Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 03 May 2017 17:41:53
Message-Id: 1493833296.0047162d944ddd8439be87b3e2f073680c16ea29.mpagano@gentoo
1 commit: 0047162d944ddd8439be87b3e2f073680c16ea29
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed May 3 17:41:36 2017 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed May 3 17:41:36 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=0047162d
7
8 Linux patch 4.4.66
9
10 0000_README | 4 +
11 1065_linux-4.4.66.patch | 1309 +++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 1313 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 3008fb4..d08d290 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -303,6 +303,10 @@ Patch: 1064_linux-4.4.65.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.4.65
21
22 +Patch: 1065_linux-4.4.66.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.4.66
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1065_linux-4.4.66.patch b/1065_linux-4.4.66.patch
31 new file mode 100644
32 index 0000000..1fe8b7a
33 --- /dev/null
34 +++ b/1065_linux-4.4.66.patch
35 @@ -0,0 +1,1309 @@
36 +diff --git a/Documentation/devicetree/bindings/clock/sunxi.txt b/Documentation/devicetree/bindings/clock/sunxi.txt
37 +index 8a47b77abfca..e8c74a6e738b 100644
38 +--- a/Documentation/devicetree/bindings/clock/sunxi.txt
39 ++++ b/Documentation/devicetree/bindings/clock/sunxi.txt
40 +@@ -18,6 +18,7 @@ Required properties:
41 + "allwinner,sun4i-a10-cpu-clk" - for the CPU multiplexer clock
42 + "allwinner,sun4i-a10-axi-clk" - for the AXI clock
43 + "allwinner,sun8i-a23-axi-clk" - for the AXI clock on A23
44 ++ "allwinner,sun4i-a10-gates-clk" - for generic gates on all compatible SoCs
45 + "allwinner,sun4i-a10-axi-gates-clk" - for the AXI gates
46 + "allwinner,sun4i-a10-ahb-clk" - for the AHB clock
47 + "allwinner,sun5i-a13-ahb-clk" - for the AHB clock on A13
48 +@@ -43,6 +44,7 @@ Required properties:
49 + "allwinner,sun6i-a31-apb0-gates-clk" - for the APB0 gates on A31
50 + "allwinner,sun7i-a20-apb0-gates-clk" - for the APB0 gates on A20
51 + "allwinner,sun8i-a23-apb0-gates-clk" - for the APB0 gates on A23
52 ++ "allwinner,sun8i-h3-apb0-gates-clk" - for the APB0 gates on H3
53 + "allwinner,sun9i-a80-apb0-gates-clk" - for the APB0 gates on A80
54 + "allwinner,sun4i-a10-apb1-clk" - for the APB1 clock
55 + "allwinner,sun9i-a80-apb1-clk" - for the APB1 bus clock on A80
56 +diff --git a/Makefile b/Makefile
57 +index ddaef04f528a..1cd052823c03 100644
58 +--- a/Makefile
59 ++++ b/Makefile
60 +@@ -1,6 +1,6 @@
61 + VERSION = 4
62 + PATCHLEVEL = 4
63 +-SUBLEVEL = 65
64 ++SUBLEVEL = 66
65 + EXTRAVERSION =
66 + NAME = Blurry Fish Butt
67 +
68 +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
69 +index b5ff87e6f4b7..aee1a77934cf 100644
70 +--- a/arch/arc/include/asm/entry-arcv2.h
71 ++++ b/arch/arc/include/asm/entry-arcv2.h
72 +@@ -16,6 +16,7 @@
73 + ;
74 + ; Now manually save: r12, sp, fp, gp, r25
75 +
76 ++ PUSH r30
77 + PUSH r12
78 +
79 + ; Saving pt_regs->sp correctly requires some extra work due to the way
80 +@@ -72,6 +73,7 @@
81 + POPAX AUX_USER_SP
82 + 1:
83 + POP r12
84 ++ POP r30
85 +
86 + .endm
87 +
88 +diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h
89 +index 69095da1fcfd..47111d565a95 100644
90 +--- a/arch/arc/include/asm/ptrace.h
91 ++++ b/arch/arc/include/asm/ptrace.h
92 +@@ -84,7 +84,7 @@ struct pt_regs {
93 + unsigned long fp;
94 + unsigned long sp; /* user/kernel sp depending on where we came from */
95 +
96 +- unsigned long r12;
97 ++ unsigned long r12, r30;
98 +
99 + /*------- Below list auto saved by h/w -----------*/
100 + unsigned long r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11;
101 +diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c
102 +index f86692dbcfd5..83fc403aec3c 100644
103 +--- a/arch/arm/mach-omap2/timer.c
104 ++++ b/arch/arm/mach-omap2/timer.c
105 +@@ -496,8 +496,7 @@ void __init omap_init_time(void)
106 + __omap_sync32k_timer_init(1, "timer_32k_ck", "ti,timer-alwon",
107 + 2, "timer_sys_ck", NULL, false);
108 +
109 +- if (of_have_populated_dt())
110 +- clocksource_probe();
111 ++ clocksource_probe();
112 + }
113 +
114 + #if defined(CONFIG_ARCH_OMAP3) || defined(CONFIG_SOC_AM43XX)
115 +@@ -505,6 +504,8 @@ void __init omap3_secure_sync32k_timer_init(void)
116 + {
117 + __omap_sync32k_timer_init(12, "secure_32k_fck", "ti,timer-secure",
118 + 2, "timer_sys_ck", NULL, false);
119 ++
120 ++ clocksource_probe();
121 + }
122 + #endif /* CONFIG_ARCH_OMAP3 */
123 +
124 +@@ -513,6 +514,8 @@ void __init omap3_gptimer_timer_init(void)
125 + {
126 + __omap_sync32k_timer_init(2, "timer_sys_ck", NULL,
127 + 1, "timer_sys_ck", "ti,timer-alwon", true);
128 ++
129 ++ clocksource_probe();
130 + }
131 + #endif
132 +
133 +diff --git a/arch/mips/kernel/crash.c b/arch/mips/kernel/crash.c
134 +index d434d5d5ae6e..610f0f3bdb34 100644
135 +--- a/arch/mips/kernel/crash.c
136 ++++ b/arch/mips/kernel/crash.c
137 +@@ -14,12 +14,22 @@ static int crashing_cpu = -1;
138 + static cpumask_t cpus_in_crash = CPU_MASK_NONE;
139 +
140 + #ifdef CONFIG_SMP
141 +-static void crash_shutdown_secondary(void *ignore)
142 ++static void crash_shutdown_secondary(void *passed_regs)
143 + {
144 +- struct pt_regs *regs;
145 ++ struct pt_regs *regs = passed_regs;
146 + int cpu = smp_processor_id();
147 +
148 +- regs = task_pt_regs(current);
149 ++ /*
150 ++ * If we are passed registers, use those. Otherwise get the
151 ++ * regs from the last interrupt, which should be correct, as
152 ++ * we are in an interrupt. But if the regs are not there,
153 ++ * pull them from the top of the stack. They are probably
154 ++ * wrong, but we need something to keep from crashing again.
155 ++ */
156 ++ if (!regs)
157 ++ regs = get_irq_regs();
158 ++ if (!regs)
159 ++ regs = task_pt_regs(current);
160 +
161 + if (!cpu_online(cpu))
162 + return;
163 +diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c
164 +index 4a4d9e067c89..3afffc30ee12 100644
165 +--- a/arch/mips/kernel/elf.c
166 ++++ b/arch/mips/kernel/elf.c
167 +@@ -206,7 +206,7 @@ int arch_check_elf(void *_ehdr, bool has_interpreter,
168 + else if ((prog_req.fr1 && prog_req.frdefault) ||
169 + (prog_req.single && !prog_req.frdefault))
170 + /* Make sure 64-bit MIPS III/IV/64R1 will not pick FR1 */
171 +- state->overall_fp_mode = ((current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
172 ++ state->overall_fp_mode = ((raw_current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
173 + cpu_has_mips_r2_r6) ?
174 + FP_FR1 : FP_FR0;
175 + else if (prog_req.fr1)
176 +diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c
177 +index de63d36af895..732d6171ac6a 100644
178 +--- a/arch/mips/kernel/kgdb.c
179 ++++ b/arch/mips/kernel/kgdb.c
180 +@@ -244,9 +244,6 @@ static int compute_signal(int tt)
181 + void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
182 + {
183 + int reg;
184 +- struct thread_info *ti = task_thread_info(p);
185 +- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32;
186 +- struct pt_regs *regs = (struct pt_regs *)ksp - 1;
187 + #if (KGDB_GDB_REG_SIZE == 32)
188 + u32 *ptr = (u32 *)gdb_regs;
189 + #else
190 +@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
191 + #endif
192 +
193 + for (reg = 0; reg < 16; reg++)
194 +- *(ptr++) = regs->regs[reg];
195 ++ *(ptr++) = 0;
196 +
197 + /* S0 - S7 */
198 +- for (reg = 16; reg < 24; reg++)
199 +- *(ptr++) = regs->regs[reg];
200 ++ *(ptr++) = p->thread.reg16;
201 ++ *(ptr++) = p->thread.reg17;
202 ++ *(ptr++) = p->thread.reg18;
203 ++ *(ptr++) = p->thread.reg19;
204 ++ *(ptr++) = p->thread.reg20;
205 ++ *(ptr++) = p->thread.reg21;
206 ++ *(ptr++) = p->thread.reg22;
207 ++ *(ptr++) = p->thread.reg23;
208 +
209 + for (reg = 24; reg < 28; reg++)
210 + *(ptr++) = 0;
211 +
212 + /* GP, SP, FP, RA */
213 +- for (reg = 28; reg < 32; reg++)
214 +- *(ptr++) = regs->regs[reg];
215 +-
216 +- *(ptr++) = regs->cp0_status;
217 +- *(ptr++) = regs->lo;
218 +- *(ptr++) = regs->hi;
219 +- *(ptr++) = regs->cp0_badvaddr;
220 +- *(ptr++) = regs->cp0_cause;
221 +- *(ptr++) = regs->cp0_epc;
222 ++ *(ptr++) = (long)p;
223 ++ *(ptr++) = p->thread.reg29;
224 ++ *(ptr++) = p->thread.reg30;
225 ++ *(ptr++) = p->thread.reg31;
226 ++
227 ++ *(ptr++) = p->thread.cp0_status;
228 ++
229 ++ /* lo, hi */
230 ++ *(ptr++) = 0;
231 ++ *(ptr++) = 0;
232 ++
233 ++ /*
234 ++ * BadVAddr, Cause
235 ++ * Ideally these would come from the last exception frame up the stack
236 ++ * but that requires unwinding, otherwise we can't know much for sure.
237 ++ */
238 ++ *(ptr++) = 0;
239 ++ *(ptr++) = 0;
240 ++
241 ++ /*
242 ++ * PC
243 ++ * use return address (RA), i.e. the moment after return from resume()
244 ++ */
245 ++ *(ptr++) = p->thread.reg31;
246 + }
247 +
248 + void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
249 +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h
250 +index 408b715c95a5..9d81579f3d54 100644
251 +--- a/arch/sparc/include/asm/pgtable_64.h
252 ++++ b/arch/sparc/include/asm/pgtable_64.h
253 +@@ -668,26 +668,27 @@ static inline unsigned long pmd_pfn(pmd_t pmd)
254 + return pte_pfn(pte);
255 + }
256 +
257 +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
258 +-static inline unsigned long pmd_dirty(pmd_t pmd)
259 ++#define __HAVE_ARCH_PMD_WRITE
260 ++static inline unsigned long pmd_write(pmd_t pmd)
261 + {
262 + pte_t pte = __pte(pmd_val(pmd));
263 +
264 +- return pte_dirty(pte);
265 ++ return pte_write(pte);
266 + }
267 +
268 +-static inline unsigned long pmd_young(pmd_t pmd)
269 ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
270 ++static inline unsigned long pmd_dirty(pmd_t pmd)
271 + {
272 + pte_t pte = __pte(pmd_val(pmd));
273 +
274 +- return pte_young(pte);
275 ++ return pte_dirty(pte);
276 + }
277 +
278 +-static inline unsigned long pmd_write(pmd_t pmd)
279 ++static inline unsigned long pmd_young(pmd_t pmd)
280 + {
281 + pte_t pte = __pte(pmd_val(pmd));
282 +
283 +- return pte_write(pte);
284 ++ return pte_young(pte);
285 + }
286 +
287 + static inline unsigned long pmd_trans_huge(pmd_t pmd)
288 +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
289 +index 3d3414c14792..965655afdbb6 100644
290 +--- a/arch/sparc/mm/init_64.c
291 ++++ b/arch/sparc/mm/init_64.c
292 +@@ -1493,7 +1493,7 @@ bool kern_addr_valid(unsigned long addr)
293 + if ((long)addr < 0L) {
294 + unsigned long pa = __pa(addr);
295 +
296 +- if ((addr >> max_phys_bits) != 0UL)
297 ++ if ((pa >> max_phys_bits) != 0UL)
298 + return false;
299 +
300 + return pfn_valid(pa >> PAGE_SHIFT);
301 +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
302 +index 311bcf338f07..bfc587579dc3 100644
303 +--- a/arch/x86/kernel/ftrace.c
304 ++++ b/arch/x86/kernel/ftrace.c
305 +@@ -977,6 +977,18 @@ void prepare_ftrace_return(unsigned long self_addr, unsigned long *parent,
306 + unsigned long return_hooker = (unsigned long)
307 + &return_to_handler;
308 +
309 ++ /*
310 ++ * When resuming from suspend-to-ram, this function can be indirectly
311 ++ * called from early CPU startup code while the CPU is in real mode,
312 ++ * which would fail miserably. Make sure the stack pointer is a
313 ++ * virtual address.
314 ++ *
315 ++ * This check isn't as accurate as virt_addr_valid(), but it should be
316 ++ * good enough for this purpose, and it's fast.
317 ++ */
318 ++ if (unlikely((long)__builtin_frame_address(0) >= 0))
319 ++ return;
320 ++
321 + if (unlikely(ftrace_graph_is_dead()))
322 + return;
323 +
324 +diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
325 +index f1ba6a092854..8846257d8792 100644
326 +--- a/arch/x86/xen/time.c
327 ++++ b/arch/x86/xen/time.c
328 +@@ -343,11 +343,11 @@ static int xen_vcpuop_set_next_event(unsigned long delta,
329 + WARN_ON(!clockevent_state_oneshot(evt));
330 +
331 + single.timeout_abs_ns = get_abs_timeout(delta);
332 +- single.flags = VCPU_SSHOTTMR_future;
333 ++ /* Get an event anyway, even if the timeout is already expired */
334 ++ single.flags = 0;
335 +
336 + ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single);
337 +-
338 +- BUG_ON(ret != 0 && ret != -ETIME);
339 ++ BUG_ON(ret != 0);
340 +
341 + return ret;
342 + }
343 +diff --git a/crypto/testmgr.c b/crypto/testmgr.c
344 +index d4944318ca1f..5f15f45fcc9f 100644
345 +--- a/crypto/testmgr.c
346 ++++ b/crypto/testmgr.c
347 +@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
348 + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
349 + tcrypt_complete, &result);
350 +
351 ++ iv_len = crypto_aead_ivsize(tfm);
352 ++
353 + for (i = 0, j = 0; i < tcount; i++) {
354 + if (template[i].np)
355 + continue;
356 +@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
357 +
358 + memcpy(input, template[i].input, template[i].ilen);
359 + memcpy(assoc, template[i].assoc, template[i].alen);
360 +- iv_len = crypto_aead_ivsize(tfm);
361 + if (template[i].iv)
362 + memcpy(iv, template[i].iv, iv_len);
363 + else
364 +@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
365 + j++;
366 +
367 + if (template[i].iv)
368 +- memcpy(iv, template[i].iv, MAX_IVLEN);
369 ++ memcpy(iv, template[i].iv, iv_len);
370 + else
371 + memset(iv, 0, MAX_IVLEN);
372 +
373 +diff --git a/drivers/clk/sunxi/clk-simple-gates.c b/drivers/clk/sunxi/clk-simple-gates.c
374 +index 0214c6548afd..97cb4221de25 100644
375 +--- a/drivers/clk/sunxi/clk-simple-gates.c
376 ++++ b/drivers/clk/sunxi/clk-simple-gates.c
377 +@@ -98,6 +98,8 @@ static void __init sunxi_simple_gates_init(struct device_node *node)
378 + sunxi_simple_gates_setup(node, NULL, 0);
379 + }
380 +
381 ++CLK_OF_DECLARE(sun4i_a10_gates, "allwinner,sun4i-a10-gates-clk",
382 ++ sunxi_simple_gates_init);
383 + CLK_OF_DECLARE(sun4i_a10_apb0, "allwinner,sun4i-a10-apb0-gates-clk",
384 + sunxi_simple_gates_init);
385 + CLK_OF_DECLARE(sun4i_a10_apb1, "allwinner,sun4i-a10-apb1-gates-clk",
386 +diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
387 +index 7e9154c7f1db..d1c9525d81eb 100644
388 +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
389 ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
390 +@@ -2258,7 +2258,7 @@ static void kv_apply_state_adjust_rules(struct amdgpu_device *adev,
391 + if (pi->caps_stable_p_state) {
392 + stable_p_state_sclk = (max_limits->sclk * 75) / 100;
393 +
394 +- for (i = table->count - 1; i >= 0; i++) {
395 ++ for (i = table->count - 1; i >= 0; i--) {
396 + if (stable_p_state_sclk >= table->entries[i].clk) {
397 + stable_p_state_sclk = table->entries[i].clk;
398 + break;
399 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
400 +index 25eab453f2b2..e7b96f1ac2c5 100644
401 +--- a/drivers/input/serio/i8042-x86ia64io.h
402 ++++ b/drivers/input/serio/i8042-x86ia64io.h
403 +@@ -685,6 +685,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
404 + DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
405 + },
406 + },
407 ++ {
408 ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
409 ++ .matches = {
410 ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
411 ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"),
412 ++ },
413 ++ },
414 + { }
415 + };
416 +
417 +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
418 +index 9be39988bf06..d81be5e471d0 100644
419 +--- a/drivers/md/raid1.c
420 ++++ b/drivers/md/raid1.c
421 +@@ -570,7 +570,7 @@ static int read_balance(struct r1conf *conf, struct r1bio *r1_bio, int *max_sect
422 + if (best_dist_disk < 0) {
423 + if (is_badblock(rdev, this_sector, sectors,
424 + &first_bad, &bad_sectors)) {
425 +- if (first_bad < this_sector)
426 ++ if (first_bad <= this_sector)
427 + /* Cannot use this */
428 + continue;
429 + best_good_sectors = first_bad - this_sector;
430 +diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
431 +index 082ff5608455..317ef63ee789 100644
432 +--- a/drivers/media/tuners/tuner-xc2028.c
433 ++++ b/drivers/media/tuners/tuner-xc2028.c
434 +@@ -1407,8 +1407,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
435 + memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
436 + if (p->fname) {
437 + priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
438 +- if (priv->ctrl.fname == NULL)
439 +- return -ENOMEM;
440 ++ if (priv->ctrl.fname == NULL) {
441 ++ rc = -ENOMEM;
442 ++ goto unlock;
443 ++ }
444 + }
445 +
446 + /*
447 +@@ -1440,6 +1442,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
448 + } else
449 + priv->state = XC2028_WAITING_FIRMWARE;
450 + }
451 ++unlock:
452 + mutex_unlock(&priv->lock);
453 +
454 + return rc;
455 +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
456 +index 7445da218bd9..cc1725616f9d 100644
457 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
458 ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
459 +@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev)
460 + if (!g) {
461 + netif_info(lio, tx_err, lio->netdev,
462 + "Transmit scatter gather: glist null!\n");
463 +- goto lio_xmit_failed;
464 ++ goto lio_xmit_dma_failed;
465 + }
466 +
467 + cmdsetup.s.gather = 1;
468 +@@ -2894,7 +2894,7 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev)
469 + else
470 + status = octnet_send_nic_data_pkt(oct, &ndata, xmit_more);
471 + if (status == IQ_SEND_FAILED)
472 +- goto lio_xmit_failed;
473 ++ goto lio_xmit_dma_failed;
474 +
475 + netif_info(lio, tx_queued, lio->netdev, "Transmit queued successfully\n");
476 +
477 +@@ -2908,12 +2908,13 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev)
478 +
479 + return NETDEV_TX_OK;
480 +
481 ++lio_xmit_dma_failed:
482 ++ dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr,
483 ++ ndata.datasize, DMA_TO_DEVICE);
484 + lio_xmit_failed:
485 + stats->tx_dropped++;
486 + netif_info(lio, tx_err, lio->netdev, "IQ%d Transmit dropped:%llu\n",
487 + iq_no, stats->tx_dropped);
488 +- dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr,
489 +- ndata.datasize, DMA_TO_DEVICE);
490 + recv_buffer_free(skb);
491 + return NETDEV_TX_OK;
492 + }
493 +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
494 +index 06c8bfeaccd6..40cd86614677 100644
495 +--- a/drivers/net/macvlan.c
496 ++++ b/drivers/net/macvlan.c
497 +@@ -1110,6 +1110,7 @@ static int macvlan_port_create(struct net_device *dev)
498 + static void macvlan_port_destroy(struct net_device *dev)
499 + {
500 + struct macvlan_port *port = macvlan_port_get_rtnl(dev);
501 ++ struct sk_buff *skb;
502 +
503 + dev->priv_flags &= ~IFF_MACVLAN_PORT;
504 + netdev_rx_handler_unregister(dev);
505 +@@ -1118,7 +1119,15 @@ static void macvlan_port_destroy(struct net_device *dev)
506 + * but we need to cancel it and purge left skbs if any.
507 + */
508 + cancel_work_sync(&port->bc_work);
509 +- __skb_queue_purge(&port->bc_queue);
510 ++
511 ++ while ((skb = __skb_dequeue(&port->bc_queue))) {
512 ++ const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
513 ++
514 ++ if (src)
515 ++ dev_put(src->dev);
516 ++
517 ++ kfree_skb(skb);
518 ++ }
519 +
520 + kfree_rcu(port, rcu);
521 + }
522 +diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
523 +index e6cefd0e3262..84b9cca152eb 100644
524 +--- a/drivers/net/phy/dp83640.c
525 ++++ b/drivers/net/phy/dp83640.c
526 +@@ -1436,8 +1436,6 @@ static bool dp83640_rxtstamp(struct phy_device *phydev,
527 + skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
528 + skb_queue_tail(&dp83640->rx_queue, skb);
529 + schedule_delayed_work(&dp83640->ts_work, SKB_TIMESTAMP_TIMEOUT);
530 +- } else {
531 +- netif_rx_ni(skb);
532 + }
533 +
534 + return true;
535 +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
536 +index bba0ca786aaa..851c0e121807 100644
537 +--- a/drivers/net/phy/phy.c
538 ++++ b/drivers/net/phy/phy.c
539 +@@ -538,7 +538,7 @@ void phy_stop_machine(struct phy_device *phydev)
540 + cancel_delayed_work_sync(&phydev->state_queue);
541 +
542 + mutex_lock(&phydev->lock);
543 +- if (phydev->state > PHY_UP)
544 ++ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
545 + phydev->state = PHY_UP;
546 + mutex_unlock(&phydev->lock);
547 + }
548 +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
549 +index 88dbbeb8569b..f9b8c44677eb 100644
550 +--- a/drivers/regulator/core.c
551 ++++ b/drivers/regulator/core.c
552 +@@ -1519,6 +1519,7 @@ static int regulator_resolve_supply(struct regulator_dev *rdev)
553 + ret = regulator_enable(rdev->supply);
554 + if (ret < 0) {
555 + _regulator_put(rdev->supply);
556 ++ rdev->supply = NULL;
557 + return ret;
558 + }
559 + }
560 +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
561 +index 898a570319f1..af60cc3714c1 100644
562 +--- a/drivers/usb/gadget/function/f_midi.c
563 ++++ b/drivers/usb/gadget/function/f_midi.c
564 +@@ -361,7 +361,9 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
565 + /* allocate a bunch of read buffers and queue them all at once. */
566 + for (i = 0; i < midi->qlen && err == 0; i++) {
567 + struct usb_request *req =
568 +- midi_alloc_ep_req(midi->out_ep, midi->buflen);
569 ++ midi_alloc_ep_req(midi->out_ep,
570 ++ max_t(unsigned, midi->buflen,
571 ++ bulk_out_desc.wMaxPacketSize));
572 + if (req == NULL)
573 + return -ENOMEM;
574 +
575 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
576 +index 263002f0389d..7c23363ecf19 100644
577 +--- a/fs/ext4/xattr.c
578 ++++ b/fs/ext4/xattr.c
579 +@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh)
580 + return error;
581 + }
582 +
583 ++static int
584 ++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
585 ++ void *end, const char *function, unsigned int line)
586 ++{
587 ++ struct ext4_xattr_entry *entry = IFIRST(header);
588 ++ int error = -EFSCORRUPTED;
589 ++
590 ++ if (((void *) header >= end) ||
591 ++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
592 ++ goto errout;
593 ++ error = ext4_xattr_check_names(entry, end, entry);
594 ++errout:
595 ++ if (error)
596 ++ __ext4_error_inode(inode, function, line, 0,
597 ++ "corrupted in-inode xattr");
598 ++ return error;
599 ++}
600 ++
601 ++#define xattr_check_inode(inode, header, end) \
602 ++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
603 ++
604 + static inline int
605 + ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size)
606 + {
607 +@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
608 + header = IHDR(inode, raw_inode);
609 + entry = IFIRST(header);
610 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
611 +- error = ext4_xattr_check_names(entry, end, entry);
612 ++ error = xattr_check_inode(inode, header, end);
613 + if (error)
614 + goto cleanup;
615 + error = ext4_xattr_find_entry(&entry, name_index, name,
616 +@@ -475,7 +496,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size)
617 + raw_inode = ext4_raw_inode(&iloc);
618 + header = IHDR(inode, raw_inode);
619 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
620 +- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
621 ++ error = xattr_check_inode(inode, header, end);
622 + if (error)
623 + goto cleanup;
624 + error = ext4_xattr_list_entries(dentry, IFIRST(header),
625 +@@ -991,8 +1012,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
626 + is->s.here = is->s.first;
627 + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
628 + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
629 +- error = ext4_xattr_check_names(IFIRST(header), is->s.end,
630 +- IFIRST(header));
631 ++ error = xattr_check_inode(inode, header, is->s.end);
632 + if (error)
633 + return error;
634 + /* Find the named attribute. */
635 +@@ -1293,6 +1313,10 @@ retry:
636 + last = entry;
637 + total_ino = sizeof(struct ext4_xattr_ibody_header);
638 +
639 ++ error = xattr_check_inode(inode, header, end);
640 ++ if (error)
641 ++ goto cleanup;
642 ++
643 + free = ext4_xattr_free_space(last, &min_offs, base, &total_ino);
644 + if (free >= isize_diff) {
645 + entry = IFIRST(header);
646 +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
647 +index 3a65e0132352..16462e702f96 100644
648 +--- a/fs/f2fs/super.c
649 ++++ b/fs/f2fs/super.c
650 +@@ -918,6 +918,79 @@ static loff_t max_file_size(unsigned bits)
651 + return result;
652 + }
653 +
654 ++static inline bool sanity_check_area_boundary(struct super_block *sb,
655 ++ struct f2fs_super_block *raw_super)
656 ++{
657 ++ u32 segment0_blkaddr = le32_to_cpu(raw_super->segment0_blkaddr);
658 ++ u32 cp_blkaddr = le32_to_cpu(raw_super->cp_blkaddr);
659 ++ u32 sit_blkaddr = le32_to_cpu(raw_super->sit_blkaddr);
660 ++ u32 nat_blkaddr = le32_to_cpu(raw_super->nat_blkaddr);
661 ++ u32 ssa_blkaddr = le32_to_cpu(raw_super->ssa_blkaddr);
662 ++ u32 main_blkaddr = le32_to_cpu(raw_super->main_blkaddr);
663 ++ u32 segment_count_ckpt = le32_to_cpu(raw_super->segment_count_ckpt);
664 ++ u32 segment_count_sit = le32_to_cpu(raw_super->segment_count_sit);
665 ++ u32 segment_count_nat = le32_to_cpu(raw_super->segment_count_nat);
666 ++ u32 segment_count_ssa = le32_to_cpu(raw_super->segment_count_ssa);
667 ++ u32 segment_count_main = le32_to_cpu(raw_super->segment_count_main);
668 ++ u32 segment_count = le32_to_cpu(raw_super->segment_count);
669 ++ u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
670 ++
671 ++ if (segment0_blkaddr != cp_blkaddr) {
672 ++ f2fs_msg(sb, KERN_INFO,
673 ++ "Mismatch start address, segment0(%u) cp_blkaddr(%u)",
674 ++ segment0_blkaddr, cp_blkaddr);
675 ++ return true;
676 ++ }
677 ++
678 ++ if (cp_blkaddr + (segment_count_ckpt << log_blocks_per_seg) !=
679 ++ sit_blkaddr) {
680 ++ f2fs_msg(sb, KERN_INFO,
681 ++ "Wrong CP boundary, start(%u) end(%u) blocks(%u)",
682 ++ cp_blkaddr, sit_blkaddr,
683 ++ segment_count_ckpt << log_blocks_per_seg);
684 ++ return true;
685 ++ }
686 ++
687 ++ if (sit_blkaddr + (segment_count_sit << log_blocks_per_seg) !=
688 ++ nat_blkaddr) {
689 ++ f2fs_msg(sb, KERN_INFO,
690 ++ "Wrong SIT boundary, start(%u) end(%u) blocks(%u)",
691 ++ sit_blkaddr, nat_blkaddr,
692 ++ segment_count_sit << log_blocks_per_seg);
693 ++ return true;
694 ++ }
695 ++
696 ++ if (nat_blkaddr + (segment_count_nat << log_blocks_per_seg) !=
697 ++ ssa_blkaddr) {
698 ++ f2fs_msg(sb, KERN_INFO,
699 ++ "Wrong NAT boundary, start(%u) end(%u) blocks(%u)",
700 ++ nat_blkaddr, ssa_blkaddr,
701 ++ segment_count_nat << log_blocks_per_seg);
702 ++ return true;
703 ++ }
704 ++
705 ++ if (ssa_blkaddr + (segment_count_ssa << log_blocks_per_seg) !=
706 ++ main_blkaddr) {
707 ++ f2fs_msg(sb, KERN_INFO,
708 ++ "Wrong SSA boundary, start(%u) end(%u) blocks(%u)",
709 ++ ssa_blkaddr, main_blkaddr,
710 ++ segment_count_ssa << log_blocks_per_seg);
711 ++ return true;
712 ++ }
713 ++
714 ++ if (main_blkaddr + (segment_count_main << log_blocks_per_seg) !=
715 ++ segment0_blkaddr + (segment_count << log_blocks_per_seg)) {
716 ++ f2fs_msg(sb, KERN_INFO,
717 ++ "Wrong MAIN_AREA boundary, start(%u) end(%u) blocks(%u)",
718 ++ main_blkaddr,
719 ++ segment0_blkaddr + (segment_count << log_blocks_per_seg),
720 ++ segment_count_main << log_blocks_per_seg);
721 ++ return true;
722 ++ }
723 ++
724 ++ return false;
725 ++}
726 ++
727 + static int sanity_check_raw_super(struct super_block *sb,
728 + struct f2fs_super_block *raw_super)
729 + {
730 +@@ -947,6 +1020,14 @@ static int sanity_check_raw_super(struct super_block *sb,
731 + return 1;
732 + }
733 +
734 ++ /* check log blocks per segment */
735 ++ if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) {
736 ++ f2fs_msg(sb, KERN_INFO,
737 ++ "Invalid log blocks per segment (%u)\n",
738 ++ le32_to_cpu(raw_super->log_blocks_per_seg));
739 ++ return 1;
740 ++ }
741 ++
742 + /* Currently, support 512/1024/2048/4096 bytes sector size */
743 + if (le32_to_cpu(raw_super->log_sectorsize) >
744 + F2FS_MAX_LOG_SECTOR_SIZE ||
745 +@@ -965,6 +1046,23 @@ static int sanity_check_raw_super(struct super_block *sb,
746 + le32_to_cpu(raw_super->log_sectorsize));
747 + return 1;
748 + }
749 ++
750 ++ /* check reserved ino info */
751 ++ if (le32_to_cpu(raw_super->node_ino) != 1 ||
752 ++ le32_to_cpu(raw_super->meta_ino) != 2 ||
753 ++ le32_to_cpu(raw_super->root_ino) != 3) {
754 ++ f2fs_msg(sb, KERN_INFO,
755 ++ "Invalid Fs Meta Ino: node(%u) meta(%u) root(%u)",
756 ++ le32_to_cpu(raw_super->node_ino),
757 ++ le32_to_cpu(raw_super->meta_ino),
758 ++ le32_to_cpu(raw_super->root_ino));
759 ++ return 1;
760 ++ }
761 ++
762 ++ /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */
763 ++ if (sanity_check_area_boundary(sb, raw_super))
764 ++ return 1;
765 ++
766 + return 0;
767 + }
768 +
769 +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
770 +index ad4e2377dd63..5be1fa6b676d 100644
771 +--- a/fs/nfsd/nfssvc.c
772 ++++ b/fs/nfsd/nfssvc.c
773 +@@ -656,6 +656,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
774 + return nfserr;
775 + }
776 +
777 ++/*
778 ++ * A write procedure can have a large argument, and a read procedure can
779 ++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
780 ++ * reply that can both be larger than a page. The xdr code has taken
781 ++ * advantage of this assumption to be a sloppy about bounds checking in
782 ++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
783 ++ * problem, we enforce these assumptions here:
784 ++ */
785 ++static bool nfs_request_too_big(struct svc_rqst *rqstp,
786 ++ struct svc_procedure *proc)
787 ++{
788 ++ /*
789 ++ * The ACL code has more careful bounds-checking and is not
790 ++ * susceptible to this problem:
791 ++ */
792 ++ if (rqstp->rq_prog != NFS_PROGRAM)
793 ++ return false;
794 ++ /*
795 ++ * Ditto NFSv4 (which can in theory have argument and reply both
796 ++ * more than a page):
797 ++ */
798 ++ if (rqstp->rq_vers >= 4)
799 ++ return false;
800 ++ /* The reply will be small, we're OK: */
801 ++ if (proc->pc_xdrressize > 0 &&
802 ++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
803 ++ return false;
804 ++
805 ++ return rqstp->rq_arg.len > PAGE_SIZE;
806 ++}
807 ++
808 + int
809 + nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
810 + {
811 +@@ -668,6 +699,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
812 + rqstp->rq_vers, rqstp->rq_proc);
813 + proc = rqstp->rq_procinfo;
814 +
815 ++ if (nfs_request_too_big(rqstp, proc)) {
816 ++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
817 ++ *statp = rpc_garbage_args;
818 ++ return 1;
819 ++ }
820 + /*
821 + * Give the xdr decoder a chance to change this if it wants
822 + * (necessary in the NFSv4.0 compound case)
823 +diff --git a/include/uapi/linux/ipv6_route.h b/include/uapi/linux/ipv6_route.h
824 +index f6598d1c886e..316e838b7470 100644
825 +--- a/include/uapi/linux/ipv6_route.h
826 ++++ b/include/uapi/linux/ipv6_route.h
827 +@@ -34,7 +34,7 @@
828 + #define RTF_PREF(pref) ((pref) << 27)
829 + #define RTF_PREF_MASK 0x18000000
830 +
831 +-#define RTF_PCPU 0x40000000
832 ++#define RTF_PCPU 0x40000000 /* read-only: can not be set by user */
833 + #define RTF_LOCAL 0x80000000
834 +
835 +
836 +diff --git a/net/9p/client.c b/net/9p/client.c
837 +index ea79ee9a7348..f5feac4ff4ec 100644
838 +--- a/net/9p/client.c
839 ++++ b/net/9p/client.c
840 +@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
841 + trace_9p_protocol_dump(clnt, req->rc);
842 + goto free_and_error;
843 + }
844 ++ if (rsize < count) {
845 ++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
846 ++ count = rsize;
847 ++ }
848 +
849 + p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
850 +
851 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
852 +index 769cece9b00b..ae92131c4f89 100644
853 +--- a/net/core/neighbour.c
854 ++++ b/net/core/neighbour.c
855 +@@ -859,7 +859,8 @@ static void neigh_probe(struct neighbour *neigh)
856 + if (skb)
857 + skb = skb_clone(skb, GFP_ATOMIC);
858 + write_unlock(&neigh->lock);
859 +- neigh->ops->solicit(neigh, skb);
860 ++ if (neigh->ops->solicit)
861 ++ neigh->ops->solicit(neigh, skb);
862 + atomic_inc(&neigh->probes);
863 + kfree_skb(skb);
864 + }
865 +diff --git a/net/core/netpoll.c b/net/core/netpoll.c
866 +index 94acfc89ad97..440aa9f6e0a8 100644
867 +--- a/net/core/netpoll.c
868 ++++ b/net/core/netpoll.c
869 +@@ -105,15 +105,21 @@ static void queue_process(struct work_struct *work)
870 + while ((skb = skb_dequeue(&npinfo->txq))) {
871 + struct net_device *dev = skb->dev;
872 + struct netdev_queue *txq;
873 ++ unsigned int q_index;
874 +
875 + if (!netif_device_present(dev) || !netif_running(dev)) {
876 + kfree_skb(skb);
877 + continue;
878 + }
879 +
880 +- txq = skb_get_tx_queue(dev, skb);
881 +-
882 + local_irq_save(flags);
883 ++ /* check if skb->queue_mapping is still valid */
884 ++ q_index = skb_get_queue_mapping(skb);
885 ++ if (unlikely(q_index >= dev->real_num_tx_queues)) {
886 ++ q_index = q_index % dev->real_num_tx_queues;
887 ++ skb_set_queue_mapping(skb, q_index);
888 ++ }
889 ++ txq = netdev_get_tx_queue(dev, q_index);
890 + HARD_TX_LOCK(dev, txq, smp_processor_id());
891 + if (netif_xmit_frozen_or_stopped(txq) ||
892 + netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) {
893 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
894 +index da4d68d78590..375248b900ba 100644
895 +--- a/net/ipv4/route.c
896 ++++ b/net/ipv4/route.c
897 +@@ -2559,7 +2559,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
898 + skb_reset_network_header(skb);
899 +
900 + /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
901 +- ip_hdr(skb)->protocol = IPPROTO_ICMP;
902 ++ ip_hdr(skb)->protocol = IPPROTO_UDP;
903 + skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
904 +
905 + src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;
906 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
907 +index 600dcda840d1..e1d51370977b 100644
908 +--- a/net/ipv4/tcp.c
909 ++++ b/net/ipv4/tcp.c
910 +@@ -2260,6 +2260,7 @@ int tcp_disconnect(struct sock *sk, int flags)
911 + tcp_init_send_head(sk);
912 + memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
913 + __sk_dst_reset(sk);
914 ++ tcp_saved_syn_free(tp);
915 +
916 + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
917 +
918 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
919 +index 6c6161763c2f..97cb02dc5f02 100644
920 +--- a/net/ipv6/ip6_tunnel.c
921 ++++ b/net/ipv6/ip6_tunnel.c
922 +@@ -1049,7 +1049,7 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
923 + struct ip6_tnl *t = netdev_priv(dev);
924 + struct net *net = t->net;
925 + struct net_device_stats *stats = &t->dev->stats;
926 +- struct ipv6hdr *ipv6h = ipv6_hdr(skb);
927 ++ struct ipv6hdr *ipv6h;
928 + struct ipv6_tel_txoption opt;
929 + struct dst_entry *dst = NULL, *ndst = NULL;
930 + struct net_device *tdev;
931 +@@ -1061,26 +1061,28 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
932 +
933 + /* NBMA tunnel */
934 + if (ipv6_addr_any(&t->parms.raddr)) {
935 +- struct in6_addr *addr6;
936 +- struct neighbour *neigh;
937 +- int addr_type;
938 ++ if (skb->protocol == htons(ETH_P_IPV6)) {
939 ++ struct in6_addr *addr6;
940 ++ struct neighbour *neigh;
941 ++ int addr_type;
942 +
943 +- if (!skb_dst(skb))
944 +- goto tx_err_link_failure;
945 ++ if (!skb_dst(skb))
946 ++ goto tx_err_link_failure;
947 +
948 +- neigh = dst_neigh_lookup(skb_dst(skb),
949 +- &ipv6_hdr(skb)->daddr);
950 +- if (!neigh)
951 +- goto tx_err_link_failure;
952 ++ neigh = dst_neigh_lookup(skb_dst(skb),
953 ++ &ipv6_hdr(skb)->daddr);
954 ++ if (!neigh)
955 ++ goto tx_err_link_failure;
956 +
957 +- addr6 = (struct in6_addr *)&neigh->primary_key;
958 +- addr_type = ipv6_addr_type(addr6);
959 ++ addr6 = (struct in6_addr *)&neigh->primary_key;
960 ++ addr_type = ipv6_addr_type(addr6);
961 +
962 +- if (addr_type == IPV6_ADDR_ANY)
963 +- addr6 = &ipv6_hdr(skb)->daddr;
964 ++ if (addr_type == IPV6_ADDR_ANY)
965 ++ addr6 = &ipv6_hdr(skb)->daddr;
966 +
967 +- memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
968 +- neigh_release(neigh);
969 ++ memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
970 ++ neigh_release(neigh);
971 ++ }
972 + } else if (!(t->parms.flags &
973 + (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
974 + /* enable the cache only only if the routing decision does
975 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
976 +index d9843e5a667f..8361d73ab653 100644
977 +--- a/net/ipv6/ip6mr.c
978 ++++ b/net/ipv6/ip6mr.c
979 +@@ -774,7 +774,8 @@ failure:
980 + * Delete a VIF entry
981 + */
982 +
983 +-static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
984 ++static int mif6_delete(struct mr6_table *mrt, int vifi, int notify,
985 ++ struct list_head *head)
986 + {
987 + struct mif_device *v;
988 + struct net_device *dev;
989 +@@ -820,7 +821,7 @@ static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
990 + dev->ifindex, &in6_dev->cnf);
991 + }
992 +
993 +- if (v->flags & MIFF_REGISTER)
994 ++ if ((v->flags & MIFF_REGISTER) && !notify)
995 + unregister_netdevice_queue(dev, head);
996 +
997 + dev_put(dev);
998 +@@ -1330,7 +1331,6 @@ static int ip6mr_device_event(struct notifier_block *this,
999 + struct mr6_table *mrt;
1000 + struct mif_device *v;
1001 + int ct;
1002 +- LIST_HEAD(list);
1003 +
1004 + if (event != NETDEV_UNREGISTER)
1005 + return NOTIFY_DONE;
1006 +@@ -1339,10 +1339,9 @@ static int ip6mr_device_event(struct notifier_block *this,
1007 + v = &mrt->vif6_table[0];
1008 + for (ct = 0; ct < mrt->maxvif; ct++, v++) {
1009 + if (v->dev == dev)
1010 +- mif6_delete(mrt, ct, &list);
1011 ++ mif6_delete(mrt, ct, 1, NULL);
1012 + }
1013 + }
1014 +- unregister_netdevice_many(&list);
1015 +
1016 + return NOTIFY_DONE;
1017 + }
1018 +@@ -1551,7 +1550,7 @@ static void mroute_clean_tables(struct mr6_table *mrt, bool all)
1019 + for (i = 0; i < mrt->maxvif; i++) {
1020 + if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
1021 + continue;
1022 +- mif6_delete(mrt, i, &list);
1023 ++ mif6_delete(mrt, i, 0, &list);
1024 + }
1025 + unregister_netdevice_many(&list);
1026 +
1027 +@@ -1704,7 +1703,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
1028 + if (copy_from_user(&mifi, optval, sizeof(mifi_t)))
1029 + return -EFAULT;
1030 + rtnl_lock();
1031 +- ret = mif6_delete(mrt, mifi, NULL);
1032 ++ ret = mif6_delete(mrt, mifi, 0, NULL);
1033 + rtnl_unlock();
1034 + return ret;
1035 +
1036 +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
1037 +index 8bca90d6d915..a625f69a28dd 100644
1038 +--- a/net/ipv6/raw.c
1039 ++++ b/net/ipv6/raw.c
1040 +@@ -1144,8 +1144,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg)
1041 + spin_lock_bh(&sk->sk_receive_queue.lock);
1042 + skb = skb_peek(&sk->sk_receive_queue);
1043 + if (skb)
1044 +- amount = skb_tail_pointer(skb) -
1045 +- skb_transport_header(skb);
1046 ++ amount = skb->len;
1047 + spin_unlock_bh(&sk->sk_receive_queue.lock);
1048 + return put_user(amount, (int __user *)arg);
1049 + }
1050 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
1051 +index 9f0aa255e288..6c91d5c4a92c 100644
1052 +--- a/net/ipv6/route.c
1053 ++++ b/net/ipv6/route.c
1054 +@@ -1758,6 +1758,10 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg)
1055 + int addr_type;
1056 + int err = -EINVAL;
1057 +
1058 ++ /* RTF_PCPU is an internal flag; can not be set by userspace */
1059 ++ if (cfg->fc_flags & RTF_PCPU)
1060 ++ goto out;
1061 ++
1062 + if (cfg->fc_dst_len > 128 || cfg->fc_src_len > 128)
1063 + goto out;
1064 + #ifndef CONFIG_IPV6_SUBTREES
1065 +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
1066 +index ec17cbe8a02b..d3dec414fd44 100644
1067 +--- a/net/l2tp/l2tp_core.c
1068 ++++ b/net/l2tp/l2tp_core.c
1069 +@@ -278,7 +278,8 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
1070 + }
1071 + EXPORT_SYMBOL_GPL(l2tp_session_find);
1072 +
1073 +-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1074 ++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
1075 ++ bool do_ref)
1076 + {
1077 + int hash;
1078 + struct l2tp_session *session;
1079 +@@ -288,6 +289,9 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1080 + for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1081 + hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
1082 + if (++count > nth) {
1083 ++ l2tp_session_inc_refcount(session);
1084 ++ if (do_ref && session->ref)
1085 ++ session->ref(session);
1086 + read_unlock_bh(&tunnel->hlist_lock);
1087 + return session;
1088 + }
1089 +@@ -298,7 +302,7 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1090 +
1091 + return NULL;
1092 + }
1093 +-EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
1094 ++EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
1095 +
1096 + /* Lookup a session by interface name.
1097 + * This is very inefficient but is only used by management interfaces.
1098 +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
1099 +index 763e8e241ce3..555d962a62d2 100644
1100 +--- a/net/l2tp/l2tp_core.h
1101 ++++ b/net/l2tp/l2tp_core.h
1102 +@@ -243,7 +243,8 @@ out:
1103 + struct l2tp_session *l2tp_session_find(struct net *net,
1104 + struct l2tp_tunnel *tunnel,
1105 + u32 session_id);
1106 +-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth);
1107 ++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
1108 ++ bool do_ref);
1109 + struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname);
1110 + struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
1111 + struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);
1112 +diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
1113 +index 2d6760a2ae34..d100aed3d06f 100644
1114 +--- a/net/l2tp/l2tp_debugfs.c
1115 ++++ b/net/l2tp/l2tp_debugfs.c
1116 +@@ -53,7 +53,7 @@ static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd)
1117 +
1118 + static void l2tp_dfs_next_session(struct l2tp_dfs_seq_data *pd)
1119 + {
1120 +- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
1121 ++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
1122 + pd->session_idx++;
1123 +
1124 + if (pd->session == NULL) {
1125 +@@ -238,10 +238,14 @@ static int l2tp_dfs_seq_show(struct seq_file *m, void *v)
1126 + }
1127 +
1128 + /* Show the tunnel or session context */
1129 +- if (pd->session == NULL)
1130 ++ if (!pd->session) {
1131 + l2tp_dfs_seq_tunnel_show(m, pd->tunnel);
1132 +- else
1133 ++ } else {
1134 + l2tp_dfs_seq_session_show(m, pd->session);
1135 ++ if (pd->session->deref)
1136 ++ pd->session->deref(pd->session);
1137 ++ l2tp_session_dec_refcount(pd->session);
1138 ++ }
1139 +
1140 + out:
1141 + return 0;
1142 +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
1143 +index 2caaa84ce92d..665cc74df5c5 100644
1144 +--- a/net/l2tp/l2tp_netlink.c
1145 ++++ b/net/l2tp/l2tp_netlink.c
1146 +@@ -827,7 +827,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
1147 + goto out;
1148 + }
1149 +
1150 +- session = l2tp_session_find_nth(tunnel, si);
1151 ++ session = l2tp_session_get_nth(tunnel, si, false);
1152 + if (session == NULL) {
1153 + ti++;
1154 + tunnel = NULL;
1155 +@@ -837,8 +837,11 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
1156 +
1157 + if (l2tp_nl_session_send(skb, NETLINK_CB(cb->skb).portid,
1158 + cb->nlh->nlmsg_seq, NLM_F_MULTI,
1159 +- session, L2TP_CMD_SESSION_GET) < 0)
1160 ++ session, L2TP_CMD_SESSION_GET) < 0) {
1161 ++ l2tp_session_dec_refcount(session);
1162 + break;
1163 ++ }
1164 ++ l2tp_session_dec_refcount(session);
1165 +
1166 + si++;
1167 + }
1168 +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
1169 +index 1ad18c55064c..8ab9c5d74416 100644
1170 +--- a/net/l2tp/l2tp_ppp.c
1171 ++++ b/net/l2tp/l2tp_ppp.c
1172 +@@ -467,6 +467,10 @@ static void pppol2tp_session_close(struct l2tp_session *session)
1173 + static void pppol2tp_session_destruct(struct sock *sk)
1174 + {
1175 + struct l2tp_session *session = sk->sk_user_data;
1176 ++
1177 ++ skb_queue_purge(&sk->sk_receive_queue);
1178 ++ skb_queue_purge(&sk->sk_write_queue);
1179 ++
1180 + if (session) {
1181 + sk->sk_user_data = NULL;
1182 + BUG_ON(session->magic != L2TP_SESSION_MAGIC);
1183 +@@ -505,9 +509,6 @@ static int pppol2tp_release(struct socket *sock)
1184 + l2tp_session_queue_purge(session);
1185 + sock_put(sk);
1186 + }
1187 +- skb_queue_purge(&sk->sk_receive_queue);
1188 +- skb_queue_purge(&sk->sk_write_queue);
1189 +-
1190 + release_sock(sk);
1191 +
1192 + /* This will delete the session context via
1193 +@@ -1574,7 +1575,7 @@ static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
1194 +
1195 + static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
1196 + {
1197 +- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
1198 ++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
1199 + pd->session_idx++;
1200 +
1201 + if (pd->session == NULL) {
1202 +@@ -1701,10 +1702,14 @@ static int pppol2tp_seq_show(struct seq_file *m, void *v)
1203 +
1204 + /* Show the tunnel or session context.
1205 + */
1206 +- if (pd->session == NULL)
1207 ++ if (!pd->session) {
1208 + pppol2tp_seq_tunnel_show(m, pd->tunnel);
1209 +- else
1210 ++ } else {
1211 + pppol2tp_seq_session_show(m, pd->session);
1212 ++ if (pd->session->deref)
1213 ++ pd->session->deref(pd->session);
1214 ++ l2tp_session_dec_refcount(pd->session);
1215 ++ }
1216 +
1217 + out:
1218 + return 0;
1219 +@@ -1863,4 +1868,4 @@ MODULE_DESCRIPTION("PPP over L2TP over UDP");
1220 + MODULE_LICENSE("GPL");
1221 + MODULE_VERSION(PPPOL2TP_DRV_VERSION);
1222 + MODULE_ALIAS("pppox-proto-" __stringify(PX_PROTO_OL2TP));
1223 +-MODULE_ALIAS_L2TP_PWTYPE(11);
1224 ++MODULE_ALIAS_L2TP_PWTYPE(7);
1225 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
1226 +index d76800108ddb..f8d6a0ca9c03 100644
1227 +--- a/net/packet/af_packet.c
1228 ++++ b/net/packet/af_packet.c
1229 +@@ -3626,6 +3626,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
1230 + return -EBUSY;
1231 + if (copy_from_user(&val, optval, sizeof(val)))
1232 + return -EFAULT;
1233 ++ if (val > INT_MAX)
1234 ++ return -EINVAL;
1235 + po->tp_reserve = val;
1236 + return 0;
1237 + }
1238 +@@ -4150,6 +4152,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
1239 + rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
1240 + if (unlikely(rb->frames_per_block == 0))
1241 + goto out;
1242 ++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
1243 ++ goto out;
1244 + if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
1245 + req->tp_frame_nr))
1246 + goto out;
1247 +diff --git a/net/rds/cong.c b/net/rds/cong.c
1248 +index e6144b8246fd..6641bcf7c185 100644
1249 +--- a/net/rds/cong.c
1250 ++++ b/net/rds/cong.c
1251 +@@ -299,7 +299,7 @@ void rds_cong_set_bit(struct rds_cong_map *map, __be16 port)
1252 + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
1253 + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
1254 +
1255 +- __set_bit_le(off, (void *)map->m_page_addrs[i]);
1256 ++ set_bit_le(off, (void *)map->m_page_addrs[i]);
1257 + }
1258 +
1259 + void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
1260 +@@ -313,7 +313,7 @@ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
1261 + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
1262 + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
1263 +
1264 +- __clear_bit_le(off, (void *)map->m_page_addrs[i]);
1265 ++ clear_bit_le(off, (void *)map->m_page_addrs[i]);
1266 + }
1267 +
1268 + static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port)
1269 +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
1270 +index e384d6aefa3a..1090a52c03cd 100644
1271 +--- a/net/sched/act_mirred.c
1272 ++++ b/net/sched/act_mirred.c
1273 +@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock);
1274 + static void tcf_mirred_release(struct tc_action *a, int bind)
1275 + {
1276 + struct tcf_mirred *m = to_mirred(a);
1277 +- struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
1278 ++ struct net_device *dev;
1279 +
1280 + /* We could be called either in a RCU callback or with RTNL lock held. */
1281 + spin_lock_bh(&mirred_list_lock);
1282 + list_del(&m->tcfm_list);
1283 +- spin_unlock_bh(&mirred_list_lock);
1284 ++ dev = rcu_dereference_protected(m->tcfm_dev, 1);
1285 + if (dev)
1286 + dev_put(dev);
1287 ++ spin_unlock_bh(&mirred_list_lock);
1288 + }
1289 +
1290 + static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = {
1291 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
1292 +index 5758818435f3..c96d666cef29 100644
1293 +--- a/net/sctp/socket.c
1294 ++++ b/net/sctp/socket.c
1295 +@@ -6394,6 +6394,9 @@ int sctp_inet_listen(struct socket *sock, int backlog)
1296 + if (sock->state != SS_UNCONNECTED)
1297 + goto out;
1298 +
1299 ++ if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED))
1300 ++ goto out;
1301 ++
1302 + /* If backlog is zero, disable listening. */
1303 + if (!backlog) {
1304 + if (sctp_sstate(sk, CLOSED))
1305 +diff --git a/sound/core/seq/seq_lock.c b/sound/core/seq/seq_lock.c
1306 +index 3b693e924db7..12ba83367b1b 100644
1307 +--- a/sound/core/seq/seq_lock.c
1308 ++++ b/sound/core/seq/seq_lock.c
1309 +@@ -28,19 +28,16 @@
1310 + /* wait until all locks are released */
1311 + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
1312 + {
1313 +- int max_count = 5 * HZ;
1314 ++ int warn_count = 5 * HZ;
1315 +
1316 + if (atomic_read(lockp) < 0) {
1317 + pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line);
1318 + return;
1319 + }
1320 + while (atomic_read(lockp) > 0) {
1321 +- if (max_count == 0) {
1322 +- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line);
1323 +- break;
1324 +- }
1325 ++ if (warn_count-- == 0)
1326 ++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line);
1327 + schedule_timeout_uninterruptible(1);
1328 +- max_count--;
1329 + }
1330 + }
1331 +
1332 +diff --git a/sound/firewire/lib.h b/sound/firewire/lib.h
1333 +index f3f6f84c48d6..bb5f8cdea3e2 100644
1334 +--- a/sound/firewire/lib.h
1335 ++++ b/sound/firewire/lib.h
1336 +@@ -42,7 +42,7 @@ struct snd_fw_async_midi_port {
1337 +
1338 + struct snd_rawmidi_substream *substream;
1339 + snd_fw_async_midi_port_fill fill;
1340 +- unsigned int consume_bytes;
1341 ++ int consume_bytes;
1342 + };
1343 +
1344 + int snd_fw_async_midi_port_init(struct snd_fw_async_midi_port *port,
Report Message
Find on MARC Find on Google Groups