Gentoo Archives: gentoo-commits

From: Alice Ferrazzi <alicef@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Tue, 23 Feb 2021 13:38:46
Message-Id: 1614087460.a36c86ff7da449dcc400901d3e361d4042fd9f7e.alicef@gentoo
1 commit: a36c86ff7da449dcc400901d3e361d4042fd9f7e
2 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 23 13:37:07 2021 +0000
4 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 23 13:37:40 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a36c86ff
7
8 Linux patch 4.9.258
9
10 Signed-off-by: Alice Ferrazzi <alicef <AT> gentoo.org>
11
12 0000_README | 4 +
13 1257_linux-4.9.258.patch | 2316 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2320 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index e08f1e6..3c566c7 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1071,6 +1071,10 @@ Patch: 1256_linux-4.9.257.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.257
23
24 +Patch: 1257_linux-4.9.258.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.258
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1257_linux-4.9.258.patch b/1257_linux-4.9.258.patch
33 new file mode 100644
34 index 0000000..94ef50a
35 --- /dev/null
36 +++ b/1257_linux-4.9.258.patch
37 @@ -0,0 +1,2316 @@
38 +diff --git a/Makefile b/Makefile
39 +index e53096154f816..e5955f122ffd3 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 257
46 ++SUBLEVEL = 258
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +@@ -762,6 +762,13 @@ ifdef CONFIG_FUNCTION_TRACER
51 + ifndef CC_FLAGS_FTRACE
52 + CC_FLAGS_FTRACE := -pg
53 + endif
54 ++ifdef CONFIG_FTRACE_MCOUNT_RECORD
55 ++ # gcc 5 supports generating the mcount tables directly
56 ++ ifeq ($(call cc-option-yn,-mrecord-mcount),y)
57 ++ CC_FLAGS_FTRACE += -mrecord-mcount
58 ++ export CC_USING_RECORD_MCOUNT := 1
59 ++ endif
60 ++endif
61 + export CC_FLAGS_FTRACE
62 + ifdef CONFIG_HAVE_FENTRY
63 + CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY)
64 +diff --git a/arch/arm/boot/dts/lpc32xx.dtsi b/arch/arm/boot/dts/lpc32xx.dtsi
65 +index 2802c9565b6ca..976a75a4eb2c6 100644
66 +--- a/arch/arm/boot/dts/lpc32xx.dtsi
67 ++++ b/arch/arm/boot/dts/lpc32xx.dtsi
68 +@@ -323,9 +323,6 @@
69 +
70 + clocks = <&xtal_32k>, <&xtal>;
71 + clock-names = "xtal_32k", "xtal";
72 +-
73 +- assigned-clocks = <&clk LPC32XX_CLK_HCLK_PLL>;
74 +- assigned-clock-rates = <208000000>;
75 + };
76 + };
77 +
78 +diff --git a/arch/arm/xen/p2m.c b/arch/arm/xen/p2m.c
79 +index 0ed01f2d5ee4b..02579e6569f0c 100644
80 +--- a/arch/arm/xen/p2m.c
81 ++++ b/arch/arm/xen/p2m.c
82 +@@ -93,8 +93,10 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops,
83 + for (i = 0; i < count; i++) {
84 + if (map_ops[i].status)
85 + continue;
86 +- set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT,
87 +- map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT);
88 ++ if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT,
89 ++ map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) {
90 ++ return -ENOMEM;
91 ++ }
92 + }
93 +
94 + return 0;
95 +diff --git a/arch/h8300/kernel/asm-offsets.c b/arch/h8300/kernel/asm-offsets.c
96 +index dc2d16ce8a0d5..3e33a9844d99a 100644
97 +--- a/arch/h8300/kernel/asm-offsets.c
98 ++++ b/arch/h8300/kernel/asm-offsets.c
99 +@@ -62,6 +62,9 @@ int main(void)
100 + OFFSET(TI_FLAGS, thread_info, flags);
101 + OFFSET(TI_CPU, thread_info, cpu);
102 + OFFSET(TI_PRE, thread_info, preempt_count);
103 ++#ifdef CONFIG_PREEMPTION
104 ++ DEFINE(TI_PRE_COUNT, offsetof(struct thread_info, preempt_count));
105 ++#endif
106 +
107 + return 0;
108 + }
109 +diff --git a/arch/x86/Makefile b/arch/x86/Makefile
110 +index a95d414663b1e..9f0099c46c881 100644
111 +--- a/arch/x86/Makefile
112 ++++ b/arch/x86/Makefile
113 +@@ -61,6 +61,9 @@ endif
114 + KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow
115 + KBUILD_CFLAGS += $(call cc-option,-mno-avx,)
116 +
117 ++# Intel CET isn't enabled in the kernel
118 ++KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
119 ++
120 + ifeq ($(CONFIG_X86_32),y)
121 + BITS := 32
122 + UTS_MACHINE := i386
123 +@@ -137,9 +140,6 @@ else
124 + KBUILD_CFLAGS += -mno-red-zone
125 + KBUILD_CFLAGS += -mcmodel=kernel
126 +
127 +- # Intel CET isn't enabled in the kernel
128 +- KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
129 +-
130 + # -funit-at-a-time shrinks the kernel .text considerably
131 + # unfortunately it makes reading oopses harder.
132 + KBUILD_CFLAGS += $(call cc-option,-funit-at-a-time)
133 +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
134 +index 37129db76d33e..fbf8508e558ac 100644
135 +--- a/arch/x86/xen/p2m.c
136 ++++ b/arch/x86/xen/p2m.c
137 +@@ -725,7 +725,8 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops,
138 + unsigned long mfn, pfn;
139 +
140 + /* Do not add to override if the map failed. */
141 +- if (map_ops[i].status)
142 ++ if (map_ops[i].status != GNTST_okay ||
143 ++ (kmap_ops && kmap_ops[i].status != GNTST_okay))
144 + continue;
145 +
146 + if (map_ops[i].flags & GNTMAP_contains_pte) {
147 +@@ -763,17 +764,15 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
148 + unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i]));
149 + unsigned long pfn = page_to_pfn(pages[i]);
150 +
151 +- if (mfn == INVALID_P2M_ENTRY || !(mfn & FOREIGN_FRAME_BIT)) {
152 ++ if (mfn != INVALID_P2M_ENTRY && (mfn & FOREIGN_FRAME_BIT))
153 ++ set_phys_to_machine(pfn, INVALID_P2M_ENTRY);
154 ++ else
155 + ret = -EINVAL;
156 +- goto out;
157 +- }
158 +-
159 +- set_phys_to_machine(pfn, INVALID_P2M_ENTRY);
160 + }
161 + if (kunmap_ops)
162 + ret = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref,
163 +- kunmap_ops, count);
164 +-out:
165 ++ kunmap_ops, count) ?: ret;
166 ++
167 + return ret;
168 + }
169 + EXPORT_SYMBOL_GPL(clear_foreign_p2m_mapping);
170 +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
171 +index 4f643a87f9c7d..2b739ba841b1a 100644
172 +--- a/drivers/block/xen-blkback/blkback.c
173 ++++ b/drivers/block/xen-blkback/blkback.c
174 +@@ -843,8 +843,11 @@ again:
175 + pages[i]->page = persistent_gnt->page;
176 + pages[i]->persistent_gnt = persistent_gnt;
177 + } else {
178 +- if (get_free_page(ring, &pages[i]->page))
179 +- goto out_of_memory;
180 ++ if (get_free_page(ring, &pages[i]->page)) {
181 ++ put_free_pages(ring, pages_to_gnt, segs_to_map);
182 ++ ret = -ENOMEM;
183 ++ goto out;
184 ++ }
185 + addr = vaddr(pages[i]->page);
186 + pages_to_gnt[segs_to_map] = pages[i]->page;
187 + pages[i]->persistent_gnt = NULL;
188 +@@ -860,10 +863,8 @@ again:
189 + break;
190 + }
191 +
192 +- if (segs_to_map) {
193 ++ if (segs_to_map)
194 + ret = gnttab_map_refs(map, NULL, pages_to_gnt, segs_to_map);
195 +- BUG_ON(ret);
196 +- }
197 +
198 + /*
199 + * Now swizzle the MFN in our domain with the MFN from the other domain
200 +@@ -878,7 +879,7 @@ again:
201 + pr_debug("invalid buffer -- could not remap it\n");
202 + put_free_pages(ring, &pages[seg_idx]->page, 1);
203 + pages[seg_idx]->handle = BLKBACK_INVALID_HANDLE;
204 +- ret |= 1;
205 ++ ret |= !ret;
206 + goto next;
207 + }
208 + pages[seg_idx]->handle = map[new_map_idx].handle;
209 +@@ -930,17 +931,18 @@ next:
210 + }
211 + segs_to_map = 0;
212 + last_map = map_until;
213 +- if (map_until != num)
214 ++ if (!ret && map_until != num)
215 + goto again;
216 +
217 +- return ret;
218 +-
219 +-out_of_memory:
220 +- pr_alert("%s: out of memory\n", __func__);
221 +- put_free_pages(ring, pages_to_gnt, segs_to_map);
222 +- for (i = last_map; i < num; i++)
223 ++out:
224 ++ for (i = last_map; i < num; i++) {
225 ++ /* Don't zap current batch's valid persistent grants. */
226 ++ if(i >= last_map + segs_to_map)
227 ++ pages[i]->persistent_gnt = NULL;
228 + pages[i]->handle = BLKBACK_INVALID_HANDLE;
229 +- return -ENOMEM;
230 ++ }
231 ++
232 ++ return ret;
233 + }
234 +
235 + static int xen_blkbk_map_seg(struct pending_req *pending_req)
236 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c
237 +index f4d75ffe3d8a8..7f01fb91ea668 100644
238 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c
239 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs-vif.c
240 +@@ -518,7 +518,10 @@ static ssize_t iwl_dbgfs_os_device_timediff_read(struct file *file,
241 + const size_t bufsz = sizeof(buf);
242 + int pos = 0;
243 +
244 ++ mutex_lock(&mvm->mutex);
245 + iwl_mvm_get_sync_time(mvm, &curr_gp2, &curr_os);
246 ++ mutex_unlock(&mvm->mutex);
247 ++
248 + do_div(curr_os, NSEC_PER_USEC);
249 + diff = curr_os - curr_gp2;
250 + pos += scnprintf(buf + pos, bufsz - pos, "diff=%lld\n", diff);
251 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
252 +index 6d38eec3f9d3c..a78aaf17116e9 100644
253 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
254 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
255 +@@ -1104,6 +1104,7 @@ static void iwl_mvm_reprobe_wk(struct work_struct *wk)
256 + reprobe = container_of(wk, struct iwl_mvm_reprobe, work);
257 + if (device_reprobe(reprobe->dev))
258 + dev_err(reprobe->dev, "reprobe failed!\n");
259 ++ put_device(reprobe->dev);
260 + kfree(reprobe);
261 + module_put(THIS_MODULE);
262 + }
263 +@@ -1202,7 +1203,7 @@ void iwl_mvm_nic_restart(struct iwl_mvm *mvm, bool fw_error)
264 + module_put(THIS_MODULE);
265 + return;
266 + }
267 +- reprobe->dev = mvm->trans->dev;
268 ++ reprobe->dev = get_device(mvm->trans->dev);
269 + INIT_WORK(&reprobe->work, iwl_mvm_reprobe_wk);
270 + schedule_work(&reprobe->work);
271 + } else if (mvm->cur_ucode == IWL_UCODE_REGULAR) {
272 +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
273 +index 174e45d78c46a..ff564198d2cef 100644
274 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
275 ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
276 +@@ -676,6 +676,11 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
277 + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
278 + struct iwl_txq *txq = &trans_pcie->txq[txq_id];
279 +
280 ++ if (!txq) {
281 ++ IWL_ERR(trans, "Trying to free a queue that wasn't allocated?\n");
282 ++ return;
283 ++ }
284 ++
285 + spin_lock_bh(&txq->lock);
286 + while (txq->write_ptr != txq->read_ptr) {
287 + IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n",
288 +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
289 +index fd2ac6cd0c691..0024200c30ce4 100644
290 +--- a/drivers/net/xen-netback/netback.c
291 ++++ b/drivers/net/xen-netback/netback.c
292 +@@ -1328,13 +1328,11 @@ int xenvif_tx_action(struct xenvif_queue *queue, int budget)
293 + return 0;
294 +
295 + gnttab_batch_copy(queue->tx_copy_ops, nr_cops);
296 +- if (nr_mops != 0) {
297 ++ if (nr_mops != 0)
298 + ret = gnttab_map_refs(queue->tx_map_ops,
299 + NULL,
300 + queue->pages_to_map,
301 + nr_mops);
302 +- BUG_ON(ret);
303 +- }
304 +
305 + work_done = xenvif_tx_submit(queue);
306 +
307 +diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c
308 +index f152246c7dfb7..ddfb1cfa2dd94 100644
309 +--- a/drivers/net/xen-netback/rx.c
310 ++++ b/drivers/net/xen-netback/rx.c
311 +@@ -38,10 +38,15 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
312 + RING_IDX prod, cons;
313 + struct sk_buff *skb;
314 + int needed;
315 ++ unsigned long flags;
316 ++
317 ++ spin_lock_irqsave(&queue->rx_queue.lock, flags);
318 +
319 + skb = skb_peek(&queue->rx_queue);
320 +- if (!skb)
321 ++ if (!skb) {
322 ++ spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
323 + return false;
324 ++ }
325 +
326 + needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
327 + if (skb_is_gso(skb))
328 +@@ -49,6 +54,8 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
329 + if (skb->sw_hash)
330 + needed++;
331 +
332 ++ spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
333 ++
334 + do {
335 + prod = queue->rx.sring->req_prod;
336 + cons = queue->rx.req_cons;
337 +diff --git a/drivers/remoteproc/qcom_q6v5_pil.c b/drivers/remoteproc/qcom_q6v5_pil.c
338 +index 2e0caaaa766a3..72fc33bba99c1 100644
339 +--- a/drivers/remoteproc/qcom_q6v5_pil.c
340 ++++ b/drivers/remoteproc/qcom_q6v5_pil.c
341 +@@ -193,6 +193,12 @@ static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
342 + {
343 + struct q6v5 *qproc = rproc->priv;
344 +
345 ++ /* MBA is restricted to a maximum size of 1M */
346 ++ if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
347 ++ dev_err(qproc->dev, "MBA firmware load failed\n");
348 ++ return -EINVAL;
349 ++ }
350 ++
351 + memcpy(qproc->mba_region, fw->data, fw->size);
352 +
353 + return 0;
354 +diff --git a/drivers/scsi/qla2xxx/qla_tmpl.c b/drivers/scsi/qla2xxx/qla_tmpl.c
355 +index 9c2c7fe612806..ba83c36b76bdf 100644
356 +--- a/drivers/scsi/qla2xxx/qla_tmpl.c
357 ++++ b/drivers/scsi/qla2xxx/qla_tmpl.c
358 +@@ -878,7 +878,8 @@ qla27xx_template_checksum(void *p, ulong size)
359 + static inline int
360 + qla27xx_verify_template_checksum(struct qla27xx_fwdt_template *tmp)
361 + {
362 +- return qla27xx_template_checksum(tmp, tmp->template_size) == 0;
363 ++ return qla27xx_template_checksum(tmp,
364 ++ le32_to_cpu(tmp->template_size)) == 0;
365 + }
366 +
367 + static inline int
368 +@@ -894,7 +895,7 @@ qla27xx_execute_fwdt_template(struct scsi_qla_host *vha)
369 + ulong len;
370 +
371 + if (qla27xx_fwdt_template_valid(tmp)) {
372 +- len = tmp->template_size;
373 ++ len = le32_to_cpu(tmp->template_size);
374 + tmp = memcpy(vha->hw->fw_dump, tmp, len);
375 + ql27xx_edit_template(vha, tmp);
376 + qla27xx_walk_template(vha, tmp, tmp, &len);
377 +@@ -910,7 +911,7 @@ qla27xx_fwdt_calculate_dump_size(struct scsi_qla_host *vha)
378 + ulong len = 0;
379 +
380 + if (qla27xx_fwdt_template_valid(tmp)) {
381 +- len = tmp->template_size;
382 ++ len = le32_to_cpu(tmp->template_size);
383 + qla27xx_walk_template(vha, tmp, NULL, &len);
384 + }
385 +
386 +@@ -922,7 +923,7 @@ qla27xx_fwdt_template_size(void *p)
387 + {
388 + struct qla27xx_fwdt_template *tmp = p;
389 +
390 +- return tmp->template_size;
391 ++ return le32_to_cpu(tmp->template_size);
392 + }
393 +
394 + ulong
395 +diff --git a/drivers/scsi/qla2xxx/qla_tmpl.h b/drivers/scsi/qla2xxx/qla_tmpl.h
396 +index 141c1c5e73f42..2d3e1a8349b3b 100644
397 +--- a/drivers/scsi/qla2xxx/qla_tmpl.h
398 ++++ b/drivers/scsi/qla2xxx/qla_tmpl.h
399 +@@ -13,7 +13,7 @@
400 + struct __packed qla27xx_fwdt_template {
401 + uint32_t template_type;
402 + uint32_t entry_offset;
403 +- uint32_t template_size;
404 ++ __le32 template_size;
405 + uint32_t reserved_1;
406 +
407 + uint32_t entry_count;
408 +diff --git a/drivers/usb/dwc3/ulpi.c b/drivers/usb/dwc3/ulpi.c
409 +index bd86f84f37901..3862edf59f7de 100644
410 +--- a/drivers/usb/dwc3/ulpi.c
411 ++++ b/drivers/usb/dwc3/ulpi.c
412 +@@ -10,6 +10,8 @@
413 + * published by the Free Software Foundation.
414 + */
415 +
416 ++#include <linux/delay.h>
417 ++#include <linux/time64.h>
418 + #include <linux/ulpi/regs.h>
419 +
420 + #include "core.h"
421 +@@ -20,12 +22,22 @@
422 + DWC3_GUSB2PHYACC_ADDR(ULPI_ACCESS_EXTENDED) | \
423 + DWC3_GUSB2PHYACC_EXTEND_ADDR(a) : DWC3_GUSB2PHYACC_ADDR(a))
424 +
425 +-static int dwc3_ulpi_busyloop(struct dwc3 *dwc)
426 ++#define DWC3_ULPI_BASE_DELAY DIV_ROUND_UP(NSEC_PER_SEC, 60000000L)
427 ++
428 ++static int dwc3_ulpi_busyloop(struct dwc3 *dwc, u8 addr, bool read)
429 + {
430 +- unsigned count = 1000;
431 ++ unsigned long ns = 5L * DWC3_ULPI_BASE_DELAY;
432 ++ unsigned int count = 1000;
433 + u32 reg;
434 +
435 ++ if (addr >= ULPI_EXT_VENDOR_SPECIFIC)
436 ++ ns += DWC3_ULPI_BASE_DELAY;
437 ++
438 ++ if (read)
439 ++ ns += DWC3_ULPI_BASE_DELAY;
440 ++
441 + while (count--) {
442 ++ ndelay(ns);
443 + reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYACC(0));
444 + if (!(reg & DWC3_GUSB2PHYACC_BUSY))
445 + return 0;
446 +@@ -44,7 +56,7 @@ static int dwc3_ulpi_read(struct device *dev, u8 addr)
447 + reg = DWC3_GUSB2PHYACC_NEWREGREQ | DWC3_ULPI_ADDR(addr);
448 + dwc3_writel(dwc->regs, DWC3_GUSB2PHYACC(0), reg);
449 +
450 +- ret = dwc3_ulpi_busyloop(dwc);
451 ++ ret = dwc3_ulpi_busyloop(dwc, addr, true);
452 + if (ret)
453 + return ret;
454 +
455 +@@ -62,7 +74,7 @@ static int dwc3_ulpi_write(struct device *dev, u8 addr, u8 val)
456 + reg |= DWC3_GUSB2PHYACC_WRITE | val;
457 + dwc3_writel(dwc->regs, DWC3_GUSB2PHYACC(0), reg);
458 +
459 +- return dwc3_ulpi_busyloop(dwc);
460 ++ return dwc3_ulpi_busyloop(dwc, addr, false);
461 + }
462 +
463 + static const struct ulpi_ops dwc3_ulpi_ops = {
464 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
465 +index 910b5d40c6e9f..69d59102ff1be 100644
466 +--- a/drivers/xen/gntdev.c
467 ++++ b/drivers/xen/gntdev.c
468 +@@ -293,36 +293,47 @@ static int map_grant_pages(struct grant_map *map)
469 + * to the kernel linear addresses of the struct pages.
470 + * These ptes are completely different from the user ptes dealt
471 + * with find_grant_ptes.
472 ++ * Note that GNTMAP_device_map isn't needed here: The
473 ++ * dev_bus_addr output field gets consumed only from ->map_ops,
474 ++ * and by not requesting it when mapping we also avoid needing
475 ++ * to mirror dev_bus_addr into ->unmap_ops (and holding an extra
476 ++ * reference to the page in the hypervisor).
477 + */
478 ++ unsigned int flags = (map->flags & ~GNTMAP_device_map) |
479 ++ GNTMAP_host_map;
480 ++
481 + for (i = 0; i < map->count; i++) {
482 + unsigned long address = (unsigned long)
483 + pfn_to_kaddr(page_to_pfn(map->pages[i]));
484 + BUG_ON(PageHighMem(map->pages[i]));
485 +
486 +- gnttab_set_map_op(&map->kmap_ops[i], address,
487 +- map->flags | GNTMAP_host_map,
488 ++ gnttab_set_map_op(&map->kmap_ops[i], address, flags,
489 + map->grants[i].ref,
490 + map->grants[i].domid);
491 + gnttab_set_unmap_op(&map->kunmap_ops[i], address,
492 +- map->flags | GNTMAP_host_map, -1);
493 ++ flags, -1);
494 + }
495 + }
496 +
497 + pr_debug("map %d+%d\n", map->index, map->count);
498 + err = gnttab_map_refs(map->map_ops, use_ptemod ? map->kmap_ops : NULL,
499 + map->pages, map->count);
500 +- if (err)
501 +- return err;
502 +
503 + for (i = 0; i < map->count; i++) {
504 +- if (map->map_ops[i].status) {
505 ++ if (map->map_ops[i].status == GNTST_okay)
506 ++ map->unmap_ops[i].handle = map->map_ops[i].handle;
507 ++ else if (!err)
508 + err = -EINVAL;
509 +- continue;
510 +- }
511 +
512 +- map->unmap_ops[i].handle = map->map_ops[i].handle;
513 +- if (use_ptemod)
514 +- map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
515 ++ if (map->flags & GNTMAP_device_map)
516 ++ map->unmap_ops[i].dev_bus_addr = map->map_ops[i].dev_bus_addr;
517 ++
518 ++ if (use_ptemod) {
519 ++ if (map->kmap_ops[i].status == GNTST_okay)
520 ++ map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
521 ++ else if (!err)
522 ++ err = -EINVAL;
523 ++ }
524 + }
525 + return err;
526 + }
527 +diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
528 +index 3243d917651a3..4bba877ef5477 100644
529 +--- a/drivers/xen/xen-scsiback.c
530 ++++ b/drivers/xen/xen-scsiback.c
531 +@@ -423,12 +423,12 @@ static int scsiback_gnttab_data_map_batch(struct gnttab_map_grant_ref *map,
532 + return 0;
533 +
534 + err = gnttab_map_refs(map, NULL, pg, cnt);
535 +- BUG_ON(err);
536 + for (i = 0; i < cnt; i++) {
537 + if (unlikely(map[i].status != GNTST_okay)) {
538 + pr_err("invalid buffer -- could not remap it\n");
539 + map[i].handle = SCSIBACK_INVALID_HANDLE;
540 +- err = -ENOMEM;
541 ++ if (!err)
542 ++ err = -ENOMEM;
543 + } else {
544 + get_page(pg[i]);
545 + }
546 +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
547 +index f978ae2bb846f..2de656ecc48bb 100644
548 +--- a/fs/fs-writeback.c
549 ++++ b/fs/fs-writeback.c
550 +@@ -1971,7 +1971,7 @@ void wb_workfn(struct work_struct *work)
551 + struct bdi_writeback, dwork);
552 + long pages_written;
553 +
554 +- set_worker_desc("flush-%s", dev_name(wb->bdi->dev));
555 ++ set_worker_desc("flush-%s", bdi_dev_name(wb->bdi));
556 + current->flags |= PF_SWAPWRITE;
557 +
558 + if (likely(!current_is_workqueue_rescuer() ||
559 +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
560 +index 299dbf59f28f8..3a583aa1fafeb 100644
561 +--- a/fs/overlayfs/copy_up.c
562 ++++ b/fs/overlayfs/copy_up.c
563 +@@ -92,6 +92,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
564 +
565 + if (ovl_is_private_xattr(name))
566 + continue;
567 ++
568 ++ error = security_inode_copy_up_xattr(name);
569 ++ if (error < 0 && error != -EOPNOTSUPP)
570 ++ break;
571 ++ if (error == 1) {
572 ++ error = 0;
573 ++ continue; /* Discard */
574 ++ }
575 + retry:
576 + size = vfs_getxattr(old, name, value, value_size);
577 + if (size == -ERANGE)
578 +@@ -115,13 +123,6 @@ retry:
579 + goto retry;
580 + }
581 +
582 +- error = security_inode_copy_up_xattr(name);
583 +- if (error < 0 && error != -EOPNOTSUPP)
584 +- break;
585 +- if (error == 1) {
586 +- error = 0;
587 +- continue; /* Discard */
588 +- }
589 + error = vfs_setxattr(new, name, value, size, 0);
590 + if (error)
591 + break;
592 +diff --git a/fs/squashfs/export.c b/fs/squashfs/export.c
593 +index 8073b6532cf04..d2a806416c3ab 100644
594 +--- a/fs/squashfs/export.c
595 ++++ b/fs/squashfs/export.c
596 +@@ -54,12 +54,17 @@ static long long squashfs_inode_lookup(struct super_block *sb, int ino_num)
597 + struct squashfs_sb_info *msblk = sb->s_fs_info;
598 + int blk = SQUASHFS_LOOKUP_BLOCK(ino_num - 1);
599 + int offset = SQUASHFS_LOOKUP_BLOCK_OFFSET(ino_num - 1);
600 +- u64 start = le64_to_cpu(msblk->inode_lookup_table[blk]);
601 ++ u64 start;
602 + __le64 ino;
603 + int err;
604 +
605 + TRACE("Entered squashfs_inode_lookup, inode_number = %d\n", ino_num);
606 +
607 ++ if (ino_num == 0 || (ino_num - 1) >= msblk->inodes)
608 ++ return -EINVAL;
609 ++
610 ++ start = le64_to_cpu(msblk->inode_lookup_table[blk]);
611 ++
612 + err = squashfs_read_metadata(sb, &ino, &start, &offset, sizeof(ino));
613 + if (err < 0)
614 + return err;
615 +@@ -124,7 +129,10 @@ __le64 *squashfs_read_inode_lookup_table(struct super_block *sb,
616 + u64 lookup_table_start, u64 next_table, unsigned int inodes)
617 + {
618 + unsigned int length = SQUASHFS_LOOKUP_BLOCK_BYTES(inodes);
619 ++ unsigned int indexes = SQUASHFS_LOOKUP_BLOCKS(inodes);
620 ++ int n;
621 + __le64 *table;
622 ++ u64 start, end;
623 +
624 + TRACE("In read_inode_lookup_table, length %d\n", length);
625 +
626 +@@ -134,20 +142,37 @@ __le64 *squashfs_read_inode_lookup_table(struct super_block *sb,
627 + if (inodes == 0)
628 + return ERR_PTR(-EINVAL);
629 +
630 +- /* length bytes should not extend into the next table - this check
631 +- * also traps instances where lookup_table_start is incorrectly larger
632 +- * than the next table start
633 ++ /*
634 ++ * The computed size of the lookup table (length bytes) should exactly
635 ++ * match the table start and end points
636 + */
637 +- if (lookup_table_start + length > next_table)
638 ++ if (length != (next_table - lookup_table_start))
639 + return ERR_PTR(-EINVAL);
640 +
641 + table = squashfs_read_table(sb, lookup_table_start, length);
642 ++ if (IS_ERR(table))
643 ++ return table;
644 +
645 + /*
646 +- * table[0] points to the first inode lookup table metadata block,
647 +- * this should be less than lookup_table_start
648 ++ * table[0], table[1], ... table[indexes - 1] store the locations
649 ++ * of the compressed inode lookup blocks. Each entry should be
650 ++ * less than the next (i.e. table[0] < table[1]), and the difference
651 ++ * between them should be SQUASHFS_METADATA_SIZE or less.
652 ++ * table[indexes - 1] should be less than lookup_table_start, and
653 ++ * again the difference should be SQUASHFS_METADATA_SIZE or less
654 + */
655 +- if (!IS_ERR(table) && le64_to_cpu(table[0]) >= lookup_table_start) {
656 ++ for (n = 0; n < (indexes - 1); n++) {
657 ++ start = le64_to_cpu(table[n]);
658 ++ end = le64_to_cpu(table[n + 1]);
659 ++
660 ++ if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
661 ++ kfree(table);
662 ++ return ERR_PTR(-EINVAL);
663 ++ }
664 ++ }
665 ++
666 ++ start = le64_to_cpu(table[indexes - 1]);
667 ++ if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) {
668 + kfree(table);
669 + return ERR_PTR(-EINVAL);
670 + }
671 +diff --git a/fs/squashfs/id.c b/fs/squashfs/id.c
672 +index d38ea3dab9515..8ccc0e3f6ea5a 100644
673 +--- a/fs/squashfs/id.c
674 ++++ b/fs/squashfs/id.c
675 +@@ -48,10 +48,15 @@ int squashfs_get_id(struct super_block *sb, unsigned int index,
676 + struct squashfs_sb_info *msblk = sb->s_fs_info;
677 + int block = SQUASHFS_ID_BLOCK(index);
678 + int offset = SQUASHFS_ID_BLOCK_OFFSET(index);
679 +- u64 start_block = le64_to_cpu(msblk->id_table[block]);
680 ++ u64 start_block;
681 + __le32 disk_id;
682 + int err;
683 +
684 ++ if (index >= msblk->ids)
685 ++ return -EINVAL;
686 ++
687 ++ start_block = le64_to_cpu(msblk->id_table[block]);
688 ++
689 + err = squashfs_read_metadata(sb, &disk_id, &start_block, &offset,
690 + sizeof(disk_id));
691 + if (err < 0)
692 +@@ -69,7 +74,10 @@ __le64 *squashfs_read_id_index_table(struct super_block *sb,
693 + u64 id_table_start, u64 next_table, unsigned short no_ids)
694 + {
695 + unsigned int length = SQUASHFS_ID_BLOCK_BYTES(no_ids);
696 ++ unsigned int indexes = SQUASHFS_ID_BLOCKS(no_ids);
697 ++ int n;
698 + __le64 *table;
699 ++ u64 start, end;
700 +
701 + TRACE("In read_id_index_table, length %d\n", length);
702 +
703 +@@ -80,20 +88,36 @@ __le64 *squashfs_read_id_index_table(struct super_block *sb,
704 + return ERR_PTR(-EINVAL);
705 +
706 + /*
707 +- * length bytes should not extend into the next table - this check
708 +- * also traps instances where id_table_start is incorrectly larger
709 +- * than the next table start
710 ++ * The computed size of the index table (length bytes) should exactly
711 ++ * match the table start and end points
712 + */
713 +- if (id_table_start + length > next_table)
714 ++ if (length != (next_table - id_table_start))
715 + return ERR_PTR(-EINVAL);
716 +
717 + table = squashfs_read_table(sb, id_table_start, length);
718 ++ if (IS_ERR(table))
719 ++ return table;
720 +
721 + /*
722 +- * table[0] points to the first id lookup table metadata block, this
723 +- * should be less than id_table_start
724 ++ * table[0], table[1], ... table[indexes - 1] store the locations
725 ++ * of the compressed id blocks. Each entry should be less than
726 ++ * the next (i.e. table[0] < table[1]), and the difference between them
727 ++ * should be SQUASHFS_METADATA_SIZE or less. table[indexes - 1]
728 ++ * should be less than id_table_start, and again the difference
729 ++ * should be SQUASHFS_METADATA_SIZE or less
730 + */
731 +- if (!IS_ERR(table) && le64_to_cpu(table[0]) >= id_table_start) {
732 ++ for (n = 0; n < (indexes - 1); n++) {
733 ++ start = le64_to_cpu(table[n]);
734 ++ end = le64_to_cpu(table[n + 1]);
735 ++
736 ++ if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
737 ++ kfree(table);
738 ++ return ERR_PTR(-EINVAL);
739 ++ }
740 ++ }
741 ++
742 ++ start = le64_to_cpu(table[indexes - 1]);
743 ++ if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
744 + kfree(table);
745 + return ERR_PTR(-EINVAL);
746 + }
747 +diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
748 +index ef69c31947bf8..5234c19a0eabc 100644
749 +--- a/fs/squashfs/squashfs_fs_sb.h
750 ++++ b/fs/squashfs/squashfs_fs_sb.h
751 +@@ -77,5 +77,6 @@ struct squashfs_sb_info {
752 + unsigned int inodes;
753 + unsigned int fragments;
754 + int xattr_ids;
755 ++ unsigned int ids;
756 + };
757 + #endif
758 +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
759 +index 1516bb779b8d4..5abc9d03397c1 100644
760 +--- a/fs/squashfs/super.c
761 ++++ b/fs/squashfs/super.c
762 +@@ -176,6 +176,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
763 + msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
764 + msblk->inodes = le32_to_cpu(sblk->inodes);
765 + msblk->fragments = le32_to_cpu(sblk->fragments);
766 ++ msblk->ids = le16_to_cpu(sblk->no_ids);
767 + flags = le16_to_cpu(sblk->flags);
768 +
769 + TRACE("Found valid superblock on %pg\n", sb->s_bdev);
770 +@@ -187,7 +188,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
771 + TRACE("Block size %d\n", msblk->block_size);
772 + TRACE("Number of inodes %d\n", msblk->inodes);
773 + TRACE("Number of fragments %d\n", msblk->fragments);
774 +- TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
775 ++ TRACE("Number of ids %d\n", msblk->ids);
776 + TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
777 + TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
778 + TRACE("sblk->fragment_table_start %llx\n",
779 +@@ -244,8 +245,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
780 + allocate_id_index_table:
781 + /* Allocate and read id index table */
782 + msblk->id_table = squashfs_read_id_index_table(sb,
783 +- le64_to_cpu(sblk->id_table_start), next_table,
784 +- le16_to_cpu(sblk->no_ids));
785 ++ le64_to_cpu(sblk->id_table_start), next_table, msblk->ids);
786 + if (IS_ERR(msblk->id_table)) {
787 + ERROR("unable to read id index table\n");
788 + err = PTR_ERR(msblk->id_table);
789 +diff --git a/fs/squashfs/xattr.h b/fs/squashfs/xattr.h
790 +index afe70f815e3de..86b0a0073e51f 100644
791 +--- a/fs/squashfs/xattr.h
792 ++++ b/fs/squashfs/xattr.h
793 +@@ -30,8 +30,16 @@ extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *,
794 + static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb,
795 + u64 start, u64 *xattr_table_start, int *xattr_ids)
796 + {
797 ++ struct squashfs_xattr_id_table *id_table;
798 ++
799 ++ id_table = squashfs_read_table(sb, start, sizeof(*id_table));
800 ++ if (IS_ERR(id_table))
801 ++ return (__le64 *) id_table;
802 ++
803 ++ *xattr_table_start = le64_to_cpu(id_table->xattr_table_start);
804 ++ kfree(id_table);
805 ++
806 + ERROR("Xattrs in filesystem, these will be ignored\n");
807 +- *xattr_table_start = start;
808 + return ERR_PTR(-ENOTSUPP);
809 + }
810 +
811 +diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
812 +index c89607d690c48..3a655d879600c 100644
813 +--- a/fs/squashfs/xattr_id.c
814 ++++ b/fs/squashfs/xattr_id.c
815 +@@ -44,10 +44,15 @@ int squashfs_xattr_lookup(struct super_block *sb, unsigned int index,
816 + struct squashfs_sb_info *msblk = sb->s_fs_info;
817 + int block = SQUASHFS_XATTR_BLOCK(index);
818 + int offset = SQUASHFS_XATTR_BLOCK_OFFSET(index);
819 +- u64 start_block = le64_to_cpu(msblk->xattr_id_table[block]);
820 ++ u64 start_block;
821 + struct squashfs_xattr_id id;
822 + int err;
823 +
824 ++ if (index >= msblk->xattr_ids)
825 ++ return -EINVAL;
826 ++
827 ++ start_block = le64_to_cpu(msblk->xattr_id_table[block]);
828 ++
829 + err = squashfs_read_metadata(sb, &id, &start_block, &offset,
830 + sizeof(id));
831 + if (err < 0)
832 +@@ -63,13 +68,17 @@ int squashfs_xattr_lookup(struct super_block *sb, unsigned int index,
833 + /*
834 + * Read uncompressed xattr id lookup table indexes from disk into memory
835 + */
836 +-__le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 start,
837 ++__le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
838 + u64 *xattr_table_start, int *xattr_ids)
839 + {
840 +- unsigned int len;
841 ++ struct squashfs_sb_info *msblk = sb->s_fs_info;
842 ++ unsigned int len, indexes;
843 + struct squashfs_xattr_id_table *id_table;
844 ++ __le64 *table;
845 ++ u64 start, end;
846 ++ int n;
847 +
848 +- id_table = squashfs_read_table(sb, start, sizeof(*id_table));
849 ++ id_table = squashfs_read_table(sb, table_start, sizeof(*id_table));
850 + if (IS_ERR(id_table))
851 + return (__le64 *) id_table;
852 +
853 +@@ -83,13 +92,52 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 start,
854 + if (*xattr_ids == 0)
855 + return ERR_PTR(-EINVAL);
856 +
857 +- /* xattr_table should be less than start */
858 +- if (*xattr_table_start >= start)
859 ++ len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
860 ++ indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);
861 ++
862 ++ /*
863 ++ * The computed size of the index table (len bytes) should exactly
864 ++ * match the table start and end points
865 ++ */
866 ++ start = table_start + sizeof(*id_table);
867 ++ end = msblk->bytes_used;
868 ++
869 ++ if (len != (end - start))
870 + return ERR_PTR(-EINVAL);
871 +
872 +- len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
873 ++ table = squashfs_read_table(sb, start, len);
874 ++ if (IS_ERR(table))
875 ++ return table;
876 ++
877 ++ /* table[0], table[1], ... table[indexes - 1] store the locations
878 ++ * of the compressed xattr id blocks. Each entry should be less than
879 ++ * the next (i.e. table[0] < table[1]), and the difference between them
880 ++ * should be SQUASHFS_METADATA_SIZE or less. table[indexes - 1]
881 ++ * should be less than table_start, and again the difference
882 ++ * should be SQUASHFS_METADATA_SIZE or less.
883 ++ *
884 ++ * Finally xattr_table_start should be less than table[0].
885 ++ */
886 ++ for (n = 0; n < (indexes - 1); n++) {
887 ++ start = le64_to_cpu(table[n]);
888 ++ end = le64_to_cpu(table[n + 1]);
889 ++
890 ++ if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
891 ++ kfree(table);
892 ++ return ERR_PTR(-EINVAL);
893 ++ }
894 ++ }
895 ++
896 ++ start = le64_to_cpu(table[indexes - 1]);
897 ++ if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
898 ++ kfree(table);
899 ++ return ERR_PTR(-EINVAL);
900 ++ }
901 +
902 +- TRACE("In read_xattr_index_table, length %d\n", len);
903 ++ if (*xattr_table_start >= le64_to_cpu(table[0])) {
904 ++ kfree(table);
905 ++ return ERR_PTR(-EINVAL);
906 ++ }
907 +
908 +- return squashfs_read_table(sb, start + sizeof(*id_table), len);
909 ++ return table;
910 + }
911 +diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
912 +index 63f17b106a4a6..57db558c9a616 100644
913 +--- a/include/linux/backing-dev.h
914 ++++ b/include/linux/backing-dev.h
915 +@@ -12,6 +12,7 @@
916 + #include <linux/fs.h>
917 + #include <linux/sched.h>
918 + #include <linux/blkdev.h>
919 ++#include <linux/device.h>
920 + #include <linux/writeback.h>
921 + #include <linux/blk-cgroup.h>
922 + #include <linux/backing-dev-defs.h>
923 +@@ -517,4 +518,13 @@ static inline int bdi_rw_congested(struct backing_dev_info *bdi)
924 + (1 << WB_async_congested));
925 + }
926 +
927 ++extern const char *bdi_unknown_name;
928 ++
929 ++static inline const char *bdi_dev_name(struct backing_dev_info *bdi)
930 ++{
931 ++ if (!bdi || !bdi->dev)
932 ++ return bdi_unknown_name;
933 ++ return dev_name(bdi->dev);
934 ++}
935 ++
936 + #endif /* _LINUX_BACKING_DEV_H */
937 +diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
938 +index b3d34d3e0e7ef..9b8b014d13af1 100644
939 +--- a/include/linux/ftrace.h
940 ++++ b/include/linux/ftrace.h
941 +@@ -783,7 +783,9 @@ typedef int (*trace_func_graph_ent_t)(struct ftrace_graph_ent *); /* entry */
942 + #ifdef CONFIG_FUNCTION_GRAPH_TRACER
943 +
944 + /* for init task */
945 +-#define INIT_FTRACE_GRAPH .ret_stack = NULL,
946 ++#define INIT_FTRACE_GRAPH \
947 ++ .ret_stack = NULL, \
948 ++ .tracing_graph_pause = ATOMIC_INIT(0),
949 +
950 + /*
951 + * Stack of return addresses for functions
952 +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
953 +index 8b35bdbdc214c..fd77f8303ab9a 100644
954 +--- a/include/linux/memcontrol.h
955 ++++ b/include/linux/memcontrol.h
956 +@@ -490,9 +490,21 @@ bool mem_cgroup_oom_synchronize(bool wait);
957 + extern int do_swap_account;
958 + #endif
959 +
960 +-void lock_page_memcg(struct page *page);
961 ++struct mem_cgroup *lock_page_memcg(struct page *page);
962 ++void __unlock_page_memcg(struct mem_cgroup *memcg);
963 + void unlock_page_memcg(struct page *page);
964 +
965 ++static inline void __mem_cgroup_update_page_stat(struct page *page,
966 ++ struct mem_cgroup *memcg,
967 ++ enum mem_cgroup_stat_index idx,
968 ++ int val)
969 ++{
970 ++ VM_BUG_ON(!(rcu_read_lock_held() || PageLocked(page)));
971 ++
972 ++ if (memcg && memcg->stat)
973 ++ this_cpu_add(memcg->stat->count[idx], val);
974 ++}
975 ++
976 + /**
977 + * mem_cgroup_update_page_stat - update page state statistics
978 + * @page: the page
979 +@@ -508,13 +520,12 @@ void unlock_page_memcg(struct page *page);
980 + * mem_cgroup_update_page_stat(page, state, -1);
981 + * unlock_page(page) or unlock_page_memcg(page)
982 + */
983 ++
984 + static inline void mem_cgroup_update_page_stat(struct page *page,
985 + enum mem_cgroup_stat_index idx, int val)
986 + {
987 +- VM_BUG_ON(!(rcu_read_lock_held() || PageLocked(page)));
988 +
989 +- if (page->mem_cgroup)
990 +- this_cpu_add(page->mem_cgroup->stat->count[idx], val);
991 ++ __mem_cgroup_update_page_stat(page, page->mem_cgroup, idx, val);
992 + }
993 +
994 + static inline void mem_cgroup_inc_page_stat(struct page *page,
995 +@@ -709,7 +720,12 @@ mem_cgroup_print_oom_info(struct mem_cgroup *memcg, struct task_struct *p)
996 + {
997 + }
998 +
999 +-static inline void lock_page_memcg(struct page *page)
1000 ++static inline struct mem_cgroup *lock_page_memcg(struct page *page)
1001 ++{
1002 ++ return NULL;
1003 ++}
1004 ++
1005 ++static inline void __unlock_page_memcg(struct mem_cgroup *memcg)
1006 + {
1007 + }
1008 +
1009 +@@ -745,6 +761,13 @@ static inline void mem_cgroup_update_page_stat(struct page *page,
1010 + {
1011 + }
1012 +
1013 ++static inline void __mem_cgroup_update_page_stat(struct page *page,
1014 ++ struct mem_cgroup *memcg,
1015 ++ enum mem_cgroup_stat_index idx,
1016 ++ int nr)
1017 ++{
1018 ++}
1019 ++
1020 + static inline void mem_cgroup_inc_page_stat(struct page *page,
1021 + enum mem_cgroup_stat_index idx)
1022 + {
1023 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
1024 +index 4d1b1056ac972..2aacafe2bce58 100644
1025 +--- a/include/linux/netdevice.h
1026 ++++ b/include/linux/netdevice.h
1027 +@@ -3701,6 +3701,7 @@ static inline void netif_tx_disable(struct net_device *dev)
1028 +
1029 + local_bh_disable();
1030 + cpu = smp_processor_id();
1031 ++ spin_lock(&dev->tx_global_lock);
1032 + for (i = 0; i < dev->num_tx_queues; i++) {
1033 + struct netdev_queue *txq = netdev_get_tx_queue(dev, i);
1034 +
1035 +@@ -3708,6 +3709,7 @@ static inline void netif_tx_disable(struct net_device *dev)
1036 + netif_tx_stop_queue(txq);
1037 + __netif_tx_unlock(txq);
1038 + }
1039 ++ spin_unlock(&dev->tx_global_lock);
1040 + local_bh_enable();
1041 + }
1042 +
1043 +diff --git a/include/linux/string.h b/include/linux/string.h
1044 +index 42eed573ebb63..66a91f5a34499 100644
1045 +--- a/include/linux/string.h
1046 ++++ b/include/linux/string.h
1047 +@@ -29,6 +29,10 @@ size_t strlcpy(char *, const char *, size_t);
1048 + #ifndef __HAVE_ARCH_STRSCPY
1049 + ssize_t strscpy(char *, const char *, size_t);
1050 + #endif
1051 ++
1052 ++/* Wraps calls to strscpy()/memset(), no arch specific code required */
1053 ++ssize_t strscpy_pad(char *dest, const char *src, size_t count);
1054 ++
1055 + #ifndef __HAVE_ARCH_STRCAT
1056 + extern char * strcat(char *, const char *);
1057 + #endif
1058 +diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
1059 +index 56c48c884a242..bf0db32b40aa0 100644
1060 +--- a/include/linux/sunrpc/xdr.h
1061 ++++ b/include/linux/sunrpc/xdr.h
1062 +@@ -23,8 +23,7 @@
1063 + #define XDR_QUADLEN(l) (((l) + 3) >> 2)
1064 +
1065 + /*
1066 +- * Generic opaque `network object.' At the kernel level, this type
1067 +- * is used only by lockd.
1068 ++ * Generic opaque `network object.'
1069 + */
1070 + #define XDR_MAX_NETOBJ 1024
1071 + struct xdr_netobj {
1072 +diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h
1073 +index ec964a924cd2f..49a72adc7135c 100644
1074 +--- a/include/trace/events/writeback.h
1075 ++++ b/include/trace/events/writeback.h
1076 +@@ -65,8 +65,9 @@ TRACE_EVENT(writeback_dirty_page,
1077 + ),
1078 +
1079 + TP_fast_assign(
1080 +- strncpy(__entry->name,
1081 +- mapping ? dev_name(inode_to_bdi(mapping->host)->dev) : "(unknown)", 32);
1082 ++ strscpy_pad(__entry->name,
1083 ++ bdi_dev_name(mapping ? inode_to_bdi(mapping->host) :
1084 ++ NULL), 32);
1085 + __entry->ino = mapping ? mapping->host->i_ino : 0;
1086 + __entry->index = page->index;
1087 + ),
1088 +@@ -95,8 +96,7 @@ DECLARE_EVENT_CLASS(writeback_dirty_inode_template,
1089 + struct backing_dev_info *bdi = inode_to_bdi(inode);
1090 +
1091 + /* may be called for files on pseudo FSes w/ unregistered bdi */
1092 +- strncpy(__entry->name,
1093 +- bdi->dev ? dev_name(bdi->dev) : "(unknown)", 32);
1094 ++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
1095 + __entry->ino = inode->i_ino;
1096 + __entry->state = inode->i_state;
1097 + __entry->flags = flags;
1098 +@@ -175,8 +175,8 @@ DECLARE_EVENT_CLASS(writeback_write_inode_template,
1099 + ),
1100 +
1101 + TP_fast_assign(
1102 +- strncpy(__entry->name,
1103 +- dev_name(inode_to_bdi(inode)->dev), 32);
1104 ++ strscpy_pad(__entry->name,
1105 ++ bdi_dev_name(inode_to_bdi(inode)), 32);
1106 + __entry->ino = inode->i_ino;
1107 + __entry->sync_mode = wbc->sync_mode;
1108 + __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc);
1109 +@@ -219,8 +219,7 @@ DECLARE_EVENT_CLASS(writeback_work_class,
1110 + __field(unsigned int, cgroup_ino)
1111 + ),
1112 + TP_fast_assign(
1113 +- strncpy(__entry->name,
1114 +- wb->bdi->dev ? dev_name(wb->bdi->dev) : "(unknown)", 32);
1115 ++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
1116 + __entry->nr_pages = work->nr_pages;
1117 + __entry->sb_dev = work->sb ? work->sb->s_dev : 0;
1118 + __entry->sync_mode = work->sync_mode;
1119 +@@ -273,7 +272,7 @@ DECLARE_EVENT_CLASS(writeback_class,
1120 + __field(unsigned int, cgroup_ino)
1121 + ),
1122 + TP_fast_assign(
1123 +- strncpy(__entry->name, dev_name(wb->bdi->dev), 32);
1124 ++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
1125 + __entry->cgroup_ino = __trace_wb_assign_cgroup(wb);
1126 + ),
1127 + TP_printk("bdi %s: cgroup_ino=%u",
1128 +@@ -296,7 +295,7 @@ TRACE_EVENT(writeback_bdi_register,
1129 + __array(char, name, 32)
1130 + ),
1131 + TP_fast_assign(
1132 +- strncpy(__entry->name, dev_name(bdi->dev), 32);
1133 ++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
1134 + ),
1135 + TP_printk("bdi %s",
1136 + __entry->name
1137 +@@ -321,7 +320,7 @@ DECLARE_EVENT_CLASS(wbc_class,
1138 + ),
1139 +
1140 + TP_fast_assign(
1141 +- strncpy(__entry->name, dev_name(bdi->dev), 32);
1142 ++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
1143 + __entry->nr_to_write = wbc->nr_to_write;
1144 + __entry->pages_skipped = wbc->pages_skipped;
1145 + __entry->sync_mode = wbc->sync_mode;
1146 +@@ -372,7 +371,7 @@ TRACE_EVENT(writeback_queue_io,
1147 + __field(unsigned int, cgroup_ino)
1148 + ),
1149 + TP_fast_assign(
1150 +- strncpy(__entry->name, dev_name(wb->bdi->dev), 32);
1151 ++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
1152 + __entry->older = dirtied_before;
1153 + __entry->age = (jiffies - dirtied_before) * 1000 / HZ;
1154 + __entry->moved = moved;
1155 +@@ -457,7 +456,7 @@ TRACE_EVENT(bdi_dirty_ratelimit,
1156 + ),
1157 +
1158 + TP_fast_assign(
1159 +- strlcpy(__entry->bdi, dev_name(wb->bdi->dev), 32);
1160 ++ strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32);
1161 + __entry->write_bw = KBps(wb->write_bandwidth);
1162 + __entry->avg_write_bw = KBps(wb->avg_write_bandwidth);
1163 + __entry->dirty_rate = KBps(dirty_rate);
1164 +@@ -522,7 +521,7 @@ TRACE_EVENT(balance_dirty_pages,
1165 +
1166 + TP_fast_assign(
1167 + unsigned long freerun = (thresh + bg_thresh) / 2;
1168 +- strlcpy(__entry->bdi, dev_name(wb->bdi->dev), 32);
1169 ++ strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32);
1170 +
1171 + __entry->limit = global_wb_domain.dirty_limit;
1172 + __entry->setpoint = (global_wb_domain.dirty_limit +
1173 +@@ -582,8 +581,8 @@ TRACE_EVENT(writeback_sb_inodes_requeue,
1174 + ),
1175 +
1176 + TP_fast_assign(
1177 +- strncpy(__entry->name,
1178 +- dev_name(inode_to_bdi(inode)->dev), 32);
1179 ++ strscpy_pad(__entry->name,
1180 ++ bdi_dev_name(inode_to_bdi(inode)), 32);
1181 + __entry->ino = inode->i_ino;
1182 + __entry->state = inode->i_state;
1183 + __entry->dirtied_when = inode->dirtied_when;
1184 +@@ -656,8 +655,8 @@ DECLARE_EVENT_CLASS(writeback_single_inode_template,
1185 + ),
1186 +
1187 + TP_fast_assign(
1188 +- strncpy(__entry->name,
1189 +- dev_name(inode_to_bdi(inode)->dev), 32);
1190 ++ strscpy_pad(__entry->name,
1191 ++ bdi_dev_name(inode_to_bdi(inode)), 32);
1192 + __entry->ino = inode->i_ino;
1193 + __entry->state = inode->i_state;
1194 + __entry->dirtied_when = inode->dirtied_when;
1195 +diff --git a/include/xen/grant_table.h b/include/xen/grant_table.h
1196 +index 34b1379f9777d..f9d8aac170fbc 100644
1197 +--- a/include/xen/grant_table.h
1198 ++++ b/include/xen/grant_table.h
1199 +@@ -157,6 +157,7 @@ gnttab_set_map_op(struct gnttab_map_grant_ref *map, phys_addr_t addr,
1200 + map->flags = flags;
1201 + map->ref = ref;
1202 + map->dom = domid;
1203 ++ map->status = 1; /* arbitrary positive value */
1204 + }
1205 +
1206 + static inline void
1207 +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
1208 +index a2a232dec2363..2fdf6f96f9762 100644
1209 +--- a/kernel/bpf/stackmap.c
1210 ++++ b/kernel/bpf/stackmap.c
1211 +@@ -70,6 +70,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
1212 +
1213 + /* hash table size must be power of 2 */
1214 + n_buckets = roundup_pow_of_two(attr->max_entries);
1215 ++ if (!n_buckets)
1216 ++ return ERR_PTR(-E2BIG);
1217 +
1218 + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
1219 + if (cost >= U32_MAX - PAGE_SIZE)
1220 +diff --git a/kernel/futex.c b/kernel/futex.c
1221 +index 83db5787c67ef..b65dbb5d60bb1 100644
1222 +--- a/kernel/futex.c
1223 ++++ b/kernel/futex.c
1224 +@@ -1019,6 +1019,39 @@ static void exit_pi_state_list(struct task_struct *curr)
1225 + * [10] There is no transient state which leaves owner and user space
1226 + * TID out of sync. Except one error case where the kernel is denied
1227 + * write access to the user address, see fixup_pi_state_owner().
1228 ++ *
1229 ++ *
1230 ++ * Serialization and lifetime rules:
1231 ++ *
1232 ++ * hb->lock:
1233 ++ *
1234 ++ * hb -> futex_q, relation
1235 ++ * futex_q -> pi_state, relation
1236 ++ *
1237 ++ * (cannot be raw because hb can contain arbitrary amount
1238 ++ * of futex_q's)
1239 ++ *
1240 ++ * pi_mutex->wait_lock:
1241 ++ *
1242 ++ * {uval, pi_state}
1243 ++ *
1244 ++ * (and pi_mutex 'obviously')
1245 ++ *
1246 ++ * p->pi_lock:
1247 ++ *
1248 ++ * p->pi_state_list -> pi_state->list, relation
1249 ++ *
1250 ++ * pi_state->refcount:
1251 ++ *
1252 ++ * pi_state lifetime
1253 ++ *
1254 ++ *
1255 ++ * Lock order:
1256 ++ *
1257 ++ * hb->lock
1258 ++ * pi_mutex->wait_lock
1259 ++ * p->pi_lock
1260 ++ *
1261 + */
1262 +
1263 + /*
1264 +@@ -1026,10 +1059,12 @@ static void exit_pi_state_list(struct task_struct *curr)
1265 + * the pi_state against the user space value. If correct, attach to
1266 + * it.
1267 + */
1268 +-static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
1269 ++static int attach_to_pi_state(u32 __user *uaddr, u32 uval,
1270 ++ struct futex_pi_state *pi_state,
1271 + struct futex_pi_state **ps)
1272 + {
1273 + pid_t pid = uval & FUTEX_TID_MASK;
1274 ++ int ret, uval2;
1275 +
1276 + /*
1277 + * Userspace might have messed up non-PI and PI futexes [3]
1278 +@@ -1037,8 +1072,33 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
1279 + if (unlikely(!pi_state))
1280 + return -EINVAL;
1281 +
1282 ++ /*
1283 ++ * We get here with hb->lock held, and having found a
1284 ++ * futex_top_waiter(). This means that futex_lock_pi() of said futex_q
1285 ++ * has dropped the hb->lock in between queue_me() and unqueue_me_pi(),
1286 ++ * which in turn means that futex_lock_pi() still has a reference on
1287 ++ * our pi_state.
1288 ++ */
1289 + WARN_ON(!atomic_read(&pi_state->refcount));
1290 +
1291 ++ /*
1292 ++ * Now that we have a pi_state, we can acquire wait_lock
1293 ++ * and do the state validation.
1294 ++ */
1295 ++ raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
1296 ++
1297 ++ /*
1298 ++ * Since {uval, pi_state} is serialized by wait_lock, and our current
1299 ++ * uval was read without holding it, it can have changed. Verify it
1300 ++ * still is what we expect it to be, otherwise retry the entire
1301 ++ * operation.
1302 ++ */
1303 ++ if (get_futex_value_locked(&uval2, uaddr))
1304 ++ goto out_efault;
1305 ++
1306 ++ if (uval != uval2)
1307 ++ goto out_eagain;
1308 ++
1309 + /*
1310 + * Handle the owner died case:
1311 + */
1312 +@@ -1054,11 +1114,11 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
1313 + * is not 0. Inconsistent state. [5]
1314 + */
1315 + if (pid)
1316 +- return -EINVAL;
1317 ++ goto out_einval;
1318 + /*
1319 + * Take a ref on the state and return success. [4]
1320 + */
1321 +- goto out_state;
1322 ++ goto out_attach;
1323 + }
1324 +
1325 + /*
1326 +@@ -1070,14 +1130,14 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
1327 + * Take a ref on the state and return success. [6]
1328 + */
1329 + if (!pid)
1330 +- goto out_state;
1331 ++ goto out_attach;
1332 + } else {
1333 + /*
1334 + * If the owner died bit is not set, then the pi_state
1335 + * must have an owner. [7]
1336 + */
1337 + if (!pi_state->owner)
1338 +- return -EINVAL;
1339 ++ goto out_einval;
1340 + }
1341 +
1342 + /*
1343 +@@ -1086,11 +1146,29 @@ static int attach_to_pi_state(u32 uval, struct futex_pi_state *pi_state,
1344 + * user space TID. [9/10]
1345 + */
1346 + if (pid != task_pid_vnr(pi_state->owner))
1347 +- return -EINVAL;
1348 +-out_state:
1349 ++ goto out_einval;
1350 ++
1351 ++out_attach:
1352 + atomic_inc(&pi_state->refcount);
1353 ++ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1354 + *ps = pi_state;
1355 + return 0;
1356 ++
1357 ++out_einval:
1358 ++ ret = -EINVAL;
1359 ++ goto out_error;
1360 ++
1361 ++out_eagain:
1362 ++ ret = -EAGAIN;
1363 ++ goto out_error;
1364 ++
1365 ++out_efault:
1366 ++ ret = -EFAULT;
1367 ++ goto out_error;
1368 ++
1369 ++out_error:
1370 ++ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1371 ++ return ret;
1372 + }
1373 +
1374 + /**
1375 +@@ -1123,11 +1201,67 @@ static void wait_for_owner_exiting(int ret, struct task_struct *exiting)
1376 + put_task_struct(exiting);
1377 + }
1378 +
1379 ++static int handle_exit_race(u32 __user *uaddr, u32 uval,
1380 ++ struct task_struct *tsk)
1381 ++{
1382 ++ u32 uval2;
1383 ++
1384 ++ /*
1385 ++ * If the futex exit state is not yet FUTEX_STATE_DEAD, wait
1386 ++ * for it to finish.
1387 ++ */
1388 ++ if (tsk && tsk->futex_state != FUTEX_STATE_DEAD)
1389 ++ return -EAGAIN;
1390 ++
1391 ++ /*
1392 ++ * Reread the user space value to handle the following situation:
1393 ++ *
1394 ++ * CPU0 CPU1
1395 ++ *
1396 ++ * sys_exit() sys_futex()
1397 ++ * do_exit() futex_lock_pi()
1398 ++ * futex_lock_pi_atomic()
1399 ++ * exit_signals(tsk) No waiters:
1400 ++ * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
1401 ++ * mm_release(tsk) Set waiter bit
1402 ++ * exit_robust_list(tsk) { *uaddr = 0x80000PID;
1403 ++ * Set owner died attach_to_pi_owner() {
1404 ++ * *uaddr = 0xC0000000; tsk = get_task(PID);
1405 ++ * } if (!tsk->flags & PF_EXITING) {
1406 ++ * ... attach();
1407 ++ * tsk->futex_state = } else {
1408 ++ * FUTEX_STATE_DEAD; if (tsk->futex_state !=
1409 ++ * FUTEX_STATE_DEAD)
1410 ++ * return -EAGAIN;
1411 ++ * return -ESRCH; <--- FAIL
1412 ++ * }
1413 ++ *
1414 ++ * Returning ESRCH unconditionally is wrong here because the
1415 ++ * user space value has been changed by the exiting task.
1416 ++ *
1417 ++ * The same logic applies to the case where the exiting task is
1418 ++ * already gone.
1419 ++ */
1420 ++ if (get_futex_value_locked(&uval2, uaddr))
1421 ++ return -EFAULT;
1422 ++
1423 ++ /* If the user space value has changed, try again. */
1424 ++ if (uval2 != uval)
1425 ++ return -EAGAIN;
1426 ++
1427 ++ /*
1428 ++ * The exiting task did not have a robust list, the robust list was
1429 ++ * corrupted or the user space value in *uaddr is simply bogus.
1430 ++ * Give up and tell user space.
1431 ++ */
1432 ++ return -ESRCH;
1433 ++}
1434 ++
1435 + /*
1436 + * Lookup the task for the TID provided from user space and attach to
1437 + * it after doing proper sanity checks.
1438 + */
1439 +-static int attach_to_pi_owner(u32 uval, union futex_key *key,
1440 ++static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
1441 + struct futex_pi_state **ps,
1442 + struct task_struct **exiting)
1443 + {
1444 +@@ -1138,12 +1272,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
1445 + /*
1446 + * We are the first waiter - try to look up the real owner and attach
1447 + * the new pi_state to it, but bail out when TID = 0 [1]
1448 ++ *
1449 ++ * The !pid check is paranoid. None of the call sites should end up
1450 ++ * with pid == 0, but better safe than sorry. Let the caller retry
1451 + */
1452 + if (!pid)
1453 +- return -ESRCH;
1454 ++ return -EAGAIN;
1455 + p = futex_find_get_task(pid);
1456 + if (!p)
1457 +- return -ESRCH;
1458 ++ return handle_exit_race(uaddr, uval, NULL);
1459 +
1460 + if (unlikely(p->flags & PF_KTHREAD)) {
1461 + put_task_struct(p);
1462 +@@ -1162,7 +1299,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
1463 + * FUTEX_STATE_DEAD, we know that the task has finished
1464 + * the cleanup:
1465 + */
1466 +- int ret = (p->futex_state = FUTEX_STATE_DEAD) ? -ESRCH : -EAGAIN;
1467 ++ int ret = handle_exit_race(uaddr, uval, p);
1468 +
1469 + raw_spin_unlock_irq(&p->pi_lock);
1470 + /*
1471 +@@ -1183,6 +1320,9 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
1472 +
1473 + /*
1474 + * No existing pi state. First waiter. [2]
1475 ++ *
1476 ++ * This creates pi_state, we have hb->lock held, this means nothing can
1477 ++ * observe this state, wait_lock is irrelevant.
1478 + */
1479 + pi_state = alloc_pi_state();
1480 +
1481 +@@ -1207,7 +1347,8 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
1482 + return 0;
1483 + }
1484 +
1485 +-static int lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
1486 ++static int lookup_pi_state(u32 __user *uaddr, u32 uval,
1487 ++ struct futex_hash_bucket *hb,
1488 + union futex_key *key, struct futex_pi_state **ps,
1489 + struct task_struct **exiting)
1490 + {
1491 +@@ -1218,13 +1359,13 @@ static int lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
1492 + * attach to the pi_state when the validation succeeds.
1493 + */
1494 + if (match)
1495 +- return attach_to_pi_state(uval, match->pi_state, ps);
1496 ++ return attach_to_pi_state(uaddr, uval, match->pi_state, ps);
1497 +
1498 + /*
1499 + * We are the first waiter - try to look up the owner based on
1500 + * @uval and attach to it.
1501 + */
1502 +- return attach_to_pi_owner(uval, key, ps, exiting);
1503 ++ return attach_to_pi_owner(uaddr, uval, key, ps, exiting);
1504 + }
1505 +
1506 + static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
1507 +@@ -1237,7 +1378,7 @@ static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
1508 + if (unlikely(cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)))
1509 + return -EFAULT;
1510 +
1511 +- /*If user space value changed, let the caller retry */
1512 ++ /* If user space value changed, let the caller retry */
1513 + return curval != uval ? -EAGAIN : 0;
1514 + }
1515 +
1516 +@@ -1301,7 +1442,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1517 + */
1518 + match = futex_top_waiter(hb, key);
1519 + if (match)
1520 +- return attach_to_pi_state(uval, match->pi_state, ps);
1521 ++ return attach_to_pi_state(uaddr, uval, match->pi_state, ps);
1522 +
1523 + /*
1524 + * No waiter and user TID is 0. We are here because the
1525 +@@ -1340,7 +1481,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
1526 + * attach to the owner. If that fails, no harm done, we only
1527 + * set the FUTEX_WAITERS bit in the user space variable.
1528 + */
1529 +- return attach_to_pi_owner(uval, key, ps, exiting);
1530 ++ return attach_to_pi_owner(uaddr, newval, key, ps, exiting);
1531 + }
1532 +
1533 + /**
1534 +@@ -1441,6 +1582,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this,
1535 +
1536 + if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) {
1537 + ret = -EFAULT;
1538 ++
1539 + } else if (curval != uval) {
1540 + /*
1541 + * If a unconditional UNLOCK_PI operation (user space did not
1542 +@@ -1977,7 +2119,7 @@ retry_private:
1543 + * If that call succeeds then we have pi_state and an
1544 + * initial refcount on it.
1545 + */
1546 +- ret = lookup_pi_state(ret, hb2, &key2,
1547 ++ ret = lookup_pi_state(uaddr2, ret, hb2, &key2,
1548 + &pi_state, &exiting);
1549 + }
1550 +
1551 +@@ -2282,7 +2424,6 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
1552 + int err = 0;
1553 +
1554 + oldowner = pi_state->owner;
1555 +-
1556 + /* Owner died? */
1557 + if (!pi_state->owner)
1558 + newtid |= FUTEX_OWNER_DIED;
1559 +@@ -2305,11 +2446,10 @@ static int __fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
1560 + * because we can fault here. Imagine swapped out pages or a fork
1561 + * that marked all the anonymous memory readonly for cow.
1562 + *
1563 +- * Modifying pi_state _before_ the user space value would
1564 +- * leave the pi_state in an inconsistent state when we fault
1565 +- * here, because we need to drop the hash bucket lock to
1566 +- * handle the fault. This might be observed in the PID check
1567 +- * in lookup_pi_state.
1568 ++ * Modifying pi_state _before_ the user space value would leave the
1569 ++ * pi_state in an inconsistent state when we fault here, because we
1570 ++ * need to drop the locks to handle the fault. This might be observed
1571 ++ * in the PID check in lookup_pi_state.
1572 + */
1573 + retry:
1574 + if (!argowner) {
1575 +@@ -2322,7 +2462,7 @@ retry:
1576 + }
1577 +
1578 + if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
1579 +- /* We got the lock after all, nothing to fix. */
1580 ++ /* We got the lock. pi_state is correct. Tell caller. */
1581 + return 1;
1582 + }
1583 +
1584 +@@ -2364,24 +2504,29 @@ retry:
1585 + */
1586 + pi_state_update_owner(pi_state, newowner);
1587 +
1588 +- return 0;
1589 ++ return argowner == current;
1590 +
1591 + /*
1592 +- * To handle the page fault we need to drop the hash bucket
1593 +- * lock here. That gives the other task (either the highest priority
1594 +- * waiter itself or the task which stole the rtmutex) the
1595 +- * chance to try the fixup of the pi_state. So once we are
1596 +- * back from handling the fault we need to check the pi_state
1597 +- * after reacquiring the hash bucket lock and before trying to
1598 +- * do another fixup. When the fixup has been done already we
1599 +- * simply return.
1600 ++ * To handle the page fault we need to drop the locks here. That gives
1601 ++ * the other task (either the highest priority waiter itself or the
1602 ++ * task which stole the rtmutex) the chance to try the fixup of the
1603 ++ * pi_state. So once we are back from handling the fault we need to
1604 ++ * check the pi_state after reacquiring the locks and before trying to
1605 ++ * do another fixup. When the fixup has been done already we simply
1606 ++ * return.
1607 ++ *
1608 ++ * Note: we hold both hb->lock and pi_mutex->wait_lock. We can safely
1609 ++ * drop hb->lock since the caller owns the hb -> futex_q relation.
1610 ++ * Dropping the pi_mutex->wait_lock requires the state revalidate.
1611 + */
1612 + handle_fault:
1613 ++ raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);
1614 + spin_unlock(q->lock_ptr);
1615 +
1616 + err = fault_in_user_writeable(uaddr);
1617 +
1618 + spin_lock(q->lock_ptr);
1619 ++ raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
1620 +
1621 + /*
1622 + * Check if someone else fixed it for us:
1623 +@@ -2447,8 +2592,6 @@ static long futex_wait_restart(struct restart_block *restart);
1624 + */
1625 + static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
1626 + {
1627 +- int ret = 0;
1628 +-
1629 + if (locked) {
1630 + /*
1631 + * Got the lock. We might not be the anticipated owner if we
1632 +@@ -2459,8 +2602,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
1633 + * stable state, anything else needs more attention.
1634 + */
1635 + if (q->pi_state->owner != current)
1636 +- ret = fixup_pi_state_owner(uaddr, q, current);
1637 +- goto out;
1638 ++ return fixup_pi_state_owner(uaddr, q, current);
1639 ++ return 1;
1640 + }
1641 +
1642 + /*
1643 +@@ -2471,10 +2614,8 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
1644 + * Another speculative read; pi_state->owner == current is unstable
1645 + * but needs our attention.
1646 + */
1647 +- if (q->pi_state->owner == current) {
1648 +- ret = fixup_pi_state_owner(uaddr, q, NULL);
1649 +- goto out;
1650 +- }
1651 ++ if (q->pi_state->owner == current)
1652 ++ return fixup_pi_state_owner(uaddr, q, NULL);
1653 +
1654 + /*
1655 + * Paranoia check. If we did not take the lock, then we should not be
1656 +@@ -2483,8 +2624,7 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
1657 + if (WARN_ON_ONCE(rt_mutex_owner(&q->pi_state->pi_mutex) == current))
1658 + return fixup_pi_state_owner(uaddr, q, current);
1659 +
1660 +-out:
1661 +- return ret ? ret : locked;
1662 ++ return 0;
1663 + }
1664 +
1665 + /**
1666 +@@ -3106,6 +3246,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
1667 + */
1668 + put_pi_state(q.pi_state);
1669 + spin_unlock(q.lock_ptr);
1670 ++ /*
1671 ++ * Adjust the return value. It's either -EFAULT or
1672 ++ * success (1) but the caller expects 0 for success.
1673 ++ */
1674 ++ ret = ret < 0 ? ret : 0;
1675 + }
1676 + } else {
1677 + struct rt_mutex *pi_mutex;
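
The futex changes above replace two hard -ESRCH returns with a retry decision: if the former lock owner is still in the middle of exiting, or the futex word has changed since it was read, the waiter gets -EAGAIN and tries again later. A minimal user-space sketch of that decision follows; reread_futex_word() and the owner_live flag are hypothetical stand-ins for get_futex_value_locked() and the owner task's futex exit state, not kernel APIs.

#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for get_futex_value_locked(): re-read the
 * 32-bit futex word from user space. */
static int reread_futex_word(const uint32_t *uaddr, uint32_t *out)
{
	*out = *uaddr;
	return 0;
}

/*
 * Sketch of the handle_exit_race() idea: decide between "retry later"
 * (-EAGAIN) and "owner died holding the lock" (-ESRCH).  owner_live
 * says whether the owner task was found and has not yet finished its
 * futex exit cleanup.
 */
static int exit_race_sketch(const uint32_t *uaddr, uint32_t uval, bool owner_live)
{
	uint32_t cur;

	if (owner_live)
		return -EAGAIN;		/* exit cleanup still pending: retry */
	if (reread_futex_word(uaddr, &cur))
		return -EFAULT;
	if (cur != uval)
		return -EAGAIN;		/* futex word changed under us: retry */
	return -ESRCH;			/* stable and stale: owner is gone */
}
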
1678 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
1679 +index 16ca877745f62..ce49b62b08346 100644
1680 +--- a/kernel/trace/ftrace.c
1681 ++++ b/kernel/trace/ftrace.c
1682 +@@ -5803,7 +5803,6 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
1683 + }
1684 +
1685 + if (t->ret_stack == NULL) {
1686 +- atomic_set(&t->tracing_graph_pause, 0);
1687 + atomic_set(&t->trace_overrun, 0);
1688 + t->curr_ret_stack = -1;
1689 + /* Make sure the tasks see the -1 first: */
1690 +@@ -6015,7 +6014,6 @@ static DEFINE_PER_CPU(struct ftrace_ret_stack *, idle_ret_stack);
1691 + static void
1692 + graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
1693 + {
1694 +- atomic_set(&t->tracing_graph_pause, 0);
1695 + atomic_set(&t->trace_overrun, 0);
1696 + t->ftrace_timestamp = 0;
1697 + /* make curr_ret_stack visible before we add the ret_stack */
1698 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
1699 +index 005929d13c7db..b87ab105fa22b 100644
1700 +--- a/kernel/trace/trace.c
1701 ++++ b/kernel/trace/trace.c
1702 +@@ -2090,7 +2090,7 @@ trace_event_buffer_lock_reserve(struct ring_buffer **current_rb,
1703 + (entry = this_cpu_read(trace_buffered_event))) {
1704 + /* Try to use the per cpu buffer first */
1705 + val = this_cpu_inc_return(trace_buffered_event_cnt);
1706 +- if (val == 1) {
1707 ++ if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) {
1708 + trace_event_setup(entry, type, flags, pc);
1709 + entry->array[0] = len;
1710 + return entry;
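
The trace.c hunk only uses the preallocated per-CPU event buffer when the record actually fits into it, and falls back to the regular ring-buffer reservation otherwise. A hedged user-space analog of that size guard is sketched below; FAKE_PAGE_SIZE and fake_entry are illustrative, not kernel types.

#include <stddef.h>
#include <stdint.h>

#define FAKE_PAGE_SIZE 4096		/* stand-in for PAGE_SIZE */

struct fake_entry {
	uint32_t type;
	uint32_t len;
	char payload[];
};

/*
 * Use the preallocated per-CPU page only when the payload plus header
 * fits; otherwise fall back to the slower reservation path.
 */
static void *reserve_event(void *percpu_page, size_t len,
			   void *(*slow_reserve)(size_t))
{
	if (percpu_page && len < FAKE_PAGE_SIZE - sizeof(struct fake_entry)) {
		struct fake_entry *e = percpu_page;

		e->len = (uint32_t)len;
		return e;		/* fast path, like trace_buffered_event */
	}
	return slow_reserve(len);	/* fall back to the ring buffer */
}
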
1711 +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
1712 +index 5bf072e437c41..1499b2c2799c7 100644
1713 +--- a/kernel/trace/trace_events.c
1714 ++++ b/kernel/trace/trace_events.c
1715 +@@ -1105,7 +1105,8 @@ system_enable_read(struct file *filp, char __user *ubuf, size_t cnt,
1716 + mutex_lock(&event_mutex);
1717 + list_for_each_entry(file, &tr->events, list) {
1718 + call = file->event_call;
1719 +- if (!trace_event_name(call) || !call->class || !call->class->reg)
1720 ++ if ((call->flags & TRACE_EVENT_FL_IGNORE_ENABLE) ||
1721 ++ !trace_event_name(call) || !call->class || !call->class->reg)
1722 + continue;
1723 +
1724 + if (system && strcmp(call->class->system, system->name) != 0)
1725 +diff --git a/lib/string.c b/lib/string.c
1726 +index d099762a9bd60..8fe13371aed7a 100644
1727 +--- a/lib/string.c
1728 ++++ b/lib/string.c
1729 +@@ -157,11 +157,9 @@ EXPORT_SYMBOL(strlcpy);
1730 + * @src: Where to copy the string from
1731 + * @count: Size of destination buffer
1732 + *
1733 +- * Copy the string, or as much of it as fits, into the dest buffer.
1734 +- * The routine returns the number of characters copied (not including
1735 +- * the trailing NUL) or -E2BIG if the destination buffer wasn't big enough.
1736 +- * The behavior is undefined if the string buffers overlap.
1737 +- * The destination buffer is always NUL terminated, unless it's zero-sized.
1738 ++ * Copy the string, or as much of it as fits, into the dest buffer. The
1739 ++ * behavior is undefined if the string buffers overlap. The destination
1740 ++ * buffer is always NUL terminated, unless it's zero-sized.
1741 + *
1742 + * Preferred to strlcpy() since the API doesn't require reading memory
1743 + * from the src string beyond the specified "count" bytes, and since
1744 +@@ -171,8 +169,10 @@ EXPORT_SYMBOL(strlcpy);
1745 + *
1746 + * Preferred to strncpy() since it always returns a valid string, and
1747 + * doesn't unnecessarily force the tail of the destination buffer to be
1748 +- * zeroed. If the zeroing is desired, it's likely cleaner to use strscpy()
1749 +- * with an overflow test, then just memset() the tail of the dest buffer.
1750 ++ * zeroed. If zeroing is desired please use strscpy_pad().
1751 ++ *
1752 ++ * Return: The number of characters copied (not including the trailing
1753 ++ * %NUL) or -E2BIG if the destination buffer wasn't big enough.
1754 + */
1755 + ssize_t strscpy(char *dest, const char *src, size_t count)
1756 + {
1757 +@@ -259,6 +259,39 @@ char *stpcpy(char *__restrict__ dest, const char *__restrict__ src)
1758 + }
1759 + EXPORT_SYMBOL(stpcpy);
1760 +
1761 ++/**
1762 ++ * strscpy_pad() - Copy a C-string into a sized buffer
1763 ++ * @dest: Where to copy the string to
1764 ++ * @src: Where to copy the string from
1765 ++ * @count: Size of destination buffer
1766 ++ *
1767 ++ * Copy the string, or as much of it as fits, into the dest buffer. The
1768 ++ * behavior is undefined if the string buffers overlap. The destination
1769 ++ * buffer is always %NUL terminated, unless it's zero-sized.
1770 ++ *
1771 ++ * If the source string is shorter than the destination buffer, zeros
1772 ++ * the tail of the destination buffer.
1773 ++ *
1774 ++ * For full explanation of why you may want to consider using the
1775 ++ * 'strscpy' functions please see the function docstring for strscpy().
1776 ++ *
1777 ++ * Return: The number of characters copied (not including the trailing
1778 ++ * %NUL) or -E2BIG if the destination buffer wasn't big enough.
1779 ++ */
1780 ++ssize_t strscpy_pad(char *dest, const char *src, size_t count)
1781 ++{
1782 ++ ssize_t written;
1783 ++
1784 ++ written = strscpy(dest, src, count);
1785 ++ if (written < 0 || written == count - 1)
1786 ++ return written;
1787 ++
1788 ++ memset(dest + written + 1, 0, count - written - 1);
1789 ++
1790 ++ return written;
1791 ++}
1792 ++EXPORT_SYMBOL(strscpy_pad);
1793 ++
1794 + #ifndef __HAVE_ARCH_STRCAT
1795 + /**
1796 + * strcat - Append one %NUL-terminated string to another
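
For reference, the new strscpy_pad() helper is just strscpy() plus zeroing of the unused tail of the destination. The following user-space approximation demonstrates the behavior; my_strscpy only mimics the kernel semantics and E2BIG_ERR stands in for -E2BIG.

#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define E2BIG_ERR (-7)	/* stand-in for -E2BIG */

/* User-space approximation of strscpy(): always NUL-terminates,
 * returns characters copied or a negative value on truncation. */
static ssize_t my_strscpy(char *dest, const char *src, size_t count)
{
	size_t len;

	if (count == 0)
		return E2BIG_ERR;
	len = strlen(src);
	if (len >= count) {
		memcpy(dest, src, count - 1);
		dest[count - 1] = '\0';
		return E2BIG_ERR;
	}
	memcpy(dest, src, len + 1);
	return (ssize_t)len;
}

/* Same as above, but zero the rest of the buffer, mirroring the
 * strscpy_pad() helper added by this patch. */
static ssize_t my_strscpy_pad(char *dest, const char *src, size_t count)
{
	ssize_t written = my_strscpy(dest, src, count);

	if (written < 0 || (size_t)written == count - 1)
		return written;
	memset(dest + written + 1, 0, count - written - 1);
	return written;
}

int main(void)
{
	char buf[8];

	printf("%zd\n", my_strscpy_pad(buf, "abc", sizeof(buf)));		/* 3, tail zeroed */
	printf("%zd\n", my_strscpy_pad(buf, "longer than eight", sizeof(buf)));	/* -7 */
	return 0;
}
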
1797 +diff --git a/mm/backing-dev.c b/mm/backing-dev.c
1798 +index 113b7d3170799..aad61d0175a1c 100644
1799 +--- a/mm/backing-dev.c
1800 ++++ b/mm/backing-dev.c
1801 +@@ -21,6 +21,7 @@ struct backing_dev_info noop_backing_dev_info = {
1802 + EXPORT_SYMBOL_GPL(noop_backing_dev_info);
1803 +
1804 + static struct class *bdi_class;
1805 ++const char *bdi_unknown_name = "(unknown)";
1806 +
1807 + /*
1808 + * bdi_lock protects updates to bdi_list. bdi_list has RCU reader side
1809 +diff --git a/mm/memblock.c b/mm/memblock.c
1810 +index 42b98af6a4158..e43065b13c08c 100644
1811 +--- a/mm/memblock.c
1812 ++++ b/mm/memblock.c
1813 +@@ -186,14 +186,6 @@ __memblock_find_range_top_down(phys_addr_t start, phys_addr_t end,
1814 + *
1815 + * Find @size free area aligned to @align in the specified range and node.
1816 + *
1817 +- * When allocation direction is bottom-up, the @start should be greater
1818 +- * than the end of the kernel image. Otherwise, it will be trimmed. The
1819 +- * reason is that we want the bottom-up allocation just near the kernel
1820 +- * image so it is highly likely that the allocated memory and the kernel
1821 +- * will reside in the same node.
1822 +- *
1823 +- * If bottom-up allocation failed, will try to allocate memory top-down.
1824 +- *
1825 + * RETURNS:
1826 + * Found address on success, 0 on failure.
1827 + */
1828 +@@ -201,8 +193,6 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size,
1829 + phys_addr_t align, phys_addr_t start,
1830 + phys_addr_t end, int nid, ulong flags)
1831 + {
1832 +- phys_addr_t kernel_end, ret;
1833 +-
1834 + /* pump up @end */
1835 + if (end == MEMBLOCK_ALLOC_ACCESSIBLE)
1836 + end = memblock.current_limit;
1837 +@@ -210,39 +200,13 @@ phys_addr_t __init_memblock memblock_find_in_range_node(phys_addr_t size,
1838 + /* avoid allocating the first page */
1839 + start = max_t(phys_addr_t, start, PAGE_SIZE);
1840 + end = max(start, end);
1841 +- kernel_end = __pa_symbol(_end);
1842 +-
1843 +- /*
1844 +- * try bottom-up allocation only when bottom-up mode
1845 +- * is set and @end is above the kernel image.
1846 +- */
1847 +- if (memblock_bottom_up() && end > kernel_end) {
1848 +- phys_addr_t bottom_up_start;
1849 +-
1850 +- /* make sure we will allocate above the kernel */
1851 +- bottom_up_start = max(start, kernel_end);
1852 +
1853 +- /* ok, try bottom-up allocation first */
1854 +- ret = __memblock_find_range_bottom_up(bottom_up_start, end,
1855 +- size, align, nid, flags);
1856 +- if (ret)
1857 +- return ret;
1858 +-
1859 +- /*
1860 +- * we always limit bottom-up allocation above the kernel,
1861 +- * but top-down allocation doesn't have the limit, so
1862 +- * retrying top-down allocation may succeed when bottom-up
1863 +- * allocation failed.
1864 +- *
1865 +- * bottom-up allocation is expected to be fail very rarely,
1866 +- * so we use WARN_ONCE() here to see the stack trace if
1867 +- * fail happens.
1868 +- */
1869 +- WARN_ONCE(1, "memblock: bottom-up allocation failed, memory hotunplug may be affected\n");
1870 +- }
1871 +-
1872 +- return __memblock_find_range_top_down(start, end, size, align, nid,
1873 +- flags);
1874 ++ if (memblock_bottom_up())
1875 ++ return __memblock_find_range_bottom_up(start, end, size, align,
1876 ++ nid, flags);
1877 ++ else
1878 ++ return __memblock_find_range_top_down(start, end, size, align,
1879 ++ nid, flags);
1880 + }
1881 +
1882 + /**
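
After this memblock.c hunk, memblock_find_in_range_node() simply dispatches on the configured allocation direction; the old "allocate above the kernel image, then retry top-down" fallback is gone. A sketch of the resulting control flow follows, with the two search helpers reduced to trivial stand-ins (no alignment, flags or node handling).

#include <stdbool.h>
#include <stdint.h>

typedef uint64_t phys_addr_t;

/* Hypothetical stand-ins for the two memblock search directions. */
static phys_addr_t find_bottom_up(phys_addr_t start, phys_addr_t end, phys_addr_t size)
{
	return (start + size <= end) ? start : 0;
}

static phys_addr_t find_top_down(phys_addr_t start, phys_addr_t end, phys_addr_t size)
{
	return (start + size <= end) ? end - size : 0;
}

/* The simplified dispatch: one direction or the other, no fallback. */
static phys_addr_t find_in_range(phys_addr_t start, phys_addr_t end,
				 phys_addr_t size, bool bottom_up)
{
	if (bottom_up)
		return find_bottom_up(start, end, size);
	return find_top_down(start, end, size);
}
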
1883 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
1884 +index d4232744c59f1..27b0b4f03fcdc 100644
1885 +--- a/mm/memcontrol.c
1886 ++++ b/mm/memcontrol.c
1887 +@@ -1638,9 +1638,13 @@ cleanup:
1888 + * @page: the page
1889 + *
1890 + * This function protects unlocked LRU pages from being moved to
1891 +- * another cgroup and stabilizes their page->mem_cgroup binding.
1892 ++ * another cgroup.
1893 ++ *
1894 ++ * It ensures lifetime of the returned memcg. Caller is responsible
1895 ++ * for the lifetime of the page; __unlock_page_memcg() is available
1896 ++ * when @page might get freed inside the locked section.
1897 + */
1898 +-void lock_page_memcg(struct page *page)
1899 ++struct mem_cgroup *lock_page_memcg(struct page *page)
1900 + {
1901 + struct mem_cgroup *memcg;
1902 + unsigned long flags;
1903 +@@ -1649,18 +1653,24 @@ void lock_page_memcg(struct page *page)
1904 + * The RCU lock is held throughout the transaction. The fast
1905 + * path can get away without acquiring the memcg->move_lock
1906 + * because page moving starts with an RCU grace period.
1907 +- */
1908 ++ *
1909 ++ * The RCU lock also protects the memcg from being freed when
1910 ++ * the page state that is going to change is the only thing
1911 ++ * preventing the page itself from being freed. E.g. writeback
1912 ++ * doesn't hold a page reference and relies on PG_writeback to
1913 ++ * keep off truncation, migration and so forth.
1914 ++ */
1915 + rcu_read_lock();
1916 +
1917 + if (mem_cgroup_disabled())
1918 +- return;
1919 ++ return NULL;
1920 + again:
1921 + memcg = page->mem_cgroup;
1922 + if (unlikely(!memcg))
1923 +- return;
1924 ++ return NULL;
1925 +
1926 + if (atomic_read(&memcg->moving_account) <= 0)
1927 +- return;
1928 ++ return memcg;
1929 +
1930 + spin_lock_irqsave(&memcg->move_lock, flags);
1931 + if (memcg != page->mem_cgroup) {
1932 +@@ -1676,18 +1686,18 @@ again:
1933 + memcg->move_lock_task = current;
1934 + memcg->move_lock_flags = flags;
1935 +
1936 +- return;
1937 ++ return memcg;
1938 + }
1939 + EXPORT_SYMBOL(lock_page_memcg);
1940 +
1941 + /**
1942 +- * unlock_page_memcg - unlock a page->mem_cgroup binding
1943 +- * @page: the page
1944 ++ * __unlock_page_memcg - unlock and unpin a memcg
1945 ++ * @memcg: the memcg
1946 ++ *
1947 ++ * Unlock and unpin a memcg returned by lock_page_memcg().
1948 + */
1949 +-void unlock_page_memcg(struct page *page)
1950 ++void __unlock_page_memcg(struct mem_cgroup *memcg)
1951 + {
1952 +- struct mem_cgroup *memcg = page->mem_cgroup;
1953 +-
1954 + if (memcg && memcg->move_lock_task == current) {
1955 + unsigned long flags = memcg->move_lock_flags;
1956 +
1957 +@@ -1699,6 +1709,15 @@ void unlock_page_memcg(struct page *page)
1958 +
1959 + rcu_read_unlock();
1960 + }
1961 ++
1962 ++/**
1963 ++ * unlock_page_memcg - unlock a page->mem_cgroup binding
1964 ++ * @page: the page
1965 ++ */
1966 ++void unlock_page_memcg(struct page *page)
1967 ++{
1968 ++ __unlock_page_memcg(page->mem_cgroup);
1969 ++}
1970 + EXPORT_SYMBOL(unlock_page_memcg);
1971 +
1972 + /*
1973 +diff --git a/mm/page-writeback.c b/mm/page-writeback.c
1974 +index 462c778b9fb55..498c924f2fcd6 100644
1975 +--- a/mm/page-writeback.c
1976 ++++ b/mm/page-writeback.c
1977 +@@ -2717,9 +2717,10 @@ EXPORT_SYMBOL(clear_page_dirty_for_io);
1978 + int test_clear_page_writeback(struct page *page)
1979 + {
1980 + struct address_space *mapping = page_mapping(page);
1981 ++ struct mem_cgroup *memcg;
1982 + int ret;
1983 +
1984 +- lock_page_memcg(page);
1985 ++ memcg = lock_page_memcg(page);
1986 + if (mapping && mapping_use_writeback_tags(mapping)) {
1987 + struct inode *inode = mapping->host;
1988 + struct backing_dev_info *bdi = inode_to_bdi(inode);
1989 +@@ -2747,13 +2748,20 @@ int test_clear_page_writeback(struct page *page)
1990 + } else {
1991 + ret = TestClearPageWriteback(page);
1992 + }
1993 ++ /*
1994 ++ * NOTE: Page might be free now! Writeback doesn't hold a page
1995 ++ * reference on its own, it relies on truncation to wait for
1996 ++ * the clearing of PG_writeback. The below can only access
1997 ++ * page state that is static across allocation cycles.
1998 ++ */
1999 + if (ret) {
2000 +- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_WRITEBACK);
2001 ++ __mem_cgroup_update_page_stat(page, memcg,
2002 ++ MEM_CGROUP_STAT_WRITEBACK, -1);
2003 + dec_node_page_state(page, NR_WRITEBACK);
2004 + dec_zone_page_state(page, NR_ZONE_WRITE_PENDING);
2005 + inc_node_page_state(page, NR_WRITTEN);
2006 + }
2007 +- unlock_page_memcg(page);
2008 ++ __unlock_page_memcg(memcg);
2009 + return ret;
2010 + }
2011 +
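
The memcontrol and page-writeback hunks change lock_page_memcg() to return the memcg, so the caller can later unlock through __unlock_page_memcg() even if the page itself has been freed in between (writeback holds no page reference of its own). The general shape of that API is sketched below in user space with pthreads and a hypothetical object/owner pair; the kernel relies on RCU rather than this simple ownership to keep the memcg alive.

#include <pthread.h>
#include <stdlib.h>

struct owner {
	pthread_mutex_t lock;
};

struct object {
	struct owner *owner;
	int state;
};

/* Lock via the object, but return the owner so the caller no longer
 * needs the object to unlock, mirroring lock_page_memcg() returning
 * the memcg instead of re-reading page->mem_cgroup at unlock time. */
static struct owner *lock_object_owner(struct object *obj)
{
	struct owner *o = obj->owner;

	pthread_mutex_lock(&o->lock);
	return o;
}

static void unlock_owner(struct owner *o)
{
	pthread_mutex_unlock(&o->lock);
}

static void clear_state_and_maybe_free(struct object *obj)
{
	struct owner *o = lock_object_owner(obj);

	obj->state = 0;
	free(obj);		/* the object may now be gone... */
	unlock_owner(o);	/* ...but the caller can still unlock safely */
}
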
2012 +diff --git a/net/key/af_key.c b/net/key/af_key.c
2013 +index 76a008b1cbe5f..adc93329e6aac 100644
2014 +--- a/net/key/af_key.c
2015 ++++ b/net/key/af_key.c
2016 +@@ -2933,7 +2933,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t)
2017 + break;
2018 + if (!aalg->pfkey_supported)
2019 + continue;
2020 +- if (aalg_tmpl_set(t, aalg) && aalg->available)
2021 ++ if (aalg_tmpl_set(t, aalg))
2022 + sz += sizeof(struct sadb_comb);
2023 + }
2024 + return sz + sizeof(struct sadb_prop);
2025 +@@ -2951,7 +2951,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
2026 + if (!ealg->pfkey_supported)
2027 + continue;
2028 +
2029 +- if (!(ealg_tmpl_set(t, ealg) && ealg->available))
2030 ++ if (!(ealg_tmpl_set(t, ealg)))
2031 + continue;
2032 +
2033 + for (k = 1; ; k++) {
2034 +@@ -2962,7 +2962,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
2035 + if (!aalg->pfkey_supported)
2036 + continue;
2037 +
2038 +- if (aalg_tmpl_set(t, aalg) && aalg->available)
2039 ++ if (aalg_tmpl_set(t, aalg))
2040 + sz += sizeof(struct sadb_comb);
2041 + }
2042 + }
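
The af_key change drops the ->available checks from the counting pass so it matches the later dump pass, which never checked availability; otherwise the buffer sized from the count could be smaller than what the dump writes. A generic sketch of keeping the two passes in lockstep by sharing one predicate (names are illustrative, not the pfkey code):

#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct alg {
	bool supported;
};

/* One predicate shared by both passes: if counting and filling ever
 * disagree, the buffer sized from the count pass can be overrun. */
static bool counted(const struct alg *a)
{
	return a->supported;
}

static size_t count_pass(const struct alg *algs, size_t n, size_t item_sz)
{
	size_t sz = 0;

	for (size_t i = 0; i < n; i++)
		if (counted(&algs[i]))
			sz += item_sz;
	return sz;
}

static size_t fill_pass(const struct alg *algs, size_t n, char *buf, size_t item_sz)
{
	size_t off = 0;

	for (size_t i = 0; i < n; i++) {
		if (!counted(&algs[i]))
			continue;
		memset(buf + off, 0, item_sz);	/* placeholder for real serialization */
		off += item_sz;
	}
	return off;
}
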
2043 +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
2044 +index d507d0fc7858a..ddd90a3820d39 100644
2045 +--- a/net/netfilter/nf_conntrack_core.c
2046 ++++ b/net/netfilter/nf_conntrack_core.c
2047 +@@ -903,7 +903,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
2048 + * Let nf_ct_resolve_clash() deal with this later.
2049 + */
2050 + if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2051 +- &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple))
2052 ++ &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) &&
2053 ++ nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL))
2054 + continue;
2055 +
2056 + NF_CT_STAT_INC_ATOMIC(net, found);
2057 +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
2058 +index 79d7ad621a80f..03c8bd854e56a 100644
2059 +--- a/net/netfilter/xt_recent.c
2060 ++++ b/net/netfilter/xt_recent.c
2061 +@@ -155,7 +155,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
2062 + /*
2063 + * Drop entries with timestamps older then 'time'.
2064 + */
2065 +-static void recent_entry_reap(struct recent_table *t, unsigned long time)
2066 ++static void recent_entry_reap(struct recent_table *t, unsigned long time,
2067 ++ struct recent_entry *working, bool update)
2068 + {
2069 + struct recent_entry *e;
2070 +
2071 +@@ -164,6 +165,12 @@ static void recent_entry_reap(struct recent_table *t, unsigned long time)
2072 + */
2073 + e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
2074 +
2075 ++ /*
2076 ++ * Do not reap the entry which are going to be updated.
2077 ++ */
2078 ++ if (e == working && update)
2079 ++ return;
2080 ++
2081 + /*
2082 + * The last time stamp is the most recent.
2083 + */
2084 +@@ -306,7 +313,8 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
2085 +
2086 + /* info->seconds must be non-zero */
2087 + if (info->check_set & XT_RECENT_REAP)
2088 +- recent_entry_reap(t, time);
2089 ++ recent_entry_reap(t, time, e,
2090 ++ info->check_set & XT_RECENT_UPDATE && ret);
2091 + }
2092 +
2093 + if (info->check_set & XT_RECENT_SET ||
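
The xt_recent change passes the entry being refreshed into the reaper, so an XT_RECENT_UPDATE hit cannot reap its own entry. A tiny sketch of that guard on an imaginary LRU entry:

#include <stdbool.h>

struct entry {
	unsigned long last_seen;
	bool in_use;
};

/* Reap the oldest entry unless it is the one about to be updated. */
static void reap_oldest(struct entry *oldest, unsigned long cutoff,
			const struct entry *working, bool update)
{
	if (!oldest || !oldest->in_use)
		return;
	if (oldest == working && update)
		return;			/* the guard added by this patch */
	if (oldest->last_seen < cutoff)
		oldest->in_use = false;
}
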
2094 +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
2095 +index 591d378d1a188..1d00f49dfe48d 100644
2096 +--- a/net/sunrpc/auth_gss/auth_gss.c
2097 ++++ b/net/sunrpc/auth_gss/auth_gss.c
2098 +@@ -53,6 +53,7 @@
2099 + #include <asm/uaccess.h>
2100 + #include <linux/hashtable.h>
2101 +
2102 ++#include "auth_gss_internal.h"
2103 + #include "../netns.h"
2104 +
2105 + static const struct rpc_authops authgss_ops;
2106 +@@ -147,35 +148,6 @@ gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx)
2107 + clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags);
2108 + }
2109 +
2110 +-static const void *
2111 +-simple_get_bytes(const void *p, const void *end, void *res, size_t len)
2112 +-{
2113 +- const void *q = (const void *)((const char *)p + len);
2114 +- if (unlikely(q > end || q < p))
2115 +- return ERR_PTR(-EFAULT);
2116 +- memcpy(res, p, len);
2117 +- return q;
2118 +-}
2119 +-
2120 +-static inline const void *
2121 +-simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest)
2122 +-{
2123 +- const void *q;
2124 +- unsigned int len;
2125 +-
2126 +- p = simple_get_bytes(p, end, &len, sizeof(len));
2127 +- if (IS_ERR(p))
2128 +- return p;
2129 +- q = (const void *)((const char *)p + len);
2130 +- if (unlikely(q > end || q < p))
2131 +- return ERR_PTR(-EFAULT);
2132 +- dest->data = kmemdup(p, len, GFP_NOFS);
2133 +- if (unlikely(dest->data == NULL))
2134 +- return ERR_PTR(-ENOMEM);
2135 +- dest->len = len;
2136 +- return q;
2137 +-}
2138 +-
2139 + static struct gss_cl_ctx *
2140 + gss_cred_get_ctx(struct rpc_cred *cred)
2141 + {
2142 +diff --git a/net/sunrpc/auth_gss/auth_gss_internal.h b/net/sunrpc/auth_gss/auth_gss_internal.h
2143 +new file mode 100644
2144 +index 0000000000000..f6d9631bd9d00
2145 +--- /dev/null
2146 ++++ b/net/sunrpc/auth_gss/auth_gss_internal.h
2147 +@@ -0,0 +1,45 @@
2148 ++// SPDX-License-Identifier: BSD-3-Clause
2149 ++/*
2150 ++ * linux/net/sunrpc/auth_gss/auth_gss_internal.h
2151 ++ *
2152 ++ * Internal definitions for RPCSEC_GSS client authentication
2153 ++ *
2154 ++ * Copyright (c) 2000 The Regents of the University of Michigan.
2155 ++ * All rights reserved.
2156 ++ *
2157 ++ */
2158 ++#include <linux/err.h>
2159 ++#include <linux/string.h>
2160 ++#include <linux/sunrpc/xdr.h>
2161 ++
2162 ++static inline const void *
2163 ++simple_get_bytes(const void *p, const void *end, void *res, size_t len)
2164 ++{
2165 ++ const void *q = (const void *)((const char *)p + len);
2166 ++ if (unlikely(q > end || q < p))
2167 ++ return ERR_PTR(-EFAULT);
2168 ++ memcpy(res, p, len);
2169 ++ return q;
2170 ++}
2171 ++
2172 ++static inline const void *
2173 ++simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest)
2174 ++{
2175 ++ const void *q;
2176 ++ unsigned int len;
2177 ++
2178 ++ p = simple_get_bytes(p, end, &len, sizeof(len));
2179 ++ if (IS_ERR(p))
2180 ++ return p;
2181 ++ q = (const void *)((const char *)p + len);
2182 ++ if (unlikely(q > end || q < p))
2183 ++ return ERR_PTR(-EFAULT);
2184 ++ if (len) {
2185 ++ dest->data = kmemdup(p, len, GFP_NOFS);
2186 ++ if (unlikely(dest->data == NULL))
2187 ++ return ERR_PTR(-ENOMEM);
2188 ++ } else
2189 ++ dest->data = NULL;
2190 ++ dest->len = len;
2191 ++ return q;
2192 ++}
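
The shared auth_gss_internal.h also fixes simple_get_netobj() to accept a zero-length object instead of unconditionally duplicating len bytes. A user-space approximation of the parser is sketched below, with malloc/memcpy standing in for kmemdup and NULL returns standing in for ERR_PTR().

#include <stdlib.h>
#include <string.h>

struct netobj {
	unsigned int len;
	void *data;
};

/* Bounds-checked copy of len raw bytes out of [p, end). */
static const void *get_bytes(const void *p, const void *end, void *res, size_t len)
{
	const char *q = (const char *)p + len;

	if (q > (const char *)end || q < (const char *)p)
		return NULL;		/* the kernel returns ERR_PTR(-EFAULT) */
	memcpy(res, p, len);
	return q;
}

/* Length-prefixed object: note the explicit zero-length case, which is
 * what the backported fix adds. */
static const void *get_netobj(const void *p, const void *end, struct netobj *dest)
{
	unsigned int len;

	p = get_bytes(p, end, &len, sizeof(len));
	if (!p)
		return NULL;
	if ((const char *)p + len > (const char *)end)
		return NULL;
	if (len) {
		dest->data = malloc(len);
		if (!dest->data)
			return NULL;
		memcpy(dest->data, p, len);
	} else {
		dest->data = NULL;
	}
	dest->len = len;
	return (const char *)p + len;
}
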
2193 +diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
2194 +index 60595835317af..ea2f6022b3d5d 100644
2195 +--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
2196 ++++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
2197 +@@ -46,6 +46,8 @@
2198 + #include <linux/sunrpc/xdr.h>
2199 + #include <linux/sunrpc/gss_krb5_enctypes.h>
2200 +
2201 ++#include "auth_gss_internal.h"
2202 ++
2203 + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
2204 + # define RPCDBG_FACILITY RPCDBG_AUTH
2205 + #endif
2206 +@@ -187,35 +189,6 @@ get_gss_krb5_enctype(int etype)
2207 + return NULL;
2208 + }
2209 +
2210 +-static const void *
2211 +-simple_get_bytes(const void *p, const void *end, void *res, int len)
2212 +-{
2213 +- const void *q = (const void *)((const char *)p + len);
2214 +- if (unlikely(q > end || q < p))
2215 +- return ERR_PTR(-EFAULT);
2216 +- memcpy(res, p, len);
2217 +- return q;
2218 +-}
2219 +-
2220 +-static const void *
2221 +-simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res)
2222 +-{
2223 +- const void *q;
2224 +- unsigned int len;
2225 +-
2226 +- p = simple_get_bytes(p, end, &len, sizeof(len));
2227 +- if (IS_ERR(p))
2228 +- return p;
2229 +- q = (const void *)((const char *)p + len);
2230 +- if (unlikely(q > end || q < p))
2231 +- return ERR_PTR(-EFAULT);
2232 +- res->data = kmemdup(p, len, GFP_NOFS);
2233 +- if (unlikely(res->data == NULL))
2234 +- return ERR_PTR(-ENOMEM);
2235 +- res->len = len;
2236 +- return q;
2237 +-}
2238 +-
2239 + static inline const void *
2240 + get_key(const void *p, const void *end,
2241 + struct krb5_ctx *ctx, struct crypto_skcipher **res)
2242 +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
2243 +index 3a2543b9701a9..bd3a5ef8e59b9 100644
2244 +--- a/net/vmw_vsock/af_vsock.c
2245 ++++ b/net/vmw_vsock/af_vsock.c
2246 +@@ -830,10 +830,12 @@ static int vsock_shutdown(struct socket *sock, int mode)
2247 + */
2248 +
2249 + sk = sock->sk;
2250 ++
2251 ++ lock_sock(sk);
2252 + if (sock->state == SS_UNCONNECTED) {
2253 + err = -ENOTCONN;
2254 + if (sk->sk_type == SOCK_STREAM)
2255 +- return err;
2256 ++ goto out;
2257 + } else {
2258 + sock->state = SS_DISCONNECTING;
2259 + err = 0;
2260 +@@ -842,10 +844,8 @@ static int vsock_shutdown(struct socket *sock, int mode)
2261 + /* Receive and send shutdowns are treated alike. */
2262 + mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN);
2263 + if (mode) {
2264 +- lock_sock(sk);
2265 + sk->sk_shutdown |= mode;
2266 + sk->sk_state_change(sk);
2267 +- release_sock(sk);
2268 +
2269 + if (sk->sk_type == SOCK_STREAM) {
2270 + sock_reset_flag(sk, SOCK_DONE);
2271 +@@ -853,6 +853,8 @@ static int vsock_shutdown(struct socket *sock, int mode)
2272 + }
2273 + }
2274 +
2275 ++out:
2276 ++ release_sock(sk);
2277 + return err;
2278 + }
2279 +
2280 +@@ -1121,7 +1123,6 @@ static void vsock_connect_timeout(struct work_struct *work)
2281 + {
2282 + struct sock *sk;
2283 + struct vsock_sock *vsk;
2284 +- int cancel = 0;
2285 +
2286 + vsk = container_of(work, struct vsock_sock, connect_work.work);
2287 + sk = sk_vsock(vsk);
2288 +@@ -1132,11 +1133,9 @@ static void vsock_connect_timeout(struct work_struct *work)
2289 + sk->sk_state = SS_UNCONNECTED;
2290 + sk->sk_err = ETIMEDOUT;
2291 + sk->sk_error_report(sk);
2292 +- cancel = 1;
2293 ++ vsock_transport_cancel_pkt(vsk);
2294 + }
2295 + release_sock(sk);
2296 +- if (cancel)
2297 +- vsock_transport_cancel_pkt(vsk);
2298 +
2299 + sock_put(sk);
2300 + }
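
The vsock_shutdown() fix takes the socket lock once at function entry and funnels every exit through a single release, instead of splitting the locking across branches. The same "lock at entry, goto out on every path" shape in a small pthread sketch:

#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

struct fake_sock {
	pthread_mutex_t lock;
	bool connected;
	int shutdown_mask;
};

/* Every return path releases the lock exactly once, like the patched
 * vsock_shutdown() with its single out: label. */
static int fake_shutdown(struct fake_sock *sk, int mode)
{
	int err = 0;

	pthread_mutex_lock(&sk->lock);

	if (!sk->connected) {
		err = -ENOTCONN;
		goto out;
	}

	if (mode)
		sk->shutdown_mask |= mode;

out:
	pthread_mutex_unlock(&sk->lock);
	return err;
}
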
2301 +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
2302 +index aa9d1c7780c3d..5f7bcc7da460d 100644
2303 +--- a/net/vmw_vsock/virtio_transport_common.c
2304 ++++ b/net/vmw_vsock/virtio_transport_common.c
2305 +@@ -959,10 +959,10 @@ void virtio_transport_recv_pkt(struct virtio_vsock_pkt *pkt)
2306 +
2307 + vsk = vsock_sk(sk);
2308 +
2309 +- space_available = virtio_transport_space_update(sk, pkt);
2310 +-
2311 + lock_sock(sk);
2312 +
2313 ++ space_available = virtio_transport_space_update(sk, pkt);
2314 ++
2315 + /* Update CID in case it has changed after a transport reset event */
2316 + vsk->local_addr.svm_cid = dst.svm_cid;
2317 +
2318 +diff --git a/scripts/Makefile.build b/scripts/Makefile.build
2319 +index 6228a83156ea1..f8ee4e33a085f 100644
2320 +--- a/scripts/Makefile.build
2321 ++++ b/scripts/Makefile.build
2322 +@@ -222,6 +222,8 @@ cmd_modversions_c = \
2323 + endif
2324 +
2325 + ifdef CONFIG_FTRACE_MCOUNT_RECORD
2326 ++ifndef CC_USING_RECORD_MCOUNT
2327 +# compiler will not generate __mcount_loc; use recordmcount or recordmcount.pl
2328 + ifdef BUILD_C_RECORDMCOUNT
2329 + ifeq ("$(origin RECORDMCOUNT_WARN)", "command line")
2330 + RECORDMCOUNT_FLAGS = -w
2331 +@@ -250,6 +252,7 @@ cmd_record_mcount = \
2332 + "$(CC_FLAGS_FTRACE)" ]; then \
2333 + $(sub_cmd_record_mcount) \
2334 + fi;
2335 ++endif # CC_USING_RECORD_MCOUNT
2336 + endif
2337 +
2338 + ifdef CONFIG_STACK_VALIDATION
2339 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
2340 +index 5bddabb3de7c3..db859b595dba1 100644
2341 +--- a/virt/kvm/kvm_main.c
2342 ++++ b/virt/kvm/kvm_main.c
2343 +@@ -382,9 +382,8 @@ static void kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn,
2344 + */
2345 + kvm->mmu_notifier_count++;
2346 + need_tlb_flush = kvm_unmap_hva_range(kvm, start, end);
2347 +- need_tlb_flush |= kvm->tlbs_dirty;
2348 + /* we've to flush the tlb before the pages can be freed */
2349 +- if (need_tlb_flush)
2350 ++ if (need_tlb_flush || kvm->tlbs_dirty)
2351 + kvm_flush_remote_tlbs(kvm);
2352 +
2353 + spin_unlock(&kvm->mmu_lock);
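
Finally, the kvm_main.c hunk keeps need_tlb_flush purely for the unmap result and checks kvm->tlbs_dirty separately at the flush decision, rather than OR-ing the dirty counter into the local flag, where a narrower flag type could lose information. A compact sketch of that decision, with the unmap and flush operations stubbed out:

#include <stdbool.h>

struct fake_vm {
	unsigned long tlbs_dirty;
	unsigned long flushes;
};

static bool unmap_range(struct fake_vm *vm)
{
	/* pretend something was unmapped and needs a TLB flush */
	return true;
}

static void flush_tlbs(struct fake_vm *vm)
{
	vm->flushes++;
	vm->tlbs_dirty = 0;
}

static void invalidate_range_start(struct fake_vm *vm)
{
	bool need_tlb_flush = unmap_range(vm);

	/* check tlbs_dirty at the point of decision instead of folding
	 * it into the local flag earlier */
	if (need_tlb_flush || vm->tlbs_dirty)
		flush_tlbs(vm);
}
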