284 + time->tm_year += real_year - 72;
285 + #endif
286 +
287 +- if (century > 20)
288 ++ if (century > 19)
289 + time->tm_year += (century - 19) * 100;
290 +
291 + /*
292 +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
293 +index f7630cf581cd9..fd622021748f8 100644
294 +--- a/drivers/s390/scsi/zfcp_fc.c
295 ++++ b/drivers/s390/scsi/zfcp_fc.c
296 +@@ -518,6 +518,8 @@ static void zfcp_fc_adisc_handler(void *data)
297 + goto out;
298 + }
299 +
300 ++ /* re-init to undo drop from zfcp_fc_adisc() */
301 ++ port->d_id = ntoh24(adisc_resp->adisc_port_id);
302 + /* port is good, unblock rport without going through erp */
303 + zfcp_scsi_schedule_rport_register(port);
304 + out:
305 +@@ -531,6 +533,7 @@ static int zfcp_fc_adisc(struct zfcp_port *port)
306 + struct zfcp_fc_req *fc_req;
307 + struct zfcp_adapter *adapter = port->adapter;
308 + struct Scsi_Host *shost = adapter->scsi_host;
309 ++ u32 d_id;
310 + int ret;
311 +
312 + fc_req = kmem_cache_zalloc(zfcp_fc_req_cache, GFP_ATOMIC);
313 +@@ -555,7 +558,15 @@ static int zfcp_fc_adisc(struct zfcp_port *port)
314 + fc_req->u.adisc.req.adisc_cmd = ELS_ADISC;
315 + hton24(fc_req->u.adisc.req.adisc_port_id, fc_host_port_id(shost));
316 +
317 +- ret = zfcp_fsf_send_els(adapter, port->d_id, &fc_req->ct_els,
318 ++ d_id = port->d_id; /* remember as destination for send els below */
319 ++ /*
320 ++ * Force fresh GID_PN lookup on next port recovery.
321 ++ * Must happen after request setup and before sending request,
322 ++ * to prevent race with port->d_id re-init in zfcp_fc_adisc_handler().
323 ++ */
324 ++ port->d_id = 0;
325 ++
326 ++ ret = zfcp_fsf_send_els(adapter, d_id, &fc_req->ct_els,
327 + ZFCP_FC_CTELS_TMO);
328 + if (ret)
329 + kmem_cache_free(zfcp_fc_req_cache, fc_req);
330 +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
331 +index 68cc332bd6cba..b3dae8a4e5fc4 100644
332 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
333 ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
334 +@@ -79,7 +79,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba);
335 + static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba);
336 + static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface,
337 + struct device *parent, int npiv);
338 +-static void bnx2fc_destroy_work(struct work_struct *work);
339 ++static void bnx2fc_port_destroy(struct fcoe_port *port);
340 +
341 + static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev);
342 + static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device
343 +@@ -521,7 +521,8 @@ static int bnx2fc_l2_rcv_thread(void *arg)
344 +
345 + static void bnx2fc_recv_frame(struct sk_buff *skb)
346 + {
347 +- u32 fr_len;
348 ++ u64 crc_err;
349 ++ u32 fr_len, fr_crc;
350 + struct fc_lport *lport;
351 + struct fcoe_rcv_info *fr;
352 + struct fc_stats *stats;
353 +@@ -553,6 +554,11 @@ static void bnx2fc_recv_frame(struct sk_buff *skb)
354 + skb_pull(skb, sizeof(struct fcoe_hdr));
355 + fr_len = skb->len - sizeof(struct fcoe_crc_eof);
356 +
357 ++ stats = per_cpu_ptr(lport->stats, get_cpu());
358 ++ stats->RxFrames++;
359 ++ stats->RxWords += fr_len / FCOE_WORD_TO_BYTE;
360 ++ put_cpu();
361 ++
362 + fp = (struct fc_frame *)skb;
363 + fc_frame_init(fp);
364 + fr_dev(fp) = lport;
365 +@@ -604,16 +610,15 @@ static void bnx2fc_recv_frame(struct sk_buff *skb)
366 + return;
367 + }
368 +
369 +- stats = per_cpu_ptr(lport->stats, smp_processor_id());
370 +- stats->RxFrames++;
371 +- stats->RxWords += fr_len / FCOE_WORD_TO_BYTE;
372 ++ fr_crc = le32_to_cpu(fr_crc(fp));
373 +
374 +- if (le32_to_cpu(fr_crc(fp)) !=
375 +- ~crc32(~0, skb->data, fr_len)) {
376 +- if (stats->InvalidCRCCount < 5)
377 ++ if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) {
378 ++ stats = per_cpu_ptr(lport->stats, get_cpu());
379 ++ crc_err = (stats->InvalidCRCCount++);
380 ++ put_cpu();
381 ++ if (crc_err < 5)
382 + printk(KERN_WARNING PFX "dropping frame with "
383 + "CRC error\n");
384 +- stats->InvalidCRCCount++;
385 + kfree_skb(skb);
386 + return;
387 + }
388 +@@ -884,9 +889,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event,
389 + __bnx2fc_destroy(interface);
390 + }
391 + mutex_unlock(&bnx2fc_dev_lock);
392 +-
393 +- /* Ensure ALL destroy work has been completed before return */
394 +- flush_workqueue(bnx2fc_wq);
395 + return;
396 +
397 + default:
398 +@@ -1194,8 +1196,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport)
399 + mutex_unlock(&n_port->lp_mutex);
400 + bnx2fc_free_vport(interface->hba, port->lport);
401 + bnx2fc_port_shutdown(port->lport);
402 ++ bnx2fc_port_destroy(port);
403 + bnx2fc_interface_put(interface);
404 +- queue_work(bnx2fc_wq, &port->destroy_work);
405 + return 0;
406 + }
407 +
408 +@@ -1504,7 +1506,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface,
409 + port->lport = lport;
410 + port->priv = interface;
411 + port->get_netdev = bnx2fc_netdev;
412 +- INIT_WORK(&port->destroy_work, bnx2fc_destroy_work);
413 +
414 + /* Configure fcoe_port */
415 + rc = bnx2fc_lport_config(lport);
416 +@@ -1632,8 +1633,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface)
417 + bnx2fc_interface_cleanup(interface);
418 + bnx2fc_stop(interface);
419 + list_del(&interface->list);
420 ++ bnx2fc_port_destroy(port);
421 + bnx2fc_interface_put(interface);
422 +- queue_work(bnx2fc_wq, &port->destroy_work);
423 + }
424 +
425 + /**
426 +@@ -1674,15 +1675,12 @@ netdev_err:
427 + return rc;
428 + }
429 +
430 +-static void bnx2fc_destroy_work(struct work_struct *work)
431 ++static void bnx2fc_port_destroy(struct fcoe_port *port)
432 + {
433 +- struct fcoe_port *port;
434 + struct fc_lport *lport;
435 +
436 +- port = container_of(work, struct fcoe_port, destroy_work);
437 + lport = port->lport;
438 +-
439 +- BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n");
440 ++ BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport);
441 +
442 + bnx2fc_if_destroy(lport);
443 + }
444 +@@ -2522,9 +2520,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev)
445 + __bnx2fc_destroy(interface);
446 + mutex_unlock(&bnx2fc_dev_lock);
447 +
448 +- /* Ensure ALL destroy work has been completed before return */
449 +- flush_workqueue(bnx2fc_wq);
450 +-
451 + bnx2fc_ulp_stop(hba);
452 + /* unregister cnic device */
453 + if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic))
454 +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
455 +index d521adf6ac245..40820904f76c0 100644
456 +--- a/drivers/spi/spi-bcm-qspi.c
457 ++++ b/drivers/spi/spi-bcm-qspi.c
458 +@@ -546,7 +546,7 @@ static void bcm_qspi_chip_select(struct bcm_qspi *qspi, int cs)
459 + u32 rd = 0;
460 + u32 wr = 0;
461 +
462 +- if (qspi->base[CHIP_SELECT]) {
463 ++ if (cs >= 0 && qspi->base[CHIP_SELECT]) {
464 + rd = bcm_qspi_read(qspi, CHIP_SELECT, 0);
465 + wr = (rd & ~0xff) | (1 << cs);
466 + if (rd == wr)
467 +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
468 +index dd0bf25d45502..348f136d9e134 100644
469 +--- a/drivers/spi/spi-mt65xx.c
470 ++++ b/drivers/spi/spi-mt65xx.c
471 +@@ -440,7 +440,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
472 + else
473 + mdata->state = MTK_SPI_IDLE;
474 +
475 +- if (!master->can_dma(master, master->cur_msg->spi, trans)) {
476 ++ if (!master->can_dma(master, NULL, trans)) {
477 + if (trans->rx_buf) {
478 + cnt = mdata->xfer_len / 4;
479 + ioread32_rep(mdata->base + SPI_RX_DATA_REG,
480 +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
481 +index 1ab9bd4335421..67e5b587a1062 100644
482 +--- a/drivers/tty/n_gsm.c
483 ++++ b/drivers/tty/n_gsm.c
484 +@@ -329,6 +329,7 @@ static struct tty_driver *gsm_tty_driver;
485 + #define GSM1_ESCAPE_BITS 0x20
486 + #define XON 0x11
487 + #define XOFF 0x13
488 ++#define ISO_IEC_646_MASK 0x7F
489 +
490 + static const struct tty_port_operations gsm_port_ops;
491 +
492 +@@ -547,7 +548,8 @@ static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
493 + int olen = 0;
494 + while (len--) {
495 + if (*input == GSM1_SOF || *input == GSM1_ESCAPE
496 +- || *input == XON || *input == XOFF) {
497 ++ || (*input & ISO_IEC_646_MASK) == XON
498 ++ || (*input & ISO_IEC_646_MASK) == XOFF) {
499 + *output++ = GSM1_ESCAPE;
500 + *output++ = *input++ ^ GSM1_ESCAPE_BITS;
501 + olen++;
502 +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
503 +index 550f2f0523d84..3973bbd5ee553 100644
504 +--- a/drivers/tty/serial/8250/8250_pci.c
505 ++++ b/drivers/tty/serial/8250/8250_pci.c
506 +@@ -5238,8 +5238,30 @@ static struct pci_device_id serial_pci_tbl[] = {
507 + { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400,
508 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
509 + pbn_b2_4_115200 },
510 ++ /* Brainboxes Devices */
511 + /*
512 +- * BrainBoxes UC-260
513 ++ * Brainboxes UC-101
514 ++ */
515 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0BA1,
516 ++ PCI_ANY_ID, PCI_ANY_ID,
517 ++ 0, 0,
518 ++ pbn_b2_2_115200 },
519 ++ /*
520 ++ * Brainboxes UC-235/246
521 ++ */
522 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0AA1,
523 ++ PCI_ANY_ID, PCI_ANY_ID,
524 ++ 0, 0,
525 ++ pbn_b2_1_115200 },
526 ++ /*
527 ++ * Brainboxes UC-257
528 ++ */
529 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0861,
530 ++ PCI_ANY_ID, PCI_ANY_ID,
531 ++ 0, 0,
532 ++ pbn_b2_2_115200 },
533 ++ /*
534 ++ * Brainboxes UC-260/271/701/756
535 + */
536 + { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
537 + PCI_ANY_ID, PCI_ANY_ID,
538 +@@ -5247,7 +5269,81 @@ static struct pci_device_id serial_pci_tbl[] = {
539 + pbn_b2_4_115200 },
540 + { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
541 + PCI_ANY_ID, PCI_ANY_ID,
542 +- PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
543 ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
544 ++ pbn_b2_4_115200 },
545 ++ /*
546 ++ * Brainboxes UC-268
547 ++ */
548 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0841,
549 ++ PCI_ANY_ID, PCI_ANY_ID,
550 ++ 0, 0,
551 ++ pbn_b2_4_115200 },
552 ++ /*
553 ++ * Brainboxes UC-275/279
554 ++ */
555 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0881,
556 ++ PCI_ANY_ID, PCI_ANY_ID,
557 ++ 0, 0,
558 ++ pbn_b2_8_115200 },
559 ++ /*
560 ++ * Brainboxes UC-302
561 ++ */
562 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08E1,
563 ++ PCI_ANY_ID, PCI_ANY_ID,
564 ++ 0, 0,
565 ++ pbn_b2_2_115200 },
566 ++ /*
567 ++ * Brainboxes UC-310
568 ++ */
569 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08C1,
570 ++ PCI_ANY_ID, PCI_ANY_ID,
571 ++ 0, 0,
572 ++ pbn_b2_2_115200 },
573 ++ /*
574 ++ * Brainboxes UC-313
575 ++ */
576 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08A3,
577 ++ PCI_ANY_ID, PCI_ANY_ID,
578 ++ 0, 0,
579 ++ pbn_b2_2_115200 },
580 ++ /*
581 ++ * Brainboxes UC-320/324
582 ++ */
583 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A61,
584 ++ PCI_ANY_ID, PCI_ANY_ID,
585 ++ 0, 0,
586 ++ pbn_b2_1_115200 },
587 ++ /*
588 ++ * Brainboxes UC-346
589 ++ */
590 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0B02,
591 ++ PCI_ANY_ID, PCI_ANY_ID,
592 ++ 0, 0,
593 ++ pbn_b2_4_115200 },
594 ++ /*
595 ++ * Brainboxes UC-357
596 ++ */
597 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A81,
598 ++ PCI_ANY_ID, PCI_ANY_ID,
599 ++ 0, 0,
600 ++ pbn_b2_2_115200 },
601 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A83,
602 ++ PCI_ANY_ID, PCI_ANY_ID,
603 ++ 0, 0,
604 ++ pbn_b2_2_115200 },
605 ++ /*
606 ++ * Brainboxes UC-368
607 ++ */
608 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0C41,
609 ++ PCI_ANY_ID, PCI_ANY_ID,
610 ++ 0, 0,
611 ++ pbn_b2_4_115200 },
612 ++ /*
613 ++ * Brainboxes UC-420/431
614 ++ */
615 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0921,
616 ++ PCI_ANY_ID, PCI_ANY_ID,
617 ++ 0, 0,
618 + pbn_b2_4_115200 },
619 + /*
620 + * Perle PCI-RAS cards
621 +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
622 +index f325019887b23..766941a6e1aa8 100644
623 +--- a/drivers/tty/serial/stm32-usart.c
624 ++++ b/drivers/tty/serial/stm32-usart.c
625 +@@ -389,7 +389,7 @@ static void stm32_start_tx(struct uart_port *port)
626 + {
627 + struct circ_buf *xmit = &port->state->xmit;
628 +
629 +- if (uart_circ_empty(xmit))
630 ++ if (uart_circ_empty(xmit) && !port->x_char)
631 + return;
632 +
633 + stm32_transmit_chars(port);
634 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
635 +index 2246731d96b0e..a4b2313607995 100644
636 +--- a/drivers/usb/core/hcd.c
637 ++++ b/drivers/usb/core/hcd.c
638 +@@ -1668,6 +1668,13 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
639 + urb->hcpriv = NULL;
640 + INIT_LIST_HEAD(&urb->urb_list);
641 + atomic_dec(&urb->use_count);
642 ++ /*
643 ++ * Order the write of urb->use_count above before the read
644 ++ * of urb->reject below. Pairs with the memory barriers in
645 ++ * usb_kill_urb() and usb_poison_urb().
646 ++ */
647 ++ smp_mb__after_atomic();
648 ++
649 + atomic_dec(&urb->dev->urbnum);
650 + if (atomic_read(&urb->reject))
651 + wake_up(&usb_kill_urb_queue);
652 +@@ -1777,6 +1784,13 @@ static void __usb_hcd_giveback_urb(struct urb *urb)
653 +
654 + usb_anchor_resume_wakeups(anchor);
655 + atomic_dec(&urb->use_count);
656 ++ /*
657 ++ * Order the write of urb->use_count above before the read
658 ++ * of urb->reject below. Pairs with the memory barriers in
659 ++ * usb_kill_urb() and usb_poison_urb().
660 ++ */
661 ++ smp_mb__after_atomic();
662 ++
663 + if (unlikely(atomic_read(&urb->reject)))
664 + wake_up(&usb_kill_urb_queue);
665 + usb_put_urb(urb);
666 +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
667 +index 6785ebc078047..ec8921d09e321 100644
668 +--- a/drivers/usb/core/urb.c
669 ++++ b/drivers/usb/core/urb.c
670 +@@ -684,6 +684,12 @@ void usb_kill_urb(struct urb *urb)
671 + if (!(urb && urb->dev && urb->ep))
672 + return;
673 + atomic_inc(&urb->reject);
674 ++ /*
675 ++ * Order the write of urb->reject above before the read
676 ++ * of urb->use_count below. Pairs with the barriers in
677 ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb().
678 ++ */
679 ++ smp_mb__after_atomic();
680 +
681 + usb_hcd_unlink_urb(urb, -ENOENT);
682 + wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0);
683 +@@ -725,6 +731,12 @@ void usb_poison_urb(struct urb *urb)
684 + if (!urb)
685 + return;
686 + atomic_inc(&urb->reject);
687 ++ /*
688 ++ * Order the write of urb->reject above before the read
689 ++ * of urb->use_count below. Pairs with the barriers in
690 ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb().
691 ++ */
692 ++ smp_mb__after_atomic();
693 +
694 + if (!urb->dev || !urb->ep)
695 + return;
696 +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
697 +index 1c5745f7abea1..16142c321df8e 100644
698 +--- a/drivers/usb/gadget/function/f_sourcesink.c
699 ++++ b/drivers/usb/gadget/function/f_sourcesink.c
700 +@@ -587,6 +587,7 @@ static int source_sink_start_ep(struct f_sourcesink *ss, bool is_in,
701 +
702 + if (is_iso) {
703 + switch (speed) {
704 ++ case USB_SPEED_SUPER_PLUS:
705 + case USB_SPEED_SUPER:
706 + size = ss->isoc_maxpacket *
707 + (ss->isoc_mult + 1) *
708 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
709 +index ec2b7f5c900c2..801351f360da6 100644
710 +--- a/drivers/usb/storage/unusual_devs.h
711 ++++ b/drivers/usb/storage/unusual_devs.h
712 +@@ -2308,6 +2308,16 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x9999,
713 + USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init,
714 + US_FL_SCM_MULT_TARG ),
715 +
716 ++/*
717 ++ * Reported by DocMAX <mail@××××××××××.de>
718 ++ * and Thomas Weißschuh <linux@××××××××××.net>
719 ++ */
720 ++UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999,
721 ++ "VIA Labs, Inc.",
722 ++ "VL817 SATA Bridge",
723 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
724 ++ US_FL_IGNORE_UAS),
725 ++
726 + UNUSUAL_DEV( 0x2116, 0x0320, 0x0001, 0x0001,
727 + "ST",
728 + "2A",
729 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
730 +index a0f20a048347c..c87558f120fb9 100644
731 +--- a/fs/ext4/inline.c
732 ++++ b/fs/ext4/inline.c
733 +@@ -1123,7 +1123,15 @@ static void ext4_restore_inline_data(handle_t *handle, struct inode *inode,
734 + struct ext4_iloc *iloc,
735 + void *buf, int inline_size)
736 + {
737 +- ext4_create_inline_data(handle, inode, inline_size);
738 ++ int ret;
739 ++
740 ++ ret = ext4_create_inline_data(handle, inode, inline_size);
741 ++ if (ret) {
742 ++ ext4_msg(inode->i_sb, KERN_EMERG,
743 ++ "error restoring inline_data for inode -- potential data loss! (inode %lu, error %d)",
744 ++ inode->i_ino, ret);
745 ++ return;
746 ++ }
747 + ext4_write_inline_data(inode, iloc, buf, 0, inline_size);
748 + ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
749 + }
750 +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
751 +index d405b5a14073a..24e854dfb3c25 100644
752 +--- a/fs/nfs/dir.c
753 ++++ b/fs/nfs/dir.c
754 +@@ -1602,6 +1602,24 @@ out:
755 +
756 + no_open:
757 + res = nfs_lookup(dir, dentry, lookup_flags);
758 ++ if (!res) {
759 ++ inode = d_inode(dentry);
760 ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
761 ++ !S_ISDIR(inode->i_mode))
762 ++ res = ERR_PTR(-ENOTDIR);
763 ++ else if (inode && S_ISREG(inode->i_mode))
764 ++ res = ERR_PTR(-EOPENSTALE);
765 ++ } else if (!IS_ERR(res)) {
766 ++ inode = d_inode(res);
767 ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
768 ++ !S_ISDIR(inode->i_mode)) {
769 ++ dput(res);
770 ++ res = ERR_PTR(-ENOTDIR);
771 ++ } else if (inode && S_ISREG(inode->i_mode)) {
772 ++ dput(res);
773 ++ res = ERR_PTR(-EOPENSTALE);
774 ++ }
775 ++ }
776 + if (switched) {
777 + d_lookup_done(dentry);
778 + if (!res)
779 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
780 +index 524d98e3bcf5b..d9381ca0ac479 100644
781 +--- a/fs/nfsd/nfs4state.c
782 ++++ b/fs/nfsd/nfs4state.c
783 +@@ -3424,8 +3424,10 @@ nfsd4_setclientid_confirm(struct svc_rqst *rqstp,
784 + status = nfserr_clid_inuse;
785 + if (client_has_state(old)
786 + && !same_creds(&unconf->cl_cred,
787 +- &old->cl_cred))
788 ++ &old->cl_cred)) {
789 ++ old = NULL;
790 + goto out;
791 ++ }
792 + status = mark_client_expired_locked(old);
793 + if (status) {
794 + old = NULL;
795 +diff --git a/fs/udf/inode.c b/fs/udf/inode.c
796 +index 50607673a6a92..fab5a9506bcf2 100644
797 +--- a/fs/udf/inode.c
798 ++++ b/fs/udf/inode.c
799 +@@ -259,10 +259,6 @@ int udf_expand_file_adinicb(struct inode *inode)
800 + char *kaddr;
801 + struct udf_inode_info *iinfo = UDF_I(inode);
802 + int err;
803 +- struct writeback_control udf_wbc = {
804 +- .sync_mode = WB_SYNC_NONE,
805 +- .nr_to_write = 1,
806 +- };
807 +
808 + WARN_ON_ONCE(!inode_is_locked(inode));
809 + if (!iinfo->i_lenAlloc) {
810 +@@ -306,8 +302,10 @@ int udf_expand_file_adinicb(struct inode *inode)
811 + iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;
812 + /* from now on we have normal address_space methods */
813 + inode->i_data.a_ops = &udf_aops;
814 ++ set_page_dirty(page);
815 ++ unlock_page(page);
816 + up_write(&iinfo->i_data_sem);
817 +- err = inode->i_data.a_ops->writepage(page, &udf_wbc);
818 ++ err = filemap_fdatawrite(inode->i_mapping);
819 + if (err) {
820 + /* Restore everything back so that we don't lose data... */
821 + lock_page(page);
822 +@@ -319,6 +317,7 @@ int udf_expand_file_adinicb(struct inode *inode)
823 + unlock_page(page);
824 + iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
825 + inode->i_data.a_ops = &udf_adinicb_aops;
826 ++ iinfo->i_lenAlloc = inode->i_size;
827 + up_write(&iinfo->i_data_sem);
828 + }
829 + put_page(page);
830 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
831 +index 2aacafe2bce58..a92fb5c5704f2 100644
832 +--- a/include/linux/netdevice.h
833 ++++ b/include/linux/netdevice.h
834 +@@ -2237,6 +2237,7 @@ struct packet_type {
835 + struct net_device *);
836 + bool (*id_match)(struct packet_type *ptype,
837 + struct sock *sk);
838 ++ struct net *af_packet_net;
839 + void *af_packet_priv;
840 + struct list_head list;
841 + };
842 +diff --git a/include/net/ip.h b/include/net/ip.h
843 +index f987eaf999004..c762fd047ef4c 100644
844 +--- a/include/net/ip.h
845 ++++ b/include/net/ip.h
846 +@@ -377,19 +377,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
847 + {
848 + struct iphdr *iph = ip_hdr(skb);
849 +
850 ++ /* We had many attacks based on IPID, use the private
851 ++ * generator as much as we can.
852 ++ */
853 ++ if (sk && inet_sk(sk)->inet_daddr) {
854 ++ iph->id = htons(inet_sk(sk)->inet_id);
855 ++ inet_sk(sk)->inet_id += segs;
856 ++ return;
857 ++ }
858 + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
859 +- /* This is only to work around buggy Windows95/2000
860 +- * VJ compression implementations. If the ID field
861 +- * does not change, they drop every other packet in
862 +- * a TCP stream using header compression.
863 +- */
864 +- if (sk && inet_sk(sk)->inet_daddr) {
865 +- iph->id = htons(inet_sk(sk)->inet_id);
866 +- inet_sk(sk)->inet_id += segs;
867 +- } else {
868 +- iph->id = 0;
869 +- }
870 ++ iph->id = 0;
871 + } else {
872 ++ /* Unfortunately we need the big hammer to get a suitable IPID */
873 + __ip_select_ident(net, iph, segs);
874 + }
875 + }
876 +diff --git a/include/net/netfilter/nf_nat_l4proto.h b/include/net/netfilter/nf_nat_l4proto.h
877 +index 12f4cc841b6ed..630f0f5c3fa35 100644
878 +--- a/include/net/netfilter/nf_nat_l4proto.h
879 ++++ b/include/net/netfilter/nf_nat_l4proto.h
880 +@@ -64,7 +64,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
881 + struct nf_conntrack_tuple *tuple,
882 + const struct nf_nat_range *range,
883 + enum nf_nat_manip_type maniptype,
884 +- const struct nf_conn *ct, u16 *rover);
885 ++ const struct nf_conn *ct);
886 +
887 + int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[],
888 + struct nf_nat_range *range);
889 +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
890 +index 1896386e16bbe..78e354b1c593b 100644
891 +--- a/kernel/power/wakelock.c
892 ++++ b/kernel/power/wakelock.c
893 +@@ -38,23 +38,19 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
894 + {
895 + struct rb_node *node;
896 + struct wakelock *wl;
897 +- char *str = buf;
898 +- char *end = buf + PAGE_SIZE;
899 ++ int len = 0;
900 +
901 + mutex_lock(&wakelocks_lock);
902 +
903 + for (node = rb_first(&wakelocks_tree); node; node = rb_next(node)) {
904 + wl = rb_entry(node, struct wakelock, node);
905 + if (wl->ws.active == show_active)
906 +- str += scnprintf(str, end - str, "%s ", wl->name);
907 ++ len += sysfs_emit_at(buf, len, "%s ", wl->name);
908 + }
909 +- if (str > buf)
910 +- str--;
911 +-
912 +- str += scnprintf(str, end - str, "\n");
913 ++ len += sysfs_emit_at(buf, len, "\n");
914 +
915 + mutex_unlock(&wakelocks_lock);
916 +- return (str - buf);
917 ++ return len;
918 + }
919 +
920 + #if CONFIG_PM_WAKELOCKS_LIMIT > 0
921 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
922 +index 17cfd9f8e98e0..cff87c465bcb0 100644
923 +--- a/net/bluetooth/hci_event.c
924 ++++ b/net/bluetooth/hci_event.c
925 +@@ -4967,6 +4967,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
926 + struct hci_ev_le_advertising_info *ev = ptr;
927 + s8 rssi;
928 +
929 ++ if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {
930 ++ bt_dev_err(hdev, "Malicious advertising data.");
931 ++ break;
932 ++ }
933 ++
934 + if (ev->length <= HCI_MAX_AD_LENGTH &&
935 + ev->data + ev->length <= skb_tail_pointer(skb)) {
936 + rssi = ev->data[ev->length];
937 +@@ -4978,11 +4983,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
938 + }
939 +
940 + ptr += sizeof(*ev) + ev->length + 1;
941 +-
942 +- if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
943 +- bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
944 +- break;
945 +- }
946 + }
947 +
948 + hci_dev_unlock(hdev);
949 +diff --git a/net/can/bcm.c b/net/can/bcm.c
950 +index 369326715b9c6..bfb5072234687 100644
951 +--- a/net/can/bcm.c
952 ++++ b/net/can/bcm.c
953 +@@ -761,21 +761,21 @@ static struct bcm_op *bcm_find_op(struct list_head *ops,
954 + static void bcm_remove_op(struct bcm_op *op)
955 + {
956 + if (op->tsklet.func) {
957 +- while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
958 +- test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
959 +- hrtimer_active(&op->timer)) {
960 +- hrtimer_cancel(&op->timer);
961 ++ do {
962 + tasklet_kill(&op->tsklet);
963 +- }
964 ++ hrtimer_cancel(&op->timer);
965 ++ } while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
966 ++ test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
967 ++ hrtimer_active(&op->timer));
968 + }
969 +
970 + if (op->thrtsklet.func) {
971 +- while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
972 +- test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
973 +- hrtimer_active(&op->thrtimer)) {
974 +- hrtimer_cancel(&op->thrtimer);
975 ++ do {
976 + tasklet_kill(&op->thrtsklet);
977 +- }
978 ++ hrtimer_cancel(&op->thrtimer);
979 ++ } while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
980 ++ test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
981 ++ hrtimer_active(&op->thrtimer));
982 + }
983 +
984 + if ((op->frames) && (op->frames != &op->sframe))
985 +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
986 +index 14d09345f00d9..913b7c366cd4c 100644
987 +--- a/net/core/net-procfs.c
988 ++++ b/net/core/net-procfs.c
989 +@@ -208,12 +208,23 @@ static const struct file_operations softnet_seq_fops = {
990 + .release = seq_release,
991 + };
992 +
993 +-static void *ptype_get_idx(loff_t pos)
994 ++static void *ptype_get_idx(struct seq_file *seq, loff_t pos)
995 + {
996 ++ struct list_head *ptype_list = NULL;
997 + struct packet_type *pt = NULL;
998 ++ struct net_device *dev;
999 + loff_t i = 0;
1000 + int t;
1001 +
1002 ++ for_each_netdev_rcu(seq_file_net(seq), dev) {
1003 ++ ptype_list = &dev->ptype_all;
1004 ++ list_for_each_entry_rcu(pt, ptype_list, list) {
1005 ++ if (i == pos)
1006 ++ return pt;
1007 ++ ++i;
1008 ++ }
1009 ++ }
1010 ++
1011 + list_for_each_entry_rcu(pt, &ptype_all, list) {
1012 + if (i == pos)
1013 + return pt;
1014 +@@ -234,22 +245,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos)
1015 + __acquires(RCU)
1016 + {
1017 + rcu_read_lock();
1018 +- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN;
1019 ++ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
1020 + }
1021 +
1022 + static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1023 + {
1024 ++ struct net_device *dev;
1025 + struct packet_type *pt;
1026 + struct list_head *nxt;
1027 + int hash;
1028 +
1029 + ++*pos;
1030 + if (v == SEQ_START_TOKEN)
1031 +- return ptype_get_idx(0);
1032 ++ return ptype_get_idx(seq, 0);
1033 +
1034 + pt = v;
1035 + nxt = pt->list.next;
1036 ++ if (pt->dev) {
1037 ++ if (nxt != &pt->dev->ptype_all)
1038 ++ goto found;
1039 ++
1040 ++ dev = pt->dev;
1041 ++ for_each_netdev_continue_rcu(seq_file_net(seq), dev) {
1042 ++ if (!list_empty(&dev->ptype_all)) {
1043 ++ nxt = dev->ptype_all.next;
1044 ++ goto found;
1045 ++ }
1046 ++ }
1047 ++
1048 ++ nxt = ptype_all.next;
1049 ++ goto ptype_all;
1050 ++ }
1051 ++
1052 + if (pt->type == htons(ETH_P_ALL)) {
1053 ++ptype_all:
1054 + if (nxt != &ptype_all)
1055 + goto found;
1056 + hash = 0;
1057 +@@ -278,7 +307,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
1058 +
1059 + if (v == SEQ_START_TOKEN)
1060 + seq_puts(seq, "Type Device Function\n");
1061 +- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) {
1062 ++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) &&
1063 ++ (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) {
1064 + if (pt->type == htons(ETH_P_ALL))
1065 + seq_puts(seq, "ALL ");
1066 + else
1067 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
1068 +index 012143f313a87..d5cad076daf50 100644
1069 +--- a/net/core/rtnetlink.c
1070 ++++ b/net/core/rtnetlink.c
1071 +@@ -2454,9 +2454,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh)
1072 + {
1073 + struct net *net = sock_net(skb->sk);
1074 + const struct rtnl_link_ops *ops;
1075 +- const struct rtnl_link_ops *m_ops = NULL;
1076 ++ const struct rtnl_link_ops *m_ops;
1077 + struct net_device *dev;
1078 +- struct net_device *master_dev = NULL;
1079 ++ struct net_device *master_dev;
1080 + struct ifinfomsg *ifm;
1081 + char kind[MODULE_NAME_LEN];
1082 + char ifname[IFNAMSIZ];
1083 +@@ -2487,6 +2487,8 @@ replay:
1084 + dev = NULL;
1085 + }
1086 +
1087 ++ master_dev = NULL;
1088 ++ m_ops = NULL;
1089 + if (dev) {
1090 + master_dev = netdev_master_upper_dev_get(dev);
1091 + if (master_dev)
1092 +diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
1093 +index 936371340dc37..c24a1945392a5 100644
1094 +--- a/net/ieee802154/nl802154.c
1095 ++++ b/net/ieee802154/nl802154.c
1096 +@@ -1474,7 +1474,7 @@ static int nl802154_send_key(struct sk_buff *msg, u32 cmd, u32 portid,
1097 +
1098 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1099 + if (!hdr)
1100 +- return -1;
1101 ++ return -ENOBUFS;
1102 +
1103 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1104 + goto nla_put_failure;
1105 +@@ -1665,7 +1665,7 @@ static int nl802154_send_device(struct sk_buff *msg, u32 cmd, u32 portid,
1106 +
1107 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1108 + if (!hdr)
1109 +- return -1;
1110 ++ return -ENOBUFS;
1111 +
1112 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1113 + goto nla_put_failure;
1114 +@@ -1843,7 +1843,7 @@ static int nl802154_send_devkey(struct sk_buff *msg, u32 cmd, u32 portid,
1115 +
1116 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1117 + if (!hdr)
1118 +- return -1;
1119 ++ return -ENOBUFS;
1120 +
1121 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1122 + goto nla_put_failure;
1123 +@@ -2020,7 +2020,7 @@ static int nl802154_send_seclevel(struct sk_buff *msg, u32 cmd, u32 portid,
1124 +
1125 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1126 + if (!hdr)
1127 +- return -1;
1128 ++ return -ENOBUFS;
1129 +
1130 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1131 + goto nla_put_failure;
1132 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
1133 +index 589fd0904e0de..bd53136c28262 100644
1134 +--- a/net/ipv4/ip_output.c
1135 ++++ b/net/ipv4/ip_output.c
1136 +@@ -159,12 +159,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
1137 + iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
1138 + iph->saddr = saddr;
1139 + iph->protocol = sk->sk_protocol;
1140 +- if (ip_dont_fragment(sk, &rt->dst)) {
1141 ++ /* Do not bother generating IPID for small packets (eg SYNACK) */
1142 ++ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) {
1143 + iph->frag_off = htons(IP_DF);
1144 + iph->id = 0;
1145 + } else {
1146 + iph->frag_off = 0;
1147 +- __ip_select_ident(net, iph, 1);
1148 ++ /* TCP packets here are SYNACK with fat IPv4/TCP options.
1149 ++ * Avoid using the hashed IP ident generator.
1150 ++ */
1151 ++ if (sk->sk_protocol == IPPROTO_TCP)
1152 ++ iph->id = (__force __be16)prandom_u32();
1153 ++ else
1154 ++ __ip_select_ident(net, iph, 1);
1155 + }
1156 +
1157 + if (opt && opt->opt.optlen) {
1158 +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
1159 +index af75c0a8238ef..88ad1b6b38029 100644
1160 +--- a/net/ipv4/raw.c
1161 ++++ b/net/ipv4/raw.c
1162 +@@ -706,6 +706,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1163 + int ret = -EINVAL;
1164 + int chk_addr_ret;
1165 +
1166 ++ lock_sock(sk);
1167 + if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in))
1168 + goto out;
1169 + chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
1170 +@@ -718,7 +719,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1171 + inet->inet_saddr = 0; /* Use device */
1172 + sk_dst_reset(sk);
1173 + ret = 0;
1174 +-out: return ret;
1175 ++out:
1176 ++ release_sock(sk);
1177 ++ return ret;
1178 + }
1179 +
1180 + /*
1181 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1182 +index 4e18ce5b939ac..322171a344c09 100644
1183 +--- a/net/ipv6/ip6_tunnel.c
1184 ++++ b/net/ipv6/ip6_tunnel.c
1185 +@@ -1007,12 +1007,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t,
1186 + ldev = dev_get_by_index_rcu(net, p->link);
1187 +
1188 + if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0)))
1189 +- pr_warn("%s xmit: Local address not yet configured!\n",
1190 +- p->name);
1191 ++ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n",
1192 ++ p->name);
1193 + else if (!ipv6_addr_is_multicast(raddr) &&
1194 + unlikely(ipv6_chk_addr(net, raddr, NULL, 0)))
1195 +- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n",
1196 +- p->name);
1197 ++ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n",
1198 ++ p->name);
1199 + else
1200 + ret = 1;
1201 + rcu_read_unlock();
1202 +diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
1203 +index 7d7466dbf6633..a4f709a3cbacc 100644
1204 +--- a/net/netfilter/nf_nat_proto_common.c
1205 ++++ b/net/netfilter/nf_nat_proto_common.c
1206 +@@ -38,12 +38,12 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
1207 + struct nf_conntrack_tuple *tuple,
1208 + const struct nf_nat_range *range,
1209 + enum nf_nat_manip_type maniptype,
1210 +- const struct nf_conn *ct,
1211 +- u16 *rover)
1212 ++ const struct nf_conn *ct)
1213 + {
1214 +- unsigned int range_size, min, max, i;
1215 ++ unsigned int range_size, min, max, i, attempts;
1216 + __be16 *portptr;
1217 +- u_int16_t off;
1218 ++ u16 off;
1219 ++ static const unsigned int max_attempts = 128;
1220 +
1221 + if (maniptype == NF_NAT_MANIP_SRC)
1222 + portptr = &tuple->src.u.all;
1223 +@@ -84,17 +84,31 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
1224 + } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
1225 + off = prandom_u32();
1226 + } else {
1227 +- off = *rover;
1228 ++ off = prandom_u32();
1229 + }
1230 +
1231 +- for (i = 0; ; ++off) {
1232 ++ attempts = range_size;
1233 ++ if (attempts > max_attempts)
1234 ++ attempts = max_attempts;
1235 ++
1236 ++ /* We are in softirq; doing a search of the entire range risks
1237 ++ * soft lockup when all tuples are already used.
1238 ++ *
1239 ++ * If we can't find any free port from first offset, pick a new
1240 ++ * one and try again, with ever smaller search window.
1241 ++ */
1242 ++another_round:
1243 ++ for (i = 0; i < attempts; i++, off++) {
1244 + *portptr = htons(min + off % range_size);
1245 +- if (++i != range_size && nf_nat_used_tuple(tuple, ct))
1246 +- continue;
1247 +- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
1248 +- *rover = off;
1249 +- return;
1250 ++ if (!nf_nat_used_tuple(tuple, ct))
1251 ++ return;
1252 + }
1253 ++
1254 ++ if (attempts >= range_size || attempts < 16)
1255 ++ return;
1256 ++ attempts /= 2;
1257 ++ off = prandom_u32();
1258 ++ goto another_round;
1259 + }
1260 + EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
1261 +
1262 +diff --git a/net/netfilter/nf_nat_proto_dccp.c b/net/netfilter/nf_nat_proto_dccp.c
1263 +index 15c47b246d0d0..e7d27c0833932 100644
1264 +--- a/net/netfilter/nf_nat_proto_dccp.c
1265 ++++ b/net/netfilter/nf_nat_proto_dccp.c
1266 +@@ -20,8 +20,6 @@
1267 + #include <net/netfilter/nf_nat_l3proto.h>
1268 + #include <net/netfilter/nf_nat_l4proto.h>
1269 +
1270 +-static u_int16_t dccp_port_rover;
1271 +-
1272 + static void
1273 + dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1274 + struct nf_conntrack_tuple *tuple,
1275 +@@ -29,8 +27,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1276 + enum nf_nat_manip_type maniptype,
1277 + const struct nf_conn *ct)
1278 + {
1279 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1280 +- &dccp_port_rover);
1281 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1282 + }
1283 +
1284 + static bool
1285 +diff --git a/net/netfilter/nf_nat_proto_sctp.c b/net/netfilter/nf_nat_proto_sctp.c
1286 +index cbc7ade1487b2..b839373716e84 100644
1287 +--- a/net/netfilter/nf_nat_proto_sctp.c
1288 ++++ b/net/netfilter/nf_nat_proto_sctp.c
1289 +@@ -14,8 +14,6 @@
1290 +
1291 + #include <net/netfilter/nf_nat_l4proto.h>
1292 +
1293 +-static u_int16_t nf_sctp_port_rover;
1294 +-
1295 + static void
1296 + sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1297 + struct nf_conntrack_tuple *tuple,
1298 +@@ -23,8 +21,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1299 + enum nf_nat_manip_type maniptype,
1300 + const struct nf_conn *ct)
1301 + {
1302 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1303 +- &nf_sctp_port_rover);
1304 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1305 + }
1306 +
1307 + static bool
1308 +diff --git a/net/netfilter/nf_nat_proto_tcp.c b/net/netfilter/nf_nat_proto_tcp.c
1309 +index 4f8820fc51480..882e79c6df734 100644
1310 +--- a/net/netfilter/nf_nat_proto_tcp.c
1311 ++++ b/net/netfilter/nf_nat_proto_tcp.c
1312 +@@ -18,8 +18,6 @@
1313 + #include <net/netfilter/nf_nat_l4proto.h>
1314 + #include <net/netfilter/nf_nat_core.h>
1315 +
1316 +-static u16 tcp_port_rover;
1317 +-
1318 + static void
1319 + tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1320 + struct nf_conntrack_tuple *tuple,
1321 +@@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1322 + enum nf_nat_manip_type maniptype,
1323 + const struct nf_conn *ct)
1324 + {
1325 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1326 +- &tcp_port_rover);
1327 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1328 + }
1329 +
1330 + static bool
1331 +diff --git a/net/netfilter/nf_nat_proto_udp.c b/net/netfilter/nf_nat_proto_udp.c
1332 +index b1e627227b6e2..ed91bdd8857c1 100644
1333 +--- a/net/netfilter/nf_nat_proto_udp.c
1334 ++++ b/net/netfilter/nf_nat_proto_udp.c
1335 +@@ -17,8 +17,6 @@
1336 + #include <net/netfilter/nf_nat_l3proto.h>
1337 + #include <net/netfilter/nf_nat_l4proto.h>
1338 +
1339 +-static u16 udp_port_rover;
1340 +-
1341 + static void
1342 + udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1343 + struct nf_conntrack_tuple *tuple,
1344 +@@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1345 + enum nf_nat_manip_type maniptype,
1346 + const struct nf_conn *ct)
1347 + {
1348 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1349 +- &udp_port_rover);
1350 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1351 + }
1352 +
1353 + static bool
1354 +diff --git a/net/netfilter/nf_nat_proto_udplite.c b/net/netfilter/nf_nat_proto_udplite.c
1355 +index 58340c97bd836..8be265378de99 100644
1356 +--- a/net/netfilter/nf_nat_proto_udplite.c
1357 ++++ b/net/netfilter/nf_nat_proto_udplite.c
1358 +@@ -17,8 +17,6 @@
1359 + #include <net/netfilter/nf_nat_l3proto.h>
1360 + #include <net/netfilter/nf_nat_l4proto.h>
1361 +
1362 +-static u16 udplite_port_rover;
1363 +-
1364 + static void
1365 + udplite_unique_tuple(const struct nf_nat_l3proto *l3proto,
1366 + struct nf_conntrack_tuple *tuple,
1367 +@@ -26,8 +24,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto,
1368 + enum nf_nat_manip_type maniptype,
1369 + const struct nf_conn *ct)
1370 + {
1371 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1372 +- &udplite_port_rover);
1373 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1374 + }
1375 +
1376 + static bool
1377 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
1378 +index 370d0a4af1f97..8e62b05efe297 100644
1379 +--- a/net/packet/af_packet.c
1380 ++++ b/net/packet/af_packet.c
1381 +@@ -1705,6 +1705,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
1382 + match->prot_hook.dev = po->prot_hook.dev;
1383 + match->prot_hook.func = packet_rcv_fanout;
1384 + match->prot_hook.af_packet_priv = match;
1385 ++ match->prot_hook.af_packet_net = read_pnet(&match->net);
1386 + match->prot_hook.id_match = match_fanout_group;
1387 + list_add(&match->list, &fanout_list);
1388 + }
1389 +@@ -1718,7 +1719,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
1390 + err = -ENOSPC;
1391 + if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
1392 + __dev_remove_pack(&po->prot_hook);
1393 +- po->fanout = match;
1394 ++
1395 ++ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
1396 ++ WRITE_ONCE(po->fanout, match);
1397 ++
1398 + po->rollover = rollover;
1399 + rollover = NULL;
1400 + atomic_inc(&match->sk_ref);
1401 +@@ -3310,6 +3314,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
1402 + po->prot_hook.func = packet_rcv_spkt;
1403 +
1404 + po->prot_hook.af_packet_priv = sk;
1405 ++ po->prot_hook.af_packet_net = sock_net(sk);
1406 +
1407 + if (proto) {
1408 + po->prot_hook.type = proto;
1409 +@@ -3893,7 +3898,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
1410 + }
1411 + case PACKET_FANOUT_DATA:
1412 + {
1413 +- if (!po->fanout)
1414 ++ /* Paired with the WRITE_ONCE() in fanout_add() */
1415 ++ if (!READ_ONCE(po->fanout))
1416 + return -EINVAL;
1417 +
1418 + return fanout_set_data(po, optval, optlen);
1419 +diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c
1420 +index ec731223cab3d..72d4548994842 100644
1421 +--- a/sound/soc/fsl/pcm030-audio-fabric.c
1422 ++++ b/sound/soc/fsl/pcm030-audio-fabric.c
1423 +@@ -90,16 +90,21 @@ static int pcm030_fabric_probe(struct platform_device *op)
1424 + dev_err(&op->dev, "platform_device_alloc() failed\n");
1425 +
1426 + ret = platform_device_add(pdata->codec_device);
1427 +- if (ret)
1428 ++ if (ret) {
1429 + dev_err(&op->dev, "platform_device_add() failed: %d\n", ret);
1430 ++ platform_device_put(pdata->codec_device);
1431 ++ }
1432 +
1433 + ret = snd_soc_register_card(card);
1434 +- if (ret)
1435 ++ if (ret) {
1436 + dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret);
1437 ++ platform_device_del(pdata->codec_device);
1438 ++ platform_device_put(pdata->codec_device);
1439 ++ }
1440 +
1441 + platform_set_drvdata(op, pdata);
1442 +-
1443 + return ret;
1444 ++
1445 + }
1446 +
1447 + static int pcm030_fabric_remove(struct platform_device *op)
1448 +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
1449 +index 90acdf4d90ed6..4da6f66ea3a21 100644
1450 +--- a/sound/soc/soc-ops.c
1451 ++++ b/sound/soc/soc-ops.c
1452 +@@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
1453 + if (sign_bit)
1454 + mask = BIT(sign_bit + 1) - 1;
1455 +
1456 +- val = ((ucontrol->value.integer.value[0] + min) & mask);
1457 ++ val = ucontrol->value.integer.value[0];
1458 ++ if (mc->platform_max && val > mc->platform_max)
1459 ++ return -EINVAL;
1460 ++ if (val > max - min)
1461 ++ return -EINVAL;
1462 ++ if (val < 0)
1463 ++ return -EINVAL;
1464 ++ val = (val + min) & mask;
1465 + if (invert)
1466 + val = max - val;
1467 + val_mask = mask << shift;
1468 + val = val << shift;
1469 + if (snd_soc_volsw_is_stereo(mc)) {
1470 +- val2 = ((ucontrol->value.integer.value[1] + min) & mask);
1471 ++ val2 = ucontrol->value.integer.value[1];
1472 ++ if (mc->platform_max && val2 > mc->platform_max)
1473 ++ return -EINVAL;
1474 ++ if (val2 > max - min)
1475 ++ return -EINVAL;
1476 ++ if (val2 < 0)
1477 ++ return -EINVAL;
1478 ++ val2 = (val2 + min) & mask;
1479 + if (invert)
1480 + val2 = max - val2;
1481 + if (reg == reg2) {
1482 +@@ -427,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
1483 + int err = 0;
1484 + unsigned int val, val_mask, val2 = 0;
1485 +
1486 ++ val = ucontrol->value.integer.value[0];
1487 ++ if (mc->platform_max && val > mc->platform_max)
1488 ++ return -EINVAL;
1489 ++ if (val > max - min)
1490 ++ return -EINVAL;
1491 ++ if (val < 0)
1492 ++ return -EINVAL;
1493 + val_mask = mask << shift;
1494 +- val = (ucontrol->value.integer.value[0] + min) & mask;
1495 ++ val = (val + min) & mask;
1496 + val = val << shift;
1497 +
1498 + err = snd_soc_component_update_bits(component, reg, val_mask, val);
1499 +@@ -894,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol,
1500 + unsigned int i, regval, regmask;
1501 + int err;
1502 +
1503 ++ if (val < mc->min || val > mc->max)
1504 ++ return -EINVAL;
1505 + if (invert)
1506 + val = max - val;
1507 + val &= mask;
Report Message
Find on MARC Find on Google Groups