Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Sat, 29 Sep 2018 13:32:49
Message-Id: 1538227930.256fa88d67f14d3a6ccc69d94cc038a01c2c9f56.mpagano@gentoo
1 commit: 256fa88d67f14d3a6ccc69d94cc038a01c2c9f56
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat Sep 29 13:32:10 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 29 13:32:10 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=256fa88d
7
8 Linux patch 4.4.159
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1158_linux-4.4.159.patch | 678 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 682 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 7661927..9f263b4 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -675,6 +675,10 @@ Patch: 1157_linux-4.4.158.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.158
23
24 +Patch: 1158_linux-4.4.159.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.159
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1158_linux-4.4.159.patch b/1158_linux-4.4.159.patch
33 new file mode 100644
34 index 0000000..4bfdf07
35 --- /dev/null
36 +++ b/1158_linux-4.4.159.patch
37 @@ -0,0 +1,678 @@
38 +diff --git a/Makefile b/Makefile
39 +index d07a6283b67e..06d5c6a6a0f6 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 158
46 ++SUBLEVEL = 159
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
51 +index dccd0c2e9023..3028d9b028c7 100644
52 +--- a/arch/arm64/kernel/entry.S
53 ++++ b/arch/arm64/kernel/entry.S
54 +@@ -649,6 +649,9 @@ work_pending:
55 + bl do_notify_resume
56 + b ret_to_user
57 + work_resched:
58 ++#ifdef CONFIG_TRACE_IRQFLAGS
59 ++ bl trace_hardirqs_off // the IRQs are off here, inform the tracing code
60 ++#endif
61 + bl schedule
62 +
63 + /*
64 +diff --git a/arch/x86/xen/pmu.c b/arch/x86/xen/pmu.c
65 +index 724a08740a04..9c7358110d32 100644
66 +--- a/arch/x86/xen/pmu.c
67 ++++ b/arch/x86/xen/pmu.c
68 +@@ -477,7 +477,7 @@ static void xen_convert_regs(const struct xen_pmu_regs *xen_regs,
69 + irqreturn_t xen_pmu_irq_handler(int irq, void *dev_id)
70 + {
71 + int err, ret = IRQ_NONE;
72 +- struct pt_regs regs;
73 ++ struct pt_regs regs = {0};
74 + const struct xen_pmu_data *xenpmu_data = get_xenpmu_data();
75 + uint8_t xenpmu_flags = get_xenpmu_flags();
76 +
77 +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
78 +index ababdaabe870..1855b475cc0b 100644
79 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
80 ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
81 +@@ -253,12 +253,16 @@ nouveau_connector_detect(struct drm_connector *connector, bool force)
82 + nv_connector->edid = NULL;
83 + }
84 +
85 +- /* Outputs are only polled while runtime active, so acquiring a
86 +- * runtime PM ref here is unnecessary (and would deadlock upon
87 +- * runtime suspend because it waits for polling to finish).
88 ++ /* Outputs are only polled while runtime active, so resuming the
89 ++ * device here is unnecessary (and would deadlock upon runtime suspend
90 ++ * because it waits for polling to finish). We do however, want to
91 ++ * prevent the autosuspend timer from elapsing during this operation
92 ++ * if possible.
93 + */
94 +- if (!drm_kms_helper_is_poll_worker()) {
95 +- ret = pm_runtime_get_sync(connector->dev->dev);
96 ++ if (drm_kms_helper_is_poll_worker()) {
97 ++ pm_runtime_get_noresume(dev->dev);
98 ++ } else {
99 ++ ret = pm_runtime_get_sync(dev->dev);
100 + if (ret < 0 && ret != -EACCES)
101 + return conn_status;
102 + }
103 +@@ -329,10 +333,8 @@ detect_analog:
104 +
105 + out:
106 +
107 +- if (!drm_kms_helper_is_poll_worker()) {
108 +- pm_runtime_mark_last_busy(connector->dev->dev);
109 +- pm_runtime_put_autosuspend(connector->dev->dev);
110 +- }
111 ++ pm_runtime_mark_last_busy(dev->dev);
112 ++ pm_runtime_put_autosuspend(dev->dev);
113 +
114 + return conn_status;
115 + }
116 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
117 +index e4541c6bf3d3..4564ecf71181 100644
118 +--- a/drivers/hid/hid-core.c
119 ++++ b/drivers/hid/hid-core.c
120 +@@ -2011,6 +2011,9 @@ static const struct hid_device_id hid_have_special_driver[] = {
121 + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) },
122 + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) },
123 + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) },
124 ++ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
125 ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
126 ++ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE) },
127 + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
128 + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
129 + { HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
130 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
131 +index 60e2c9faa95f..00d8366a614e 100644
132 +--- a/drivers/hid/hid-ids.h
133 ++++ b/drivers/hid/hid-ids.h
134 +@@ -879,6 +879,8 @@
135 + #define USB_DEVICE_ID_SONY_PS3_BDREMOTE 0x0306
136 + #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268
137 + #define USB_DEVICE_ID_SONY_PS4_CONTROLLER 0x05c4
138 ++#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2 0x09cc
139 ++#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE 0x0ba0
140 + #define USB_DEVICE_ID_SONY_MOTION_CONTROLLER 0x03d5
141 + #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER 0x042f
142 + #define USB_DEVICE_ID_SONY_BUZZ_CONTROLLER 0x0002
143 +diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
144 +index 21febbb0d84e..6f3d47185bf0 100644
145 +--- a/drivers/hid/hid-sony.c
146 ++++ b/drivers/hid/hid-sony.c
147 +@@ -2460,6 +2460,12 @@ static const struct hid_device_id sony_devices[] = {
148 + .driver_data = DUALSHOCK4_CONTROLLER_USB },
149 + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER),
150 + .driver_data = DUALSHOCK4_CONTROLLER_BT },
151 ++ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
152 ++ .driver_data = DUALSHOCK4_CONTROLLER_USB },
153 ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
154 ++ .driver_data = DUALSHOCK4_CONTROLLER_BT },
155 ++ { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE),
156 ++ .driver_data = DUALSHOCK4_CONTROLLER_USB },
157 + { }
158 + };
159 + MODULE_DEVICE_TABLE(hid, sony_devices);
160 +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
161 +index 53aa7515f542..04206c600098 100644
162 +--- a/drivers/infiniband/hw/cxgb4/qp.c
163 ++++ b/drivers/infiniband/hw/cxgb4/qp.c
164 +@@ -1183,6 +1183,12 @@ static void flush_qp(struct c4iw_qp *qhp)
165 +
166 + t4_set_wq_in_error(&qhp->wq);
167 + if (qhp->ibqp.uobject) {
168 ++
169 ++ /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
170 ++ if (qhp->wq.flushed)
171 ++ return;
172 ++
173 ++ qhp->wq.flushed = 1;
174 + t4_set_cq_in_error(&rchp->cq);
175 + spin_lock_irqsave(&rchp->comp_handler_lock, flag);
176 + (*rchp->ibcq.comp_handler)(&rchp->ibcq, rchp->ibcq.cq_context);
177 +diff --git a/drivers/net/appletalk/ipddp.c b/drivers/net/appletalk/ipddp.c
178 +index 2e4649655181..4e98e5aff7c5 100644
179 +--- a/drivers/net/appletalk/ipddp.c
180 ++++ b/drivers/net/appletalk/ipddp.c
181 +@@ -284,8 +284,12 @@ static int ipddp_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
182 + case SIOCFINDIPDDPRT:
183 + spin_lock_bh(&ipddp_route_lock);
184 + rp = __ipddp_find_route(&rcp);
185 +- if (rp)
186 +- memcpy(&rcp2, rp, sizeof(rcp2));
187 ++ if (rp) {
188 ++ memset(&rcp2, 0, sizeof(rcp2));
189 ++ rcp2.ip = rp->ip;
190 ++ rcp2.at = rp->at;
191 ++ rcp2.flags = rp->flags;
192 ++ }
193 + spin_unlock_bh(&ipddp_route_lock);
194 +
195 + if (rp) {
196 +diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c
197 +index 3daf2d4a7ca0..884aa809baac 100644
198 +--- a/drivers/net/ethernet/hp/hp100.c
199 ++++ b/drivers/net/ethernet/hp/hp100.c
200 +@@ -2636,7 +2636,7 @@ static int hp100_login_to_vg_hub(struct net_device *dev, u_short force_relogin)
201 + /* Wait for link to drop */
202 + time = jiffies + (HZ / 10);
203 + do {
204 +- if (~(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
205 ++ if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
206 + break;
207 + if (!in_interrupt())
208 + schedule_timeout_interruptible(1);
209 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
210 +index 3270b4333668..0a4bd73caae5 100644
211 +--- a/drivers/net/xen-netfront.c
212 ++++ b/drivers/net/xen-netfront.c
213 +@@ -892,7 +892,11 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
214 + BUG_ON(pull_to <= skb_headlen(skb));
215 + __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
216 + }
217 +- BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
218 ++ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
219 ++ queue->rx.rsp_cons = ++cons;
220 ++ kfree_skb(nskb);
221 ++ return ~0U;
222 ++ }
223 +
224 + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
225 + skb_frag_page(nfrag),
226 +@@ -1029,6 +1033,8 @@ err:
227 + skb->len += rx->status;
228 +
229 + i = xennet_fill_frags(queue, skb, &tmpq);
230 ++ if (unlikely(i == ~0U))
231 ++ goto err;
232 +
233 + if (rx->flags & XEN_NETRXF_csum_blank)
234 + skb->ip_summed = CHECKSUM_PARTIAL;
235 +diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
236 +index 1e1e59423889..3df47c1b04ec 100644
237 +--- a/drivers/platform/x86/alienware-wmi.c
238 ++++ b/drivers/platform/x86/alienware-wmi.c
239 +@@ -463,6 +463,7 @@ static acpi_status alienware_hdmi_command(struct hdmi_args *in_args,
240 + if (obj && obj->type == ACPI_TYPE_INTEGER)
241 + *out_data = (u32) obj->integer.value;
242 + }
243 ++ kfree(output.pointer);
244 + return status;
245 +
246 + }
247 +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
248 +index 47e249dccb5f..b380bc7ee10a 100644
249 +--- a/drivers/target/iscsi/iscsi_target_auth.c
250 ++++ b/drivers/target/iscsi/iscsi_target_auth.c
251 +@@ -26,18 +26,6 @@
252 + #include "iscsi_target_nego.h"
253 + #include "iscsi_target_auth.h"
254 +
255 +-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
256 +-{
257 +- int j = DIV_ROUND_UP(len, 2), rc;
258 +-
259 +- rc = hex2bin(dst, src, j);
260 +- if (rc < 0)
261 +- pr_debug("CHAP string contains non hex digit symbols\n");
262 +-
263 +- dst[j] = '\0';
264 +- return j;
265 +-}
266 +-
267 + static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
268 + {
269 + int i;
270 +@@ -241,9 +229,16 @@ static int chap_server_compute_md5(
271 + pr_err("Could not find CHAP_R.\n");
272 + goto out;
273 + }
274 ++ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
275 ++ pr_err("Malformed CHAP_R\n");
276 ++ goto out;
277 ++ }
278 ++ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
279 ++ pr_err("Malformed CHAP_R\n");
280 ++ goto out;
281 ++ }
282 +
283 + pr_debug("[server] Got CHAP_R=%s\n", chap_r);
284 +- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
285 +
286 + tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
287 + if (IS_ERR(tfm)) {
288 +@@ -348,9 +343,7 @@ static int chap_server_compute_md5(
289 + pr_err("Could not find CHAP_C.\n");
290 + goto out;
291 + }
292 +- pr_debug("[server] Got CHAP_C=%s\n", challenge);
293 +- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
294 +- strlen(challenge));
295 ++ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
296 + if (!challenge_len) {
297 + pr_err("Unable to convert incoming challenge\n");
298 + goto out;
299 +@@ -359,6 +352,11 @@ static int chap_server_compute_md5(
300 + pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
301 + goto out;
302 + }
303 ++ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
304 ++ pr_err("Malformed CHAP_C\n");
305 ++ goto out;
306 ++ }
307 ++ pr_debug("[server] Got CHAP_C=%s\n", challenge);
308 + /*
309 + * During mutual authentication, the CHAP_C generated by the
310 + * initiator must not match the original CHAP_C generated by
311 +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
312 +index 97d5a74558a3..a86bc7afb3b2 100644
313 +--- a/drivers/tty/vt/vt_ioctl.c
314 ++++ b/drivers/tty/vt/vt_ioctl.c
315 +@@ -31,6 +31,8 @@
316 + #include <asm/io.h>
317 + #include <asm/uaccess.h>
318 +
319 ++#include <linux/nospec.h>
320 ++
321 + #include <linux/kbd_kern.h>
322 + #include <linux/vt_kern.h>
323 + #include <linux/kbd_diacr.h>
324 +@@ -703,6 +705,8 @@ int vt_ioctl(struct tty_struct *tty,
325 + if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
326 + ret = -ENXIO;
327 + else {
328 ++ vsa.console = array_index_nospec(vsa.console,
329 ++ MAX_NR_CONSOLES + 1);
330 + vsa.console--;
331 + console_lock();
332 + ret = vc_allocate(vsa.console);
333 +diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
334 +index 6d17f31a31d7..8eb768bbf5b5 100644
335 +--- a/fs/ext4/dir.c
336 ++++ b/fs/ext4/dir.c
337 +@@ -74,7 +74,7 @@ int __ext4_check_dir_entry(const char *function, unsigned int line,
338 + else if (unlikely(rlen < EXT4_DIR_REC_LEN(de->name_len)))
339 + error_msg = "rec_len is too small for name_len";
340 + else if (unlikely(((char *) de - buf) + rlen > size))
341 +- error_msg = "directory entry across range";
342 ++ error_msg = "directory entry overrun";
343 + else if (unlikely(le32_to_cpu(de->inode) >
344 + le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
345 + error_msg = "inode out of bounds";
346 +@@ -83,18 +83,16 @@ int __ext4_check_dir_entry(const char *function, unsigned int line,
347 +
348 + if (filp)
349 + ext4_error_file(filp, function, line, bh->b_blocknr,
350 +- "bad entry in directory: %s - offset=%u(%u), "
351 +- "inode=%u, rec_len=%d, name_len=%d",
352 +- error_msg, (unsigned) (offset % size),
353 +- offset, le32_to_cpu(de->inode),
354 +- rlen, de->name_len);
355 ++ "bad entry in directory: %s - offset=%u, "
356 ++ "inode=%u, rec_len=%d, name_len=%d, size=%d",
357 ++ error_msg, offset, le32_to_cpu(de->inode),
358 ++ rlen, de->name_len, size);
359 + else
360 + ext4_error_inode(dir, function, line, bh->b_blocknr,
361 +- "bad entry in directory: %s - offset=%u(%u), "
362 +- "inode=%u, rec_len=%d, name_len=%d",
363 +- error_msg, (unsigned) (offset % size),
364 +- offset, le32_to_cpu(de->inode),
365 +- rlen, de->name_len);
366 ++ "bad entry in directory: %s - offset=%u, "
367 ++ "inode=%u, rec_len=%d, name_len=%d, size=%d",
368 ++ error_msg, offset, le32_to_cpu(de->inode),
369 ++ rlen, de->name_len, size);
370 +
371 + return 1;
372 + }
373 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
374 +index c449bc089c94..1e7a9774119c 100644
375 +--- a/fs/ext4/inline.c
376 ++++ b/fs/ext4/inline.c
377 +@@ -1756,6 +1756,7 @@ int empty_inline_dir(struct inode *dir, int *has_inline_data)
378 + {
379 + int err, inline_size;
380 + struct ext4_iloc iloc;
381 ++ size_t inline_len;
382 + void *inline_pos;
383 + unsigned int offset;
384 + struct ext4_dir_entry_2 *de;
385 +@@ -1783,8 +1784,9 @@ int empty_inline_dir(struct inode *dir, int *has_inline_data)
386 + goto out;
387 + }
388 +
389 ++ inline_len = ext4_get_inline_size(dir);
390 + offset = EXT4_INLINE_DOTDOT_SIZE;
391 +- while (offset < dir->i_size) {
392 ++ while (offset < inline_len) {
393 + de = ext4_get_inline_entry(dir, &iloc, offset,
394 + &inline_pos, &inline_size);
395 + if (ext4_check_dir_entry(dir, NULL, de,
396 +diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
397 +index 0a512aa81bf7..4c9d799955d1 100644
398 +--- a/fs/ext4/mmp.c
399 ++++ b/fs/ext4/mmp.c
400 +@@ -48,7 +48,6 @@ static int write_mmp_block(struct super_block *sb, struct buffer_head *bh)
401 + */
402 + sb_start_write(sb);
403 + ext4_mmp_csum_set(sb, mmp);
404 +- mark_buffer_dirty(bh);
405 + lock_buffer(bh);
406 + bh->b_end_io = end_buffer_write_sync;
407 + get_bh(bh);
408 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
409 +index d2421fd38833..783280ebc2fe 100644
410 +--- a/fs/ext4/resize.c
411 ++++ b/fs/ext4/resize.c
412 +@@ -18,6 +18,7 @@
413 +
414 + int ext4_resize_begin(struct super_block *sb)
415 + {
416 ++ struct ext4_sb_info *sbi = EXT4_SB(sb);
417 + int ret = 0;
418 +
419 + if (!capable(CAP_SYS_RESOURCE))
420 +@@ -28,7 +29,7 @@ int ext4_resize_begin(struct super_block *sb)
421 + * because the user tools have no way of handling this. Probably a
422 + * bad time to do it anyways.
423 + */
424 +- if (EXT4_SB(sb)->s_sbh->b_blocknr !=
425 ++ if (EXT4_B2C(sbi, sbi->s_sbh->b_blocknr) !=
426 + le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) {
427 + ext4_warning(sb, "won't resize using backup superblock at %llu",
428 + (unsigned long long)EXT4_SB(sb)->s_sbh->b_blocknr);
429 +@@ -1954,6 +1955,26 @@ retry:
430 + }
431 + }
432 +
433 ++ /*
434 ++ * Make sure the last group has enough space so that it's
435 ++ * guaranteed to have enough space for all metadata blocks
436 ++ * that it might need to hold. (We might not need to store
437 ++ * the inode table blocks in the last block group, but there
438 ++ * will be cases where this might be needed.)
439 ++ */
440 ++ if ((ext4_group_first_block_no(sb, n_group) +
441 ++ ext4_group_overhead_blocks(sb, n_group) + 2 +
442 ++ sbi->s_itb_per_group + sbi->s_cluster_ratio) >= n_blocks_count) {
443 ++ n_blocks_count = ext4_group_first_block_no(sb, n_group);
444 ++ n_group--;
445 ++ n_blocks_count_retry = 0;
446 ++ if (resize_inode) {
447 ++ iput(resize_inode);
448 ++ resize_inode = NULL;
449 ++ }
450 ++ goto retry;
451 ++ }
452 ++
453 + /* extend the last group */
454 + if (n_group == o_group)
455 + add = n_blocks_count - o_blocks_count;
456 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
457 +index 8d18f6142da5..a3d905abbaa9 100644
458 +--- a/fs/ext4/super.c
459 ++++ b/fs/ext4/super.c
460 +@@ -4024,11 +4024,13 @@ no_journal:
461 + block = ext4_count_free_clusters(sb);
462 + ext4_free_blocks_count_set(sbi->s_es,
463 + EXT4_C2B(sbi, block));
464 ++ ext4_superblock_csum_set(sb);
465 + err = percpu_counter_init(&sbi->s_freeclusters_counter, block,
466 + GFP_KERNEL);
467 + if (!err) {
468 + unsigned long freei = ext4_count_free_inodes(sb);
469 + sbi->s_es->s_free_inodes_count = cpu_to_le32(freei);
470 ++ ext4_superblock_csum_set(sb);
471 + err = percpu_counter_init(&sbi->s_freeinodes_counter, freei,
472 + GFP_KERNEL);
473 + }
474 +diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
475 +index fe50ded1b4ce..272269f1c310 100644
476 +--- a/fs/ocfs2/buffer_head_io.c
477 ++++ b/fs/ocfs2/buffer_head_io.c
478 +@@ -336,6 +336,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
479 + * for this bh as it's not marked locally
480 + * uptodate. */
481 + status = -EIO;
482 ++ clear_buffer_needs_validate(bh);
483 + put_bh(bh);
484 + bhs[i] = NULL;
485 + continue;
486 +diff --git a/include/net/nfc/hci.h b/include/net/nfc/hci.h
487 +index 316694dafa5b..008f466d1da7 100644
488 +--- a/include/net/nfc/hci.h
489 ++++ b/include/net/nfc/hci.h
490 +@@ -87,7 +87,7 @@ struct nfc_hci_pipe {
491 + * According to specification 102 622 chapter 4.4 Pipes,
492 + * the pipe identifier is 7 bits long.
493 + */
494 +-#define NFC_HCI_MAX_PIPES 127
495 ++#define NFC_HCI_MAX_PIPES 128
496 + struct nfc_hci_init_data {
497 + u8 gate_count;
498 + struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];
499 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
500 +index fdaa88f38aec..74b20e3ab8c6 100644
501 +--- a/kernel/trace/ring_buffer.c
502 ++++ b/kernel/trace/ring_buffer.c
503 +@@ -1513,6 +1513,8 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
504 + tmp_iter_page = first_page;
505 +
506 + do {
507 ++ cond_resched();
508 ++
509 + to_remove_page = tmp_iter_page;
510 + rb_inc_page(cpu_buffer, &tmp_iter_page);
511 +
512 +diff --git a/mm/shmem.c b/mm/shmem.c
513 +index 1b11ccc0a3b7..8e506a45a6ef 100644
514 +--- a/mm/shmem.c
515 ++++ b/mm/shmem.c
516 +@@ -1464,6 +1464,8 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode
517 + mpol_shared_policy_init(&info->policy, NULL);
518 + break;
519 + }
520 ++
521 ++ lockdep_annotate_inode_mutex_key(inode);
522 + } else
523 + shmem_free_inode(sb);
524 + return inode;
525 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
526 +index f60b93627876..78dc184072e8 100644
527 +--- a/net/core/neighbour.c
528 ++++ b/net/core/neighbour.c
529 +@@ -1140,6 +1140,12 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
530 + lladdr = neigh->ha;
531 + }
532 +
533 ++ /* Update confirmed timestamp for neighbour entry after we
534 ++ * received ARP packet even if it doesn't change IP to MAC binding.
535 ++ */
536 ++ if (new & NUD_CONNECTED)
537 ++ neigh->confirmed = jiffies;
538 ++
539 + /* If entry was valid and address is not changed,
540 + do not change entry state, if new one is STALE.
541 + */
542 +@@ -1163,15 +1169,12 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
543 + }
544 + }
545 +
546 +- /* Update timestamps only once we know we will make a change to the
547 ++ /* Update timestamp only once we know we will make a change to the
548 + * neighbour entry. Otherwise we risk to move the locktime window with
549 + * noop updates and ignore relevant ARP updates.
550 + */
551 +- if (new != old || lladdr != neigh->ha) {
552 +- if (new & NUD_CONNECTED)
553 +- neigh->confirmed = jiffies;
554 ++ if (new != old || lladdr != neigh->ha)
555 + neigh->updated = jiffies;
556 +- }
557 +
558 + if (new != old) {
559 + neigh_del_timer(neigh);
560 +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
561 +index 967a47ff78a4..b12721ecb0b6 100644
562 +--- a/net/ipv4/af_inet.c
563 ++++ b/net/ipv4/af_inet.c
564 +@@ -1280,6 +1280,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb,
565 + if (encap)
566 + skb_reset_inner_headers(skb);
567 + skb->network_header = (u8 *)iph - skb->head;
568 ++ skb_reset_mac_len(skb);
569 + } while ((skb = skb->next));
570 +
571 + out:
572 +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
573 +index 9e2ea4ae840d..244b9fec9d4d 100644
574 +--- a/net/ipv6/ip6_offload.c
575 ++++ b/net/ipv6/ip6_offload.c
576 +@@ -118,6 +118,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
577 + ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff);
578 + ipv6h->payload_len = htons(skb->len - nhoff - sizeof(*ipv6h));
579 + skb->network_header = (u8 *)ipv6h - skb->head;
580 ++ skb_reset_mac_len(skb);
581 +
582 + if (udpfrag) {
583 + int err = ip6_find_1stfragopt(skb, &prevhdr);
584 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
585 +index 0feede45bd28..530b62fd6b64 100644
586 +--- a/net/ipv6/ip6_output.c
587 ++++ b/net/ipv6/ip6_output.c
588 +@@ -193,12 +193,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
589 + kfree_skb(skb);
590 + return -ENOBUFS;
591 + }
592 ++ if (skb->sk)
593 ++ skb_set_owner_w(skb2, skb->sk);
594 + consume_skb(skb);
595 + skb = skb2;
596 +- /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
597 +- * it is safe to call in our context (socket lock not held)
598 +- */
599 +- skb_set_owner_w(skb, (struct sock *)sk);
600 + }
601 + if (opt->opt_flen)
602 + ipv6_push_frag_opts(skb, opt, &proto);
603 +diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
604 +index 2b0f0ac498d2..5a58f9f38095 100644
605 +--- a/net/nfc/hci/core.c
606 ++++ b/net/nfc/hci/core.c
607 +@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
608 + }
609 + create_info = (struct hci_create_pipe_resp *)skb->data;
610 +
611 ++ if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
612 ++ status = NFC_HCI_ANY_E_NOK;
613 ++ goto exit;
614 ++ }
615 ++
616 + /* Save the new created pipe and bind with local gate,
617 + * the description for skb->data[3] is destination gate id
618 + * but since we received this cmd from host controller, we
619 +@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
620 + }
621 + delete_info = (struct hci_delete_pipe_noti *)skb->data;
622 +
623 ++ if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
624 ++ status = NFC_HCI_ANY_E_NOK;
625 ++ goto exit;
626 ++ }
627 ++
628 + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
629 + hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
630 + break;
631 +diff --git a/sound/firewire/bebob/bebob_maudio.c b/sound/firewire/bebob/bebob_maudio.c
632 +index 07e5abdbceb5..0a576ccca3dc 100644
633 +--- a/sound/firewire/bebob/bebob_maudio.c
634 ++++ b/sound/firewire/bebob/bebob_maudio.c
635 +@@ -96,17 +96,13 @@ int snd_bebob_maudio_load_firmware(struct fw_unit *unit)
636 + struct fw_device *device = fw_parent_device(unit);
637 + int err, rcode;
638 + u64 date;
639 +- __le32 cues[3] = {
640 +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE1),
641 +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE2),
642 +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE3)
643 +- };
644 ++ __le32 *cues;
645 +
646 + /* check date of software used to build */
647 + err = snd_bebob_read_block(unit, INFO_OFFSET_SW_DATE,
648 + &date, sizeof(u64));
649 + if (err < 0)
650 +- goto end;
651 ++ return err;
652 + /*
653 + * firmware version 5058 or later has date later than "20070401", but
654 + * 'date' is not null-terminated.
655 +@@ -114,20 +110,28 @@ int snd_bebob_maudio_load_firmware(struct fw_unit *unit)
656 + if (date < 0x3230303730343031LL) {
657 + dev_err(&unit->device,
658 + "Use firmware version 5058 or later\n");
659 +- err = -ENOSYS;
660 +- goto end;
661 ++ return -ENXIO;
662 + }
663 +
664 ++ cues = kmalloc_array(3, sizeof(*cues), GFP_KERNEL);
665 ++ if (!cues)
666 ++ return -ENOMEM;
667 ++
668 ++ cues[0] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE1);
669 ++ cues[1] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE2);
670 ++ cues[2] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE3);
671 ++
672 + rcode = fw_run_transaction(device->card, TCODE_WRITE_BLOCK_REQUEST,
673 + device->node_id, device->generation,
674 + device->max_speed, BEBOB_ADDR_REG_REQ,
675 +- cues, sizeof(cues));
676 ++ cues, 3 * sizeof(*cues));
677 ++ kfree(cues);
678 + if (rcode != RCODE_COMPLETE) {
679 + dev_err(&unit->device,
680 + "Failed to send a cue to load firmware\n");
681 + err = -EIO;
682 + }
683 +-end:
684 ++
685 + return err;
686 + }
687 +
688 +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
689 +index 56fc47bd6dba..50b216fc369f 100644
690 +--- a/sound/pci/emu10k1/emufx.c
691 ++++ b/sound/pci/emu10k1/emufx.c
692 +@@ -2520,7 +2520,7 @@ static int snd_emu10k1_fx8010_ioctl(struct snd_hwdep * hw, struct file *file, un
693 + emu->support_tlv = 1;
694 + return put_user(SNDRV_EMU10K1_VERSION, (int __user *)argp);
695 + case SNDRV_EMU10K1_IOCTL_INFO:
696 +- info = kmalloc(sizeof(*info), GFP_KERNEL);
697 ++ info = kzalloc(sizeof(*info), GFP_KERNEL);
698 + if (!info)
699 + return -ENOMEM;
700 + snd_emu10k1_fx8010_info(emu, info);
701 +diff --git a/sound/soc/codecs/cs4265.c b/sound/soc/codecs/cs4265.c
702 +index 55db19ddc5ff..93b02be3a90e 100644
703 +--- a/sound/soc/codecs/cs4265.c
704 ++++ b/sound/soc/codecs/cs4265.c
705 +@@ -157,8 +157,8 @@ static const struct snd_kcontrol_new cs4265_snd_controls[] = {
706 + SOC_SINGLE("Validity Bit Control Switch", CS4265_SPDIF_CTL2,
707 + 3, 1, 0),
708 + SOC_ENUM("SPDIF Mono/Stereo", spdif_mono_stereo_enum),
709 +- SOC_SINGLE("MMTLR Data Switch", 0,
710 +- 1, 1, 0),
711 ++ SOC_SINGLE("MMTLR Data Switch", CS4265_SPDIF_CTL2,
712 ++ 0, 1, 0),
713 + SOC_ENUM("Mono Channel Select", spdif_mono_select_enum),
714 + SND_SOC_BYTES("C Data Buffer", CS4265_C_DATA_BUFF, 24),
715 + };