Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.20 commit in: /
Date: Sun, 10 Mar 2019 14:14:20
Message-Id: 1552227234.12f3c647f24bfba1d73bc6cf0fec459faa52b455.mpagano@gentoo
1 commit: 12f3c647f24bfba1d73bc6cf0fec459faa52b455
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Mar 10 14:13:54 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Mar 10 14:13:54 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=12f3c647
7
8 proj/linux-patches: Linux patch 4.20.15
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1014_linux-4.20.15.patch | 3168 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3172 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index dd1fcee..dd61e24 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -99,6 +99,10 @@ Patch: 1013_linux-4.20.14.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.20.14
23
24 +Patch: 1014_linux-4.20.15.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.20.15
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1014_linux-4.20.15.patch b/1014_linux-4.20.15.patch
33 new file mode 100644
34 index 0000000..6fee7b4
35 --- /dev/null
36 +++ b/1014_linux-4.20.15.patch
37 @@ -0,0 +1,3168 @@
38 +diff --git a/Makefile b/Makefile
39 +index f7baaa0a3164b..25b45c24bac0b 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 20
46 +-SUBLEVEL = 14
47 ++SUBLEVEL = 15
48 + EXTRAVERSION =
49 + NAME = Shy Crocodile
50 +
51 +diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
52 +index ba150c755fcce..85b6c60f285d2 100644
53 +--- a/arch/mips/kernel/irq.c
54 ++++ b/arch/mips/kernel/irq.c
55 +@@ -52,6 +52,7 @@ asmlinkage void spurious_interrupt(void)
56 + void __init init_IRQ(void)
57 + {
58 + int i;
59 ++ unsigned int order = get_order(IRQ_STACK_SIZE);
60 +
61 + for (i = 0; i < NR_IRQS; i++)
62 + irq_set_noprobe(i);
63 +@@ -62,8 +63,7 @@ void __init init_IRQ(void)
64 + arch_init_irq();
65 +
66 + for_each_possible_cpu(i) {
67 +- int irq_pages = IRQ_STACK_SIZE / PAGE_SIZE;
68 +- void *s = (void *)__get_free_pages(GFP_KERNEL, irq_pages);
69 ++ void *s = (void *)__get_free_pages(GFP_KERNEL, order);
70 +
71 + irq_stack[i] = s;
72 + pr_debug("CPU%d IRQ stack at 0x%p - 0x%p\n", i,
73 +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c
74 +index 9e21573714910..f8debf7aeb4c1 100644
75 +--- a/arch/x86/boot/compressed/pgtable_64.c
76 ++++ b/arch/x86/boot/compressed/pgtable_64.c
77 +@@ -1,5 +1,7 @@
78 ++#include <linux/efi.h>
79 + #include <asm/e820/types.h>
80 + #include <asm/processor.h>
81 ++#include <asm/efi.h>
82 + #include "pgtable.h"
83 + #include "../string.h"
84 +
85 +@@ -37,9 +39,10 @@ int cmdline_find_option_bool(const char *option);
86 +
87 + static unsigned long find_trampoline_placement(void)
88 + {
89 +- unsigned long bios_start, ebda_start;
90 ++ unsigned long bios_start = 0, ebda_start = 0;
91 + unsigned long trampoline_start;
92 + struct boot_e820_entry *entry;
93 ++ char *signature;
94 + int i;
95 +
96 + /*
97 +@@ -47,8 +50,18 @@ static unsigned long find_trampoline_placement(void)
98 + * This code is based on reserve_bios_regions().
99 + */
100 +
101 +- ebda_start = *(unsigned short *)0x40e << 4;
102 +- bios_start = *(unsigned short *)0x413 << 10;
103 ++ /*
104 ++ * EFI systems may not provide legacy ROM. The memory may not be mapped
105 ++ * at all.
106 ++ *
107 ++ * Only look for values in the legacy ROM for non-EFI system.
108 ++ */
109 ++ signature = (char *)&boot_params->efi_info.efi_loader_signature;
110 ++ if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
111 ++ strncmp(signature, EFI64_LOADER_SIGNATURE, 4)) {
112 ++ ebda_start = *(unsigned short *)0x40e << 4;
113 ++ bios_start = *(unsigned short *)0x413 << 10;
114 ++ }
115 +
116 + if (bios_start < BIOS_START_MIN || bios_start > BIOS_START_MAX)
117 + bios_start = BIOS_START_MAX;
118 +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
119 +index eeea634bee0a7..6a25278e00929 100644
120 +--- a/arch/x86/kernel/cpu/amd.c
121 ++++ b/arch/x86/kernel/cpu/amd.c
122 +@@ -818,11 +818,9 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
123 + static void init_amd_zn(struct cpuinfo_x86 *c)
124 + {
125 + set_cpu_cap(c, X86_FEATURE_ZEN);
126 +- /*
127 +- * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
128 +- * all up to and including B1.
129 +- */
130 +- if (c->x86_model <= 1 && c->x86_stepping <= 1)
131 ++
132 ++ /* Fix erratum 1076: CPB feature bit not being set in CPUID. */
133 ++ if (!cpu_has(c, X86_FEATURE_CPB))
134 + set_cpu_cap(c, X86_FEATURE_CPB);
135 + }
136 +
137 +diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c
138 +index 4bb68133a72af..5a0e0bd68b769 100644
139 +--- a/arch/xtensa/kernel/process.c
140 ++++ b/arch/xtensa/kernel/process.c
141 +@@ -320,8 +320,8 @@ unsigned long get_wchan(struct task_struct *p)
142 +
143 + /* Stack layout: sp-4: ra, sp-3: sp' */
144 +
145 +- pc = MAKE_PC_FROM_RA(*(unsigned long*)sp - 4, sp);
146 +- sp = *(unsigned long *)sp - 3;
147 ++ pc = MAKE_PC_FROM_RA(SPILL_SLOT(sp, 0), sp);
148 ++ sp = SPILL_SLOT(sp, 1);
149 + } while (count++ < 16);
150 + return 0;
151 + }
152 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
153 +index b834ee335d9a8..6d5f3aca8e9c2 100644
154 +--- a/drivers/android/binder.c
155 ++++ b/drivers/android/binder.c
156 +@@ -356,6 +356,8 @@ struct binder_error {
157 + * (invariant after initialized)
158 + * @min_priority: minimum scheduling priority
159 + * (invariant after initialized)
160 ++ * @txn_security_ctx: require sender's security context
161 ++ * (invariant after initialized)
162 + * @async_todo: list of async work items
163 + * (protected by @proc->inner_lock)
164 + *
165 +@@ -392,6 +394,7 @@ struct binder_node {
166 + * invariant after initialization
167 + */
168 + u8 accept_fds:1;
169 ++ u8 txn_security_ctx:1;
170 + u8 min_priority;
171 + };
172 + bool has_async_transaction;
173 +@@ -642,6 +645,7 @@ struct binder_transaction {
174 + long saved_priority;
175 + kuid_t sender_euid;
176 + struct list_head fd_fixups;
177 ++ binder_uintptr_t security_ctx;
178 + /**
179 + * @lock: protects @from, @to_proc, and @to_thread
180 + *
181 +@@ -1165,6 +1169,7 @@ static struct binder_node *binder_init_node_ilocked(
182 + node->work.type = BINDER_WORK_NODE;
183 + node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
184 + node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
185 ++ node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX);
186 + spin_lock_init(&node->lock);
187 + INIT_LIST_HEAD(&node->work.entry);
188 + INIT_LIST_HEAD(&node->async_todo);
189 +@@ -2777,6 +2782,8 @@ static void binder_transaction(struct binder_proc *proc,
190 + binder_size_t last_fixup_min_off = 0;
191 + struct binder_context *context = proc->context;
192 + int t_debug_id = atomic_inc_return(&binder_last_id);
193 ++ char *secctx = NULL;
194 ++ u32 secctx_sz = 0;
195 +
196 + e = binder_transaction_log_add(&binder_transaction_log);
197 + e->debug_id = t_debug_id;
198 +@@ -3017,6 +3024,20 @@ static void binder_transaction(struct binder_proc *proc,
199 + t->flags = tr->flags;
200 + t->priority = task_nice(current);
201 +
202 ++ if (target_node && target_node->txn_security_ctx) {
203 ++ u32 secid;
204 ++
205 ++ security_task_getsecid(proc->tsk, &secid);
206 ++ ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
207 ++ if (ret) {
208 ++ return_error = BR_FAILED_REPLY;
209 ++ return_error_param = ret;
210 ++ return_error_line = __LINE__;
211 ++ goto err_get_secctx_failed;
212 ++ }
213 ++ extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
214 ++ }
215 ++
216 + trace_binder_transaction(reply, t, target_node);
217 +
218 + t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size,
219 +@@ -3033,6 +3054,19 @@ static void binder_transaction(struct binder_proc *proc,
220 + t->buffer = NULL;
221 + goto err_binder_alloc_buf_failed;
222 + }
223 ++ if (secctx) {
224 ++ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
225 ++ ALIGN(tr->offsets_size, sizeof(void *)) +
226 ++ ALIGN(extra_buffers_size, sizeof(void *)) -
227 ++ ALIGN(secctx_sz, sizeof(u64));
228 ++ char *kptr = t->buffer->data + buf_offset;
229 ++
230 ++ t->security_ctx = (uintptr_t)kptr +
231 ++ binder_alloc_get_user_buffer_offset(&target_proc->alloc);
232 ++ memcpy(kptr, secctx, secctx_sz);
233 ++ security_release_secctx(secctx, secctx_sz);
234 ++ secctx = NULL;
235 ++ }
236 + t->buffer->debug_id = t->debug_id;
237 + t->buffer->transaction = t;
238 + t->buffer->target_node = target_node;
239 +@@ -3302,6 +3336,9 @@ err_copy_data_failed:
240 + t->buffer->transaction = NULL;
241 + binder_alloc_free_buf(&target_proc->alloc, t->buffer);
242 + err_binder_alloc_buf_failed:
243 ++ if (secctx)
244 ++ security_release_secctx(secctx, secctx_sz);
245 ++err_get_secctx_failed:
246 + kfree(tcomplete);
247 + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
248 + err_alloc_tcomplete_failed:
249 +@@ -4033,11 +4070,13 @@ retry:
250 +
251 + while (1) {
252 + uint32_t cmd;
253 +- struct binder_transaction_data tr;
254 ++ struct binder_transaction_data_secctx tr;
255 ++ struct binder_transaction_data *trd = &tr.transaction_data;
256 + struct binder_work *w = NULL;
257 + struct list_head *list = NULL;
258 + struct binder_transaction *t = NULL;
259 + struct binder_thread *t_from;
260 ++ size_t trsize = sizeof(*trd);
261 +
262 + binder_inner_proc_lock(proc);
263 + if (!binder_worklist_empty_ilocked(&thread->todo))
264 +@@ -4232,8 +4271,8 @@ retry:
265 + if (t->buffer->target_node) {
266 + struct binder_node *target_node = t->buffer->target_node;
267 +
268 +- tr.target.ptr = target_node->ptr;
269 +- tr.cookie = target_node->cookie;
270 ++ trd->target.ptr = target_node->ptr;
271 ++ trd->cookie = target_node->cookie;
272 + t->saved_priority = task_nice(current);
273 + if (t->priority < target_node->min_priority &&
274 + !(t->flags & TF_ONE_WAY))
275 +@@ -4243,22 +4282,23 @@ retry:
276 + binder_set_nice(target_node->min_priority);
277 + cmd = BR_TRANSACTION;
278 + } else {
279 +- tr.target.ptr = 0;
280 +- tr.cookie = 0;
281 ++ trd->target.ptr = 0;
282 ++ trd->cookie = 0;
283 + cmd = BR_REPLY;
284 + }
285 +- tr.code = t->code;
286 +- tr.flags = t->flags;
287 +- tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid);
288 ++ trd->code = t->code;
289 ++ trd->flags = t->flags;
290 ++ trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid);
291 +
292 + t_from = binder_get_txn_from(t);
293 + if (t_from) {
294 + struct task_struct *sender = t_from->proc->tsk;
295 +
296 +- tr.sender_pid = task_tgid_nr_ns(sender,
297 +- task_active_pid_ns(current));
298 ++ trd->sender_pid =
299 ++ task_tgid_nr_ns(sender,
300 ++ task_active_pid_ns(current));
301 + } else {
302 +- tr.sender_pid = 0;
303 ++ trd->sender_pid = 0;
304 + }
305 +
306 + ret = binder_apply_fd_fixups(t);
307 +@@ -4289,15 +4329,20 @@ retry:
308 + }
309 + continue;
310 + }
311 +- tr.data_size = t->buffer->data_size;
312 +- tr.offsets_size = t->buffer->offsets_size;
313 +- tr.data.ptr.buffer = (binder_uintptr_t)
314 ++ trd->data_size = t->buffer->data_size;
315 ++ trd->offsets_size = t->buffer->offsets_size;
316 ++ trd->data.ptr.buffer = (binder_uintptr_t)
317 + ((uintptr_t)t->buffer->data +
318 + binder_alloc_get_user_buffer_offset(&proc->alloc));
319 +- tr.data.ptr.offsets = tr.data.ptr.buffer +
320 ++ trd->data.ptr.offsets = trd->data.ptr.buffer +
321 + ALIGN(t->buffer->data_size,
322 + sizeof(void *));
323 +
324 ++ tr.secctx = t->security_ctx;
325 ++ if (t->security_ctx) {
326 ++ cmd = BR_TRANSACTION_SEC_CTX;
327 ++ trsize = sizeof(tr);
328 ++ }
329 + if (put_user(cmd, (uint32_t __user *)ptr)) {
330 + if (t_from)
331 + binder_thread_dec_tmpref(t_from);
332 +@@ -4308,7 +4353,7 @@ retry:
333 + return -EFAULT;
334 + }
335 + ptr += sizeof(uint32_t);
336 +- if (copy_to_user(ptr, &tr, sizeof(tr))) {
337 ++ if (copy_to_user(ptr, &tr, trsize)) {
338 + if (t_from)
339 + binder_thread_dec_tmpref(t_from);
340 +
341 +@@ -4317,7 +4362,7 @@ retry:
342 +
343 + return -EFAULT;
344 + }
345 +- ptr += sizeof(tr);
346 ++ ptr += trsize;
347 +
348 + trace_binder_transaction_received(t);
349 + binder_stat_br(proc, thread, cmd);
350 +@@ -4325,16 +4370,18 @@ retry:
351 + "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n",
352 + proc->pid, thread->pid,
353 + (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" :
354 +- "BR_REPLY",
355 ++ (cmd == BR_TRANSACTION_SEC_CTX) ?
356 ++ "BR_TRANSACTION_SEC_CTX" : "BR_REPLY",
357 + t->debug_id, t_from ? t_from->proc->pid : 0,
358 + t_from ? t_from->pid : 0, cmd,
359 + t->buffer->data_size, t->buffer->offsets_size,
360 +- (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets);
361 ++ (u64)trd->data.ptr.buffer,
362 ++ (u64)trd->data.ptr.offsets);
363 +
364 + if (t_from)
365 + binder_thread_dec_tmpref(t_from);
366 + t->buffer->allow_user_free = 1;
367 +- if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {
368 ++ if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) {
369 + binder_inner_proc_lock(thread->proc);
370 + t->to_parent = thread->transaction_stack;
371 + t->to_thread = thread;
372 +@@ -4676,7 +4723,8 @@ out:
373 + return ret;
374 + }
375 +
376 +-static int binder_ioctl_set_ctx_mgr(struct file *filp)
377 ++static int binder_ioctl_set_ctx_mgr(struct file *filp,
378 ++ struct flat_binder_object *fbo)
379 + {
380 + int ret = 0;
381 + struct binder_proc *proc = filp->private_data;
382 +@@ -4705,7 +4753,7 @@ static int binder_ioctl_set_ctx_mgr(struct file *filp)
383 + } else {
384 + context->binder_context_mgr_uid = curr_euid;
385 + }
386 +- new_node = binder_new_node(proc, NULL);
387 ++ new_node = binder_new_node(proc, fbo);
388 + if (!new_node) {
389 + ret = -ENOMEM;
390 + goto out;
391 +@@ -4828,8 +4876,20 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
392 + binder_inner_proc_unlock(proc);
393 + break;
394 + }
395 ++ case BINDER_SET_CONTEXT_MGR_EXT: {
396 ++ struct flat_binder_object fbo;
397 ++
398 ++ if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
399 ++ ret = -EINVAL;
400 ++ goto err;
401 ++ }
402 ++ ret = binder_ioctl_set_ctx_mgr(filp, &fbo);
403 ++ if (ret)
404 ++ goto err;
405 ++ break;
406 ++ }
407 + case BINDER_SET_CONTEXT_MGR:
408 +- ret = binder_ioctl_set_ctx_mgr(filp);
409 ++ ret = binder_ioctl_set_ctx_mgr(filp, NULL);
410 + if (ret)
411 + goto err;
412 + break;
413 +diff --git a/drivers/base/dd.c b/drivers/base/dd.c
414 +index 9d6604b50d75e..b4ee11d6e665a 100644
415 +--- a/drivers/base/dd.c
416 ++++ b/drivers/base/dd.c
417 +@@ -965,9 +965,9 @@ static void __device_release_driver(struct device *dev, struct device *parent)
418 + drv->remove(dev);
419 +
420 + device_links_driver_cleanup(dev);
421 +- arch_teardown_dma_ops(dev);
422 +
423 + devres_release_all(dev);
424 ++ arch_teardown_dma_ops(dev);
425 + dev->driver = NULL;
426 + dev_set_drvdata(dev, NULL);
427 + if (dev->pm_domain && dev->pm_domain->dismiss)
428 +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
429 +index 41405de27d665..c91bba00df4e4 100644
430 +--- a/drivers/bluetooth/btrtl.c
431 ++++ b/drivers/bluetooth/btrtl.c
432 +@@ -552,10 +552,9 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
433 + hdev->bus);
434 +
435 + if (!btrtl_dev->ic_info) {
436 +- rtl_dev_err(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
437 ++ rtl_dev_info(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
438 + lmp_subver, hci_rev, hci_ver);
439 +- ret = -EINVAL;
440 +- goto err_free;
441 ++ return btrtl_dev;
442 + }
443 +
444 + if (btrtl_dev->ic_info->has_rom_version) {
445 +@@ -610,6 +609,11 @@ int btrtl_download_firmware(struct hci_dev *hdev,
446 + * standard btusb. Once that firmware is uploaded, the subver changes
447 + * to a different value.
448 + */
449 ++ if (!btrtl_dev->ic_info) {
450 ++ rtl_dev_info(hdev, "rtl: assuming no firmware upload needed\n");
451 ++ return 0;
452 ++ }
453 ++
454 + switch (btrtl_dev->ic_info->lmp_subver) {
455 + case RTL_ROM_LMP_8723A:
456 + case RTL_ROM_LMP_3499:
457 +diff --git a/drivers/char/applicom.c b/drivers/char/applicom.c
458 +index c0a5b1f3a9863..4ccc39e00ced3 100644
459 +--- a/drivers/char/applicom.c
460 ++++ b/drivers/char/applicom.c
461 +@@ -32,6 +32,7 @@
462 + #include <linux/wait.h>
463 + #include <linux/init.h>
464 + #include <linux/fs.h>
465 ++#include <linux/nospec.h>
466 +
467 + #include <asm/io.h>
468 + #include <linux/uaccess.h>
469 +@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *file, const char __user *buf, size_t count,
470 + TicCard = st_loc.tic_des_from_pc; /* tic number to send */
471 + IndexCard = NumCard - 1;
472 +
473 +- if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
474 ++ if (IndexCard >= MAX_BOARD)
475 ++ return -EINVAL;
476 ++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
477 ++
478 ++ if (!apbs[IndexCard].RamIO)
479 + return -EINVAL;
480 +
481 + #ifdef DEBUG
482 +@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
483 + unsigned char IndexCard;
484 + void __iomem *pmem;
485 + int ret = 0;
486 ++ static int warncount = 10;
487 + volatile unsigned char byte_reset_it;
488 + struct st_ram_io *adgl;
489 + void __user *argp = (void __user *)arg;
490 +@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
491 + mutex_lock(&ac_mutex);
492 + IndexCard = adgl->num_card-1;
493 +
494 +- if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
495 +- static int warncount = 10;
496 +- if (warncount) {
497 +- printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
498 +- warncount--;
499 +- }
500 +- kfree(adgl);
501 +- mutex_unlock(&ac_mutex);
502 +- return -EINVAL;
503 +- }
504 ++ if (cmd != 6 && IndexCard >= MAX_BOARD)
505 ++ goto err;
506 ++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
507 ++
508 ++ if (cmd != 6 && !apbs[IndexCard].RamIO)
509 ++ goto err;
510 +
511 + switch (cmd) {
512 +
513 +@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
514 + kfree(adgl);
515 + mutex_unlock(&ac_mutex);
516 + return 0;
517 ++
518 ++err:
519 ++ if (warncount) {
520 ++ pr_warn("APPLICOM driver IOCTL, bad board number %d\n",
521 ++ (int)IndexCard + 1);
522 ++ warncount--;
523 ++ }
524 ++ kfree(adgl);
525 ++ mutex_unlock(&ac_mutex);
526 ++ return -EINVAL;
527 ++
528 + }
529 +
530 +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
531 +index df34a12a388f3..a2e595b9b2df3 100644
532 +--- a/drivers/cpufreq/cpufreq.c
533 ++++ b/drivers/cpufreq/cpufreq.c
534 +@@ -545,13 +545,13 @@ EXPORT_SYMBOL_GPL(cpufreq_policy_transition_delay_us);
535 + * SYSFS INTERFACE *
536 + *********************************************************************/
537 + static ssize_t show_boost(struct kobject *kobj,
538 +- struct attribute *attr, char *buf)
539 ++ struct kobj_attribute *attr, char *buf)
540 + {
541 + return sprintf(buf, "%d\n", cpufreq_driver->boost_enabled);
542 + }
543 +
544 +-static ssize_t store_boost(struct kobject *kobj, struct attribute *attr,
545 +- const char *buf, size_t count)
546 ++static ssize_t store_boost(struct kobject *kobj, struct kobj_attribute *attr,
547 ++ const char *buf, size_t count)
548 + {
549 + int ret, enable;
550 +
551 +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
552 +index 9578312e43f2f..e4125f404d86c 100644
553 +--- a/drivers/cpufreq/intel_pstate.c
554 ++++ b/drivers/cpufreq/intel_pstate.c
555 +@@ -873,7 +873,7 @@ static void intel_pstate_update_policies(void)
556 + /************************** sysfs begin ************************/
557 + #define show_one(file_name, object) \
558 + static ssize_t show_##file_name \
559 +- (struct kobject *kobj, struct attribute *attr, char *buf) \
560 ++ (struct kobject *kobj, struct kobj_attribute *attr, char *buf) \
561 + { \
562 + return sprintf(buf, "%u\n", global.object); \
563 + }
564 +@@ -882,7 +882,7 @@ static ssize_t intel_pstate_show_status(char *buf);
565 + static int intel_pstate_update_status(const char *buf, size_t size);
566 +
567 + static ssize_t show_status(struct kobject *kobj,
568 +- struct attribute *attr, char *buf)
569 ++ struct kobj_attribute *attr, char *buf)
570 + {
571 + ssize_t ret;
572 +
573 +@@ -893,7 +893,7 @@ static ssize_t show_status(struct kobject *kobj,
574 + return ret;
575 + }
576 +
577 +-static ssize_t store_status(struct kobject *a, struct attribute *b,
578 ++static ssize_t store_status(struct kobject *a, struct kobj_attribute *b,
579 + const char *buf, size_t count)
580 + {
581 + char *p = memchr(buf, '\n', count);
582 +@@ -907,7 +907,7 @@ static ssize_t store_status(struct kobject *a, struct attribute *b,
583 + }
584 +
585 + static ssize_t show_turbo_pct(struct kobject *kobj,
586 +- struct attribute *attr, char *buf)
587 ++ struct kobj_attribute *attr, char *buf)
588 + {
589 + struct cpudata *cpu;
590 + int total, no_turbo, turbo_pct;
591 +@@ -933,7 +933,7 @@ static ssize_t show_turbo_pct(struct kobject *kobj,
592 + }
593 +
594 + static ssize_t show_num_pstates(struct kobject *kobj,
595 +- struct attribute *attr, char *buf)
596 ++ struct kobj_attribute *attr, char *buf)
597 + {
598 + struct cpudata *cpu;
599 + int total;
600 +@@ -954,7 +954,7 @@ static ssize_t show_num_pstates(struct kobject *kobj,
601 + }
602 +
603 + static ssize_t show_no_turbo(struct kobject *kobj,
604 +- struct attribute *attr, char *buf)
605 ++ struct kobj_attribute *attr, char *buf)
606 + {
607 + ssize_t ret;
608 +
609 +@@ -976,7 +976,7 @@ static ssize_t show_no_turbo(struct kobject *kobj,
610 + return ret;
611 + }
612 +
613 +-static ssize_t store_no_turbo(struct kobject *a, struct attribute *b,
614 ++static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b,
615 + const char *buf, size_t count)
616 + {
617 + unsigned int input;
618 +@@ -1023,7 +1023,7 @@ static ssize_t store_no_turbo(struct kobject *a, struct attribute *b,
619 + return count;
620 + }
621 +
622 +-static ssize_t store_max_perf_pct(struct kobject *a, struct attribute *b,
623 ++static ssize_t store_max_perf_pct(struct kobject *a, struct kobj_attribute *b,
624 + const char *buf, size_t count)
625 + {
626 + unsigned int input;
627 +@@ -1053,7 +1053,7 @@ static ssize_t store_max_perf_pct(struct kobject *a, struct attribute *b,
628 + return count;
629 + }
630 +
631 +-static ssize_t store_min_perf_pct(struct kobject *a, struct attribute *b,
632 ++static ssize_t store_min_perf_pct(struct kobject *a, struct kobj_attribute *b,
633 + const char *buf, size_t count)
634 + {
635 + unsigned int input;
636 +@@ -1085,12 +1085,13 @@ static ssize_t store_min_perf_pct(struct kobject *a, struct attribute *b,
637 + }
638 +
639 + static ssize_t show_hwp_dynamic_boost(struct kobject *kobj,
640 +- struct attribute *attr, char *buf)
641 ++ struct kobj_attribute *attr, char *buf)
642 + {
643 + return sprintf(buf, "%u\n", hwp_boost);
644 + }
645 +
646 +-static ssize_t store_hwp_dynamic_boost(struct kobject *a, struct attribute *b,
647 ++static ssize_t store_hwp_dynamic_boost(struct kobject *a,
648 ++ struct kobj_attribute *b,
649 + const char *buf, size_t count)
650 + {
651 + unsigned int input;
652 +diff --git a/drivers/gnss/sirf.c b/drivers/gnss/sirf.c
653 +index 2c22836d3ffd5..4596fde16dfe6 100644
654 +--- a/drivers/gnss/sirf.c
655 ++++ b/drivers/gnss/sirf.c
656 +@@ -310,30 +310,26 @@ static int sirf_probe(struct serdev_device *serdev)
657 + ret = -ENODEV;
658 + goto err_put_device;
659 + }
660 ++
661 ++ ret = regulator_enable(data->vcc);
662 ++ if (ret)
663 ++ goto err_put_device;
664 ++
665 ++ /* Wait for chip to boot into hibernate mode. */
666 ++ msleep(SIRF_BOOT_DELAY);
667 + }
668 +
669 + if (data->wakeup) {
670 + ret = gpiod_to_irq(data->wakeup);
671 + if (ret < 0)
672 +- goto err_put_device;
673 +-
674 ++ goto err_disable_vcc;
675 + data->irq = ret;
676 +
677 +- ret = devm_request_threaded_irq(dev, data->irq, NULL,
678 +- sirf_wakeup_handler,
679 ++ ret = request_threaded_irq(data->irq, NULL, sirf_wakeup_handler,
680 + IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
681 + "wakeup", data);
682 + if (ret)
683 +- goto err_put_device;
684 +- }
685 +-
686 +- if (data->on_off) {
687 +- ret = regulator_enable(data->vcc);
688 +- if (ret)
689 +- goto err_put_device;
690 +-
691 +- /* Wait for chip to boot into hibernate mode */
692 +- msleep(SIRF_BOOT_DELAY);
693 ++ goto err_disable_vcc;
694 + }
695 +
696 + if (IS_ENABLED(CONFIG_PM)) {
697 +@@ -342,7 +338,7 @@ static int sirf_probe(struct serdev_device *serdev)
698 + } else {
699 + ret = sirf_runtime_resume(dev);
700 + if (ret < 0)
701 +- goto err_disable_vcc;
702 ++ goto err_free_irq;
703 + }
704 +
705 + ret = gnss_register_device(gdev);
706 +@@ -356,6 +352,9 @@ err_disable_rpm:
707 + pm_runtime_disable(dev);
708 + else
709 + sirf_runtime_suspend(dev);
710 ++err_free_irq:
711 ++ if (data->wakeup)
712 ++ free_irq(data->irq, data);
713 + err_disable_vcc:
714 + if (data->on_off)
715 + regulator_disable(data->vcc);
716 +@@ -376,6 +375,9 @@ static void sirf_remove(struct serdev_device *serdev)
717 + else
718 + sirf_runtime_suspend(&serdev->dev);
719 +
720 ++ if (data->wakeup)
721 ++ free_irq(data->irq, data);
722 ++
723 + if (data->on_off)
724 + regulator_disable(data->vcc);
725 +
726 +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
727 +index b0113f6fdbb46..9021f01651d65 100644
728 +--- a/drivers/net/dsa/mv88e6xxx/chip.c
729 ++++ b/drivers/net/dsa/mv88e6xxx/chip.c
730 +@@ -896,7 +896,7 @@ static uint64_t _mv88e6xxx_get_ethtool_stat(struct mv88e6xxx_chip *chip,
731 + default:
732 + return U64_MAX;
733 + }
734 +- value = (((u64)high) << 16) | low;
735 ++ value = (((u64)high) << 32) | low;
736 + return value;
737 + }
738 +
739 +@@ -3082,7 +3082,7 @@ static const struct mv88e6xxx_ops mv88e6161_ops = {
740 + .port_disable_pri_override = mv88e6xxx_port_disable_pri_override,
741 + .port_link_state = mv88e6352_port_link_state,
742 + .port_get_cmode = mv88e6185_port_get_cmode,
743 +- .stats_snapshot = mv88e6320_g1_stats_snapshot,
744 ++ .stats_snapshot = mv88e6xxx_g1_stats_snapshot,
745 + .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
746 + .stats_get_sset_count = mv88e6095_stats_get_sset_count,
747 + .stats_get_strings = mv88e6095_stats_get_strings,
748 +@@ -4206,7 +4206,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
749 + .name = "Marvell 88E6190",
750 + .num_databases = 4096,
751 + .num_ports = 11, /* 10 + Z80 */
752 +- .num_internal_phys = 11,
753 ++ .num_internal_phys = 9,
754 + .num_gpio = 16,
755 + .max_vid = 8191,
756 + .port_base_addr = 0x0,
757 +@@ -4229,7 +4229,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
758 + .name = "Marvell 88E6190X",
759 + .num_databases = 4096,
760 + .num_ports = 11, /* 10 + Z80 */
761 +- .num_internal_phys = 11,
762 ++ .num_internal_phys = 9,
763 + .num_gpio = 16,
764 + .max_vid = 8191,
765 + .port_base_addr = 0x0,
766 +@@ -4252,7 +4252,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
767 + .name = "Marvell 88E6191",
768 + .num_databases = 4096,
769 + .num_ports = 11, /* 10 + Z80 */
770 +- .num_internal_phys = 11,
771 ++ .num_internal_phys = 9,
772 + .max_vid = 8191,
773 + .port_base_addr = 0x0,
774 + .phy_base_addr = 0x0,
775 +@@ -4299,7 +4299,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
776 + .name = "Marvell 88E6290",
777 + .num_databases = 4096,
778 + .num_ports = 11, /* 10 + Z80 */
779 +- .num_internal_phys = 11,
780 ++ .num_internal_phys = 9,
781 + .num_gpio = 16,
782 + .max_vid = 8191,
783 + .port_base_addr = 0x0,
784 +@@ -4461,7 +4461,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
785 + .name = "Marvell 88E6390",
786 + .num_databases = 4096,
787 + .num_ports = 11, /* 10 + Z80 */
788 +- .num_internal_phys = 11,
789 ++ .num_internal_phys = 9,
790 + .num_gpio = 16,
791 + .max_vid = 8191,
792 + .port_base_addr = 0x0,
793 +@@ -4484,7 +4484,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
794 + .name = "Marvell 88E6390X",
795 + .num_databases = 4096,
796 + .num_ports = 11, /* 10 + Z80 */
797 +- .num_internal_phys = 11,
798 ++ .num_internal_phys = 9,
799 + .num_gpio = 16,
800 + .max_vid = 8191,
801 + .port_base_addr = 0x0,
802 +@@ -4579,6 +4579,14 @@ static int mv88e6xxx_smi_init(struct mv88e6xxx_chip *chip,
803 + return 0;
804 + }
805 +
806 ++static void mv88e6xxx_ports_cmode_init(struct mv88e6xxx_chip *chip)
807 ++{
808 ++ int i;
809 ++
810 ++ for (i = 0; i < mv88e6xxx_num_ports(chip); i++)
811 ++ chip->ports[i].cmode = MV88E6XXX_PORT_STS_CMODE_INVALID;
812 ++}
813 ++
814 + static enum dsa_tag_protocol mv88e6xxx_get_tag_protocol(struct dsa_switch *ds,
815 + int port)
816 + {
817 +@@ -4615,6 +4623,8 @@ static const char *mv88e6xxx_drv_probe(struct device *dsa_dev,
818 + if (err)
819 + goto free;
820 +
821 ++ mv88e6xxx_ports_cmode_init(chip);
822 ++
823 + mutex_lock(&chip->reg_lock);
824 + err = mv88e6xxx_switch_reset(chip);
825 + mutex_unlock(&chip->reg_lock);
826 +@@ -4821,6 +4831,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
827 + if (err)
828 + goto out;
829 +
830 ++ mv88e6xxx_ports_cmode_init(chip);
831 + mv88e6xxx_phy_init(chip);
832 +
833 + if (chip->info->ops->get_eeprom) {
834 +diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c
835 +index cd7db60a508ba..abe86d7781d82 100644
836 +--- a/drivers/net/dsa/mv88e6xxx/port.c
837 ++++ b/drivers/net/dsa/mv88e6xxx/port.c
838 +@@ -190,7 +190,7 @@ int mv88e6xxx_port_set_duplex(struct mv88e6xxx_chip *chip, int port, int dup)
839 + /* normal duplex detection */
840 + break;
841 + default:
842 +- return -EINVAL;
843 ++ return -EOPNOTSUPP;
844 + }
845 +
846 + err = mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_MAC_CTL, reg);
847 +@@ -395,6 +395,10 @@ int mv88e6390x_port_set_cmode(struct mv88e6xxx_chip *chip, int port,
848 + cmode = 0;
849 + }
850 +
851 ++ /* cmode doesn't change, nothing to do for us */
852 ++ if (cmode == chip->ports[port].cmode)
853 ++ return 0;
854 ++
855 + lane = mv88e6390x_serdes_get_lane(chip, port);
856 + if (lane < 0)
857 + return lane;
858 +@@ -405,7 +409,7 @@ int mv88e6390x_port_set_cmode(struct mv88e6xxx_chip *chip, int port,
859 + return err;
860 + }
861 +
862 +- err = mv88e6390_serdes_power(chip, port, false);
863 ++ err = mv88e6390x_serdes_power(chip, port, false);
864 + if (err)
865 + return err;
866 +
867 +@@ -421,7 +425,7 @@ int mv88e6390x_port_set_cmode(struct mv88e6xxx_chip *chip, int port,
868 + if (err)
869 + return err;
870 +
871 +- err = mv88e6390_serdes_power(chip, port, true);
872 ++ err = mv88e6390x_serdes_power(chip, port, true);
873 + if (err)
874 + return err;
875 +
876 +diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
877 +index 091aa0057f1f6..cbb64a7683e28 100644
878 +--- a/drivers/net/dsa/mv88e6xxx/port.h
879 ++++ b/drivers/net/dsa/mv88e6xxx/port.h
880 +@@ -52,6 +52,7 @@
881 + #define MV88E6185_PORT_STS_CMODE_1000BASE_X 0x0005
882 + #define MV88E6185_PORT_STS_CMODE_PHY 0x0006
883 + #define MV88E6185_PORT_STS_CMODE_DISABLED 0x0007
884 ++#define MV88E6XXX_PORT_STS_CMODE_INVALID 0xff
885 +
886 + /* Offset 0x01: MAC (or PCS or Physical) Control Register */
887 + #define MV88E6XXX_PORT_MAC_CTL 0x01
888 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
889 +index 090207817ad8d..29b068b81e2ac 100644
890 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
891 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
892 +@@ -497,6 +497,12 @@ normal_tx:
893 + }
894 +
895 + length >>= 9;
896 ++ if (unlikely(length >= ARRAY_SIZE(bnxt_lhint_arr))) {
897 ++ dev_warn_ratelimited(&pdev->dev, "Dropped oversize %d bytes TX packet.\n",
898 ++ skb->len);
899 ++ i = 0;
900 ++ goto tx_dma_error;
901 ++ }
902 + flags |= bnxt_lhint_arr[length];
903 + txbd->tx_bd_len_flags_type = cpu_to_le32(flags);
904 +
905 +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
906 +index ae2f35039343b..1485f66cf7b0c 100644
907 +--- a/drivers/net/ethernet/marvell/sky2.c
908 ++++ b/drivers/net/ethernet/marvell/sky2.c
909 +@@ -46,6 +46,7 @@
910 + #include <linux/mii.h>
911 + #include <linux/of_device.h>
912 + #include <linux/of_net.h>
913 ++#include <linux/dmi.h>
914 +
915 + #include <asm/irq.h>
916 +
917 +@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128;
918 + module_param(copybreak, int, 0);
919 + MODULE_PARM_DESC(copybreak, "Receive copy threshold");
920 +
921 +-static int disable_msi = 0;
922 ++static int disable_msi = -1;
923 + module_param(disable_msi, int, 0);
924 + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)");
925 +
926 +@@ -4931,6 +4932,24 @@ static const char *sky2_name(u8 chipid, char *buf, int sz)
927 + return buf;
928 + }
929 +
930 ++static const struct dmi_system_id msi_blacklist[] = {
931 ++ {
932 ++ .ident = "Dell Inspiron 1545",
933 ++ .matches = {
934 ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
935 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"),
936 ++ },
937 ++ },
938 ++ {
939 ++ .ident = "Gateway P-79",
940 ++ .matches = {
941 ++ DMI_MATCH(DMI_SYS_VENDOR, "Gateway"),
942 ++ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
943 ++ },
944 ++ },
945 ++ {}
946 ++};
947 ++
948 + static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
949 + {
950 + struct net_device *dev, *dev1;
951 +@@ -5042,6 +5061,9 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
952 + goto err_out_free_pci;
953 + }
954 +
955 ++ if (disable_msi == -1)
956 ++ disable_msi = !!dmi_check_system(msi_blacklist);
957 ++
958 + if (!disable_msi && pci_enable_msi(pdev) == 0) {
959 + err = sky2_test_msi(hw);
960 + if (err) {
961 +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
962 +index 1ce8b729929fe..671ea75d0a4a1 100644
963 +--- a/drivers/net/ethernet/microchip/lan743x_main.c
964 ++++ b/drivers/net/ethernet/microchip/lan743x_main.c
965 +@@ -1400,7 +1400,8 @@ static int lan743x_tx_frame_start(struct lan743x_tx *tx,
966 + }
967 +
968 + static void lan743x_tx_frame_add_lso(struct lan743x_tx *tx,
969 +- unsigned int frame_length)
970 ++ unsigned int frame_length,
971 ++ int nr_frags)
972 + {
973 + /* called only from within lan743x_tx_xmit_frame.
974 + * assuming tx->ring_lock has already been acquired.
975 +@@ -1410,6 +1411,10 @@ static void lan743x_tx_frame_add_lso(struct lan743x_tx *tx,
976 +
977 + /* wrap up previous descriptor */
978 + tx->frame_data0 |= TX_DESC_DATA0_EXT_;
979 ++ if (nr_frags <= 0) {
980 ++ tx->frame_data0 |= TX_DESC_DATA0_LS_;
981 ++ tx->frame_data0 |= TX_DESC_DATA0_IOC_;
982 ++ }
983 + tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail];
984 + tx_descriptor->data0 = tx->frame_data0;
985 +
986 +@@ -1514,8 +1519,11 @@ static void lan743x_tx_frame_end(struct lan743x_tx *tx,
987 + u32 tx_tail_flags = 0;
988 +
989 + /* wrap up previous descriptor */
990 +- tx->frame_data0 |= TX_DESC_DATA0_LS_;
991 +- tx->frame_data0 |= TX_DESC_DATA0_IOC_;
992 ++ if ((tx->frame_data0 & TX_DESC_DATA0_DTYPE_MASK_) ==
993 ++ TX_DESC_DATA0_DTYPE_DATA_) {
994 ++ tx->frame_data0 |= TX_DESC_DATA0_LS_;
995 ++ tx->frame_data0 |= TX_DESC_DATA0_IOC_;
996 ++ }
997 +
998 + tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail];
999 + buffer_info = &tx->buffer_info[tx->frame_tail];
1000 +@@ -1600,7 +1608,7 @@ static netdev_tx_t lan743x_tx_xmit_frame(struct lan743x_tx *tx,
1001 + }
1002 +
1003 + if (gso)
1004 +- lan743x_tx_frame_add_lso(tx, frame_length);
1005 ++ lan743x_tx_frame_add_lso(tx, frame_length, nr_frags);
1006 +
1007 + if (nr_frags <= 0)
1008 + goto finish;
1009 +diff --git a/drivers/net/ethernet/mscc/ocelot_board.c b/drivers/net/ethernet/mscc/ocelot_board.c
1010 +index 4c23d18bbf44a..14b83bbf828d3 100644
1011 +--- a/drivers/net/ethernet/mscc/ocelot_board.c
1012 ++++ b/drivers/net/ethernet/mscc/ocelot_board.c
1013 +@@ -266,6 +266,7 @@ static int mscc_ocelot_probe(struct platform_device *pdev)
1014 + struct phy *serdes;
1015 + void __iomem *regs;
1016 + char res_name[8];
1017 ++ int phy_mode;
1018 + u32 port;
1019 +
1020 + if (of_property_read_u32(portnp, "reg", &port))
1021 +@@ -291,11 +292,11 @@ static int mscc_ocelot_probe(struct platform_device *pdev)
1022 + if (err)
1023 + return err;
1024 +
1025 +- err = of_get_phy_mode(portnp);
1026 +- if (err < 0)
1027 ++ phy_mode = of_get_phy_mode(portnp);
1028 ++ if (phy_mode < 0)
1029 + ocelot->ports[port]->phy_mode = PHY_INTERFACE_MODE_NA;
1030 + else
1031 +- ocelot->ports[port]->phy_mode = err;
1032 ++ ocelot->ports[port]->phy_mode = phy_mode;
1033 +
1034 + switch (ocelot->ports[port]->phy_mode) {
1035 + case PHY_INTERFACE_MODE_NA:
1036 +@@ -303,6 +304,13 @@ static int mscc_ocelot_probe(struct platform_device *pdev)
1037 + case PHY_INTERFACE_MODE_SGMII:
1038 + break;
1039 + case PHY_INTERFACE_MODE_QSGMII:
1040 ++ /* Ensure clock signals and speed is set on all
1041 ++ * QSGMII links
1042 ++ */
1043 ++ ocelot_port_writel(ocelot->ports[port],
1044 ++ DEV_CLOCK_CFG_LINK_SPEED
1045 ++ (OCELOT_SPEED_1000),
1046 ++ DEV_CLOCK_CFG);
1047 + break;
1048 + default:
1049 + dev_err(ocelot->dev,
1050 +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
1051 +index 2e6e11d8cf5cb..d6ad8331ca4f5 100644
1052 +--- a/drivers/net/geneve.c
1053 ++++ b/drivers/net/geneve.c
1054 +@@ -637,15 +637,20 @@ out:
1055 + static int geneve_open(struct net_device *dev)
1056 + {
1057 + struct geneve_dev *geneve = netdev_priv(dev);
1058 +- bool ipv6 = !!(geneve->info.mode & IP_TUNNEL_INFO_IPV6);
1059 + bool metadata = geneve->collect_md;
1060 ++ bool ipv4, ipv6;
1061 + int ret = 0;
1062 +
1063 ++ ipv6 = geneve->info.mode & IP_TUNNEL_INFO_IPV6 || metadata;
1064 ++ ipv4 = !ipv6 || metadata;
1065 + #if IS_ENABLED(CONFIG_IPV6)
1066 +- if (ipv6 || metadata)
1067 ++ if (ipv6) {
1068 + ret = geneve_sock_add(geneve, true);
1069 ++ if (ret < 0 && ret != -EAFNOSUPPORT)
1070 ++ ipv4 = false;
1071 ++ }
1072 + #endif
1073 +- if (!ret && (!ipv6 || metadata))
1074 ++ if (ipv4)
1075 + ret = geneve_sock_add(geneve, false);
1076 + if (ret < 0)
1077 + geneve_sock_release(geneve);
1078 +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
1079 +index 80d9297ad9d9c..136533e2e4879 100644
1080 +--- a/drivers/net/hyperv/netvsc_drv.c
1081 ++++ b/drivers/net/hyperv/netvsc_drv.c
1082 +@@ -744,6 +744,14 @@ void netvsc_linkstatus_callback(struct net_device *net,
1083 + schedule_delayed_work(&ndev_ctx->dwork, 0);
1084 + }
1085 +
1086 ++static void netvsc_comp_ipcsum(struct sk_buff *skb)
1087 ++{
1088 ++ struct iphdr *iph = (struct iphdr *)skb->data;
1089 ++
1090 ++ iph->check = 0;
1091 ++ iph->check = ip_fast_csum(iph, iph->ihl);
1092 ++}
1093 ++
1094 + static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net,
1095 + struct netvsc_channel *nvchan)
1096 + {
1097 +@@ -770,9 +778,17 @@ static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net,
1098 + /* skb is already created with CHECKSUM_NONE */
1099 + skb_checksum_none_assert(skb);
1100 +
1101 +- /*
1102 +- * In Linux, the IP checksum is always checked.
1103 +- * Do L4 checksum offload if enabled and present.
1104 ++ /* Incoming packets may have IP header checksum verified by the host.
1105 ++ * They may not have IP header checksum computed after coalescing.
1106 ++ * We compute it here if the flags are set, because on Linux, the IP
1107 ++ * checksum is always checked.
1108 ++ */
1109 ++ if (csum_info && csum_info->receive.ip_checksum_value_invalid &&
1110 ++ csum_info->receive.ip_checksum_succeeded &&
1111 ++ skb->protocol == htons(ETH_P_IP))
1112 ++ netvsc_comp_ipcsum(skb);
1113 ++
1114 ++ /* Do L4 checksum offload if enabled and present.
1115 + */
1116 + if (csum_info && (net->features & NETIF_F_RXCSUM)) {
1117 + if (csum_info->receive.tcp_checksum_succeeded ||
1118 +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
1119 +index 22dfbd4c6aaf4..6c50e7c1feb12 100644
1120 +--- a/drivers/net/phy/micrel.c
1121 ++++ b/drivers/net/phy/micrel.c
1122 +@@ -339,6 +339,17 @@ static int ksz8041_config_aneg(struct phy_device *phydev)
1123 + return genphy_config_aneg(phydev);
1124 + }
1125 +
1126 ++static int ksz8061_config_init(struct phy_device *phydev)
1127 ++{
1128 ++ int ret;
1129 ++
1130 ++ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A);
1131 ++ if (ret)
1132 ++ return ret;
1133 ++
1134 ++ return kszphy_config_init(phydev);
1135 ++}
1136 ++
1137 + static int ksz9021_load_values_from_of(struct phy_device *phydev,
1138 + const struct device_node *of_node,
1139 + u16 reg,
1140 +@@ -1044,7 +1055,7 @@ static struct phy_driver ksphy_driver[] = {
1141 + .phy_id_mask = MICREL_PHY_ID_MASK,
1142 + .features = PHY_BASIC_FEATURES,
1143 + .flags = PHY_HAS_INTERRUPT,
1144 +- .config_init = kszphy_config_init,
1145 ++ .config_init = ksz8061_config_init,
1146 + .ack_interrupt = kszphy_ack_interrupt,
1147 + .config_intr = kszphy_config_intr,
1148 + .suspend = genphy_suspend,
1149 +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
1150 +index b60c82065fd11..93365a5c25570 100644
1151 +--- a/drivers/net/phy/phylink.c
1152 ++++ b/drivers/net/phy/phylink.c
1153 +@@ -321,6 +321,10 @@ static int phylink_get_mac_state(struct phylink *pl, struct phylink_link_state *
1154 + linkmode_zero(state->lp_advertising);
1155 + state->interface = pl->link_config.interface;
1156 + state->an_enabled = pl->link_config.an_enabled;
1157 ++ state->speed = SPEED_UNKNOWN;
1158 ++ state->duplex = DUPLEX_UNKNOWN;
1159 ++ state->pause = MLO_PAUSE_NONE;
1160 ++ state->an_complete = 0;
1161 + state->link = 1;
1162 +
1163 + return pl->ops->mac_link_state(ndev, state);
1164 +diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
1165 +index a5ef97010eb34..5541e1c19936c 100644
1166 +--- a/drivers/net/team/team_mode_loadbalance.c
1167 ++++ b/drivers/net/team/team_mode_loadbalance.c
1168 +@@ -325,6 +325,20 @@ static int lb_bpf_func_set(struct team *team, struct team_gsetter_ctx *ctx)
1169 + return 0;
1170 + }
1171 +
1172 ++static void lb_bpf_func_free(struct team *team)
1173 ++{
1174 ++ struct lb_priv *lb_priv = get_lb_priv(team);
1175 ++ struct bpf_prog *fp;
1176 ++
1177 ++ if (!lb_priv->ex->orig_fprog)
1178 ++ return;
1179 ++
1180 ++ __fprog_destroy(lb_priv->ex->orig_fprog);
1181 ++ fp = rcu_dereference_protected(lb_priv->fp,
1182 ++ lockdep_is_held(&team->lock));
1183 ++ bpf_prog_destroy(fp);
1184 ++}
1185 ++
1186 + static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx)
1187 + {
1188 + struct lb_priv *lb_priv = get_lb_priv(team);
1189 +@@ -639,6 +653,7 @@ static void lb_exit(struct team *team)
1190 +
1191 + team_options_unregister(team, lb_options,
1192 + ARRAY_SIZE(lb_options));
1193 ++ lb_bpf_func_free(team);
1194 + cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw);
1195 + free_percpu(lb_priv->pcpu_stats);
1196 + kfree(lb_priv->ex);
1197 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1198 +index 1e6f0da1fa8e7..efc08dad3a1bf 100644
1199 +--- a/drivers/net/tun.c
1200 ++++ b/drivers/net/tun.c
1201 +@@ -2147,9 +2147,9 @@ static void *tun_ring_recv(struct tun_file *tfile, int noblock, int *err)
1202 + }
1203 +
1204 + add_wait_queue(&tfile->wq.wait, &wait);
1205 +- current->state = TASK_INTERRUPTIBLE;
1206 +
1207 + while (1) {
1208 ++ set_current_state(TASK_INTERRUPTIBLE);
1209 + ptr = ptr_ring_consume(&tfile->tx_ring);
1210 + if (ptr)
1211 + break;
1212 +@@ -2165,7 +2165,7 @@ static void *tun_ring_recv(struct tun_file *tfile, int noblock, int *err)
1213 + schedule();
1214 + }
1215 +
1216 +- current->state = TASK_RUNNING;
1217 ++ __set_current_state(TASK_RUNNING);
1218 + remove_wait_queue(&tfile->wq.wait, &wait);
1219 +
1220 + out:
1221 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
1222 +index 735ad838e2ba8..6e381354f658e 100644
1223 +--- a/drivers/net/usb/qmi_wwan.c
1224 ++++ b/drivers/net/usb/qmi_wwan.c
1225 +@@ -976,6 +976,13 @@ static const struct usb_device_id products[] = {
1226 + 0xff),
1227 + .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
1228 + },
1229 ++ { /* Quectel EG12/EM12 */
1230 ++ USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0512,
1231 ++ USB_CLASS_VENDOR_SPEC,
1232 ++ USB_SUBCLASS_VENDOR_SPEC,
1233 ++ 0xff),
1234 ++ .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
1235 ++ },
1236 +
1237 + /* 3. Combined interface devices matching on interface number */
1238 + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */
1239 +@@ -1343,17 +1350,20 @@ static bool quectel_ec20_detected(struct usb_interface *intf)
1240 + return false;
1241 + }
1242 +
1243 +-static bool quectel_ep06_diag_detected(struct usb_interface *intf)
1244 ++static bool quectel_diag_detected(struct usb_interface *intf)
1245 + {
1246 + struct usb_device *dev = interface_to_usbdev(intf);
1247 + struct usb_interface_descriptor intf_desc = intf->cur_altsetting->desc;
1248 ++ u16 id_vendor = le16_to_cpu(dev->descriptor.idVendor);
1249 ++ u16 id_product = le16_to_cpu(dev->descriptor.idProduct);
1250 +
1251 +- if (le16_to_cpu(dev->descriptor.idVendor) == 0x2c7c &&
1252 +- le16_to_cpu(dev->descriptor.idProduct) == 0x0306 &&
1253 +- intf_desc.bNumEndpoints == 2)
1254 +- return true;
1255 ++ if (id_vendor != 0x2c7c || intf_desc.bNumEndpoints != 2)
1256 ++ return false;
1257 +
1258 +- return false;
1259 ++ if (id_product == 0x0306 || id_product == 0x0512)
1260 ++ return true;
1261 ++ else
1262 ++ return false;
1263 + }
1264 +
1265 + static int qmi_wwan_probe(struct usb_interface *intf,
1266 +@@ -1390,13 +1400,13 @@ static int qmi_wwan_probe(struct usb_interface *intf,
1267 + return -ENODEV;
1268 + }
1269 +
1270 +- /* Quectel EP06/EM06/EG06 supports dynamic interface configuration, so
1271 ++ /* Several Quectel modems supports dynamic interface configuration, so
1272 + * we need to match on class/subclass/protocol. These values are
1273 + * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
1274 + * different. Ignore the current interface if the number of endpoints
1275 + * the number for the diag interface (two).
1276 + */
1277 +- if (quectel_ep06_diag_detected(intf))
1278 ++ if (quectel_diag_detected(intf))
1279 + return -ENODEV;
1280 +
1281 + return usbnet_probe(intf, id);
1282 +diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
1283 +index 0ccb021f1e786..10d580c3dea3f 100644
1284 +--- a/drivers/net/xen-netback/hash.c
1285 ++++ b/drivers/net/xen-netback/hash.c
1286 +@@ -454,6 +454,8 @@ void xenvif_init_hash(struct xenvif *vif)
1287 + if (xenvif_hash_cache_size == 0)
1288 + return;
1289 +
1290 ++ BUG_ON(vif->hash.cache.count);
1291 ++
1292 + spin_lock_init(&vif->hash.cache.lock);
1293 + INIT_LIST_HEAD(&vif->hash.cache.list);
1294 + }
1295 +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
1296 +index 182d6770f1027..6da12518e6934 100644
1297 +--- a/drivers/net/xen-netback/interface.c
1298 ++++ b/drivers/net/xen-netback/interface.c
1299 +@@ -153,6 +153,13 @@ static u16 xenvif_select_queue(struct net_device *dev, struct sk_buff *skb,
1300 + {
1301 + struct xenvif *vif = netdev_priv(dev);
1302 + unsigned int size = vif->hash.size;
1303 ++ unsigned int num_queues;
1304 ++
1305 ++ /* If queues are not set up internally - always return 0
1306 ++ * as the packet going to be dropped anyway */
1307 ++ num_queues = READ_ONCE(vif->num_queues);
1308 ++ if (num_queues < 1)
1309 ++ return 0;
1310 +
1311 + if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
1312 + return fallback(dev, skb, NULL) % dev->real_num_tx_queues;
1313 +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
1314 +index 80aae3a32c2a3..f09948b009dd0 100644
1315 +--- a/drivers/net/xen-netback/netback.c
1316 ++++ b/drivers/net/xen-netback/netback.c
1317 +@@ -1072,11 +1072,6 @@ static int xenvif_handle_frag_list(struct xenvif_queue *queue, struct sk_buff *s
1318 + skb_frag_size_set(&frags[i], len);
1319 + }
1320 +
1321 +- /* Copied all the bits from the frag list -- free it. */
1322 +- skb_frag_list_init(skb);
1323 +- xenvif_skb_zerocopy_prepare(queue, nskb);
1324 +- kfree_skb(nskb);
1325 +-
1326 + /* Release all the original (foreign) frags. */
1327 + for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
1328 + skb_frag_unref(skb, f);
1329 +@@ -1145,6 +1140,8 @@ static int xenvif_tx_submit(struct xenvif_queue *queue)
1330 + xenvif_fill_frags(queue, skb);
1331 +
1332 + if (unlikely(skb_has_frag_list(skb))) {
1333 ++ struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
1334 ++ xenvif_skb_zerocopy_prepare(queue, nskb);
1335 + if (xenvif_handle_frag_list(queue, skb)) {
1336 + if (net_ratelimit())
1337 + netdev_err(queue->vif->dev,
1338 +@@ -1153,6 +1150,9 @@ static int xenvif_tx_submit(struct xenvif_queue *queue)
1339 + kfree_skb(skb);
1340 + continue;
1341 + }
1342 ++ /* Copied all the bits from the frag list -- free it. */
1343 ++ skb_frag_list_init(skb);
1344 ++ kfree_skb(nskb);
1345 + }
1346 +
1347 + skb->dev = queue->vif->dev;
1348 +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
1349 +index fa6e0c3b3aa67..520b6fcd72628 100644
1350 +--- a/drivers/scsi/scsi_lib.c
1351 ++++ b/drivers/scsi/scsi_lib.c
1352 +@@ -757,6 +757,7 @@ static blk_status_t scsi_result_to_blk_status(struct scsi_cmnd *cmd, int result)
1353 + set_host_byte(cmd, DID_OK);
1354 + return BLK_STS_TARGET;
1355 + case DID_NEXUS_FAILURE:
1356 ++ set_host_byte(cmd, DID_OK);
1357 + return BLK_STS_NEXUS;
1358 + case DID_ALLOC_FAILURE:
1359 + set_host_byte(cmd, DID_OK);
1360 +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
1361 +index a880b5c6c6c32..be815330ed958 100644
1362 +--- a/drivers/staging/android/ashmem.c
1363 ++++ b/drivers/staging/android/ashmem.c
1364 +@@ -75,6 +75,9 @@ struct ashmem_range {
1365 + /* LRU list of unpinned pages, protected by ashmem_mutex */
1366 + static LIST_HEAD(ashmem_lru_list);
1367 +
1368 ++static atomic_t ashmem_shrink_inflight = ATOMIC_INIT(0);
1369 ++static DECLARE_WAIT_QUEUE_HEAD(ashmem_shrink_wait);
1370 ++
1371 + /*
1372 + * long lru_count - The count of pages on our LRU list.
1373 + *
1374 +@@ -168,19 +171,15 @@ static inline void lru_del(struct ashmem_range *range)
1375 + * @end: The ending page (inclusive)
1376 + *
1377 + * This function is protected by ashmem_mutex.
1378 +- *
1379 +- * Return: 0 if successful, or -ENOMEM if there is an error
1380 + */
1381 +-static int range_alloc(struct ashmem_area *asma,
1382 +- struct ashmem_range *prev_range, unsigned int purged,
1383 +- size_t start, size_t end)
1384 ++static void range_alloc(struct ashmem_area *asma,
1385 ++ struct ashmem_range *prev_range, unsigned int purged,
1386 ++ size_t start, size_t end,
1387 ++ struct ashmem_range **new_range)
1388 + {
1389 +- struct ashmem_range *range;
1390 +-
1391 +- range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
1392 +- if (!range)
1393 +- return -ENOMEM;
1394 ++ struct ashmem_range *range = *new_range;
1395 +
1396 ++ *new_range = NULL;
1397 + range->asma = asma;
1398 + range->pgstart = start;
1399 + range->pgend = end;
1400 +@@ -190,8 +189,6 @@ static int range_alloc(struct ashmem_area *asma,
1401 +
1402 + if (range_on_lru(range))
1403 + lru_add(range);
1404 +-
1405 +- return 0;
1406 + }
1407 +
1408 + /**
1409 +@@ -438,7 +435,6 @@ out:
1410 + static unsigned long
1411 + ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1412 + {
1413 +- struct ashmem_range *range, *next;
1414 + unsigned long freed = 0;
1415 +
1416 + /* We might recurse into filesystem code, so bail out if necessary */
1417 +@@ -448,21 +444,33 @@ ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1418 + if (!mutex_trylock(&ashmem_mutex))
1419 + return -1;
1420 +
1421 +- list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) {
1422 ++ while (!list_empty(&ashmem_lru_list)) {
1423 ++ struct ashmem_range *range =
1424 ++ list_first_entry(&ashmem_lru_list, typeof(*range), lru);
1425 + loff_t start = range->pgstart * PAGE_SIZE;
1426 + loff_t end = (range->pgend + 1) * PAGE_SIZE;
1427 ++ struct file *f = range->asma->file;
1428 +
1429 +- range->asma->file->f_op->fallocate(range->asma->file,
1430 +- FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
1431 +- start, end - start);
1432 ++ get_file(f);
1433 ++ atomic_inc(&ashmem_shrink_inflight);
1434 + range->purged = ASHMEM_WAS_PURGED;
1435 + lru_del(range);
1436 +
1437 + freed += range_size(range);
1438 ++ mutex_unlock(&ashmem_mutex);
1439 ++ f->f_op->fallocate(f,
1440 ++ FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
1441 ++ start, end - start);
1442 ++ fput(f);
1443 ++ if (atomic_dec_and_test(&ashmem_shrink_inflight))
1444 ++ wake_up_all(&ashmem_shrink_wait);
1445 ++ if (!mutex_trylock(&ashmem_mutex))
1446 ++ goto out;
1447 + if (--sc->nr_to_scan <= 0)
1448 + break;
1449 + }
1450 + mutex_unlock(&ashmem_mutex);
1451 ++out:
1452 + return freed;
1453 + }
1454 +
1455 +@@ -582,7 +590,8 @@ static int get_name(struct ashmem_area *asma, void __user *name)
1456 + *
1457 + * Caller must hold ashmem_mutex.
1458 + */
1459 +-static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
1460 ++static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
1461 ++ struct ashmem_range **new_range)
1462 + {
1463 + struct ashmem_range *range, *next;
1464 + int ret = ASHMEM_NOT_PURGED;
1465 +@@ -635,7 +644,7 @@ static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
1466 + * second half and adjust the first chunk's endpoint.
1467 + */
1468 + range_alloc(asma, range, range->purged,
1469 +- pgend + 1, range->pgend);
1470 ++ pgend + 1, range->pgend, new_range);
1471 + range_shrink(range, range->pgstart, pgstart - 1);
1472 + break;
1473 + }
1474 +@@ -649,7 +658,8 @@ static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
1475 + *
1476 + * Caller must hold ashmem_mutex.
1477 + */
1478 +-static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
1479 ++static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
1480 ++ struct ashmem_range **new_range)
1481 + {
1482 + struct ashmem_range *range, *next;
1483 + unsigned int purged = ASHMEM_NOT_PURGED;
1484 +@@ -675,7 +685,8 @@ restart:
1485 + }
1486 + }
1487 +
1488 +- return range_alloc(asma, range, purged, pgstart, pgend);
1489 ++ range_alloc(asma, range, purged, pgstart, pgend, new_range);
1490 ++ return 0;
1491 + }
1492 +
1493 + /*
1494 +@@ -708,11 +719,19 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
1495 + struct ashmem_pin pin;
1496 + size_t pgstart, pgend;
1497 + int ret = -EINVAL;
1498 ++ struct ashmem_range *range = NULL;
1499 +
1500 + if (copy_from_user(&pin, p, sizeof(pin)))
1501 + return -EFAULT;
1502 +
1503 ++ if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) {
1504 ++ range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
1505 ++ if (!range)
1506 ++ return -ENOMEM;
1507 ++ }
1508 ++
1509 + mutex_lock(&ashmem_mutex);
1510 ++ wait_event(ashmem_shrink_wait, !atomic_read(&ashmem_shrink_inflight));
1511 +
1512 + if (!asma->file)
1513 + goto out_unlock;
1514 +@@ -735,10 +754,10 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
1515 +
1516 + switch (cmd) {
1517 + case ASHMEM_PIN:
1518 +- ret = ashmem_pin(asma, pgstart, pgend);
1519 ++ ret = ashmem_pin(asma, pgstart, pgend, &range);
1520 + break;
1521 + case ASHMEM_UNPIN:
1522 +- ret = ashmem_unpin(asma, pgstart, pgend);
1523 ++ ret = ashmem_unpin(asma, pgstart, pgend, &range);
1524 + break;
1525 + case ASHMEM_GET_PIN_STATUS:
1526 + ret = ashmem_get_pin_status(asma, pgstart, pgend);
1527 +@@ -747,6 +766,8 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
1528 +
1529 + out_unlock:
1530 + mutex_unlock(&ashmem_mutex);
1531 ++ if (range)
1532 ++ kmem_cache_free(ashmem_range_cachep, range);
1533 +
1534 + return ret;
1535 + }
1536 +diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
1537 +index 548bb02c0ca6b..a8621dc8e1f67 100644
1538 +--- a/drivers/staging/android/ion/ion_system_heap.c
1539 ++++ b/drivers/staging/android/ion/ion_system_heap.c
1540 +@@ -224,10 +224,10 @@ static void ion_system_heap_destroy_pools(struct ion_page_pool **pools)
1541 + static int ion_system_heap_create_pools(struct ion_page_pool **pools)
1542 + {
1543 + int i;
1544 +- gfp_t gfp_flags = low_order_gfp_flags;
1545 +
1546 + for (i = 0; i < NUM_ORDERS; i++) {
1547 + struct ion_page_pool *pool;
1548 ++ gfp_t gfp_flags = low_order_gfp_flags;
1549 +
1550 + if (orders[i] > 4)
1551 + gfp_flags = high_order_gfp_flags;
1552 +diff --git a/drivers/staging/comedi/drivers/ni_660x.c b/drivers/staging/comedi/drivers/ni_660x.c
1553 +index e70a461e723f8..405573e927cfc 100644
1554 +--- a/drivers/staging/comedi/drivers/ni_660x.c
1555 ++++ b/drivers/staging/comedi/drivers/ni_660x.c
1556 +@@ -656,6 +656,7 @@ static int ni_660x_set_pfi_routing(struct comedi_device *dev,
1557 + case NI_660X_PFI_OUTPUT_DIO:
1558 + if (chan > 31)
1559 + return -EINVAL;
1560 ++ break;
1561 + default:
1562 + return -EINVAL;
1563 + }
1564 +diff --git a/drivers/staging/erofs/inode.c b/drivers/staging/erofs/inode.c
1565 +index d7fbf5f4600f3..f99954dbfdb58 100644
1566 +--- a/drivers/staging/erofs/inode.c
1567 ++++ b/drivers/staging/erofs/inode.c
1568 +@@ -185,16 +185,16 @@ static int fill_inode(struct inode *inode, int isdir)
1569 + /* setup the new inode */
1570 + if (S_ISREG(inode->i_mode)) {
1571 + #ifdef CONFIG_EROFS_FS_XATTR
1572 +- if (vi->xattr_isize)
1573 +- inode->i_op = &erofs_generic_xattr_iops;
1574 ++ inode->i_op = &erofs_generic_xattr_iops;
1575 + #endif
1576 + inode->i_fop = &generic_ro_fops;
1577 + } else if (S_ISDIR(inode->i_mode)) {
1578 + inode->i_op =
1579 + #ifdef CONFIG_EROFS_FS_XATTR
1580 +- vi->xattr_isize ? &erofs_dir_xattr_iops :
1581 +-#endif
1582 ++ &erofs_dir_xattr_iops;
1583 ++#else
1584 + &erofs_dir_iops;
1585 ++#endif
1586 + inode->i_fop = &erofs_dir_fops;
1587 + } else if (S_ISLNK(inode->i_mode)) {
1588 + /* by default, page_get_link is used for symlink */
1589 +diff --git a/drivers/staging/erofs/internal.h b/drivers/staging/erofs/internal.h
1590 +index 8929443558676..2aaa7d3a1d62c 100644
1591 +--- a/drivers/staging/erofs/internal.h
1592 ++++ b/drivers/staging/erofs/internal.h
1593 +@@ -352,12 +352,17 @@ static inline erofs_off_t iloc(struct erofs_sb_info *sbi, erofs_nid_t nid)
1594 + return blknr_to_addr(sbi->meta_blkaddr) + (nid << sbi->islotbits);
1595 + }
1596 +
1597 +-#define inode_set_inited_xattr(inode) (EROFS_V(inode)->flags |= 1)
1598 +-#define inode_has_inited_xattr(inode) (EROFS_V(inode)->flags & 1)
1599 ++/* atomic flag definitions */
1600 ++#define EROFS_V_EA_INITED_BIT 0
1601 ++
1602 ++/* bitlock definitions (arranged in reverse order) */
1603 ++#define EROFS_V_BL_XATTR_BIT (BITS_PER_LONG - 1)
1604 +
1605 + struct erofs_vnode {
1606 + erofs_nid_t nid;
1607 +- unsigned int flags;
1608 ++
1609 ++ /* atomic flags (including bitlocks) */
1610 ++ unsigned long flags;
1611 +
1612 + unsigned char data_mapping_mode;
1613 + /* inline size in bytes */
1614 +diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c
1615 +index 1c4b3e0343f58..6348dbfbf77b5 100644
1616 +--- a/drivers/staging/erofs/unzip_vle.c
1617 ++++ b/drivers/staging/erofs/unzip_vle.c
1618 +@@ -59,15 +59,30 @@ enum z_erofs_vle_work_role {
1619 + Z_EROFS_VLE_WORK_SECONDARY,
1620 + Z_EROFS_VLE_WORK_PRIMARY,
1621 + /*
1622 +- * The current work has at least been linked with the following
1623 +- * processed chained works, which means if the processing page
1624 +- * is the tail partial page of the work, the current work can
1625 +- * safely use the whole page, as illustrated below:
1626 +- * +--------------+-------------------------------------------+
1627 +- * | tail page | head page (of the previous work) |
1628 +- * +--------------+-------------------------------------------+
1629 +- * /\ which belongs to the current work
1630 +- * [ (*) this page can be used for the current work itself. ]
1631 ++ * The current work was the tail of an exist chain, and the previous
1632 ++ * processed chained works are all decided to be hooked up to it.
1633 ++ * A new chain should be created for the remaining unprocessed works,
1634 ++ * therefore different from Z_EROFS_VLE_WORK_PRIMARY_FOLLOWED,
1635 ++ * the next work cannot reuse the whole page in the following scenario:
1636 ++ * ________________________________________________________________
1637 ++ * | tail (partial) page | head (partial) page |
1638 ++ * | (belongs to the next work) | (belongs to the current work) |
1639 ++ * |_______PRIMARY_FOLLOWED_______|________PRIMARY_HOOKED___________|
1640 ++ */
1641 ++ Z_EROFS_VLE_WORK_PRIMARY_HOOKED,
1642 ++ /*
1643 ++ * The current work has been linked with the processed chained works,
1644 ++ * and could be also linked with the potential remaining works, which
1645 ++ * means if the processing page is the tail partial page of the work,
1646 ++ * the current work can safely use the whole page (since the next work
1647 ++ * is under control) for in-place decompression, as illustrated below:
1648 ++ * ________________________________________________________________
1649 ++ * | tail (partial) page | head (partial) page |
1650 ++ * | (of the current work) | (of the previous work) |
1651 ++ * | PRIMARY_FOLLOWED or | |
1652 ++ * |_____PRIMARY_HOOKED____|____________PRIMARY_FOLLOWED____________|
1653 ++ *
1654 ++ * [ (*) the above page can be used for the current work itself. ]
1655 + */
1656 + Z_EROFS_VLE_WORK_PRIMARY_FOLLOWED,
1657 + Z_EROFS_VLE_WORK_MAX
1658 +@@ -236,10 +251,10 @@ static int z_erofs_vle_work_add_page(
1659 + return ret ? 0 : -EAGAIN;
1660 + }
1661 +
1662 +-static inline bool try_to_claim_workgroup(
1663 +- struct z_erofs_vle_workgroup *grp,
1664 +- z_erofs_vle_owned_workgrp_t *owned_head,
1665 +- bool *hosted)
1666 ++static enum z_erofs_vle_work_role
1667 ++try_to_claim_workgroup(struct z_erofs_vle_workgroup *grp,
1668 ++ z_erofs_vle_owned_workgrp_t *owned_head,
1669 ++ bool *hosted)
1670 + {
1671 + DBG_BUGON(*hosted == true);
1672 +
1673 +@@ -253,6 +268,9 @@ retry:
1674 +
1675 + *owned_head = grp;
1676 + *hosted = true;
1677 ++ /* lucky, I am the followee :) */
1678 ++ return Z_EROFS_VLE_WORK_PRIMARY_FOLLOWED;
1679 ++
1680 + } else if (grp->next == Z_EROFS_VLE_WORKGRP_TAIL) {
1681 + /*
1682 + * type 2, link to the end of a existing open chain,
1683 +@@ -262,12 +280,11 @@ retry:
1684 + if (Z_EROFS_VLE_WORKGRP_TAIL != cmpxchg(&grp->next,
1685 + Z_EROFS_VLE_WORKGRP_TAIL, *owned_head))
1686 + goto retry;
1687 +-
1688 + *owned_head = Z_EROFS_VLE_WORKGRP_TAIL;
1689 +- } else
1690 +- return false; /* :( better luck next time */
1691 ++ return Z_EROFS_VLE_WORK_PRIMARY_HOOKED;
1692 ++ }
1693 +
1694 +- return true; /* lucky, I am the followee :) */
1695 ++ return Z_EROFS_VLE_WORK_PRIMARY; /* :( better luck next time */
1696 + }
1697 +
1698 + struct z_erofs_vle_work_finder {
1699 +@@ -345,12 +362,9 @@ z_erofs_vle_work_lookup(const struct z_erofs_vle_work_finder *f)
1700 + *f->hosted = false;
1701 + if (!primary)
1702 + *f->role = Z_EROFS_VLE_WORK_SECONDARY;
1703 +- /* claim the workgroup if possible */
1704 +- else if (try_to_claim_workgroup(grp, f->owned_head, f->hosted))
1705 +- *f->role = Z_EROFS_VLE_WORK_PRIMARY_FOLLOWED;
1706 +- else
1707 +- *f->role = Z_EROFS_VLE_WORK_PRIMARY;
1708 +-
1709 ++ else /* claim the workgroup if possible */
1710 ++ *f->role = try_to_claim_workgroup(grp, f->owned_head,
1711 ++ f->hosted);
1712 + return work;
1713 + }
1714 +
1715 +@@ -410,6 +424,9 @@ z_erofs_vle_work_register(const struct z_erofs_vle_work_finder *f,
1716 + return work;
1717 + }
1718 +
1719 ++#define builder_is_hooked(builder) \
1720 ++ ((builder)->role >= Z_EROFS_VLE_WORK_PRIMARY_HOOKED)
1721 ++
1722 + #define builder_is_followed(builder) \
1723 + ((builder)->role >= Z_EROFS_VLE_WORK_PRIMARY_FOLLOWED)
1724 +
1725 +@@ -584,7 +601,7 @@ static int z_erofs_do_read_page(struct z_erofs_vle_frontend *fe,
1726 + struct z_erofs_vle_work_builder *const builder = &fe->builder;
1727 + const loff_t offset = page_offset(page);
1728 +
1729 +- bool tight = builder_is_followed(builder);
1730 ++ bool tight = builder_is_hooked(builder);
1731 + struct z_erofs_vle_work *work = builder->work;
1732 +
1733 + #ifdef EROFS_FS_HAS_MANAGED_CACHE
1734 +@@ -609,8 +626,12 @@ repeat:
1735 +
1736 + /* lucky, within the range of the current map_blocks */
1737 + if (offset + cur >= map->m_la &&
1738 +- offset + cur < map->m_la + map->m_llen)
1739 ++ offset + cur < map->m_la + map->m_llen) {
1740 ++ /* didn't get a valid unzip work previously (very rare) */
1741 ++ if (!builder->work)
1742 ++ goto restart_now;
1743 + goto hitted;
1744 ++ }
1745 +
1746 + /* go ahead the next map_blocks */
1747 + debugln("%s: [out-of-range] pos %llu", __func__, offset + cur);
1748 +@@ -624,6 +645,7 @@ repeat:
1749 + if (unlikely(err))
1750 + goto err_out;
1751 +
1752 ++restart_now:
1753 + if (unlikely(!(map->m_flags & EROFS_MAP_MAPPED)))
1754 + goto hitted;
1755 +
1756 +@@ -649,7 +671,7 @@ repeat:
1757 + builder->role = Z_EROFS_VLE_WORK_PRIMARY;
1758 + #endif
1759 +
1760 +- tight &= builder_is_followed(builder);
1761 ++ tight &= builder_is_hooked(builder);
1762 + work = builder->work;
1763 + hitted:
1764 + cur = end - min_t(unsigned int, offset + end - map->m_la, end);
1765 +@@ -664,6 +686,9 @@ hitted:
1766 + (tight ? Z_EROFS_PAGE_TYPE_EXCLUSIVE :
1767 + Z_EROFS_VLE_PAGE_TYPE_TAIL_SHARED));
1768 +
1769 ++ if (cur)
1770 ++ tight &= builder_is_followed(builder);
1771 ++
1772 + retry:
1773 + err = z_erofs_vle_work_add_page(builder, page, page_type);
1774 + /* should allocate an additional staging page for pagevec */
1775 +@@ -904,11 +929,10 @@ repeat:
1776 + if (llen > grp->llen)
1777 + llen = grp->llen;
1778 +
1779 +- err = z_erofs_vle_unzip_fast_percpu(compressed_pages,
1780 +- clusterpages, pages, llen, work->pageofs,
1781 +- z_erofs_onlinepage_endio);
1782 ++ err = z_erofs_vle_unzip_fast_percpu(compressed_pages, clusterpages,
1783 ++ pages, llen, work->pageofs);
1784 + if (err != -ENOTSUPP)
1785 +- goto out_percpu;
1786 ++ goto out;
1787 +
1788 + if (sparsemem_pages >= nr_pages)
1789 + goto skip_allocpage;
1790 +@@ -929,8 +953,25 @@ skip_allocpage:
1791 + erofs_vunmap(vout, nr_pages);
1792 +
1793 + out:
1794 ++ /* must handle all compressed pages before endding pages */
1795 ++ for (i = 0; i < clusterpages; ++i) {
1796 ++ page = compressed_pages[i];
1797 ++
1798 ++#ifdef EROFS_FS_HAS_MANAGED_CACHE
1799 ++ if (page->mapping == mngda)
1800 ++ continue;
1801 ++#endif
1802 ++ /* recycle all individual staging pages */
1803 ++ (void)z_erofs_gather_if_stagingpage(page_pool, page);
1804 ++
1805 ++ WRITE_ONCE(compressed_pages[i], NULL);
1806 ++ }
1807 ++
1808 + for (i = 0; i < nr_pages; ++i) {
1809 + page = pages[i];
1810 ++ if (!page)
1811 ++ continue;
1812 ++
1813 + DBG_BUGON(page->mapping == NULL);
1814 +
1815 + /* recycle all individual staging pages */
1816 +@@ -943,20 +984,6 @@ out:
1817 + z_erofs_onlinepage_endio(page);
1818 + }
1819 +
1820 +-out_percpu:
1821 +- for (i = 0; i < clusterpages; ++i) {
1822 +- page = compressed_pages[i];
1823 +-
1824 +-#ifdef EROFS_FS_HAS_MANAGED_CACHE
1825 +- if (page->mapping == mngda)
1826 +- continue;
1827 +-#endif
1828 +- /* recycle all individual staging pages */
1829 +- (void)z_erofs_gather_if_stagingpage(page_pool, page);
1830 +-
1831 +- WRITE_ONCE(compressed_pages[i], NULL);
1832 +- }
1833 +-
1834 + if (pages == z_pagemap_global)
1835 + mutex_unlock(&z_pagemap_global_lock);
1836 + else if (unlikely(pages != pages_onstack))
1837 +diff --git a/drivers/staging/erofs/unzip_vle.h b/drivers/staging/erofs/unzip_vle.h
1838 +index 3316bc36965d4..684ff06fc7bf8 100644
1839 +--- a/drivers/staging/erofs/unzip_vle.h
1840 ++++ b/drivers/staging/erofs/unzip_vle.h
1841 +@@ -218,8 +218,7 @@ extern int z_erofs_vle_plain_copy(struct page **compressed_pages,
1842 +
1843 + extern int z_erofs_vle_unzip_fast_percpu(struct page **compressed_pages,
1844 + unsigned clusterpages, struct page **pages,
1845 +- unsigned outlen, unsigned short pageofs,
1846 +- void (*endio)(struct page *));
1847 ++ unsigned int outlen, unsigned short pageofs);
1848 +
1849 + extern int z_erofs_vle_unzip_vmap(struct page **compressed_pages,
1850 + unsigned clusterpages, void *vaddr, unsigned llen,
1851 +diff --git a/drivers/staging/erofs/unzip_vle_lz4.c b/drivers/staging/erofs/unzip_vle_lz4.c
1852 +index 16ac335ee59f4..8fa8a71a5445b 100644
1853 +--- a/drivers/staging/erofs/unzip_vle_lz4.c
1854 ++++ b/drivers/staging/erofs/unzip_vle_lz4.c
1855 +@@ -105,8 +105,7 @@ int z_erofs_vle_unzip_fast_percpu(struct page **compressed_pages,
1856 + unsigned int clusterpages,
1857 + struct page **pages,
1858 + unsigned int outlen,
1859 +- unsigned short pageofs,
1860 +- void (*endio)(struct page *))
1861 ++ unsigned short pageofs)
1862 + {
1863 + void *vin, *vout;
1864 + unsigned int nr_pages, i, j;
1865 +@@ -128,19 +127,16 @@ int z_erofs_vle_unzip_fast_percpu(struct page **compressed_pages,
1866 + ret = z_erofs_unzip_lz4(vin, vout + pageofs,
1867 + clusterpages * PAGE_SIZE, outlen);
1868 +
1869 +- if (ret >= 0) {
1870 +- outlen = ret;
1871 +- ret = 0;
1872 +- }
1873 ++ if (ret < 0)
1874 ++ goto out;
1875 ++ ret = 0;
1876 +
1877 + for (i = 0; i < nr_pages; ++i) {
1878 + j = min((unsigned int)PAGE_SIZE - pageofs, outlen);
1879 +
1880 + if (pages[i]) {
1881 +- if (ret < 0) {
1882 +- SetPageError(pages[i]);
1883 +- } else if (clusterpages == 1 &&
1884 +- pages[i] == compressed_pages[0]) {
1885 ++ if (clusterpages == 1 &&
1886 ++ pages[i] == compressed_pages[0]) {
1887 + memcpy(vin + pageofs, vout + pageofs, j);
1888 + } else {
1889 + void *dst = kmap_atomic(pages[i]);
1890 +@@ -148,12 +144,13 @@ int z_erofs_vle_unzip_fast_percpu(struct page **compressed_pages,
1891 + memcpy(dst + pageofs, vout + pageofs, j);
1892 + kunmap_atomic(dst);
1893 + }
1894 +- endio(pages[i]);
1895 + }
1896 + vout += PAGE_SIZE;
1897 + outlen -= j;
1898 + pageofs = 0;
1899 + }
1900 ++
1901 ++out:
1902 + preempt_enable();
1903 +
1904 + if (clusterpages == 1)
1905 +diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c
1906 +index 80dca6a4adbe2..6cb05ae312338 100644
1907 +--- a/drivers/staging/erofs/xattr.c
1908 ++++ b/drivers/staging/erofs/xattr.c
1909 +@@ -44,19 +44,48 @@ static inline void xattr_iter_end_final(struct xattr_iter *it)
1910 +
1911 + static int init_inode_xattrs(struct inode *inode)
1912 + {
1913 ++ struct erofs_vnode *const vi = EROFS_V(inode);
1914 + struct xattr_iter it;
1915 + unsigned int i;
1916 + struct erofs_xattr_ibody_header *ih;
1917 + struct super_block *sb;
1918 + struct erofs_sb_info *sbi;
1919 +- struct erofs_vnode *vi;
1920 + bool atomic_map;
1921 ++ int ret = 0;
1922 +
1923 +- if (likely(inode_has_inited_xattr(inode)))
1924 ++ /* the most case is that xattrs of this inode are initialized. */
1925 ++ if (test_bit(EROFS_V_EA_INITED_BIT, &vi->flags))
1926 + return 0;
1927 +
1928 +- vi = EROFS_V(inode);
1929 +- BUG_ON(!vi->xattr_isize);
1930 ++ if (wait_on_bit_lock(&vi->flags, EROFS_V_BL_XATTR_BIT, TASK_KILLABLE))
1931 ++ return -ERESTARTSYS;
1932 ++
1933 ++ /* someone has initialized xattrs for us? */
1934 ++ if (test_bit(EROFS_V_EA_INITED_BIT, &vi->flags))
1935 ++ goto out_unlock;
1936 ++
1937 ++ /*
1938 ++ * bypass all xattr operations if ->xattr_isize is not greater than
1939 ++ * sizeof(struct erofs_xattr_ibody_header), in detail:
1940 ++ * 1) it is not enough to contain erofs_xattr_ibody_header then
1941 ++ * ->xattr_isize should be 0 (it means no xattr);
1942 ++ * 2) it is just to contain erofs_xattr_ibody_header, which is on-disk
1943 ++ * undefined right now (maybe use later with some new sb feature).
1944 ++ */
1945 ++ if (vi->xattr_isize == sizeof(struct erofs_xattr_ibody_header)) {
1946 ++ errln("xattr_isize %d of nid %llu is not supported yet",
1947 ++ vi->xattr_isize, vi->nid);
1948 ++ ret = -ENOTSUPP;
1949 ++ goto out_unlock;
1950 ++ } else if (vi->xattr_isize < sizeof(struct erofs_xattr_ibody_header)) {
1951 ++ if (unlikely(vi->xattr_isize)) {
1952 ++ DBG_BUGON(1);
1953 ++ ret = -EIO;
1954 ++ goto out_unlock; /* xattr ondisk layout error */
1955 ++ }
1956 ++ ret = -ENOATTR;
1957 ++ goto out_unlock;
1958 ++ }
1959 +
1960 + sb = inode->i_sb;
1961 + sbi = EROFS_SB(sb);
1962 +@@ -64,8 +93,10 @@ static int init_inode_xattrs(struct inode *inode)
1963 + it.ofs = erofs_blkoff(iloc(sbi, vi->nid) + vi->inode_isize);
1964 +
1965 + it.page = erofs_get_inline_page(inode, it.blkaddr);
1966 +- if (IS_ERR(it.page))
1967 +- return PTR_ERR(it.page);
1968 ++ if (IS_ERR(it.page)) {
1969 ++ ret = PTR_ERR(it.page);
1970 ++ goto out_unlock;
1971 ++ }
1972 +
1973 + /* read in shared xattr array (non-atomic, see kmalloc below) */
1974 + it.kaddr = kmap(it.page);
1975 +@@ -78,7 +109,8 @@ static int init_inode_xattrs(struct inode *inode)
1976 + sizeof(uint), GFP_KERNEL);
1977 + if (vi->xattr_shared_xattrs == NULL) {
1978 + xattr_iter_end(&it, atomic_map);
1979 +- return -ENOMEM;
1980 ++ ret = -ENOMEM;
1981 ++ goto out_unlock;
1982 + }
1983 +
1984 + /* let's skip ibody header */
1985 +@@ -92,8 +124,12 @@ static int init_inode_xattrs(struct inode *inode)
1986 +
1987 + it.page = erofs_get_meta_page(sb,
1988 + ++it.blkaddr, S_ISDIR(inode->i_mode));
1989 +- if (IS_ERR(it.page))
1990 +- return PTR_ERR(it.page);
1991 ++ if (IS_ERR(it.page)) {
1992 ++ kfree(vi->xattr_shared_xattrs);
1993 ++ vi->xattr_shared_xattrs = NULL;
1994 ++ ret = PTR_ERR(it.page);
1995 ++ goto out_unlock;
1996 ++ }
1997 +
1998 + it.kaddr = kmap_atomic(it.page);
1999 + atomic_map = true;
2000 +@@ -105,8 +141,11 @@ static int init_inode_xattrs(struct inode *inode)
2001 + }
2002 + xattr_iter_end(&it, atomic_map);
2003 +
2004 +- inode_set_inited_xattr(inode);
2005 +- return 0;
2006 ++ set_bit(EROFS_V_EA_INITED_BIT, &vi->flags);
2007 ++
2008 ++out_unlock:
2009 ++ clear_and_wake_up_bit(EROFS_V_BL_XATTR_BIT, &vi->flags);
2010 ++ return ret;
2011 + }
2012 +
2013 + /*
2014 +@@ -422,7 +461,6 @@ static int erofs_xattr_generic_get(const struct xattr_handler *handler,
2015 + struct dentry *unused, struct inode *inode,
2016 + const char *name, void *buffer, size_t size)
2017 + {
2018 +- struct erofs_vnode *const vi = EROFS_V(inode);
2019 + struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
2020 +
2021 + switch (handler->flags) {
2022 +@@ -440,9 +478,6 @@ static int erofs_xattr_generic_get(const struct xattr_handler *handler,
2023 + return -EINVAL;
2024 + }
2025 +
2026 +- if (!vi->xattr_isize)
2027 +- return -ENOATTR;
2028 +-
2029 + return erofs_getxattr(inode, handler->flags, name, buffer, size);
2030 + }
2031 +
2032 +diff --git a/drivers/staging/wilc1000/linux_wlan.c b/drivers/staging/wilc1000/linux_wlan.c
2033 +index 76c901235e93e..693a471890750 100644
2034 +--- a/drivers/staging/wilc1000/linux_wlan.c
2035 ++++ b/drivers/staging/wilc1000/linux_wlan.c
2036 +@@ -1104,8 +1104,8 @@ int wilc_netdev_init(struct wilc **wilc, struct device *dev, int io_type,
2037 + vif->wilc = *wilc;
2038 + vif->ndev = ndev;
2039 + wl->vif[i] = vif;
2040 +- wl->vif_num = i;
2041 +- vif->idx = wl->vif_num;
2042 ++ wl->vif_num = i + 1;
2043 ++ vif->idx = i;
2044 +
2045 + ndev->netdev_ops = &wilc_netdev_ops;
2046 +
2047 +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
2048 +index a9ec7051f2864..c2fe218e051f0 100644
2049 +--- a/drivers/usb/host/xhci-pci.c
2050 ++++ b/drivers/usb/host/xhci-pci.c
2051 +@@ -194,6 +194,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
2052 + xhci->quirks |= XHCI_SSIC_PORT_UNUSED;
2053 + if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
2054 + (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
2055 ++ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
2056 + pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
2057 + xhci->quirks |= XHCI_INTEL_USB_ROLE_SW;
2058 + if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
2059 +diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
2060 +index 938ff06c03495..efb0cad8710e3 100644
2061 +--- a/drivers/usb/host/xhci-tegra.c
2062 ++++ b/drivers/usb/host/xhci-tegra.c
2063 +@@ -941,9 +941,9 @@ static void tegra_xusb_powerdomain_remove(struct device *dev,
2064 + device_link_del(tegra->genpd_dl_ss);
2065 + if (tegra->genpd_dl_host)
2066 + device_link_del(tegra->genpd_dl_host);
2067 +- if (tegra->genpd_dev_ss)
2068 ++ if (!IS_ERR_OR_NULL(tegra->genpd_dev_ss))
2069 + dev_pm_domain_detach(tegra->genpd_dev_ss, true);
2070 +- if (tegra->genpd_dev_host)
2071 ++ if (!IS_ERR_OR_NULL(tegra->genpd_dev_host))
2072 + dev_pm_domain_detach(tegra->genpd_dev_host, true);
2073 + }
2074 +
2075 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
2076 +index c0777a374a88f..4c66edf533fe9 100644
2077 +--- a/drivers/usb/serial/cp210x.c
2078 ++++ b/drivers/usb/serial/cp210x.c
2079 +@@ -61,6 +61,7 @@ static const struct usb_device_id id_table[] = {
2080 + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
2081 + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
2082 + { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
2083 ++ { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */
2084 + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
2085 + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
2086 + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
2087 +@@ -1353,8 +1354,13 @@ static int cp210x_gpio_get(struct gpio_chip *gc, unsigned int gpio)
2088 + if (priv->partnum == CP210X_PARTNUM_CP2105)
2089 + req_type = REQTYPE_INTERFACE_TO_HOST;
2090 +
2091 ++ result = usb_autopm_get_interface(serial->interface);
2092 ++ if (result)
2093 ++ return result;
2094 ++
2095 + result = cp210x_read_vendor_block(serial, req_type,
2096 + CP210X_READ_LATCH, &buf, sizeof(buf));
2097 ++ usb_autopm_put_interface(serial->interface);
2098 + if (result < 0)
2099 + return result;
2100 +
2101 +@@ -1375,6 +1381,10 @@ static void cp210x_gpio_set(struct gpio_chip *gc, unsigned int gpio, int value)
2102 +
2103 + buf.mask = BIT(gpio);
2104 +
2105 ++ result = usb_autopm_get_interface(serial->interface);
2106 ++ if (result)
2107 ++ goto out;
2108 ++
2109 + if (priv->partnum == CP210X_PARTNUM_CP2105) {
2110 + result = cp210x_write_vendor_block(serial,
2111 + REQTYPE_HOST_TO_INTERFACE,
2112 +@@ -1392,6 +1402,8 @@ static void cp210x_gpio_set(struct gpio_chip *gc, unsigned int gpio, int value)
2113 + NULL, 0, USB_CTRL_SET_TIMEOUT);
2114 + }
2115 +
2116 ++ usb_autopm_put_interface(serial->interface);
2117 ++out:
2118 + if (result < 0) {
2119 + dev_err(&serial->interface->dev, "failed to set GPIO value: %d\n",
2120 + result);
2121 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
2122 +index f459c1a18156e..9f3ba5c854d0a 100644
2123 +--- a/drivers/usb/serial/ftdi_sio.c
2124 ++++ b/drivers/usb/serial/ftdi_sio.c
2125 +@@ -1025,6 +1025,8 @@ static const struct usb_device_id id_table_combined[] = {
2126 + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
2127 + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
2128 + { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
2129 ++ /* EZPrototypes devices */
2130 ++ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
2131 + { } /* Terminating entry */
2132 + };
2133 +
2134 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
2135 +index 975d02666c5a0..b863bedb55a13 100644
2136 +--- a/drivers/usb/serial/ftdi_sio_ids.h
2137 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
2138 +@@ -1308,6 +1308,12 @@
2139 + #define IONICS_VID 0x1c0c
2140 + #define IONICS_PLUGCOMPUTER_PID 0x0102
2141 +
2142 ++/*
2143 ++ * EZPrototypes (PID reseller)
2144 ++ */
2145 ++#define EZPROTOTYPES_VID 0x1c40
2146 ++#define HJELMSLUND_USB485_ISO_PID 0x0477
2147 ++
2148 + /*
2149 + * Dresden Elektronik Sensor Terminal Board
2150 + */
2151 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
2152 +index aef15497ff31f..11b21d9410f35 100644
2153 +--- a/drivers/usb/serial/option.c
2154 ++++ b/drivers/usb/serial/option.c
2155 +@@ -1148,6 +1148,8 @@ static const struct usb_device_id option_ids[] = {
2156 + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
2157 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
2158 + .driver_info = NCTRL(0) | RSVD(3) },
2159 ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */
2160 ++ .driver_info = NCTRL(0) },
2161 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
2162 + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
2163 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
2164 +diff --git a/fs/aio.c b/fs/aio.c
2165 +index aac9659381d25..7f73f6928939b 100644
2166 +--- a/fs/aio.c
2167 ++++ b/fs/aio.c
2168 +@@ -1661,6 +1661,7 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2169 + struct poll_iocb *req = container_of(wait, struct poll_iocb, wait);
2170 + struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll);
2171 + __poll_t mask = key_to_poll(key);
2172 ++ unsigned long flags;
2173 +
2174 + req->woken = true;
2175 +
2176 +@@ -1669,10 +1670,15 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
2177 + if (!(mask & req->events))
2178 + return 0;
2179 +
2180 +- /* try to complete the iocb inline if we can: */
2181 +- if (spin_trylock(&iocb->ki_ctx->ctx_lock)) {
2182 ++ /*
2183 ++ * Try to complete the iocb inline if we can. Use
2184 ++ * irqsave/irqrestore because not all filesystems (e.g. fuse)
2185 ++ * call this function with IRQs disabled and because IRQs
2186 ++ * have to be disabled before ctx_lock is obtained.
2187 ++ */
2188 ++ if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
2189 + list_del(&iocb->ki_list);
2190 +- spin_unlock(&iocb->ki_ctx->ctx_lock);
2191 ++ spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
2192 +
2193 + list_del_init(&req->wait.entry);
2194 + aio_poll_complete(iocb, mask);
2195 +diff --git a/fs/exec.c b/fs/exec.c
2196 +index fc281b738a982..20c33029a0628 100644
2197 +--- a/fs/exec.c
2198 ++++ b/fs/exec.c
2199 +@@ -929,7 +929,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
2200 + bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
2201 + if (bytes < 0) {
2202 + ret = bytes;
2203 +- goto out;
2204 ++ goto out_free;
2205 + }
2206 +
2207 + if (bytes == 0)
2208 +diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
2209 +index 882a9b9e34bc2..72f59e8321e79 100644
2210 +--- a/include/linux/cpufreq.h
2211 ++++ b/include/linux/cpufreq.h
2212 +@@ -254,20 +254,12 @@ __ATTR(_name, 0644, show_##_name, store_##_name)
2213 + static struct freq_attr _name = \
2214 + __ATTR(_name, 0200, NULL, store_##_name)
2215 +
2216 +-struct global_attr {
2217 +- struct attribute attr;
2218 +- ssize_t (*show)(struct kobject *kobj,
2219 +- struct attribute *attr, char *buf);
2220 +- ssize_t (*store)(struct kobject *a, struct attribute *b,
2221 +- const char *c, size_t count);
2222 +-};
2223 +-
2224 + #define define_one_global_ro(_name) \
2225 +-static struct global_attr _name = \
2226 ++static struct kobj_attribute _name = \
2227 + __ATTR(_name, 0444, show_##_name, NULL)
2228 +
2229 + #define define_one_global_rw(_name) \
2230 +-static struct global_attr _name = \
2231 ++static struct kobj_attribute _name = \
2232 + __ATTR(_name, 0644, show_##_name, store_##_name)
2233 +
2234 +
2235 +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
2236 +index ec9d6bc658559..fabee6db0abb7 100644
2237 +--- a/include/net/bluetooth/bluetooth.h
2238 ++++ b/include/net/bluetooth/bluetooth.h
2239 +@@ -276,7 +276,7 @@ int bt_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
2240 + int bt_sock_wait_state(struct sock *sk, int state, unsigned long timeo);
2241 + int bt_sock_wait_ready(struct sock *sk, unsigned long flags);
2242 +
2243 +-void bt_accept_enqueue(struct sock *parent, struct sock *sk);
2244 ++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh);
2245 + void bt_accept_unlink(struct sock *sk);
2246 + struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock);
2247 +
2248 +diff --git a/include/net/icmp.h b/include/net/icmp.h
2249 +index 3ef2743a8eecc..8665bf24e3b7a 100644
2250 +--- a/include/net/icmp.h
2251 ++++ b/include/net/icmp.h
2252 +@@ -22,6 +22,7 @@
2253 +
2254 + #include <net/inet_sock.h>
2255 + #include <net/snmp.h>
2256 ++#include <net/ip.h>
2257 +
2258 + struct icmp_err {
2259 + int errno;
2260 +@@ -39,7 +40,13 @@ struct net_proto_family;
2261 + struct sk_buff;
2262 + struct net;
2263 +
2264 +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info);
2265 ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
2266 ++ const struct ip_options *opt);
2267 ++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
2268 ++{
2269 ++ __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt);
2270 ++}
2271 ++
2272 + int icmp_rcv(struct sk_buff *skb);
2273 + void icmp_err(struct sk_buff *skb, u32 info);
2274 + int icmp_init(void);
2275 +diff --git a/include/net/ip.h b/include/net/ip.h
2276 +index 72593e171d14c..b2b7cdb3f6fda 100644
2277 +--- a/include/net/ip.h
2278 ++++ b/include/net/ip.h
2279 +@@ -665,6 +665,8 @@ static inline int ip_options_echo(struct net *net, struct ip_options *dopt,
2280 + }
2281 +
2282 + void ip_options_fragment(struct sk_buff *skb);
2283 ++int __ip_options_compile(struct net *net, struct ip_options *opt,
2284 ++ struct sk_buff *skb, __be32 *info);
2285 + int ip_options_compile(struct net *net, struct ip_options *opt,
2286 + struct sk_buff *skb);
2287 + int ip_options_get(struct net *net, struct ip_options_rcu **optp,
2288 +@@ -714,7 +716,7 @@ extern int sysctl_icmp_msgs_burst;
2289 + int ip_misc_proc_init(void);
2290 + #endif
2291 +
2292 +-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto,
2293 ++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family,
2294 + struct netlink_ext_ack *extack);
2295 +
2296 + #endif /* _IP_H */
2297 +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
2298 +index 4d736427a4cb9..13327bd432312 100644
2299 +--- a/include/net/sch_generic.h
2300 ++++ b/include/net/sch_generic.h
2301 +@@ -48,7 +48,10 @@ struct qdisc_size_table {
2302 + struct qdisc_skb_head {
2303 + struct sk_buff *head;
2304 + struct sk_buff *tail;
2305 +- __u32 qlen;
2306 ++ union {
2307 ++ u32 qlen;
2308 ++ atomic_t atomic_qlen;
2309 ++ };
2310 + spinlock_t lock;
2311 + };
2312 +
2313 +@@ -405,27 +408,19 @@ static inline void qdisc_cb_private_validate(const struct sk_buff *skb, int sz)
2314 + BUILD_BUG_ON(sizeof(qcb->data) < sz);
2315 + }
2316 +
2317 +-static inline int qdisc_qlen_cpu(const struct Qdisc *q)
2318 +-{
2319 +- return this_cpu_ptr(q->cpu_qstats)->qlen;
2320 +-}
2321 +-
2322 + static inline int qdisc_qlen(const struct Qdisc *q)
2323 + {
2324 + return q->q.qlen;
2325 + }
2326 +
2327 +-static inline int qdisc_qlen_sum(const struct Qdisc *q)
2328 ++static inline u32 qdisc_qlen_sum(const struct Qdisc *q)
2329 + {
2330 +- __u32 qlen = q->qstats.qlen;
2331 +- int i;
2332 ++ u32 qlen = q->qstats.qlen;
2333 +
2334 +- if (q->flags & TCQ_F_NOLOCK) {
2335 +- for_each_possible_cpu(i)
2336 +- qlen += per_cpu_ptr(q->cpu_qstats, i)->qlen;
2337 +- } else {
2338 ++ if (q->flags & TCQ_F_NOLOCK)
2339 ++ qlen += atomic_read(&q->q.atomic_qlen);
2340 ++ else
2341 + qlen += q->q.qlen;
2342 +- }
2343 +
2344 + return qlen;
2345 + }
2346 +@@ -798,14 +793,14 @@ static inline void qdisc_qstats_cpu_backlog_inc(struct Qdisc *sch,
2347 + this_cpu_add(sch->cpu_qstats->backlog, qdisc_pkt_len(skb));
2348 + }
2349 +
2350 +-static inline void qdisc_qstats_cpu_qlen_inc(struct Qdisc *sch)
2351 ++static inline void qdisc_qstats_atomic_qlen_inc(struct Qdisc *sch)
2352 + {
2353 +- this_cpu_inc(sch->cpu_qstats->qlen);
2354 ++ atomic_inc(&sch->q.atomic_qlen);
2355 + }
2356 +
2357 +-static inline void qdisc_qstats_cpu_qlen_dec(struct Qdisc *sch)
2358 ++static inline void qdisc_qstats_atomic_qlen_dec(struct Qdisc *sch)
2359 + {
2360 +- this_cpu_dec(sch->cpu_qstats->qlen);
2361 ++ atomic_dec(&sch->q.atomic_qlen);
2362 + }
2363 +
2364 + static inline void qdisc_qstats_cpu_requeues_inc(struct Qdisc *sch)
2365 +diff --git a/include/uapi/linux/android/binder.h b/include/uapi/linux/android/binder.h
2366 +index b9ba520f7e4bb..2832134e53971 100644
2367 +--- a/include/uapi/linux/android/binder.h
2368 ++++ b/include/uapi/linux/android/binder.h
2369 +@@ -41,6 +41,14 @@ enum {
2370 + enum {
2371 + FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
2372 + FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
2373 ++
2374 ++ /**
2375 ++ * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
2376 ++ *
2377 ++ * Only when set, causes senders to include their security
2378 ++ * context
2379 ++ */
2380 ++ FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
2381 + };
2382 +
2383 + #ifdef BINDER_IPC_32BIT
2384 +@@ -218,6 +226,7 @@ struct binder_node_info_for_ref {
2385 + #define BINDER_VERSION _IOWR('b', 9, struct binder_version)
2386 + #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
2387 + #define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref)
2388 ++#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object)
2389 +
2390 + /*
2391 + * NOTE: Two special error codes you should check for when calling
2392 +@@ -276,6 +285,11 @@ struct binder_transaction_data {
2393 + } data;
2394 + };
2395 +
2396 ++struct binder_transaction_data_secctx {
2397 ++ struct binder_transaction_data transaction_data;
2398 ++ binder_uintptr_t secctx;
2399 ++};
2400 ++
2401 + struct binder_transaction_data_sg {
2402 + struct binder_transaction_data transaction_data;
2403 + binder_size_t buffers_size;
2404 +@@ -311,6 +325,11 @@ enum binder_driver_return_protocol {
2405 + BR_OK = _IO('r', 1),
2406 + /* No parameters! */
2407 +
2408 ++ BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
2409 ++ struct binder_transaction_data_secctx),
2410 ++ /*
2411 ++ * binder_transaction_data_secctx: the received command.
2412 ++ */
2413 + BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
2414 + BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
2415 + /*
2416 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
2417 +index e4c8262291521..63a9253679f2a 100644
2418 +--- a/kernel/bpf/verifier.c
2419 ++++ b/kernel/bpf/verifier.c
2420 +@@ -6428,7 +6428,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
2421 + u32 off_reg;
2422 +
2423 + aux = &env->insn_aux_data[i + delta];
2424 +- if (!aux->alu_state)
2425 ++ if (!aux->alu_state ||
2426 ++ aux->alu_state == BPF_ALU_NON_POINTER)
2427 + continue;
2428 +
2429 + isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
2430 +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
2431 +index 5574e862de8d5..5a1c64a26e819 100644
2432 +--- a/kernel/trace/trace_events_filter.c
2433 ++++ b/kernel/trace/trace_events_filter.c
2434 +@@ -1301,7 +1301,7 @@ static int parse_pred(const char *str, void *data,
2435 + /* go past the last quote */
2436 + i++;
2437 +
2438 +- } else if (isdigit(str[i])) {
2439 ++ } else if (isdigit(str[i]) || str[i] == '-') {
2440 +
2441 + /* Make sure the field is not a string */
2442 + if (is_string_field(field)) {
2443 +@@ -1314,6 +1314,9 @@ static int parse_pred(const char *str, void *data,
2444 + goto err_free;
2445 + }
2446 +
2447 ++ if (str[i] == '-')
2448 ++ i++;
2449 ++
2450 + /* We allow 0xDEADBEEF */
2451 + while (isalnum(str[i]))
2452 + i++;
2453 +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
2454 +index deacc52d7ff18..8d12198eaa949 100644
2455 +--- a/net/bluetooth/af_bluetooth.c
2456 ++++ b/net/bluetooth/af_bluetooth.c
2457 +@@ -154,15 +154,25 @@ void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk)
2458 + }
2459 + EXPORT_SYMBOL(bt_sock_unlink);
2460 +
2461 +-void bt_accept_enqueue(struct sock *parent, struct sock *sk)
2462 ++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
2463 + {
2464 + BT_DBG("parent %p, sk %p", parent, sk);
2465 +
2466 + sock_hold(sk);
2467 +- lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
2468 ++
2469 ++ if (bh)
2470 ++ bh_lock_sock_nested(sk);
2471 ++ else
2472 ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
2473 ++
2474 + list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
2475 + bt_sk(sk)->parent = parent;
2476 +- release_sock(sk);
2477 ++
2478 ++ if (bh)
2479 ++ bh_unlock_sock(sk);
2480 ++ else
2481 ++ release_sock(sk);
2482 ++
2483 + parent->sk_ack_backlog++;
2484 + }
2485 + EXPORT_SYMBOL(bt_accept_enqueue);
2486 +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
2487 +index 686bdc6b35b03..a3a2cd55e23a9 100644
2488 +--- a/net/bluetooth/l2cap_sock.c
2489 ++++ b/net/bluetooth/l2cap_sock.c
2490 +@@ -1252,7 +1252,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
2491 +
2492 + l2cap_sock_init(sk, parent);
2493 +
2494 +- bt_accept_enqueue(parent, sk);
2495 ++ bt_accept_enqueue(parent, sk, false);
2496 +
2497 + release_sock(parent);
2498 +
2499 +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
2500 +index d606e92122916..c044ff2f73e6c 100644
2501 +--- a/net/bluetooth/rfcomm/sock.c
2502 ++++ b/net/bluetooth/rfcomm/sock.c
2503 +@@ -988,7 +988,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
2504 + rfcomm_pi(sk)->channel = channel;
2505 +
2506 + sk->sk_state = BT_CONFIG;
2507 +- bt_accept_enqueue(parent, sk);
2508 ++ bt_accept_enqueue(parent, sk, true);
2509 +
2510 + /* Accept connection and return socket DLC */
2511 + *d = rfcomm_pi(sk)->dlc;
2512 +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
2513 +index 8f0f9279eac9f..a4ca55df73908 100644
2514 +--- a/net/bluetooth/sco.c
2515 ++++ b/net/bluetooth/sco.c
2516 +@@ -193,7 +193,7 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
2517 + conn->sk = sk;
2518 +
2519 + if (parent)
2520 +- bt_accept_enqueue(parent, sk);
2521 ++ bt_accept_enqueue(parent, sk, true);
2522 + }
2523 +
2524 + static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
2525 +diff --git a/net/core/gen_stats.c b/net/core/gen_stats.c
2526 +index 9bf1b9ad17806..ac679f74ba475 100644
2527 +--- a/net/core/gen_stats.c
2528 ++++ b/net/core/gen_stats.c
2529 +@@ -291,7 +291,6 @@ __gnet_stats_copy_queue_cpu(struct gnet_stats_queue *qstats,
2530 + for_each_possible_cpu(i) {
2531 + const struct gnet_stats_queue *qcpu = per_cpu_ptr(q, i);
2532 +
2533 +- qstats->qlen = 0;
2534 + qstats->backlog += qcpu->backlog;
2535 + qstats->drops += qcpu->drops;
2536 + qstats->requeues += qcpu->requeues;
2537 +@@ -307,7 +306,6 @@ void __gnet_stats_copy_queue(struct gnet_stats_queue *qstats,
2538 + if (cpu) {
2539 + __gnet_stats_copy_queue_cpu(qstats, cpu);
2540 + } else {
2541 +- qstats->qlen = q->qlen;
2542 + qstats->backlog = q->backlog;
2543 + qstats->drops = q->drops;
2544 + qstats->requeues = q->requeues;
2545 +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
2546 +index bd67c4d0fcfdf..2aabb7eb08541 100644
2547 +--- a/net/core/net-sysfs.c
2548 ++++ b/net/core/net-sysfs.c
2549 +@@ -1547,6 +1547,9 @@ static int register_queue_kobjects(struct net_device *dev)
2550 + error:
2551 + netdev_queue_update_kobjects(dev, txq, 0);
2552 + net_rx_queue_update_kobjects(dev, rxq, 0);
2553 ++#ifdef CONFIG_SYSFS
2554 ++ kset_unregister(dev->queues_kset);
2555 ++#endif
2556 + return error;
2557 + }
2558 +
2559 +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
2560 +index 777fa3b7fb13d..f0165c5f376b3 100644
2561 +--- a/net/ipv4/cipso_ipv4.c
2562 ++++ b/net/ipv4/cipso_ipv4.c
2563 +@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
2564 + case CIPSO_V4_MAP_PASS:
2565 + return 0;
2566 + case CIPSO_V4_MAP_TRANS:
2567 +- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
2568 ++ if ((level < doi_def->map.std->lvl.cipso_size) &&
2569 ++ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
2570 + return 0;
2571 + break;
2572 + }
2573 +@@ -1735,13 +1736,26 @@ validate_return:
2574 + */
2575 + void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
2576 + {
2577 ++ unsigned char optbuf[sizeof(struct ip_options) + 40];
2578 ++ struct ip_options *opt = (struct ip_options *)optbuf;
2579 ++
2580 + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
2581 + return;
2582 +
2583 ++ /*
2584 ++ * We might be called above the IP layer,
2585 ++ * so we can not use icmp_send and IPCB here.
2586 ++ */
2587 ++
2588 ++ memset(opt, 0, sizeof(struct ip_options));
2589 ++ opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
2590 ++ if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL))
2591 ++ return;
2592 ++
2593 + if (gateway)
2594 +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
2595 ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt);
2596 + else
2597 +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
2598 ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt);
2599 + }
2600 +
2601 + /**
2602 +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
2603 +index fe4f6a6242383..ed14ec2455847 100644
2604 +--- a/net/ipv4/fib_frontend.c
2605 ++++ b/net/ipv4/fib_frontend.c
2606 +@@ -710,6 +710,10 @@ static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
2607 + case RTA_GATEWAY:
2608 + cfg->fc_gw = nla_get_be32(attr);
2609 + break;
2610 ++ case RTA_VIA:
2611 ++ NL_SET_ERR_MSG(extack, "IPv4 does not support RTA_VIA attribute");
2612 ++ err = -EINVAL;
2613 ++ goto errout;
2614 + case RTA_PRIORITY:
2615 + cfg->fc_priority = nla_get_u32(attr);
2616 + break;
2617 +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
2618 +index d832beed6e3a3..c897fec9f903a 100644
2619 +--- a/net/ipv4/icmp.c
2620 ++++ b/net/ipv4/icmp.c
2621 +@@ -570,7 +570,8 @@ relookup_failed:
2622 + * MUST reply to only the first fragment.
2623 + */
2624 +
2625 +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
2626 ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
2627 ++ const struct ip_options *opt)
2628 + {
2629 + struct iphdr *iph;
2630 + int room;
2631 +@@ -691,7 +692,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
2632 + iph->tos;
2633 + mark = IP4_REPLY_MARK(net, skb_in->mark);
2634 +
2635 +- if (ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in))
2636 ++ if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt))
2637 + goto out_unlock;
2638 +
2639 +
2640 +@@ -742,7 +743,7 @@ out_bh_enable:
2641 + local_bh_enable();
2642 + out:;
2643 + }
2644 +-EXPORT_SYMBOL(icmp_send);
2645 ++EXPORT_SYMBOL(__icmp_send);
2646 +
2647 +
2648 + static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
2649 +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
2650 +index 3163428219cd5..a433b74a4f761 100644
2651 +--- a/net/ipv4/ip_input.c
2652 ++++ b/net/ipv4/ip_input.c
2653 +@@ -308,11 +308,10 @@ drop:
2654 + }
2655 +
2656 + static int ip_rcv_finish_core(struct net *net, struct sock *sk,
2657 +- struct sk_buff *skb)
2658 ++ struct sk_buff *skb, struct net_device *dev)
2659 + {
2660 + const struct iphdr *iph = ip_hdr(skb);
2661 + int (*edemux)(struct sk_buff *skb);
2662 +- struct net_device *dev = skb->dev;
2663 + struct rtable *rt;
2664 + int err;
2665 +
2666 +@@ -401,6 +400,7 @@ drop_error:
2667 +
2668 + static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
2669 + {
2670 ++ struct net_device *dev = skb->dev;
2671 + int ret;
2672 +
2673 + /* if ingress device is enslaved to an L3 master device pass the
2674 +@@ -410,7 +410,7 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
2675 + if (!skb)
2676 + return NET_RX_SUCCESS;
2677 +
2678 +- ret = ip_rcv_finish_core(net, sk, skb);
2679 ++ ret = ip_rcv_finish_core(net, sk, skb, dev);
2680 + if (ret != NET_RX_DROP)
2681 + ret = dst_input(skb);
2682 + return ret;
2683 +@@ -546,6 +546,7 @@ static void ip_list_rcv_finish(struct net *net, struct sock *sk,
2684 +
2685 + INIT_LIST_HEAD(&sublist);
2686 + list_for_each_entry_safe(skb, next, head, list) {
2687 ++ struct net_device *dev = skb->dev;
2688 + struct dst_entry *dst;
2689 +
2690 + skb_list_del_init(skb);
2691 +@@ -555,7 +556,7 @@ static void ip_list_rcv_finish(struct net *net, struct sock *sk,
2692 + skb = l3mdev_ip_rcv(skb);
2693 + if (!skb)
2694 + continue;
2695 +- if (ip_rcv_finish_core(net, sk, skb) == NET_RX_DROP)
2696 ++ if (ip_rcv_finish_core(net, sk, skb, dev) == NET_RX_DROP)
2697 + continue;
2698 +
2699 + dst = skb_dst(skb);
2700 +diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
2701 +index ed194d46c00e3..32a35043c9f59 100644
2702 +--- a/net/ipv4/ip_options.c
2703 ++++ b/net/ipv4/ip_options.c
2704 +@@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_dst, struct sk_buff *skb)
2705 + * If opt == NULL, then skb->data should point to IP header.
2706 + */
2707 +
2708 +-int ip_options_compile(struct net *net,
2709 +- struct ip_options *opt, struct sk_buff *skb)
2710 ++int __ip_options_compile(struct net *net,
2711 ++ struct ip_options *opt, struct sk_buff *skb,
2712 ++ __be32 *info)
2713 + {
2714 + __be32 spec_dst = htonl(INADDR_ANY);
2715 + unsigned char *pp_ptr = NULL;
2716 +@@ -468,11 +469,22 @@ eol:
2717 + return 0;
2718 +
2719 + error:
2720 +- if (skb) {
2721 +- icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24));
2722 +- }
2723 ++ if (info)
2724 ++ *info = htonl((pp_ptr-iph)<<24);
2725 + return -EINVAL;
2726 + }
2727 ++
2728 ++int ip_options_compile(struct net *net,
2729 ++ struct ip_options *opt, struct sk_buff *skb)
2730 ++{
2731 ++ int ret;
2732 ++ __be32 info;
2733 ++
2734 ++ ret = __ip_options_compile(net, opt, skb, &info);
2735 ++ if (ret != 0 && skb)
2736 ++ icmp_send(skb, ICMP_PARAMETERPROB, 0, info);
2737 ++ return ret;
2738 ++}
2739 + EXPORT_SYMBOL(ip_options_compile);
2740 +
2741 + /*
2742 +diff --git a/net/ipv4/netlink.c b/net/ipv4/netlink.c
2743 +index f86bb4f066095..d8e3a1fb8e826 100644
2744 +--- a/net/ipv4/netlink.c
2745 ++++ b/net/ipv4/netlink.c
2746 +@@ -3,9 +3,10 @@
2747 + #include <linux/types.h>
2748 + #include <net/net_namespace.h>
2749 + #include <net/netlink.h>
2750 ++#include <linux/in6.h>
2751 + #include <net/ip.h>
2752 +
2753 +-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto,
2754 ++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family,
2755 + struct netlink_ext_ack *extack)
2756 + {
2757 + *ip_proto = nla_get_u8(attr);
2758 +@@ -13,11 +14,19 @@ int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto,
2759 + switch (*ip_proto) {
2760 + case IPPROTO_TCP:
2761 + case IPPROTO_UDP:
2762 ++ return 0;
2763 + case IPPROTO_ICMP:
2764 ++ if (family != AF_INET)
2765 ++ break;
2766 ++ return 0;
2767 ++#if IS_ENABLED(CONFIG_IPV6)
2768 ++ case IPPROTO_ICMPV6:
2769 ++ if (family != AF_INET6)
2770 ++ break;
2771 + return 0;
2772 +- default:
2773 +- NL_SET_ERR_MSG(extack, "Unsupported ip proto");
2774 +- return -EOPNOTSUPP;
2775 ++#endif
2776 + }
2777 ++ NL_SET_ERR_MSG(extack, "Unsupported ip proto");
2778 ++ return -EOPNOTSUPP;
2779 + }
2780 + EXPORT_SYMBOL_GPL(rtm_getroute_parse_ip_proto);
2781 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
2782 +index d1ddf1d037215..efe45200db4f5 100644
2783 +--- a/net/ipv4/route.c
2784 ++++ b/net/ipv4/route.c
2785 +@@ -2803,7 +2803,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
2786 +
2787 + if (tb[RTA_IP_PROTO]) {
2788 + err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO],
2789 +- &ip_proto, extack);
2790 ++ &ip_proto, AF_INET, extack);
2791 + if (err)
2792 + return err;
2793 + }
2794 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
2795 +index edda3f9daab9a..9ed08ac6066c8 100644
2796 +--- a/net/ipv6/ip6mr.c
2797 ++++ b/net/ipv6/ip6mr.c
2798 +@@ -1964,10 +1964,10 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
2799 +
2800 + static inline int ip6mr_forward2_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
2801 + {
2802 +- __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
2803 +- IPSTATS_MIB_OUTFORWDATAGRAMS);
2804 +- __IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)),
2805 +- IPSTATS_MIB_OUTOCTETS, skb->len);
2806 ++ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
2807 ++ IPSTATS_MIB_OUTFORWDATAGRAMS);
2808 ++ IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)),
2809 ++ IPSTATS_MIB_OUTOCTETS, skb->len);
2810 + return dst_output(net, sk, skb);
2811 + }
2812 +
2813 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
2814 +index 059f0531f7c1c..c87ce5732338c 100644
2815 +--- a/net/ipv6/route.c
2816 ++++ b/net/ipv6/route.c
2817 +@@ -4163,6 +4163,10 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
2818 + cfg->fc_gateway = nla_get_in6_addr(tb[RTA_GATEWAY]);
2819 + cfg->fc_flags |= RTF_GATEWAY;
2820 + }
2821 ++ if (tb[RTA_VIA]) {
2822 ++ NL_SET_ERR_MSG(extack, "IPv6 does not support RTA_VIA attribute");
2823 ++ goto errout;
2824 ++ }
2825 +
2826 + if (tb[RTA_DST]) {
2827 + int plen = (rtm->rtm_dst_len + 7) >> 3;
2828 +@@ -4880,7 +4884,8 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
2829 +
2830 + if (tb[RTA_IP_PROTO]) {
2831 + err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO],
2832 +- &fl6.flowi6_proto, extack);
2833 ++ &fl6.flowi6_proto, AF_INET6,
2834 ++ extack);
2835 + if (err)
2836 + goto errout;
2837 + }
2838 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
2839 +index e8a1dabef803e..09e440e8dfaec 100644
2840 +--- a/net/ipv6/sit.c
2841 ++++ b/net/ipv6/sit.c
2842 +@@ -1873,6 +1873,7 @@ static int __net_init sit_init_net(struct net *net)
2843 +
2844 + err_reg_dev:
2845 + ipip6_dev_free(sitn->fb_tunnel_dev);
2846 ++ free_netdev(sitn->fb_tunnel_dev);
2847 + err_alloc_dev:
2848 + return err;
2849 + }
2850 +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
2851 +index 7d55d4c040887..fa763e2e50ec2 100644
2852 +--- a/net/mpls/af_mpls.c
2853 ++++ b/net/mpls/af_mpls.c
2854 +@@ -1838,6 +1838,9 @@ static int rtm_to_route_config(struct sk_buff *skb,
2855 + goto errout;
2856 + break;
2857 + }
2858 ++ case RTA_GATEWAY:
2859 ++ NL_SET_ERR_MSG(extack, "MPLS does not support RTA_GATEWAY attribute");
2860 ++ goto errout;
2861 + case RTA_VIA:
2862 + {
2863 + if (nla_get_via(nla, &cfg->rc_via_alen,
2864 +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
2865 +index ea7c67050792c..ee3e5b6471a69 100644
2866 +--- a/net/netlabel/netlabel_kapi.c
2867 ++++ b/net/netlabel/netlabel_kapi.c
2868 +@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
2869 + (state == 0 && (byte & bitmask) == 0))
2870 + return bit_spot;
2871 +
2872 +- bit_spot++;
2873 ++ if (++bit_spot >= bitmap_len)
2874 ++ return -1;
2875 + bitmask >>= 1;
2876 + if (bitmask == 0) {
2877 + byte = bitmap[++byte_offset];
2878 +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
2879 +index 6a196e438b6c0..d1fc019e932e0 100644
2880 +--- a/net/nfc/llcp_commands.c
2881 ++++ b/net/nfc/llcp_commands.c
2882 +@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
2883 + sock->service_name,
2884 + sock->service_name_len,
2885 + &service_name_tlv_length);
2886 ++ if (!service_name_tlv) {
2887 ++ err = -ENOMEM;
2888 ++ goto error_tlv;
2889 ++ }
2890 + size += service_name_tlv_length;
2891 + }
2892 +
2893 +@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
2894 +
2895 + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
2896 + &miux_tlv_length);
2897 ++ if (!miux_tlv) {
2898 ++ err = -ENOMEM;
2899 ++ goto error_tlv;
2900 ++ }
2901 + size += miux_tlv_length;
2902 +
2903 + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
2904 ++ if (!rw_tlv) {
2905 ++ err = -ENOMEM;
2906 ++ goto error_tlv;
2907 ++ }
2908 + size += rw_tlv_length;
2909 +
2910 + pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
2911 +@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
2912 +
2913 + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
2914 + &miux_tlv_length);
2915 ++ if (!miux_tlv) {
2916 ++ err = -ENOMEM;
2917 ++ goto error_tlv;
2918 ++ }
2919 + size += miux_tlv_length;
2920 +
2921 + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
2922 ++ if (!rw_tlv) {
2923 ++ err = -ENOMEM;
2924 ++ goto error_tlv;
2925 ++ }
2926 + size += rw_tlv_length;
2927 +
2928 + skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);
2929 +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
2930 +index ef4026a23e802..4fa015208aab1 100644
2931 +--- a/net/nfc/llcp_core.c
2932 ++++ b/net/nfc/llcp_core.c
2933 +@@ -532,10 +532,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
2934 +
2935 + static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
2936 + {
2937 +- u8 *gb_cur, *version_tlv, version, version_length;
2938 +- u8 *lto_tlv, lto_length;
2939 +- u8 *wks_tlv, wks_length;
2940 +- u8 *miux_tlv, miux_length;
2941 ++ u8 *gb_cur, version, version_length;
2942 ++ u8 lto_length, wks_length, miux_length;
2943 ++ u8 *version_tlv = NULL, *lto_tlv = NULL,
2944 ++ *wks_tlv = NULL, *miux_tlv = NULL;
2945 + __be16 wks = cpu_to_be16(local->local_wks);
2946 + u8 gb_len = 0;
2947 + int ret = 0;
2948 +@@ -543,17 +543,33 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
2949 + version = LLCP_VERSION_11;
2950 + version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
2951 + 1, &version_length);
2952 ++ if (!version_tlv) {
2953 ++ ret = -ENOMEM;
2954 ++ goto out;
2955 ++ }
2956 + gb_len += version_length;
2957 +
2958 + lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
2959 ++ if (!lto_tlv) {
2960 ++ ret = -ENOMEM;
2961 ++ goto out;
2962 ++ }
2963 + gb_len += lto_length;
2964 +
2965 + pr_debug("Local wks 0x%lx\n", local->local_wks);
2966 + wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
2967 ++ if (!wks_tlv) {
2968 ++ ret = -ENOMEM;
2969 ++ goto out;
2970 ++ }
2971 + gb_len += wks_length;
2972 +
2973 + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
2974 + &miux_length);
2975 ++ if (!miux_tlv) {
2976 ++ ret = -ENOMEM;
2977 ++ goto out;
2978 ++ }
2979 + gb_len += miux_length;
2980 +
2981 + gb_len += ARRAY_SIZE(llcp_magic);
2982 +diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
2983 +index 8af6c11d2482a..faa1addf89b3b 100644
2984 +--- a/net/sched/act_ipt.c
2985 ++++ b/net/sched/act_ipt.c
2986 +@@ -199,8 +199,7 @@ err3:
2987 + err2:
2988 + kfree(tname);
2989 + err1:
2990 +- if (ret == ACT_P_CREATED)
2991 +- tcf_idr_release(*a, bind);
2992 ++ tcf_idr_release(*a, bind);
2993 + return err;
2994 + }
2995 +
2996 +diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
2997 +index 64dba3708fce2..cfceed28c3331 100644
2998 +--- a/net/sched/act_skbedit.c
2999 ++++ b/net/sched/act_skbedit.c
3000 +@@ -189,8 +189,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
3001 +
3002 + params_new = kzalloc(sizeof(*params_new), GFP_KERNEL);
3003 + if (unlikely(!params_new)) {
3004 +- if (ret == ACT_P_CREATED)
3005 +- tcf_idr_release(*a, bind);
3006 ++ tcf_idr_release(*a, bind);
3007 + return -ENOMEM;
3008 + }
3009 +
3010 +diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
3011 +index 904730b8ce8f2..6f16202d4b4ff 100644
3012 +--- a/net/sched/act_tunnel_key.c
3013 ++++ b/net/sched/act_tunnel_key.c
3014 +@@ -377,7 +377,8 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
3015 + return ret;
3016 +
3017 + release_tun_meta:
3018 +- dst_release(&metadata->dst);
3019 ++ if (metadata)
3020 ++ dst_release(&metadata->dst);
3021 +
3022 + err_out:
3023 + if (exists)
3024 +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3025 +index de1663f7d3ad6..52f429b1cdd53 100644
3026 +--- a/net/sched/sch_generic.c
3027 ++++ b/net/sched/sch_generic.c
3028 +@@ -68,7 +68,7 @@ static inline struct sk_buff *__skb_dequeue_bad_txq(struct Qdisc *q)
3029 + skb = __skb_dequeue(&q->skb_bad_txq);
3030 + if (qdisc_is_percpu_stats(q)) {
3031 + qdisc_qstats_cpu_backlog_dec(q, skb);
3032 +- qdisc_qstats_cpu_qlen_dec(q);
3033 ++ qdisc_qstats_atomic_qlen_dec(q);
3034 + } else {
3035 + qdisc_qstats_backlog_dec(q, skb);
3036 + q->q.qlen--;
3037 +@@ -108,7 +108,7 @@ static inline void qdisc_enqueue_skb_bad_txq(struct Qdisc *q,
3038 +
3039 + if (qdisc_is_percpu_stats(q)) {
3040 + qdisc_qstats_cpu_backlog_inc(q, skb);
3041 +- qdisc_qstats_cpu_qlen_inc(q);
3042 ++ qdisc_qstats_atomic_qlen_inc(q);
3043 + } else {
3044 + qdisc_qstats_backlog_inc(q, skb);
3045 + q->q.qlen++;
3046 +@@ -147,7 +147,7 @@ static inline int dev_requeue_skb_locked(struct sk_buff *skb, struct Qdisc *q)
3047 +
3048 + qdisc_qstats_cpu_requeues_inc(q);
3049 + qdisc_qstats_cpu_backlog_inc(q, skb);
3050 +- qdisc_qstats_cpu_qlen_inc(q);
3051 ++ qdisc_qstats_atomic_qlen_inc(q);
3052 +
3053 + skb = next;
3054 + }
3055 +@@ -252,7 +252,7 @@ static struct sk_buff *dequeue_skb(struct Qdisc *q, bool *validate,
3056 + skb = __skb_dequeue(&q->gso_skb);
3057 + if (qdisc_is_percpu_stats(q)) {
3058 + qdisc_qstats_cpu_backlog_dec(q, skb);
3059 +- qdisc_qstats_cpu_qlen_dec(q);
3060 ++ qdisc_qstats_atomic_qlen_dec(q);
3061 + } else {
3062 + qdisc_qstats_backlog_dec(q, skb);
3063 + q->q.qlen--;
3064 +@@ -645,7 +645,7 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc,
3065 + if (unlikely(err))
3066 + return qdisc_drop_cpu(skb, qdisc, to_free);
3067 +
3068 +- qdisc_qstats_cpu_qlen_inc(qdisc);
3069 ++ qdisc_qstats_atomic_qlen_inc(qdisc);
3070 + /* Note: skb can not be used after skb_array_produce(),
3071 + * so we better not use qdisc_qstats_cpu_backlog_inc()
3072 + */
3073 +@@ -670,7 +670,7 @@ static struct sk_buff *pfifo_fast_dequeue(struct Qdisc *qdisc)
3074 + if (likely(skb)) {
3075 + qdisc_qstats_cpu_backlog_dec(qdisc, skb);
3076 + qdisc_bstats_cpu_update(qdisc, skb);
3077 +- qdisc_qstats_cpu_qlen_dec(qdisc);
3078 ++ qdisc_qstats_atomic_qlen_dec(qdisc);
3079 + }
3080 +
3081 + return skb;
3082 +@@ -714,7 +714,6 @@ static void pfifo_fast_reset(struct Qdisc *qdisc)
3083 + struct gnet_stats_queue *q = per_cpu_ptr(qdisc->cpu_qstats, i);
3084 +
3085 + q->backlog = 0;
3086 +- q->qlen = 0;
3087 + }
3088 + }
3089 +
3090 +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
3091 +index 22cd46a600576..ffb9e21ffc5c7 100644
3092 +--- a/net/sched/sch_netem.c
3093 ++++ b/net/sched/sch_netem.c
3094 +@@ -430,6 +430,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
3095 + int nb = 0;
3096 + int count = 1;
3097 + int rc = NET_XMIT_SUCCESS;
3098 ++ int rc_drop = NET_XMIT_DROP;
3099 +
3100 + /* Do not fool qdisc_drop_all() */
3101 + skb->prev = NULL;
3102 +@@ -469,6 +470,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
3103 + q->duplicate = 0;
3104 + rootq->enqueue(skb2, rootq, to_free);
3105 + q->duplicate = dupsave;
3106 ++ rc_drop = NET_XMIT_SUCCESS;
3107 + }
3108 +
3109 + /*
3110 +@@ -481,7 +483,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
3111 + if (skb_is_gso(skb)) {
3112 + segs = netem_segment(skb, sch, to_free);
3113 + if (!segs)
3114 +- return NET_XMIT_DROP;
3115 ++ return rc_drop;
3116 + } else {
3117 + segs = skb;
3118 + }
3119 +@@ -504,8 +506,10 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
3120 + 1<<(prandom_u32() % 8);
3121 + }
3122 +
3123 +- if (unlikely(sch->q.qlen >= sch->limit))
3124 +- return qdisc_drop_all(skb, sch, to_free);
3125 ++ if (unlikely(sch->q.qlen >= sch->limit)) {
3126 ++ qdisc_drop_all(skb, sch, to_free);
3127 ++ return rc_drop;
3128 ++ }
3129 +
3130 + qdisc_qstats_backlog_inc(sch, skb);
3131 +
3132 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
3133 +index b7a534f6d7c20..1b5728e9c4974 100644
3134 +--- a/net/sctp/socket.c
3135 ++++ b/net/sctp/socket.c
3136 +@@ -1866,6 +1866,7 @@ static int sctp_sendmsg_check_sflags(struct sctp_association *asoc,
3137 +
3138 + pr_debug("%s: aborting association:%p\n", __func__, asoc);
3139 + sctp_primitive_ABORT(net, asoc, chunk);
3140 ++ iov_iter_revert(&msg->msg_iter, msg_len);
3141 +
3142 + return 0;
3143 + }
3144 +diff --git a/net/socket.c b/net/socket.c
3145 +index 93a45f15ee40d..d4ac431b78b28 100644
3146 +--- a/net/socket.c
3147 ++++ b/net/socket.c
3148 +@@ -577,6 +577,7 @@ static void __sock_release(struct socket *sock, struct inode *inode)
3149 + if (inode)
3150 + inode_lock(inode);
3151 + sock->ops->release(sock);
3152 ++ sock->sk = NULL;
3153 + if (inode)
3154 + inode_unlock(inode);
3155 + sock->ops = NULL;
3156 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
3157 +index 8f34db2a97857..f08d8e4923f23 100644
3158 +--- a/net/tipc/socket.c
3159 ++++ b/net/tipc/socket.c
3160 +@@ -376,11 +376,13 @@ static int tipc_sk_sock_err(struct socket *sock, long *timeout)
3161 +
3162 + #define tipc_wait_for_cond(sock_, timeo_, condition_) \
3163 + ({ \
3164 ++ DEFINE_WAIT_FUNC(wait_, woken_wake_function); \
3165 + struct sock *sk_; \
3166 + int rc_; \
3167 + \
3168 + while ((rc_ = !(condition_))) { \
3169 +- DEFINE_WAIT_FUNC(wait_, woken_wake_function); \
3170 ++ /* coupled with smp_wmb() in tipc_sk_proto_rcv() */ \
3171 ++ smp_rmb(); \
3172 + sk_ = (sock_)->sk; \
3173 + rc_ = tipc_sk_sock_err((sock_), timeo_); \
3174 + if (rc_) \
3175 +@@ -1320,7 +1322,7 @@ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dlen)
3176 +
3177 + if (unlikely(!dest)) {
3178 + dest = &tsk->peer;
3179 +- if (!syn || dest->family != AF_TIPC)
3180 ++ if (!syn && dest->family != AF_TIPC)
3181 + return -EDESTADDRREQ;
3182 + }
3183 +
3184 +@@ -1968,6 +1970,8 @@ static void tipc_sk_proto_rcv(struct sock *sk,
3185 + return;
3186 + case SOCK_WAKEUP:
3187 + tipc_dest_del(&tsk->cong_links, msg_orignode(hdr), 0);
3188 ++ /* coupled with smp_rmb() in tipc_wait_for_cond() */
3189 ++ smp_wmb();
3190 + tsk->cong_link_cnt--;
3191 + wakeup = true;
3192 + break;
3193 +diff --git a/tools/testing/selftests/firmware/fw_lib.sh b/tools/testing/selftests/firmware/fw_lib.sh
3194 +index 6c5f1b2ffb745..1cbb12e284a68 100755
3195 +--- a/tools/testing/selftests/firmware/fw_lib.sh
3196 ++++ b/tools/testing/selftests/firmware/fw_lib.sh
3197 +@@ -91,7 +91,7 @@ verify_reqs()
3198 + if [ "$TEST_REQS_FW_SYSFS_FALLBACK" = "yes" ]; then
3199 + if [ ! "$HAS_FW_LOADER_USER_HELPER" = "yes" ]; then
3200 + echo "usermode helper disabled so ignoring test"
3201 +- exit $ksft_skip
3202 ++ exit 0
3203 + fi
3204 + fi
3205 + }
Report Message
Find on MARC Find on Google Groups