Gentoo Archives: gentoo-commits

From: Alice Ferrazzi <alicef@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.19 commit in: /
Date: Wed, 13 Oct 2021 15:00:35
Message-Id: 1634137218.a564b9e2d597e3b892211ac546222ac3794b10aa.alicef@gentoo
1 commit: a564b9e2d597e3b892211ac546222ac3794b10aa
2 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
3 AuthorDate: Wed Oct 13 15:00:14 2021 +0000
4 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 13 15:00:18 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a564b9e2
7
8 Linux patch 4.19.211
9
10 Signed-off-by: Alice Ferrazzi <alicef <AT> gentoo.org>
11
12 0000_README | 4 +
13 1210_linux-4.19.211.patch | 663 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 667 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index c0c1a0a..ac7acb4 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -879,6 +879,10 @@ Patch: 1209_linux-4.19.210.patch
21 From: https://www.kernel.org
22 Desc: Linux 4.19.210
23
24 +Patch: 1210_linux-4.19.211.patch
25 +From: https://www.kernel.org
26 +Desc: Linux 4.19.211
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1210_linux-4.19.211.patch b/1210_linux-4.19.211.patch
33 new file mode 100644
34 index 0000000..eea7bdb
35 --- /dev/null
36 +++ b/1210_linux-4.19.211.patch
37 @@ -0,0 +1,663 @@
38 +diff --git a/Makefile b/Makefile
39 +index d9c39b3c05d56..d4e6f5d326b06 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 19
46 +-SUBLEVEL = 210
47 ++SUBLEVEL = 211
48 + EXTRAVERSION =
49 + NAME = "People's Front"
50 +
51 +diff --git a/arch/arm/boot/dts/omap3430-sdp.dts b/arch/arm/boot/dts/omap3430-sdp.dts
52 +index d652708f6bef5..56e3db08e9690 100644
53 +--- a/arch/arm/boot/dts/omap3430-sdp.dts
54 ++++ b/arch/arm/boot/dts/omap3430-sdp.dts
55 +@@ -104,7 +104,7 @@
56 +
57 + nand@1,0 {
58 + compatible = "ti,omap2-nand";
59 +- reg = <0 0 4>; /* CS0, offset 0, IO size 4 */
60 ++ reg = <1 0 4>; /* CS1, offset 0, IO size 4 */
61 + interrupt-parent = <&gpmc>;
62 + interrupts = <0 IRQ_TYPE_NONE>, /* fifoevent */
63 + <1 IRQ_TYPE_NONE>; /* termcount */
64 +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
65 +index d0153bbbdbeb8..00daa844bf8c6 100644
66 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
67 ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
68 +@@ -1182,7 +1182,7 @@
69 + };
70 +
71 + gpu: adreno-3xx@4300000 {
72 +- compatible = "qcom,adreno-3xx";
73 ++ compatible = "qcom,adreno-320.2", "qcom,adreno";
74 + reg = <0x04300000 0x20000>;
75 + reg-names = "kgsl_3d0_reg_memory";
76 + interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_HIGH>;
77 +@@ -1197,7 +1197,6 @@
78 + <&mmcc GFX3D_AHB_CLK>,
79 + <&mmcc GFX3D_AXI_CLK>,
80 + <&mmcc MMSS_IMEM_AHB_CLK>;
81 +- qcom,chipid = <0x03020002>;
82 +
83 + iommus = <&gfx3d 0
84 + &gfx3d 1
85 +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
86 +index 4bfefbec971a6..c3ca6e2cf7ffb 100644
87 +--- a/arch/arm/mach-imx/pm-imx6.c
88 ++++ b/arch/arm/mach-imx/pm-imx6.c
89 +@@ -15,6 +15,7 @@
90 + #include <linux/io.h>
91 + #include <linux/irq.h>
92 + #include <linux/genalloc.h>
93 ++#include <linux/irqchip/arm-gic.h>
94 + #include <linux/mfd/syscon.h>
95 + #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
96 + #include <linux/of.h>
97 +@@ -622,6 +623,7 @@ static void __init imx6_pm_common_init(const struct imx6_pm_socdata
98 +
99 + static void imx6_pm_stby_poweroff(void)
100 + {
101 ++ gic_cpu_if_down(0);
102 + imx6_set_lpm(STOP_POWER_OFF);
103 + imx6q_suspend_finish(0);
104 +
105 +diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
106 +index 79b12e7445373..dade3a3ba6662 100644
107 +--- a/arch/arm/net/bpf_jit_32.c
108 ++++ b/arch/arm/net/bpf_jit_32.c
109 +@@ -39,6 +39,10 @@
110 + * +-----+
111 + * |RSVD | JIT scratchpad
112 + * current ARM_SP => +-----+ <= (BPF_FP - STACK_SIZE + SCRATCH_SIZE)
113 ++ * | ... | caller-saved registers
114 ++ * +-----+
115 ++ * | ... | arguments passed on stack
116 ++ * ARM_SP during call => +-----|
117 + * | |
118 + * | ... | Function call stack
119 + * | |
120 +@@ -66,6 +70,12 @@
121 + *
122 + * When popping registers off the stack at the end of a BPF function, we
123 + * reference them via the current ARM_FP register.
124 ++ *
125 ++ * Some eBPF operations are implemented via a call to a helper function.
126 ++ * Such calls are "invisible" in the eBPF code, so it is up to the calling
127 ++ * program to preserve any caller-saved ARM registers during the call. The
128 ++ * JIT emits code to push and pop those registers onto the stack, immediately
129 ++ * above the callee stack frame.
130 + */
131 + #define CALLEE_MASK (1 << ARM_R4 | 1 << ARM_R5 | 1 << ARM_R6 | \
132 + 1 << ARM_R7 | 1 << ARM_R8 | 1 << ARM_R9 | \
133 +@@ -73,6 +83,8 @@
134 + #define CALLEE_PUSH_MASK (CALLEE_MASK | 1 << ARM_LR)
135 + #define CALLEE_POP_MASK (CALLEE_MASK | 1 << ARM_PC)
136 +
137 ++#define CALLER_MASK (1 << ARM_R0 | 1 << ARM_R1 | 1 << ARM_R2 | 1 << ARM_R3)
138 ++
139 + enum {
140 + /* Stack layout - these are offsets from (top of stack - 4) */
141 + BPF_R2_HI,
142 +@@ -467,6 +479,7 @@ static inline int epilogue_offset(const struct jit_ctx *ctx)
143 +
144 + static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
145 + {
146 ++ const int exclude_mask = BIT(ARM_R0) | BIT(ARM_R1);
147 + const s8 *tmp = bpf2a32[TMP_REG_1];
148 +
149 + #if __LINUX_ARM_ARCH__ == 7
150 +@@ -498,11 +511,17 @@ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
151 + emit(ARM_MOV_R(ARM_R0, rm), ctx);
152 + }
153 +
154 ++ /* Push caller-saved registers on stack */
155 ++ emit(ARM_PUSH(CALLER_MASK & ~exclude_mask), ctx);
156 ++
157 + /* Call appropriate function */
158 + emit_mov_i(ARM_IP, op == BPF_DIV ?
159 + (u32)jit_udiv32 : (u32)jit_mod32, ctx);
160 + emit_blx_r(ARM_IP, ctx);
161 +
162 ++ /* Restore caller-saved registers from stack */
163 ++ emit(ARM_POP(CALLER_MASK & ~exclude_mask), ctx);
164 ++
165 + /* Save return value */
166 + if (rd != ARM_R0)
167 + emit(ARM_MOV_R(rd, ARM_R0), ctx);
168 +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
169 +index 4d8cb9bb8365d..43e6597c720c2 100644
170 +--- a/arch/mips/net/bpf_jit.c
171 ++++ b/arch/mips/net/bpf_jit.c
172 +@@ -662,6 +662,11 @@ static void build_epilogue(struct jit_ctx *ctx)
173 + ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative : func) : \
174 + func##_positive)
175 +
176 ++static bool is_bad_offset(int b_off)
177 ++{
178 ++ return b_off > 0x1ffff || b_off < -0x20000;
179 ++}
180 ++
181 + static int build_body(struct jit_ctx *ctx)
182 + {
183 + const struct bpf_prog *prog = ctx->skf;
184 +@@ -728,7 +733,10 @@ load_common:
185 + /* Load return register on DS for failures */
186 + emit_reg_move(r_ret, r_zero, ctx);
187 + /* Return with error */
188 +- emit_b(b_imm(prog->len, ctx), ctx);
189 ++ b_off = b_imm(prog->len, ctx);
190 ++ if (is_bad_offset(b_off))
191 ++ return -E2BIG;
192 ++ emit_b(b_off, ctx);
193 + emit_nop(ctx);
194 + break;
195 + case BPF_LD | BPF_W | BPF_IND:
196 +@@ -775,8 +783,10 @@ load_ind:
197 + emit_jalr(MIPS_R_RA, r_s0, ctx);
198 + emit_reg_move(MIPS_R_A0, r_skb, ctx); /* delay slot */
199 + /* Check the error value */
200 +- emit_bcond(MIPS_COND_NE, r_ret, 0,
201 +- b_imm(prog->len, ctx), ctx);
202 ++ b_off = b_imm(prog->len, ctx);
203 ++ if (is_bad_offset(b_off))
204 ++ return -E2BIG;
205 ++ emit_bcond(MIPS_COND_NE, r_ret, 0, b_off, ctx);
206 + emit_reg_move(r_ret, r_zero, ctx);
207 + /* We are good */
208 + /* X <- P[1:K] & 0xf */
209 +@@ -855,8 +865,10 @@ load_ind:
210 + /* A /= X */
211 + ctx->flags |= SEEN_X | SEEN_A;
212 + /* Check if r_X is zero */
213 +- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
214 +- b_imm(prog->len, ctx), ctx);
215 ++ b_off = b_imm(prog->len, ctx);
216 ++ if (is_bad_offset(b_off))
217 ++ return -E2BIG;
218 ++ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
219 + emit_load_imm(r_ret, 0, ctx); /* delay slot */
220 + emit_div(r_A, r_X, ctx);
221 + break;
222 +@@ -864,8 +876,10 @@ load_ind:
223 + /* A %= X */
224 + ctx->flags |= SEEN_X | SEEN_A;
225 + /* Check if r_X is zero */
226 +- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
227 +- b_imm(prog->len, ctx), ctx);
228 ++ b_off = b_imm(prog->len, ctx);
229 ++ if (is_bad_offset(b_off))
230 ++ return -E2BIG;
231 ++ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
232 + emit_load_imm(r_ret, 0, ctx); /* delay slot */
233 + emit_mod(r_A, r_X, ctx);
234 + break;
235 +@@ -926,7 +940,10 @@ load_ind:
236 + break;
237 + case BPF_JMP | BPF_JA:
238 + /* pc += K */
239 +- emit_b(b_imm(i + k + 1, ctx), ctx);
240 ++ b_off = b_imm(i + k + 1, ctx);
241 ++ if (is_bad_offset(b_off))
242 ++ return -E2BIG;
243 ++ emit_b(b_off, ctx);
244 + emit_nop(ctx);
245 + break;
246 + case BPF_JMP | BPF_JEQ | BPF_K:
247 +@@ -1056,12 +1073,16 @@ jmp_cmp:
248 + break;
249 + case BPF_RET | BPF_A:
250 + ctx->flags |= SEEN_A;
251 +- if (i != prog->len - 1)
252 ++ if (i != prog->len - 1) {
253 + /*
254 + * If this is not the last instruction
255 + * then jump to the epilogue
256 + */
257 +- emit_b(b_imm(prog->len, ctx), ctx);
258 ++ b_off = b_imm(prog->len, ctx);
259 ++ if (is_bad_offset(b_off))
260 ++ return -E2BIG;
261 ++ emit_b(b_off, ctx);
262 ++ }
263 + emit_reg_move(r_ret, r_A, ctx); /* delay slot */
264 + break;
265 + case BPF_RET | BPF_K:
266 +@@ -1075,7 +1096,10 @@ jmp_cmp:
267 + * If this is not the last instruction
268 + * then jump to the epilogue
269 + */
270 +- emit_b(b_imm(prog->len, ctx), ctx);
271 ++ b_off = b_imm(prog->len, ctx);
272 ++ if (is_bad_offset(b_off))
273 ++ return -E2BIG;
274 ++ emit_b(b_off, ctx);
275 + emit_nop(ctx);
276 + }
277 + break;
278 +@@ -1133,8 +1157,10 @@ jmp_cmp:
279 + /* Load *dev pointer */
280 + emit_load_ptr(r_s0, r_skb, off, ctx);
281 + /* error (0) in the delay slot */
282 +- emit_bcond(MIPS_COND_EQ, r_s0, r_zero,
283 +- b_imm(prog->len, ctx), ctx);
284 ++ b_off = b_imm(prog->len, ctx);
285 ++ if (is_bad_offset(b_off))
286 ++ return -E2BIG;
287 ++ emit_bcond(MIPS_COND_EQ, r_s0, r_zero, b_off, ctx);
288 + emit_reg_move(r_ret, r_zero, ctx);
289 + if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
290 + BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
291 +@@ -1244,7 +1270,10 @@ void bpf_jit_compile(struct bpf_prog *fp)
292 +
293 + /* Generate the actual JIT code */
294 + build_prologue(&ctx);
295 +- build_body(&ctx);
296 ++ if (build_body(&ctx)) {
297 ++ module_memfree(ctx.target);
298 ++ goto out;
299 ++ }
300 + build_epilogue(&ctx);
301 +
302 + /* Update the icache */
303 +diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
304 +index 5ba6fbfca2742..f82f85c65964c 100644
305 +--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
306 ++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
307 +@@ -154,7 +154,7 @@
308 +
309 + fm1mac3: ethernet@e4000 {
310 + phy-handle = <&sgmii_aqr_phy3>;
311 +- phy-connection-type = "sgmii-2500";
312 ++ phy-connection-type = "2500base-x";
313 + sleep = <&rcpm 0x20000000>;
314 + };
315 +
316 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
317 +index d994501d9179f..3dd2949b2b356 100644
318 +--- a/arch/x86/Kconfig
319 ++++ b/arch/x86/Kconfig
320 +@@ -1387,7 +1387,7 @@ config HIGHMEM4G
321 +
322 + config HIGHMEM64G
323 + bool "64GB"
324 +- depends on !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && !MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !WINCHIP3D && !MK6
325 ++ depends on !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && !MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !MWINCHIP3D && !MK6
326 + select X86_PAE
327 + ---help---
328 + Select this if you have a 32-bit processor and more than 4
329 +diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
330 +index a48bf2d10ac2d..80cc9770a8d2d 100644
331 +--- a/arch/xtensa/kernel/irq.c
332 ++++ b/arch/xtensa/kernel/irq.c
333 +@@ -145,7 +145,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
334 +
335 + void __init init_IRQ(void)
336 + {
337 +-#ifdef CONFIG_OF
338 ++#ifdef CONFIG_USE_OF
339 + irqchip_init();
340 + #else
341 + #ifdef CONFIG_HAVE_SMP
342 +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
343 +index 4561a786fab07..cce4833a60832 100644
344 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
345 ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
346 +@@ -185,6 +185,7 @@ static const struct file_operations nouveau_pstate_fops = {
347 + .open = nouveau_debugfs_pstate_open,
348 + .read = seq_read,
349 + .write = nouveau_debugfs_pstate_set,
350 ++ .release = single_release,
351 + };
352 +
353 + static struct drm_info_list nouveau_debugfs_list[] = {
354 +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
355 +index 8ba4122fb3404..8288cfb44cb2c 100644
356 +--- a/drivers/i2c/i2c-core-acpi.c
357 ++++ b/drivers/i2c/i2c-core-acpi.c
358 +@@ -395,6 +395,7 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
359 + break;
360 +
361 + i2c_acpi_register_device(adapter, adev, &info);
362 ++ put_device(&adapter->dev);
363 + break;
364 + case ACPI_RECONFIG_DEVICE_REMOVE:
365 + if (!acpi_device_enumerated(adev))
366 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
367 +index 246734be51775..062b942517822 100644
368 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
369 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
370 +@@ -4724,7 +4724,8 @@ static void i40e_clear_interrupt_scheme(struct i40e_pf *pf)
371 + {
372 + int i;
373 +
374 +- i40e_free_misc_vector(pf);
375 ++ if (test_bit(__I40E_MISC_IRQ_REQUESTED, pf->state))
376 ++ i40e_free_misc_vector(pf);
377 +
378 + i40e_put_lump(pf->irq_pile, pf->iwarp_base_vector,
379 + I40E_IWARP_IRQ_PILE_ID);
380 +@@ -9068,7 +9069,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf,
381 + if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
382 + /* retry with a larger buffer */
383 + buf_len = data_size;
384 +- } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
385 ++ } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
386 + dev_info(&pf->pdev->dev,
387 + "capability discovery failed, err %s aq_err %s\n",
388 + i40e_stat_str(&pf->hw, err),
389 +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
390 +index 08c81d4cfca86..3207da2224f67 100644
391 +--- a/drivers/net/phy/mdio_bus.c
392 ++++ b/drivers/net/phy/mdio_bus.c
393 +@@ -378,6 +378,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
394 + bus->dev.groups = NULL;
395 + dev_set_name(&bus->dev, "%s", bus->id);
396 +
397 ++ /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
398 ++ * the device in mdiobus_free()
399 ++ *
400 ++ * State will be updated later in this function in case of success
401 ++ */
402 ++ bus->state = MDIOBUS_UNREGISTERED;
403 ++
404 + err = device_register(&bus->dev);
405 + if (err) {
406 + pr_err("mii_bus %s failed to register\n", bus->id);
407 +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
408 +index 47d518e6d5d4f..71bafc8f5ed02 100644
409 +--- a/drivers/net/phy/sfp.c
410 ++++ b/drivers/net/phy/sfp.c
411 +@@ -113,7 +113,7 @@ static const char * const sm_state_strings[] = {
412 + [SFP_S_LINK_UP] = "link_up",
413 + [SFP_S_TX_FAULT] = "tx_fault",
414 + [SFP_S_REINIT] = "reinit",
415 +- [SFP_S_TX_DISABLE] = "rx_disable",
416 ++ [SFP_S_TX_DISABLE] = "tx_disable",
417 + };
418 +
419 + static const char *sm_state_to_str(unsigned short sm_state)
420 +diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
421 +index 78ccf936d3560..84feaa140f1b3 100644
422 +--- a/drivers/ptp/ptp_pch.c
423 ++++ b/drivers/ptp/ptp_pch.c
424 +@@ -695,6 +695,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] = {
425 + },
426 + {0}
427 + };
428 ++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
429 +
430 + static struct pci_driver pch_driver = {
431 + .name = KBUILD_MODNAME,
432 +diff --git a/drivers/usb/Kconfig b/drivers/usb/Kconfig
433 +index 70e6c956c23ce..a9f12a52f7265 100644
434 +--- a/drivers/usb/Kconfig
435 ++++ b/drivers/usb/Kconfig
436 +@@ -175,8 +175,7 @@ source "drivers/usb/roles/Kconfig"
437 +
438 + config USB_LED_TRIG
439 + bool "USB LED Triggers"
440 +- depends on LEDS_CLASS && LEDS_TRIGGERS
441 +- select USB_COMMON
442 ++ depends on LEDS_CLASS && USB_COMMON && LEDS_TRIGGERS
443 + help
444 + This option adds LED triggers for USB host and/or gadget activity.
445 +
446 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
447 +index 6959231d63b3e..0522bd2d9d3cc 100644
448 +--- a/drivers/usb/class/cdc-acm.c
449 ++++ b/drivers/usb/class/cdc-acm.c
450 +@@ -339,6 +339,9 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf)
451 + acm->iocount.overrun++;
452 + spin_unlock_irqrestore(&acm->read_lock, flags);
453 +
454 ++ if (newctrl & ACM_CTRL_BRK)
455 ++ tty_flip_buffer_push(&acm->port);
456 ++
457 + if (difference)
458 + wake_up_all(&acm->wioctl);
459 +
460 +@@ -474,11 +477,16 @@ static int acm_submit_read_urbs(struct acm *acm, gfp_t mem_flags)
461 +
462 + static void acm_process_read_urb(struct acm *acm, struct urb *urb)
463 + {
464 ++ unsigned long flags;
465 ++
466 + if (!urb->actual_length)
467 + return;
468 +
469 ++ spin_lock_irqsave(&acm->read_lock, flags);
470 + tty_insert_flip_string(&acm->port, urb->transfer_buffer,
471 + urb->actual_length);
472 ++ spin_unlock_irqrestore(&acm->read_lock, flags);
473 ++
474 + tty_flip_buffer_push(&acm->port);
475 + }
476 +
477 +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
478 +index 2459e2afd65ec..19906020eb145 100644
479 +--- a/drivers/xen/balloon.c
480 ++++ b/drivers/xen/balloon.c
481 +@@ -508,12 +508,12 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
482 + }
483 +
484 + /*
485 +- * Stop waiting if either state is not BP_EAGAIN and ballooning action is
486 +- * needed, or if the credit has changed while state is BP_EAGAIN.
487 ++ * Stop waiting if either state is BP_DONE and ballooning action is
488 ++ * needed, or if the credit has changed while state is not BP_DONE.
489 + */
490 + static bool balloon_thread_cond(enum bp_state state, long credit)
491 + {
492 +- if (state != BP_EAGAIN)
493 ++ if (state == BP_DONE)
494 + credit = 0;
495 +
496 + return current_credit() != credit || kthread_should_stop();
497 +@@ -533,10 +533,19 @@ static int balloon_thread(void *unused)
498 +
499 + set_freezable();
500 + for (;;) {
501 +- if (state == BP_EAGAIN)
502 +- timeout = balloon_stats.schedule_delay * HZ;
503 +- else
504 ++ switch (state) {
505 ++ case BP_DONE:
506 ++ case BP_ECANCELED:
507 + timeout = 3600 * HZ;
508 ++ break;
509 ++ case BP_EAGAIN:
510 ++ timeout = balloon_stats.schedule_delay * HZ;
511 ++ break;
512 ++ case BP_WAIT:
513 ++ timeout = HZ;
514 ++ break;
515 ++ }
516 ++
517 + credit = current_credit();
518 +
519 + wait_event_freezable_timeout(balloon_thread_wq,
520 +diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
521 +index a8486432be05a..74ff28fda64dc 100644
522 +--- a/drivers/xen/privcmd.c
523 ++++ b/drivers/xen/privcmd.c
524 +@@ -835,11 +835,12 @@ static long privcmd_ioctl_mmap_resource(struct file *file,
525 + unsigned int domid =
526 + (xdata.flags & XENMEM_rsrc_acq_caller_owned) ?
527 + DOMID_SELF : kdata.dom;
528 +- int num;
529 ++ int num, *errs = (int *)pfns;
530 +
531 ++ BUILD_BUG_ON(sizeof(*errs) > sizeof(*pfns));
532 + num = xen_remap_domain_mfn_array(vma,
533 + kdata.addr & PAGE_MASK,
534 +- pfns, kdata.num, (int *)pfns,
535 ++ pfns, kdata.num, errs,
536 + vma->vm_page_prot,
537 + domid,
538 + vma->vm_private_data);
539 +@@ -849,7 +850,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file,
540 + unsigned int i;
541 +
542 + for (i = 0; i < num; i++) {
543 +- rc = pfns[i];
544 ++ rc = errs[i];
545 + if (rc < 0)
546 + break;
547 + }
548 +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
549 +index db0beefe65ec2..f67c5de1aeb8d 100644
550 +--- a/fs/nfsd/nfs4xdr.c
551 ++++ b/fs/nfsd/nfs4xdr.c
552 +@@ -3124,15 +3124,18 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
553 + goto fail;
554 + cd->rd_maxcount -= entry_bytes;
555 + /*
556 +- * RFC 3530 14.2.24 describes rd_dircount as only a "hint", so
557 +- * let's always let through the first entry, at least:
558 ++ * RFC 3530 14.2.24 describes rd_dircount as only a "hint", and
559 ++ * notes that it could be zero. If it is zero, then the server
560 ++ * should enforce only the rd_maxcount value.
561 + */
562 +- if (!cd->rd_dircount)
563 +- goto fail;
564 +- name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
565 +- if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
566 +- goto fail;
567 +- cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
568 ++ if (cd->rd_dircount) {
569 ++ name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
570 ++ if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
571 ++ goto fail;
572 ++ cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
573 ++ if (!cd->rd_dircount)
574 ++ cd->rd_maxcount = 0;
575 ++ }
576 +
577 + cd->cookie_offset = cookie_offset;
578 + skip_entry:
579 +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
580 +index 0b4ee1ab25df0..0578c15e1a676 100644
581 +--- a/fs/overlayfs/dir.c
582 ++++ b/fs/overlayfs/dir.c
583 +@@ -1166,9 +1166,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,
584 + goto out_dput;
585 + }
586 + } else {
587 +- if (!d_is_negative(newdentry) &&
588 +- (!new_opaque || !ovl_is_whiteout(newdentry)))
589 +- goto out_dput;
590 ++ if (!d_is_negative(newdentry)) {
591 ++ if (!new_opaque || !ovl_is_whiteout(newdentry))
592 ++ goto out_dput;
593 ++ } else {
594 ++ if (flags & RENAME_EXCHANGE)
595 ++ goto out_dput;
596 ++ }
597 + }
598 +
599 + if (olddentry == trap)
600 +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
601 +index a47d623f59fe7..92310b07cb98e 100644
602 +--- a/kernel/bpf/stackmap.c
603 ++++ b/kernel/bpf/stackmap.c
604 +@@ -63,7 +63,8 @@ static inline int stack_map_data_size(struct bpf_map *map)
605 +
606 + static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
607 + {
608 +- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
609 ++ u64 elem_size = sizeof(struct stack_map_bucket) +
610 ++ (u64)smap->map.value_size;
611 + int err;
612 +
613 + smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
614 +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
615 +index ec2b58a09f763..c00cb376263a0 100644
616 +--- a/net/bridge/br_netlink.c
617 ++++ b/net/bridge/br_netlink.c
618 +@@ -1511,7 +1511,7 @@ static size_t br_get_linkxstats_size(const struct net_device *dev, int attr)
619 + }
620 +
621 + return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
622 +- nla_total_size(sizeof(struct br_mcast_stats)) +
623 ++ nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
624 + nla_total_size(0);
625 + }
626 +
627 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
628 +index 055fd09ac1114..83de32e34bb55 100644
629 +--- a/net/core/rtnetlink.c
630 ++++ b/net/core/rtnetlink.c
631 +@@ -4512,7 +4512,7 @@ nla_put_failure:
632 + static size_t if_nlmsg_stats_size(const struct net_device *dev,
633 + u32 filter_mask)
634 + {
635 +- size_t size = 0;
636 ++ size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
637 +
638 + if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
639 + size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
640 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
641 +index b0fd268ed65e5..dd4e4289d0d2a 100644
642 +--- a/net/netlink/af_netlink.c
643 ++++ b/net/netlink/af_netlink.c
644 +@@ -599,7 +599,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
645 +
646 + /* We need to ensure that the socket is hashed and visible. */
647 + smp_wmb();
648 +- nlk_sk(sk)->bound = portid;
649 ++ /* Paired with lockless reads from netlink_bind(),
650 ++ * netlink_connect() and netlink_sendmsg().
651 ++ */
652 ++ WRITE_ONCE(nlk_sk(sk)->bound, portid);
653 +
654 + err:
655 + release_sock(sk);
656 +@@ -1018,7 +1021,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
657 + else if (nlk->ngroups < 8*sizeof(groups))
658 + groups &= (1UL << nlk->ngroups) - 1;
659 +
660 +- bound = nlk->bound;
661 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
662 ++ bound = READ_ONCE(nlk->bound);
663 + if (bound) {
664 + /* Ensure nlk->portid is up-to-date. */
665 + smp_rmb();
666 +@@ -1104,8 +1108,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
667 +
668 + /* No need for barriers here as we return to user-space without
669 + * using any of the bound attributes.
670 ++ * Paired with WRITE_ONCE() in netlink_insert().
671 + */
672 +- if (!nlk->bound)
673 ++ if (!READ_ONCE(nlk->bound))
674 + err = netlink_autobind(sock);
675 +
676 + if (err == 0) {
677 +@@ -1870,7 +1875,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
678 + dst_group = nlk->dst_group;
679 + }
680 +
681 +- if (!nlk->bound) {
682 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
683 ++ if (!READ_ONCE(nlk->bound)) {
684 + err = netlink_autobind(sock);
685 + if (err)
686 + goto out;
687 +diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
688 +index 24893d3b5d229..bcd3ca97caea1 100644
689 +--- a/net/sched/sch_fifo.c
690 ++++ b/net/sched/sch_fifo.c
691 +@@ -152,6 +152,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
692 + if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
693 + return 0;
694 +
695 ++ if (!q->ops->change)
696 ++ return 0;
697 ++
698 + nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
699 + if (nla) {
700 + nla->nla_type = RTM_NEWQDISC;