Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Tue, 08 Feb 2022 17:58:01
Message-Id: 1644343064.5cfe93a1c00df434b691c71be327dd51aa79b09d.mpagano@gentoo
1 commit: 5cfe93a1c00df434b691c71be327dd51aa79b09d
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 8 17:57:44 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 8 17:57:44 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=5cfe93a1
7
8 Linux patch 4.14.265
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1264_linux-4.14.265.patch | 2126 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2130 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 26b19eee..702acb91 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1103,6 +1103,10 @@ Patch: 1263_linux-4.14.264.patch
21 From: https://www.kernel.org
22 Desc: Linux 4.14.264
23
24 +Patch: 1264_linux-4.14.265.patch
25 +From: https://www.kernel.org
26 +Desc: Linux 4.14.265
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1264_linux-4.14.265.patch b/1264_linux-4.14.265.patch
33 new file mode 100644
34 index 00000000..0a179759
35 --- /dev/null
36 +++ b/1264_linux-4.14.265.patch
37 @@ -0,0 +1,2126 @@
38 +diff --git a/Makefile b/Makefile
39 +index c5508214fa1f8..bc98aa57a6faf 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 14
46 +-SUBLEVEL = 264
47 ++SUBLEVEL = 265
48 + EXTRAVERSION =
49 + NAME = Petit Gorille
50 +
51 +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
52 +index 681f966b7211d..3325760173813 100644
53 +--- a/arch/powerpc/kernel/Makefile
54 ++++ b/arch/powerpc/kernel/Makefile
55 +@@ -15,6 +15,7 @@ CFLAGS_prom_init.o += -fPIC
56 + CFLAGS_btext.o += -fPIC
57 + endif
58 +
59 ++CFLAGS_setup_32.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
60 + CFLAGS_cputable.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
61 + CFLAGS_prom_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
62 + CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
63 +diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile
64 +index c66c3626a2161..00c34be4c6042 100644
65 +--- a/arch/powerpc/lib/Makefile
66 ++++ b/arch/powerpc/lib/Makefile
67 +@@ -10,6 +10,9 @@ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC)
68 + CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE)
69 + CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE)
70 +
71 ++CFLAGS_code-patching.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
72 ++CFLAGS_feature-fixups.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
73 ++
74 + obj-y += string.o alloc.o code-patching.o feature-fixups.o
75 +
76 + obj-$(CONFIG_PPC32) += div64.o copy_32.o crtsavres.o
77 +diff --git a/arch/s390/hypfs/hypfs_vm.c b/arch/s390/hypfs/hypfs_vm.c
78 +index c4b7b681e0554..90740be25cf86 100644
79 +--- a/arch/s390/hypfs/hypfs_vm.c
80 ++++ b/arch/s390/hypfs/hypfs_vm.c
81 +@@ -20,6 +20,7 @@
82 +
83 + static char local_guest[] = " ";
84 + static char all_guests[] = "* ";
85 ++static char *all_groups = all_guests;
86 + static char *guest_query;
87 +
88 + struct diag2fc_data {
89 +@@ -62,10 +63,11 @@ static int diag2fc(int size, char* query, void *addr)
90 +
91 + memcpy(parm_list.userid, query, NAME_LEN);
92 + ASCEBC(parm_list.userid, NAME_LEN);
93 +- parm_list.addr = (unsigned long) addr ;
94 ++ memcpy(parm_list.aci_grp, all_groups, NAME_LEN);
95 ++ ASCEBC(parm_list.aci_grp, NAME_LEN);
96 ++ parm_list.addr = (unsigned long)addr;
97 + parm_list.size = size;
98 + parm_list.fmt = 0x02;
99 +- memset(parm_list.aci_grp, 0x40, NAME_LEN);
100 + rc = -1;
101 +
102 + diag_stat_inc(DIAG_STAT_X2FC);
103 +diff --git a/block/bio-integrity.c b/block/bio-integrity.c
104 +index d3df44c3b43af..4cee9446ce588 100644
105 +--- a/block/bio-integrity.c
106 ++++ b/block/bio-integrity.c
107 +@@ -417,7 +417,7 @@ void bio_integrity_advance(struct bio *bio, unsigned int bytes_done)
108 + struct blk_integrity *bi = blk_get_integrity(bio->bi_disk);
109 + unsigned bytes = bio_integrity_bytes(bi, bytes_done >> 9);
110 +
111 +- bip->bip_iter.bi_sector += bytes_done >> 9;
112 ++ bip->bip_iter.bi_sector += bio_integrity_intervals(bi, bytes_done >> 9);
113 + bvec_iter_advance(bip->bip_vec, &bip->bip_iter, bytes);
114 + }
115 + EXPORT_SYMBOL(bio_integrity_advance);
116 +diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c
117 +index d92090b127de7..5cf180448a9e0 100644
118 +--- a/drivers/edac/altera_edac.c
119 ++++ b/drivers/edac/altera_edac.c
120 +@@ -357,7 +357,7 @@ static int altr_sdram_probe(struct platform_device *pdev)
121 + if (irq < 0) {
122 + edac_printk(KERN_ERR, EDAC_MC,
123 + "No irq %d in DT\n", irq);
124 +- return -ENODEV;
125 ++ return irq;
126 + }
127 +
128 + /* Arria10 has a 2nd IRQ */
129 +diff --git a/drivers/edac/xgene_edac.c b/drivers/edac/xgene_edac.c
130 +index e8b81d7ef61fa..028ddc7903254 100644
131 +--- a/drivers/edac/xgene_edac.c
132 ++++ b/drivers/edac/xgene_edac.c
133 +@@ -1934,7 +1934,7 @@ static int xgene_edac_probe(struct platform_device *pdev)
134 + irq = platform_get_irq(pdev, i);
135 + if (irq < 0) {
136 + dev_err(&pdev->dev, "No IRQ resource\n");
137 +- rc = -EINVAL;
138 ++ rc = irq;
139 + goto out_err;
140 + }
141 + rc = devm_request_irq(&pdev->dev, irq,
142 +diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c
143 +index aace22e7ccace..d3afa2b6ef9c5 100644
144 +--- a/drivers/gpu/drm/i915/intel_overlay.c
145 ++++ b/drivers/gpu/drm/i915/intel_overlay.c
146 +@@ -965,6 +965,9 @@ static int check_overlay_dst(struct intel_overlay *overlay,
147 + const struct intel_crtc_state *pipe_config =
148 + overlay->crtc->config;
149 +
150 ++ if (rec->dst_height == 0 || rec->dst_width == 0)
151 ++ return -EINVAL;
152 ++
153 + if (rec->dst_x < pipe_config->pipe_src_w &&
154 + rec->dst_x + rec->dst_width <= pipe_config->pipe_src_w &&
155 + rec->dst_y < pipe_config->pipe_src_h &&
156 +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
157 +index c0a7fa56d9a74..32c7bf0d44faf 100644
158 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
159 ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
160 +@@ -554,12 +554,14 @@ void __exit msm_dsi_phy_driver_unregister(void)
161 + int msm_dsi_phy_enable(struct msm_dsi_phy *phy, int src_pll_id,
162 + struct msm_dsi_phy_clk_request *clk_req)
163 + {
164 +- struct device *dev = &phy->pdev->dev;
165 ++ struct device *dev;
166 + int ret;
167 +
168 + if (!phy || !phy->cfg->ops.enable)
169 + return -EINVAL;
170 +
171 ++ dev = &phy->pdev->dev;
172 ++
173 + ret = dsi_phy_enable_resource(phy);
174 + if (ret) {
175 + dev_err(dev, "%s: resource enable failed, %d\n",
176 +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
177 +index 3dad4687d3ddc..7951f57f92027 100644
178 +--- a/drivers/gpu/drm/msm/msm_drv.c
179 ++++ b/drivers/gpu/drm/msm/msm_drv.c
180 +@@ -321,7 +321,7 @@ static int msm_init_vram(struct drm_device *dev)
181 + of_node_put(node);
182 + if (ret)
183 + return ret;
184 +- size = r.end - r.start;
185 ++ size = r.end - r.start + 1;
186 + DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start);
187 +
188 + /* if we have no IOMMU, then we need to use carveout allocator.
189 +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
190 +index f3c30b2a788e8..8bff14ae16b0e 100644
191 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
192 ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
193 +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
194 + *addr += bios->imaged_addr;
195 + }
196 +
197 +- if (unlikely(*addr + size >= bios->size)) {
198 ++ if (unlikely(*addr + size > bios->size)) {
199 + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
200 + return false;
201 + }
202 +diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c
203 +index 30a7f7fde6511..033c89f8359d1 100644
204 +--- a/drivers/hwmon/lm90.c
205 ++++ b/drivers/hwmon/lm90.c
206 +@@ -359,7 +359,7 @@ static const struct lm90_params lm90_params[] = {
207 + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT
208 + | LM90_HAVE_BROKEN_ALERT,
209 + .alert_alarms = 0x7c,
210 +- .max_convrate = 8,
211 ++ .max_convrate = 7,
212 + },
213 + [lm86] = {
214 + .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT,
215 +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
216 +index 3f8511104c5b6..657b70338f7a6 100644
217 +--- a/drivers/infiniband/hw/mlx4/main.c
218 ++++ b/drivers/infiniband/hw/mlx4/main.c
219 +@@ -3346,7 +3346,7 @@ static void mlx4_ib_event(struct mlx4_dev *dev, void *ibdev_ptr,
220 + case MLX4_DEV_EVENT_PORT_MGMT_CHANGE:
221 + ew = kmalloc(sizeof *ew, GFP_ATOMIC);
222 + if (!ew)
223 +- break;
224 ++ return;
225 +
226 + INIT_WORK(&ew->work, handle_port_mgmt_change_event);
227 + memcpy(&ew->ib_eqe, eqe, sizeof *eqe);
228 +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
229 +index ec9a20e069417..5dddbb9b06f12 100644
230 +--- a/drivers/iommu/amd_iommu_init.c
231 ++++ b/drivers/iommu/amd_iommu_init.c
232 +@@ -30,6 +30,7 @@
233 + #include <linux/iommu.h>
234 + #include <linux/kmemleak.h>
235 + #include <linux/mem_encrypt.h>
236 ++#include <linux/iopoll.h>
237 + #include <asm/pci-direct.h>
238 + #include <asm/iommu.h>
239 + #include <asm/gart.h>
240 +@@ -770,6 +771,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu)
241 + status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET);
242 + if (status & (MMIO_STATUS_GALOG_RUN_MASK))
243 + break;
244 ++ udelay(10);
245 + }
246 +
247 + if (i >= LOOP_TIMEOUT)
248 +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
249 +index 25e85fdfb9d49..1f34835e12b59 100644
250 +--- a/drivers/iommu/intel_irq_remapping.c
251 ++++ b/drivers/iommu/intel_irq_remapping.c
252 +@@ -543,9 +543,8 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu)
253 + fn, &intel_ir_domain_ops,
254 + iommu);
255 + if (!iommu->ir_domain) {
256 +- irq_domain_free_fwnode(fn);
257 + pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id);
258 +- goto out_free_bitmap;
259 ++ goto out_free_fwnode;
260 + }
261 + iommu->ir_msi_domain =
262 + arch_create_remap_msi_irq_domain(iommu->ir_domain,
263 +@@ -569,7 +568,7 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu)
264 +
265 + if (dmar_enable_qi(iommu)) {
266 + pr_err("Failed to enable queued invalidation\n");
267 +- goto out_free_bitmap;
268 ++ goto out_free_ir_domain;
269 + }
270 + }
271 +
272 +@@ -593,6 +592,14 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu)
273 +
274 + return 0;
275 +
276 ++out_free_ir_domain:
277 ++ if (iommu->ir_msi_domain)
278 ++ irq_domain_remove(iommu->ir_msi_domain);
279 ++ iommu->ir_msi_domain = NULL;
280 ++ irq_domain_remove(iommu->ir_domain);
281 ++ iommu->ir_domain = NULL;
282 ++out_free_fwnode:
283 ++ irq_domain_free_fwnode(fn);
284 + out_free_bitmap:
285 + kfree(bitmap);
286 + out_free_pages:
287 +diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
288 +index 76f6a4f628b39..cc0df7280fe50 100644
289 +--- a/drivers/misc/Makefile
290 ++++ b/drivers/misc/Makefile
291 +@@ -69,7 +69,7 @@ KCOV_INSTRUMENT_lkdtm_rodata.o := n
292 +
293 + OBJCOPYFLAGS :=
294 + OBJCOPYFLAGS_lkdtm_rodata_objcopy.o := \
295 +- --rename-section .text=.rodata,alloc,readonly,load
296 ++ --rename-section .text=.rodata,alloc,readonly,load,contents
297 + targets += lkdtm_rodata.o lkdtm_rodata_objcopy.o
298 + $(obj)/lkdtm_rodata_objcopy.o: $(obj)/lkdtm_rodata.o FORCE
299 + $(call if_changed,objcopy)
300 +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
301 +index 8556962e68244..78412d6024aad 100644
302 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
303 ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
304 +@@ -724,7 +724,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata)
305 + if (!channel->tx_ring)
306 + break;
307 +
308 ++ /* Deactivate the Tx timer */
309 + del_timer_sync(&channel->tx_timer);
310 ++ channel->tx_timer_active = 0;
311 + }
312 + }
313 +
314 +@@ -2720,6 +2722,14 @@ read_again:
315 + buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
316 + len += buf2_len;
317 +
318 ++ if (buf2_len > rdata->rx.buf.dma_len) {
319 ++ /* Hardware inconsistency within the descriptors
320 ++ * that has resulted in a length underflow.
321 ++ */
322 ++ error = 1;
323 ++ goto skip_data;
324 ++ }
325 ++
326 + if (!skb) {
327 + skb = xgbe_create_skb(pdata, napi, rdata,
328 + buf1_len);
329 +@@ -2749,8 +2759,10 @@ skip_data:
330 + if (!last || context_next)
331 + goto read_again;
332 +
333 +- if (!skb)
334 ++ if (!skb || error) {
335 ++ dev_kfree_skb(skb);
336 + goto next_packet;
337 ++ }
338 +
339 + /* Be sure we don't exceed the configured MTU */
340 + max_len = netdev->mtu + ETH_HLEN;
341 +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
342 +index 4befc885efb8d..8d8eb9e2465ff 100644
343 +--- a/drivers/net/ethernet/ibm/ibmvnic.c
344 ++++ b/drivers/net/ethernet/ibm/ibmvnic.c
345 +@@ -3691,12 +3691,6 @@ static void ibmvnic_tasklet(void *data)
346 + ibmvnic_handle_crq(crq, adapter);
347 + crq->generic.first = 0;
348 + }
349 +-
350 +- /* remain in tasklet until all
351 +- * capabilities responses are received
352 +- */
353 +- if (!adapter->wait_capability)
354 +- done = true;
355 + }
356 + /* if capabilities CRQ's were sent in this tasklet, the following
357 + * tasklet must wait until all responses are received
358 +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
359 +index 438e2675bc132..bb46a635c7e54 100644
360 +--- a/drivers/net/ethernet/intel/i40e/i40e.h
361 ++++ b/drivers/net/ethernet/intel/i40e/i40e.h
362 +@@ -627,12 +627,12 @@ struct i40e_vsi {
363 + struct rtnl_link_stats64 net_stats_offsets;
364 + struct i40e_eth_stats eth_stats;
365 + struct i40e_eth_stats eth_stats_offsets;
366 +- u32 tx_restart;
367 +- u32 tx_busy;
368 ++ u64 tx_restart;
369 ++ u64 tx_busy;
370 + u64 tx_linearize;
371 + u64 tx_force_wb;
372 +- u32 rx_buf_failed;
373 +- u32 rx_page_failed;
374 ++ u64 rx_buf_failed;
375 ++ u64 rx_page_failed;
376 +
377 + /* These are containers of ring pointers, allocated at run-time */
378 + struct i40e_ring **rx_rings;
379 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
380 +index 8f326f87a815b..126207be492d3 100644
381 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
382 ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
383 +@@ -259,7 +259,7 @@ static void i40e_dbg_dump_vsi_seid(struct i40e_pf *pf, int seid)
384 + (unsigned long int)vsi->net_stats_offsets.rx_compressed,
385 + (unsigned long int)vsi->net_stats_offsets.tx_compressed);
386 + dev_info(&pf->pdev->dev,
387 +- " tx_restart = %d, tx_busy = %d, rx_buf_failed = %d, rx_page_failed = %d\n",
388 ++ " tx_restart = %llu, tx_busy = %llu, rx_buf_failed = %llu, rx_page_failed = %llu\n",
389 + vsi->tx_restart, vsi->tx_busy,
390 + vsi->rx_buf_failed, vsi->rx_page_failed);
391 + rcu_read_lock();
392 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
393 +index 5b5434976698e..5dac08c2c6e68 100644
394 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
395 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
396 +@@ -778,9 +778,9 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi)
397 + struct rtnl_link_stats64 *ns; /* netdev stats */
398 + struct i40e_eth_stats *oes;
399 + struct i40e_eth_stats *es; /* device's eth stats */
400 +- u32 tx_restart, tx_busy;
401 ++ u64 tx_restart, tx_busy;
402 + struct i40e_ring *p;
403 +- u32 rx_page, rx_buf;
404 ++ u64 rx_page, rx_buf;
405 + u64 bytes, packets;
406 + unsigned int start;
407 + u64 tx_linearize;
408 +@@ -7245,15 +7245,9 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
409 + }
410 + i40e_get_oem_version(&pf->hw);
411 +
412 +- if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) &&
413 +- ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) ||
414 +- hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) {
415 +- /* The following delay is necessary for 4.33 firmware and older
416 +- * to recover after EMP reset. 200 ms should suffice but we
417 +- * put here 300 ms to be sure that FW is ready to operate
418 +- * after reset.
419 +- */
420 +- mdelay(300);
421 ++ if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) {
422 ++ /* The following delay is necessary for firmware update. */
423 ++ mdelay(1000);
424 + }
425 +
426 + /* re-verify the eeprom if we just had an EMP reset */
427 +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
428 +index b74c735a423dd..3338e24b91a57 100644
429 +--- a/drivers/net/hamradio/yam.c
430 ++++ b/drivers/net/hamradio/yam.c
431 +@@ -980,9 +980,7 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
432 + sizeof(struct yamdrv_ioctl_mcs));
433 + if (IS_ERR(ym))
434 + return PTR_ERR(ym);
435 +- if (ym->cmd != SIOCYAMSMCS)
436 +- return -EINVAL;
437 +- if (ym->bitrate > YAM_MAXBITRATE) {
438 ++ if (ym->cmd != SIOCYAMSMCS || ym->bitrate > YAM_MAXBITRATE) {
439 + kfree(ym);
440 + return -EINVAL;
441 + }
442 +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
443 +index 368369469e321..893a5787d81d7 100644
444 +--- a/drivers/net/ieee802154/ca8210.c
445 ++++ b/drivers/net/ieee802154/ca8210.c
446 +@@ -1770,6 +1770,7 @@ static int ca8210_async_xmit_complete(
447 + status
448 + );
449 + if (status != MAC_TRANSACTION_OVERFLOW) {
450 ++ dev_kfree_skb_any(priv->tx_skb);
451 + ieee802154_wake_queue(priv->hw);
452 + return 0;
453 + }
454 +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
455 +index 834fa544d6d93..6b10d68e3e538 100644
456 +--- a/drivers/net/macsec.c
457 ++++ b/drivers/net/macsec.c
458 +@@ -3230,6 +3230,15 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
459 +
460 + macsec->real_dev = real_dev;
461 +
462 ++ /* send_sci must be set to true when transmit sci explicitly is set */
463 ++ if ((data && data[IFLA_MACSEC_SCI]) &&
464 ++ (data && data[IFLA_MACSEC_INC_SCI])) {
465 ++ u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
466 ++
467 ++ if (!send_sci)
468 ++ return -EINVAL;
469 ++ }
470 ++
471 + if (data && data[IFLA_MACSEC_ICV_LEN])
472 + icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
473 + mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
474 +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
475 +index 89d8efe8753e5..a045fb3a698be 100644
476 +--- a/drivers/net/phy/phylink.c
477 ++++ b/drivers/net/phy/phylink.c
478 +@@ -514,6 +514,11 @@ static int phylink_register_sfp(struct phylink *pl, struct device_node *np)
479 + if (!sfp_np)
480 + return 0;
481 +
482 ++ if (!of_device_is_available(sfp_np)) {
483 ++ of_node_put(sfp_np);
484 ++ return 0;
485 ++ }
486 ++
487 + pl->sfp_bus = sfp_register_upstream(sfp_np, pl->netdev, pl,
488 + &sfp_phylink_ops);
489 + if (!pl->sfp_bus)
490 +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
491 +index 8e2eb20613548..cea005cc7b2ab 100644
492 +--- a/drivers/net/usb/ipheth.c
493 ++++ b/drivers/net/usb/ipheth.c
494 +@@ -173,7 +173,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone)
495 + if (tx_buf == NULL)
496 + goto free_rx_urb;
497 +
498 +- rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
499 ++ rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
500 + GFP_KERNEL, &rx_urb->transfer_dma);
501 + if (rx_buf == NULL)
502 + goto free_tx_buf;
503 +@@ -198,7 +198,7 @@ error_nomem:
504 +
505 + static void ipheth_free_urbs(struct ipheth_device *iphone)
506 + {
507 +- usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
508 ++ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf,
509 + iphone->rx_urb->transfer_dma);
510 + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
511 + iphone->tx_urb->transfer_dma);
512 +@@ -371,7 +371,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags)
513 +
514 + usb_fill_bulk_urb(dev->rx_urb, udev,
515 + usb_rcvbulkpipe(udev, dev->bulk_in),
516 +- dev->rx_buf, IPHETH_BUF_SIZE,
517 ++ dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
518 + ipheth_rcvbulk_callback,
519 + dev);
520 + dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
521 +diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
522 +index 6a5b5b16145e3..3805bcce9691b 100644
523 +--- a/drivers/rpmsg/rpmsg_char.c
524 ++++ b/drivers/rpmsg/rpmsg_char.c
525 +@@ -100,7 +100,7 @@ static int rpmsg_eptdev_destroy(struct device *dev, void *data)
526 + /* wake up any blocked readers */
527 + wake_up_interruptible(&eptdev->readq);
528 +
529 +- device_del(&eptdev->dev);
530 ++ cdev_device_del(&eptdev->cdev, &eptdev->dev);
531 + put_device(&eptdev->dev);
532 +
533 + return 0;
534 +@@ -336,7 +336,6 @@ static void rpmsg_eptdev_release_device(struct device *dev)
535 +
536 + ida_simple_remove(&rpmsg_ept_ida, dev->id);
537 + ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
538 +- cdev_del(&eptdev->cdev);
539 + kfree(eptdev);
540 + }
541 +
542 +@@ -381,19 +380,13 @@ static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev,
543 + dev->id = ret;
544 + dev_set_name(dev, "rpmsg%d", ret);
545 +
546 +- ret = cdev_add(&eptdev->cdev, dev->devt, 1);
547 ++ ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
548 + if (ret)
549 + goto free_ept_ida;
550 +
551 + /* We can now rely on the release function for cleanup */
552 + dev->release = rpmsg_eptdev_release_device;
553 +
554 +- ret = device_add(dev);
555 +- if (ret) {
556 +- dev_err(dev, "device_add failed: %d\n", ret);
557 +- put_device(dev);
558 +- }
559 +-
560 + return ret;
561 +
562 + free_ept_ida:
563 +@@ -461,7 +454,6 @@ static void rpmsg_ctrldev_release_device(struct device *dev)
564 +
565 + ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
566 + ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
567 +- cdev_del(&ctrldev->cdev);
568 + kfree(ctrldev);
569 + }
570 +
571 +@@ -496,19 +488,13 @@ static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
572 + dev->id = ret;
573 + dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret);
574 +
575 +- ret = cdev_add(&ctrldev->cdev, dev->devt, 1);
576 ++ ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev);
577 + if (ret)
578 + goto free_ctrl_ida;
579 +
580 + /* We can now rely on the release function for cleanup */
581 + dev->release = rpmsg_ctrldev_release_device;
582 +
583 +- ret = device_add(dev);
584 +- if (ret) {
585 +- dev_err(&rpdev->dev, "device_add failed: %d\n", ret);
586 +- put_device(dev);
587 +- }
588 +-
589 + dev_set_drvdata(&rpdev->dev, ctrldev);
590 +
591 + return ret;
592 +@@ -534,7 +520,7 @@ static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
593 + if (ret)
594 + dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
595 +
596 +- device_del(&ctrldev->dev);
597 ++ cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
598 + put_device(&ctrldev->dev);
599 + }
600 +
601 +diff --git a/drivers/rtc/rtc-mc146818-lib.c b/drivers/rtc/rtc-mc146818-lib.c
602 +index 18a6f15e313d8..86b8858917b62 100644
603 +--- a/drivers/rtc/rtc-mc146818-lib.c
604 ++++ b/drivers/rtc/rtc-mc146818-lib.c
605 +@@ -82,7 +82,7 @@ unsigned int mc146818_get_time(struct rtc_time *time)
606 + time->tm_year += real_year - 72;
607 + #endif
608 +
609 +- if (century > 20)
610 ++ if (century > 19)
611 + time->tm_year += (century - 19) * 100;
612 +
613 + /*
614 +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
615 +index 0c5fd722a72dc..a7ed1edf24722 100644
616 +--- a/drivers/s390/scsi/zfcp_fc.c
617 ++++ b/drivers/s390/scsi/zfcp_fc.c
618 +@@ -521,6 +521,8 @@ static void zfcp_fc_adisc_handler(void *data)
619 + goto out;
620 + }
621 +
622 ++ /* re-init to undo drop from zfcp_fc_adisc() */
623 ++ port->d_id = ntoh24(adisc_resp->adisc_port_id);
624 + /* port is good, unblock rport without going through erp */
625 + zfcp_scsi_schedule_rport_register(port);
626 + out:
627 +@@ -534,6 +536,7 @@ static int zfcp_fc_adisc(struct zfcp_port *port)
628 + struct zfcp_fc_req *fc_req;
629 + struct zfcp_adapter *adapter = port->adapter;
630 + struct Scsi_Host *shost = adapter->scsi_host;
631 ++ u32 d_id;
632 + int ret;
633 +
634 + fc_req = kmem_cache_zalloc(zfcp_fc_req_cache, GFP_ATOMIC);
635 +@@ -558,7 +561,15 @@ static int zfcp_fc_adisc(struct zfcp_port *port)
636 + fc_req->u.adisc.req.adisc_cmd = ELS_ADISC;
637 + hton24(fc_req->u.adisc.req.adisc_port_id, fc_host_port_id(shost));
638 +
639 +- ret = zfcp_fsf_send_els(adapter, port->d_id, &fc_req->ct_els,
640 ++ d_id = port->d_id; /* remember as destination for send els below */
641 ++ /*
642 ++ * Force fresh GID_PN lookup on next port recovery.
643 ++ * Must happen after request setup and before sending request,
644 ++ * to prevent race with port->d_id re-init in zfcp_fc_adisc_handler().
645 ++ */
646 ++ port->d_id = 0;
647 ++
648 ++ ret = zfcp_fsf_send_els(adapter, d_id, &fc_req->ct_els,
649 + ZFCP_FC_CTELS_TMO);
650 + if (ret)
651 + kmem_cache_free(zfcp_fc_req_cache, fc_req);
652 +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
653 +index 116a56f0af016..b91fd5ded5591 100644
654 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
655 ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
656 +@@ -80,7 +80,7 @@ static int bnx2fc_bind_pcidev(struct bnx2fc_hba *hba);
657 + static void bnx2fc_unbind_pcidev(struct bnx2fc_hba *hba);
658 + static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface,
659 + struct device *parent, int npiv);
660 +-static void bnx2fc_destroy_work(struct work_struct *work);
661 ++static void bnx2fc_port_destroy(struct fcoe_port *port);
662 +
663 + static struct bnx2fc_hba *bnx2fc_hba_lookup(struct net_device *phys_dev);
664 + static struct bnx2fc_interface *bnx2fc_interface_lookup(struct net_device
665 +@@ -515,7 +515,8 @@ static int bnx2fc_l2_rcv_thread(void *arg)
666 +
667 + static void bnx2fc_recv_frame(struct sk_buff *skb)
668 + {
669 +- u32 fr_len;
670 ++ u64 crc_err;
671 ++ u32 fr_len, fr_crc;
672 + struct fc_lport *lport;
673 + struct fcoe_rcv_info *fr;
674 + struct fc_stats *stats;
675 +@@ -549,6 +550,11 @@ static void bnx2fc_recv_frame(struct sk_buff *skb)
676 + skb_pull(skb, sizeof(struct fcoe_hdr));
677 + fr_len = skb->len - sizeof(struct fcoe_crc_eof);
678 +
679 ++ stats = per_cpu_ptr(lport->stats, get_cpu());
680 ++ stats->RxFrames++;
681 ++ stats->RxWords += fr_len / FCOE_WORD_TO_BYTE;
682 ++ put_cpu();
683 ++
684 + fp = (struct fc_frame *)skb;
685 + fc_frame_init(fp);
686 + fr_dev(fp) = lport;
687 +@@ -631,16 +637,15 @@ static void bnx2fc_recv_frame(struct sk_buff *skb)
688 + return;
689 + }
690 +
691 +- stats = per_cpu_ptr(lport->stats, smp_processor_id());
692 +- stats->RxFrames++;
693 +- stats->RxWords += fr_len / FCOE_WORD_TO_BYTE;
694 ++ fr_crc = le32_to_cpu(fr_crc(fp));
695 +
696 +- if (le32_to_cpu(fr_crc(fp)) !=
697 +- ~crc32(~0, skb->data, fr_len)) {
698 +- if (stats->InvalidCRCCount < 5)
699 ++ if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) {
700 ++ stats = per_cpu_ptr(lport->stats, get_cpu());
701 ++ crc_err = (stats->InvalidCRCCount++);
702 ++ put_cpu();
703 ++ if (crc_err < 5)
704 + printk(KERN_WARNING PFX "dropping frame with "
705 + "CRC error\n");
706 +- stats->InvalidCRCCount++;
707 + kfree_skb(skb);
708 + return;
709 + }
710 +@@ -911,9 +916,6 @@ static void bnx2fc_indicate_netevent(void *context, unsigned long event,
711 + __bnx2fc_destroy(interface);
712 + }
713 + mutex_unlock(&bnx2fc_dev_lock);
714 +-
715 +- /* Ensure ALL destroy work has been completed before return */
716 +- flush_workqueue(bnx2fc_wq);
717 + return;
718 +
719 + default:
720 +@@ -1220,8 +1222,8 @@ static int bnx2fc_vport_destroy(struct fc_vport *vport)
721 + mutex_unlock(&n_port->lp_mutex);
722 + bnx2fc_free_vport(interface->hba, port->lport);
723 + bnx2fc_port_shutdown(port->lport);
724 ++ bnx2fc_port_destroy(port);
725 + bnx2fc_interface_put(interface);
726 +- queue_work(bnx2fc_wq, &port->destroy_work);
727 + return 0;
728 + }
729 +
730 +@@ -1530,7 +1532,6 @@ static struct fc_lport *bnx2fc_if_create(struct bnx2fc_interface *interface,
731 + port->lport = lport;
732 + port->priv = interface;
733 + port->get_netdev = bnx2fc_netdev;
734 +- INIT_WORK(&port->destroy_work, bnx2fc_destroy_work);
735 +
736 + /* Configure fcoe_port */
737 + rc = bnx2fc_lport_config(lport);
738 +@@ -1658,8 +1659,8 @@ static void __bnx2fc_destroy(struct bnx2fc_interface *interface)
739 + bnx2fc_interface_cleanup(interface);
740 + bnx2fc_stop(interface);
741 + list_del(&interface->list);
742 ++ bnx2fc_port_destroy(port);
743 + bnx2fc_interface_put(interface);
744 +- queue_work(bnx2fc_wq, &port->destroy_work);
745 + }
746 +
747 + /**
748 +@@ -1700,15 +1701,12 @@ netdev_err:
749 + return rc;
750 + }
751 +
752 +-static void bnx2fc_destroy_work(struct work_struct *work)
753 ++static void bnx2fc_port_destroy(struct fcoe_port *port)
754 + {
755 +- struct fcoe_port *port;
756 + struct fc_lport *lport;
757 +
758 +- port = container_of(work, struct fcoe_port, destroy_work);
759 + lport = port->lport;
760 +-
761 +- BNX2FC_HBA_DBG(lport, "Entered bnx2fc_destroy_work\n");
762 ++ BNX2FC_HBA_DBG(lport, "Entered %s, destroying lport %p\n", __func__, lport);
763 +
764 + bnx2fc_if_destroy(lport);
765 + }
766 +@@ -2563,9 +2561,6 @@ static void bnx2fc_ulp_exit(struct cnic_dev *dev)
767 + __bnx2fc_destroy(interface);
768 + mutex_unlock(&bnx2fc_dev_lock);
769 +
770 +- /* Ensure ALL destroy work has been completed before return */
771 +- flush_workqueue(bnx2fc_wq);
772 +-
773 + bnx2fc_ulp_stop(hba);
774 + /* unregister cnic device */
775 + if (test_and_clear_bit(BNX2FC_CNIC_REGISTERED, &hba->reg_with_cnic))
776 +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
777 +index 298b1dd463800..0321ac531df7f 100644
778 +--- a/drivers/spi/spi-bcm-qspi.c
779 ++++ b/drivers/spi/spi-bcm-qspi.c
780 +@@ -522,7 +522,7 @@ static void bcm_qspi_chip_select(struct bcm_qspi *qspi, int cs)
781 + u32 rd = 0;
782 + u32 wr = 0;
783 +
784 +- if (qspi->base[CHIP_SELECT]) {
785 ++ if (cs >= 0 && qspi->base[CHIP_SELECT]) {
786 + rd = bcm_qspi_read(qspi, CHIP_SELECT, 0);
787 + wr = (rd & ~0xff) | (1 << cs);
788 + if (rd == wr)
789 +diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
790 +index 4d1d7053291b2..a050dfd8e6230 100644
791 +--- a/drivers/spi/spi-meson-spicc.c
792 ++++ b/drivers/spi/spi-meson-spicc.c
793 +@@ -529,6 +529,11 @@ static int meson_spicc_probe(struct platform_device *pdev)
794 + writel_relaxed(0, spicc->base + SPICC_INTREG);
795 +
796 + irq = platform_get_irq(pdev, 0);
797 ++ if (irq < 0) {
798 ++ ret = irq;
799 ++ goto out_master;
800 ++ }
801 ++
802 + ret = devm_request_irq(&pdev->dev, irq, meson_spicc_irq,
803 + 0, NULL, spicc);
804 + if (ret) {
805 +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
806 +index 690e8ddf5f6b8..faca2ab758992 100644
807 +--- a/drivers/spi/spi-mt65xx.c
808 ++++ b/drivers/spi/spi-mt65xx.c
809 +@@ -498,7 +498,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
810 + else
811 + mdata->state = MTK_SPI_IDLE;
812 +
813 +- if (!master->can_dma(master, master->cur_msg->spi, trans)) {
814 ++ if (!master->can_dma(master, NULL, trans)) {
815 + if (trans->rx_buf) {
816 + cnt = mdata->xfer_len / 4;
817 + ioread32_rep(mdata->base + SPI_RX_DATA_REG,
818 +diff --git a/drivers/staging/typec/tcpm.c b/drivers/staging/typec/tcpm.c
819 +index 4fff829b00aa6..04734a8275931 100644
820 +--- a/drivers/staging/typec/tcpm.c
821 ++++ b/drivers/staging/typec/tcpm.c
822 +@@ -3103,7 +3103,8 @@ static void _tcpm_pd_vbus_off(struct tcpm_port *port)
823 + case SNK_TRYWAIT_DEBOUNCE:
824 + break;
825 + case SNK_ATTACH_WAIT:
826 +- tcpm_set_state(port, SNK_UNATTACHED, 0);
827 ++ case SNK_DEBOUNCED:
828 ++ /* Do nothing, as TCPM is still waiting for vbus to reaach VSAFE5V to connect */
829 + break;
830 +
831 + case SNK_NEGOTIATE_CAPABILITIES:
832 +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
833 +index c70e79a0e9f28..52a43922b4fea 100644
834 +--- a/drivers/tty/n_gsm.c
835 ++++ b/drivers/tty/n_gsm.c
836 +@@ -325,6 +325,7 @@ static struct tty_driver *gsm_tty_driver;
837 + #define GSM1_ESCAPE_BITS 0x20
838 + #define XON 0x11
839 + #define XOFF 0x13
840 ++#define ISO_IEC_646_MASK 0x7F
841 +
842 + static const struct tty_port_operations gsm_port_ops;
843 +
844 +@@ -543,7 +544,8 @@ static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
845 + int olen = 0;
846 + while (len--) {
847 + if (*input == GSM1_SOF || *input == GSM1_ESCAPE
848 +- || *input == XON || *input == XOFF) {
849 ++ || (*input & ISO_IEC_646_MASK) == XON
850 ++ || (*input & ISO_IEC_646_MASK) == XOFF) {
851 + *output++ = GSM1_ESCAPE;
852 + *output++ = *input++ ^ GSM1_ESCAPE_BITS;
853 + olen++;
854 +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
855 +index 72015cc7b33f0..527b394efb971 100644
856 +--- a/drivers/tty/serial/8250/8250_pci.c
857 ++++ b/drivers/tty/serial/8250/8250_pci.c
858 +@@ -4808,8 +4808,30 @@ static const struct pci_device_id serial_pci_tbl[] = {
859 + { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400,
860 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
861 + pbn_b2_4_115200 },
862 ++ /* Brainboxes Devices */
863 + /*
864 +- * BrainBoxes UC-260
865 ++ * Brainboxes UC-101
866 ++ */
867 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0BA1,
868 ++ PCI_ANY_ID, PCI_ANY_ID,
869 ++ 0, 0,
870 ++ pbn_b2_2_115200 },
871 ++ /*
872 ++ * Brainboxes UC-235/246
873 ++ */
874 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0AA1,
875 ++ PCI_ANY_ID, PCI_ANY_ID,
876 ++ 0, 0,
877 ++ pbn_b2_1_115200 },
878 ++ /*
879 ++ * Brainboxes UC-257
880 ++ */
881 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0861,
882 ++ PCI_ANY_ID, PCI_ANY_ID,
883 ++ 0, 0,
884 ++ pbn_b2_2_115200 },
885 ++ /*
886 ++ * Brainboxes UC-260/271/701/756
887 + */
888 + { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
889 + PCI_ANY_ID, PCI_ANY_ID,
890 +@@ -4817,7 +4839,81 @@ static const struct pci_device_id serial_pci_tbl[] = {
891 + pbn_b2_4_115200 },
892 + { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
893 + PCI_ANY_ID, PCI_ANY_ID,
894 +- PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
895 ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
896 ++ pbn_b2_4_115200 },
897 ++ /*
898 ++ * Brainboxes UC-268
899 ++ */
900 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0841,
901 ++ PCI_ANY_ID, PCI_ANY_ID,
902 ++ 0, 0,
903 ++ pbn_b2_4_115200 },
904 ++ /*
905 ++ * Brainboxes UC-275/279
906 ++ */
907 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0881,
908 ++ PCI_ANY_ID, PCI_ANY_ID,
909 ++ 0, 0,
910 ++ pbn_b2_8_115200 },
911 ++ /*
912 ++ * Brainboxes UC-302
913 ++ */
914 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08E1,
915 ++ PCI_ANY_ID, PCI_ANY_ID,
916 ++ 0, 0,
917 ++ pbn_b2_2_115200 },
918 ++ /*
919 ++ * Brainboxes UC-310
920 ++ */
921 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08C1,
922 ++ PCI_ANY_ID, PCI_ANY_ID,
923 ++ 0, 0,
924 ++ pbn_b2_2_115200 },
925 ++ /*
926 ++ * Brainboxes UC-313
927 ++ */
928 ++ { PCI_VENDOR_ID_INTASHIELD, 0x08A3,
929 ++ PCI_ANY_ID, PCI_ANY_ID,
930 ++ 0, 0,
931 ++ pbn_b2_2_115200 },
932 ++ /*
933 ++ * Brainboxes UC-320/324
934 ++ */
935 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A61,
936 ++ PCI_ANY_ID, PCI_ANY_ID,
937 ++ 0, 0,
938 ++ pbn_b2_1_115200 },
939 ++ /*
940 ++ * Brainboxes UC-346
941 ++ */
942 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0B02,
943 ++ PCI_ANY_ID, PCI_ANY_ID,
944 ++ 0, 0,
945 ++ pbn_b2_4_115200 },
946 ++ /*
947 ++ * Brainboxes UC-357
948 ++ */
949 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A81,
950 ++ PCI_ANY_ID, PCI_ANY_ID,
951 ++ 0, 0,
952 ++ pbn_b2_2_115200 },
953 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0A83,
954 ++ PCI_ANY_ID, PCI_ANY_ID,
955 ++ 0, 0,
956 ++ pbn_b2_2_115200 },
957 ++ /*
958 ++ * Brainboxes UC-368
959 ++ */
960 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0C41,
961 ++ PCI_ANY_ID, PCI_ANY_ID,
962 ++ 0, 0,
963 ++ pbn_b2_4_115200 },
964 ++ /*
965 ++ * Brainboxes UC-420/431
966 ++ */
967 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0921,
968 ++ PCI_ANY_ID, PCI_ANY_ID,
969 ++ 0, 0,
970 + pbn_b2_4_115200 },
971 + /*
972 + * Perle PCI-RAS cards
973 +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
974 +index a10335e904ea9..52bedd4e1603e 100644
975 +--- a/drivers/tty/serial/stm32-usart.c
976 ++++ b/drivers/tty/serial/stm32-usart.c
977 +@@ -402,7 +402,7 @@ static void stm32_start_tx(struct uart_port *port)
978 + {
979 + struct circ_buf *xmit = &port->state->xmit;
980 +
981 +- if (uart_circ_empty(xmit))
982 ++ if (uart_circ_empty(xmit) && !port->x_char)
983 + return;
984 +
985 + stm32_transmit_chars(port);
986 +diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c
987 +index e02acfb1ca95f..4f6e131a3d581 100644
988 +--- a/drivers/usb/common/ulpi.c
989 ++++ b/drivers/usb/common/ulpi.c
990 +@@ -42,8 +42,11 @@ static int ulpi_match(struct device *dev, struct device_driver *driver)
991 + struct ulpi *ulpi = to_ulpi_dev(dev);
992 + const struct ulpi_device_id *id;
993 +
994 +- /* Some ULPI devices don't have a vendor id so rely on OF match */
995 +- if (ulpi->id.vendor == 0)
996 ++ /*
997 ++ * Some ULPI devices don't have a vendor id
998 ++ * or provide an id_table so rely on OF match.
999 ++ */
1000 ++ if (ulpi->id.vendor == 0 || !drv->id_table)
1001 + return of_driver_match_device(dev, driver);
1002 +
1003 + for (id = drv->id_table; id->vendor; id++)
1004 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
1005 +index d634db802fbd7..c1f58b2e9f7e8 100644
1006 +--- a/drivers/usb/core/hcd.c
1007 ++++ b/drivers/usb/core/hcd.c
1008 +@@ -1679,6 +1679,13 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
1009 + urb->hcpriv = NULL;
1010 + INIT_LIST_HEAD(&urb->urb_list);
1011 + atomic_dec(&urb->use_count);
1012 ++ /*
1013 ++ * Order the write of urb->use_count above before the read
1014 ++ * of urb->reject below. Pairs with the memory barriers in
1015 ++ * usb_kill_urb() and usb_poison_urb().
1016 ++ */
1017 ++ smp_mb__after_atomic();
1018 ++
1019 + atomic_dec(&urb->dev->urbnum);
1020 + if (atomic_read(&urb->reject))
1021 + wake_up(&usb_kill_urb_queue);
1022 +@@ -1788,6 +1795,13 @@ static void __usb_hcd_giveback_urb(struct urb *urb)
1023 +
1024 + usb_anchor_resume_wakeups(anchor);
1025 + atomic_dec(&urb->use_count);
1026 ++ /*
1027 ++ * Order the write of urb->use_count above before the read
1028 ++ * of urb->reject below. Pairs with the memory barriers in
1029 ++ * usb_kill_urb() and usb_poison_urb().
1030 ++ */
1031 ++ smp_mb__after_atomic();
1032 ++
1033 + if (unlikely(atomic_read(&urb->reject)))
1034 + wake_up(&usb_kill_urb_queue);
1035 + usb_put_urb(urb);
1036 +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
1037 +index bd6ebc9d17c8c..ed6a542c4bedb 100644
1038 +--- a/drivers/usb/core/urb.c
1039 ++++ b/drivers/usb/core/urb.c
1040 +@@ -686,6 +686,12 @@ void usb_kill_urb(struct urb *urb)
1041 + if (!(urb && urb->dev && urb->ep))
1042 + return;
1043 + atomic_inc(&urb->reject);
1044 ++ /*
1045 ++ * Order the write of urb->reject above before the read
1046 ++ * of urb->use_count below. Pairs with the barriers in
1047 ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb().
1048 ++ */
1049 ++ smp_mb__after_atomic();
1050 +
1051 + usb_hcd_unlink_urb(urb, -ENOENT);
1052 + wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0);
1053 +@@ -727,6 +733,12 @@ void usb_poison_urb(struct urb *urb)
1054 + if (!urb)
1055 + return;
1056 + atomic_inc(&urb->reject);
1057 ++ /*
1058 ++ * Order the write of urb->reject above before the read
1059 ++ * of urb->use_count below. Pairs with the barriers in
1060 ++ * __usb_hcd_giveback_urb() and usb_hcd_submit_urb().
1061 ++ */
1062 ++ smp_mb__after_atomic();
1063 +
1064 + if (!urb->dev || !urb->ep)
1065 + return;
1066 +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
1067 +index 1c5745f7abea1..16142c321df8e 100644
1068 +--- a/drivers/usb/gadget/function/f_sourcesink.c
1069 ++++ b/drivers/usb/gadget/function/f_sourcesink.c
1070 +@@ -587,6 +587,7 @@ static int source_sink_start_ep(struct f_sourcesink *ss, bool is_in,
1071 +
1072 + if (is_iso) {
1073 + switch (speed) {
1074 ++ case USB_SPEED_SUPER_PLUS:
1075 + case USB_SPEED_SUPER:
1076 + size = ss->isoc_maxpacket *
1077 + (ss->isoc_mult + 1) *
1078 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
1079 +index 15915784071eb..fedf7e2bc8af2 100644
1080 +--- a/drivers/usb/storage/unusual_devs.h
1081 ++++ b/drivers/usb/storage/unusual_devs.h
1082 +@@ -2320,6 +2320,16 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x9999,
1083 + USB_SC_DEVICE, USB_PR_DEVICE, usb_stor_euscsi_init,
1084 + US_FL_SCM_MULT_TARG ),
1085 +
1086 ++/*
1087 ++ * Reported by DocMAX <mail@××××××××××.de>
1088 ++ * and Thomas Weißschuh <linux@××××××××××.net>
1089 ++ */
1090 ++UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999,
1091 ++ "VIA Labs, Inc.",
1092 ++ "VL817 SATA Bridge",
1093 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
1094 ++ US_FL_IGNORE_UAS),
1095 ++
1096 + UNUSUAL_DEV( 0x2116, 0x0320, 0x0001, 0x0001,
1097 + "ST",
1098 + "2A",
1099 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
1100 +index 034b5d0a05044..58d8fd6543021 100644
1101 +--- a/fs/ext4/inline.c
1102 ++++ b/fs/ext4/inline.c
1103 +@@ -1131,7 +1131,15 @@ static void ext4_restore_inline_data(handle_t *handle, struct inode *inode,
1104 + struct ext4_iloc *iloc,
1105 + void *buf, int inline_size)
1106 + {
1107 +- ext4_create_inline_data(handle, inode, inline_size);
1108 ++ int ret;
1109 ++
1110 ++ ret = ext4_create_inline_data(handle, inode, inline_size);
1111 ++ if (ret) {
1112 ++ ext4_msg(inode->i_sb, KERN_EMERG,
1113 ++ "error restoring inline_data for inode -- potential data loss! (inode %lu, error %d)",
1114 ++ inode->i_ino, ret);
1115 ++ return;
1116 ++ }
1117 + ext4_write_inline_data(inode, iloc, buf, 0, inline_size);
1118 + ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
1119 + }
1120 +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
1121 +index 5c26e90db5887..c3ae37036b9d1 100644
1122 +--- a/fs/nfs/dir.c
1123 ++++ b/fs/nfs/dir.c
1124 +@@ -1607,6 +1607,24 @@ out:
1125 +
1126 + no_open:
1127 + res = nfs_lookup(dir, dentry, lookup_flags);
1128 ++ if (!res) {
1129 ++ inode = d_inode(dentry);
1130 ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
1131 ++ !S_ISDIR(inode->i_mode))
1132 ++ res = ERR_PTR(-ENOTDIR);
1133 ++ else if (inode && S_ISREG(inode->i_mode))
1134 ++ res = ERR_PTR(-EOPENSTALE);
1135 ++ } else if (!IS_ERR(res)) {
1136 ++ inode = d_inode(res);
1137 ++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
1138 ++ !S_ISDIR(inode->i_mode)) {
1139 ++ dput(res);
1140 ++ res = ERR_PTR(-ENOTDIR);
1141 ++ } else if (inode && S_ISREG(inode->i_mode)) {
1142 ++ dput(res);
1143 ++ res = ERR_PTR(-EOPENSTALE);
1144 ++ }
1145 ++ }
1146 + if (switched) {
1147 + d_lookup_done(dentry);
1148 + if (!res)
1149 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
1150 +index 1c7a695ac265b..6720c82ac3515 100644
1151 +--- a/fs/nfsd/nfs4state.c
1152 ++++ b/fs/nfsd/nfs4state.c
1153 +@@ -3423,8 +3423,10 @@ nfsd4_setclientid_confirm(struct svc_rqst *rqstp,
1154 + status = nfserr_clid_inuse;
1155 + if (client_has_state(old)
1156 + && !same_creds(&unconf->cl_cred,
1157 +- &old->cl_cred))
1158 ++ &old->cl_cred)) {
1159 ++ old = NULL;
1160 + goto out;
1161 ++ }
1162 + status = mark_client_expired_locked(old);
1163 + if (status) {
1164 + old = NULL;
1165 +diff --git a/fs/udf/inode.c b/fs/udf/inode.c
1166 +index e0e2bc19c9294..592e9356f3ecf 100644
1167 +--- a/fs/udf/inode.c
1168 ++++ b/fs/udf/inode.c
1169 +@@ -251,10 +251,6 @@ int udf_expand_file_adinicb(struct inode *inode)
1170 + char *kaddr;
1171 + struct udf_inode_info *iinfo = UDF_I(inode);
1172 + int err;
1173 +- struct writeback_control udf_wbc = {
1174 +- .sync_mode = WB_SYNC_NONE,
1175 +- .nr_to_write = 1,
1176 +- };
1177 +
1178 + WARN_ON_ONCE(!inode_is_locked(inode));
1179 + if (!iinfo->i_lenAlloc) {
1180 +@@ -298,8 +294,10 @@ int udf_expand_file_adinicb(struct inode *inode)
1181 + iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;
1182 + /* from now on we have normal address_space methods */
1183 + inode->i_data.a_ops = &udf_aops;
1184 ++ set_page_dirty(page);
1185 ++ unlock_page(page);
1186 + up_write(&iinfo->i_data_sem);
1187 +- err = inode->i_data.a_ops->writepage(page, &udf_wbc);
1188 ++ err = filemap_fdatawrite(inode->i_mapping);
1189 + if (err) {
1190 + /* Restore everything back so that we don't lose data... */
1191 + lock_page(page);
1192 +@@ -311,6 +309,7 @@ int udf_expand_file_adinicb(struct inode *inode)
1193 + unlock_page(page);
1194 + iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
1195 + inode->i_data.a_ops = &udf_adinicb_aops;
1196 ++ iinfo->i_lenAlloc = inode->i_size;
1197 + up_write(&iinfo->i_data_sem);
1198 + }
1199 + put_page(page);
1200 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
1201 +index fc552da905b3a..7972aac9264c0 100644
1202 +--- a/include/linux/netdevice.h
1203 ++++ b/include/linux/netdevice.h
1204 +@@ -2206,6 +2206,7 @@ struct packet_type {
1205 + struct net_device *);
1206 + bool (*id_match)(struct packet_type *ptype,
1207 + struct sock *sk);
1208 ++ struct net *af_packet_net;
1209 + void *af_packet_priv;
1210 + struct list_head list;
1211 + };
1212 +diff --git a/include/net/ip.h b/include/net/ip.h
1213 +index 20a92cdb1e35c..4aff48d6ba915 100644
1214 +--- a/include/net/ip.h
1215 ++++ b/include/net/ip.h
1216 +@@ -399,19 +399,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
1217 + {
1218 + struct iphdr *iph = ip_hdr(skb);
1219 +
1220 ++ /* We had many attacks based on IPID, use the private
1221 ++ * generator as much as we can.
1222 ++ */
1223 ++ if (sk && inet_sk(sk)->inet_daddr) {
1224 ++ iph->id = htons(inet_sk(sk)->inet_id);
1225 ++ inet_sk(sk)->inet_id += segs;
1226 ++ return;
1227 ++ }
1228 + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
1229 +- /* This is only to work around buggy Windows95/2000
1230 +- * VJ compression implementations. If the ID field
1231 +- * does not change, they drop every other packet in
1232 +- * a TCP stream using header compression.
1233 +- */
1234 +- if (sk && inet_sk(sk)->inet_daddr) {
1235 +- iph->id = htons(inet_sk(sk)->inet_id);
1236 +- inet_sk(sk)->inet_id += segs;
1237 +- } else {
1238 +- iph->id = 0;
1239 +- }
1240 ++ iph->id = 0;
1241 + } else {
1242 ++ /* Unfortunately we need the big hammer to get a suitable IPID */
1243 + __ip_select_ident(net, iph, segs);
1244 + }
1245 + }
1246 +diff --git a/include/net/netfilter/nf_nat_l4proto.h b/include/net/netfilter/nf_nat_l4proto.h
1247 +index 67835ff8a2d98..103ecea6afdb8 100644
1248 +--- a/include/net/netfilter/nf_nat_l4proto.h
1249 ++++ b/include/net/netfilter/nf_nat_l4proto.h
1250 +@@ -74,7 +74,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
1251 + struct nf_conntrack_tuple *tuple,
1252 + const struct nf_nat_range *range,
1253 + enum nf_nat_manip_type maniptype,
1254 +- const struct nf_conn *ct, u16 *rover);
1255 ++ const struct nf_conn *ct);
1256 +
1257 + int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[],
1258 + struct nf_nat_range *range);
1259 +diff --git a/kernel/audit.c b/kernel/audit.c
1260 +index 2b82316b844b7..0ad61f5da661c 100644
1261 +--- a/kernel/audit.c
1262 ++++ b/kernel/audit.c
1263 +@@ -509,20 +509,22 @@ static void kauditd_printk_skb(struct sk_buff *skb)
1264 + /**
1265 + * kauditd_rehold_skb - Handle a audit record send failure in the hold queue
1266 + * @skb: audit record
1267 ++ * @error: error code (unused)
1268 + *
1269 + * Description:
1270 + * This should only be used by the kauditd_thread when it fails to flush the
1271 + * hold queue.
1272 + */
1273 +-static void kauditd_rehold_skb(struct sk_buff *skb)
1274 ++static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error)
1275 + {
1276 +- /* put the record back in the queue at the same place */
1277 +- skb_queue_head(&audit_hold_queue, skb);
1278 ++ /* put the record back in the queue */
1279 ++ skb_queue_tail(&audit_hold_queue, skb);
1280 + }
1281 +
1282 + /**
1283 + * kauditd_hold_skb - Queue an audit record, waiting for auditd
1284 + * @skb: audit record
1285 ++ * @error: error code
1286 + *
1287 + * Description:
1288 + * Queue the audit record, waiting for an instance of auditd. When this
1289 +@@ -532,19 +534,31 @@ static void kauditd_rehold_skb(struct sk_buff *skb)
1290 + * and queue it, if we have room. If we want to hold on to the record, but we
1291 + * don't have room, record a record lost message.
1292 + */
1293 +-static void kauditd_hold_skb(struct sk_buff *skb)
1294 ++static void kauditd_hold_skb(struct sk_buff *skb, int error)
1295 + {
1296 + /* at this point it is uncertain if we will ever send this to auditd so
1297 + * try to send the message via printk before we go any further */
1298 + kauditd_printk_skb(skb);
1299 +
1300 + /* can we just silently drop the message? */
1301 +- if (!audit_default) {
1302 +- kfree_skb(skb);
1303 +- return;
1304 ++ if (!audit_default)
1305 ++ goto drop;
1306 ++
1307 ++ /* the hold queue is only for when the daemon goes away completely,
1308 ++ * not -EAGAIN failures; if we are in a -EAGAIN state requeue the
1309 ++ * record on the retry queue unless it's full, in which case drop it
1310 ++ */
1311 ++ if (error == -EAGAIN) {
1312 ++ if (!audit_backlog_limit ||
1313 ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
1314 ++ skb_queue_tail(&audit_retry_queue, skb);
1315 ++ return;
1316 ++ }
1317 ++ audit_log_lost("kauditd retry queue overflow");
1318 ++ goto drop;
1319 + }
1320 +
1321 +- /* if we have room, queue the message */
1322 ++ /* if we have room in the hold queue, queue the message */
1323 + if (!audit_backlog_limit ||
1324 + skb_queue_len(&audit_hold_queue) < audit_backlog_limit) {
1325 + skb_queue_tail(&audit_hold_queue, skb);
1326 +@@ -553,24 +567,32 @@ static void kauditd_hold_skb(struct sk_buff *skb)
1327 +
1328 + /* we have no other options - drop the message */
1329 + audit_log_lost("kauditd hold queue overflow");
1330 ++drop:
1331 + kfree_skb(skb);
1332 + }
1333 +
1334 + /**
1335 + * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd
1336 + * @skb: audit record
1337 ++ * @error: error code (unused)
1338 + *
1339 + * Description:
1340 + * Not as serious as kauditd_hold_skb() as we still have a connected auditd,
1341 + * but for some reason we are having problems sending it audit records so
1342 + * queue the given record and attempt to resend.
1343 + */
1344 +-static void kauditd_retry_skb(struct sk_buff *skb)
1345 ++static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error)
1346 + {
1347 +- /* NOTE: because records should only live in the retry queue for a
1348 +- * short period of time, before either being sent or moved to the hold
1349 +- * queue, we don't currently enforce a limit on this queue */
1350 +- skb_queue_tail(&audit_retry_queue, skb);
1351 ++ if (!audit_backlog_limit ||
1352 ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) {
1353 ++ skb_queue_tail(&audit_retry_queue, skb);
1354 ++ return;
1355 ++ }
1356 ++
1357 ++ /* we have to drop the record, send it via printk as a last effort */
1358 ++ kauditd_printk_skb(skb);
1359 ++ audit_log_lost("kauditd retry queue overflow");
1360 ++ kfree_skb(skb);
1361 + }
1362 +
1363 + /**
1364 +@@ -608,7 +630,7 @@ static void auditd_reset(const struct auditd_connection *ac)
1365 + /* flush the retry queue to the hold queue, but don't touch the main
1366 + * queue since we need to process that normally for multicast */
1367 + while ((skb = skb_dequeue(&audit_retry_queue)))
1368 +- kauditd_hold_skb(skb);
1369 ++ kauditd_hold_skb(skb, -ECONNREFUSED);
1370 + }
1371 +
1372 + /**
1373 +@@ -682,16 +704,18 @@ static int kauditd_send_queue(struct sock *sk, u32 portid,
1374 + struct sk_buff_head *queue,
1375 + unsigned int retry_limit,
1376 + void (*skb_hook)(struct sk_buff *skb),
1377 +- void (*err_hook)(struct sk_buff *skb))
1378 ++ void (*err_hook)(struct sk_buff *skb, int error))
1379 + {
1380 + int rc = 0;
1381 +- struct sk_buff *skb;
1382 ++ struct sk_buff *skb = NULL;
1383 ++ struct sk_buff *skb_tail;
1384 + unsigned int failed = 0;
1385 +
1386 + /* NOTE: kauditd_thread takes care of all our locking, we just use
1387 + * the netlink info passed to us (e.g. sk and portid) */
1388 +
1389 +- while ((skb = skb_dequeue(queue))) {
1390 ++ skb_tail = skb_peek_tail(queue);
1391 ++ while ((skb != skb_tail) && (skb = skb_dequeue(queue))) {
1392 + /* call the skb_hook for each skb we touch */
1393 + if (skb_hook)
1394 + (*skb_hook)(skb);
1395 +@@ -699,7 +723,7 @@ static int kauditd_send_queue(struct sock *sk, u32 portid,
1396 + /* can we send to anyone via unicast? */
1397 + if (!sk) {
1398 + if (err_hook)
1399 +- (*err_hook)(skb);
1400 ++ (*err_hook)(skb, -ECONNREFUSED);
1401 + continue;
1402 + }
1403 +
1404 +@@ -713,7 +737,7 @@ retry:
1405 + rc == -ECONNREFUSED || rc == -EPERM) {
1406 + sk = NULL;
1407 + if (err_hook)
1408 +- (*err_hook)(skb);
1409 ++ (*err_hook)(skb, rc);
1410 + if (rc == -EAGAIN)
1411 + rc = 0;
1412 + /* continue to drain the queue */
1413 +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
1414 +index 485e319ba742a..220c43a085e42 100644
1415 +--- a/kernel/bpf/core.c
1416 ++++ b/kernel/bpf/core.c
1417 +@@ -228,27 +228,57 @@ static bool bpf_is_jmp_and_has_target(const struct bpf_insn *insn)
1418 + BPF_OP(insn->code) != BPF_EXIT;
1419 + }
1420 +
1421 +-static void bpf_adj_branches(struct bpf_prog *prog, u32 pos, u32 delta)
1422 ++static int bpf_adj_delta_to_off(struct bpf_insn *insn, u32 pos, u32 delta,
1423 ++ u32 curr, const bool probe_pass)
1424 + {
1425 ++ const s32 off_min = S16_MIN, off_max = S16_MAX;
1426 ++ s32 off = insn->off;
1427 ++
1428 ++ if (curr < pos && curr + off + 1 > pos)
1429 ++ off += delta;
1430 ++ else if (curr > pos + delta && curr + off + 1 <= pos + delta)
1431 ++ off -= delta;
1432 ++ if (off < off_min || off > off_max)
1433 ++ return -ERANGE;
1434 ++ if (!probe_pass)
1435 ++ insn->off = off;
1436 ++ return 0;
1437 ++}
1438 ++
1439 ++static int bpf_adj_branches(struct bpf_prog *prog, u32 pos, u32 delta,
1440 ++ const bool probe_pass)
1441 ++{
1442 ++ u32 i, insn_cnt = prog->len + (probe_pass ? delta : 0);
1443 + struct bpf_insn *insn = prog->insnsi;
1444 +- u32 i, insn_cnt = prog->len;
1445 ++ int ret = 0;
1446 +
1447 + for (i = 0; i < insn_cnt; i++, insn++) {
1448 ++ /* In the probing pass we still operate on the original,
1449 ++ * unpatched image in order to check overflows before we
1450 ++ * do any other adjustments. Therefore skip the patchlet.
1451 ++ */
1452 ++ if (probe_pass && i == pos) {
1453 ++ i += delta + 1;
1454 ++ insn++;
1455 ++ }
1456 ++
1457 + if (!bpf_is_jmp_and_has_target(insn))
1458 + continue;
1459 +
1460 +- /* Adjust offset of jmps if we cross boundaries. */
1461 +- if (i < pos && i + insn->off + 1 > pos)
1462 +- insn->off += delta;
1463 +- else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
1464 +- insn->off -= delta;
1465 ++ /* Adjust offset of jmps if we cross patch boundaries. */
1466 ++ ret = bpf_adj_delta_to_off(insn, pos, delta, i, probe_pass);
1467 ++ if (ret)
1468 ++ break;
1469 + }
1470 ++
1471 ++ return ret;
1472 + }
1473 +
1474 + struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
1475 + const struct bpf_insn *patch, u32 len)
1476 + {
1477 + u32 insn_adj_cnt, insn_rest, insn_delta = len - 1;
1478 ++ const u32 cnt_max = S16_MAX;
1479 + struct bpf_prog *prog_adj;
1480 +
1481 + /* Since our patchlet doesn't expand the image, we're done. */
1482 +@@ -259,6 +289,15 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
1483 +
1484 + insn_adj_cnt = prog->len + insn_delta;
1485 +
1486 ++ /* Reject anything that would potentially let the insn->off
1487 ++ * target overflow when we have excessive program expansions.
1488 ++ * We need to probe here before we do any reallocation where
1489 ++ * we afterwards may not fail anymore.
1490 ++ */
1491 ++ if (insn_adj_cnt > cnt_max &&
1492 ++ bpf_adj_branches(prog, off, insn_delta, true))
1493 ++ return NULL;
1494 ++
1495 + /* Several new instructions need to be inserted. Make room
1496 + * for them. Likely, there's no need for a new allocation as
1497 + * last page could have large enough tailroom.
1498 +@@ -284,7 +323,11 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
1499 + sizeof(*patch) * insn_rest);
1500 + memcpy(prog_adj->insnsi + off, patch, sizeof(*patch) * len);
1501 +
1502 +- bpf_adj_branches(prog_adj, off, insn_delta);
1503 ++ /* We are guaranteed to not fail at this point, otherwise
1504 ++ * the ship has sailed to reverse to the original state. An
1505 ++ * overflow cannot happen at this point.
1506 ++ */
1507 ++ BUG_ON(bpf_adj_branches(prog_adj, off, insn_delta, false));
1508 +
1509 + return prog_adj;
1510 + }
1511 +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
1512 +index dfba59be190b6..b929b39633839 100644
1513 +--- a/kernel/power/wakelock.c
1514 ++++ b/kernel/power/wakelock.c
1515 +@@ -39,23 +39,19 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
1516 + {
1517 + struct rb_node *node;
1518 + struct wakelock *wl;
1519 +- char *str = buf;
1520 +- char *end = buf + PAGE_SIZE;
1521 ++ int len = 0;
1522 +
1523 + mutex_lock(&wakelocks_lock);
1524 +
1525 + for (node = rb_first(&wakelocks_tree); node; node = rb_next(node)) {
1526 + wl = rb_entry(node, struct wakelock, node);
1527 + if (wl->ws.active == show_active)
1528 +- str += scnprintf(str, end - str, "%s ", wl->name);
1529 ++ len += sysfs_emit_at(buf, len, "%s ", wl->name);
1530 + }
1531 +- if (str > buf)
1532 +- str--;
1533 +-
1534 +- str += scnprintf(str, end - str, "\n");
1535 ++ len += sysfs_emit_at(buf, len, "\n");
1536 +
1537 + mutex_unlock(&wakelocks_lock);
1538 +- return (str - buf);
1539 ++ return len;
1540 + }
1541 +
1542 + #if CONFIG_PM_WAKELOCKS_LIMIT > 0
1543 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
1544 +index eca596a56f46b..39e222fb3004f 100644
1545 +--- a/net/bluetooth/hci_event.c
1546 ++++ b/net/bluetooth/hci_event.c
1547 +@@ -4967,6 +4967,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
1548 + struct hci_ev_le_advertising_info *ev = ptr;
1549 + s8 rssi;
1550 +
1551 ++ if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {
1552 ++ bt_dev_err(hdev, "Malicious advertising data.");
1553 ++ break;
1554 ++ }
1555 ++
1556 + if (ev->length <= HCI_MAX_AD_LENGTH &&
1557 + ev->data + ev->length <= skb_tail_pointer(skb)) {
1558 + rssi = ev->data[ev->length];
1559 +@@ -4978,11 +4983,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
1560 + }
1561 +
1562 + ptr += sizeof(*ev) + ev->length + 1;
1563 +-
1564 +- if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
1565 +- bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
1566 +- break;
1567 +- }
1568 + }
1569 +
1570 + hci_dev_unlock(hdev);
1571 +diff --git a/net/core/filter.c b/net/core/filter.c
1572 +index 729e302bba6e9..9b934767a1d86 100644
1573 +--- a/net/core/filter.c
1574 ++++ b/net/core/filter.c
1575 +@@ -472,11 +472,18 @@ do_pass:
1576 +
1577 + #define BPF_EMIT_JMP \
1578 + do { \
1579 ++ const s32 off_min = S16_MIN, off_max = S16_MAX; \
1580 ++ s32 off; \
1581 ++ \
1582 + if (target >= len || target < 0) \
1583 + goto err; \
1584 +- insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
1585 ++ off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
1586 + /* Adjust pc relative offset for 2nd or 3rd insn. */ \
1587 +- insn->off -= insn - tmp_insns; \
1588 ++ off -= insn - tmp_insns; \
1589 ++ /* Reject anything not fitting into insn->off. */ \
1590 ++ if (off < off_min || off > off_max) \
1591 ++ goto err; \
1592 ++ insn->off = off; \
1593 + } while (0)
1594 +
1595 + case BPF_JMP | BPF_JA:
1596 +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
1597 +index 615ccab55f387..120015d23ec8b 100644
1598 +--- a/net/core/net-procfs.c
1599 ++++ b/net/core/net-procfs.c
1600 +@@ -209,12 +209,23 @@ static const struct file_operations softnet_seq_fops = {
1601 + .release = seq_release,
1602 + };
1603 +
1604 +-static void *ptype_get_idx(loff_t pos)
1605 ++static void *ptype_get_idx(struct seq_file *seq, loff_t pos)
1606 + {
1607 ++ struct list_head *ptype_list = NULL;
1608 + struct packet_type *pt = NULL;
1609 ++ struct net_device *dev;
1610 + loff_t i = 0;
1611 + int t;
1612 +
1613 ++ for_each_netdev_rcu(seq_file_net(seq), dev) {
1614 ++ ptype_list = &dev->ptype_all;
1615 ++ list_for_each_entry_rcu(pt, ptype_list, list) {
1616 ++ if (i == pos)
1617 ++ return pt;
1618 ++ ++i;
1619 ++ }
1620 ++ }
1621 ++
1622 + list_for_each_entry_rcu(pt, &ptype_all, list) {
1623 + if (i == pos)
1624 + return pt;
1625 +@@ -235,22 +246,40 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos)
1626 + __acquires(RCU)
1627 + {
1628 + rcu_read_lock();
1629 +- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN;
1630 ++ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
1631 + }
1632 +
1633 + static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1634 + {
1635 ++ struct net_device *dev;
1636 + struct packet_type *pt;
1637 + struct list_head *nxt;
1638 + int hash;
1639 +
1640 + ++*pos;
1641 + if (v == SEQ_START_TOKEN)
1642 +- return ptype_get_idx(0);
1643 ++ return ptype_get_idx(seq, 0);
1644 +
1645 + pt = v;
1646 + nxt = pt->list.next;
1647 ++ if (pt->dev) {
1648 ++ if (nxt != &pt->dev->ptype_all)
1649 ++ goto found;
1650 ++
1651 ++ dev = pt->dev;
1652 ++ for_each_netdev_continue_rcu(seq_file_net(seq), dev) {
1653 ++ if (!list_empty(&dev->ptype_all)) {
1654 ++ nxt = dev->ptype_all.next;
1655 ++ goto found;
1656 ++ }
1657 ++ }
1658 ++
1659 ++ nxt = ptype_all.next;
1660 ++ goto ptype_all;
1661 ++ }
1662 ++
1663 + if (pt->type == htons(ETH_P_ALL)) {
1664 ++ptype_all:
1665 + if (nxt != &ptype_all)
1666 + goto found;
1667 + hash = 0;
1668 +@@ -279,7 +308,8 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
1669 +
1670 + if (v == SEQ_START_TOKEN)
1671 + seq_puts(seq, "Type Device Function\n");
1672 +- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) {
1673 ++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) &&
1674 ++ (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) {
1675 + if (pt->type == htons(ETH_P_ALL))
1676 + seq_puts(seq, "ALL ");
1677 + else
1678 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
1679 +index d7e2cb7ae1fa4..738514e5c8ba2 100644
1680 +--- a/net/core/rtnetlink.c
1681 ++++ b/net/core/rtnetlink.c
1682 +@@ -2523,9 +2523,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
1683 + {
1684 + struct net *net = sock_net(skb->sk);
1685 + const struct rtnl_link_ops *ops;
1686 +- const struct rtnl_link_ops *m_ops = NULL;
1687 ++ const struct rtnl_link_ops *m_ops;
1688 + struct net_device *dev;
1689 +- struct net_device *master_dev = NULL;
1690 ++ struct net_device *master_dev;
1691 + struct ifinfomsg *ifm;
1692 + char kind[MODULE_NAME_LEN];
1693 + char ifname[IFNAMSIZ];
1694 +@@ -2556,6 +2556,8 @@ replay:
1695 + dev = NULL;
1696 + }
1697 +
1698 ++ master_dev = NULL;
1699 ++ m_ops = NULL;
1700 + if (dev) {
1701 + master_dev = netdev_master_upper_dev_get(dev);
1702 + if (master_dev)
1703 +diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
1704 +index 6d4c71a52b6b2..3407ee1159f7b 100644
1705 +--- a/net/ieee802154/nl802154.c
1706 ++++ b/net/ieee802154/nl802154.c
1707 +@@ -1459,7 +1459,7 @@ static int nl802154_send_key(struct sk_buff *msg, u32 cmd, u32 portid,
1708 +
1709 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1710 + if (!hdr)
1711 +- return -1;
1712 ++ return -ENOBUFS;
1713 +
1714 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1715 + goto nla_put_failure;
1716 +@@ -1650,7 +1650,7 @@ static int nl802154_send_device(struct sk_buff *msg, u32 cmd, u32 portid,
1717 +
1718 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1719 + if (!hdr)
1720 +- return -1;
1721 ++ return -ENOBUFS;
1722 +
1723 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1724 + goto nla_put_failure;
1725 +@@ -1828,7 +1828,7 @@ static int nl802154_send_devkey(struct sk_buff *msg, u32 cmd, u32 portid,
1726 +
1727 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1728 + if (!hdr)
1729 +- return -1;
1730 ++ return -ENOBUFS;
1731 +
1732 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1733 + goto nla_put_failure;
1734 +@@ -2005,7 +2005,7 @@ static int nl802154_send_seclevel(struct sk_buff *msg, u32 cmd, u32 portid,
1735 +
1736 + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd);
1737 + if (!hdr)
1738 +- return -1;
1739 ++ return -ENOBUFS;
1740 +
1741 + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex))
1742 + goto nla_put_failure;
1743 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
1744 +index c9f82525bfa45..aab18ab49e3b9 100644
1745 +--- a/net/ipv4/ip_output.c
1746 ++++ b/net/ipv4/ip_output.c
1747 +@@ -160,12 +160,19 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
1748 + iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
1749 + iph->saddr = saddr;
1750 + iph->protocol = sk->sk_protocol;
1751 +- if (ip_dont_fragment(sk, &rt->dst)) {
1752 ++ /* Do not bother generating IPID for small packets (eg SYNACK) */
1753 ++ if (skb->len <= IPV4_MIN_MTU || ip_dont_fragment(sk, &rt->dst)) {
1754 + iph->frag_off = htons(IP_DF);
1755 + iph->id = 0;
1756 + } else {
1757 + iph->frag_off = 0;
1758 +- __ip_select_ident(net, iph, 1);
1759 ++ /* TCP packets here are SYNACK with fat IPv4/TCP options.
1760 ++ * Avoid using the hashed IP ident generator.
1761 ++ */
1762 ++ if (sk->sk_protocol == IPPROTO_TCP)
1763 ++ iph->id = (__force __be16)prandom_u32();
1764 ++ else
1765 ++ __ip_select_ident(net, iph, 1);
1766 + }
1767 +
1768 + if (opt && opt->opt.optlen) {
1769 +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
1770 +index aab141c4a3892..bfd0ab9d3b578 100644
1771 +--- a/net/ipv4/ping.c
1772 ++++ b/net/ipv4/ping.c
1773 +@@ -225,7 +225,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident)
1774 + continue;
1775 + }
1776 +
1777 +- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif)
1778 ++ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
1779 ++ sk->sk_bound_dev_if != inet_sdif(skb))
1780 + continue;
1781 +
1782 + sock_hold(sk);
1783 +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
1784 +index 261a9813b88cd..9c4b2c0dc68ae 100644
1785 +--- a/net/ipv4/raw.c
1786 ++++ b/net/ipv4/raw.c
1787 +@@ -721,6 +721,7 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1788 + int ret = -EINVAL;
1789 + int chk_addr_ret;
1790 +
1791 ++ lock_sock(sk);
1792 + if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in))
1793 + goto out;
1794 +
1795 +@@ -740,7 +741,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1796 + inet->inet_saddr = 0; /* Use device */
1797 + sk_dst_reset(sk);
1798 + ret = 0;
1799 +-out: return ret;
1800 ++out:
1801 ++ release_sock(sk);
1802 ++ return ret;
1803 + }
1804 +
1805 + /*
1806 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1807 +index aa9638febdd80..9458a0dfa8206 100644
1808 +--- a/net/ipv6/ip6_tunnel.c
1809 ++++ b/net/ipv6/ip6_tunnel.c
1810 +@@ -1008,12 +1008,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t,
1811 + ldev = dev_get_by_index_rcu(net, p->link);
1812 +
1813 + if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0)))
1814 +- pr_warn("%s xmit: Local address not yet configured!\n",
1815 +- p->name);
1816 ++ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n",
1817 ++ p->name);
1818 + else if (!ipv6_addr_is_multicast(raddr) &&
1819 + unlikely(ipv6_chk_addr(net, raddr, NULL, 0)))
1820 +- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n",
1821 +- p->name);
1822 ++ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n",
1823 ++ p->name);
1824 + else
1825 + ret = 1;
1826 + rcu_read_unlock();
1827 +diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
1828 +index 7d7466dbf6633..a4f709a3cbacc 100644
1829 +--- a/net/netfilter/nf_nat_proto_common.c
1830 ++++ b/net/netfilter/nf_nat_proto_common.c
1831 +@@ -38,12 +38,12 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
1832 + struct nf_conntrack_tuple *tuple,
1833 + const struct nf_nat_range *range,
1834 + enum nf_nat_manip_type maniptype,
1835 +- const struct nf_conn *ct,
1836 +- u16 *rover)
1837 ++ const struct nf_conn *ct)
1838 + {
1839 +- unsigned int range_size, min, max, i;
1840 ++ unsigned int range_size, min, max, i, attempts;
1841 + __be16 *portptr;
1842 +- u_int16_t off;
1843 ++ u16 off;
1844 ++ static const unsigned int max_attempts = 128;
1845 +
1846 + if (maniptype == NF_NAT_MANIP_SRC)
1847 + portptr = &tuple->src.u.all;
1848 +@@ -84,17 +84,31 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
1849 + } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
1850 + off = prandom_u32();
1851 + } else {
1852 +- off = *rover;
1853 ++ off = prandom_u32();
1854 + }
1855 +
1856 +- for (i = 0; ; ++off) {
1857 ++ attempts = range_size;
1858 ++ if (attempts > max_attempts)
1859 ++ attempts = max_attempts;
1860 ++
1861 ++ /* We are in softirq; doing a search of the entire range risks
1862 ++ * soft lockup when all tuples are already used.
1863 ++ *
1864 ++ * If we can't find any free port from first offset, pick a new
1865 ++ * one and try again, with ever smaller search window.
1866 ++ */
1867 ++another_round:
1868 ++ for (i = 0; i < attempts; i++, off++) {
1869 + *portptr = htons(min + off % range_size);
1870 +- if (++i != range_size && nf_nat_used_tuple(tuple, ct))
1871 +- continue;
1872 +- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
1873 +- *rover = off;
1874 +- return;
1875 ++ if (!nf_nat_used_tuple(tuple, ct))
1876 ++ return;
1877 + }
1878 ++
1879 ++ if (attempts >= range_size || attempts < 16)
1880 ++ return;
1881 ++ attempts /= 2;
1882 ++ off = prandom_u32();
1883 ++ goto another_round;
1884 + }
1885 + EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
1886 +
1887 +diff --git a/net/netfilter/nf_nat_proto_dccp.c b/net/netfilter/nf_nat_proto_dccp.c
1888 +index 269fcd5dc34c4..04c671300a143 100644
1889 +--- a/net/netfilter/nf_nat_proto_dccp.c
1890 ++++ b/net/netfilter/nf_nat_proto_dccp.c
1891 +@@ -18,8 +18,6 @@
1892 + #include <net/netfilter/nf_nat_l3proto.h>
1893 + #include <net/netfilter/nf_nat_l4proto.h>
1894 +
1895 +-static u_int16_t dccp_port_rover;
1896 +-
1897 + static void
1898 + dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1899 + struct nf_conntrack_tuple *tuple,
1900 +@@ -27,8 +25,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1901 + enum nf_nat_manip_type maniptype,
1902 + const struct nf_conn *ct)
1903 + {
1904 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1905 +- &dccp_port_rover);
1906 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1907 + }
1908 +
1909 + static bool
1910 +diff --git a/net/netfilter/nf_nat_proto_sctp.c b/net/netfilter/nf_nat_proto_sctp.c
1911 +index c57ee3240b1d5..7329c9b1dc1ef 100644
1912 +--- a/net/netfilter/nf_nat_proto_sctp.c
1913 ++++ b/net/netfilter/nf_nat_proto_sctp.c
1914 +@@ -12,8 +12,6 @@
1915 +
1916 + #include <net/netfilter/nf_nat_l4proto.h>
1917 +
1918 +-static u_int16_t nf_sctp_port_rover;
1919 +-
1920 + static void
1921 + sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1922 + struct nf_conntrack_tuple *tuple,
1923 +@@ -21,8 +19,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1924 + enum nf_nat_manip_type maniptype,
1925 + const struct nf_conn *ct)
1926 + {
1927 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1928 +- &nf_sctp_port_rover);
1929 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1930 + }
1931 +
1932 + static bool
1933 +diff --git a/net/netfilter/nf_nat_proto_tcp.c b/net/netfilter/nf_nat_proto_tcp.c
1934 +index 4f8820fc51480..882e79c6df734 100644
1935 +--- a/net/netfilter/nf_nat_proto_tcp.c
1936 ++++ b/net/netfilter/nf_nat_proto_tcp.c
1937 +@@ -18,8 +18,6 @@
1938 + #include <net/netfilter/nf_nat_l4proto.h>
1939 + #include <net/netfilter/nf_nat_core.h>
1940 +
1941 +-static u16 tcp_port_rover;
1942 +-
1943 + static void
1944 + tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1945 + struct nf_conntrack_tuple *tuple,
1946 +@@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1947 + enum nf_nat_manip_type maniptype,
1948 + const struct nf_conn *ct)
1949 + {
1950 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1951 +- &tcp_port_rover);
1952 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1953 + }
1954 +
1955 + static bool
1956 +diff --git a/net/netfilter/nf_nat_proto_udp.c b/net/netfilter/nf_nat_proto_udp.c
1957 +index 167ad0dd269c9..f48bacd38d9d5 100644
1958 +--- a/net/netfilter/nf_nat_proto_udp.c
1959 ++++ b/net/netfilter/nf_nat_proto_udp.c
1960 +@@ -17,8 +17,6 @@
1961 + #include <net/netfilter/nf_nat_l3proto.h>
1962 + #include <net/netfilter/nf_nat_l4proto.h>
1963 +
1964 +-static u16 udp_port_rover;
1965 +-
1966 + static void
1967 + udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1968 + struct nf_conntrack_tuple *tuple,
1969 +@@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
1970 + enum nf_nat_manip_type maniptype,
1971 + const struct nf_conn *ct)
1972 + {
1973 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1974 +- &udp_port_rover);
1975 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1976 + }
1977 +
1978 + static void
1979 +@@ -78,8 +75,6 @@ static bool udp_manip_pkt(struct sk_buff *skb,
1980 + }
1981 +
1982 + #ifdef CONFIG_NF_NAT_PROTO_UDPLITE
1983 +-static u16 udplite_port_rover;
1984 +-
1985 + static bool udplite_manip_pkt(struct sk_buff *skb,
1986 + const struct nf_nat_l3proto *l3proto,
1987 + unsigned int iphdroff, unsigned int hdroff,
1988 +@@ -103,8 +98,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto,
1989 + enum nf_nat_manip_type maniptype,
1990 + const struct nf_conn *ct)
1991 + {
1992 +- nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct,
1993 +- &udplite_port_rover);
1994 ++ nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
1995 + }
1996 +
1997 + const struct nf_nat_l4proto nf_nat_l4proto_udplite = {
1998 +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
1999 +index b1a9f330a51fe..fd87216bc0a99 100644
2000 +--- a/net/netfilter/nft_payload.c
2001 ++++ b/net/netfilter/nft_payload.c
2002 +@@ -194,6 +194,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
2003 + struct sk_buff *skb,
2004 + unsigned int *l4csum_offset)
2005 + {
2006 ++ if (pkt->xt.fragoff)
2007 ++ return -1;
2008 ++
2009 + switch (pkt->tprot) {
2010 + case IPPROTO_TCP:
2011 + *l4csum_offset = offsetof(struct tcphdr, check);
2012 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
2013 +index 3177b9320c62d..1381bfcb3cf05 100644
2014 +--- a/net/packet/af_packet.c
2015 ++++ b/net/packet/af_packet.c
2016 +@@ -1756,6 +1756,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
2017 + match->prot_hook.dev = po->prot_hook.dev;
2018 + match->prot_hook.func = packet_rcv_fanout;
2019 + match->prot_hook.af_packet_priv = match;
2020 ++ match->prot_hook.af_packet_net = read_pnet(&match->net);
2021 + match->prot_hook.id_match = match_fanout_group;
2022 + list_add(&match->list, &fanout_list);
2023 + }
2024 +@@ -1769,7 +1770,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
2025 + err = -ENOSPC;
2026 + if (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
2027 + __dev_remove_pack(&po->prot_hook);
2028 +- po->fanout = match;
2029 ++
2030 ++ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
2031 ++ WRITE_ONCE(po->fanout, match);
2032 ++
2033 + po->rollover = rollover;
2034 + rollover = NULL;
2035 + refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);
2036 +@@ -3330,6 +3334,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
2037 + po->prot_hook.func = packet_rcv_spkt;
2038 +
2039 + po->prot_hook.af_packet_priv = sk;
2040 ++ po->prot_hook.af_packet_net = sock_net(sk);
2041 +
2042 + if (proto) {
2043 + po->prot_hook.type = proto;
2044 +@@ -3913,7 +3918,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
2045 + }
2046 + case PACKET_FANOUT_DATA:
2047 + {
2048 +- if (!po->fanout)
2049 ++ /* Paired with the WRITE_ONCE() in fanout_add() */
2050 ++ if (!READ_ONCE(po->fanout))
2051 + return -EINVAL;
2052 +
2053 + return fanout_set_data(po, optval, optlen);
2054 +diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c
2055 +index ec731223cab3d..72d4548994842 100644
2056 +--- a/sound/soc/fsl/pcm030-audio-fabric.c
2057 ++++ b/sound/soc/fsl/pcm030-audio-fabric.c
2058 +@@ -90,16 +90,21 @@ static int pcm030_fabric_probe(struct platform_device *op)
2059 + dev_err(&op->dev, "platform_device_alloc() failed\n");
2060 +
2061 + ret = platform_device_add(pdata->codec_device);
2062 +- if (ret)
2063 ++ if (ret) {
2064 + dev_err(&op->dev, "platform_device_add() failed: %d\n", ret);
2065 ++ platform_device_put(pdata->codec_device);
2066 ++ }
2067 +
2068 + ret = snd_soc_register_card(card);
2069 +- if (ret)
2070 ++ if (ret) {
2071 + dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret);
2072 ++ platform_device_del(pdata->codec_device);
2073 ++ platform_device_put(pdata->codec_device);
2074 ++ }
2075 +
2076 + platform_set_drvdata(op, pdata);
2077 +-
2078 + return ret;
2079 ++
2080 + }
2081 +
2082 + static int pcm030_fabric_remove(struct platform_device *op)
2083 +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
2084 +index d5ef627e93be0..e1c897ad0fe5f 100644
2085 +--- a/sound/soc/soc-ops.c
2086 ++++ b/sound/soc/soc-ops.c
2087 +@@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
2088 + if (sign_bit)
2089 + mask = BIT(sign_bit + 1) - 1;
2090 +
2091 +- val = ((ucontrol->value.integer.value[0] + min) & mask);
2092 ++ val = ucontrol->value.integer.value[0];
2093 ++ if (mc->platform_max && val > mc->platform_max)
2094 ++ return -EINVAL;
2095 ++ if (val > max - min)
2096 ++ return -EINVAL;
2097 ++ if (val < 0)
2098 ++ return -EINVAL;
2099 ++ val = (val + min) & mask;
2100 + if (invert)
2101 + val = max - val;
2102 + val_mask = mask << shift;
2103 + val = val << shift;
2104 + if (snd_soc_volsw_is_stereo(mc)) {
2105 +- val2 = ((ucontrol->value.integer.value[1] + min) & mask);
2106 ++ val2 = ucontrol->value.integer.value[1];
2107 ++ if (mc->platform_max && val2 > mc->platform_max)
2108 ++ return -EINVAL;
2109 ++ if (val2 > max - min)
2110 ++ return -EINVAL;
2111 ++ if (val2 < 0)
2112 ++ return -EINVAL;
2113 ++ val2 = (val2 + min) & mask;
2114 + if (invert)
2115 + val2 = max - val2;
2116 + if (reg == reg2) {
2117 +@@ -427,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
2118 + int err = 0;
2119 + unsigned int val, val_mask, val2 = 0;
2120 +
2121 ++ val = ucontrol->value.integer.value[0];
2122 ++ if (mc->platform_max && val > mc->platform_max)
2123 ++ return -EINVAL;
2124 ++ if (val > max - min)
2125 ++ return -EINVAL;
2126 ++ if (val < 0)
2127 ++ return -EINVAL;
2128 + val_mask = mask << shift;
2129 +- val = (ucontrol->value.integer.value[0] + min) & mask;
2130 ++ val = (val + min) & mask;
2131 + val = val << shift;
2132 +
2133 + err = snd_soc_component_update_bits(component, reg, val_mask, val);
2134 +@@ -894,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol,
2135 + unsigned int i, regval, regmask;
2136 + int err;
2137 +
2138 ++ if (val < mc->min || val > mc->max)
2139 ++ return -EINVAL;
2140 + if (invert)
2141 + val = max - val;
2142 + val &= mask;
2143 +diff --git a/tools/testing/selftests/futex/Makefile b/tools/testing/selftests/futex/Makefile
2144 +index a63e8453984d2..cacf7671427a2 100644
2145 +--- a/tools/testing/selftests/futex/Makefile
2146 ++++ b/tools/testing/selftests/futex/Makefile
2147 +@@ -11,7 +11,7 @@ all:
2148 + @for DIR in $(SUBDIRS); do \
2149 + BUILD_TARGET=$(OUTPUT)/$$DIR; \
2150 + mkdir $$BUILD_TARGET -p; \
2151 +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\
2152 ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\
2153 + if [ -e $$DIR/$(TEST_PROGS) ]; then \
2154 + rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; \
2155 + fi \
2156 +@@ -40,6 +40,6 @@ override define CLEAN
2157 + @for DIR in $(SUBDIRS); do \
2158 + BUILD_TARGET=$(OUTPUT)/$$DIR; \
2159 + mkdir $$BUILD_TARGET -p; \
2160 +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\
2161 ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\
2162 + done
2163 + endef
Report Message
Find on MARC Find on Google Groups