Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Wed, 03 May 2017 17:45:12
Message-Id: 1493833497.e5aa3de99df5f3ff814f0b0cdc8ea02c25dfb91f.mpagano@gentoo
1 commit: e5aa3de99df5f3ff814f0b0cdc8ea02c25dfb91f
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed May 3 17:44:57 2017 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed May 3 17:44:57 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e5aa3de9
7
8 Linux patch 4.9.26
9
10 0000_README | 4 +
11 1025_linux-4.9.26.patch | 1768 +++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 1772 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 6d83bcd..64923fd 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -143,6 +143,10 @@ Patch: 1024_linux-4.9.25.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.9.25
21
22 +Patch: 1025_linux-4.9.26.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.9.26
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1025_linux-4.9.26.patch b/1025_linux-4.9.26.patch
31 new file mode 100644
32 index 0000000..0346b91
33 --- /dev/null
34 +++ b/1025_linux-4.9.26.patch
35 @@ -0,0 +1,1768 @@
36 +diff --git a/Makefile b/Makefile
37 +index 8e18c63388c4..c09679c1a70d 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 9
43 +-SUBLEVEL = 25
44 ++SUBLEVEL = 26
45 + EXTRAVERSION =
46 + NAME = Roaring Lionus
47 +
48 +diff --git a/arch/arc/include/asm/atomic.h b/arch/arc/include/asm/atomic.h
49 +index b65930a49589..54b54da6384c 100644
50 +--- a/arch/arc/include/asm/atomic.h
51 ++++ b/arch/arc/include/asm/atomic.h
52 +@@ -17,10 +17,11 @@
53 + #include <asm/barrier.h>
54 + #include <asm/smp.h>
55 +
56 ++#define ATOMIC_INIT(i) { (i) }
57 ++
58 + #ifndef CONFIG_ARC_PLAT_EZNPS
59 +
60 + #define atomic_read(v) READ_ONCE((v)->counter)
61 +-#define ATOMIC_INIT(i) { (i) }
62 +
63 + #ifdef CONFIG_ARC_HAS_LLSC
64 +
65 +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
66 +index b5ff87e6f4b7..aee1a77934cf 100644
67 +--- a/arch/arc/include/asm/entry-arcv2.h
68 ++++ b/arch/arc/include/asm/entry-arcv2.h
69 +@@ -16,6 +16,7 @@
70 + ;
71 + ; Now manually save: r12, sp, fp, gp, r25
72 +
73 ++ PUSH r30
74 + PUSH r12
75 +
76 + ; Saving pt_regs->sp correctly requires some extra work due to the way
77 +@@ -72,6 +73,7 @@
78 + POPAX AUX_USER_SP
79 + 1:
80 + POP r12
81 ++ POP r30
82 +
83 + .endm
84 +
85 +diff --git a/arch/arc/include/asm/ptrace.h b/arch/arc/include/asm/ptrace.h
86 +index 69095da1fcfd..47111d565a95 100644
87 +--- a/arch/arc/include/asm/ptrace.h
88 ++++ b/arch/arc/include/asm/ptrace.h
89 +@@ -84,7 +84,7 @@ struct pt_regs {
90 + unsigned long fp;
91 + unsigned long sp; /* user/kernel sp depending on where we came from */
92 +
93 +- unsigned long r12;
94 ++ unsigned long r12, r30;
95 +
96 + /*------- Below list auto saved by h/w -----------*/
97 + unsigned long r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11;
98 +diff --git a/arch/mips/kernel/cevt-r4k.c b/arch/mips/kernel/cevt-r4k.c
99 +index 804d2a2a19fe..dd6a18bc10ab 100644
100 +--- a/arch/mips/kernel/cevt-r4k.c
101 ++++ b/arch/mips/kernel/cevt-r4k.c
102 +@@ -80,7 +80,7 @@ static unsigned int calculate_min_delta(void)
103 + }
104 +
105 + /* Sorted insert of 75th percentile into buf2 */
106 +- for (k = 0; k < i; ++k) {
107 ++ for (k = 0; k < i && k < ARRAY_SIZE(buf2); ++k) {
108 + if (buf1[ARRAY_SIZE(buf1) - 1] < buf2[k]) {
109 + l = min_t(unsigned int,
110 + i, ARRAY_SIZE(buf2) - 1);
111 +diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c
112 +index 6430bff21fff..5c429d70e17f 100644
113 +--- a/arch/mips/kernel/elf.c
114 ++++ b/arch/mips/kernel/elf.c
115 +@@ -257,7 +257,7 @@ int arch_check_elf(void *_ehdr, bool has_interpreter, void *_interp_ehdr,
116 + else if ((prog_req.fr1 && prog_req.frdefault) ||
117 + (prog_req.single && !prog_req.frdefault))
118 + /* Make sure 64-bit MIPS III/IV/64R1 will not pick FR1 */
119 +- state->overall_fp_mode = ((current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
120 ++ state->overall_fp_mode = ((raw_current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
121 + cpu_has_mips_r2_r6) ?
122 + FP_FR1 : FP_FR0;
123 + else if (prog_req.fr1)
124 +diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c
125 +index de63d36af895..732d6171ac6a 100644
126 +--- a/arch/mips/kernel/kgdb.c
127 ++++ b/arch/mips/kernel/kgdb.c
128 +@@ -244,9 +244,6 @@ static int compute_signal(int tt)
129 + void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
130 + {
131 + int reg;
132 +- struct thread_info *ti = task_thread_info(p);
133 +- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32;
134 +- struct pt_regs *regs = (struct pt_regs *)ksp - 1;
135 + #if (KGDB_GDB_REG_SIZE == 32)
136 + u32 *ptr = (u32 *)gdb_regs;
137 + #else
138 +@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
139 + #endif
140 +
141 + for (reg = 0; reg < 16; reg++)
142 +- *(ptr++) = regs->regs[reg];
143 ++ *(ptr++) = 0;
144 +
145 + /* S0 - S7 */
146 +- for (reg = 16; reg < 24; reg++)
147 +- *(ptr++) = regs->regs[reg];
148 ++ *(ptr++) = p->thread.reg16;
149 ++ *(ptr++) = p->thread.reg17;
150 ++ *(ptr++) = p->thread.reg18;
151 ++ *(ptr++) = p->thread.reg19;
152 ++ *(ptr++) = p->thread.reg20;
153 ++ *(ptr++) = p->thread.reg21;
154 ++ *(ptr++) = p->thread.reg22;
155 ++ *(ptr++) = p->thread.reg23;
156 +
157 + for (reg = 24; reg < 28; reg++)
158 + *(ptr++) = 0;
159 +
160 + /* GP, SP, FP, RA */
161 +- for (reg = 28; reg < 32; reg++)
162 +- *(ptr++) = regs->regs[reg];
163 +-
164 +- *(ptr++) = regs->cp0_status;
165 +- *(ptr++) = regs->lo;
166 +- *(ptr++) = regs->hi;
167 +- *(ptr++) = regs->cp0_badvaddr;
168 +- *(ptr++) = regs->cp0_cause;
169 +- *(ptr++) = regs->cp0_epc;
170 ++ *(ptr++) = (long)p;
171 ++ *(ptr++) = p->thread.reg29;
172 ++ *(ptr++) = p->thread.reg30;
173 ++ *(ptr++) = p->thread.reg31;
174 ++
175 ++ *(ptr++) = p->thread.cp0_status;
176 ++
177 ++ /* lo, hi */
178 ++ *(ptr++) = 0;
179 ++ *(ptr++) = 0;
180 ++
181 ++ /*
182 ++ * BadVAddr, Cause
183 ++ * Ideally these would come from the last exception frame up the stack
184 ++ * but that requires unwinding, otherwise we can't know much for sure.
185 ++ */
186 ++ *(ptr++) = 0;
187 ++ *(ptr++) = 0;
188 ++
189 ++ /*
190 ++ * PC
191 ++ * use return address (RA), i.e. the moment after return from resume()
192 ++ */
193 ++ *(ptr++) = p->thread.reg31;
194 + }
195 +
196 + void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
197 +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h
198 +index 1fb317fbc0b3..b6802b978140 100644
199 +--- a/arch/sparc/include/asm/pgtable_64.h
200 ++++ b/arch/sparc/include/asm/pgtable_64.h
201 +@@ -673,26 +673,27 @@ static inline unsigned long pmd_pfn(pmd_t pmd)
202 + return pte_pfn(pte);
203 + }
204 +
205 +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
206 +-static inline unsigned long pmd_dirty(pmd_t pmd)
207 ++#define __HAVE_ARCH_PMD_WRITE
208 ++static inline unsigned long pmd_write(pmd_t pmd)
209 + {
210 + pte_t pte = __pte(pmd_val(pmd));
211 +
212 +- return pte_dirty(pte);
213 ++ return pte_write(pte);
214 + }
215 +
216 +-static inline unsigned long pmd_young(pmd_t pmd)
217 ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
218 ++static inline unsigned long pmd_dirty(pmd_t pmd)
219 + {
220 + pte_t pte = __pte(pmd_val(pmd));
221 +
222 +- return pte_young(pte);
223 ++ return pte_dirty(pte);
224 + }
225 +
226 +-static inline unsigned long pmd_write(pmd_t pmd)
227 ++static inline unsigned long pmd_young(pmd_t pmd)
228 + {
229 + pte_t pte = __pte(pmd_val(pmd));
230 +
231 +- return pte_write(pte);
232 ++ return pte_young(pte);
233 + }
234 +
235 + static inline unsigned long pmd_trans_huge(pmd_t pmd)
236 +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
237 +index 37aa537b3ad8..bd7e2aa86c45 100644
238 +--- a/arch/sparc/mm/init_64.c
239 ++++ b/arch/sparc/mm/init_64.c
240 +@@ -1495,7 +1495,7 @@ bool kern_addr_valid(unsigned long addr)
241 + if ((long)addr < 0L) {
242 + unsigned long pa = __pa(addr);
243 +
244 +- if ((addr >> max_phys_bits) != 0UL)
245 ++ if ((pa >> max_phys_bits) != 0UL)
246 + return false;
247 +
248 + return pfn_valid(pa >> PAGE_SHIFT);
249 +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
250 +index 8639bb2ae058..6bf09f5594b2 100644
251 +--- a/arch/x86/kernel/ftrace.c
252 ++++ b/arch/x86/kernel/ftrace.c
253 +@@ -983,6 +983,18 @@ void prepare_ftrace_return(unsigned long self_addr, unsigned long *parent,
254 + unsigned long return_hooker = (unsigned long)
255 + &return_to_handler;
256 +
257 ++ /*
258 ++ * When resuming from suspend-to-ram, this function can be indirectly
259 ++ * called from early CPU startup code while the CPU is in real mode,
260 ++ * which would fail miserably. Make sure the stack pointer is a
261 ++ * virtual address.
262 ++ *
263 ++ * This check isn't as accurate as virt_addr_valid(), but it should be
264 ++ * good enough for this purpose, and it's fast.
265 ++ */
266 ++ if (unlikely((long)__builtin_frame_address(0) >= 0))
267 ++ return;
268 ++
269 + if (unlikely(ftrace_graph_is_dead()))
270 + return;
271 +
272 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
273 +index 25eab453f2b2..e7b96f1ac2c5 100644
274 +--- a/drivers/input/serio/i8042-x86ia64io.h
275 ++++ b/drivers/input/serio/i8042-x86ia64io.h
276 +@@ -685,6 +685,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
277 + DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
278 + },
279 + },
280 ++ {
281 ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
282 ++ .matches = {
283 ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
284 ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"),
285 ++ },
286 ++ },
287 + { }
288 + };
289 +
290 +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
291 +index 437e4807727d..90ed2e12d345 100644
292 +--- a/drivers/mmc/host/sdhci-msm.c
293 ++++ b/drivers/mmc/host/sdhci-msm.c
294 +@@ -524,9 +524,7 @@ static const struct sdhci_ops sdhci_msm_ops = {
295 + static const struct sdhci_pltfm_data sdhci_msm_pdata = {
296 + .quirks = SDHCI_QUIRK_BROKEN_CARD_DETECTION |
297 + SDHCI_QUIRK_NO_CARD_NO_RESET |
298 +- SDHCI_QUIRK_SINGLE_POWER_WRITE |
299 +- SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN,
300 +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
301 ++ SDHCI_QUIRK_SINGLE_POWER_WRITE,
302 + .ops = &sdhci_msm_ops,
303 + };
304 +
305 +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
306 +index a0dabd4038ba..7ab24c5262f3 100644
307 +--- a/drivers/net/can/usb/gs_usb.c
308 ++++ b/drivers/net/can/usb/gs_usb.c
309 +@@ -740,13 +740,18 @@ static const struct net_device_ops gs_usb_netdev_ops = {
310 + static int gs_usb_set_identify(struct net_device *netdev, bool do_identify)
311 + {
312 + struct gs_can *dev = netdev_priv(netdev);
313 +- struct gs_identify_mode imode;
314 ++ struct gs_identify_mode *imode;
315 + int rc;
316 +
317 ++ imode = kmalloc(sizeof(*imode), GFP_KERNEL);
318 ++
319 ++ if (!imode)
320 ++ return -ENOMEM;
321 ++
322 + if (do_identify)
323 +- imode.mode = GS_CAN_IDENTIFY_ON;
324 ++ imode->mode = GS_CAN_IDENTIFY_ON;
325 + else
326 +- imode.mode = GS_CAN_IDENTIFY_OFF;
327 ++ imode->mode = GS_CAN_IDENTIFY_OFF;
328 +
329 + rc = usb_control_msg(interface_to_usbdev(dev->iface),
330 + usb_sndctrlpipe(interface_to_usbdev(dev->iface),
331 +@@ -756,10 +761,12 @@ static int gs_usb_set_identify(struct net_device *netdev, bool do_identify)
332 + USB_RECIP_INTERFACE,
333 + dev->channel,
334 + 0,
335 +- &imode,
336 +- sizeof(imode),
337 ++ imode,
338 ++ sizeof(*imode),
339 + 100);
340 +
341 ++ kfree(imode);
342 ++
343 + return (rc > 0) ? 0 : rc;
344 + }
345 +
346 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
347 +index 81d8e3bd01b6..21ce0b701143 100644
348 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
349 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
350 +@@ -82,7 +82,7 @@
351 + #define MLX5E_VALID_NUM_MTTS(num_mtts) (MLX5_MTT_OCTW(num_mtts) <= U16_MAX)
352 +
353 + #define MLX5_UMR_ALIGN (2048)
354 +-#define MLX5_MPWRQ_SMALL_PACKET_THRESHOLD (128)
355 ++#define MLX5_MPWRQ_SMALL_PACKET_THRESHOLD (256)
356 +
357 + #define MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ (64 * 1024)
358 + #define MLX5E_DEFAULT_LRO_TIMEOUT 32
359 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
360 +index 90e81ae9f3bc..e034dbc4913d 100644
361 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
362 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
363 +@@ -563,6 +563,7 @@ int mlx5e_ethtool_get_all_flows(struct mlx5e_priv *priv, struct ethtool_rxnfc *i
364 + int idx = 0;
365 + int err = 0;
366 +
367 ++ info->data = MAX_NUM_OF_ETHTOOL_RULES;
368 + while ((!err || err == -ENOENT) && idx < info->rule_cnt) {
369 + err = mlx5e_ethtool_get_flow(priv, info, location);
370 + if (!err)
371 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
372 +index 55957246c0e8..b5d5519542e8 100644
373 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
374 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
375 +@@ -294,7 +294,7 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
376 + struct netdev_notifier_changeupper_info *info)
377 + {
378 + struct net_device *upper = info->upper_dev, *ndev_tmp;
379 +- struct netdev_lag_upper_info *lag_upper_info;
380 ++ struct netdev_lag_upper_info *lag_upper_info = NULL;
381 + bool is_bonded;
382 + int bond_status = 0;
383 + int num_slaves = 0;
384 +@@ -303,7 +303,8 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
385 + if (!netif_is_lag_master(upper))
386 + return 0;
387 +
388 +- lag_upper_info = info->upper_info;
389 ++ if (info->linking)
390 ++ lag_upper_info = info->upper_info;
391 +
392 + /* The event may still be of interest if the slave does not belong to
393 + * us, but is enslaved to a master which has one or more of our netdevs
394 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
395 +index 7a196a07fa51..d776db79e325 100644
396 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
397 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
398 +@@ -966,7 +966,7 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
399 + if (err) {
400 + dev_err(&dev->pdev->dev, "Firmware over %d MS in initializing state, aborting\n",
401 + FW_INIT_TIMEOUT_MILI);
402 +- goto out_err;
403 ++ goto err_cmd_cleanup;
404 + }
405 +
406 + err = mlx5_core_enable_hca(dev, 0);
407 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
408 +index 1a92de705199..a2d218b28c0e 100644
409 +--- a/drivers/net/ethernet/renesas/sh_eth.c
410 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
411 +@@ -1059,12 +1059,70 @@ static struct mdiobb_ops bb_ops = {
412 + .get_mdio_data = sh_get_mdio,
413 + };
414 +
415 ++/* free Tx skb function */
416 ++static int sh_eth_tx_free(struct net_device *ndev, bool sent_only)
417 ++{
418 ++ struct sh_eth_private *mdp = netdev_priv(ndev);
419 ++ struct sh_eth_txdesc *txdesc;
420 ++ int free_num = 0;
421 ++ int entry;
422 ++ bool sent;
423 ++
424 ++ for (; mdp->cur_tx - mdp->dirty_tx > 0; mdp->dirty_tx++) {
425 ++ entry = mdp->dirty_tx % mdp->num_tx_ring;
426 ++ txdesc = &mdp->tx_ring[entry];
427 ++ sent = !(txdesc->status & cpu_to_le32(TD_TACT));
428 ++ if (sent_only && !sent)
429 ++ break;
430 ++ /* TACT bit must be checked before all the following reads */
431 ++ dma_rmb();
432 ++ netif_info(mdp, tx_done, ndev,
433 ++ "tx entry %d status 0x%08x\n",
434 ++ entry, le32_to_cpu(txdesc->status));
435 ++ /* Free the original skb. */
436 ++ if (mdp->tx_skbuff[entry]) {
437 ++ dma_unmap_single(&ndev->dev, le32_to_cpu(txdesc->addr),
438 ++ le32_to_cpu(txdesc->len) >> 16,
439 ++ DMA_TO_DEVICE);
440 ++ dev_kfree_skb_irq(mdp->tx_skbuff[entry]);
441 ++ mdp->tx_skbuff[entry] = NULL;
442 ++ free_num++;
443 ++ }
444 ++ txdesc->status = cpu_to_le32(TD_TFP);
445 ++ if (entry >= mdp->num_tx_ring - 1)
446 ++ txdesc->status |= cpu_to_le32(TD_TDLE);
447 ++
448 ++ if (sent) {
449 ++ ndev->stats.tx_packets++;
450 ++ ndev->stats.tx_bytes += le32_to_cpu(txdesc->len) >> 16;
451 ++ }
452 ++ }
453 ++ return free_num;
454 ++}
455 ++
456 + /* free skb and descriptor buffer */
457 + static void sh_eth_ring_free(struct net_device *ndev)
458 + {
459 + struct sh_eth_private *mdp = netdev_priv(ndev);
460 + int ringsize, i;
461 +
462 ++ if (mdp->rx_ring) {
463 ++ for (i = 0; i < mdp->num_rx_ring; i++) {
464 ++ if (mdp->rx_skbuff[i]) {
465 ++ struct sh_eth_rxdesc *rxdesc = &mdp->rx_ring[i];
466 ++
467 ++ dma_unmap_single(&ndev->dev,
468 ++ le32_to_cpu(rxdesc->addr),
469 ++ ALIGN(mdp->rx_buf_sz, 32),
470 ++ DMA_FROM_DEVICE);
471 ++ }
472 ++ }
473 ++ ringsize = sizeof(struct sh_eth_rxdesc) * mdp->num_rx_ring;
474 ++ dma_free_coherent(NULL, ringsize, mdp->rx_ring,
475 ++ mdp->rx_desc_dma);
476 ++ mdp->rx_ring = NULL;
477 ++ }
478 ++
479 + /* Free Rx skb ringbuffer */
480 + if (mdp->rx_skbuff) {
481 + for (i = 0; i < mdp->num_rx_ring; i++)
482 +@@ -1073,27 +1131,18 @@ static void sh_eth_ring_free(struct net_device *ndev)
483 + kfree(mdp->rx_skbuff);
484 + mdp->rx_skbuff = NULL;
485 +
486 +- /* Free Tx skb ringbuffer */
487 +- if (mdp->tx_skbuff) {
488 +- for (i = 0; i < mdp->num_tx_ring; i++)
489 +- dev_kfree_skb(mdp->tx_skbuff[i]);
490 +- }
491 +- kfree(mdp->tx_skbuff);
492 +- mdp->tx_skbuff = NULL;
493 +-
494 +- if (mdp->rx_ring) {
495 +- ringsize = sizeof(struct sh_eth_rxdesc) * mdp->num_rx_ring;
496 +- dma_free_coherent(NULL, ringsize, mdp->rx_ring,
497 +- mdp->rx_desc_dma);
498 +- mdp->rx_ring = NULL;
499 +- }
500 +-
501 + if (mdp->tx_ring) {
502 ++ sh_eth_tx_free(ndev, false);
503 ++
504 + ringsize = sizeof(struct sh_eth_txdesc) * mdp->num_tx_ring;
505 + dma_free_coherent(NULL, ringsize, mdp->tx_ring,
506 + mdp->tx_desc_dma);
507 + mdp->tx_ring = NULL;
508 + }
509 ++
510 ++ /* Free Tx skb ringbuffer */
511 ++ kfree(mdp->tx_skbuff);
512 ++ mdp->tx_skbuff = NULL;
513 + }
514 +
515 + /* format skb and descriptor buffer */
516 +@@ -1341,43 +1390,6 @@ static void sh_eth_dev_exit(struct net_device *ndev)
517 + update_mac_address(ndev);
518 + }
519 +
520 +-/* free Tx skb function */
521 +-static int sh_eth_txfree(struct net_device *ndev)
522 +-{
523 +- struct sh_eth_private *mdp = netdev_priv(ndev);
524 +- struct sh_eth_txdesc *txdesc;
525 +- int free_num = 0;
526 +- int entry;
527 +-
528 +- for (; mdp->cur_tx - mdp->dirty_tx > 0; mdp->dirty_tx++) {
529 +- entry = mdp->dirty_tx % mdp->num_tx_ring;
530 +- txdesc = &mdp->tx_ring[entry];
531 +- if (txdesc->status & cpu_to_le32(TD_TACT))
532 +- break;
533 +- /* TACT bit must be checked before all the following reads */
534 +- dma_rmb();
535 +- netif_info(mdp, tx_done, ndev,
536 +- "tx entry %d status 0x%08x\n",
537 +- entry, le32_to_cpu(txdesc->status));
538 +- /* Free the original skb. */
539 +- if (mdp->tx_skbuff[entry]) {
540 +- dma_unmap_single(&ndev->dev, le32_to_cpu(txdesc->addr),
541 +- le32_to_cpu(txdesc->len) >> 16,
542 +- DMA_TO_DEVICE);
543 +- dev_kfree_skb_irq(mdp->tx_skbuff[entry]);
544 +- mdp->tx_skbuff[entry] = NULL;
545 +- free_num++;
546 +- }
547 +- txdesc->status = cpu_to_le32(TD_TFP);
548 +- if (entry >= mdp->num_tx_ring - 1)
549 +- txdesc->status |= cpu_to_le32(TD_TDLE);
550 +-
551 +- ndev->stats.tx_packets++;
552 +- ndev->stats.tx_bytes += le32_to_cpu(txdesc->len) >> 16;
553 +- }
554 +- return free_num;
555 +-}
556 +-
557 + /* Packet receive function */
558 + static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota)
559 + {
560 +@@ -1620,7 +1632,7 @@ static void sh_eth_error(struct net_device *ndev, u32 intr_status)
561 + intr_status, mdp->cur_tx, mdp->dirty_tx,
562 + (u32)ndev->state, edtrr);
563 + /* dirty buffer free */
564 +- sh_eth_txfree(ndev);
565 ++ sh_eth_tx_free(ndev, true);
566 +
567 + /* SH7712 BUG */
568 + if (edtrr ^ sh_eth_get_edtrr_trns(mdp)) {
569 +@@ -1679,7 +1691,7 @@ static irqreturn_t sh_eth_interrupt(int irq, void *netdev)
570 + /* Clear Tx interrupts */
571 + sh_eth_write(ndev, intr_status & cd->tx_check, EESR);
572 +
573 +- sh_eth_txfree(ndev);
574 ++ sh_eth_tx_free(ndev, true);
575 + netif_wake_queue(ndev);
576 + }
577 +
578 +@@ -2307,7 +2319,7 @@ static int sh_eth_start_xmit(struct sk_buff *skb, struct net_device *ndev)
579 +
580 + spin_lock_irqsave(&mdp->lock, flags);
581 + if ((mdp->cur_tx - mdp->dirty_tx) >= (mdp->num_tx_ring - 4)) {
582 +- if (!sh_eth_txfree(ndev)) {
583 ++ if (!sh_eth_tx_free(ndev, true)) {
584 + netif_warn(mdp, tx_queued, ndev, "TxFD exhausted.\n");
585 + netif_stop_queue(ndev);
586 + spin_unlock_irqrestore(&mdp->lock, flags);
587 +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
588 +index d2e61e002926..f7c6a40aae81 100644
589 +--- a/drivers/net/macsec.c
590 ++++ b/drivers/net/macsec.c
591 +@@ -2709,7 +2709,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
592 + }
593 +
594 + #define MACSEC_FEATURES \
595 +- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
596 ++ (NETIF_F_SG | NETIF_F_HIGHDMA)
597 + static struct lock_class_key macsec_netdev_addr_lock_key;
598 +
599 + static int macsec_dev_init(struct net_device *dev)
600 +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
601 +index 26d6f0bbe14b..dc8ccac0a01d 100644
602 +--- a/drivers/net/macvlan.c
603 ++++ b/drivers/net/macvlan.c
604 +@@ -1140,6 +1140,7 @@ static int macvlan_port_create(struct net_device *dev)
605 + static void macvlan_port_destroy(struct net_device *dev)
606 + {
607 + struct macvlan_port *port = macvlan_port_get_rtnl(dev);
608 ++ struct sk_buff *skb;
609 +
610 + dev->priv_flags &= ~IFF_MACVLAN_PORT;
611 + netdev_rx_handler_unregister(dev);
612 +@@ -1148,7 +1149,15 @@ static void macvlan_port_destroy(struct net_device *dev)
613 + * but we need to cancel it and purge left skbs if any.
614 + */
615 + cancel_work_sync(&port->bc_work);
616 +- __skb_queue_purge(&port->bc_queue);
617 ++
618 ++ while ((skb = __skb_dequeue(&port->bc_queue))) {
619 ++ const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
620 ++
621 ++ if (src)
622 ++ dev_put(src->dev);
623 ++
624 ++ kfree_skb(skb);
625 ++ }
626 +
627 + kfree_rcu(port, rcu);
628 + }
629 +diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
630 +index 7a240fce3a7e..4865221aa9ac 100644
631 +--- a/drivers/net/phy/dp83640.c
632 ++++ b/drivers/net/phy/dp83640.c
633 +@@ -1438,8 +1438,6 @@ static bool dp83640_rxtstamp(struct phy_device *phydev,
634 + skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
635 + skb_queue_tail(&dp83640->rx_queue, skb);
636 + schedule_delayed_work(&dp83640->ts_work, SKB_TIMESTAMP_TIMEOUT);
637 +- } else {
638 +- netif_rx_ni(skb);
639 + }
640 +
641 + return true;
642 +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
643 +index 201ffa5fe4f7..a9be26f1f677 100644
644 +--- a/drivers/net/phy/phy.c
645 ++++ b/drivers/net/phy/phy.c
646 +@@ -552,16 +552,18 @@ int phy_mii_ioctl(struct phy_device *phydev, struct ifreq *ifr, int cmd)
647 + EXPORT_SYMBOL(phy_mii_ioctl);
648 +
649 + /**
650 +- * phy_start_aneg - start auto-negotiation for this PHY device
651 ++ * phy_start_aneg_priv - start auto-negotiation for this PHY device
652 + * @phydev: the phy_device struct
653 ++ * @sync: indicate whether we should wait for the workqueue cancelation
654 + *
655 + * Description: Sanitizes the settings (if we're not autonegotiating
656 + * them), and then calls the driver's config_aneg function.
657 + * If the PHYCONTROL Layer is operating, we change the state to
658 + * reflect the beginning of Auto-negotiation or forcing.
659 + */
660 +-int phy_start_aneg(struct phy_device *phydev)
661 ++static int phy_start_aneg_priv(struct phy_device *phydev, bool sync)
662 + {
663 ++ bool trigger = 0;
664 + int err;
665 +
666 + mutex_lock(&phydev->lock);
667 +@@ -586,10 +588,40 @@ int phy_start_aneg(struct phy_device *phydev)
668 + }
669 + }
670 +
671 ++ /* Re-schedule a PHY state machine to check PHY status because
672 ++ * negotiation may already be done and aneg interrupt may not be
673 ++ * generated.
674 ++ */
675 ++ if (phy_interrupt_is_valid(phydev) && (phydev->state == PHY_AN)) {
676 ++ err = phy_aneg_done(phydev);
677 ++ if (err > 0) {
678 ++ trigger = true;
679 ++ err = 0;
680 ++ }
681 ++ }
682 ++
683 + out_unlock:
684 + mutex_unlock(&phydev->lock);
685 ++
686 ++ if (trigger)
687 ++ phy_trigger_machine(phydev, sync);
688 ++
689 + return err;
690 + }
691 ++
692 ++/**
693 ++ * phy_start_aneg - start auto-negotiation for this PHY device
694 ++ * @phydev: the phy_device struct
695 ++ *
696 ++ * Description: Sanitizes the settings (if we're not autonegotiating
697 ++ * them), and then calls the driver's config_aneg function.
698 ++ * If the PHYCONTROL Layer is operating, we change the state to
699 ++ * reflect the beginning of Auto-negotiation or forcing.
700 ++ */
701 ++int phy_start_aneg(struct phy_device *phydev)
702 ++{
703 ++ return phy_start_aneg_priv(phydev, true);
704 ++}
705 + EXPORT_SYMBOL(phy_start_aneg);
706 +
707 + /**
708 +@@ -617,7 +649,7 @@ void phy_start_machine(struct phy_device *phydev)
709 + * state machine runs.
710 + */
711 +
712 +-static void phy_trigger_machine(struct phy_device *phydev, bool sync)
713 ++void phy_trigger_machine(struct phy_device *phydev, bool sync)
714 + {
715 + if (sync)
716 + cancel_delayed_work_sync(&phydev->state_queue);
717 +@@ -639,7 +671,7 @@ void phy_stop_machine(struct phy_device *phydev)
718 + cancel_delayed_work_sync(&phydev->state_queue);
719 +
720 + mutex_lock(&phydev->lock);
721 +- if (phydev->state > PHY_UP)
722 ++ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
723 + phydev->state = PHY_UP;
724 + mutex_unlock(&phydev->lock);
725 + }
726 +@@ -1100,7 +1132,7 @@ void phy_state_machine(struct work_struct *work)
727 + mutex_unlock(&phydev->lock);
728 +
729 + if (needs_aneg)
730 +- err = phy_start_aneg(phydev);
731 ++ err = phy_start_aneg_priv(phydev, false);
732 + else if (do_suspend)
733 + phy_suspend(phydev);
734 +
735 +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
736 +index a2afb8ecb5bc..80ef4865cc8b 100644
737 +--- a/drivers/net/vrf.c
738 ++++ b/drivers/net/vrf.c
739 +@@ -1124,7 +1124,7 @@ static int vrf_fib_rule(const struct net_device *dev, __u8 family, bool add_it)
740 + goto nla_put_failure;
741 +
742 + /* rule only needs to appear once */
743 +- nlh->nlmsg_flags &= NLM_F_EXCL;
744 ++ nlh->nlmsg_flags |= NLM_F_EXCL;
745 +
746 + frh = nlmsg_data(nlh);
747 + memset(frh, 0, sizeof(*frh));
748 +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
749 +index 12f2252f6c98..953275b651bc 100644
750 +--- a/fs/ceph/inode.c
751 ++++ b/fs/ceph/inode.c
752 +@@ -2080,11 +2080,6 @@ int __ceph_setattr(struct inode *inode, struct iattr *attr)
753 + if (inode_dirty_flags)
754 + __mark_inode_dirty(inode, inode_dirty_flags);
755 +
756 +- if (ia_valid & ATTR_MODE) {
757 +- err = posix_acl_chmod(inode, attr->ia_mode);
758 +- if (err)
759 +- goto out_put;
760 +- }
761 +
762 + if (mask) {
763 + req->r_inode = inode;
764 +@@ -2098,13 +2093,11 @@ int __ceph_setattr(struct inode *inode, struct iattr *attr)
765 + ceph_cap_string(dirtied), mask);
766 +
767 + ceph_mdsc_put_request(req);
768 +- if (mask & CEPH_SETATTR_SIZE)
769 +- __ceph_do_pending_vmtruncate(inode);
770 +- ceph_free_cap_flush(prealloc_cf);
771 +- return err;
772 +-out_put:
773 +- ceph_mdsc_put_request(req);
774 + ceph_free_cap_flush(prealloc_cf);
775 ++
776 ++ if (err >= 0 && (mask & CEPH_SETATTR_SIZE))
777 ++ __ceph_do_pending_vmtruncate(inode);
778 ++
779 + return err;
780 + }
781 +
782 +@@ -2123,7 +2116,12 @@ int ceph_setattr(struct dentry *dentry, struct iattr *attr)
783 + if (err != 0)
784 + return err;
785 +
786 +- return __ceph_setattr(inode, attr);
787 ++ err = __ceph_setattr(inode, attr);
788 ++
789 ++ if (err >= 0 && (attr->ia_valid & ATTR_MODE))
790 ++ err = posix_acl_chmod(inode, attr->ia_mode);
791 ++
792 ++ return err;
793 + }
794 +
795 + /*
796 +diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
797 +index dba2ff8eaa68..452334694a5d 100644
798 +--- a/fs/nfsd/nfs3xdr.c
799 ++++ b/fs/nfsd/nfs3xdr.c
800 +@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
801 + {
802 + unsigned int len, v, hdr, dlen;
803 + u32 max_blocksize = svc_max_payload(rqstp);
804 ++ struct kvec *head = rqstp->rq_arg.head;
805 ++ struct kvec *tail = rqstp->rq_arg.tail;
806 +
807 + p = decode_fh(p, &args->fh);
808 + if (!p)
809 +@@ -367,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
810 + args->count = ntohl(*p++);
811 + args->stable = ntohl(*p++);
812 + len = args->len = ntohl(*p++);
813 ++ if ((void *)p > head->iov_base + head->iov_len)
814 ++ return 0;
815 + /*
816 + * The count must equal the amount of data passed.
817 + */
818 +@@ -377,9 +381,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
819 + * Check to make sure that we got the right number of
820 + * bytes.
821 + */
822 +- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
823 +- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
824 +- + rqstp->rq_arg.tail[0].iov_len - hdr;
825 ++ hdr = (void*)p - head->iov_base;
826 ++ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
827 + /*
828 + * Round the length of the data which was specified up to
829 + * the next multiple of XDR units and then compare that
830 +@@ -396,7 +399,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
831 + len = args->len = max_blocksize;
832 + }
833 + rqstp->rq_vec[0].iov_base = (void*)p;
834 +- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
835 ++ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
836 + v = 0;
837 + while (len > rqstp->rq_vec[v].iov_len) {
838 + len -= rqstp->rq_vec[v].iov_len;
839 +@@ -471,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
840 + /* first copy and check from the first page */
841 + old = (char*)p;
842 + vec = &rqstp->rq_arg.head[0];
843 ++ if ((void *)old > vec->iov_base + vec->iov_len)
844 ++ return 0;
845 + avail = vec->iov_len - (old - (char*)vec->iov_base);
846 + while (len && avail && *old) {
847 + *new++ = *old++;
848 +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
849 +index a2b65fc56dd6..1645b977c9c6 100644
850 +--- a/fs/nfsd/nfssvc.c
851 ++++ b/fs/nfsd/nfssvc.c
852 +@@ -733,6 +733,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
853 + return nfserr;
854 + }
855 +
856 ++/*
857 ++ * A write procedure can have a large argument, and a read procedure can
858 ++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
859 ++ * reply that can both be larger than a page. The xdr code has taken
860 ++ * advantage of this assumption to be a sloppy about bounds checking in
861 ++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
862 ++ * problem, we enforce these assumptions here:
863 ++ */
864 ++static bool nfs_request_too_big(struct svc_rqst *rqstp,
865 ++ struct svc_procedure *proc)
866 ++{
867 ++ /*
868 ++ * The ACL code has more careful bounds-checking and is not
869 ++ * susceptible to this problem:
870 ++ */
871 ++ if (rqstp->rq_prog != NFS_PROGRAM)
872 ++ return false;
873 ++ /*
874 ++ * Ditto NFSv4 (which can in theory have argument and reply both
875 ++ * more than a page):
876 ++ */
877 ++ if (rqstp->rq_vers >= 4)
878 ++ return false;
879 ++ /* The reply will be small, we're OK: */
880 ++ if (proc->pc_xdrressize > 0 &&
881 ++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
882 ++ return false;
883 ++
884 ++ return rqstp->rq_arg.len > PAGE_SIZE;
885 ++}
886 ++
887 + int
888 + nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
889 + {
890 +@@ -745,6 +776,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
891 + rqstp->rq_vers, rqstp->rq_proc);
892 + proc = rqstp->rq_procinfo;
893 +
894 ++ if (nfs_request_too_big(rqstp, proc)) {
895 ++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
896 ++ *statp = rpc_garbage_args;
897 ++ return 1;
898 ++ }
899 + /*
900 + * Give the xdr decoder a chance to change this if it wants
901 + * (necessary in the NFSv4.0 compound case)
902 +diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
903 +index 41b468a6a90f..de07ff625777 100644
904 +--- a/fs/nfsd/nfsxdr.c
905 ++++ b/fs/nfsd/nfsxdr.c
906 +@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
907 + struct nfsd_writeargs *args)
908 + {
909 + unsigned int len, hdr, dlen;
910 ++ struct kvec *head = rqstp->rq_arg.head;
911 + int v;
912 +
913 + p = decode_fh(p, &args->fh);
914 +@@ -300,9 +301,10 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
915 + * Check to make sure that we got the right number of
916 + * bytes.
917 + */
918 +- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
919 +- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
920 +- - hdr;
921 ++ hdr = (void*)p - head->iov_base;
922 ++ if (hdr > head->iov_len)
923 ++ return 0;
924 ++ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
925 +
926 + /*
927 + * Round the length of the data which was specified up to
928 +@@ -316,7 +318,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
929 + return 0;
930 +
931 + rqstp->rq_vec[0].iov_base = (void*)p;
932 +- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
933 ++ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
934 + v = 0;
935 + while (len > rqstp->rq_vec[v].iov_len) {
936 + len -= rqstp->rq_vec[v].iov_len;
937 +diff --git a/include/linux/phy.h b/include/linux/phy.h
938 +index e25f1830fbcf..bd22670e2182 100644
939 +--- a/include/linux/phy.h
940 ++++ b/include/linux/phy.h
941 +@@ -806,6 +806,7 @@ void phy_change(struct work_struct *work);
942 + void phy_mac_interrupt(struct phy_device *phydev, int new_link);
943 + void phy_start_machine(struct phy_device *phydev);
944 + void phy_stop_machine(struct phy_device *phydev);
945 ++void phy_trigger_machine(struct phy_device *phydev, bool sync);
946 + int phy_ethtool_sset(struct phy_device *phydev, struct ethtool_cmd *cmd);
947 + int phy_ethtool_gset(struct phy_device *phydev, struct ethtool_cmd *cmd);
948 + int phy_ethtool_ksettings_get(struct phy_device *phydev,
949 +diff --git a/include/uapi/linux/ipv6_route.h b/include/uapi/linux/ipv6_route.h
950 +index f6598d1c886e..316e838b7470 100644
951 +--- a/include/uapi/linux/ipv6_route.h
952 ++++ b/include/uapi/linux/ipv6_route.h
953 +@@ -34,7 +34,7 @@
954 + #define RTF_PREF(pref) ((pref) << 27)
955 + #define RTF_PREF_MASK 0x18000000
956 +
957 +-#define RTF_PCPU 0x40000000
958 ++#define RTF_PCPU 0x40000000 /* read-only: can not be set by user */
959 + #define RTF_LOCAL 0x80000000
960 +
961 +
962 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
963 +index 85d1c9423ccb..7c9f94c53441 100644
964 +--- a/kernel/bpf/verifier.c
965 ++++ b/kernel/bpf/verifier.c
966 +@@ -1829,14 +1829,15 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *state,
967 +
968 + for (i = 0; i < MAX_BPF_REG; i++)
969 + if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id)
970 +- regs[i].range = dst_reg->off;
971 ++ /* keep the maximum range already checked */
972 ++ regs[i].range = max(regs[i].range, dst_reg->off);
973 +
974 + for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
975 + if (state->stack_slot_type[i] != STACK_SPILL)
976 + continue;
977 + reg = &state->spilled_regs[i / BPF_REG_SIZE];
978 + if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id)
979 +- reg->range = dst_reg->off;
980 ++ reg->range = max(reg->range, dst_reg->off);
981 + }
982 + }
983 +
984 +diff --git a/net/9p/client.c b/net/9p/client.c
985 +index 3fc94a49ccd5..cf129fec7329 100644
986 +--- a/net/9p/client.c
987 ++++ b/net/9p/client.c
988 +@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
989 + trace_9p_protocol_dump(clnt, req->rc);
990 + goto free_and_error;
991 + }
992 ++ if (rsize < count) {
993 ++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
994 ++ count = rsize;
995 ++ }
996 +
997 + p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
998 +
999 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
1000 +index 9901e5b75a05..f45f6198851f 100644
1001 +--- a/net/core/neighbour.c
1002 ++++ b/net/core/neighbour.c
1003 +@@ -859,7 +859,8 @@ static void neigh_probe(struct neighbour *neigh)
1004 + if (skb)
1005 + skb = skb_clone(skb, GFP_ATOMIC);
1006 + write_unlock(&neigh->lock);
1007 +- neigh->ops->solicit(neigh, skb);
1008 ++ if (neigh->ops->solicit)
1009 ++ neigh->ops->solicit(neigh, skb);
1010 + atomic_inc(&neigh->probes);
1011 + kfree_skb(skb);
1012 + }
1013 +diff --git a/net/core/netpoll.c b/net/core/netpoll.c
1014 +index 53599bd0c82d..457f882b0f7b 100644
1015 +--- a/net/core/netpoll.c
1016 ++++ b/net/core/netpoll.c
1017 +@@ -105,15 +105,21 @@ static void queue_process(struct work_struct *work)
1018 + while ((skb = skb_dequeue(&npinfo->txq))) {
1019 + struct net_device *dev = skb->dev;
1020 + struct netdev_queue *txq;
1021 ++ unsigned int q_index;
1022 +
1023 + if (!netif_device_present(dev) || !netif_running(dev)) {
1024 + kfree_skb(skb);
1025 + continue;
1026 + }
1027 +
1028 +- txq = skb_get_tx_queue(dev, skb);
1029 +-
1030 + local_irq_save(flags);
1031 ++ /* check if skb->queue_mapping is still valid */
1032 ++ q_index = skb_get_queue_mapping(skb);
1033 ++ if (unlikely(q_index >= dev->real_num_tx_queues)) {
1034 ++ q_index = q_index % dev->real_num_tx_queues;
1035 ++ skb_set_queue_mapping(skb, q_index);
1036 ++ }
1037 ++ txq = netdev_get_tx_queue(dev, q_index);
1038 + HARD_TX_LOCK(dev, txq, smp_processor_id());
1039 + if (netif_xmit_frozen_or_stopped(txq) ||
1040 + netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) {
1041 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
1042 +index f0f462c0573d..fe008f1bd930 100644
1043 +--- a/net/core/skbuff.c
1044 ++++ b/net/core/skbuff.c
1045 +@@ -3076,22 +3076,32 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
1046 + if (sg && csum && (mss != GSO_BY_FRAGS)) {
1047 + if (!(features & NETIF_F_GSO_PARTIAL)) {
1048 + struct sk_buff *iter;
1049 ++ unsigned int frag_len;
1050 +
1051 + if (!list_skb ||
1052 + !net_gso_ok(features, skb_shinfo(head_skb)->gso_type))
1053 + goto normal;
1054 +
1055 +- /* Split the buffer at the frag_list pointer.
1056 +- * This is based on the assumption that all
1057 +- * buffers in the chain excluding the last
1058 +- * containing the same amount of data.
1059 ++ /* If we get here then all the required
1060 ++ * GSO features except frag_list are supported.
1061 ++ * Try to split the SKB to multiple GSO SKBs
1062 ++ * with no frag_list.
1063 ++ * Currently we can do that only when the buffers don't
1064 ++ * have a linear part and all the buffers except
1065 ++ * the last are of the same length.
1066 + */
1067 ++ frag_len = list_skb->len;
1068 + skb_walk_frags(head_skb, iter) {
1069 ++ if (frag_len != iter->len && iter->next)
1070 ++ goto normal;
1071 + if (skb_headlen(iter))
1072 + goto normal;
1073 +
1074 + len -= iter->len;
1075 + }
1076 ++
1077 ++ if (len != frag_len)
1078 ++ goto normal;
1079 + }
1080 +
1081 + /* GSO partial only requires that we trim off any excess that
1082 +@@ -3779,6 +3789,7 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
1083 + serr->ee.ee_errno = ENOMSG;
1084 + serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
1085 + serr->ee.ee_info = tstype;
1086 ++ serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0;
1087 + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
1088 + serr->ee.ee_data = skb_shinfo(skb)->tskey;
1089 + if (sk->sk_protocol == IPPROTO_TCP &&
1090 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
1091 +index 9826695ddfc6..4d37bdcbc2d5 100644
1092 +--- a/net/ipv4/ip_sockglue.c
1093 ++++ b/net/ipv4/ip_sockglue.c
1094 +@@ -474,16 +474,15 @@ static bool ipv4_datagram_support_cmsg(const struct sock *sk,
1095 + return false;
1096 +
1097 + /* Support IP_PKTINFO on tstamp packets if requested, to correlate
1098 +- * timestamp with egress dev. Not possible for packets without dev
1099 ++ * timestamp with egress dev. Not possible for packets without iif
1100 + * or without payload (SOF_TIMESTAMPING_OPT_TSONLY).
1101 + */
1102 +- if ((!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
1103 +- (!skb->dev))
1104 ++ info = PKTINFO_SKB_CB(skb);
1105 ++ if (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG) ||
1106 ++ !info->ipi_ifindex)
1107 + return false;
1108 +
1109 +- info = PKTINFO_SKB_CB(skb);
1110 + info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
1111 +- info->ipi_ifindex = skb->dev->ifindex;
1112 + return true;
1113 + }
1114 +
1115 +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
1116 +index 105c0748c52f..e612991c9185 100644
1117 +--- a/net/ipv4/ping.c
1118 ++++ b/net/ipv4/ping.c
1119 +@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
1120 + void ping_unhash(struct sock *sk)
1121 + {
1122 + struct inet_sock *isk = inet_sk(sk);
1123 ++
1124 + pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
1125 ++ write_lock_bh(&ping_table.lock);
1126 + if (sk_hashed(sk)) {
1127 +- write_lock_bh(&ping_table.lock);
1128 + hlist_nulls_del(&sk->sk_nulls_node);
1129 + sk_nulls_node_init(&sk->sk_nulls_node);
1130 + sock_put(sk);
1131 + isk->inet_num = 0;
1132 + isk->inet_sport = 0;
1133 + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
1134 +- write_unlock_bh(&ping_table.lock);
1135 + }
1136 ++ write_unlock_bh(&ping_table.lock);
1137 + }
1138 + EXPORT_SYMBOL_GPL(ping_unhash);
1139 +
1140 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
1141 +index 17e6fbf30448..6dbcb37753d7 100644
1142 +--- a/net/ipv4/route.c
1143 ++++ b/net/ipv4/route.c
1144 +@@ -2569,7 +2569,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
1145 + skb_reset_network_header(skb);
1146 +
1147 + /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
1148 +- ip_hdr(skb)->protocol = IPPROTO_ICMP;
1149 ++ ip_hdr(skb)->protocol = IPPROTO_UDP;
1150 + skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
1151 +
1152 + src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;
1153 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
1154 +index 6a90a0e130dc..eb142ca71fc5 100644
1155 +--- a/net/ipv4/tcp.c
1156 ++++ b/net/ipv4/tcp.c
1157 +@@ -2297,6 +2297,7 @@ int tcp_disconnect(struct sock *sk, int flags)
1158 + tcp_init_send_head(sk);
1159 + memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
1160 + __sk_dst_reset(sk);
1161 ++ tcp_saved_syn_free(tp);
1162 +
1163 + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
1164 +
1165 +diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
1166 +index f9038d6b109e..baea5df43598 100644
1167 +--- a/net/ipv4/tcp_cong.c
1168 ++++ b/net/ipv4/tcp_cong.c
1169 +@@ -167,12 +167,8 @@ void tcp_assign_congestion_control(struct sock *sk)
1170 + }
1171 + out:
1172 + rcu_read_unlock();
1173 ++ memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
1174 +
1175 +- /* Clear out private data before diag gets it and
1176 +- * the ca has not been initialized.
1177 +- */
1178 +- if (ca->get_info)
1179 +- memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
1180 + if (ca->flags & TCP_CONG_NEEDS_ECN)
1181 + INET_ECN_xmit(sk);
1182 + else
1183 +@@ -199,11 +195,10 @@ static void tcp_reinit_congestion_control(struct sock *sk,
1184 + tcp_cleanup_congestion_control(sk);
1185 + icsk->icsk_ca_ops = ca;
1186 + icsk->icsk_ca_setsockopt = 1;
1187 ++ memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
1188 +
1189 +- if (sk->sk_state != TCP_CLOSE) {
1190 +- memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
1191 ++ if (sk->sk_state != TCP_CLOSE)
1192 + tcp_init_congestion_control(sk);
1193 +- }
1194 + }
1195 +
1196 + /* Manage refcounts on socket close. */
1197 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
1198 +index 95dfcba38ff6..cffdbdbff3a2 100644
1199 +--- a/net/ipv6/addrconf.c
1200 ++++ b/net/ipv6/addrconf.c
1201 +@@ -3253,14 +3253,24 @@ static void addrconf_gre_config(struct net_device *dev)
1202 + static int fixup_permanent_addr(struct inet6_dev *idev,
1203 + struct inet6_ifaddr *ifp)
1204 + {
1205 +- if (!ifp->rt) {
1206 +- struct rt6_info *rt;
1207 ++ /* rt6i_ref == 0 means the host route was removed from the
1208 ++ * FIB, for example, if 'lo' device is taken down. In that
1209 ++ * case regenerate the host route.
1210 ++ */
1211 ++ if (!ifp->rt || !atomic_read(&ifp->rt->rt6i_ref)) {
1212 ++ struct rt6_info *rt, *prev;
1213 +
1214 + rt = addrconf_dst_alloc(idev, &ifp->addr, false);
1215 + if (unlikely(IS_ERR(rt)))
1216 + return PTR_ERR(rt);
1217 +
1218 ++ /* ifp->rt can be accessed outside of rtnl */
1219 ++ spin_lock(&ifp->lock);
1220 ++ prev = ifp->rt;
1221 + ifp->rt = rt;
1222 ++ spin_unlock(&ifp->lock);
1223 ++
1224 ++ ip6_rt_put(prev);
1225 + }
1226 +
1227 + if (!(ifp->flags & IFA_F_NOPREFIXROUTE)) {
1228 +@@ -3602,14 +3612,19 @@ static int addrconf_ifdown(struct net_device *dev, int how)
1229 + INIT_LIST_HEAD(&del_list);
1230 + list_for_each_entry_safe(ifa, tmp, &idev->addr_list, if_list) {
1231 + struct rt6_info *rt = NULL;
1232 ++ bool keep;
1233 +
1234 + addrconf_del_dad_work(ifa);
1235 +
1236 ++ keep = keep_addr && (ifa->flags & IFA_F_PERMANENT) &&
1237 ++ !addr_is_local(&ifa->addr);
1238 ++ if (!keep)
1239 ++ list_move(&ifa->if_list, &del_list);
1240 ++
1241 + write_unlock_bh(&idev->lock);
1242 + spin_lock_bh(&ifa->lock);
1243 +
1244 +- if (keep_addr && (ifa->flags & IFA_F_PERMANENT) &&
1245 +- !addr_is_local(&ifa->addr)) {
1246 ++ if (keep) {
1247 + /* set state to skip the notifier below */
1248 + state = INET6_IFADDR_STATE_DEAD;
1249 + ifa->state = 0;
1250 +@@ -3621,8 +3636,6 @@ static int addrconf_ifdown(struct net_device *dev, int how)
1251 + } else {
1252 + state = ifa->state;
1253 + ifa->state = INET6_IFADDR_STATE_DEAD;
1254 +-
1255 +- list_move(&ifa->if_list, &del_list);
1256 + }
1257 +
1258 + spin_unlock_bh(&ifa->lock);
1259 +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
1260 +index 8616d17cf08f..442ec1f39ed1 100644
1261 +--- a/net/ipv6/datagram.c
1262 ++++ b/net/ipv6/datagram.c
1263 +@@ -400,9 +400,6 @@ static inline bool ipv6_datagram_support_addr(struct sock_exterr_skb *serr)
1264 + * At one point, excluding local errors was a quick test to identify icmp/icmp6
1265 + * errors. This is no longer true, but the test remained, so the v6 stack,
1266 + * unlike v4, also honors cmsg requests on all wifi and timestamp errors.
1267 +- *
1268 +- * Timestamp code paths do not initialize the fields expected by cmsg:
1269 +- * the PKTINFO fields in skb->cb[]. Fill those in here.
1270 + */
1271 + static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
1272 + struct sock_exterr_skb *serr)
1273 +@@ -414,14 +411,9 @@ static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
1274 + if (serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL)
1275 + return false;
1276 +
1277 +- if (!skb->dev)
1278 ++ if (!IP6CB(skb)->iif)
1279 + return false;
1280 +
1281 +- if (skb->protocol == htons(ETH_P_IPV6))
1282 +- IP6CB(skb)->iif = skb->dev->ifindex;
1283 +- else
1284 +- PKTINFO_SKB_CB(skb)->ipi_ifindex = skb->dev->ifindex;
1285 +-
1286 + return true;
1287 + }
1288 +
1289 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1290 +index f6ba45242851..116b4da06820 100644
1291 +--- a/net/ipv6/ip6_tunnel.c
1292 ++++ b/net/ipv6/ip6_tunnel.c
1293 +@@ -1037,7 +1037,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
1294 + struct ip6_tnl *t = netdev_priv(dev);
1295 + struct net *net = t->net;
1296 + struct net_device_stats *stats = &t->dev->stats;
1297 +- struct ipv6hdr *ipv6h = ipv6_hdr(skb);
1298 ++ struct ipv6hdr *ipv6h;
1299 + struct ipv6_tel_txoption opt;
1300 + struct dst_entry *dst = NULL, *ndst = NULL;
1301 + struct net_device *tdev;
1302 +@@ -1057,26 +1057,28 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
1303 +
1304 + /* NBMA tunnel */
1305 + if (ipv6_addr_any(&t->parms.raddr)) {
1306 +- struct in6_addr *addr6;
1307 +- struct neighbour *neigh;
1308 +- int addr_type;
1309 ++ if (skb->protocol == htons(ETH_P_IPV6)) {
1310 ++ struct in6_addr *addr6;
1311 ++ struct neighbour *neigh;
1312 ++ int addr_type;
1313 +
1314 +- if (!skb_dst(skb))
1315 +- goto tx_err_link_failure;
1316 ++ if (!skb_dst(skb))
1317 ++ goto tx_err_link_failure;
1318 +
1319 +- neigh = dst_neigh_lookup(skb_dst(skb),
1320 +- &ipv6_hdr(skb)->daddr);
1321 +- if (!neigh)
1322 +- goto tx_err_link_failure;
1323 ++ neigh = dst_neigh_lookup(skb_dst(skb),
1324 ++ &ipv6_hdr(skb)->daddr);
1325 ++ if (!neigh)
1326 ++ goto tx_err_link_failure;
1327 +
1328 +- addr6 = (struct in6_addr *)&neigh->primary_key;
1329 +- addr_type = ipv6_addr_type(addr6);
1330 ++ addr6 = (struct in6_addr *)&neigh->primary_key;
1331 ++ addr_type = ipv6_addr_type(addr6);
1332 +
1333 +- if (addr_type == IPV6_ADDR_ANY)
1334 +- addr6 = &ipv6_hdr(skb)->daddr;
1335 ++ if (addr_type == IPV6_ADDR_ANY)
1336 ++ addr6 = &ipv6_hdr(skb)->daddr;
1337 +
1338 +- memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
1339 +- neigh_release(neigh);
1340 ++ memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
1341 ++ neigh_release(neigh);
1342 ++ }
1343 + } else if (!(t->parms.flags &
1344 + (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
1345 + /* enable the cache only only if the routing decision does
1346 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
1347 +index 7f4265b1649b..117405dd07a3 100644
1348 +--- a/net/ipv6/ip6mr.c
1349 ++++ b/net/ipv6/ip6mr.c
1350 +@@ -774,7 +774,8 @@ static struct net_device *ip6mr_reg_vif(struct net *net, struct mr6_table *mrt)
1351 + * Delete a VIF entry
1352 + */
1353 +
1354 +-static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
1355 ++static int mif6_delete(struct mr6_table *mrt, int vifi, int notify,
1356 ++ struct list_head *head)
1357 + {
1358 + struct mif_device *v;
1359 + struct net_device *dev;
1360 +@@ -820,7 +821,7 @@ static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
1361 + dev->ifindex, &in6_dev->cnf);
1362 + }
1363 +
1364 +- if (v->flags & MIFF_REGISTER)
1365 ++ if ((v->flags & MIFF_REGISTER) && !notify)
1366 + unregister_netdevice_queue(dev, head);
1367 +
1368 + dev_put(dev);
1369 +@@ -1331,7 +1332,6 @@ static int ip6mr_device_event(struct notifier_block *this,
1370 + struct mr6_table *mrt;
1371 + struct mif_device *v;
1372 + int ct;
1373 +- LIST_HEAD(list);
1374 +
1375 + if (event != NETDEV_UNREGISTER)
1376 + return NOTIFY_DONE;
1377 +@@ -1340,10 +1340,9 @@ static int ip6mr_device_event(struct notifier_block *this,
1378 + v = &mrt->vif6_table[0];
1379 + for (ct = 0; ct < mrt->maxvif; ct++, v++) {
1380 + if (v->dev == dev)
1381 +- mif6_delete(mrt, ct, &list);
1382 ++ mif6_delete(mrt, ct, 1, NULL);
1383 + }
1384 + }
1385 +- unregister_netdevice_many(&list);
1386 +
1387 + return NOTIFY_DONE;
1388 + }
1389 +@@ -1552,7 +1551,7 @@ static void mroute_clean_tables(struct mr6_table *mrt, bool all)
1390 + for (i = 0; i < mrt->maxvif; i++) {
1391 + if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
1392 + continue;
1393 +- mif6_delete(mrt, i, &list);
1394 ++ mif6_delete(mrt, i, 0, &list);
1395 + }
1396 + unregister_netdevice_many(&list);
1397 +
1398 +@@ -1706,7 +1705,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
1399 + if (copy_from_user(&mifi, optval, sizeof(mifi_t)))
1400 + return -EFAULT;
1401 + rtnl_lock();
1402 +- ret = mif6_delete(mrt, mifi, NULL);
1403 ++ ret = mif6_delete(mrt, mifi, 0, NULL);
1404 + rtnl_unlock();
1405 + return ret;
1406 +
1407 +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
1408 +index 869ffc76befa..ced3817539c2 100644
1409 +--- a/net/ipv6/raw.c
1410 ++++ b/net/ipv6/raw.c
1411 +@@ -1171,8 +1171,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg)
1412 + spin_lock_bh(&sk->sk_receive_queue.lock);
1413 + skb = skb_peek(&sk->sk_receive_queue);
1414 + if (skb)
1415 +- amount = skb_tail_pointer(skb) -
1416 +- skb_transport_header(skb);
1417 ++ amount = skb->len;
1418 + spin_unlock_bh(&sk->sk_receive_queue.lock);
1419 + return put_user(amount, (int __user *)arg);
1420 + }
1421 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
1422 +index 8d6c09f082c2..9f1bc756799a 100644
1423 +--- a/net/ipv6/route.c
1424 ++++ b/net/ipv6/route.c
1425 +@@ -1826,6 +1826,10 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg)
1426 + int addr_type;
1427 + int err = -EINVAL;
1428 +
1429 ++ /* RTF_PCPU is an internal flag; can not be set by userspace */
1430 ++ if (cfg->fc_flags & RTF_PCPU)
1431 ++ goto out;
1432 ++
1433 + if (cfg->fc_dst_len > 128 || cfg->fc_src_len > 128)
1434 + goto out;
1435 + #ifndef CONFIG_IPV6_SUBTREES
1436 +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
1437 +index a646f3481240..fecad1098cf8 100644
1438 +--- a/net/kcm/kcmsock.c
1439 ++++ b/net/kcm/kcmsock.c
1440 +@@ -1685,7 +1685,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
1441 + struct kcm_attach info;
1442 +
1443 + if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
1444 +- err = -EFAULT;
1445 ++ return -EFAULT;
1446 +
1447 + err = kcm_attach_ioctl(sock, &info);
1448 +
1449 +@@ -1695,7 +1695,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
1450 + struct kcm_unattach info;
1451 +
1452 + if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
1453 +- err = -EFAULT;
1454 ++ return -EFAULT;
1455 +
1456 + err = kcm_unattach_ioctl(sock, &info);
1457 +
1458 +@@ -1706,7 +1706,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
1459 + struct socket *newsock = NULL;
1460 +
1461 + if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
1462 +- err = -EFAULT;
1463 ++ return -EFAULT;
1464 +
1465 + err = kcm_clone(sock, &info, &newsock);
1466 +
1467 +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
1468 +index a2ed3bda4ddc..e702cb95b89b 100644
1469 +--- a/net/l2tp/l2tp_core.c
1470 ++++ b/net/l2tp/l2tp_core.c
1471 +@@ -278,7 +278,8 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
1472 + }
1473 + EXPORT_SYMBOL_GPL(l2tp_session_find);
1474 +
1475 +-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1476 ++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
1477 ++ bool do_ref)
1478 + {
1479 + int hash;
1480 + struct l2tp_session *session;
1481 +@@ -288,6 +289,9 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1482 + for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1483 + hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
1484 + if (++count > nth) {
1485 ++ l2tp_session_inc_refcount(session);
1486 ++ if (do_ref && session->ref)
1487 ++ session->ref(session);
1488 + read_unlock_bh(&tunnel->hlist_lock);
1489 + return session;
1490 + }
1491 +@@ -298,7 +302,7 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
1492 +
1493 + return NULL;
1494 + }
1495 +-EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
1496 ++EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
1497 +
1498 + /* Lookup a session by interface name.
1499 + * This is very inefficient but is only used by management interfaces.
1500 +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
1501 +index 181e755c2fc4..e7233bad65e0 100644
1502 +--- a/net/l2tp/l2tp_core.h
1503 ++++ b/net/l2tp/l2tp_core.h
1504 +@@ -243,7 +243,8 @@ static inline struct l2tp_tunnel *l2tp_sock_to_tunnel(struct sock *sk)
1505 + struct l2tp_session *l2tp_session_find(struct net *net,
1506 + struct l2tp_tunnel *tunnel,
1507 + u32 session_id);
1508 +-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth);
1509 ++struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
1510 ++ bool do_ref);
1511 + struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname);
1512 + struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
1513 + struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);
1514 +diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
1515 +index 2d6760a2ae34..d100aed3d06f 100644
1516 +--- a/net/l2tp/l2tp_debugfs.c
1517 ++++ b/net/l2tp/l2tp_debugfs.c
1518 +@@ -53,7 +53,7 @@ static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd)
1519 +
1520 + static void l2tp_dfs_next_session(struct l2tp_dfs_seq_data *pd)
1521 + {
1522 +- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
1523 ++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
1524 + pd->session_idx++;
1525 +
1526 + if (pd->session == NULL) {
1527 +@@ -238,10 +238,14 @@ static int l2tp_dfs_seq_show(struct seq_file *m, void *v)
1528 + }
1529 +
1530 + /* Show the tunnel or session context */
1531 +- if (pd->session == NULL)
1532 ++ if (!pd->session) {
1533 + l2tp_dfs_seq_tunnel_show(m, pd->tunnel);
1534 +- else
1535 ++ } else {
1536 + l2tp_dfs_seq_session_show(m, pd->session);
1537 ++ if (pd->session->deref)
1538 ++ pd->session->deref(pd->session);
1539 ++ l2tp_session_dec_refcount(pd->session);
1540 ++ }
1541 +
1542 + out:
1543 + return 0;
1544 +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
1545 +index ff750bb334fa..20669537816e 100644
1546 +--- a/net/l2tp/l2tp_ip.c
1547 ++++ b/net/l2tp/l2tp_ip.c
1548 +@@ -178,9 +178,10 @@ static int l2tp_ip_recv(struct sk_buff *skb)
1549 +
1550 + tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
1551 + tunnel = l2tp_tunnel_find(net, tunnel_id);
1552 +- if (tunnel != NULL)
1553 ++ if (tunnel) {
1554 + sk = tunnel->sock;
1555 +- else {
1556 ++ sock_hold(sk);
1557 ++ } else {
1558 + struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
1559 +
1560 + read_lock_bh(&l2tp_ip_lock);
1561 +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
1562 +index 1a65c9a517b6..a4b0c9232bf1 100644
1563 +--- a/net/l2tp/l2tp_ip6.c
1564 ++++ b/net/l2tp/l2tp_ip6.c
1565 +@@ -191,9 +191,10 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
1566 +
1567 + tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
1568 + tunnel = l2tp_tunnel_find(net, tunnel_id);
1569 +- if (tunnel != NULL)
1570 ++ if (tunnel) {
1571 + sk = tunnel->sock;
1572 +- else {
1573 ++ sock_hold(sk);
1574 ++ } else {
1575 + struct ipv6hdr *iph = ipv6_hdr(skb);
1576 +
1577 + read_lock_bh(&l2tp_ip6_lock);
1578 +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
1579 +index bf3117771822..9f66272b163b 100644
1580 +--- a/net/l2tp/l2tp_netlink.c
1581 ++++ b/net/l2tp/l2tp_netlink.c
1582 +@@ -844,7 +844,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
1583 + goto out;
1584 + }
1585 +
1586 +- session = l2tp_session_find_nth(tunnel, si);
1587 ++ session = l2tp_session_get_nth(tunnel, si, false);
1588 + if (session == NULL) {
1589 + ti++;
1590 + tunnel = NULL;
1591 +@@ -854,8 +854,11 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
1592 +
1593 + if (l2tp_nl_session_send(skb, NETLINK_CB(cb->skb).portid,
1594 + cb->nlh->nlmsg_seq, NLM_F_MULTI,
1595 +- session, L2TP_CMD_SESSION_GET) < 0)
1596 ++ session, L2TP_CMD_SESSION_GET) < 0) {
1597 ++ l2tp_session_dec_refcount(session);
1598 + break;
1599 ++ }
1600 ++ l2tp_session_dec_refcount(session);
1601 +
1602 + si++;
1603 + }
1604 +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
1605 +index 41d47bfda15c..1387f547a09e 100644
1606 +--- a/net/l2tp/l2tp_ppp.c
1607 ++++ b/net/l2tp/l2tp_ppp.c
1608 +@@ -450,6 +450,10 @@ static void pppol2tp_session_close(struct l2tp_session *session)
1609 + static void pppol2tp_session_destruct(struct sock *sk)
1610 + {
1611 + struct l2tp_session *session = sk->sk_user_data;
1612 ++
1613 ++ skb_queue_purge(&sk->sk_receive_queue);
1614 ++ skb_queue_purge(&sk->sk_write_queue);
1615 ++
1616 + if (session) {
1617 + sk->sk_user_data = NULL;
1618 + BUG_ON(session->magic != L2TP_SESSION_MAGIC);
1619 +@@ -488,9 +492,6 @@ static int pppol2tp_release(struct socket *sock)
1620 + l2tp_session_queue_purge(session);
1621 + sock_put(sk);
1622 + }
1623 +- skb_queue_purge(&sk->sk_receive_queue);
1624 +- skb_queue_purge(&sk->sk_write_queue);
1625 +-
1626 + release_sock(sk);
1627 +
1628 + /* This will delete the session context via
1629 +@@ -1554,7 +1555,7 @@ static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
1630 +
1631 + static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
1632 + {
1633 +- pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
1634 ++ pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
1635 + pd->session_idx++;
1636 +
1637 + if (pd->session == NULL) {
1638 +@@ -1681,10 +1682,14 @@ static int pppol2tp_seq_show(struct seq_file *m, void *v)
1639 +
1640 + /* Show the tunnel or session context.
1641 + */
1642 +- if (pd->session == NULL)
1643 ++ if (!pd->session) {
1644 + pppol2tp_seq_tunnel_show(m, pd->tunnel);
1645 +- else
1646 ++ } else {
1647 + pppol2tp_seq_session_show(m, pd->session);
1648 ++ if (pd->session->deref)
1649 ++ pd->session->deref(pd->session);
1650 ++ l2tp_session_dec_refcount(pd->session);
1651 ++ }
1652 +
1653 + out:
1654 + return 0;
1655 +@@ -1843,4 +1848,4 @@ MODULE_DESCRIPTION("PPP over L2TP over UDP");
1656 + MODULE_LICENSE("GPL");
1657 + MODULE_VERSION(PPPOL2TP_DRV_VERSION);
1658 + MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
1659 +-MODULE_ALIAS_L2TP_PWTYPE(11);
1660 ++MODULE_ALIAS_L2TP_PWTYPE(7);
1661 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
1662 +index 8ab0974f4ee2..cb76ff3088e9 100644
1663 +--- a/net/packet/af_packet.c
1664 ++++ b/net/packet/af_packet.c
1665 +@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
1666 + return -EBUSY;
1667 + if (copy_from_user(&val, optval, sizeof(val)))
1668 + return -EFAULT;
1669 ++ if (val > INT_MAX)
1670 ++ return -EINVAL;
1671 + po->tp_reserve = val;
1672 + return 0;
1673 + }
1674 +@@ -4247,6 +4249,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
1675 + rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
1676 + if (unlikely(rb->frames_per_block == 0))
1677 + goto out;
1678 ++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
1679 ++ goto out;
1680 + if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
1681 + req->tp_frame_nr))
1682 + goto out;
1683 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
1684 +index 673442025bfd..14346dccc4fe 100644
1685 +--- a/net/sctp/socket.c
1686 ++++ b/net/sctp/socket.c
1687 +@@ -6861,6 +6861,9 @@ int sctp_inet_listen(struct socket *sock, int backlog)
1688 + if (sock->state != SS_UNCONNECTED)
1689 + goto out;
1690 +
1691 ++ if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED))
1692 ++ goto out;
1693 ++
1694 + /* If backlog is zero, disable listening. */
1695 + if (!backlog) {
1696 + if (sctp_sstate(sk, CLOSED))
1697 +diff --git a/sound/core/seq/seq_lock.c b/sound/core/seq/seq_lock.c
1698 +index 3b693e924db7..12ba83367b1b 100644
1699 +--- a/sound/core/seq/seq_lock.c
1700 ++++ b/sound/core/seq/seq_lock.c
1701 +@@ -28,19 +28,16 @@
1702 + /* wait until all locks are released */
1703 + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
1704 + {
1705 +- int max_count = 5 * HZ;
1706 ++ int warn_count = 5 * HZ;
1707 +
1708 + if (atomic_read(lockp) < 0) {
1709 + pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line);
1710 + return;
1711 + }
1712 + while (atomic_read(lockp) > 0) {
1713 +- if (max_count == 0) {
1714 +- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line);
1715 +- break;
1716 +- }
1717 ++ if (warn_count-- == 0)
1718 ++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line);
1719 + schedule_timeout_uninterruptible(1);
1720 +- max_count--;
1721 + }
1722 + }
1723 +
1724 +diff --git a/sound/firewire/lib.h b/sound/firewire/lib.h
1725 +index f6769312ebfc..c3768cd494a5 100644
1726 +--- a/sound/firewire/lib.h
1727 ++++ b/sound/firewire/lib.h
1728 +@@ -45,7 +45,7 @@ struct snd_fw_async_midi_port {
1729 +
1730 + struct snd_rawmidi_substream *substream;
1731 + snd_fw_async_midi_port_fill fill;
1732 +- unsigned int consume_bytes;
1733 ++ int consume_bytes;
1734 + };
1735 +
1736 + int snd_fw_async_midi_port_init(struct snd_fw_async_midi_port *port,
1737 +diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c
1738 +index e629b88f7d93..474b06d8acd1 100644
1739 +--- a/sound/firewire/oxfw/oxfw.c
1740 ++++ b/sound/firewire/oxfw/oxfw.c
1741 +@@ -226,11 +226,11 @@ static void do_registration(struct work_struct *work)
1742 + if (err < 0)
1743 + goto error;
1744 +
1745 +- err = detect_quirks(oxfw);
1746 ++ err = snd_oxfw_stream_discover(oxfw);
1747 + if (err < 0)
1748 + goto error;
1749 +
1750 +- err = snd_oxfw_stream_discover(oxfw);
1751 ++ err = detect_quirks(oxfw);
1752 + if (err < 0)
1753 + goto error;
1754 +
1755 +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
1756 +index 4c8ff298ad26..d5873eeae1aa 100644
1757 +--- a/sound/soc/intel/boards/bytcr_rt5640.c
1758 ++++ b/sound/soc/intel/boards/bytcr_rt5640.c
1759 +@@ -621,7 +621,7 @@ static struct snd_soc_dai_link byt_rt5640_dais[] = {
1760 + .codec_dai_name = "snd-soc-dummy-dai",
1761 + .codec_name = "snd-soc-dummy",
1762 + .platform_name = "sst-mfld-platform",
1763 +- .ignore_suspend = 1,
1764 ++ .nonatomic = true,
1765 + .dynamic = 1,
1766 + .dpcm_playback = 1,
1767 + .dpcm_capture = 1,
1768 +@@ -634,7 +634,6 @@ static struct snd_soc_dai_link byt_rt5640_dais[] = {
1769 + .codec_dai_name = "snd-soc-dummy-dai",
1770 + .codec_name = "snd-soc-dummy",
1771 + .platform_name = "sst-mfld-platform",
1772 +- .ignore_suspend = 1,
1773 + .nonatomic = true,
1774 + .dynamic = 1,
1775 + .dpcm_playback = 1,
1776 +@@ -661,6 +660,7 @@ static struct snd_soc_dai_link byt_rt5640_dais[] = {
1777 + | SND_SOC_DAIFMT_CBS_CFS,
1778 + .be_hw_params_fixup = byt_rt5640_codec_fixup,
1779 + .ignore_suspend = 1,
1780 ++ .nonatomic = true,
1781 + .dpcm_playback = 1,
1782 + .dpcm_capture = 1,
1783 + .init = byt_rt5640_init,
1784 +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
1785 +index 35f591eab3c9..eabff3a857d0 100644
1786 +--- a/sound/soc/intel/boards/bytcr_rt5651.c
1787 ++++ b/sound/soc/intel/boards/bytcr_rt5651.c
1788 +@@ -235,7 +235,6 @@ static struct snd_soc_dai_link byt_rt5651_dais[] = {
1789 + .codec_dai_name = "snd-soc-dummy-dai",
1790 + .codec_name = "snd-soc-dummy",
1791 + .platform_name = "sst-mfld-platform",
1792 +- .ignore_suspend = 1,
1793 + .nonatomic = true,
1794 + .dynamic = 1,
1795 + .dpcm_playback = 1,
1796 +@@ -249,7 +248,6 @@ static struct snd_soc_dai_link byt_rt5651_dais[] = {
1797 + .codec_dai_name = "snd-soc-dummy-dai",
1798 + .codec_name = "snd-soc-dummy",
1799 + .platform_name = "sst-mfld-platform",
1800 +- .ignore_suspend = 1,
1801 + .nonatomic = true,
1802 + .dynamic = 1,
1803 + .dpcm_playback = 1,
Report Message
Find on MARC Find on Google Groups