Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Wed, 09 Jan 2019 17:52:27
Message-Id: 1547056300.e5d216e0258419f8f3e76a26315623f825786c6d.mpagano@gentoo
1 commit: e5d216e0258419f8f3e76a26315623f825786c6d
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 9 17:51:40 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 9 17:51:40 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e5d216e0
7
8 proj/linux-patches: Linux patch 4.9.149
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1148_linux-4.9.149.patch | 1651 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1655 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 490672d..81b354f 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -635,6 +635,10 @@ Patch: 1147_linux-4.9.148.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.148
23
24 +Patch: 1148_linux-4.9.149.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.149
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1148_linux-4.9.149.patch b/1148_linux-4.9.149.patch
33 new file mode 100644
34 index 0000000..95ea39d
35 --- /dev/null
36 +++ b/1148_linux-4.9.149.patch
37 @@ -0,0 +1,1651 @@
38 +diff --git a/Makefile b/Makefile
39 +index 1b71b11ea63e..1feac0246fe2 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 148
46 ++SUBLEVEL = 149
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
51 +index 0dbc1c6ab7dc..68dedca5a47e 100644
52 +--- a/arch/arm64/include/asm/kvm_arm.h
53 ++++ b/arch/arm64/include/asm/kvm_arm.h
54 +@@ -99,7 +99,7 @@
55 + TCR_EL2_ORGN0_MASK | TCR_EL2_IRGN0_MASK | TCR_EL2_T0SZ_MASK)
56 +
57 + /* VTCR_EL2 Registers bits */
58 +-#define VTCR_EL2_RES1 (1 << 31)
59 ++#define VTCR_EL2_RES1 (1U << 31)
60 + #define VTCR_EL2_HD (1 << 22)
61 + #define VTCR_EL2_HA (1 << 21)
62 + #define VTCR_EL2_PS_MASK TCR_EL2_PS_MASK
63 +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
64 +index 37fe58c19a90..542c3ede9722 100644
65 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
66 ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
67 +@@ -13,6 +13,7 @@
68 + #include <stdint.h>
69 + #include <stdio.h>
70 + #include <stdlib.h>
71 ++#include "../../../../include/linux/sizes.h"
72 +
73 + int main(int argc, char *argv[])
74 + {
75 +@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
76 + vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
77 +
78 + /*
79 +- * Align with 16 bytes: "greater than that used for any standard data
80 +- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
81 ++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
82 ++ * which may be as large as 64KB depending on the kernel configuration.
83 + */
84 +
85 +- vmlinuz_load_addr += (16 - vmlinux_size % 16);
86 ++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
87 +
88 + printf("0x%llx\n", vmlinuz_load_addr);
89 +
90 +diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
91 +index 396236a02b8c..59defc5e88aa 100644
92 +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
93 ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
94 +@@ -290,7 +290,8 @@ static cvmx_helper_interface_mode_t __cvmx_get_mode_cn7xxx(int interface)
95 + case 3:
96 + return CVMX_HELPER_INTERFACE_MODE_LOOP;
97 + case 4:
98 +- return CVMX_HELPER_INTERFACE_MODE_RGMII;
99 ++ /* TODO: Implement support for AGL (RGMII). */
100 ++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
101 + default:
102 + return CVMX_HELPER_INTERFACE_MODE_DISABLED;
103 + }
104 +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h
105 +index 514cbc0a6a67..ef6f00798011 100644
106 +--- a/arch/mips/include/asm/pgtable-64.h
107 ++++ b/arch/mips/include/asm/pgtable-64.h
108 +@@ -193,6 +193,11 @@ static inline int pmd_bad(pmd_t pmd)
109 +
110 + static inline int pmd_present(pmd_t pmd)
111 + {
112 ++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
113 ++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
114 ++ return pmd_val(pmd) & _PAGE_PRESENT;
115 ++#endif
116 ++
117 + return pmd_val(pmd) != (unsigned long) invalid_pte_table;
118 + }
119 +
120 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
121 +index 22a0ccb17ad0..9a8167b175d5 100644
122 +--- a/arch/x86/include/asm/kvm_host.h
123 ++++ b/arch/x86/include/asm/kvm_host.h
124 +@@ -1324,7 +1324,7 @@ asmlinkage void kvm_spurious_fault(void);
125 + "cmpb $0, kvm_rebooting \n\t" \
126 + "jne 668b \n\t" \
127 + __ASM_SIZE(push) " $666b \n\t" \
128 +- "call kvm_spurious_fault \n\t" \
129 ++ "jmp kvm_spurious_fault \n\t" \
130 + ".popsection \n\t" \
131 + _ASM_EXTABLE(666b, 667b)
132 +
133 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
134 +index 011050820608..9446a3a2fc69 100644
135 +--- a/arch/x86/kvm/vmx.c
136 ++++ b/arch/x86/kvm/vmx.c
137 +@@ -6548,9 +6548,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
138 +
139 + gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
140 + if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) {
141 +- skip_emulated_instruction(vcpu);
142 + trace_kvm_fast_mmio(gpa);
143 +- return 1;
144 ++ /*
145 ++ * Doing kvm_skip_emulated_instruction() depends on undefined
146 ++ * behavior: Intel's manual doesn't mandate
147 ++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG
148 ++ * occurs and while on real hardware it was observed to be set,
149 ++ * other hypervisors (namely Hyper-V) don't set it, we end up
150 ++ * advancing IP with some random value. Disable fast mmio when
151 ++ * running nested and keep it for real hardware in hope that
152 ++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly.
153 ++ */
154 ++ if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) {
155 ++ skip_emulated_instruction(vcpu);
156 ++ return 1;
157 ++ }
158 ++ else
159 ++ return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
160 ++ NULL, 0) == EMULATE_DONE;
161 + }
162 +
163 + ret = handle_mmio_page_fault(vcpu, gpa, true);
164 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
165 +index 27d13b870e07..46e0ad71b4da 100644
166 +--- a/arch/x86/kvm/x86.c
167 ++++ b/arch/x86/kvm/x86.c
168 +@@ -5707,7 +5707,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
169 + * handle watchpoints yet, those would be handled in
170 + * the emulate_ops.
171 + */
172 +- if (kvm_vcpu_check_breakpoint(vcpu, &r))
173 ++ if (!(emulation_type & EMULTYPE_SKIP) &&
174 ++ kvm_vcpu_check_breakpoint(vcpu, &r))
175 + return r;
176 +
177 + ctxt->interruptibility = 0;
178 +diff --git a/drivers/base/platform-msi.c b/drivers/base/platform-msi.c
179 +index be6a599bc0c1..7ba1d731dece 100644
180 +--- a/drivers/base/platform-msi.c
181 ++++ b/drivers/base/platform-msi.c
182 +@@ -375,14 +375,16 @@ void platform_msi_domain_free(struct irq_domain *domain, unsigned int virq,
183 + unsigned int nvec)
184 + {
185 + struct platform_msi_priv_data *data = domain->host_data;
186 +- struct msi_desc *desc;
187 +- for_each_msi_entry(desc, data->dev) {
188 ++ struct msi_desc *desc, *tmp;
189 ++ for_each_msi_entry_safe(desc, tmp, data->dev) {
190 + if (WARN_ON(!desc->irq || desc->nvec_used != 1))
191 + return;
192 + if (!(desc->irq >= virq && desc->irq < (virq + nvec)))
193 + continue;
194 +
195 + irq_domain_free_irqs_common(domain, desc->irq, 1);
196 ++ list_del(&desc->list);
197 ++ free_msi_entry(desc);
198 + }
199 + }
200 +
201 +diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
202 +index caa86b19c76d..f74f451baf6a 100644
203 +--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
204 ++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
205 +@@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
206 + struct device *dev = chip->dev.parent;
207 + struct i2c_client *client = to_i2c_client(dev);
208 + u32 ordinal;
209 ++ unsigned long duration;
210 + size_t count = 0;
211 + int burst_count, bytes2write, retries, rc = -EIO;
212 +
213 +@@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
214 + return rc;
215 + }
216 + ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
217 +- rc = i2c_nuvoton_wait_for_data_avail(chip,
218 +- tpm_calc_ordinal_duration(chip,
219 +- ordinal),
220 +- &priv->read_queue);
221 ++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
222 ++ duration = tpm2_calc_ordinal_duration(chip, ordinal);
223 ++ else
224 ++ duration = tpm_calc_ordinal_duration(chip, ordinal);
225 ++
226 ++ rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
227 + if (rc) {
228 + dev_err(dev, "%s() timeout command duration\n", __func__);
229 + i2c_nuvoton_ready(chip);
230 +diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
231 +index d0e722a0e8cf..523378d1396e 100644
232 +--- a/drivers/clk/rockchip/clk-rk3188.c
233 ++++ b/drivers/clk/rockchip/clk-rk3188.c
234 +@@ -381,7 +381,7 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
235 + COMPOSITE_NOMUX(0, "spdif_pre", "i2s_src", 0,
236 + RK2928_CLKSEL_CON(5), 0, 7, DFLAGS,
237 + RK2928_CLKGATE_CON(0), 13, GFLAGS),
238 +- COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pll", CLK_SET_RATE_PARENT,
239 ++ COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pre", CLK_SET_RATE_PARENT,
240 + RK2928_CLKSEL_CON(9), 0,
241 + RK2928_CLKGATE_CON(0), 14, GFLAGS,
242 + &common_spdif_fracmux),
243 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
244 +index 471984ec2db0..30adc5745cba 100644
245 +--- a/drivers/input/mouse/elan_i2c_core.c
246 ++++ b/drivers/input/mouse/elan_i2c_core.c
247 +@@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
248 + static const struct acpi_device_id elan_acpi_id[] = {
249 + { "ELAN0000", 0 },
250 + { "ELAN0100", 0 },
251 ++ { "ELAN0501", 0 },
252 + { "ELAN0600", 0 },
253 + { "ELAN0602", 0 },
254 + { "ELAN0605", 0 },
255 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
256 +index dd7e38ac29bd..d15347de415a 100644
257 +--- a/drivers/isdn/capi/kcapi.c
258 ++++ b/drivers/isdn/capi/kcapi.c
259 +@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
260 + u16 ret;
261 +
262 + if (contr == 0) {
263 +- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
264 ++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
265 + return CAPI_NOERROR;
266 + }
267 +
268 +@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
269 +
270 + ctr = get_capi_ctr_by_nr(contr);
271 + if (ctr && ctr->state == CAPI_CTR_RUNNING) {
272 +- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
273 ++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
274 + ret = CAPI_NOERROR;
275 + } else
276 + ret = CAPI_REGNOTINSTALLED;
277 +diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
278 +index 1f463f4c3024..d2f72f3635aa 100644
279 +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
280 ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
281 +@@ -1618,7 +1618,7 @@ typedef struct { u16 __; u8 _; } __packed x24;
282 + unsigned s; \
283 + \
284 + for (s = 0; s < len; s++) { \
285 +- u8 chr = font8x16[text[s] * 16 + line]; \
286 ++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
287 + \
288 + if (hdiv == 2 && tpg->hflip) { \
289 + pos[3] = (chr & (0x01 << 6) ? fg : bg); \
290 +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
291 +index d5c84ecf2027..25d4fd4f4c0b 100644
292 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c
293 ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
294 +@@ -452,6 +452,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
295 + tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
296 + break;
297 + }
298 ++ vfree(dev->bitmap_cap);
299 ++ dev->bitmap_cap = NULL;
300 + vivid_update_quality(dev);
301 + tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
302 + dev->crop_cap = dev->src_rect;
303 +diff --git a/drivers/mtd/spi-nor/Kconfig b/drivers/mtd/spi-nor/Kconfig
304 +index 4a682ee0f632..b4f6cadd28fe 100644
305 +--- a/drivers/mtd/spi-nor/Kconfig
306 ++++ b/drivers/mtd/spi-nor/Kconfig
307 +@@ -31,7 +31,7 @@ config MTD_SPI_NOR_USE_4K_SECTORS
308 +
309 + config SPI_ATMEL_QUADSPI
310 + tristate "Atmel Quad SPI Controller"
311 +- depends on ARCH_AT91 || (ARM && COMPILE_TEST)
312 ++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
313 + depends on OF && HAS_IOMEM
314 + help
315 + This enables support for the Quad SPI controller in master mode.
316 +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
317 +index b375ae9f98ef..4996228fd7e6 100644
318 +--- a/drivers/net/ethernet/ibm/ibmveth.c
319 ++++ b/drivers/net/ethernet/ibm/ibmveth.c
320 +@@ -1162,11 +1162,15 @@ out:
321 +
322 + map_failed_frags:
323 + last = i+1;
324 +- for (i = 0; i < last; i++)
325 ++ for (i = 1; i < last; i++)
326 + dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
327 + descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
328 + DMA_TO_DEVICE);
329 +
330 ++ dma_unmap_single(&adapter->vdev->dev,
331 ++ descs[0].fields.address,
332 ++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
333 ++ DMA_TO_DEVICE);
334 + map_failed:
335 + if (!firmware_has_feature(FW_FEATURE_CMO))
336 + netdev_err(netdev, "tx: unable to map xmit buffer\n");
337 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
338 +index da1d73fe1a81..d5e8ac86c195 100644
339 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
340 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
341 +@@ -1167,11 +1167,6 @@ static int mlx5e_get_ts_info(struct net_device *dev,
342 + struct ethtool_ts_info *info)
343 + {
344 + struct mlx5e_priv *priv = netdev_priv(dev);
345 +- int ret;
346 +-
347 +- ret = ethtool_op_get_ts_info(dev, info);
348 +- if (ret)
349 +- return ret;
350 +
351 + info->phc_index = priv->tstamp.ptp ?
352 + ptp_clock_index(priv->tstamp.ptp) : -1;
353 +@@ -1179,9 +1174,9 @@ static int mlx5e_get_ts_info(struct net_device *dev,
354 + if (!MLX5_CAP_GEN(priv->mdev, device_frequency_khz))
355 + return 0;
356 +
357 +- info->so_timestamping |= SOF_TIMESTAMPING_TX_HARDWARE |
358 +- SOF_TIMESTAMPING_RX_HARDWARE |
359 +- SOF_TIMESTAMPING_RAW_HARDWARE;
360 ++ info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
361 ++ SOF_TIMESTAMPING_RX_HARDWARE |
362 ++ SOF_TIMESTAMPING_RAW_HARDWARE;
363 +
364 + info->tx_types = BIT(HWTSTAMP_TX_OFF) |
365 + BIT(HWTSTAMP_TX_ON);
366 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
367 +index 5f3402ba9916..13dfc197bdd8 100644
368 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
369 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
370 +@@ -390,7 +390,7 @@ static void del_rule(struct fs_node *node)
371 + }
372 + if ((fte->action & MLX5_FLOW_CONTEXT_ACTION_FWD_DEST) &&
373 + --fte->dests_size) {
374 +- modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST),
375 ++ modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST);
376 + err = mlx5_cmd_update_fte(dev, ft,
377 + fg->id,
378 + modify_mask,
379 +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
380 +index f04be9e8980f..5048a6df6a8e 100644
381 +--- a/drivers/net/phy/phy_device.c
382 ++++ b/drivers/net/phy/phy_device.c
383 +@@ -163,11 +163,8 @@ static int mdio_bus_phy_restore(struct device *dev)
384 + if (ret < 0)
385 + return ret;
386 +
387 +- /* The PHY needs to renegotiate. */
388 +- phydev->link = 0;
389 +- phydev->state = PHY_UP;
390 +-
391 +- phy_start_machine(phydev);
392 ++ if (phydev->attached_dev && phydev->adjust_link)
393 ++ phy_start_machine(phydev);
394 +
395 + return 0;
396 + }
397 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
398 +index 2b728cc52e3a..134eb184fa22 100644
399 +--- a/drivers/net/usb/qmi_wwan.c
400 ++++ b/drivers/net/usb/qmi_wwan.c
401 +@@ -951,7 +951,7 @@ static const struct usb_device_id products[] = {
402 + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
403 + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
404 + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
405 +- {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
406 ++ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
407 + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
408 + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
409 + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
410 +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
411 +index 1bc5e93d2a34..eb56bb5916be 100644
412 +--- a/drivers/net/wan/x25_asy.c
413 ++++ b/drivers/net/wan/x25_asy.c
414 +@@ -488,8 +488,10 @@ static int x25_asy_open(struct net_device *dev)
415 +
416 + /* Cleanup */
417 + kfree(sl->xbuff);
418 ++ sl->xbuff = NULL;
419 + noxbuff:
420 + kfree(sl->rbuff);
421 ++ sl->rbuff = NULL;
422 + norbuff:
423 + return -ENOMEM;
424 + }
425 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
426 +index aceae791baf3..14ceeaaa7fe5 100644
427 +--- a/drivers/net/xen-netfront.c
428 ++++ b/drivers/net/xen-netfront.c
429 +@@ -903,7 +903,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
430 + if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
431 + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
432 +
433 +- BUG_ON(pull_to <= skb_headlen(skb));
434 ++ BUG_ON(pull_to < skb_headlen(skb));
435 + __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
436 + }
437 + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
438 +diff --git a/drivers/nfc/nxp-nci/firmware.c b/drivers/nfc/nxp-nci/firmware.c
439 +index 5291797324ba..553011f58339 100644
440 +--- a/drivers/nfc/nxp-nci/firmware.c
441 ++++ b/drivers/nfc/nxp-nci/firmware.c
442 +@@ -24,7 +24,7 @@
443 + #include <linux/completion.h>
444 + #include <linux/firmware.h>
445 + #include <linux/nfc.h>
446 +-#include <linux/unaligned/access_ok.h>
447 ++#include <asm/unaligned.h>
448 +
449 + #include "nxp-nci.h"
450 +
451 +diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
452 +index 36099e557730..06a157c63416 100644
453 +--- a/drivers/nfc/nxp-nci/i2c.c
454 ++++ b/drivers/nfc/nxp-nci/i2c.c
455 +@@ -36,7 +36,7 @@
456 + #include <linux/of_gpio.h>
457 + #include <linux/of_irq.h>
458 + #include <linux/platform_data/nxp-nci.h>
459 +-#include <linux/unaligned/access_ok.h>
460 ++#include <asm/unaligned.h>
461 +
462 + #include <net/nfc/nfc.h>
463 +
464 +diff --git a/drivers/rtc/rtc-m41t80.c b/drivers/rtc/rtc-m41t80.c
465 +index c4ca6a385790..6b6b623cc250 100644
466 +--- a/drivers/rtc/rtc-m41t80.c
467 ++++ b/drivers/rtc/rtc-m41t80.c
468 +@@ -333,7 +333,7 @@ static int m41t80_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
469 + alrm->time.tm_min = bcd2bin(alarmvals[3] & 0x7f);
470 + alrm->time.tm_hour = bcd2bin(alarmvals[2] & 0x3f);
471 + alrm->time.tm_mday = bcd2bin(alarmvals[1] & 0x3f);
472 +- alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f);
473 ++ alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f) - 1;
474 +
475 + alrm->enabled = !!(alarmvals[0] & M41T80_ALMON_AFE);
476 + alrm->pending = (flags & M41T80_FLAGS_AF) && alrm->enabled;
477 +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
478 +index f35cc10772f6..25abf2d1732a 100644
479 +--- a/drivers/spi/spi-bcm2835.c
480 ++++ b/drivers/spi/spi-bcm2835.c
481 +@@ -88,7 +88,7 @@ struct bcm2835_spi {
482 + u8 *rx_buf;
483 + int tx_len;
484 + int rx_len;
485 +- bool dma_pending;
486 ++ unsigned int dma_pending;
487 + };
488 +
489 + static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg)
490 +@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id)
491 + /* Write as many bytes as possible to FIFO */
492 + bcm2835_wr_fifo(bs);
493 +
494 +- /* based on flags decide if we can finish the transfer */
495 +- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) {
496 ++ if (!bs->rx_len) {
497 + /* Transfer complete - reset SPI HW */
498 + bcm2835_spi_reset_hw(master);
499 + /* wake up the framework */
500 +@@ -233,10 +232,9 @@ static void bcm2835_spi_dma_done(void *data)
501 + * is called the tx-dma must have finished - can't get to this
502 + * situation otherwise...
503 + */
504 +- dmaengine_terminate_all(master->dma_tx);
505 +-
506 +- /* mark as no longer pending */
507 +- bs->dma_pending = 0;
508 ++ if (cmpxchg(&bs->dma_pending, true, false)) {
509 ++ dmaengine_terminate_all(master->dma_tx);
510 ++ }
511 +
512 + /* and mark as completed */;
513 + complete(&master->xfer_completion);
514 +@@ -342,6 +340,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master,
515 + if (ret) {
516 + /* need to reset on errors */
517 + dmaengine_terminate_all(master->dma_tx);
518 ++ bs->dma_pending = false;
519 + bcm2835_spi_reset_hw(master);
520 + return ret;
521 + }
522 +@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master,
523 + struct bcm2835_spi *bs = spi_master_get_devdata(master);
524 +
525 + /* if an error occurred and we have an active dma, then terminate */
526 +- if (bs->dma_pending) {
527 ++ if (cmpxchg(&bs->dma_pending, true, false)) {
528 + dmaengine_terminate_all(master->dma_tx);
529 + dmaengine_terminate_all(master->dma_rx);
530 +- bs->dma_pending = 0;
531 + }
532 + /* and reset */
533 + bcm2835_spi_reset_hw(master);
534 +diff --git a/drivers/staging/wilc1000/wilc_sdio.c b/drivers/staging/wilc1000/wilc_sdio.c
535 +index 39b73fb27398..63c8701dedcf 100644
536 +--- a/drivers/staging/wilc1000/wilc_sdio.c
537 ++++ b/drivers/staging/wilc1000/wilc_sdio.c
538 +@@ -830,6 +830,7 @@ static int sdio_read_int(struct wilc *wilc, u32 *int_status)
539 + if (!g_sdio.irq_gpio) {
540 + int i;
541 +
542 ++ cmd.read_write = 0;
543 + cmd.function = 1;
544 + cmd.address = 0x04;
545 + cmd.data = 0;
546 +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
547 +index 7497f1d4a818..fcf2e51f2cfe 100644
548 +--- a/drivers/tty/serial/xilinx_uartps.c
549 ++++ b/drivers/tty/serial/xilinx_uartps.c
550 +@@ -128,7 +128,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout, 1-255");
551 + #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
552 + #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
553 + #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
554 +-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
555 ++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
556 +
557 + /*
558 + * Do not enable parity error interrupt for the following
559 +@@ -362,7 +362,7 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
560 + cdns_uart_handle_tx(dev_id);
561 + isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
562 + }
563 +- if (isrstatus & CDNS_UART_IXR_MASK)
564 ++ if (isrstatus & CDNS_UART_IXR_RXMASK)
565 + cdns_uart_handle_rx(dev_id, isrstatus);
566 +
567 + spin_unlock(&port->lock);
568 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
569 +index cd4f96354fa8..6c0bb38c4089 100644
570 +--- a/drivers/usb/class/cdc-acm.c
571 ++++ b/drivers/usb/class/cdc-acm.c
572 +@@ -502,6 +502,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
573 + if (retval)
574 + goto error_init_termios;
575 +
576 ++ /*
577 ++ * Suppress initial echoing for some devices which might send data
578 ++ * immediately after acm driver has been installed.
579 ++ */
580 ++ if (acm->quirks & DISABLE_ECHO)
581 ++ tty->termios.c_lflag &= ~ECHO;
582 ++
583 + tty->driver_data = acm;
584 +
585 + return 0;
586 +@@ -1620,6 +1627,9 @@ static const struct usb_device_id acm_ids[] = {
587 + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@×××××.com */
588 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
589 + },
590 ++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */
591 ++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
592 ++ },
593 + { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */
594 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
595 + },
596 +diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
597 +index b30ac5fcde68..1ad9ff9f493d 100644
598 +--- a/drivers/usb/class/cdc-acm.h
599 ++++ b/drivers/usb/class/cdc-acm.h
600 +@@ -134,3 +134,4 @@ struct acm {
601 + #define QUIRK_CONTROL_LINE_STATE BIT(6)
602 + #define CLEAR_HALT_CONDITIONS BIT(7)
603 + #define SEND_ZERO_PACKET BIT(8)
604 ++#define DISABLE_ECHO BIT(9)
605 +diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
606 +index 7bf78be1fd32..72c3ed76a77d 100644
607 +--- a/drivers/usb/host/r8a66597-hcd.c
608 ++++ b/drivers/usb/host/r8a66597-hcd.c
609 +@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
610 +
611 + static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
612 + struct usb_host_endpoint *hep)
613 ++__acquires(r8a66597->lock)
614 ++__releases(r8a66597->lock)
615 + {
616 + struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
617 + struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
618 +@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
619 + return;
620 + pipenum = pipe->info.pipenum;
621 +
622 ++ spin_lock_irqsave(&r8a66597->lock, flags);
623 + if (pipenum == 0) {
624 + kfree(hep->hcpriv);
625 + hep->hcpriv = NULL;
626 ++ spin_unlock_irqrestore(&r8a66597->lock, flags);
627 + return;
628 + }
629 +
630 +- spin_lock_irqsave(&r8a66597->lock, flags);
631 + pipe_stop(r8a66597, pipe);
632 + pipe_irq_disable(r8a66597, pipenum);
633 + disable_irq_empty(r8a66597, pipenum);
634 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
635 +index 1e3445dd84b2..7bc2c9fef605 100644
636 +--- a/drivers/usb/serial/option.c
637 ++++ b/drivers/usb/serial/option.c
638 +@@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = {
639 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
640 + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
641 + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
642 ++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
643 ++ .driver_info = RSVD(4) | RSVD(5) },
644 ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
645 ++ .driver_info = RSVD(6) },
646 + { } /* Terminating entry */
647 + };
648 + MODULE_DEVICE_TABLE(usb, option_ids);
649 +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
650 +index 3da25ad267a2..4966768d3c98 100644
651 +--- a/drivers/usb/serial/pl2303.c
652 ++++ b/drivers/usb/serial/pl2303.c
653 +@@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = {
654 + { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
655 + { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
656 + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
657 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
658 + { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
659 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
660 + { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
661 + { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
662 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
663 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
664 ++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
665 + { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
666 + { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
667 + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
668 +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
669 +index 123289085ee2..a84f0959ab34 100644
670 +--- a/drivers/usb/serial/pl2303.h
671 ++++ b/drivers/usb/serial/pl2303.h
672 +@@ -123,10 +123,15 @@
673 +
674 + /* Hewlett-Packard POS Pole Displays */
675 + #define HP_VENDOR_ID 0x03f0
676 ++#define HP_LM920_PRODUCT_ID 0x026b
677 ++#define HP_TD620_PRODUCT_ID 0x0956
678 + #define HP_LD960_PRODUCT_ID 0x0b39
679 + #define HP_LCM220_PRODUCT_ID 0x3139
680 + #define HP_LCM960_PRODUCT_ID 0x3239
681 + #define HP_LD220_PRODUCT_ID 0x3524
682 ++#define HP_LD220TA_PRODUCT_ID 0x4349
683 ++#define HP_LD960TA_PRODUCT_ID 0x4439
684 ++#define HP_LM940_PRODUCT_ID 0x5039
685 +
686 + /* Cressi Edy (diving computer) PC interface */
687 + #define CRESSI_VENDOR_ID 0x04b8
688 +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
689 +index 4c5625cb540c..53b1b3cfce84 100644
690 +--- a/drivers/vhost/vhost.c
691 ++++ b/drivers/vhost/vhost.c
692 +@@ -2145,6 +2145,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
693 + return -EFAULT;
694 + }
695 + if (unlikely(vq->log_used)) {
696 ++ /* Make sure used idx is seen before log. */
697 ++ smp_wmb();
698 + /* Log used index update. */
699 + log_write(vq->log_base,
700 + vq->log_addr + offsetof(struct vring_used, idx),
701 +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
702 +index 8257a5a97cc0..98c25b969ab8 100644
703 +--- a/fs/cifs/smb2maperror.c
704 ++++ b/fs/cifs/smb2maperror.c
705 +@@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
706 + {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"},
707 + {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"},
708 + {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"},
709 +- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"},
710 +- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"},
711 ++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"},
712 ++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"},
713 + {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"},
714 + {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS,
715 + "STATUS_CTL_FILE_NOT_SUPPORTED"},
716 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
717 +index d06cfe372609..1008384d5ed5 100644
718 +--- a/fs/ext4/inline.c
719 ++++ b/fs/ext4/inline.c
720 +@@ -702,8 +702,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
721 +
722 + if (!PageUptodate(page)) {
723 + ret = ext4_read_inline_page(inode, page);
724 +- if (ret < 0)
725 ++ if (ret < 0) {
726 ++ unlock_page(page);
727 ++ put_page(page);
728 + goto out_up_read;
729 ++ }
730 + }
731 +
732 + ret = 1;
733 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
734 +index 9be605c63ae1..58e6b8a03e90 100644
735 +--- a/fs/ext4/resize.c
736 ++++ b/fs/ext4/resize.c
737 +@@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)
738 + }
739 +
740 + if (reserved_gdb || gdb_off == 0) {
741 +- if (ext4_has_feature_resize_inode(sb) ||
742 ++ if (!ext4_has_feature_resize_inode(sb) ||
743 + !le16_to_cpu(es->s_reserved_gdt_blocks)) {
744 + ext4_warning(sb,
745 + "No reserved GDT blocks, can't resize");
746 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
747 +index 75177eb498ed..6810234b0b27 100644
748 +--- a/fs/ext4/super.c
749 ++++ b/fs/ext4/super.c
750 +@@ -1076,6 +1076,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid,
751 + ext4_nfs_get_inode);
752 + }
753 +
754 ++static int ext4_nfs_commit_metadata(struct inode *inode)
755 ++{
756 ++ struct writeback_control wbc = {
757 ++ .sync_mode = WB_SYNC_ALL
758 ++ };
759 ++
760 ++ trace_ext4_nfs_commit_metadata(inode);
761 ++ return ext4_write_inode(inode, &wbc);
762 ++}
763 ++
764 + /*
765 + * Try to release metadata pages (indirect blocks, directories) which are
766 + * mapped via the block device. Since these pages could have journal heads
767 +@@ -1258,6 +1268,7 @@ static const struct export_operations ext4_export_ops = {
768 + .fh_to_dentry = ext4_fh_to_dentry,
769 + .fh_to_parent = ext4_fh_to_parent,
770 + .get_parent = ext4_get_parent,
771 ++ .commit_metadata = ext4_nfs_commit_metadata,
772 + };
773 +
774 + enum {
775 +@@ -5425,9 +5436,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
776 + qf_inode->i_flags |= S_NOQUOTA;
777 + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
778 + err = dquot_enable(qf_inode, type, format_id, flags);
779 +- iput(qf_inode);
780 + if (err)
781 + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
782 ++ iput(qf_inode);
783 +
784 + return err;
785 + }
786 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
787 +index 22f765069655..ec9beaa69abb 100644
788 +--- a/fs/ext4/xattr.c
789 ++++ b/fs/ext4/xattr.c
790 +@@ -1499,7 +1499,7 @@ retry:
791 + base = IFIRST(header);
792 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
793 + min_offs = end - base;
794 +- total_ino = sizeof(struct ext4_xattr_ibody_header);
795 ++ total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
796 +
797 + error = xattr_check_inode(inode, header, end);
798 + if (error)
799 +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
800 +index c8f408d8a582..83a96334dc07 100644
801 +--- a/fs/f2fs/super.c
802 ++++ b/fs/f2fs/super.c
803 +@@ -1427,10 +1427,10 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
804 + return 1;
805 + }
806 +
807 +- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
808 ++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
809 + f2fs_msg(sb, KERN_INFO,
810 +- "Wrong segment_count / block_count (%u > %u)",
811 +- segment_count, le32_to_cpu(raw_super->block_count));
812 ++ "Wrong segment_count / block_count (%u > %llu)",
813 ++ segment_count, le64_to_cpu(raw_super->block_count));
814 + return 1;
815 + }
816 +
817 +diff --git a/include/linux/msi.h b/include/linux/msi.h
818 +index 0db320b7bb15..debc8aa4ec19 100644
819 +--- a/include/linux/msi.h
820 ++++ b/include/linux/msi.h
821 +@@ -108,6 +108,8 @@ struct msi_desc {
822 + list_first_entry(dev_to_msi_list((dev)), struct msi_desc, list)
823 + #define for_each_msi_entry(desc, dev) \
824 + list_for_each_entry((desc), dev_to_msi_list((dev)), list)
825 ++#define for_each_msi_entry_safe(desc, tmp, dev) \
826 ++ list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
827 +
828 + #ifdef CONFIG_PCI_MSI
829 + #define first_pci_msi_entry(pdev) first_msi_entry(&(pdev)->dev)
830 +diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
831 +index ac377a23265f..597b84d4805b 100644
832 +--- a/include/linux/ptr_ring.h
833 ++++ b/include/linux/ptr_ring.h
834 +@@ -384,6 +384,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
835 + else if (destroy)
836 + destroy(ptr);
837 +
838 ++ if (producer >= size)
839 ++ producer = 0;
840 + r->size = size;
841 + r->producer = producer;
842 + r->consumer = 0;
843 +diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
844 +index 2a1abbf8da74..95f33eeee984 100644
845 +--- a/include/net/gro_cells.h
846 ++++ b/include/net/gro_cells.h
847 +@@ -86,6 +86,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells)
848 + for_each_possible_cpu(i) {
849 + struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
850 +
851 ++ napi_disable(&cell->napi);
852 + netif_napi_del(&cell->napi);
853 + __skb_queue_purge(&cell->napi_skbs);
854 + }
855 +diff --git a/include/net/sock.h b/include/net/sock.h
856 +index 6d42ed883bf9..15bb04dec40e 100644
857 +--- a/include/net/sock.h
858 ++++ b/include/net/sock.h
859 +@@ -284,6 +284,7 @@ struct sock_common {
860 + * @sk_filter: socket filtering instructions
861 + * @sk_timer: sock cleanup timer
862 + * @sk_stamp: time stamp of last packet received
863 ++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
864 + * @sk_tsflags: SO_TIMESTAMPING socket options
865 + * @sk_tskey: counter to disambiguate concurrent tstamp requests
866 + * @sk_socket: Identd and reporting IO signals
867 +@@ -425,6 +426,9 @@ struct sock {
868 + long sk_sndtimeo;
869 + struct timer_list sk_timer;
870 + ktime_t sk_stamp;
871 ++#if BITS_PER_LONG==32
872 ++ seqlock_t sk_stamp_seq;
873 ++#endif
874 + u16 sk_tsflags;
875 + u8 sk_shutdown;
876 + u32 sk_tskey;
877 +@@ -2114,6 +2118,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
878 + atomic_add(segs, &sk->sk_drops);
879 + }
880 +
881 ++static inline ktime_t sock_read_timestamp(struct sock *sk)
882 ++{
883 ++#if BITS_PER_LONG==32
884 ++ unsigned int seq;
885 ++ ktime_t kt;
886 ++
887 ++ do {
888 ++ seq = read_seqbegin(&sk->sk_stamp_seq);
889 ++ kt = sk->sk_stamp;
890 ++ } while (read_seqretry(&sk->sk_stamp_seq, seq));
891 ++
892 ++ return kt;
893 ++#else
894 ++ return sk->sk_stamp;
895 ++#endif
896 ++}
897 ++
898 ++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
899 ++{
900 ++#if BITS_PER_LONG==32
901 ++ write_seqlock(&sk->sk_stamp_seq);
902 ++ sk->sk_stamp = kt;
903 ++ write_sequnlock(&sk->sk_stamp_seq);
904 ++#else
905 ++ sk->sk_stamp = kt;
906 ++#endif
907 ++}
908 ++
909 + void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
910 + struct sk_buff *skb);
911 + void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
912 +@@ -2138,7 +2170,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
913 + (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
914 + __sock_recv_timestamp(msg, sk, skb);
915 + else
916 +- sk->sk_stamp = kt;
917 ++ sock_write_timestamp(sk, kt);
918 +
919 + if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
920 + __sock_recv_wifi_status(msg, sk, skb);
921 +@@ -2158,7 +2190,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
922 + if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
923 + __sock_recv_ts_and_drops(msg, sk, skb);
924 + else
925 +- sk->sk_stamp = skb->tstamp;
926 ++ sock_write_timestamp(sk, skb->tstamp);
927 + }
928 +
929 + void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
930 +diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h
931 +index 09c71e9aaebf..215668b14f61 100644
932 +--- a/include/trace/events/ext4.h
933 ++++ b/include/trace/events/ext4.h
934 +@@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode,
935 + (unsigned long) __entry->ino, __entry->drop)
936 + );
937 +
938 ++TRACE_EVENT(ext4_nfs_commit_metadata,
939 ++ TP_PROTO(struct inode *inode),
940 ++
941 ++ TP_ARGS(inode),
942 ++
943 ++ TP_STRUCT__entry(
944 ++ __field( dev_t, dev )
945 ++ __field( ino_t, ino )
946 ++ ),
947 ++
948 ++ TP_fast_assign(
949 ++ __entry->dev = inode->i_sb->s_dev;
950 ++ __entry->ino = inode->i_ino;
951 ++ ),
952 ++
953 ++ TP_printk("dev %d,%d ino %lu",
954 ++ MAJOR(__entry->dev), MINOR(__entry->dev),
955 ++ (unsigned long) __entry->ino)
956 ++);
957 ++
958 + TRACE_EVENT(ext4_mark_inode_dirty,
959 + TP_PROTO(struct inode *inode, unsigned long IP),
960 +
961 +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
962 +index 2fdebabbfacd..2772f6a13fcb 100644
963 +--- a/net/ax25/af_ax25.c
964 ++++ b/net/ax25/af_ax25.c
965 +@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
966 + break;
967 + }
968 +
969 +- dev = dev_get_by_name(&init_net, devname);
970 ++ rtnl_lock();
971 ++ dev = __dev_get_by_name(&init_net, devname);
972 + if (!dev) {
973 ++ rtnl_unlock();
974 + res = -ENODEV;
975 + break;
976 + }
977 +
978 + ax25->ax25_dev = ax25_dev_ax25dev(dev);
979 ++ if (!ax25->ax25_dev) {
980 ++ rtnl_unlock();
981 ++ res = -ENODEV;
982 ++ break;
983 ++ }
984 + ax25_fillin_cb(ax25, ax25->ax25_dev);
985 +- dev_put(dev);
986 ++ rtnl_unlock();
987 + break;
988 +
989 + default:
990 +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
991 +index 3d106767b272..5faca5db6385 100644
992 +--- a/net/ax25/ax25_dev.c
993 ++++ b/net/ax25/ax25_dev.c
994 +@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
995 + if ((s = ax25_dev_list) == ax25_dev) {
996 + ax25_dev_list = s->next;
997 + spin_unlock_bh(&ax25_dev_lock);
998 ++ dev->ax25_ptr = NULL;
999 + dev_put(dev);
1000 + kfree(ax25_dev);
1001 + return;
1002 +@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
1003 + if (s->next == ax25_dev) {
1004 + s->next = ax25_dev->next;
1005 + spin_unlock_bh(&ax25_dev_lock);
1006 ++ dev->ax25_ptr = NULL;
1007 + dev_put(dev);
1008 + kfree(ax25_dev);
1009 + return;
1010 +diff --git a/net/compat.c b/net/compat.c
1011 +index 73671e6ec6eb..633fcf6ee369 100644
1012 +--- a/net/compat.c
1013 ++++ b/net/compat.c
1014 +@@ -457,12 +457,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
1015 + err = -ENOENT;
1016 + if (!sock_flag(sk, SOCK_TIMESTAMP))
1017 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
1018 +- tv = ktime_to_timeval(sk->sk_stamp);
1019 ++ tv = ktime_to_timeval(sock_read_timestamp(sk));
1020 ++
1021 + if (tv.tv_sec == -1)
1022 + return err;
1023 + if (tv.tv_sec == 0) {
1024 +- sk->sk_stamp = ktime_get_real();
1025 +- tv = ktime_to_timeval(sk->sk_stamp);
1026 ++ ktime_t kt = ktime_get_real();
1027 ++ sock_write_timestamp(sk, kt);
1028 ++ tv = ktime_to_timeval(kt);
1029 + }
1030 + err = 0;
1031 + if (put_user(tv.tv_sec, &ctv->tv_sec) ||
1032 +@@ -485,12 +487,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
1033 + err = -ENOENT;
1034 + if (!sock_flag(sk, SOCK_TIMESTAMP))
1035 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
1036 +- ts = ktime_to_timespec(sk->sk_stamp);
1037 ++ ts = ktime_to_timespec(sock_read_timestamp(sk));
1038 + if (ts.tv_sec == -1)
1039 + return err;
1040 + if (ts.tv_sec == 0) {
1041 +- sk->sk_stamp = ktime_get_real();
1042 +- ts = ktime_to_timespec(sk->sk_stamp);
1043 ++ ktime_t kt = ktime_get_real();
1044 ++ sock_write_timestamp(sk, kt);
1045 ++ ts = ktime_to_timespec(kt);
1046 + }
1047 + err = 0;
1048 + if (put_user(ts.tv_sec, &ctv->tv_sec) ||
1049 +diff --git a/net/core/sock.c b/net/core/sock.c
1050 +index 1c4c43483b54..68c831e1a5c0 100644
1051 +--- a/net/core/sock.c
1052 ++++ b/net/core/sock.c
1053 +@@ -2467,6 +2467,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
1054 + sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
1055 +
1056 + sk->sk_stamp = ktime_set(-1L, 0);
1057 ++#if BITS_PER_LONG==32
1058 ++ seqlock_init(&sk->sk_stamp_seq);
1059 ++#endif
1060 +
1061 + #ifdef CONFIG_NET_RX_BUSY_POLL
1062 + sk->sk_napi_id = 0;
1063 +diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
1064 +index 50ed47559bb7..34d20a2a5cbd 100644
1065 +--- a/net/ieee802154/6lowpan/tx.c
1066 ++++ b/net/ieee802154/6lowpan/tx.c
1067 +@@ -48,6 +48,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev,
1068 + const struct ipv6hdr *hdr = ipv6_hdr(skb);
1069 + struct neighbour *n;
1070 +
1071 ++ if (!daddr)
1072 ++ return -EINVAL;
1073 ++
1074 + /* TODO:
1075 + * if this package isn't ipv6 one, where should it be routed?
1076 + */
1077 +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
1078 +index 80e48f40c3a8..496f8d86b503 100644
1079 +--- a/net/ipv4/ip_fragment.c
1080 ++++ b/net/ipv4/ip_fragment.c
1081 +@@ -345,10 +345,10 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
1082 + struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
1083 + struct rb_node **rbn, *parent;
1084 + struct sk_buff *skb1, *prev_tail;
1085 ++ int ihl, end, skb1_run_end;
1086 + struct net_device *dev;
1087 + unsigned int fragsize;
1088 + int flags, offset;
1089 +- int ihl, end;
1090 + int err = -ENOENT;
1091 + u8 ecn;
1092 +
1093 +@@ -418,7 +418,9 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
1094 + * overlapping fragment, the entire datagram (and any constituent
1095 + * fragments) MUST be silently discarded.
1096 + *
1097 +- * We do the same here for IPv4 (and increment an snmp counter).
1098 ++ * We do the same here for IPv4 (and increment an snmp counter) but
1099 ++ * we do not want to drop the whole queue in response to a duplicate
1100 ++ * fragment.
1101 + */
1102 +
1103 + /* Find out where to put this fragment. */
1104 +@@ -442,13 +444,17 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
1105 + do {
1106 + parent = *rbn;
1107 + skb1 = rb_to_skb(parent);
1108 ++ skb1_run_end = skb1->ip_defrag_offset +
1109 ++ FRAG_CB(skb1)->frag_run_len;
1110 + if (end <= skb1->ip_defrag_offset)
1111 + rbn = &parent->rb_left;
1112 +- else if (offset >= skb1->ip_defrag_offset +
1113 +- FRAG_CB(skb1)->frag_run_len)
1114 ++ else if (offset >= skb1_run_end)
1115 + rbn = &parent->rb_right;
1116 +- else /* Found an overlap with skb1. */
1117 +- goto discard_qp;
1118 ++ else if (offset >= skb1->ip_defrag_offset &&
1119 ++ end <= skb1_run_end)
1120 ++ goto err; /* No new data, potential duplicate */
1121 ++ else
1122 ++ goto discard_qp; /* Found an overlap */
1123 + } while (*rbn);
1124 + /* Here we have parent properly set, and rbn pointing to
1125 + * one of its NULL left/right children. Insert skb.
1126 +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
1127 +index 742a3432c3ea..354926e61f06 100644
1128 +--- a/net/ipv4/ipmr.c
1129 ++++ b/net/ipv4/ipmr.c
1130 +@@ -68,6 +68,8 @@
1131 + #include <linux/netconf.h>
1132 + #include <net/nexthop.h>
1133 +
1134 ++#include <linux/nospec.h>
1135 ++
1136 + struct ipmr_rule {
1137 + struct fib_rule common;
1138 + };
1139 +@@ -1562,6 +1564,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
1140 + return -EFAULT;
1141 + if (vr.vifi >= mrt->maxvif)
1142 + return -EINVAL;
1143 ++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
1144 + read_lock(&mrt_lock);
1145 + vif = &mrt->vif_table[vr.vifi];
1146 + if (VIF_EXISTS(mrt, vr.vifi)) {
1147 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1148 +index 9c5afa5153ce..f89516d04150 100644
1149 +--- a/net/ipv6/ip6_tunnel.c
1150 ++++ b/net/ipv6/ip6_tunnel.c
1151 +@@ -907,6 +907,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
1152 + goto drop;
1153 + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
1154 + goto drop;
1155 ++ ipv6h = ipv6_hdr(skb);
1156 + if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
1157 + goto drop;
1158 + if (iptunnel_pull_header(skb, 0, tpi->proto, false))
1159 +diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
1160 +index b283f293ee4a..caad40d6e74d 100644
1161 +--- a/net/ipv6/ip6_udp_tunnel.c
1162 ++++ b/net/ipv6/ip6_udp_tunnel.c
1163 +@@ -15,7 +15,7 @@
1164 + int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
1165 + struct socket **sockp)
1166 + {
1167 +- struct sockaddr_in6 udp6_addr;
1168 ++ struct sockaddr_in6 udp6_addr = {};
1169 + int err;
1170 + struct socket *sock = NULL;
1171 +
1172 +@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
1173 + goto error;
1174 +
1175 + if (cfg->peer_udp_port) {
1176 ++ memset(&udp6_addr, 0, sizeof(udp6_addr));
1177 + udp6_addr.sin6_family = AF_INET6;
1178 + memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
1179 + sizeof(udp6_addr.sin6_addr));
1180 +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
1181 +index 3213921cdfee..c2b2ee71fc6c 100644
1182 +--- a/net/ipv6/ip6_vti.c
1183 ++++ b/net/ipv6/ip6_vti.c
1184 +@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
1185 + return 0;
1186 + }
1187 +
1188 ++ ipv6h = ipv6_hdr(skb);
1189 + if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
1190 + t->dev->stats.rx_dropped++;
1191 + rcu_read_unlock();
1192 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
1193 +index 4b93ad4fe6d8..ad597b4b22a0 100644
1194 +--- a/net/ipv6/ip6mr.c
1195 ++++ b/net/ipv6/ip6mr.c
1196 +@@ -72,6 +72,8 @@ struct mr6_table {
1197 + #endif
1198 + };
1199 +
1200 ++#include <linux/nospec.h>
1201 ++
1202 + struct ip6mr_rule {
1203 + struct fib_rule common;
1204 + };
1205 +@@ -1873,6 +1875,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
1206 + return -EFAULT;
1207 + if (vr.mifi >= mrt->maxvif)
1208 + return -EINVAL;
1209 ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
1210 + read_lock(&mrt_lock);
1211 + vif = &mrt->vif6_table[vr.mifi];
1212 + if (MIF_EXISTS(mrt, vr.mifi)) {
1213 +@@ -1947,6 +1950,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
1214 + return -EFAULT;
1215 + if (vr.mifi >= mrt->maxvif)
1216 + return -EINVAL;
1217 ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
1218 + read_lock(&mrt_lock);
1219 + vif = &mrt->vif6_table[vr.mifi];
1220 + if (MIF_EXISTS(mrt, vr.mifi)) {
1221 +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
1222 +index ed212ffc1d9d..046ae1caecea 100644
1223 +--- a/net/netrom/af_netrom.c
1224 ++++ b/net/netrom/af_netrom.c
1225 +@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
1226 + sk_for_each(s, &nr_list)
1227 + if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
1228 + s->sk_state == TCP_LISTEN) {
1229 +- bh_lock_sock(s);
1230 ++ sock_hold(s);
1231 + goto found;
1232 + }
1233 + s = NULL;
1234 +@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
1235 + struct nr_sock *nr = nr_sk(s);
1236 +
1237 + if (nr->my_index == index && nr->my_id == id) {
1238 +- bh_lock_sock(s);
1239 ++ sock_hold(s);
1240 + goto found;
1241 + }
1242 + }
1243 +@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
1244 +
1245 + if (nr->your_index == index && nr->your_id == id &&
1246 + !ax25cmp(&nr->dest_addr, dest)) {
1247 +- bh_lock_sock(s);
1248 ++ sock_hold(s);
1249 + goto found;
1250 + }
1251 + }
1252 +@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
1253 + if (i != 0 && j != 0) {
1254 + if ((sk=nr_find_socket(i, j)) == NULL)
1255 + break;
1256 +- bh_unlock_sock(sk);
1257 ++ sock_put(sk);
1258 + }
1259 +
1260 + id++;
1261 +@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
1262 + }
1263 +
1264 + if (sk != NULL) {
1265 ++ bh_lock_sock(sk);
1266 + skb_reset_transport_header(skb);
1267 +
1268 + if (frametype == NR_CONNACK && skb->len == 22)
1269 +@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
1270 +
1271 + ret = nr_process_rx_frame(sk, skb);
1272 + bh_unlock_sock(sk);
1273 ++ sock_put(sk);
1274 + return ret;
1275 + }
1276 +
1277 +@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
1278 + (make = nr_make_new(sk)) == NULL) {
1279 + nr_transmit_refusal(skb, 0);
1280 + if (sk)
1281 +- bh_unlock_sock(sk);
1282 ++ sock_put(sk);
1283 + return 0;
1284 + }
1285 +
1286 ++ bh_lock_sock(sk);
1287 ++
1288 + window = skb->data[20];
1289 +
1290 + skb->sk = make;
1291 +@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
1292 + sk->sk_data_ready(sk);
1293 +
1294 + bh_unlock_sock(sk);
1295 ++ sock_put(sk);
1296 +
1297 + nr_insert_socket(make);
1298 +
1299 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
1300 +index 24412e8f4061..a9d0358d4f3b 100644
1301 +--- a/net/packet/af_packet.c
1302 ++++ b/net/packet/af_packet.c
1303 +@@ -2660,8 +2660,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
1304 + sll_addr)))
1305 + goto out;
1306 + proto = saddr->sll_protocol;
1307 +- addr = saddr->sll_addr;
1308 ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
1309 + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
1310 ++ if (addr && dev && saddr->sll_halen < dev->addr_len)
1311 ++ goto out;
1312 + }
1313 +
1314 + err = -ENXIO;
1315 +@@ -2857,8 +2859,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
1316 + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
1317 + goto out;
1318 + proto = saddr->sll_protocol;
1319 +- addr = saddr->sll_addr;
1320 ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
1321 + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
1322 ++ if (addr && dev && saddr->sll_halen < dev->addr_len)
1323 ++ goto out;
1324 + }
1325 +
1326 + err = -ENXIO;
1327 +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
1328 +index f4d5efb1d231..e7866d47934d 100644
1329 +--- a/net/sctp/ipv6.c
1330 ++++ b/net/sctp/ipv6.c
1331 +@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
1332 + if (addr) {
1333 + addr->a.v6.sin6_family = AF_INET6;
1334 + addr->a.v6.sin6_port = 0;
1335 ++ addr->a.v6.sin6_flowinfo = 0;
1336 + addr->a.v6.sin6_addr = ifa->addr;
1337 + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
1338 + addr->valid = 1;
1339 +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
1340 +index 266a30c8b88b..33f599cb0936 100644
1341 +--- a/net/sunrpc/svcsock.c
1342 ++++ b/net/sunrpc/svcsock.c
1343 +@@ -572,7 +572,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
1344 + /* Don't enable netstamp, sunrpc doesn't
1345 + need that much accuracy */
1346 + }
1347 +- svsk->sk_sk->sk_stamp = skb->tstamp;
1348 ++ sock_write_timestamp(svsk->sk_sk, skb->tstamp);
1349 + set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
1350 +
1351 + len = skb->len;
1352 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
1353 +index 9d3f047305ce..57df99ca6347 100644
1354 +--- a/net/tipc/socket.c
1355 ++++ b/net/tipc/socket.c
1356 +@@ -2281,11 +2281,15 @@ void tipc_sk_reinit(struct net *net)
1357 + goto walk_stop;
1358 +
1359 + while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
1360 +- spin_lock_bh(&tsk->sk.sk_lock.slock);
1361 ++ sock_hold(&tsk->sk);
1362 ++ rhashtable_walk_stop(&iter);
1363 ++ lock_sock(&tsk->sk);
1364 + msg = &tsk->phdr;
1365 + msg_set_prevnode(msg, tn->own_addr);
1366 + msg_set_orignode(msg, tn->own_addr);
1367 +- spin_unlock_bh(&tsk->sk.sk_lock.slock);
1368 ++ release_sock(&tsk->sk);
1369 ++ rhashtable_walk_start(&iter);
1370 ++ sock_put(&tsk->sk);
1371 + }
1372 + walk_stop:
1373 + rhashtable_walk_stop(&iter);
1374 +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
1375 +index 107375d80c70..133e72654e77 100644
1376 +--- a/net/tipc/udp_media.c
1377 ++++ b/net/tipc/udp_media.c
1378 +@@ -243,10 +243,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
1379 + }
1380 +
1381 + err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);
1382 +- if (err) {
1383 +- kfree_skb(_skb);
1384 ++ if (err)
1385 + goto out;
1386 +- }
1387 + }
1388 + err = 0;
1389 + out:
1390 +@@ -676,6 +674,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
1391 + if (err)
1392 + goto err;
1393 +
1394 ++ if (remote.proto != local.proto) {
1395 ++ err = -EINVAL;
1396 ++ goto err;
1397 ++ }
1398 ++
1399 + b->bcast_addr.media_id = TIPC_MEDIA_TYPE_UDP;
1400 + b->bcast_addr.broadcast = 1;
1401 + rcu_assign_pointer(b->media_ptr, ub);
1402 +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
1403 +index 4aa391c5c733..008f3424dcbc 100644
1404 +--- a/net/vmw_vsock/vmci_transport.c
1405 ++++ b/net/vmw_vsock/vmci_transport.c
1406 +@@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src,
1407 + false);
1408 + }
1409 +
1410 ++static int
1411 ++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
1412 ++ struct sockaddr_vm *dst,
1413 ++ enum vmci_transport_packet_type type,
1414 ++ u64 size,
1415 ++ u64 mode,
1416 ++ struct vmci_transport_waiting_info *wait,
1417 ++ u16 proto,
1418 ++ struct vmci_handle handle)
1419 ++{
1420 ++ struct vmci_transport_packet *pkt;
1421 ++ int err;
1422 ++
1423 ++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
1424 ++ if (!pkt)
1425 ++ return -ENOMEM;
1426 ++
1427 ++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
1428 ++ mode, wait, proto, handle,
1429 ++ true);
1430 ++ kfree(pkt);
1431 ++
1432 ++ return err;
1433 ++}
1434 ++
1435 + static int
1436 + vmci_transport_send_control_pkt(struct sock *sk,
1437 + enum vmci_transport_packet_type type,
1438 +@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk,
1439 + u16 proto,
1440 + struct vmci_handle handle)
1441 + {
1442 +- struct vmci_transport_packet *pkt;
1443 + struct vsock_sock *vsk;
1444 +- int err;
1445 +
1446 + vsk = vsock_sk(sk);
1447 +
1448 +@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk,
1449 + if (!vsock_addr_bound(&vsk->remote_addr))
1450 + return -EINVAL;
1451 +
1452 +- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
1453 +- if (!pkt)
1454 +- return -ENOMEM;
1455 +-
1456 +- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
1457 +- &vsk->remote_addr, type, size,
1458 +- mode, wait, proto, handle,
1459 +- true);
1460 +- kfree(pkt);
1461 +-
1462 +- return err;
1463 ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
1464 ++ &vsk->remote_addr,
1465 ++ type, size, mode,
1466 ++ wait, proto, handle);
1467 + }
1468 +
1469 + static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
1470 +@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
1471 + static int vmci_transport_send_reset(struct sock *sk,
1472 + struct vmci_transport_packet *pkt)
1473 + {
1474 ++ struct sockaddr_vm *dst_ptr;
1475 ++ struct sockaddr_vm dst;
1476 ++ struct vsock_sock *vsk;
1477 ++
1478 + if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
1479 + return 0;
1480 +- return vmci_transport_send_control_pkt(sk,
1481 +- VMCI_TRANSPORT_PACKET_TYPE_RST,
1482 +- 0, 0, NULL, VSOCK_PROTO_INVALID,
1483 +- VMCI_INVALID_HANDLE);
1484 ++
1485 ++ vsk = vsock_sk(sk);
1486 ++
1487 ++ if (!vsock_addr_bound(&vsk->local_addr))
1488 ++ return -EINVAL;
1489 ++
1490 ++ if (vsock_addr_bound(&vsk->remote_addr)) {
1491 ++ dst_ptr = &vsk->remote_addr;
1492 ++ } else {
1493 ++ vsock_addr_init(&dst, pkt->dg.src.context,
1494 ++ pkt->src_port);
1495 ++ dst_ptr = &dst;
1496 ++ }
1497 ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
1498 ++ VMCI_TRANSPORT_PACKET_TYPE_RST,
1499 ++ 0, 0, NULL, VSOCK_PROTO_INVALID,
1500 ++ VMCI_INVALID_HANDLE);
1501 + }
1502 +
1503 + static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
1504 +diff --git a/sound/core/pcm.c b/sound/core/pcm.c
1505 +index 6bda8f6c5f84..cdff5f976480 100644
1506 +--- a/sound/core/pcm.c
1507 ++++ b/sound/core/pcm.c
1508 +@@ -25,6 +25,7 @@
1509 + #include <linux/time.h>
1510 + #include <linux/mutex.h>
1511 + #include <linux/device.h>
1512 ++#include <linux/nospec.h>
1513 + #include <sound/core.h>
1514 + #include <sound/minors.h>
1515 + #include <sound/pcm.h>
1516 +@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
1517 + return -EFAULT;
1518 + if (stream < 0 || stream > 1)
1519 + return -EINVAL;
1520 ++ stream = array_index_nospec(stream, 2);
1521 + if (get_user(subdevice, &info->subdevice))
1522 + return -EFAULT;
1523 + mutex_lock(&register_mutex);
1524 +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
1525 +index 50b216fc369f..5d422d65e62b 100644
1526 +--- a/sound/pci/emu10k1/emufx.c
1527 ++++ b/sound/pci/emu10k1/emufx.c
1528 +@@ -36,6 +36,7 @@
1529 + #include <linux/init.h>
1530 + #include <linux/mutex.h>
1531 + #include <linux/moduleparam.h>
1532 ++#include <linux/nospec.h>
1533 +
1534 + #include <sound/core.h>
1535 + #include <sound/tlv.h>
1536 +@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu,
1537 +
1538 + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
1539 + return -EINVAL;
1540 ++ ipcm->substream = array_index_nospec(ipcm->substream,
1541 ++ EMU10K1_FX8010_PCM_COUNT);
1542 + if (ipcm->channels > 32)
1543 + return -EINVAL;
1544 + pcm = &emu->fx8010.pcm[ipcm->substream];
1545 +@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu,
1546 +
1547 + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
1548 + return -EINVAL;
1549 ++ ipcm->substream = array_index_nospec(ipcm->substream,
1550 ++ EMU10K1_FX8010_PCM_COUNT);
1551 + pcm = &emu->fx8010.pcm[ipcm->substream];
1552 + mutex_lock(&emu->fx8010.lock);
1553 + spin_lock_irq(&emu->reg_lock);
1554 +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
1555 +index 0621920f7617..e85fb04ec7be 100644
1556 +--- a/sound/pci/hda/hda_tegra.c
1557 ++++ b/sound/pci/hda/hda_tegra.c
1558 +@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev)
1559 + struct snd_card *card = dev_get_drvdata(dev);
1560 + struct azx *chip = card->private_data;
1561 + struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
1562 ++ struct hdac_bus *bus = azx_bus(chip);
1563 +
1564 + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
1565 +
1566 + azx_stop_chip(chip);
1567 ++ synchronize_irq(bus->irq);
1568 + azx_enter_link_reset(chip);
1569 + hda_tegra_disable_clocks(hda);
1570 +
1571 +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
1572 +index d392e867e9ab..ba9cd75e4c98 100644
1573 +--- a/sound/pci/hda/patch_conexant.c
1574 ++++ b/sound/pci/hda/patch_conexant.c
1575 +@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
1576 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
1577 + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
1578 + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
1579 ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
1580 + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
1581 + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
1582 + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
1583 +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
1584 +index b94fc6357139..b044dea3c815 100644
1585 +--- a/sound/pci/rme9652/hdsp.c
1586 ++++ b/sound/pci/rme9652/hdsp.c
1587 +@@ -30,6 +30,7 @@
1588 + #include <linux/math64.h>
1589 + #include <linux/vmalloc.h>
1590 + #include <linux/io.h>
1591 ++#include <linux/nospec.h>
1592 +
1593 + #include <sound/core.h>
1594 + #include <sound/control.h>
1595 +@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
1596 + struct snd_pcm_channel_info *info)
1597 + {
1598 + struct hdsp *hdsp = snd_pcm_substream_chip(substream);
1599 +- int mapped_channel;
1600 ++ unsigned int channel = info->channel;
1601 +
1602 +- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
1603 ++ if (snd_BUG_ON(channel >= hdsp->max_channels))
1604 + return -EINVAL;
1605 ++ channel = array_index_nospec(channel, hdsp->max_channels);
1606 +
1607 +- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
1608 ++ if (hdsp->channel_map[channel] < 0)
1609 + return -EINVAL;
1610 +
1611 +- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
1612 ++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
1613 + info->first = 0;
1614 + info->step = 32;
1615 + return 0;
1616 +diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
1617 +index e557946718a9..d9fcae071b47 100644
1618 +--- a/sound/synth/emux/emux_hwdep.c
1619 ++++ b/sound/synth/emux/emux_hwdep.c
1620 +@@ -22,9 +22,9 @@
1621 + #include <sound/core.h>
1622 + #include <sound/hwdep.h>
1623 + #include <linux/uaccess.h>
1624 ++#include <linux/nospec.h>
1625 + #include "emux_voice.h"
1626 +
1627 +-
1628 + #define TMP_CLIENT_ID 0x1001
1629 +
1630 + /*
1631 +@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
1632 + return -EFAULT;
1633 + if (info.mode < 0 || info.mode >= EMUX_MD_END)
1634 + return -EINVAL;
1635 ++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
1636 +
1637 + if (info.port < 0) {
1638 + for (i = 0; i < emu->num_ports; i++)
1639 + emu->portptrs[i]->ctrls[info.mode] = info.value;
1640 + } else {
1641 +- if (info.port < emu->num_ports)
1642 ++ if (info.port < emu->num_ports) {
1643 ++ info.port = array_index_nospec(info.port, emu->num_ports);
1644 + emu->portptrs[info.port]->ctrls[info.mode] = info.value;
1645 ++ }
1646 + }
1647 + return 0;
1648 + }
1649 +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
1650 +index 0f84371d4d6b..c86c1d5ea65c 100644
1651 +--- a/tools/perf/util/pmu.c
1652 ++++ b/tools/perf/util/pmu.c
1653 +@@ -103,7 +103,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
1654 + char path[PATH_MAX];
1655 + char *lc;
1656 +
1657 +- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
1658 ++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
1659 +
1660 + fd = open(path, O_RDONLY);
1661 + if (fd == -1)
1662 +@@ -163,7 +163,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n
1663 + ssize_t sret;
1664 + int fd;
1665 +
1666 +- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
1667 ++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
1668 +
1669 + fd = open(path, O_RDONLY);
1670 + if (fd == -1)
1671 +@@ -193,7 +193,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name)
1672 + char path[PATH_MAX];
1673 + int fd;
1674 +
1675 +- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
1676 ++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
1677 +
1678 + fd = open(path, O_RDONLY);
1679 + if (fd == -1)
1680 +@@ -211,7 +211,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias,
1681 + char path[PATH_MAX];
1682 + int fd;
1683 +
1684 +- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
1685 ++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
1686 +
1687 + fd = open(path, O_RDONLY);
1688 + if (fd == -1)
Report Message
Find on MARC Find on Google Groups