Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Wed, 23 Jan 2019 11:29:24
Message-Id: 1548242927.9c74cda091aec4d4602305f0d541cb3f77a8e723.mpagano@gentoo
1 commit: 9c74cda091aec4d4602305f0d541cb3f77a8e723
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 23 11:28:47 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 23 11:28:47 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9c74cda0
7
8 proj/linux-patches: Linux patch 4.9.152
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1151_linux-4.9.152.patch | 1581 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1585 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 93d0884..da300b6 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -647,6 +647,10 @@ Patch: 1150_linux-4.9.151.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.151
23
24 +Patch: 1151_linux-4.9.152.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.152
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1151_linux-4.9.152.patch b/1151_linux-4.9.152.patch
33 new file mode 100644
34 index 0000000..33a8d7e
35 --- /dev/null
36 +++ b/1151_linux-4.9.152.patch
37 @@ -0,0 +1,1581 @@
38 +diff --git a/Makefile b/Makefile
39 +index f1aeb98f9ace..27a9292fc0ed 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 151
46 ++SUBLEVEL = 152
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
51 +index 68dedca5a47e..a11c8c2915c9 100644
52 +--- a/arch/arm64/include/asm/kvm_arm.h
53 ++++ b/arch/arm64/include/asm/kvm_arm.h
54 +@@ -23,6 +23,8 @@
55 + #include <asm/types.h>
56 +
57 + /* Hyp Configuration Register (HCR) bits */
58 ++#define HCR_API (UL(1) << 41)
59 ++#define HCR_APK (UL(1) << 40)
60 + #define HCR_E2H (UL(1) << 34)
61 + #define HCR_ID (UL(1) << 33)
62 + #define HCR_CD (UL(1) << 32)
63 +@@ -82,6 +84,7 @@
64 + HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW)
65 + #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF)
66 + #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO)
67 ++#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK)
68 + #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
69 +
70 + /* TCR_EL2 Registers bits */
71 +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
72 +index fa52817d84c5..3289d1458791 100644
73 +--- a/arch/arm64/kernel/head.S
74 ++++ b/arch/arm64/kernel/head.S
75 +@@ -517,10 +517,9 @@ CPU_LE( bic x0, x0, #(3 << 24) ) // Clear the EE and E0E bits for EL1
76 + #endif
77 +
78 + /* Hyp configuration. */
79 +- mov x0, #HCR_RW // 64-bit EL1
80 ++ mov_q x0, HCR_HOST_NVHE_FLAGS
81 + cbz x2, set_hcr
82 +- orr x0, x0, #HCR_TGE // Enable Host Extensions
83 +- orr x0, x0, #HCR_E2H
84 ++ mov_q x0, HCR_HOST_VHE_FLAGS
85 + set_hcr:
86 + msr hcr_el2, x0
87 + isb
88 +diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c
89 +index d7e90d97f5c4..2a21318fed1d 100644
90 +--- a/arch/arm64/kernel/kaslr.c
91 ++++ b/arch/arm64/kernel/kaslr.c
92 +@@ -14,6 +14,7 @@
93 + #include <linux/sched.h>
94 + #include <linux/types.h>
95 +
96 ++#include <asm/cacheflush.h>
97 + #include <asm/fixmap.h>
98 + #include <asm/kernel-pgtable.h>
99 + #include <asm/memory.h>
100 +@@ -43,7 +44,7 @@ static __init u64 get_kaslr_seed(void *fdt)
101 + return ret;
102 + }
103 +
104 +-static __init const u8 *get_cmdline(void *fdt)
105 ++static __init const u8 *kaslr_get_cmdline(void *fdt)
106 + {
107 + static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE;
108 +
109 +@@ -109,7 +110,7 @@ u64 __init kaslr_early_init(u64 dt_phys, u64 modulo_offset)
110 + * Check if 'nokaslr' appears on the command line, and
111 + * return 0 if that is the case.
112 + */
113 +- cmdline = get_cmdline(fdt);
114 ++ cmdline = kaslr_get_cmdline(fdt);
115 + str = strstr(cmdline, "nokaslr");
116 + if (str == cmdline || (str > cmdline && *(str - 1) == ' '))
117 + return 0;
118 +@@ -178,5 +179,8 @@ u64 __init kaslr_early_init(u64 dt_phys, u64 modulo_offset)
119 + module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21;
120 + module_alloc_base &= PAGE_MASK;
121 +
122 ++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base));
123 ++ __flush_dcache_area(&memstart_offset_seed, sizeof(memstart_offset_seed));
124 ++
125 + return offset;
126 + }
127 +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c
128 +index 12f9d1ecdf4c..115b0955715f 100644
129 +--- a/arch/arm64/kvm/hyp/switch.c
130 ++++ b/arch/arm64/kvm/hyp/switch.c
131 +@@ -112,7 +112,7 @@ static void __hyp_text __deactivate_traps_vhe(void)
132 +
133 + static void __hyp_text __deactivate_traps_nvhe(void)
134 + {
135 +- write_sysreg(HCR_RW, hcr_el2);
136 ++ write_sysreg(HCR_HOST_NVHE_FLAGS, hcr_el2);
137 + write_sysreg(CPTR_EL2_DEFAULT, cptr_el2);
138 + }
139 +
140 +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
141 +index 34fbbf8fdeaa..1d987061d1a1 100644
142 +--- a/arch/mips/Kconfig
143 ++++ b/arch/mips/Kconfig
144 +@@ -3135,6 +3135,7 @@ config MIPS32_O32
145 + config MIPS32_N32
146 + bool "Kernel support for n32 binaries"
147 + depends on 64BIT
148 ++ select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
149 + select COMPAT
150 + select MIPS32_COMPAT
151 + select SYSVIPC_COMPAT if SYSVIPC
152 +diff --git a/arch/mips/pci/msi-octeon.c b/arch/mips/pci/msi-octeon.c
153 +index 2a5bb849b10e..288b58b00dc8 100644
154 +--- a/arch/mips/pci/msi-octeon.c
155 ++++ b/arch/mips/pci/msi-octeon.c
156 +@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void)
157 + int irq;
158 + struct irq_chip *msi;
159 +
160 +- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
161 ++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) {
162 ++ return 0;
163 ++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
164 + msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0;
165 + msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1;
166 + msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2;
167 +diff --git a/crypto/authenc.c b/crypto/authenc.c
168 +index c3180eb6d1ee..6bfec690ca5b 100644
169 +--- a/crypto/authenc.c
170 ++++ b/crypto/authenc.c
171 +@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
172 + return -EINVAL;
173 + if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
174 + return -EINVAL;
175 +- if (RTA_PAYLOAD(rta) < sizeof(*param))
176 ++
177 ++ /*
178 ++ * RTA_OK() didn't align the rtattr's payload when validating that it
179 ++ * fits in the buffer. Yet, the keys should start on the next 4-byte
180 ++ * aligned boundary. To avoid confusion, require that the rtattr
181 ++ * payload be exactly the param struct, which has a 4-byte aligned size.
182 ++ */
183 ++ if (RTA_PAYLOAD(rta) != sizeof(*param))
184 + return -EINVAL;
185 ++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
186 +
187 + param = RTA_DATA(rta);
188 + keys->enckeylen = be32_to_cpu(param->enckeylen);
189 +
190 +- key += RTA_ALIGN(rta->rta_len);
191 +- keylen -= RTA_ALIGN(rta->rta_len);
192 ++ key += rta->rta_len;
193 ++ keylen -= rta->rta_len;
194 +
195 + if (keylen < keys->enckeylen)
196 + return -EINVAL;
197 +diff --git a/crypto/authencesn.c b/crypto/authencesn.c
198 +index 49e7e85a23d5..73b12f128ae5 100644
199 +--- a/crypto/authencesn.c
200 ++++ b/crypto/authencesn.c
201 +@@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
202 + struct aead_request *req = areq->data;
203 +
204 + err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
205 +- aead_request_complete(req, err);
206 ++ authenc_esn_request_complete(req, err);
207 + }
208 +
209 + static int crypto_authenc_esn_decrypt(struct aead_request *req)
210 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
211 +index 9f840d9fdfcb..344f34746c10 100644
212 +--- a/drivers/block/loop.c
213 ++++ b/drivers/block/loop.c
214 +@@ -81,7 +81,7 @@
215 + #include <asm/uaccess.h>
216 +
217 + static DEFINE_IDR(loop_index_idr);
218 +-static DEFINE_MUTEX(loop_index_mutex);
219 ++static DEFINE_MUTEX(loop_ctl_mutex);
220 +
221 + static int max_part;
222 + static int part_shift;
223 +@@ -1033,7 +1033,7 @@ static int loop_clr_fd(struct loop_device *lo)
224 + */
225 + if (atomic_read(&lo->lo_refcnt) > 1) {
226 + lo->lo_flags |= LO_FLAGS_AUTOCLEAR;
227 +- mutex_unlock(&lo->lo_ctl_mutex);
228 ++ mutex_unlock(&loop_ctl_mutex);
229 + return 0;
230 + }
231 +
232 +@@ -1082,12 +1082,12 @@ static int loop_clr_fd(struct loop_device *lo)
233 + if (!part_shift)
234 + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN;
235 + loop_unprepare_queue(lo);
236 +- mutex_unlock(&lo->lo_ctl_mutex);
237 ++ mutex_unlock(&loop_ctl_mutex);
238 + /*
239 +- * Need not hold lo_ctl_mutex to fput backing file.
240 +- * Calling fput holding lo_ctl_mutex triggers a circular
241 ++ * Need not hold loop_ctl_mutex to fput backing file.
242 ++ * Calling fput holding loop_ctl_mutex triggers a circular
243 + * lock dependency possibility warning as fput can take
244 +- * bd_mutex which is usually taken before lo_ctl_mutex.
245 ++ * bd_mutex which is usually taken before loop_ctl_mutex.
246 + */
247 + fput(filp);
248 + return 0;
249 +@@ -1350,7 +1350,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
250 + struct loop_device *lo = bdev->bd_disk->private_data;
251 + int err;
252 +
253 +- mutex_lock_nested(&lo->lo_ctl_mutex, 1);
254 ++ mutex_lock_nested(&loop_ctl_mutex, 1);
255 + switch (cmd) {
256 + case LOOP_SET_FD:
257 + err = loop_set_fd(lo, mode, bdev, arg);
258 +@@ -1359,7 +1359,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
259 + err = loop_change_fd(lo, bdev, arg);
260 + break;
261 + case LOOP_CLR_FD:
262 +- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */
263 ++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */
264 + err = loop_clr_fd(lo);
265 + if (!err)
266 + goto out_unlocked;
267 +@@ -1395,7 +1395,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
268 + default:
269 + err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL;
270 + }
271 +- mutex_unlock(&lo->lo_ctl_mutex);
272 ++ mutex_unlock(&loop_ctl_mutex);
273 +
274 + out_unlocked:
275 + return err;
276 +@@ -1528,16 +1528,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode,
277 +
278 + switch(cmd) {
279 + case LOOP_SET_STATUS:
280 +- mutex_lock(&lo->lo_ctl_mutex);
281 ++ mutex_lock(&loop_ctl_mutex);
282 + err = loop_set_status_compat(
283 + lo, (const struct compat_loop_info __user *) arg);
284 +- mutex_unlock(&lo->lo_ctl_mutex);
285 ++ mutex_unlock(&loop_ctl_mutex);
286 + break;
287 + case LOOP_GET_STATUS:
288 +- mutex_lock(&lo->lo_ctl_mutex);
289 ++ mutex_lock(&loop_ctl_mutex);
290 + err = loop_get_status_compat(
291 + lo, (struct compat_loop_info __user *) arg);
292 +- mutex_unlock(&lo->lo_ctl_mutex);
293 ++ mutex_unlock(&loop_ctl_mutex);
294 + break;
295 + case LOOP_SET_CAPACITY:
296 + case LOOP_CLR_FD:
297 +@@ -1559,9 +1559,11 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode,
298 + static int lo_open(struct block_device *bdev, fmode_t mode)
299 + {
300 + struct loop_device *lo;
301 +- int err = 0;
302 ++ int err;
303 +
304 +- mutex_lock(&loop_index_mutex);
305 ++ err = mutex_lock_killable(&loop_ctl_mutex);
306 ++ if (err)
307 ++ return err;
308 + lo = bdev->bd_disk->private_data;
309 + if (!lo) {
310 + err = -ENXIO;
311 +@@ -1570,18 +1572,20 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
312 +
313 + atomic_inc(&lo->lo_refcnt);
314 + out:
315 +- mutex_unlock(&loop_index_mutex);
316 ++ mutex_unlock(&loop_ctl_mutex);
317 + return err;
318 + }
319 +
320 +-static void __lo_release(struct loop_device *lo)
321 ++static void lo_release(struct gendisk *disk, fmode_t mode)
322 + {
323 ++ struct loop_device *lo;
324 + int err;
325 +
326 ++ mutex_lock(&loop_ctl_mutex);
327 ++ lo = disk->private_data;
328 + if (atomic_dec_return(&lo->lo_refcnt))
329 +- return;
330 ++ goto out_unlock;
331 +
332 +- mutex_lock(&lo->lo_ctl_mutex);
333 + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) {
334 + /*
335 + * In autoclear mode, stop the loop thread
336 +@@ -1598,14 +1602,8 @@ static void __lo_release(struct loop_device *lo)
337 + loop_flush(lo);
338 + }
339 +
340 +- mutex_unlock(&lo->lo_ctl_mutex);
341 +-}
342 +-
343 +-static void lo_release(struct gendisk *disk, fmode_t mode)
344 +-{
345 +- mutex_lock(&loop_index_mutex);
346 +- __lo_release(disk->private_data);
347 +- mutex_unlock(&loop_index_mutex);
348 ++out_unlock:
349 ++ mutex_unlock(&loop_ctl_mutex);
350 + }
351 +
352 + static const struct block_device_operations lo_fops = {
353 +@@ -1644,10 +1642,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data)
354 + struct loop_device *lo = ptr;
355 + struct loop_func_table *xfer = data;
356 +
357 +- mutex_lock(&lo->lo_ctl_mutex);
358 ++ mutex_lock(&loop_ctl_mutex);
359 + if (lo->lo_encryption == xfer)
360 + loop_release_xfer(lo);
361 +- mutex_unlock(&lo->lo_ctl_mutex);
362 ++ mutex_unlock(&loop_ctl_mutex);
363 + return 0;
364 + }
365 +
366 +@@ -1813,7 +1811,6 @@ static int loop_add(struct loop_device **l, int i)
367 + if (!part_shift)
368 + disk->flags |= GENHD_FL_NO_PART_SCAN;
369 + disk->flags |= GENHD_FL_EXT_DEVT;
370 +- mutex_init(&lo->lo_ctl_mutex);
371 + atomic_set(&lo->lo_refcnt, 0);
372 + lo->lo_number = i;
373 + spin_lock_init(&lo->lo_lock);
374 +@@ -1892,7 +1889,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
375 + struct kobject *kobj;
376 + int err;
377 +
378 +- mutex_lock(&loop_index_mutex);
379 ++ mutex_lock(&loop_ctl_mutex);
380 + err = loop_lookup(&lo, MINOR(dev) >> part_shift);
381 + if (err < 0)
382 + err = loop_add(&lo, MINOR(dev) >> part_shift);
383 +@@ -1900,7 +1897,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
384 + kobj = NULL;
385 + else
386 + kobj = get_disk(lo->lo_disk);
387 +- mutex_unlock(&loop_index_mutex);
388 ++ mutex_unlock(&loop_ctl_mutex);
389 +
390 + *part = 0;
391 + return kobj;
392 +@@ -1910,9 +1907,13 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
393 + unsigned long parm)
394 + {
395 + struct loop_device *lo;
396 +- int ret = -ENOSYS;
397 ++ int ret;
398 ++
399 ++ ret = mutex_lock_killable(&loop_ctl_mutex);
400 ++ if (ret)
401 ++ return ret;
402 +
403 +- mutex_lock(&loop_index_mutex);
404 ++ ret = -ENOSYS;
405 + switch (cmd) {
406 + case LOOP_CTL_ADD:
407 + ret = loop_lookup(&lo, parm);
408 +@@ -1926,19 +1927,15 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
409 + ret = loop_lookup(&lo, parm);
410 + if (ret < 0)
411 + break;
412 +- mutex_lock(&lo->lo_ctl_mutex);
413 + if (lo->lo_state != Lo_unbound) {
414 + ret = -EBUSY;
415 +- mutex_unlock(&lo->lo_ctl_mutex);
416 + break;
417 + }
418 + if (atomic_read(&lo->lo_refcnt) > 0) {
419 + ret = -EBUSY;
420 +- mutex_unlock(&lo->lo_ctl_mutex);
421 + break;
422 + }
423 + lo->lo_disk->private_data = NULL;
424 +- mutex_unlock(&lo->lo_ctl_mutex);
425 + idr_remove(&loop_index_idr, lo->lo_number);
426 + loop_remove(lo);
427 + break;
428 +@@ -1948,7 +1945,7 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd,
429 + break;
430 + ret = loop_add(&lo, -1);
431 + }
432 +- mutex_unlock(&loop_index_mutex);
433 ++ mutex_unlock(&loop_ctl_mutex);
434 +
435 + return ret;
436 + }
437 +@@ -2031,10 +2028,10 @@ static int __init loop_init(void)
438 + THIS_MODULE, loop_probe, NULL, NULL);
439 +
440 + /* pre-create number of devices given by config or max_loop */
441 +- mutex_lock(&loop_index_mutex);
442 ++ mutex_lock(&loop_ctl_mutex);
443 + for (i = 0; i < nr; i++)
444 + loop_add(&lo, i);
445 +- mutex_unlock(&loop_index_mutex);
446 ++ mutex_unlock(&loop_ctl_mutex);
447 +
448 + printk(KERN_INFO "loop: module loaded\n");
449 + return 0;
450 +diff --git a/drivers/block/loop.h b/drivers/block/loop.h
451 +index 60f0fd2c0c65..a923e74495ce 100644
452 +--- a/drivers/block/loop.h
453 ++++ b/drivers/block/loop.h
454 +@@ -55,7 +55,6 @@ struct loop_device {
455 +
456 + spinlock_t lo_lock;
457 + int lo_state;
458 +- struct mutex lo_ctl_mutex;
459 + struct kthread_worker worker;
460 + struct task_struct *worker_task;
461 + bool use_dio;
462 +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
463 +index 42a53956aefe..394f8ec83cf0 100644
464 +--- a/drivers/block/nbd.c
465 ++++ b/drivers/block/nbd.c
466 +@@ -108,7 +108,7 @@ static const char *nbdcmd_to_ascii(int cmd)
467 +
468 + static int nbd_size_clear(struct nbd_device *nbd, struct block_device *bdev)
469 + {
470 +- bdev->bd_inode->i_size = 0;
471 ++ bd_set_size(bdev, 0);
472 + set_capacity(nbd->disk, 0);
473 + kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE);
474 +
475 +@@ -117,29 +117,21 @@ static int nbd_size_clear(struct nbd_device *nbd, struct block_device *bdev)
476 +
477 + static void nbd_size_update(struct nbd_device *nbd, struct block_device *bdev)
478 + {
479 +- if (!nbd_is_connected(nbd))
480 +- return;
481 +-
482 +- bdev->bd_inode->i_size = nbd->bytesize;
483 ++ blk_queue_logical_block_size(nbd->disk->queue, nbd->blksize);
484 ++ blk_queue_physical_block_size(nbd->disk->queue, nbd->blksize);
485 ++ bd_set_size(bdev, nbd->bytesize);
486 ++ set_blocksize(bdev, nbd->blksize);
487 + set_capacity(nbd->disk, nbd->bytesize >> 9);
488 + kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE);
489 + }
490 +
491 +-static int nbd_size_set(struct nbd_device *nbd, struct block_device *bdev,
492 ++static void nbd_size_set(struct nbd_device *nbd, struct block_device *bdev,
493 + loff_t blocksize, loff_t nr_blocks)
494 + {
495 +- int ret;
496 +-
497 +- ret = set_blocksize(bdev, blocksize);
498 +- if (ret)
499 +- return ret;
500 +-
501 + nbd->blksize = blocksize;
502 + nbd->bytesize = blocksize * nr_blocks;
503 +-
504 +- nbd_size_update(nbd, bdev);
505 +-
506 +- return 0;
507 ++ if (nbd_is_connected(nbd))
508 ++ nbd_size_update(nbd, bdev);
509 + }
510 +
511 + static void nbd_end_request(struct nbd_cmd *cmd)
512 +@@ -655,16 +647,17 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
513 + case NBD_SET_BLKSIZE: {
514 + loff_t bsize = div_s64(nbd->bytesize, arg);
515 +
516 +- return nbd_size_set(nbd, bdev, arg, bsize);
517 ++ nbd_size_set(nbd, bdev, arg, bsize);
518 ++ return 0;
519 + }
520 +
521 + case NBD_SET_SIZE:
522 +- return nbd_size_set(nbd, bdev, nbd->blksize,
523 +- div_s64(arg, nbd->blksize));
524 +-
525 ++ nbd_size_set(nbd, bdev, nbd->blksize,
526 ++ div_s64(arg, nbd->blksize));
527 ++ return 0;
528 + case NBD_SET_SIZE_BLOCKS:
529 +- return nbd_size_set(nbd, bdev, nbd->blksize, arg);
530 +-
531 ++ nbd_size_set(nbd, bdev, nbd->blksize, arg);
532 ++ return 0;
533 + case NBD_SET_TIMEOUT:
534 + if (arg) {
535 + nbd->tag_set.timeout = arg * HZ;
536 +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
537 +index 631337c2e4a7..9eac4dcb9971 100644
538 +--- a/drivers/crypto/caam/caamhash.c
539 ++++ b/drivers/crypto/caam/caamhash.c
540 +@@ -1232,13 +1232,16 @@ static int ahash_final_no_ctx(struct ahash_request *req)
541 +
542 + desc = edesc->hw_desc;
543 +
544 +- state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE);
545 +- if (dma_mapping_error(jrdev, state->buf_dma)) {
546 +- dev_err(jrdev, "unable to map src\n");
547 +- goto unmap;
548 +- }
549 ++ if (buflen) {
550 ++ state->buf_dma = dma_map_single(jrdev, buf, buflen,
551 ++ DMA_TO_DEVICE);
552 ++ if (dma_mapping_error(jrdev, state->buf_dma)) {
553 ++ dev_err(jrdev, "unable to map src\n");
554 ++ goto unmap;
555 ++ }
556 +
557 +- append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
558 ++ append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
559 ++ }
560 +
561 + edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
562 + digestsize);
563 +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
564 +index 7c71722be395..463033b4db1d 100644
565 +--- a/drivers/crypto/talitos.c
566 ++++ b/drivers/crypto/talitos.c
567 +@@ -1347,23 +1347,18 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
568 + struct talitos_private *priv = dev_get_drvdata(dev);
569 + bool is_sec1 = has_ftr_sec1(priv);
570 + int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN;
571 +- void *err;
572 +
573 + if (cryptlen + authsize > max_len) {
574 + dev_err(dev, "length exceeds h/w max limit\n");
575 + return ERR_PTR(-EINVAL);
576 + }
577 +
578 +- if (ivsize)
579 +- iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
580 +-
581 + if (!dst || dst == src) {
582 + src_len = assoclen + cryptlen + authsize;
583 + src_nents = sg_nents_for_len(src, src_len);
584 + if (src_nents < 0) {
585 + dev_err(dev, "Invalid number of src SG.\n");
586 +- err = ERR_PTR(-EINVAL);
587 +- goto error_sg;
588 ++ return ERR_PTR(-EINVAL);
589 + }
590 + src_nents = (src_nents == 1) ? 0 : src_nents;
591 + dst_nents = dst ? src_nents : 0;
592 +@@ -1373,16 +1368,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
593 + src_nents = sg_nents_for_len(src, src_len);
594 + if (src_nents < 0) {
595 + dev_err(dev, "Invalid number of src SG.\n");
596 +- err = ERR_PTR(-EINVAL);
597 +- goto error_sg;
598 ++ return ERR_PTR(-EINVAL);
599 + }
600 + src_nents = (src_nents == 1) ? 0 : src_nents;
601 + dst_len = assoclen + cryptlen + (encrypt ? authsize : 0);
602 + dst_nents = sg_nents_for_len(dst, dst_len);
603 + if (dst_nents < 0) {
604 + dev_err(dev, "Invalid number of dst SG.\n");
605 +- err = ERR_PTR(-EINVAL);
606 +- goto error_sg;
607 ++ return ERR_PTR(-EINVAL);
608 + }
609 + dst_nents = (dst_nents == 1) ? 0 : dst_nents;
610 + }
611 +@@ -1405,12 +1398,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
612 + dma_len = 0;
613 + alloc_len += icv_stashing ? authsize : 0;
614 + }
615 ++ alloc_len += ivsize;
616 +
617 + edesc = kmalloc(alloc_len, GFP_DMA | flags);
618 +- if (!edesc) {
619 +- dev_err(dev, "could not allocate edescriptor\n");
620 +- err = ERR_PTR(-ENOMEM);
621 +- goto error_sg;
622 ++ if (!edesc)
623 ++ return ERR_PTR(-ENOMEM);
624 ++ if (ivsize) {
625 ++ iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize);
626 ++ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
627 + }
628 +
629 + edesc->src_nents = src_nents;
630 +@@ -1423,10 +1418,6 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
631 + DMA_BIDIRECTIONAL);
632 +
633 + return edesc;
634 +-error_sg:
635 +- if (iv_dma)
636 +- dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE);
637 +- return err;
638 + }
639 +
640 + static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv,
641 +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
642 +index 6a48d6637e5c..2e85e609f125 100644
643 +--- a/drivers/gpu/drm/drm_fb_helper.c
644 ++++ b/drivers/gpu/drm/drm_fb_helper.c
645 +@@ -1238,9 +1238,14 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var,
646 + struct drm_framebuffer *fb = fb_helper->fb;
647 + int depth;
648 +
649 +- if (var->pixclock != 0 || in_dbg_master())
650 ++ if (in_dbg_master())
651 + return -EINVAL;
652 +
653 ++ if (var->pixclock != 0) {
654 ++ DRM_DEBUG("fbdev emulation doesn't support changing the pixel clock, value of pixclock is ignored\n");
655 ++ var->pixclock = 0;
656 ++ }
657 ++
658 + /* Need to resize the fb object !!! */
659 + if (var->bits_per_pixel > fb->bits_per_pixel ||
660 + var->xres > fb->width || var->yres > fb->height ||
661 +diff --git a/drivers/media/platform/vivid/vivid-kthread-cap.c b/drivers/media/platform/vivid/vivid-kthread-cap.c
662 +index 6ca71aabb576..d300e5e7eadc 100644
663 +--- a/drivers/media/platform/vivid/vivid-kthread-cap.c
664 ++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c
665 +@@ -877,8 +877,11 @@ int vivid_start_generating_vid_cap(struct vivid_dev *dev, bool *pstreaming)
666 + "%s-vid-cap", dev->v4l2_dev.name);
667 +
668 + if (IS_ERR(dev->kthread_vid_cap)) {
669 ++ int err = PTR_ERR(dev->kthread_vid_cap);
670 ++
671 ++ dev->kthread_vid_cap = NULL;
672 + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
673 +- return PTR_ERR(dev->kthread_vid_cap);
674 ++ return err;
675 + }
676 + *pstreaming = true;
677 + vivid_grab_controls(dev, true);
678 +diff --git a/drivers/media/platform/vivid/vivid-kthread-out.c b/drivers/media/platform/vivid/vivid-kthread-out.c
679 +index 98eed5889bc1..7c8d75852816 100644
680 +--- a/drivers/media/platform/vivid/vivid-kthread-out.c
681 ++++ b/drivers/media/platform/vivid/vivid-kthread-out.c
682 +@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struct vivid_dev *dev, bool *pstreaming)
683 + "%s-vid-out", dev->v4l2_dev.name);
684 +
685 + if (IS_ERR(dev->kthread_vid_out)) {
686 ++ int err = PTR_ERR(dev->kthread_vid_out);
687 ++
688 ++ dev->kthread_vid_out = NULL;
689 + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
690 +- return PTR_ERR(dev->kthread_vid_out);
691 ++ return err;
692 + }
693 + *pstreaming = true;
694 + vivid_grab_controls(dev, true);
695 +diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c
696 +index fcda3ae4e6b0..f9a810e3f521 100644
697 +--- a/drivers/media/platform/vivid/vivid-vid-common.c
698 ++++ b/drivers/media/platform/vivid/vivid-vid-common.c
699 +@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_dv_timings_cap = {
700 + .type = V4L2_DV_BT_656_1120,
701 + /* keep this initialization for compatibility with GCC < 4.4.6 */
702 + .reserved = { 0 },
703 +- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 14000000, 775000000,
704 ++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 14000000, 775000000,
705 + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
706 + V4L2_DV_BT_STD_CVT | V4L2_DV_BT_STD_GTF,
707 + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED)
708 +diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
709 +index 1ed7ba3dfdbe..ae959e01042a 100644
710 +--- a/drivers/media/usb/em28xx/em28xx-video.c
711 ++++ b/drivers/media/usb/em28xx/em28xx-video.c
712 +@@ -1062,6 +1062,8 @@ int em28xx_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
713 +
714 + em28xx_videodbg("%s\n", __func__);
715 +
716 ++ dev->v4l2->field_count = 0;
717 ++
718 + /* Make sure streaming is not already in progress for this type
719 + of filehandle (e.g. video, vbi) */
720 + rc = res_get(dev, vq->type);
721 +@@ -1290,8 +1292,6 @@ static void em28xx_ctrl_notify(struct v4l2_ctrl *ctrl, void *priv)
722 + {
723 + struct em28xx *dev = priv;
724 +
725 +- dev->v4l2->field_count = 0;
726 +-
727 + /*
728 + * In the case of non-AC97 volume controls, we still need
729 + * to do some setups at em28xx, in order to mute/unmute
730 +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
731 +index 4df4a1f402be..b1a4d4e2341b 100644
732 +--- a/drivers/media/v4l2-core/videobuf2-core.c
733 ++++ b/drivers/media/v4l2-core/videobuf2-core.c
734 +@@ -1916,9 +1916,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
735 + return -EINVAL;
736 + }
737 + }
738 ++
739 ++ mutex_lock(&q->mmap_lock);
740 ++
741 + if (vb2_fileio_is_active(q)) {
742 + dprintk(1, "mmap: file io in progress\n");
743 +- return -EBUSY;
744 ++ ret = -EBUSY;
745 ++ goto unlock;
746 + }
747 +
748 + /*
749 +@@ -1926,7 +1930,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
750 + */
751 + ret = __find_plane_by_offset(q, off, &buffer, &plane);
752 + if (ret)
753 +- return ret;
754 ++ goto unlock;
755 +
756 + vb = q->bufs[buffer];
757 +
758 +@@ -1939,11 +1943,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
759 + if (length < (vma->vm_end - vma->vm_start)) {
760 + dprintk(1,
761 + "MMAP invalid, as it would overflow buffer length\n");
762 +- return -EINVAL;
763 ++ ret = -EINVAL;
764 ++ goto unlock;
765 + }
766 +
767 +- mutex_lock(&q->mmap_lock);
768 + ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
769 ++
770 ++unlock:
771 + mutex_unlock(&q->mmap_lock);
772 + if (ret)
773 + return ret;
774 +diff --git a/drivers/mfd/tps6586x.c b/drivers/mfd/tps6586x.c
775 +index 5628a6b5b19b..c5c320efc7b4 100644
776 +--- a/drivers/mfd/tps6586x.c
777 ++++ b/drivers/mfd/tps6586x.c
778 +@@ -594,6 +594,29 @@ static int tps6586x_i2c_remove(struct i2c_client *client)
779 + return 0;
780 + }
781 +
782 ++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev)
783 ++{
784 ++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
785 ++
786 ++ if (tps6586x->client->irq)
787 ++ disable_irq(tps6586x->client->irq);
788 ++
789 ++ return 0;
790 ++}
791 ++
792 ++static int __maybe_unused tps6586x_i2c_resume(struct device *dev)
793 ++{
794 ++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
795 ++
796 ++ if (tps6586x->client->irq)
797 ++ enable_irq(tps6586x->client->irq);
798 ++
799 ++ return 0;
800 ++}
801 ++
802 ++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend,
803 ++ tps6586x_i2c_resume);
804 ++
805 + static const struct i2c_device_id tps6586x_id_table[] = {
806 + { "tps6586x", 0 },
807 + { },
808 +@@ -604,6 +627,7 @@ static struct i2c_driver tps6586x_driver = {
809 + .driver = {
810 + .name = "tps6586x",
811 + .of_match_table = of_match_ptr(tps6586x_of_match),
812 ++ .pm = &tps6586x_pm_ops,
813 + },
814 + .probe = tps6586x_i2c_probe,
815 + .remove = tps6586x_i2c_remove,
816 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
817 +index 389d1db69a32..24a3433f3944 100644
818 +--- a/drivers/net/bonding/bond_main.c
819 ++++ b/drivers/net/bonding/bond_main.c
820 +@@ -1900,6 +1900,9 @@ static int __bond_release_one(struct net_device *bond_dev,
821 + if (!bond_has_slaves(bond)) {
822 + bond_set_carrier(bond);
823 + eth_hw_addr_random(bond_dev);
824 ++ bond->nest_level = SINGLE_DEPTH_NESTING;
825 ++ } else {
826 ++ bond->nest_level = dev_get_nest_level(bond_dev) + 1;
827 + }
828 +
829 + unblock_netpoll_tx();
830 +diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c
831 +index b44c1bb687a2..ebc193f7f7dd 100644
832 +--- a/drivers/scsi/scsi_pm.c
833 ++++ b/drivers/scsi/scsi_pm.c
834 +@@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct device *dev,
835 +
836 + if (err == 0) {
837 + pm_runtime_disable(dev);
838 +- pm_runtime_set_active(dev);
839 ++ err = pm_runtime_set_active(dev);
840 + pm_runtime_enable(dev);
841 ++
842 ++ /*
843 ++ * Forcibly set runtime PM status of request queue to "active"
844 ++ * to make sure we can again get requests from the queue
845 ++ * (see also blk_pm_peek_request()).
846 ++ *
847 ++ * The resume hook will correct runtime PM status of the disk.
848 ++ */
849 ++ if (!err && scsi_is_sdev_device(dev)) {
850 ++ struct scsi_device *sdev = to_scsi_device(dev);
851 ++
852 ++ if (sdev->request_queue->dev)
853 ++ blk_set_runtime_active(sdev->request_queue);
854 ++ }
855 + }
856 +
857 + return err;
858 +@@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct device *dev,
859 + else
860 + fn = NULL;
861 +
862 +- /*
863 +- * Forcibly set runtime PM status of request queue to "active" to
864 +- * make sure we can again get requests from the queue (see also
865 +- * blk_pm_peek_request()).
866 +- *
867 +- * The resume hook will correct runtime PM status of the disk.
868 +- */
869 +- if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev))
870 +- blk_set_runtime_active(to_scsi_device(dev)->request_queue);
871 +-
872 + if (fn) {
873 + async_schedule_domain(fn, dev, &scsi_sd_pm_domain);
874 +
875 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
876 +index ab999c4444b8..867ae76f93f2 100644
877 +--- a/drivers/scsi/sd.c
878 ++++ b/drivers/scsi/sd.c
879 +@@ -208,6 +208,12 @@ cache_type_store(struct device *dev, struct device_attribute *attr,
880 + sp = buffer_data[0] & 0x80 ? 1 : 0;
881 + buffer_data[0] &= ~0x80;
882 +
883 ++ /*
884 ++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in
885 ++ * received mode parameter buffer before doing MODE SELECT.
886 ++ */
887 ++ data.device_specific = 0;
888 ++
889 + if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
890 + SD_MAX_RETRIES, &data, &sshdr)) {
891 + if (scsi_sense_valid(&sshdr))
892 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
893 +index e6c4321d695c..f61f8650665f 100644
894 +--- a/drivers/tty/tty_io.c
895 ++++ b/drivers/tty/tty_io.c
896 +@@ -1475,7 +1475,8 @@ static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *
897 + static int tty_reopen(struct tty_struct *tty)
898 + {
899 + struct tty_driver *driver = tty->driver;
900 +- int retval;
901 ++ struct tty_ldisc *ld;
902 ++ int retval = 0;
903 +
904 + if (driver->type == TTY_DRIVER_TYPE_PTY &&
905 + driver->subtype == PTY_TYPE_MASTER)
906 +@@ -1487,14 +1488,21 @@ static int tty_reopen(struct tty_struct *tty)
907 + if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
908 + return -EBUSY;
909 +
910 +- tty->count++;
911 ++ ld = tty_ldisc_ref_wait(tty);
912 ++ if (ld) {
913 ++ tty_ldisc_deref(ld);
914 ++ } else {
915 ++ retval = tty_ldisc_lock(tty, 5 * HZ);
916 ++ if (retval)
917 ++ return retval;
918 +
919 +- if (tty->ldisc)
920 +- return 0;
921 ++ if (!tty->ldisc)
922 ++ retval = tty_ldisc_reinit(tty, tty->termios.c_line);
923 ++ tty_ldisc_unlock(tty);
924 ++ }
925 +
926 +- retval = tty_ldisc_reinit(tty, tty->termios.c_line);
927 +- if (retval)
928 +- tty->count--;
929 ++ if (retval == 0)
930 ++ tty->count++;
931 +
932 + return retval;
933 + }
934 +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c
935 +index 1bf8ed13f827..dbd7ba32caac 100644
936 +--- a/drivers/tty/tty_ldsem.c
937 ++++ b/drivers/tty/tty_ldsem.c
938 +@@ -307,6 +307,16 @@ down_write_failed(struct ld_semaphore *sem, long count, long timeout)
939 + if (!locked)
940 + ldsem_atomic_update(-LDSEM_WAIT_BIAS, sem);
941 + list_del(&waiter.list);
942 ++
943 ++ /*
944 ++ * In case of timeout, wake up every reader who gave the right of way
945 ++ * to writer. Prevent separation readers into two groups:
946 ++ * one that helds semaphore and another that sleeps.
947 ++ * (in case of no contention with a writer)
948 ++ */
949 ++ if (!locked && list_empty(&sem->write_wait))
950 ++ __ldsem_wake_readers(sem);
951 ++
952 + raw_spin_unlock_irq(&sem->wait_lock);
953 +
954 + __set_task_state(tsk, TASK_RUNNING);
955 +diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
956 +index a3edb20ea4c3..a846d32ee653 100644
957 +--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
958 ++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
959 +@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg)
960 +
961 + int r = 0;
962 +
963 ++ memset(&p, 0, sizeof(p));
964 ++
965 + switch (cmd) {
966 + case OMAPFB_SYNC_GFX:
967 + DBG("ioctl SYNC_GFX\n");
968 +diff --git a/fs/block_dev.c b/fs/block_dev.c
969 +index cb936c90ae82..8a894cd4875b 100644
970 +--- a/fs/block_dev.c
971 ++++ b/fs/block_dev.c
972 +@@ -114,6 +114,20 @@ void invalidate_bdev(struct block_device *bdev)
973 + }
974 + EXPORT_SYMBOL(invalidate_bdev);
975 +
976 ++static void set_init_blocksize(struct block_device *bdev)
977 ++{
978 ++ unsigned bsize = bdev_logical_block_size(bdev);
979 ++ loff_t size = i_size_read(bdev->bd_inode);
980 ++
981 ++ while (bsize < PAGE_SIZE) {
982 ++ if (size & bsize)
983 ++ break;
984 ++ bsize <<= 1;
985 ++ }
986 ++ bdev->bd_block_size = bsize;
987 ++ bdev->bd_inode->i_blkbits = blksize_bits(bsize);
988 ++}
989 ++
990 + int set_blocksize(struct block_device *bdev, int size)
991 + {
992 + /* Size must be a power of two, and between 512 and PAGE_SIZE */
993 +@@ -1209,18 +1223,9 @@ EXPORT_SYMBOL(check_disk_change);
994 +
995 + void bd_set_size(struct block_device *bdev, loff_t size)
996 + {
997 +- unsigned bsize = bdev_logical_block_size(bdev);
998 +-
999 + inode_lock(bdev->bd_inode);
1000 + i_size_write(bdev->bd_inode, size);
1001 + inode_unlock(bdev->bd_inode);
1002 +- while (bsize < PAGE_SIZE) {
1003 +- if (size & bsize)
1004 +- break;
1005 +- bsize <<= 1;
1006 +- }
1007 +- bdev->bd_block_size = bsize;
1008 +- bdev->bd_inode->i_blkbits = blksize_bits(bsize);
1009 + }
1010 + EXPORT_SYMBOL(bd_set_size);
1011 +
1012 +@@ -1297,8 +1302,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
1013 + }
1014 + }
1015 +
1016 +- if (!ret)
1017 ++ if (!ret) {
1018 + bd_set_size(bdev,(loff_t)get_capacity(disk)<<9);
1019 ++ set_init_blocksize(bdev);
1020 ++ }
1021 +
1022 + /*
1023 + * If the device is invalidated, rescan partition
1024 +@@ -1333,6 +1340,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
1025 + goto out_clear;
1026 + }
1027 + bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9);
1028 ++ set_init_blocksize(bdev);
1029 + }
1030 + } else {
1031 + if (bdev->bd_contains == bdev) {
1032 +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
1033 +index 77b32415d9f2..9d3352fe8dc9 100644
1034 +--- a/fs/btrfs/disk-io.c
1035 ++++ b/fs/btrfs/disk-io.c
1036 +@@ -4193,6 +4193,14 @@ static void btrfs_destroy_all_ordered_extents(struct btrfs_fs_info *fs_info)
1037 + spin_lock(&fs_info->ordered_root_lock);
1038 + }
1039 + spin_unlock(&fs_info->ordered_root_lock);
1040 ++
1041 ++ /*
1042 ++ * We need this here because if we've been flipped read-only we won't
1043 ++ * get sync() from the umount, so we need to make sure any ordered
1044 ++ * extents that haven't had their dirty pages IO start writeout yet
1045 ++ * actually get run and error out properly.
1046 ++ */
1047 ++ btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);
1048 + }
1049 +
1050 + static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
1051 +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
1052 +index ab4cbb4be423..e59eeaf02eaa 100644
1053 +--- a/fs/f2fs/recovery.c
1054 ++++ b/fs/f2fs/recovery.c
1055 +@@ -196,32 +196,6 @@ static void recover_inode(struct inode *inode, struct page *page)
1056 + ino_of_node(page), name);
1057 + }
1058 +
1059 +-static bool is_same_inode(struct inode *inode, struct page *ipage)
1060 +-{
1061 +- struct f2fs_inode *ri = F2FS_INODE(ipage);
1062 +- struct timespec disk;
1063 +-
1064 +- if (!IS_INODE(ipage))
1065 +- return true;
1066 +-
1067 +- disk.tv_sec = le64_to_cpu(ri->i_ctime);
1068 +- disk.tv_nsec = le32_to_cpu(ri->i_ctime_nsec);
1069 +- if (timespec_compare(&inode->i_ctime, &disk) > 0)
1070 +- return false;
1071 +-
1072 +- disk.tv_sec = le64_to_cpu(ri->i_atime);
1073 +- disk.tv_nsec = le32_to_cpu(ri->i_atime_nsec);
1074 +- if (timespec_compare(&inode->i_atime, &disk) > 0)
1075 +- return false;
1076 +-
1077 +- disk.tv_sec = le64_to_cpu(ri->i_mtime);
1078 +- disk.tv_nsec = le32_to_cpu(ri->i_mtime_nsec);
1079 +- if (timespec_compare(&inode->i_mtime, &disk) > 0)
1080 +- return false;
1081 +-
1082 +- return true;
1083 +-}
1084 +-
1085 + static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head)
1086 + {
1087 + struct curseg_info *curseg;
1088 +@@ -248,10 +222,7 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head)
1089 + goto next;
1090 +
1091 + entry = get_fsync_inode(head, ino_of_node(page));
1092 +- if (entry) {
1093 +- if (!is_same_inode(entry->inode, page))
1094 +- goto next;
1095 +- } else {
1096 ++ if (!entry) {
1097 + if (IS_INODE(page) && is_dent_dnode(page)) {
1098 + err = recover_inode_page(sbi, page);
1099 + if (err)
1100 +diff --git a/fs/proc/array.c b/fs/proc/array.c
1101 +index 94f83e74db24..712b44c63701 100644
1102 +--- a/fs/proc/array.c
1103 ++++ b/fs/proc/array.c
1104 +@@ -346,8 +346,9 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
1105 + {
1106 + #ifdef CONFIG_SECCOMP
1107 + seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode);
1108 ++ seq_putc(m, '\n');
1109 + #endif
1110 +- seq_printf(m, "\nSpeculation_Store_Bypass:\t");
1111 ++ seq_printf(m, "Speculation_Store_Bypass:\t");
1112 + switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
1113 + case -EINVAL:
1114 + seq_printf(m, "unknown");
1115 +diff --git a/mm/memory.c b/mm/memory.c
1116 +index f3fef1df7402..35d8217bb046 100644
1117 +--- a/mm/memory.c
1118 ++++ b/mm/memory.c
1119 +@@ -2823,6 +2823,28 @@ static int __do_fault(struct fault_env *fe, pgoff_t pgoff,
1120 + struct vm_fault vmf;
1121 + int ret;
1122 +
1123 ++ /*
1124 ++ * Preallocate pte before we take page_lock because this might lead to
1125 ++ * deadlocks for memcg reclaim which waits for pages under writeback:
1126 ++ * lock_page(A)
1127 ++ * SetPageWriteback(A)
1128 ++ * unlock_page(A)
1129 ++ * lock_page(B)
1130 ++ * lock_page(B)
1131 ++ * pte_alloc_pne
1132 ++ * shrink_page_list
1133 ++ * wait_on_page_writeback(A)
1134 ++ * SetPageWriteback(B)
1135 ++ * unlock_page(B)
1136 ++ * # flush A, B to clear the writeback
1137 ++ */
1138 ++ if (pmd_none(*fe->pmd) && !fe->prealloc_pte) {
1139 ++ fe->prealloc_pte = pte_alloc_one(vma->vm_mm, fe->address);
1140 ++ if (!fe->prealloc_pte)
1141 ++ return VM_FAULT_OOM;
1142 ++ smp_wmb(); /* See comment in __pte_alloc() */
1143 ++ }
1144 ++
1145 + vmf.virtual_address = (void __user *)(fe->address & PAGE_MASK);
1146 + vmf.pgoff = pgoff;
1147 + vmf.flags = fe->flags;
1148 +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
1149 +index 82ce5713f744..7e42c0d1f55b 100644
1150 +--- a/net/bridge/br_netfilter_hooks.c
1151 ++++ b/net/bridge/br_netfilter_hooks.c
1152 +@@ -275,7 +275,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
1153 + struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
1154 + int ret;
1155 +
1156 +- if (neigh->hh.hh_len) {
1157 ++ if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
1158 + neigh_hh_bridge(&neigh->hh, skb);
1159 + skb->dev = nf_bridge->physindev;
1160 + ret = br_handle_frame_finish(net, sk, skb);
1161 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
1162 +index 18c1f07e4f3b..c7e5aaf2eeb8 100644
1163 +--- a/net/bridge/netfilter/ebtables.c
1164 ++++ b/net/bridge/netfilter/ebtables.c
1165 +@@ -1147,14 +1147,16 @@ static int do_replace(struct net *net, const void __user *user,
1166 + tmp.name[sizeof(tmp.name) - 1] = 0;
1167 +
1168 + countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1169 +- newinfo = vmalloc(sizeof(*newinfo) + countersize);
1170 ++ newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT,
1171 ++ PAGE_KERNEL);
1172 + if (!newinfo)
1173 + return -ENOMEM;
1174 +
1175 + if (countersize)
1176 + memset(newinfo->counters, 0, countersize);
1177 +
1178 +- newinfo->entries = vmalloc(tmp.entries_size);
1179 ++ newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT,
1180 ++ PAGE_KERNEL);
1181 + if (!newinfo->entries) {
1182 + ret = -ENOMEM;
1183 + goto free_newinfo;
1184 +diff --git a/net/can/gw.c b/net/can/gw.c
1185 +index 77c8af4047ef..81650affa3fa 100644
1186 +--- a/net/can/gw.c
1187 ++++ b/net/can/gw.c
1188 +@@ -418,13 +418,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
1189 + while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx])
1190 + (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod);
1191 +
1192 +- /* check for checksum updates when the CAN frame has been modified */
1193 ++ /* Has the CAN frame been modified? */
1194 + if (modidx) {
1195 +- if (gwj->mod.csumfunc.crc8)
1196 ++ /* get available space for the processed CAN frame type */
1197 ++ int max_len = nskb->len - offsetof(struct can_frame, data);
1198 ++
1199 ++ /* dlc may have changed, make sure it fits to the CAN frame */
1200 ++ if (cf->can_dlc > max_len)
1201 ++ goto out_delete;
1202 ++
1203 ++ /* check for checksum updates in classic CAN length only */
1204 ++ if (gwj->mod.csumfunc.crc8) {
1205 ++ if (cf->can_dlc > 8)
1206 ++ goto out_delete;
1207 ++
1208 + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
1209 ++ }
1210 ++
1211 ++ if (gwj->mod.csumfunc.xor) {
1212 ++ if (cf->can_dlc > 8)
1213 ++ goto out_delete;
1214 +
1215 +- if (gwj->mod.csumfunc.xor)
1216 + (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor);
1217 ++ }
1218 + }
1219 +
1220 + /* clear the skb timestamp if not configured the other way */
1221 +@@ -436,6 +452,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
1222 + gwj->dropped_frames++;
1223 + else
1224 + gwj->handled_frames++;
1225 ++
1226 ++ return;
1227 ++
1228 ++ out_delete:
1229 ++ /* delete frame due to misconfiguration */
1230 ++ gwj->deleted_frames++;
1231 ++ kfree_skb(nskb);
1232 ++ return;
1233 + }
1234 +
1235 + static inline int cgw_register_filter(struct cgw_job *gwj)
1236 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
1237 +index a5851c0bc278..e39895ea1b77 100644
1238 +--- a/net/ipv4/ip_sockglue.c
1239 ++++ b/net/ipv4/ip_sockglue.c
1240 +@@ -133,19 +133,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
1241 +
1242 + static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
1243 + {
1244 ++ __be16 _ports[2], *ports;
1245 + struct sockaddr_in sin;
1246 +- __be16 *ports;
1247 +- int end;
1248 +-
1249 +- end = skb_transport_offset(skb) + 4;
1250 +- if (end > 0 && !pskb_may_pull(skb, end))
1251 +- return;
1252 +
1253 + /* All current transport protocols have the port numbers in the
1254 + * first four bytes of the transport header and this function is
1255 + * written with this assumption in mind.
1256 + */
1257 +- ports = (__be16 *)skb_transport_header(skb);
1258 ++ ports = skb_header_pointer(skb, skb_transport_offset(skb),
1259 ++ sizeof(_ports), &_ports);
1260 ++ if (!ports)
1261 ++ return;
1262 +
1263 + sin.sin_family = AF_INET;
1264 + sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
1265 +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
1266 +index 2d3c8fe27583..956af11e9ba3 100644
1267 +--- a/net/ipv6/datagram.c
1268 ++++ b/net/ipv6/datagram.c
1269 +@@ -335,6 +335,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info)
1270 + skb_reset_network_header(skb);
1271 + iph = ipv6_hdr(skb);
1272 + iph->daddr = fl6->daddr;
1273 ++ ip6_flow_hdr(iph, 0, 0);
1274 +
1275 + serr = SKB_EXT_ERR(skb);
1276 + serr->ee.ee_errno = err;
1277 +@@ -694,17 +695,15 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
1278 + }
1279 + if (np->rxopt.bits.rxorigdstaddr) {
1280 + struct sockaddr_in6 sin6;
1281 +- __be16 *ports;
1282 +- int end;
1283 ++ __be16 _ports[2], *ports;
1284 +
1285 +- end = skb_transport_offset(skb) + 4;
1286 +- if (end <= 0 || pskb_may_pull(skb, end)) {
1287 ++ ports = skb_header_pointer(skb, skb_transport_offset(skb),
1288 ++ sizeof(_ports), &_ports);
1289 ++ if (ports) {
1290 + /* All current transport protocols have the port numbers in the
1291 + * first four bytes of the transport header and this function is
1292 + * written with this assumption in mind.
1293 + */
1294 +- ports = (__be16 *)skb_transport_header(skb);
1295 +-
1296 + sin6.sin6_family = AF_INET6;
1297 + sin6.sin6_addr = ipv6_hdr(skb)->daddr;
1298 + sin6.sin6_port = ports[1];
1299 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
1300 +index a9d0358d4f3b..82e222cd4845 100644
1301 +--- a/net/packet/af_packet.c
1302 ++++ b/net/packet/af_packet.c
1303 +@@ -2663,7 +2663,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
1304 + addr = saddr->sll_halen ? saddr->sll_addr : NULL;
1305 + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
1306 + if (addr && dev && saddr->sll_halen < dev->addr_len)
1307 +- goto out;
1308 ++ goto out_put;
1309 + }
1310 +
1311 + err = -ENXIO;
1312 +@@ -2862,7 +2862,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
1313 + addr = saddr->sll_halen ? saddr->sll_addr : NULL;
1314 + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
1315 + if (addr && dev && saddr->sll_halen < dev->addr_len)
1316 +- goto out;
1317 ++ goto out_unlock;
1318 + }
1319 +
1320 + err = -ENXIO;
1321 +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
1322 +index e7866d47934d..31f461f955ec 100644
1323 +--- a/net/sctp/ipv6.c
1324 ++++ b/net/sctp/ipv6.c
1325 +@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
1326 +
1327 + switch (ev) {
1328 + case NETDEV_UP:
1329 +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
1330 ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
1331 + if (addr) {
1332 + addr->a.v6.sin6_family = AF_INET6;
1333 +- addr->a.v6.sin6_port = 0;
1334 +- addr->a.v6.sin6_flowinfo = 0;
1335 + addr->a.v6.sin6_addr = ifa->addr;
1336 + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
1337 + addr->valid = 1;
1338 +@@ -413,7 +411,6 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist,
1339 + addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
1340 + if (addr) {
1341 + addr->a.v6.sin6_family = AF_INET6;
1342 +- addr->a.v6.sin6_port = 0;
1343 + addr->a.v6.sin6_addr = ifp->addr;
1344 + addr->a.v6.sin6_scope_id = dev->ifindex;
1345 + addr->valid = 1;
1346 +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
1347 +index fb7b7632316a..8ea8217db960 100644
1348 +--- a/net/sctp/protocol.c
1349 ++++ b/net/sctp/protocol.c
1350 +@@ -151,7 +151,6 @@ static void sctp_v4_copy_addrlist(struct list_head *addrlist,
1351 + addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
1352 + if (addr) {
1353 + addr->a.v4.sin_family = AF_INET;
1354 +- addr->a.v4.sin_port = 0;
1355 + addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
1356 + addr->valid = 1;
1357 + INIT_LIST_HEAD(&addr->list);
1358 +@@ -777,10 +776,9 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
1359 +
1360 + switch (ev) {
1361 + case NETDEV_UP:
1362 +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
1363 ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
1364 + if (addr) {
1365 + addr->a.v4.sin_family = AF_INET;
1366 +- addr->a.v4.sin_port = 0;
1367 + addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
1368 + addr->valid = 1;
1369 + spin_lock_bh(&net->sctp.local_addr_lock);
1370 +diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
1371 +index 5b30603596d0..eafc78e063f1 100644
1372 +--- a/net/sunrpc/rpcb_clnt.c
1373 ++++ b/net/sunrpc/rpcb_clnt.c
1374 +@@ -770,6 +770,12 @@ void rpcb_getport_async(struct rpc_task *task)
1375 + case RPCBVERS_3:
1376 + map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID];
1377 + map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC);
1378 ++ if (!map->r_addr) {
1379 ++ status = -ENOMEM;
1380 ++ dprintk("RPC: %5u %s: no memory available\n",
1381 ++ task->tk_pid, __func__);
1382 ++ goto bailout_free_args;
1383 ++ }
1384 + map->r_owner = "";
1385 + break;
1386 + case RPCBVERS_2:
1387 +@@ -792,6 +798,8 @@ void rpcb_getport_async(struct rpc_task *task)
1388 + rpc_put_task(child);
1389 + return;
1390 +
1391 ++bailout_free_args:
1392 ++ kfree(map);
1393 + bailout_release_client:
1394 + rpc_release_client(rpcb_clnt);
1395 + bailout_nofree:
1396 +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
1397 +index aedc476fac02..d947b8210399 100644
1398 +--- a/net/tipc/netlink_compat.c
1399 ++++ b/net/tipc/netlink_compat.c
1400 +@@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_buff *skb)
1401 + return limit;
1402 + }
1403 +
1404 ++static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv)
1405 ++{
1406 ++ return TLV_GET_LEN(tlv) - TLV_SPACE(0);
1407 ++}
1408 ++
1409 + static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
1410 + {
1411 + struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb);
1412 +@@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(char *str)
1413 + return buf;
1414 + }
1415 +
1416 ++static inline bool string_is_valid(char *s, int len)
1417 ++{
1418 ++ return memchr(s, '\0', len) ? true : false;
1419 ++}
1420 ++
1421 + static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
1422 + struct tipc_nl_compat_msg *msg,
1423 + struct sk_buff *arg)
1424 +@@ -370,6 +380,7 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
1425 + struct nlattr *prop;
1426 + struct nlattr *bearer;
1427 + struct tipc_bearer_config *b;
1428 ++ int len;
1429 +
1430 + b = (struct tipc_bearer_config *)TLV_DATA(msg->req);
1431 +
1432 +@@ -377,6 +388,10 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
1433 + if (!bearer)
1434 + return -EMSGSIZE;
1435 +
1436 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
1437 ++ if (!string_is_valid(b->name, len))
1438 ++ return -EINVAL;
1439 ++
1440 + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name))
1441 + return -EMSGSIZE;
1442 +
1443 +@@ -402,6 +417,7 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
1444 + {
1445 + char *name;
1446 + struct nlattr *bearer;
1447 ++ int len;
1448 +
1449 + name = (char *)TLV_DATA(msg->req);
1450 +
1451 +@@ -409,6 +425,10 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
1452 + if (!bearer)
1453 + return -EMSGSIZE;
1454 +
1455 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
1456 ++ if (!string_is_valid(name, len))
1457 ++ return -EINVAL;
1458 ++
1459 + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name))
1460 + return -EMSGSIZE;
1461 +
1462 +@@ -469,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
1463 + struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
1464 + struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
1465 + int err;
1466 ++ int len;
1467 +
1468 + if (!attrs[TIPC_NLA_LINK])
1469 + return -EINVAL;
1470 +@@ -495,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
1471 + return err;
1472 +
1473 + name = (char *)TLV_DATA(msg->req);
1474 ++
1475 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
1476 ++ if (!string_is_valid(name, len))
1477 ++ return -EINVAL;
1478 ++
1479 + if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
1480 + return 0;
1481 +
1482 +@@ -635,6 +661,7 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
1483 + struct nlattr *prop;
1484 + struct nlattr *media;
1485 + struct tipc_link_config *lc;
1486 ++ int len;
1487 +
1488 + lc = (struct tipc_link_config *)TLV_DATA(msg->req);
1489 +
1490 +@@ -642,6 +669,10 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
1491 + if (!media)
1492 + return -EMSGSIZE;
1493 +
1494 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
1495 ++ if (!string_is_valid(lc->name, len))
1496 ++ return -EINVAL;
1497 ++
1498 + if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name))
1499 + return -EMSGSIZE;
1500 +
1501 +@@ -662,6 +693,7 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
1502 + struct nlattr *prop;
1503 + struct nlattr *bearer;
1504 + struct tipc_link_config *lc;
1505 ++ int len;
1506 +
1507 + lc = (struct tipc_link_config *)TLV_DATA(msg->req);
1508 +
1509 +@@ -669,6 +701,10 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
1510 + if (!bearer)
1511 + return -EMSGSIZE;
1512 +
1513 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
1514 ++ if (!string_is_valid(lc->name, len))
1515 ++ return -EINVAL;
1516 ++
1517 + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name))
1518 + return -EMSGSIZE;
1519 +
1520 +@@ -717,9 +753,14 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
1521 + struct tipc_link_config *lc;
1522 + struct tipc_bearer *bearer;
1523 + struct tipc_media *media;
1524 ++ int len;
1525 +
1526 + lc = (struct tipc_link_config *)TLV_DATA(msg->req);
1527 +
1528 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
1529 ++ if (!string_is_valid(lc->name, len))
1530 ++ return -EINVAL;
1531 ++
1532 + media = tipc_media_find(lc->name);
1533 + if (media) {
1534 + cmd->doit = &tipc_nl_media_set;
1535 +@@ -741,6 +782,7 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
1536 + {
1537 + char *name;
1538 + struct nlattr *link;
1539 ++ int len;
1540 +
1541 + name = (char *)TLV_DATA(msg->req);
1542 +
1543 +@@ -748,6 +790,10 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
1544 + if (!link)
1545 + return -EMSGSIZE;
1546 +
1547 ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
1548 ++ if (!string_is_valid(name, len))
1549 ++ return -EINVAL;
1550 ++
1551 + if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name))
1552 + return -EMSGSIZE;
1553 +
1554 +@@ -769,6 +815,8 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
1555 + };
1556 +
1557 + ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
1558 ++ if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
1559 ++ return -EINVAL;
1560 +
1561 + depth = ntohl(ntq->depth);
1562 +
1563 +@@ -1192,7 +1240,7 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
1564 + }
1565 +
1566 + len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
1567 +- if (len && !TLV_OK(msg.req, len)) {
1568 ++ if (!len || !TLV_OK(msg.req, len)) {
1569 + msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
1570 + err = -EOPNOTSUPP;
1571 + goto send;
1572 +diff --git a/security/security.c b/security/security.c
1573 +index f825304f04a7..112df16be770 100644
1574 +--- a/security/security.c
1575 ++++ b/security/security.c
1576 +@@ -904,6 +904,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1577 +
1578 + void security_cred_free(struct cred *cred)
1579 + {
1580 ++ /*
1581 ++ * There is a failure case in prepare_creds() that
1582 ++ * may result in a call here with ->security being NULL.
1583 ++ */
1584 ++ if (unlikely(cred->security == NULL))
1585 ++ return;
1586 ++
1587 + call_void_hook(cred_free, cred);
1588 + }
1589 +
1590 +diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
1591 +index 175e4dce58df..c483de590ba3 100644
1592 +--- a/security/selinux/ss/policydb.c
1593 ++++ b/security/selinux/ss/policydb.c
1594 +@@ -726,7 +726,8 @@ static int sens_destroy(void *key, void *datum, void *p)
1595 + kfree(key);
1596 + if (datum) {
1597 + levdatum = datum;
1598 +- ebitmap_destroy(&levdatum->level->cat);
1599 ++ if (levdatum->level)
1600 ++ ebitmap_destroy(&levdatum->level->cat);
1601 + kfree(levdatum->level);
1602 + }
1603 + kfree(datum);
1604 +diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
1605 +index 0309f2111c70..5367f854fadc 100644
1606 +--- a/security/yama/yama_lsm.c
1607 ++++ b/security/yama/yama_lsm.c
1608 +@@ -359,7 +359,9 @@ static int yama_ptrace_access_check(struct task_struct *child,
1609 + break;
1610 + case YAMA_SCOPE_RELATIONAL:
1611 + rcu_read_lock();
1612 +- if (!task_is_descendant(current, child) &&
1613 ++ if (!pid_alive(child))
1614 ++ rc = -EPERM;
1615 ++ if (!rc && !task_is_descendant(current, child) &&
1616 + !ptracer_exception_found(current, child) &&
1617 + !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
1618 + rc = -EPERM;
Report Message
Find on MARC Find on Google Groups