
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.3.3/
Date: Wed, 23 Dec 2015 07:52:24
Message-Id: 1450857523.3cf9059c012c71a2844696f25f29fcbd3dacbfc0.blueness@gentoo
1 commit: 3cf9059c012c71a2844696f25f29fcbd3dacbfc0
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Wed Dec 23 07:58:43 2015 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Wed Dec 23 07:58:43 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=3cf9059c
7
8 grsecurity-3.1-4.3.3-201512222129
9
10 4.3.3/0000_README | 6 +-
11 4.3.3/1002_linux-4.3.3.patch | 4424 --------------------
12 ...> 4420_grsecurity-3.1-4.3.3-201512222129.patch} | 295 +-
13 3 files changed, 241 insertions(+), 4484 deletions(-)
14
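--- a/4.3.3/0000_README
+++ b/4.3.3/0000_README
@@ -2,11 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 1002_linux-4.3.3.patch
-From: http://www.kernel.org
-Desc: Linux 4.3.3
-
-Patch: 4420_grsecurity-3.1-4.3.3-201512162141.patch
+Patch: 4420_grsecurity-3.1-4.3.3-201512222129.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 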
33 diff --git a/4.3.3/1002_linux-4.3.3.patch b/4.3.3/1002_linux-4.3.3.patch
34 deleted file mode 100644
35 index d8cd741..0000000
36 --- a/4.3.3/1002_linux-4.3.3.patch
37 +++ /dev/null
38 @@ -1,4424 +0,0 @@
39 -diff --git a/Makefile b/Makefile
40 -index 1a4953b..2070d16 100644
41 ---- a/Makefile
42 -+++ b/Makefile
43 -@@ -1,6 +1,6 @@
44 - VERSION = 4
45 - PATCHLEVEL = 3
46 --SUBLEVEL = 2
47 -+SUBLEVEL = 3
48 - EXTRAVERSION =
49 - NAME = Blurry Fish Butt
50 -
51 -diff --git a/block/blk-merge.c b/block/blk-merge.c
52 -index c4e9c37..0e5f4fc 100644
53 ---- a/block/blk-merge.c
54 -+++ b/block/blk-merge.c
55 -@@ -91,7 +91,7 @@ static struct bio *blk_bio_segment_split(struct request_queue *q,
56 -
57 - seg_size += bv.bv_len;
58 - bvprv = bv;
59 -- bvprvp = &bv;
60 -+ bvprvp = &bvprv;
61 - sectors += bv.bv_len >> 9;
62 - continue;
63 - }
64 -@@ -101,7 +101,7 @@ new_segment:
65 -
66 - nsegs++;
67 - bvprv = bv;
68 -- bvprvp = &bv;
69 -+ bvprvp = &bvprv;
70 - seg_size = bv.bv_len;
71 - sectors += bv.bv_len >> 9;
72 - }
73 -diff --git a/certs/.gitignore b/certs/.gitignore
74 -new file mode 100644
75 -index 0000000..f51aea4
76 ---- /dev/null
77 -+++ b/certs/.gitignore
78 -@@ -0,0 +1,4 @@
79 -+#
80 -+# Generated files
81 -+#
82 -+x509_certificate_list
83 -diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
84 -index 128e7df..8630a77 100644
85 ---- a/drivers/block/rbd.c
86 -+++ b/drivers/block/rbd.c
87 -@@ -3444,6 +3444,7 @@ static void rbd_queue_workfn(struct work_struct *work)
88 - goto err_rq;
89 - }
90 - img_request->rq = rq;
91 -+ snapc = NULL; /* img_request consumes a ref */
92 -
93 - if (op_type == OBJ_OP_DISCARD)
94 - result = rbd_img_request_fill(img_request, OBJ_REQUEST_NODATA,
95 -diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
96 -index f51d376..c2f5117 100644
97 ---- a/drivers/firewire/ohci.c
98 -+++ b/drivers/firewire/ohci.c
99 -@@ -3675,6 +3675,11 @@ static int pci_probe(struct pci_dev *dev,
100 -
101 - reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0);
102 - ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet);
103 -+ /* JMicron JMB38x often shows 0 at first read, just ignore it */
104 -+ if (!ohci->it_context_support) {
105 -+ ohci_notice(ohci, "overriding IsoXmitIntMask\n");
106 -+ ohci->it_context_support = 0xf;
107 -+ }
108 - reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0);
109 - ohci->it_context_mask = ohci->it_context_support;
110 - ohci->n_it = hweight32(ohci->it_context_mask);
111 -diff --git a/drivers/media/pci/cobalt/Kconfig b/drivers/media/pci/cobalt/Kconfig
112 -index 1f88ccc..a01f0cc 100644
113 ---- a/drivers/media/pci/cobalt/Kconfig
114 -+++ b/drivers/media/pci/cobalt/Kconfig
115 -@@ -1,6 +1,6 @@
116 - config VIDEO_COBALT
117 - tristate "Cisco Cobalt support"
118 -- depends on VIDEO_V4L2 && I2C && MEDIA_CONTROLLER
119 -+ depends on VIDEO_V4L2 && I2C && VIDEO_V4L2_SUBDEV_API
120 - depends on PCI_MSI && MTD_COMPLEX_MAPPINGS
121 - depends on GPIOLIB || COMPILE_TEST
122 - depends on SND
123 -diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
124 -index a937772..7f709cb 100644
125 ---- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
126 -+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
127 -@@ -1583,8 +1583,14 @@ err_disable_device:
128 - static void nicvf_remove(struct pci_dev *pdev)
129 - {
130 - struct net_device *netdev = pci_get_drvdata(pdev);
131 -- struct nicvf *nic = netdev_priv(netdev);
132 -- struct net_device *pnetdev = nic->pnicvf->netdev;
133 -+ struct nicvf *nic;
134 -+ struct net_device *pnetdev;
135 -+
136 -+ if (!netdev)
137 -+ return;
138 -+
139 -+ nic = netdev_priv(netdev);
140 -+ pnetdev = nic->pnicvf->netdev;
141 -
142 - /* Check if this Qset is assigned to different VF.
143 - * If yes, clean primary and all secondary Qsets.
144 -diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
145 -index 731423c..8bead97 100644
146 ---- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
147 -+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
148 -@@ -4934,26 +4934,41 @@ static void rem_slave_counters(struct mlx4_dev *dev, int slave)
149 - struct res_counter *counter;
150 - struct res_counter *tmp;
151 - int err;
152 -- int index;
153 -+ int *counters_arr = NULL;
154 -+ int i, j;
155 -
156 - err = move_all_busy(dev, slave, RES_COUNTER);
157 - if (err)
158 - mlx4_warn(dev, "rem_slave_counters: Could not move all counters - too busy for slave %d\n",
159 - slave);
160 -
161 -- spin_lock_irq(mlx4_tlock(dev));
162 -- list_for_each_entry_safe(counter, tmp, counter_list, com.list) {
163 -- if (counter->com.owner == slave) {
164 -- index = counter->com.res_id;
165 -- rb_erase(&counter->com.node,
166 -- &tracker->res_tree[RES_COUNTER]);
167 -- list_del(&counter->com.list);
168 -- kfree(counter);
169 -- __mlx4_counter_free(dev, index);
170 -+ counters_arr = kmalloc_array(dev->caps.max_counters,
171 -+ sizeof(*counters_arr), GFP_KERNEL);
172 -+ if (!counters_arr)
173 -+ return;
174 -+
175 -+ do {
176 -+ i = 0;
177 -+ j = 0;
178 -+ spin_lock_irq(mlx4_tlock(dev));
179 -+ list_for_each_entry_safe(counter, tmp, counter_list, com.list) {
180 -+ if (counter->com.owner == slave) {
181 -+ counters_arr[i++] = counter->com.res_id;
182 -+ rb_erase(&counter->com.node,
183 -+ &tracker->res_tree[RES_COUNTER]);
184 -+ list_del(&counter->com.list);
185 -+ kfree(counter);
186 -+ }
187 -+ }
188 -+ spin_unlock_irq(mlx4_tlock(dev));
189 -+
190 -+ while (j < i) {
191 -+ __mlx4_counter_free(dev, counters_arr[j++]);
192 - mlx4_release_resource(dev, slave, RES_COUNTER, 1, 0);
193 - }
194 -- }
195 -- spin_unlock_irq(mlx4_tlock(dev));
196 -+ } while (i);
197 -+
198 -+ kfree(counters_arr);
199 - }
200 -
201 - static void rem_slave_xrcdns(struct mlx4_dev *dev, int slave)
202 -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
203 -index 59874d6..443632d 100644
204 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
205 -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
206 -@@ -1332,6 +1332,42 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
207 - return err;
208 - }
209 -
210 -+static int mlx5e_refresh_tir_self_loopback_enable(struct mlx5_core_dev *mdev,
211 -+ u32 tirn)
212 -+{
213 -+ void *in;
214 -+ int inlen;
215 -+ int err;
216 -+
217 -+ inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
218 -+ in = mlx5_vzalloc(inlen);
219 -+ if (!in)
220 -+ return -ENOMEM;
221 -+
222 -+ MLX5_SET(modify_tir_in, in, bitmask.self_lb_en, 1);
223 -+
224 -+ err = mlx5_core_modify_tir(mdev, tirn, in, inlen);
225 -+
226 -+ kvfree(in);
227 -+
228 -+ return err;
229 -+}
230 -+
231 -+static int mlx5e_refresh_tirs_self_loopback_enable(struct mlx5e_priv *priv)
232 -+{
233 -+ int err;
234 -+ int i;
235 -+
236 -+ for (i = 0; i < MLX5E_NUM_TT; i++) {
237 -+ err = mlx5e_refresh_tir_self_loopback_enable(priv->mdev,
238 -+ priv->tirn[i]);
239 -+ if (err)
240 -+ return err;
241 -+ }
242 -+
243 -+ return 0;
244 -+}
245 -+
246 - static int mlx5e_set_dev_port_mtu(struct net_device *netdev)
247 - {
248 - struct mlx5e_priv *priv = netdev_priv(netdev);
249 -@@ -1367,13 +1403,20 @@ int mlx5e_open_locked(struct net_device *netdev)
250 -
251 - err = mlx5e_set_dev_port_mtu(netdev);
252 - if (err)
253 -- return err;
254 -+ goto err_clear_state_opened_flag;
255 -
256 - err = mlx5e_open_channels(priv);
257 - if (err) {
258 - netdev_err(netdev, "%s: mlx5e_open_channels failed, %d\n",
259 - __func__, err);
260 -- return err;
261 -+ goto err_clear_state_opened_flag;
262 -+ }
263 -+
264 -+ err = mlx5e_refresh_tirs_self_loopback_enable(priv);
265 -+ if (err) {
266 -+ netdev_err(netdev, "%s: mlx5e_refresh_tirs_self_loopback_enable failed, %d\n",
267 -+ __func__, err);
268 -+ goto err_close_channels;
269 - }
270 -
271 - mlx5e_update_carrier(priv);
272 -@@ -1382,6 +1425,12 @@ int mlx5e_open_locked(struct net_device *netdev)
273 - schedule_delayed_work(&priv->update_stats_work, 0);
274 -
275 - return 0;
276 -+
277 -+err_close_channels:
278 -+ mlx5e_close_channels(priv);
279 -+err_clear_state_opened_flag:
280 -+ clear_bit(MLX5E_STATE_OPENED, &priv->state);
281 -+ return err;
282 - }
283 -
284 - static int mlx5e_open(struct net_device *netdev)
285 -@@ -1899,6 +1948,9 @@ static int mlx5e_check_required_hca_cap(struct mlx5_core_dev *mdev)
286 - "Not creating net device, some required device capabilities are missing\n");
287 - return -ENOTSUPP;
288 - }
289 -+ if (!MLX5_CAP_ETH(mdev, self_lb_en_modifiable))
290 -+ mlx5_core_warn(mdev, "Self loop back prevention is not supported\n");
291 -+
292 - return 0;
293 - }
294 -
295 -diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
296 -index b4f2123..79ef799 100644
297 ---- a/drivers/net/ethernet/realtek/r8169.c
298 -+++ b/drivers/net/ethernet/realtek/r8169.c
299 -@@ -7429,15 +7429,15 @@ process_pkt:
300 -
301 - rtl8169_rx_vlan_tag(desc, skb);
302 -
303 -+ if (skb->pkt_type == PACKET_MULTICAST)
304 -+ dev->stats.multicast++;
305 -+
306 - napi_gro_receive(&tp->napi, skb);
307 -
308 - u64_stats_update_begin(&tp->rx_stats.syncp);
309 - tp->rx_stats.packets++;
310 - tp->rx_stats.bytes += pkt_size;
311 - u64_stats_update_end(&tp->rx_stats.syncp);
312 --
313 -- if (skb->pkt_type == PACKET_MULTICAST)
314 -- dev->stats.multicast++;
315 - }
316 - release_descriptor:
317 - desc->opts2 = 0;
318 -diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
319 -index 9c71295..85e64044 100644
320 ---- a/drivers/net/phy/broadcom.c
321 -+++ b/drivers/net/phy/broadcom.c
322 -@@ -675,7 +675,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = {
323 - { PHY_ID_BCM5461, 0xfffffff0 },
324 - { PHY_ID_BCM54616S, 0xfffffff0 },
325 - { PHY_ID_BCM5464, 0xfffffff0 },
326 -- { PHY_ID_BCM5482, 0xfffffff0 },
327 -+ { PHY_ID_BCM5481, 0xfffffff0 },
328 - { PHY_ID_BCM5482, 0xfffffff0 },
329 - { PHY_ID_BCM50610, 0xfffffff0 },
330 - { PHY_ID_BCM50610M, 0xfffffff0 },
331 -diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
332 -index 2a7c1be..66e0853 100644
333 ---- a/drivers/net/usb/qmi_wwan.c
334 -+++ b/drivers/net/usb/qmi_wwan.c
335 -@@ -775,6 +775,7 @@ static const struct usb_device_id products[] = {
336 - {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
337 - {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
338 - {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
339 -+ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */
340 - {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */
341 - {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
342 - {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */
343 -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
344 -index 488c6f5..c9e309c 100644
345 ---- a/drivers/net/vrf.c
346 -+++ b/drivers/net/vrf.c
347 -@@ -581,7 +581,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
348 - {
349 - struct net_vrf *vrf = netdev_priv(dev);
350 - struct net_vrf_dev *vrf_ptr;
351 -- int err;
352 -
353 - if (!data || !data[IFLA_VRF_TABLE])
354 - return -EINVAL;
355 -@@ -590,26 +589,16 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
356 -
357 - dev->priv_flags |= IFF_VRF_MASTER;
358 -
359 -- err = -ENOMEM;
360 - vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
361 - if (!vrf_ptr)
362 -- goto out_fail;
363 -+ return -ENOMEM;
364 -
365 - vrf_ptr->ifindex = dev->ifindex;
366 - vrf_ptr->tb_id = vrf->tb_id;
367 -
368 -- err = register_netdevice(dev);
369 -- if (err < 0)
370 -- goto out_fail;
371 --
372 - rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
373 -
374 -- return 0;
375 --
376 --out_fail:
377 -- kfree(vrf_ptr);
378 -- free_netdev(dev);
379 -- return err;
380 -+ return register_netdev(dev);
381 - }
382 -
383 - static size_t vrf_nl_getsize(const struct net_device *dev)
384 -diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
385 -index 938efe3..94eea1f 100644
386 ---- a/fs/btrfs/ctree.h
387 -+++ b/fs/btrfs/ctree.h
388 -@@ -3398,7 +3398,7 @@ int btrfs_set_disk_extent_flags(struct btrfs_trans_handle *trans,
389 - int btrfs_free_extent(struct btrfs_trans_handle *trans,
390 - struct btrfs_root *root,
391 - u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid,
392 -- u64 owner, u64 offset, int no_quota);
393 -+ u64 owner, u64 offset);
394 -
395 - int btrfs_free_reserved_extent(struct btrfs_root *root, u64 start, u64 len,
396 - int delalloc);
397 -@@ -3411,7 +3411,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans,
398 - int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
399 - struct btrfs_root *root,
400 - u64 bytenr, u64 num_bytes, u64 parent,
401 -- u64 root_objectid, u64 owner, u64 offset, int no_quota);
402 -+ u64 root_objectid, u64 owner, u64 offset);
403 -
404 - int btrfs_start_dirty_block_groups(struct btrfs_trans_handle *trans,
405 - struct btrfs_root *root);
406 -diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
407 -index ac3e81d..7832031 100644
408 ---- a/fs/btrfs/delayed-ref.c
409 -+++ b/fs/btrfs/delayed-ref.c
410 -@@ -197,6 +197,119 @@ static inline void drop_delayed_ref(struct btrfs_trans_handle *trans,
411 - trans->delayed_ref_updates--;
412 - }
413 -
414 -+static bool merge_ref(struct btrfs_trans_handle *trans,
415 -+ struct btrfs_delayed_ref_root *delayed_refs,
416 -+ struct btrfs_delayed_ref_head *head,
417 -+ struct btrfs_delayed_ref_node *ref,
418 -+ u64 seq)
419 -+{
420 -+ struct btrfs_delayed_ref_node *next;
421 -+ bool done = false;
422 -+
423 -+ next = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node,
424 -+ list);
425 -+ while (!done && &next->list != &head->ref_list) {
426 -+ int mod;
427 -+ struct btrfs_delayed_ref_node *next2;
428 -+
429 -+ next2 = list_next_entry(next, list);
430 -+
431 -+ if (next == ref)
432 -+ goto next;
433 -+
434 -+ if (seq && next->seq >= seq)
435 -+ goto next;
436 -+
437 -+ if (next->type != ref->type)
438 -+ goto next;
439 -+
440 -+ if ((ref->type == BTRFS_TREE_BLOCK_REF_KEY ||
441 -+ ref->type == BTRFS_SHARED_BLOCK_REF_KEY) &&
442 -+ comp_tree_refs(btrfs_delayed_node_to_tree_ref(ref),
443 -+ btrfs_delayed_node_to_tree_ref(next),
444 -+ ref->type))
445 -+ goto next;
446 -+ if ((ref->type == BTRFS_EXTENT_DATA_REF_KEY ||
447 -+ ref->type == BTRFS_SHARED_DATA_REF_KEY) &&
448 -+ comp_data_refs(btrfs_delayed_node_to_data_ref(ref),
449 -+ btrfs_delayed_node_to_data_ref(next)))
450 -+ goto next;
451 -+
452 -+ if (ref->action == next->action) {
453 -+ mod = next->ref_mod;
454 -+ } else {
455 -+ if (ref->ref_mod < next->ref_mod) {
456 -+ swap(ref, next);
457 -+ done = true;
458 -+ }
459 -+ mod = -next->ref_mod;
460 -+ }
461 -+
462 -+ drop_delayed_ref(trans, delayed_refs, head, next);
463 -+ ref->ref_mod += mod;
464 -+ if (ref->ref_mod == 0) {
465 -+ drop_delayed_ref(trans, delayed_refs, head, ref);
466 -+ done = true;
467 -+ } else {
468 -+ /*
469 -+ * Can't have multiples of the same ref on a tree block.
470 -+ */
471 -+ WARN_ON(ref->type == BTRFS_TREE_BLOCK_REF_KEY ||
472 -+ ref->type == BTRFS_SHARED_BLOCK_REF_KEY);
473 -+ }
474 -+next:
475 -+ next = next2;
476 -+ }
477 -+
478 -+ return done;
479 -+}
480 -+
481 -+void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans,
482 -+ struct btrfs_fs_info *fs_info,
483 -+ struct btrfs_delayed_ref_root *delayed_refs,
484 -+ struct btrfs_delayed_ref_head *head)
485 -+{
486 -+ struct btrfs_delayed_ref_node *ref;
487 -+ u64 seq = 0;
488 -+
489 -+ assert_spin_locked(&head->lock);
490 -+
491 -+ if (list_empty(&head->ref_list))
492 -+ return;
493 -+
494 -+ /* We don't have too many refs to merge for data. */
495 -+ if (head->is_data)
496 -+ return;
497 -+
498 -+ spin_lock(&fs_info->tree_mod_seq_lock);
499 -+ if (!list_empty(&fs_info->tree_mod_seq_list)) {
500 -+ struct seq_list *elem;
501 -+
502 -+ elem = list_first_entry(&fs_info->tree_mod_seq_list,
503 -+ struct seq_list, list);
504 -+ seq = elem->seq;
505 -+ }
506 -+ spin_unlock(&fs_info->tree_mod_seq_lock);
507 -+
508 -+ ref = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node,
509 -+ list);
510 -+ while (&ref->list != &head->ref_list) {
511 -+ if (seq && ref->seq >= seq)
512 -+ goto next;
513 -+
514 -+ if (merge_ref(trans, delayed_refs, head, ref, seq)) {
515 -+ if (list_empty(&head->ref_list))
516 -+ break;
517 -+ ref = list_first_entry(&head->ref_list,
518 -+ struct btrfs_delayed_ref_node,
519 -+ list);
520 -+ continue;
521 -+ }
522 -+next:
523 -+ ref = list_next_entry(ref, list);
524 -+ }
525 -+}
526 -+
527 - int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info,
528 - struct btrfs_delayed_ref_root *delayed_refs,
529 - u64 seq)
530 -@@ -292,8 +405,7 @@ add_delayed_ref_tail_merge(struct btrfs_trans_handle *trans,
531 - exist = list_entry(href->ref_list.prev, struct btrfs_delayed_ref_node,
532 - list);
533 - /* No need to compare bytenr nor is_head */
534 -- if (exist->type != ref->type || exist->no_quota != ref->no_quota ||
535 -- exist->seq != ref->seq)
536 -+ if (exist->type != ref->type || exist->seq != ref->seq)
537 - goto add_tail;
538 -
539 - if ((exist->type == BTRFS_TREE_BLOCK_REF_KEY ||
540 -@@ -524,7 +636,7 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
541 - struct btrfs_delayed_ref_head *head_ref,
542 - struct btrfs_delayed_ref_node *ref, u64 bytenr,
543 - u64 num_bytes, u64 parent, u64 ref_root, int level,
544 -- int action, int no_quota)
545 -+ int action)
546 - {
547 - struct btrfs_delayed_tree_ref *full_ref;
548 - struct btrfs_delayed_ref_root *delayed_refs;
549 -@@ -546,7 +658,6 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
550 - ref->action = action;
551 - ref->is_head = 0;
552 - ref->in_tree = 1;
553 -- ref->no_quota = no_quota;
554 - ref->seq = seq;
555 -
556 - full_ref = btrfs_delayed_node_to_tree_ref(ref);
557 -@@ -579,7 +690,7 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info,
558 - struct btrfs_delayed_ref_head *head_ref,
559 - struct btrfs_delayed_ref_node *ref, u64 bytenr,
560 - u64 num_bytes, u64 parent, u64 ref_root, u64 owner,
561 -- u64 offset, int action, int no_quota)
562 -+ u64 offset, int action)
563 - {
564 - struct btrfs_delayed_data_ref *full_ref;
565 - struct btrfs_delayed_ref_root *delayed_refs;
566 -@@ -602,7 +713,6 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info,
567 - ref->action = action;
568 - ref->is_head = 0;
569 - ref->in_tree = 1;
570 -- ref->no_quota = no_quota;
571 - ref->seq = seq;
572 -
573 - full_ref = btrfs_delayed_node_to_data_ref(ref);
574 -@@ -633,17 +743,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
575 - struct btrfs_trans_handle *trans,
576 - u64 bytenr, u64 num_bytes, u64 parent,
577 - u64 ref_root, int level, int action,
578 -- struct btrfs_delayed_extent_op *extent_op,
579 -- int no_quota)
580 -+ struct btrfs_delayed_extent_op *extent_op)
581 - {
582 - struct btrfs_delayed_tree_ref *ref;
583 - struct btrfs_delayed_ref_head *head_ref;
584 - struct btrfs_delayed_ref_root *delayed_refs;
585 - struct btrfs_qgroup_extent_record *record = NULL;
586 -
587 -- if (!is_fstree(ref_root) || !fs_info->quota_enabled)
588 -- no_quota = 0;
589 --
590 - BUG_ON(extent_op && extent_op->is_data);
591 - ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS);
592 - if (!ref)
593 -@@ -672,8 +778,7 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
594 - bytenr, num_bytes, action, 0);
595 -
596 - add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr,
597 -- num_bytes, parent, ref_root, level, action,
598 -- no_quota);
599 -+ num_bytes, parent, ref_root, level, action);
600 - spin_unlock(&delayed_refs->lock);
601 -
602 - return 0;
603 -@@ -694,17 +799,13 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
604 - u64 bytenr, u64 num_bytes,
605 - u64 parent, u64 ref_root,
606 - u64 owner, u64 offset, int action,
607 -- struct btrfs_delayed_extent_op *extent_op,
608 -- int no_quota)
609 -+ struct btrfs_delayed_extent_op *extent_op)
610 - {
611 - struct btrfs_delayed_data_ref *ref;
612 - struct btrfs_delayed_ref_head *head_ref;
613 - struct btrfs_delayed_ref_root *delayed_refs;
614 - struct btrfs_qgroup_extent_record *record = NULL;
615 -
616 -- if (!is_fstree(ref_root) || !fs_info->quota_enabled)
617 -- no_quota = 0;
618 --
619 - BUG_ON(extent_op && !extent_op->is_data);
620 - ref = kmem_cache_alloc(btrfs_delayed_data_ref_cachep, GFP_NOFS);
621 - if (!ref)
622 -@@ -740,7 +841,7 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
623 -
624 - add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr,
625 - num_bytes, parent, ref_root, owner, offset,
626 -- action, no_quota);
627 -+ action);
628 - spin_unlock(&delayed_refs->lock);
629 -
630 - return 0;
631 -diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h
632 -index 13fb5e6..930887a 100644
633 ---- a/fs/btrfs/delayed-ref.h
634 -+++ b/fs/btrfs/delayed-ref.h
635 -@@ -68,7 +68,6 @@ struct btrfs_delayed_ref_node {
636 -
637 - unsigned int action:8;
638 - unsigned int type:8;
639 -- unsigned int no_quota:1;
640 - /* is this node still in the rbtree? */
641 - unsigned int is_head:1;
642 - unsigned int in_tree:1;
643 -@@ -233,15 +232,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
644 - struct btrfs_trans_handle *trans,
645 - u64 bytenr, u64 num_bytes, u64 parent,
646 - u64 ref_root, int level, int action,
647 -- struct btrfs_delayed_extent_op *extent_op,
648 -- int no_quota);
649 -+ struct btrfs_delayed_extent_op *extent_op);
650 - int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
651 - struct btrfs_trans_handle *trans,
652 - u64 bytenr, u64 num_bytes,
653 - u64 parent, u64 ref_root,
654 - u64 owner, u64 offset, int action,
655 -- struct btrfs_delayed_extent_op *extent_op,
656 -- int no_quota);
657 -+ struct btrfs_delayed_extent_op *extent_op);
658 - int btrfs_add_delayed_extent_op(struct btrfs_fs_info *fs_info,
659 - struct btrfs_trans_handle *trans,
660 - u64 bytenr, u64 num_bytes,
661 -diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
662 -index 601d7d4..cadacf6 100644
663 ---- a/fs/btrfs/extent-tree.c
664 -+++ b/fs/btrfs/extent-tree.c
665 -@@ -95,8 +95,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans,
666 - struct btrfs_root *root,
667 - u64 parent, u64 root_objectid,
668 - u64 flags, struct btrfs_disk_key *key,
669 -- int level, struct btrfs_key *ins,
670 -- int no_quota);
671 -+ int level, struct btrfs_key *ins);
672 - static int do_chunk_alloc(struct btrfs_trans_handle *trans,
673 - struct btrfs_root *extent_root, u64 flags,
674 - int force);
675 -@@ -2009,8 +2008,7 @@ int btrfs_discard_extent(struct btrfs_root *root, u64 bytenr,
676 - int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
677 - struct btrfs_root *root,
678 - u64 bytenr, u64 num_bytes, u64 parent,
679 -- u64 root_objectid, u64 owner, u64 offset,
680 -- int no_quota)
681 -+ u64 root_objectid, u64 owner, u64 offset)
682 - {
683 - int ret;
684 - struct btrfs_fs_info *fs_info = root->fs_info;
685 -@@ -2022,12 +2020,12 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
686 - ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr,
687 - num_bytes,
688 - parent, root_objectid, (int)owner,
689 -- BTRFS_ADD_DELAYED_REF, NULL, no_quota);
690 -+ BTRFS_ADD_DELAYED_REF, NULL);
691 - } else {
692 - ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr,
693 - num_bytes,
694 - parent, root_objectid, owner, offset,
695 -- BTRFS_ADD_DELAYED_REF, NULL, no_quota);
696 -+ BTRFS_ADD_DELAYED_REF, NULL);
697 - }
698 - return ret;
699 - }
700 -@@ -2048,15 +2046,11 @@ static int __btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
701 - u64 num_bytes = node->num_bytes;
702 - u64 refs;
703 - int ret;
704 -- int no_quota = node->no_quota;
705 -
706 - path = btrfs_alloc_path();
707 - if (!path)
708 - return -ENOMEM;
709 -
710 -- if (!is_fstree(root_objectid) || !root->fs_info->quota_enabled)
711 -- no_quota = 1;
712 --
713 - path->reada = 1;
714 - path->leave_spinning = 1;
715 - /* this will setup the path even if it fails to insert the back ref */
716 -@@ -2291,8 +2285,7 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans,
717 - parent, ref_root,
718 - extent_op->flags_to_set,
719 - &extent_op->key,
720 -- ref->level, &ins,
721 -- node->no_quota);
722 -+ ref->level, &ins);
723 - } else if (node->action == BTRFS_ADD_DELAYED_REF) {
724 - ret = __btrfs_inc_extent_ref(trans, root, node,
725 - parent, ref_root,
726 -@@ -2433,7 +2426,21 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans,
727 - }
728 - }
729 -
730 -+ /*
731 -+ * We need to try and merge add/drops of the same ref since we
732 -+ * can run into issues with relocate dropping the implicit ref
733 -+ * and then it being added back again before the drop can
734 -+ * finish. If we merged anything we need to re-loop so we can
735 -+ * get a good ref.
736 -+ * Or we can get node references of the same type that weren't
737 -+ * merged when created due to bumps in the tree mod seq, and
738 -+ * we need to merge them to prevent adding an inline extent
739 -+ * backref before dropping it (triggering a BUG_ON at
740 -+ * insert_inline_extent_backref()).
741 -+ */
742 - spin_lock(&locked_ref->lock);
743 -+ btrfs_merge_delayed_refs(trans, fs_info, delayed_refs,
744 -+ locked_ref);
745 -
746 - /*
747 - * locked_ref is the head node, so we have to go one
748 -@@ -3109,7 +3116,7 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans,
749 - int level;
750 - int ret = 0;
751 - int (*process_func)(struct btrfs_trans_handle *, struct btrfs_root *,
752 -- u64, u64, u64, u64, u64, u64, int);
753 -+ u64, u64, u64, u64, u64, u64);
754 -
755 -
756 - if (btrfs_test_is_dummy_root(root))
757 -@@ -3150,15 +3157,14 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans,
758 - key.offset -= btrfs_file_extent_offset(buf, fi);
759 - ret = process_func(trans, root, bytenr, num_bytes,
760 - parent, ref_root, key.objectid,
761 -- key.offset, 1);
762 -+ key.offset);
763 - if (ret)
764 - goto fail;
765 - } else {
766 - bytenr = btrfs_node_blockptr(buf, i);
767 - num_bytes = root->nodesize;
768 - ret = process_func(trans, root, bytenr, num_bytes,
769 -- parent, ref_root, level - 1, 0,
770 -- 1);
771 -+ parent, ref_root, level - 1, 0);
772 - if (ret)
773 - goto fail;
774 - }
775 -@@ -6233,7 +6239,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans,
776 - int extent_slot = 0;
777 - int found_extent = 0;
778 - int num_to_del = 1;
779 -- int no_quota = node->no_quota;
780 - u32 item_size;
781 - u64 refs;
782 - u64 bytenr = node->bytenr;
783 -@@ -6242,9 +6247,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans,
784 - bool skinny_metadata = btrfs_fs_incompat(root->fs_info,
785 - SKINNY_METADATA);
786 -
787 -- if (!info->quota_enabled || !is_fstree(root_objectid))
788 -- no_quota = 1;
789 --
790 - path = btrfs_alloc_path();
791 - if (!path)
792 - return -ENOMEM;
793 -@@ -6570,7 +6572,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans,
794 - buf->start, buf->len,
795 - parent, root->root_key.objectid,
796 - btrfs_header_level(buf),
797 -- BTRFS_DROP_DELAYED_REF, NULL, 0);
798 -+ BTRFS_DROP_DELAYED_REF, NULL);
799 - BUG_ON(ret); /* -ENOMEM */
800 - }
801 -
802 -@@ -6618,7 +6620,7 @@ out:
803 - /* Can return -ENOMEM */
804 - int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root,
805 - u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid,
806 -- u64 owner, u64 offset, int no_quota)
807 -+ u64 owner, u64 offset)
808 - {
809 - int ret;
810 - struct btrfs_fs_info *fs_info = root->fs_info;
811 -@@ -6641,13 +6643,13 @@ int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root,
812 - ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr,
813 - num_bytes,
814 - parent, root_objectid, (int)owner,
815 -- BTRFS_DROP_DELAYED_REF, NULL, no_quota);
816 -+ BTRFS_DROP_DELAYED_REF, NULL);
817 - } else {
818 - ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr,
819 - num_bytes,
820 - parent, root_objectid, owner,
821 - offset, BTRFS_DROP_DELAYED_REF,
822 -- NULL, no_quota);
823 -+ NULL);
824 - }
825 - return ret;
826 - }
827 -@@ -7429,8 +7431,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans,
828 - struct btrfs_root *root,
829 - u64 parent, u64 root_objectid,
830 - u64 flags, struct btrfs_disk_key *key,
831 -- int level, struct btrfs_key *ins,
832 -- int no_quota)
833 -+ int level, struct btrfs_key *ins)
834 - {
835 - int ret;
836 - struct btrfs_fs_info *fs_info = root->fs_info;
837 -@@ -7520,7 +7521,7 @@ int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans,
838 - ret = btrfs_add_delayed_data_ref(root->fs_info, trans, ins->objectid,
839 - ins->offset, 0,
840 - root_objectid, owner, offset,
841 -- BTRFS_ADD_DELAYED_EXTENT, NULL, 0);
842 -+ BTRFS_ADD_DELAYED_EXTENT, NULL);
843 - return ret;
844 - }
845 -
846 -@@ -7734,7 +7735,7 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans,
847 - ins.objectid, ins.offset,
848 - parent, root_objectid, level,
849 - BTRFS_ADD_DELAYED_EXTENT,
850 -- extent_op, 0);
851 -+ extent_op);
852 - if (ret)
853 - goto out_free_delayed;
854 - }
855 -@@ -8282,7 +8283,7 @@ skip:
856 - }
857 - }
858 - ret = btrfs_free_extent(trans, root, bytenr, blocksize, parent,
859 -- root->root_key.objectid, level - 1, 0, 0);
860 -+ root->root_key.objectid, level - 1, 0);
861 - BUG_ON(ret); /* -ENOMEM */
862 - }
863 - btrfs_tree_unlock(next);
864 -diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
865 -index 8c6f247..e27ea7a 100644
866 ---- a/fs/btrfs/file.c
867 -+++ b/fs/btrfs/file.c
868 -@@ -756,8 +756,16 @@ next_slot:
869 - }
870 -
871 - btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
872 -- if (key.objectid > ino ||
873 -- key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end)
874 -+
875 -+ if (key.objectid > ino)
876 -+ break;
877 -+ if (WARN_ON_ONCE(key.objectid < ino) ||
878 -+ key.type < BTRFS_EXTENT_DATA_KEY) {
879 -+ ASSERT(del_nr == 0);
880 -+ path->slots[0]++;
881 -+ goto next_slot;
882 -+ }
883 -+ if (key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end)
884 - break;
885 -
886 - fi = btrfs_item_ptr(leaf, path->slots[0],
887 -@@ -776,8 +784,8 @@ next_slot:
888 - btrfs_file_extent_inline_len(leaf,
889 - path->slots[0], fi);
890 - } else {
891 -- WARN_ON(1);
892 -- extent_end = search_start;
893 -+ /* can't happen */
894 -+ BUG();
895 - }
896 -
897 - /*
898 -@@ -847,7 +855,7 @@ next_slot:
899 - disk_bytenr, num_bytes, 0,
900 - root->root_key.objectid,
901 - new_key.objectid,
902 -- start - extent_offset, 1);
903 -+ start - extent_offset);
904 - BUG_ON(ret); /* -ENOMEM */
905 - }
906 - key.offset = start;
907 -@@ -925,7 +933,7 @@ delete_extent_item:
908 - disk_bytenr, num_bytes, 0,
909 - root->root_key.objectid,
910 - key.objectid, key.offset -
911 -- extent_offset, 0);
912 -+ extent_offset);
913 - BUG_ON(ret); /* -ENOMEM */
914 - inode_sub_bytes(inode,
915 - extent_end - key.offset);
916 -@@ -1204,7 +1212,7 @@ again:
917 -
918 - ret = btrfs_inc_extent_ref(trans, root, bytenr, num_bytes, 0,
919 - root->root_key.objectid,
920 -- ino, orig_offset, 1);
921 -+ ino, orig_offset);
922 - BUG_ON(ret); /* -ENOMEM */
923 -
924 - if (split == start) {
925 -@@ -1231,7 +1239,7 @@ again:
926 - del_nr++;
927 - ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
928 - 0, root->root_key.objectid,
929 -- ino, orig_offset, 0);
930 -+ ino, orig_offset);
931 - BUG_ON(ret); /* -ENOMEM */
932 - }
933 - other_start = 0;
934 -@@ -1248,7 +1256,7 @@ again:
935 - del_nr++;
936 - ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
937 - 0, root->root_key.objectid,
938 -- ino, orig_offset, 0);
939 -+ ino, orig_offset);
940 - BUG_ON(ret); /* -ENOMEM */
941 - }
942 - if (del_nr == 0) {
943 -@@ -1868,8 +1876,13 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
944 - struct btrfs_log_ctx ctx;
945 - int ret = 0;
946 - bool full_sync = 0;
947 -- const u64 len = end - start + 1;
948 -+ u64 len;
949 -
950 -+ /*
951 -+ * The range length can be represented by u64, we have to do the typecasts
952 -+ * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
953 -+ */
954 -+ len = (u64)end - (u64)start + 1;
955 - trace_btrfs_sync_file(file, datasync);
956 -
957 - /*
958 -@@ -2057,8 +2070,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
959 - }
960 - }
961 - if (!full_sync) {
962 -- ret = btrfs_wait_ordered_range(inode, start,
963 -- end - start + 1);
964 -+ ret = btrfs_wait_ordered_range(inode, start, len);
965 - if (ret) {
966 - btrfs_end_transaction(trans, root);
967 - goto out;
968 -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
969 -index 611b66d..396e3d5 100644
970 ---- a/fs/btrfs/inode.c
971 -+++ b/fs/btrfs/inode.c
972 -@@ -1294,8 +1294,14 @@ next_slot:
973 - num_bytes = 0;
974 - btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
975 -
976 -- if (found_key.objectid > ino ||
977 -- found_key.type > BTRFS_EXTENT_DATA_KEY ||
978 -+ if (found_key.objectid > ino)
979 -+ break;
980 -+ if (WARN_ON_ONCE(found_key.objectid < ino) ||
981 -+ found_key.type < BTRFS_EXTENT_DATA_KEY) {
982 -+ path->slots[0]++;
983 -+ goto next_slot;
984 -+ }
985 -+ if (found_key.type > BTRFS_EXTENT_DATA_KEY ||
986 - found_key.offset > end)
987 - break;
988 -
989 -@@ -2573,7 +2579,7 @@ again:
990 - ret = btrfs_inc_extent_ref(trans, root, new->bytenr,
991 - new->disk_len, 0,
992 - backref->root_id, backref->inum,
993 -- new->file_pos, 0); /* start - extent_offset */
994 -+ new->file_pos); /* start - extent_offset */
995 - if (ret) {
996 - btrfs_abort_transaction(trans, root, ret);
997 - goto out_free_path;
998 -@@ -4217,6 +4223,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans,
999 -
1000 - }
1001 -
1002 -+static int truncate_inline_extent(struct inode *inode,
1003 -+ struct btrfs_path *path,
1004 -+ struct btrfs_key *found_key,
1005 -+ const u64 item_end,
1006 -+ const u64 new_size)
1007 -+{
1008 -+ struct extent_buffer *leaf = path->nodes[0];
1009 -+ int slot = path->slots[0];
1010 -+ struct btrfs_file_extent_item *fi;
1011 -+ u32 size = (u32)(new_size - found_key->offset);
1012 -+ struct btrfs_root *root = BTRFS_I(inode)->root;
1013 -+
1014 -+ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
1015 -+
1016 -+ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
1017 -+ loff_t offset = new_size;
1018 -+ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
1019 -+
1020 -+ /*
1021 -+ * Zero out the remaining of the last page of our inline extent,
1022 -+ * instead of directly truncating our inline extent here - that
1023 -+ * would be much more complex (decompressing all the data, then
1024 -+ * compressing the truncated data, which might be bigger than
1025 -+ * the size of the inline extent, resize the extent, etc).
1026 -+ * We release the path because to get the page we might need to
1027 -+ * read the extent item from disk (data not in the page cache).
1028 -+ */
1029 -+ btrfs_release_path(path);
1030 -+ return btrfs_truncate_page(inode, offset, page_end - offset, 0);
1031 -+ }
1032 -+
1033 -+ btrfs_set_file_extent_ram_bytes(leaf, fi, size);
1034 -+ size = btrfs_file_extent_calc_inline_size(size);
1035 -+ btrfs_truncate_item(root, path, size, 1);
1036 -+
1037 -+ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
1038 -+ inode_sub_bytes(inode, item_end + 1 - new_size);
1039 -+
1040 -+ return 0;
1041 -+}
1042 -+
1043 - /*
1044 - * this can truncate away extent items, csum items and directory items.
1045 - * It starts at a high offset and removes keys until it can't find
1046 -@@ -4411,27 +4458,40 @@ search_again:
1047 - * special encodings
1048 - */
1049 - if (!del_item &&
1050 -- btrfs_file_extent_compression(leaf, fi) == 0 &&
1051 - btrfs_file_extent_encryption(leaf, fi) == 0 &&
1052 - btrfs_file_extent_other_encoding(leaf, fi) == 0) {
1053 -- u32 size = new_size - found_key.offset;
1054 --
1055 -- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
1056 -- inode_sub_bytes(inode, item_end + 1 -
1057 -- new_size);
1058 -
1059 - /*
1060 -- * update the ram bytes to properly reflect
1061 -- * the new size of our item
1062 -+ * Need to release path in order to truncate a
1063 -+ * compressed extent. So delete any accumulated
1064 -+ * extent items so far.
1065 - */
1066 -- btrfs_set_file_extent_ram_bytes(leaf, fi, size);
1067 -- size =
1068 -- btrfs_file_extent_calc_inline_size(size);
1069 -- btrfs_truncate_item(root, path, size, 1);
1070 -+ if (btrfs_file_extent_compression(leaf, fi) !=
1071 -+ BTRFS_COMPRESS_NONE && pending_del_nr) {
1072 -+ err = btrfs_del_items(trans, root, path,
1073 -+ pending_del_slot,
1074 -+ pending_del_nr);
1075 -+ if (err) {
1076 -+ btrfs_abort_transaction(trans,
1077 -+ root,
1078 -+ err);
1079 -+ goto error;
1080 -+ }
1081 -+ pending_del_nr = 0;
1082 -+ }
1083 -+
1084 -+ err = truncate_inline_extent(inode, path,
1085 -+ &found_key,
1086 -+ item_end,
1087 -+ new_size);
1088 -+ if (err) {
1089 -+ btrfs_abort_transaction(trans,
1090 -+ root, err);
1091 -+ goto error;
1092 -+ }
1093 - } else if (test_bit(BTRFS_ROOT_REF_COWS,
1094 - &root->state)) {
1095 -- inode_sub_bytes(inode, item_end + 1 -
1096 -- found_key.offset);
1097 -+ inode_sub_bytes(inode, item_end + 1 - new_size);
1098 - }
1099 - }
1100 - delete:
1101 -@@ -4461,7 +4521,7 @@ delete:
1102 - ret = btrfs_free_extent(trans, root, extent_start,
1103 - extent_num_bytes, 0,
1104 - btrfs_header_owner(leaf),
1105 -- ino, extent_offset, 0);
1106 -+ ino, extent_offset);
1107 - BUG_ON(ret);
1108 - if (btrfs_should_throttle_delayed_refs(trans, root))
1109 - btrfs_async_run_delayed_refs(root,
1110 -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
1111 -index 8d20f3b..6548a36 100644
1112 ---- a/fs/btrfs/ioctl.c
1113 -+++ b/fs/btrfs/ioctl.c
1114 -@@ -3203,41 +3203,6 @@ out:
1115 - return ret;
1116 - }
1117 -
1118 --/* Helper to check and see if this root currently has a ref on the given disk
1119 -- * bytenr. If it does then we need to update the quota for this root. This
1120 -- * doesn't do anything if quotas aren't enabled.
1121 -- */
1122 --static int check_ref(struct btrfs_trans_handle *trans, struct btrfs_root *root,
1123 -- u64 disko)
1124 --{
1125 -- struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem);
1126 -- struct ulist *roots;
1127 -- struct ulist_iterator uiter;
1128 -- struct ulist_node *root_node = NULL;
1129 -- int ret;
1130 --
1131 -- if (!root->fs_info->quota_enabled)
1132 -- return 1;
1133 --
1134 -- btrfs_get_tree_mod_seq(root->fs_info, &tree_mod_seq_elem);
1135 -- ret = btrfs_find_all_roots(trans, root->fs_info, disko,
1136 -- tree_mod_seq_elem.seq, &roots);
1137 -- if (ret < 0)
1138 -- goto out;
1139 -- ret = 0;
1140 -- ULIST_ITER_INIT(&uiter);
1141 -- while ((root_node = ulist_next(roots, &uiter))) {
1142 -- if (root_node->val == root->objectid) {
1143 -- ret = 1;
1144 -- break;
1145 -- }
1146 -- }
1147 -- ulist_free(roots);
1148 --out:
1149 -- btrfs_put_tree_mod_seq(root->fs_info, &tree_mod_seq_elem);
1150 -- return ret;
1151 --}
1152 --
1153 - static int clone_finish_inode_update(struct btrfs_trans_handle *trans,
1154 - struct inode *inode,
1155 - u64 endoff,
1156 -@@ -3328,6 +3293,150 @@ static void clone_update_extent_map(struct inode *inode,
1157 - &BTRFS_I(inode)->runtime_flags);
1158 - }
1159 -
1160 -+/*
1161 -+ * Make sure we do not end up inserting an inline extent into a file that has
1162 -+ * already other (non-inline) extents. If a file has an inline extent it can
1163 -+ * not have any other extents and the (single) inline extent must start at the
1164 -+ * file offset 0. Failing to respect these rules will lead to file corruption,
1165 -+ * resulting in EIO errors on read/write operations, hitting BUG_ON's in mm, etc
1166 -+ *
1167 -+ * We can have extents that have been already written to disk or we can have
1168 -+ * dirty ranges still in delalloc, in which case the extent maps and items are
1169 -+ * created only when we run delalloc, and the delalloc ranges might fall outside
1170 -+ * the range we are currently locking in the inode's io tree. So we check the
1171 -+ * inode's i_size because of that (i_size updates are done while holding the
1172 -+ * i_mutex, which we are holding here).
1173 -+ * We also check to see if the inode has a size not greater than "datal" but has
1174 -+ * extents beyond it, due to an fallocate with FALLOC_FL_KEEP_SIZE (and we are
1175 -+ * protected against such concurrent fallocate calls by the i_mutex).
1176 -+ *
1177 -+ * If the file has no extents but a size greater than datal, do not allow the
1178 -+ * copy because we would need turn the inline extent into a non-inline one (even
1179 -+ * with NO_HOLES enabled). If we find our destination inode only has one inline
1180 -+ * extent, just overwrite it with the source inline extent if its size is less
1181 -+ * than the source extent's size, or we could copy the source inline extent's
1182 -+ * data into the destination inode's inline extent if the later is greater then
1183 -+ * the former.
1184 -+ */
1185 -+static int clone_copy_inline_extent(struct inode *src,
1186 -+ struct inode *dst,
1187 -+ struct btrfs_trans_handle *trans,
1188 -+ struct btrfs_path *path,
1189 -+ struct btrfs_key *new_key,
1190 -+ const u64 drop_start,
1191 -+ const u64 datal,
1192 -+ const u64 skip,
1193 -+ const u64 size,
1194 -+ char *inline_data)
1195 -+{
1196 -+ struct btrfs_root *root = BTRFS_I(dst)->root;
1197 -+ const u64 aligned_end = ALIGN(new_key->offset + datal,
1198 -+ root->sectorsize);
1199 -+ int ret;
1200 -+ struct btrfs_key key;
1201 -+
1202 -+ if (new_key->offset > 0)
1203 -+ return -EOPNOTSUPP;
1204 -+
1205 -+ key.objectid = btrfs_ino(dst);
1206 -+ key.type = BTRFS_EXTENT_DATA_KEY;
1207 -+ key.offset = 0;
1208 -+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
1209 -+ if (ret < 0) {
1210 -+ return ret;
1211 -+ } else if (ret > 0) {
1212 -+ if (path->slots[0] >= btrfs_header_nritems(path->nodes[0])) {
1213 -+ ret = btrfs_next_leaf(root, path);
1214 -+ if (ret < 0)
1215 -+ return ret;
1216 -+ else if (ret > 0)
1217 -+ goto copy_inline_extent;
1218 -+ }
1219 -+ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
1220 -+ if (key.objectid == btrfs_ino(dst) &&
1221 -+ key.type == BTRFS_EXTENT_DATA_KEY) {
1222 -+ ASSERT(key.offset > 0);
1223 -+ return -EOPNOTSUPP;
1224 -+ }
1225 -+ } else if (i_size_read(dst) <= datal) {
1226 -+ struct btrfs_file_extent_item *ei;
1227 -+ u64 ext_len;
1228 -+
1229 -+ /*
1230 -+ * If the file size is <= datal, make sure there are no other
1231 -+ * extents following (can happen do to an fallocate call with
1232 -+ * the flag FALLOC_FL_KEEP_SIZE).
1233 -+ */
1234 -+ ei = btrfs_item_ptr(path->nodes[0], path->slots[0],
1235 -+ struct btrfs_file_extent_item);
1236 -+ /*
1237 -+ * If it's an inline extent, it can not have other extents
1238 -+ * following it.
1239 -+ */
1240 -+ if (btrfs_file_extent_type(path->nodes[0], ei) ==
1241 -+ BTRFS_FILE_EXTENT_INLINE)
1242 -+ goto copy_inline_extent;
1243 -+
1244 -+ ext_len = btrfs_file_extent_num_bytes(path->nodes[0], ei);
1245 -+ if (ext_len > aligned_end)
1246 -+ return -EOPNOTSUPP;
1247 -+
1248 -+ ret = btrfs_next_item(root, path);
1249 -+ if (ret < 0) {
1250 -+ return ret;
1251 -+ } else if (ret == 0) {
1252 -+ btrfs_item_key_to_cpu(path->nodes[0], &key,
1253 -+ path->slots[0]);
1254 -+ if (key.objectid == btrfs_ino(dst) &&
1255 -+ key.type == BTRFS_EXTENT_DATA_KEY)
1256 -+ return -EOPNOTSUPP;
1257 -+ }
1258 -+ }
1259 -+
1260 -+copy_inline_extent:
1261 -+ /*
1262 -+ * We have no extent items, or we have an extent at offset 0 which may
1263 -+ * or may not be inlined. All these cases are dealt the same way.
1264 -+ */
1265 -+ if (i_size_read(dst) > datal) {
1266 -+ /*
1267 -+ * If the destination inode has an inline extent...
1268 -+ * This would require copying the data from the source inline
1269 -+ * extent into the beginning of the destination's inline extent.
1270 -+ * But this is really complex, both extents can be compressed
1271 -+ * or just one of them, which would require decompressing and
1272 -+ * re-compressing data (which could increase the new compressed
1273 -+ * size, not allowing the compressed data to fit anymore in an
1274 -+ * inline extent).
1275 -+ * So just don't support this case for now (it should be rare,
1276 -+ * we are not really saving space when cloning inline extents).
1277 -+ */
1278 -+ return -EOPNOTSUPP;
1279 -+ }
1280 -+
1281 -+ btrfs_release_path(path);
1282 -+ ret = btrfs_drop_extents(trans, root, dst, drop_start, aligned_end, 1);
1283 -+ if (ret)
1284 -+ return ret;
1285 -+ ret = btrfs_insert_empty_item(trans, root, path, new_key, size);
1286 -+ if (ret)
1287 -+ return ret;
1288 -+
1289 -+ if (skip) {
1290 -+ const u32 start = btrfs_file_extent_calc_inline_size(0);
1291 -+
1292 -+ memmove(inline_data + start, inline_data + start + skip, datal);
1293 -+ }
1294 -+
1295 -+ write_extent_buffer(path->nodes[0], inline_data,
1296 -+ btrfs_item_ptr_offset(path->nodes[0],
1297 -+ path->slots[0]),
1298 -+ size);
1299 -+ inode_add_bytes(dst, datal);
1300 -+
1301 -+ return 0;
1302 -+}
1303 -+
1304 - /**
1305 - * btrfs_clone() - clone a range from inode file to another
1306 - *
1307 -@@ -3352,9 +3461,7 @@ static int btrfs_clone(struct inode *src, struct inode *inode,
1308 - u32 nritems;
1309 - int slot;
1310 - int ret;
1311 -- int no_quota;
1312 - const u64 len = olen_aligned;
1313 -- u64 last_disko = 0;
1314 - u64 last_dest_end = destoff;
1315 -
1316 - ret = -ENOMEM;
1317 -@@ -3400,7 +3507,6 @@ static int btrfs_clone(struct inode *src, struct inode *inode,
1318 -
1319 - nritems = btrfs_header_nritems(path->nodes[0]);
1320 - process_slot:
1321 -- no_quota = 1;
1322 - if (path->slots[0] >= nritems) {
1323 - ret = btrfs_next_leaf(BTRFS_I(src)->root, path);
1324 - if (ret < 0)
1325 -@@ -3552,35 +3658,13 @@ process_slot:
1326 - btrfs_set_file_extent_num_bytes(leaf, extent,
1327 - datal);
1328 -
1329 -- /*
1330 -- * We need to look up the roots that point at
1331 -- * this bytenr and see if the new root does. If
1332 -- * it does not we need to make sure we update
1333 -- * quotas appropriately.
1334 -- */
1335 -- if (disko && root != BTRFS_I(src)->root &&
1336 -- disko != last_disko) {
1337 -- no_quota = check_ref(trans, root,
1338 -- disko);
1339 -- if (no_quota < 0) {
1340 -- btrfs_abort_transaction(trans,
1341 -- root,
1342 -- ret);
1343 -- btrfs_end_transaction(trans,
1344 -- root);
1345 -- ret = no_quota;
1346 -- goto out;
1347 -- }
1348 -- }
1349 --
1350 - if (disko) {
1351 - inode_add_bytes(inode, datal);
1352 - ret = btrfs_inc_extent_ref(trans, root,
1353 - disko, diskl, 0,
1354 - root->root_key.objectid,
1355 - btrfs_ino(inode),
1356 -- new_key.offset - datao,
1357 -- no_quota);
1358 -+ new_key.offset - datao);
1359 - if (ret) {
1360 - btrfs_abort_transaction(trans,
1361 - root,
1362 -@@ -3594,21 +3678,6 @@ process_slot:
1363 - } else if (type == BTRFS_FILE_EXTENT_INLINE) {
1364 - u64 skip = 0;
1365 - u64 trim = 0;
1366 -- u64 aligned_end = 0;
1367 --
1368 -- /*
1369 -- * Don't copy an inline extent into an offset
1370 -- * greater than zero. Having an inline extent
1371 -- * at such an offset results in chaos as btrfs
1372 -- * isn't prepared for such cases. Just skip
1373 -- * this case for the same reasons as commented
1374 -- * at btrfs_ioctl_clone().
1375 -- */
1376 -- if (last_dest_end > 0) {
1377 -- ret = -EOPNOTSUPP;
1378 -- btrfs_end_transaction(trans, root);
1379 -- goto out;
1380 -- }
1381 -
1382 - if (off > key.offset) {
1383 - skip = off - key.offset;
1384 -@@ -3626,42 +3695,22 @@ process_slot:
1385 - size -= skip + trim;
1386 - datal -= skip + trim;
1387 -
1388 -- aligned_end = ALIGN(new_key.offset + datal,
1389 -- root->sectorsize);
1390 -- ret = btrfs_drop_extents(trans, root, inode,
1391 -- drop_start,
1392 -- aligned_end,
1393 -- 1);
1394 -+ ret = clone_copy_inline_extent(src, inode,
1395 -+ trans, path,
1396 -+ &new_key,
1397 -+ drop_start,
1398 -+ datal,
1399 -+ skip, size, buf);
1400 - if (ret) {
1401 - if (ret != -EOPNOTSUPP)
1402 - btrfs_abort_transaction(trans,
1403 -- root, ret);
1404 -- btrfs_end_transaction(trans, root);
1405 -- goto out;
1406 -- }
1407 --
1408 -- ret = btrfs_insert_empty_item(trans, root, path,
1409 -- &new_key, size);
1410 -- if (ret) {
1411 -- btrfs_abort_transaction(trans, root,
1412 -- ret);
1413 -+ root,
1414 -+ ret);
1415 - btrfs_end_transaction(trans, root);
1416 - goto out;
1417 - }
1418 --
1419 -- if (skip) {
1420 -- u32 start =
1421 -- btrfs_file_extent_calc_inline_size(0);
1422 -- memmove(buf+start, buf+start+skip,
1423 -- datal);
1424 -- }
1425 --
1426 - leaf = path->nodes[0];
1427 - slot = path->slots[0];
1428 -- write_extent_buffer(leaf, buf,
1429 -- btrfs_item_ptr_offset(leaf, slot),
1430 -- size);
1431 -- inode_add_bytes(inode, datal);
1432 - }
1433 -
1434 - /* If we have an implicit hole (NO_HOLES feature). */
1435 -diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
1436 -index 303babe..ab507e3 100644
1437 ---- a/fs/btrfs/relocation.c
1438 -+++ b/fs/btrfs/relocation.c
1439 -@@ -1716,7 +1716,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans,
1440 - ret = btrfs_inc_extent_ref(trans, root, new_bytenr,
1441 - num_bytes, parent,
1442 - btrfs_header_owner(leaf),
1443 -- key.objectid, key.offset, 1);
1444 -+ key.objectid, key.offset);
1445 - if (ret) {
1446 - btrfs_abort_transaction(trans, root, ret);
1447 - break;
1448 -@@ -1724,7 +1724,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans,
1449 -
1450 - ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
1451 - parent, btrfs_header_owner(leaf),
1452 -- key.objectid, key.offset, 1);
1453 -+ key.objectid, key.offset);
1454 - if (ret) {
1455 - btrfs_abort_transaction(trans, root, ret);
1456 - break;
1457 -@@ -1900,23 +1900,21 @@ again:
1458 -
1459 - ret = btrfs_inc_extent_ref(trans, src, old_bytenr, blocksize,
1460 - path->nodes[level]->start,
1461 -- src->root_key.objectid, level - 1, 0,
1462 -- 1);
1463 -+ src->root_key.objectid, level - 1, 0);
1464 - BUG_ON(ret);
1465 - ret = btrfs_inc_extent_ref(trans, dest, new_bytenr, blocksize,
1466 - 0, dest->root_key.objectid, level - 1,
1467 -- 0, 1);
1468 -+ 0);
1469 - BUG_ON(ret);
1470 -
1471 - ret = btrfs_free_extent(trans, src, new_bytenr, blocksize,
1472 - path->nodes[level]->start,
1473 -- src->root_key.objectid, level - 1, 0,
1474 -- 1);
1475 -+ src->root_key.objectid, level - 1, 0);
1476 - BUG_ON(ret);
1477 -
1478 - ret = btrfs_free_extent(trans, dest, old_bytenr, blocksize,
1479 - 0, dest->root_key.objectid, level - 1,
1480 -- 0, 1);
1481 -+ 0);
1482 - BUG_ON(ret);
1483 -
1484 - btrfs_unlock_up_safe(path, 0);
1485 -@@ -2745,7 +2743,7 @@ static int do_relocation(struct btrfs_trans_handle *trans,
1486 - node->eb->start, blocksize,
1487 - upper->eb->start,
1488 - btrfs_header_owner(upper->eb),
1489 -- node->level, 0, 1);
1490 -+ node->level, 0);
1491 - BUG_ON(ret);
1492 -
1493 - ret = btrfs_drop_subtree(trans, root, eb, upper->eb);
1494 -diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
1495 -index a739b82..23bb2e4 100644
1496 ---- a/fs/btrfs/send.c
1497 -+++ b/fs/btrfs/send.c
1498 -@@ -2353,8 +2353,14 @@ static int send_subvol_begin(struct send_ctx *sctx)
1499 - }
1500 -
1501 - TLV_PUT_STRING(sctx, BTRFS_SEND_A_PATH, name, namelen);
1502 -- TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1503 -- sctx->send_root->root_item.uuid);
1504 -+
1505 -+ if (!btrfs_is_empty_uuid(sctx->send_root->root_item.received_uuid))
1506 -+ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1507 -+ sctx->send_root->root_item.received_uuid);
1508 -+ else
1509 -+ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1510 -+ sctx->send_root->root_item.uuid);
1511 -+
1512 - TLV_PUT_U64(sctx, BTRFS_SEND_A_CTRANSID,
1513 - le64_to_cpu(sctx->send_root->root_item.ctransid));
1514 - if (parent_root) {
1515 -diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
1516 -index 1bbaace..6f8af2d 100644
1517 ---- a/fs/btrfs/tree-log.c
1518 -+++ b/fs/btrfs/tree-log.c
1519 -@@ -691,7 +691,7 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans,
1520 - ret = btrfs_inc_extent_ref(trans, root,
1521 - ins.objectid, ins.offset,
1522 - 0, root->root_key.objectid,
1523 -- key->objectid, offset, 0);
1524 -+ key->objectid, offset);
1525 - if (ret)
1526 - goto out;
1527 - } else {
1528 -diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
1529 -index 6f518c9..1fcd7b6 100644
1530 ---- a/fs/btrfs/xattr.c
1531 -+++ b/fs/btrfs/xattr.c
1532 -@@ -313,8 +313,10 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
1533 - /* check to make sure this item is what we want */
1534 - if (found_key.objectid != key.objectid)
1535 - break;
1536 -- if (found_key.type != BTRFS_XATTR_ITEM_KEY)
1537 -+ if (found_key.type > BTRFS_XATTR_ITEM_KEY)
1538 - break;
1539 -+ if (found_key.type < BTRFS_XATTR_ITEM_KEY)
1540 -+ goto next;
1541 -
1542 - di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
1543 - if (verify_dir_item(root, leaf, di))
1544 -diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
1545 -index 51cb02d..fe2c982 100644
1546 ---- a/fs/ceph/mds_client.c
1547 -+++ b/fs/ceph/mds_client.c
1548 -@@ -1935,7 +1935,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
1549 -
1550 - len = sizeof(*head) +
1551 - pathlen1 + pathlen2 + 2*(1 + sizeof(u32) + sizeof(u64)) +
1552 -- sizeof(struct timespec);
1553 -+ sizeof(struct ceph_timespec);
1554 -
1555 - /* calculate (max) length for cap releases */
1556 - len += sizeof(struct ceph_mds_request_release) *
1557 -diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
1558 -index c711be8..9c8d233 100644
1559 ---- a/fs/debugfs/inode.c
1560 -+++ b/fs/debugfs/inode.c
1561 -@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, struct dentry *parent)
1562 - dput(dentry);
1563 - dentry = ERR_PTR(-EEXIST);
1564 - }
1565 -- if (IS_ERR(dentry))
1566 -+
1567 -+ if (IS_ERR(dentry)) {
1568 - mutex_unlock(&d_inode(parent)->i_mutex);
1569 -+ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
1570 -+ }
1571 -+
1572 - return dentry;
1573 - }
1574 -
1575 -diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c
1576 -index 4573155..2fab243 100644
1577 ---- a/fs/ext4/crypto.c
1578 -+++ b/fs/ext4/crypto.c
1579 -@@ -411,7 +411,13 @@ int ext4_encrypted_zeroout(struct inode *inode, struct ext4_extent *ex)
1580 - ext4_lblk_t lblk = ex->ee_block;
1581 - ext4_fsblk_t pblk = ext4_ext_pblock(ex);
1582 - unsigned int len = ext4_ext_get_actual_len(ex);
1583 -- int err = 0;
1584 -+ int ret, err = 0;
1585 -+
1586 -+#if 0
1587 -+ ext4_msg(inode->i_sb, KERN_CRIT,
1588 -+ "ext4_encrypted_zeroout ino %lu lblk %u len %u",
1589 -+ (unsigned long) inode->i_ino, lblk, len);
1590 -+#endif
1591 -
1592 - BUG_ON(inode->i_sb->s_blocksize != PAGE_CACHE_SIZE);
1593 -
1594 -@@ -437,17 +443,26 @@ int ext4_encrypted_zeroout(struct inode *inode, struct ext4_extent *ex)
1595 - goto errout;
1596 - }
1597 - bio->bi_bdev = inode->i_sb->s_bdev;
1598 -- bio->bi_iter.bi_sector = pblk;
1599 -- err = bio_add_page(bio, ciphertext_page,
1600 -+ bio->bi_iter.bi_sector =
1601 -+ pblk << (inode->i_sb->s_blocksize_bits - 9);
1602 -+ ret = bio_add_page(bio, ciphertext_page,
1603 - inode->i_sb->s_blocksize, 0);
1604 -- if (err) {
1605 -+ if (ret != inode->i_sb->s_blocksize) {
1606 -+ /* should never happen! */
1607 -+ ext4_msg(inode->i_sb, KERN_ERR,
1608 -+ "bio_add_page failed: %d", ret);
1609 -+ WARN_ON(1);
1610 - bio_put(bio);
1611 -+ err = -EIO;
1612 - goto errout;
1613 - }
1614 - err = submit_bio_wait(WRITE, bio);
1615 -+ if ((err == 0) && bio->bi_error)
1616 -+ err = -EIO;
1617 - bio_put(bio);
1618 - if (err)
1619 - goto errout;
1620 -+ lblk++; pblk++;
1621 - }
1622 - err = 0;
1623 - errout:
1624 -diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
1625 -index d418431..e770c1ee 100644
1626 ---- a/fs/ext4/ext4_jbd2.c
1627 -+++ b/fs/ext4/ext4_jbd2.c
1628 -@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
1629 - return 0;
1630 - }
1631 -
1632 -+ err = handle->h_err;
1633 - if (!handle->h_transaction) {
1634 -- err = jbd2_journal_stop(handle);
1635 -- return handle->h_err ? handle->h_err : err;
1636 -+ rc = jbd2_journal_stop(handle);
1637 -+ return err ? err : rc;
1638 - }
1639 -
1640 - sb = handle->h_transaction->t_journal->j_private;
1641 -- err = handle->h_err;
1642 - rc = jbd2_journal_stop(handle);
1643 -
1644 - if (!err)
1645 -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
1646 -index 2553aa8..7f486e3 100644
1647 ---- a/fs/ext4/extents.c
1648 -+++ b/fs/ext4/extents.c
1649 -@@ -3558,6 +3558,9 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
1650 - max_zeroout = sbi->s_extent_max_zeroout_kb >>
1651 - (inode->i_sb->s_blocksize_bits - 10);
1652 -
1653 -+ if (ext4_encrypted_inode(inode))
1654 -+ max_zeroout = 0;
1655 -+
1656 - /* If extent is less than s_max_zeroout_kb, zeroout directly */
1657 - if (max_zeroout && (ee_len <= max_zeroout)) {
1658 - err = ext4_ext_zeroout(inode, ex);
1659 -diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
1660 -index 84ba4d2..17fbe38 100644
1661 ---- a/fs/ext4/page-io.c
1662 -+++ b/fs/ext4/page-io.c
1663 -@@ -425,6 +425,7 @@ int ext4_bio_write_page(struct ext4_io_submit *io,
1664 - struct buffer_head *bh, *head;
1665 - int ret = 0;
1666 - int nr_submitted = 0;
1667 -+ int nr_to_submit = 0;
1668 -
1669 - blocksize = 1 << inode->i_blkbits;
1670 -
1671 -@@ -477,11 +478,13 @@ int ext4_bio_write_page(struct ext4_io_submit *io,
1672 - unmap_underlying_metadata(bh->b_bdev, bh->b_blocknr);
1673 - }
1674 - set_buffer_async_write(bh);
1675 -+ nr_to_submit++;
1676 - } while ((bh = bh->b_this_page) != head);
1677 -
1678 - bh = head = page_buffers(page);
1679 -
1680 -- if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode)) {
1681 -+ if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode) &&
1682 -+ nr_to_submit) {
1683 - data_page = ext4_encrypt(inode, page);
1684 - if (IS_ERR(data_page)) {
1685 - ret = PTR_ERR(data_page);
1686 -diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1687 -index a63c7b0..df84bd2 100644
1688 ---- a/fs/ext4/super.c
1689 -+++ b/fs/ext4/super.c
1690 -@@ -394,9 +394,13 @@ static void ext4_handle_error(struct super_block *sb)
1691 - smp_wmb();
1692 - sb->s_flags |= MS_RDONLY;
1693 - }
1694 -- if (test_opt(sb, ERRORS_PANIC))
1695 -+ if (test_opt(sb, ERRORS_PANIC)) {
1696 -+ if (EXT4_SB(sb)->s_journal &&
1697 -+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
1698 -+ return;
1699 - panic("EXT4-fs (device %s): panic forced after error\n",
1700 - sb->s_id);
1701 -+ }
1702 - }
1703 -
1704 - #define ext4_error_ratelimit(sb) \
1705 -@@ -585,8 +589,12 @@ void __ext4_abort(struct super_block *sb, const char *function,
1706 - jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO);
1707 - save_error_info(sb, function, line);
1708 - }
1709 -- if (test_opt(sb, ERRORS_PANIC))
1710 -+ if (test_opt(sb, ERRORS_PANIC)) {
1711 -+ if (EXT4_SB(sb)->s_journal &&
1712 -+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
1713 -+ return;
1714 - panic("EXT4-fs panic from previous error\n");
1715 -+ }
1716 - }
1717 -
1718 - void __ext4_msg(struct super_block *sb,
1719 -diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
1720 -index 8270fe9..37023d0 100644
1721 ---- a/fs/jbd2/journal.c
1722 -+++ b/fs/jbd2/journal.c
1723 -@@ -2071,8 +2071,12 @@ static void __journal_abort_soft (journal_t *journal, int errno)
1724 -
1725 - __jbd2_journal_abort_hard(journal);
1726 -
1727 -- if (errno)
1728 -+ if (errno) {
1729 - jbd2_journal_update_sb_errno(journal);
1730 -+ write_lock(&journal->j_state_lock);
1731 -+ journal->j_flags |= JBD2_REC_ERR;
1732 -+ write_unlock(&journal->j_state_lock);
1733 -+ }
1734 - }
1735 -
1736 - /**
1737 -diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
1738 -index 326d9e1..ffdf9b9 100644
1739 ---- a/fs/nfs/inode.c
1740 -+++ b/fs/nfs/inode.c
1741 -@@ -1824,7 +1824,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
1742 - if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
1743 - nfsi->attr_gencount = fattr->gencount;
1744 - }
1745 -- invalid &= ~NFS_INO_INVALID_ATTR;
1746 -+
1747 -+ /* Don't declare attrcache up to date if there were no attrs! */
1748 -+ if (fattr->valid != 0)
1749 -+ invalid &= ~NFS_INO_INVALID_ATTR;
1750 -+
1751 - /* Don't invalidate the data if we were to blame */
1752 - if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
1753 - || S_ISLNK(inode->i_mode)))
1754 -diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
1755 -index 223bedd..10410e8 100644
1756 ---- a/fs/nfs/nfs4client.c
1757 -+++ b/fs/nfs/nfs4client.c
1758 -@@ -33,7 +33,7 @@ static int nfs_get_cb_ident_idr(struct nfs_client *clp, int minorversion)
1759 - return ret;
1760 - idr_preload(GFP_KERNEL);
1761 - spin_lock(&nn->nfs_client_lock);
1762 -- ret = idr_alloc(&nn->cb_ident_idr, clp, 0, 0, GFP_NOWAIT);
1763 -+ ret = idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT);
1764 - if (ret >= 0)
1765 - clp->cl_cb_ident = ret;
1766 - spin_unlock(&nn->nfs_client_lock);
1767 -diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
1768 -index 8abe271..abf5cae 100644
1769 ---- a/fs/nfs/pnfs.c
1770 -+++ b/fs/nfs/pnfs.c
1771 -@@ -872,33 +872,38 @@ send_layoutget(struct pnfs_layout_hdr *lo,
1772 -
1773 - dprintk("--> %s\n", __func__);
1774 -
1775 -- lgp = kzalloc(sizeof(*lgp), gfp_flags);
1776 -- if (lgp == NULL)
1777 -- return NULL;
1778 -+ /*
1779 -+ * Synchronously retrieve layout information from server and
1780 -+ * store in lseg. If we race with a concurrent seqid morphing
1781 -+ * op, then re-send the LAYOUTGET.
1782 -+ */
1783 -+ do {
1784 -+ lgp = kzalloc(sizeof(*lgp), gfp_flags);
1785 -+ if (lgp == NULL)
1786 -+ return NULL;
1787 -+
1788 -+ i_size = i_size_read(ino);
1789 -+
1790 -+ lgp->args.minlength = PAGE_CACHE_SIZE;
1791 -+ if (lgp->args.minlength > range->length)
1792 -+ lgp->args.minlength = range->length;
1793 -+ if (range->iomode == IOMODE_READ) {
1794 -+ if (range->offset >= i_size)
1795 -+ lgp->args.minlength = 0;
1796 -+ else if (i_size - range->offset < lgp->args.minlength)
1797 -+ lgp->args.minlength = i_size - range->offset;
1798 -+ }
1799 -+ lgp->args.maxcount = PNFS_LAYOUT_MAXSIZE;
1800 -+ lgp->args.range = *range;
1801 -+ lgp->args.type = server->pnfs_curr_ld->id;
1802 -+ lgp->args.inode = ino;
1803 -+ lgp->args.ctx = get_nfs_open_context(ctx);
1804 -+ lgp->gfp_flags = gfp_flags;
1805 -+ lgp->cred = lo->plh_lc_cred;
1806 -
1807 -- i_size = i_size_read(ino);
1808 -+ lseg = nfs4_proc_layoutget(lgp, gfp_flags);
1809 -+ } while (lseg == ERR_PTR(-EAGAIN));
1810 -
1811 -- lgp->args.minlength = PAGE_CACHE_SIZE;
1812 -- if (lgp->args.minlength > range->length)
1813 -- lgp->args.minlength = range->length;
1814 -- if (range->iomode == IOMODE_READ) {
1815 -- if (range->offset >= i_size)
1816 -- lgp->args.minlength = 0;
1817 -- else if (i_size - range->offset < lgp->args.minlength)
1818 -- lgp->args.minlength = i_size - range->offset;
1819 -- }
1820 -- lgp->args.maxcount = PNFS_LAYOUT_MAXSIZE;
1821 -- lgp->args.range = *range;
1822 -- lgp->args.type = server->pnfs_curr_ld->id;
1823 -- lgp->args.inode = ino;
1824 -- lgp->args.ctx = get_nfs_open_context(ctx);
1825 -- lgp->gfp_flags = gfp_flags;
1826 -- lgp->cred = lo->plh_lc_cred;
1827 --
1828 -- /* Synchronously retrieve layout information from server and
1829 -- * store in lseg.
1830 -- */
1831 -- lseg = nfs4_proc_layoutget(lgp, gfp_flags);
1832 - if (IS_ERR(lseg)) {
1833 - switch (PTR_ERR(lseg)) {
1834 - case -ENOMEM:
1835 -@@ -1687,6 +1692,7 @@ pnfs_layout_process(struct nfs4_layoutget *lgp)
1836 - /* existing state ID, make sure the sequence number matches. */
1837 - if (pnfs_layout_stateid_blocked(lo, &res->stateid)) {
1838 - dprintk("%s forget reply due to sequence\n", __func__);
1839 -+ status = -EAGAIN;
1840 - goto out_forget_reply;
1841 - }
1842 - pnfs_set_layout_stateid(lo, &res->stateid, false);
1843 -diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
1844 -index 0f1d569..0dea0c2 100644
1845 ---- a/fs/nfsd/nfs4state.c
1846 -+++ b/fs/nfsd/nfs4state.c
1847 -@@ -765,16 +765,68 @@ void nfs4_unhash_stid(struct nfs4_stid *s)
1848 - s->sc_type = 0;
1849 - }
1850 -
1851 --static void
1852 -+/**
1853 -+ * nfs4_get_existing_delegation - Discover if this delegation already exists
1854 -+ * @clp: a pointer to the nfs4_client we're granting a delegation to
1855 -+ * @fp: a pointer to the nfs4_file we're granting a delegation on
1856 -+ *
1857 -+ * Return:
1858 -+ * On success: NULL if an existing delegation was not found.
1859 -+ *
1860 -+ * On error: -EAGAIN if one was previously granted to this nfs4_client
1861 -+ * for this nfs4_file.
1862 -+ *
1863 -+ */
1864 -+
1865 -+static int
1866 -+nfs4_get_existing_delegation(struct nfs4_client *clp, struct nfs4_file *fp)
1867 -+{
1868 -+ struct nfs4_delegation *searchdp = NULL;
1869 -+ struct nfs4_client *searchclp = NULL;
1870 -+
1871 -+ lockdep_assert_held(&state_lock);
1872 -+ lockdep_assert_held(&fp->fi_lock);
1873 -+
1874 -+ list_for_each_entry(searchdp, &fp->fi_delegations, dl_perfile) {
1875 -+ searchclp = searchdp->dl_stid.sc_client;
1876 -+ if (clp == searchclp) {
1877 -+ return -EAGAIN;
1878 -+ }
1879 -+ }
1880 -+ return 0;
1881 -+}
1882 -+
1883 -+/**
1884 -+ * hash_delegation_locked - Add a delegation to the appropriate lists
1885 -+ * @dp: a pointer to the nfs4_delegation we are adding.
1886 -+ * @fp: a pointer to the nfs4_file we're granting a delegation on
1887 -+ *
1888 -+ * Return:
1889 -+ * On success: NULL if the delegation was successfully hashed.
1890 -+ *
1891 -+ * On error: -EAGAIN if one was previously granted to this
1892 -+ * nfs4_client for this nfs4_file. Delegation is not hashed.
1893 -+ *
1894 -+ */
1895 -+
1896 -+static int
1897 - hash_delegation_locked(struct nfs4_delegation *dp, struct nfs4_file *fp)
1898 - {
1899 -+ int status;
1900 -+ struct nfs4_client *clp = dp->dl_stid.sc_client;
1901 -+
1902 - lockdep_assert_held(&state_lock);
1903 - lockdep_assert_held(&fp->fi_lock);
1904 -
1905 -+ status = nfs4_get_existing_delegation(clp, fp);
1906 -+ if (status)
1907 -+ return status;
1908 -+ ++fp->fi_delegees;
1909 - atomic_inc(&dp->dl_stid.sc_count);
1910 - dp->dl_stid.sc_type = NFS4_DELEG_STID;
1911 - list_add(&dp->dl_perfile, &fp->fi_delegations);
1912 -- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations);
1913 -+ list_add(&dp->dl_perclnt, &clp->cl_delegations);
1914 -+ return 0;
1915 - }
1916 -
1917 - static bool
1918 -@@ -3360,6 +3412,7 @@ static void init_open_stateid(struct nfs4_ol_stateid *stp, struct nfs4_file *fp,
1919 - stp->st_access_bmap = 0;
1920 - stp->st_deny_bmap = 0;
1921 - stp->st_openstp = NULL;
1922 -+ init_rwsem(&stp->st_rwsem);
1923 - spin_lock(&oo->oo_owner.so_client->cl_lock);
1924 - list_add(&stp->st_perstateowner, &oo->oo_owner.so_stateids);
1925 - spin_lock(&fp->fi_lock);
1926 -@@ -3945,6 +3998,18 @@ static struct file_lock *nfs4_alloc_init_lease(struct nfs4_file *fp, int flag)
1927 - return fl;
1928 - }
1929 -
1930 -+/**
1931 -+ * nfs4_setlease - Obtain a delegation by requesting lease from vfs layer
1932 -+ * @dp: a pointer to the nfs4_delegation we're adding.
1933 -+ *
1934 -+ * Return:
1935 -+ * On success: Return code will be 0 on success.
1936 -+ *
1937 -+ * On error: -EAGAIN if there was an existing delegation.
1938 -+ * nonzero if there is an error in other cases.
1939 -+ *
1940 -+ */
1941 -+
1942 - static int nfs4_setlease(struct nfs4_delegation *dp)
1943 - {
1944 - struct nfs4_file *fp = dp->dl_stid.sc_file;
1945 -@@ -3976,16 +4041,19 @@ static int nfs4_setlease(struct nfs4_delegation *dp)
1946 - goto out_unlock;
1947 - /* Race breaker */
1948 - if (fp->fi_deleg_file) {
1949 -- status = 0;
1950 -- ++fp->fi_delegees;
1951 -- hash_delegation_locked(dp, fp);
1952 -+ status = hash_delegation_locked(dp, fp);
1953 - goto out_unlock;
1954 - }
1955 - fp->fi_deleg_file = filp;
1956 -- fp->fi_delegees = 1;
1957 -- hash_delegation_locked(dp, fp);
1958 -+ fp->fi_delegees = 0;
1959 -+ status = hash_delegation_locked(dp, fp);
1960 - spin_unlock(&fp->fi_lock);
1961 - spin_unlock(&state_lock);
1962 -+ if (status) {
1963 -+ /* Should never happen, this is a new fi_deleg_file */
1964 -+ WARN_ON_ONCE(1);
1965 -+ goto out_fput;
1966 -+ }
1967 - return 0;
1968 - out_unlock:
1969 - spin_unlock(&fp->fi_lock);
1970 -@@ -4005,6 +4073,15 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh,
1971 - if (fp->fi_had_conflict)
1972 - return ERR_PTR(-EAGAIN);
1973 -
1974 -+ spin_lock(&state_lock);
1975 -+ spin_lock(&fp->fi_lock);
1976 -+ status = nfs4_get_existing_delegation(clp, fp);
1977 -+ spin_unlock(&fp->fi_lock);
1978 -+ spin_unlock(&state_lock);
1979 -+
1980 -+ if (status)
1981 -+ return ERR_PTR(status);
1982 -+
1983 - dp = alloc_init_deleg(clp, fh, odstate);
1984 - if (!dp)
1985 - return ERR_PTR(-ENOMEM);
1986 -@@ -4023,9 +4100,7 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh,
1987 - status = -EAGAIN;
1988 - goto out_unlock;
1989 - }
1990 -- ++fp->fi_delegees;
1991 -- hash_delegation_locked(dp, fp);
1992 -- status = 0;
1993 -+ status = hash_delegation_locked(dp, fp);
1994 - out_unlock:
1995 - spin_unlock(&fp->fi_lock);
1996 - spin_unlock(&state_lock);
1997 -@@ -4187,15 +4262,20 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
1998 - */
1999 - if (stp) {
2000 - /* Stateid was found, this is an OPEN upgrade */
2001 -+ down_read(&stp->st_rwsem);
2002 - status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open);
2003 -- if (status)
2004 -+ if (status) {
2005 -+ up_read(&stp->st_rwsem);
2006 - goto out;
2007 -+ }
2008 - } else {
2009 - stp = open->op_stp;
2010 - open->op_stp = NULL;
2011 - init_open_stateid(stp, fp, open);
2012 -+ down_read(&stp->st_rwsem);
2013 - status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open);
2014 - if (status) {
2015 -+ up_read(&stp->st_rwsem);
2016 - release_open_stateid(stp);
2017 - goto out;
2018 - }
2019 -@@ -4207,6 +4287,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
2020 - }
2021 - update_stateid(&stp->st_stid.sc_stateid);
2022 - memcpy(&open->op_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
2023 -+ up_read(&stp->st_rwsem);
2024 -
2025 - if (nfsd4_has_session(&resp->cstate)) {
2026 - if (open->op_deleg_want & NFS4_SHARE_WANT_NO_DELEG) {
2027 -@@ -4819,10 +4900,13 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
2028 - * revoked delegations are kept only for free_stateid.
2029 - */
2030 - return nfserr_bad_stateid;
2031 -+ down_write(&stp->st_rwsem);
2032 - status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
2033 -- if (status)
2034 -- return status;
2035 -- return nfs4_check_fh(current_fh, &stp->st_stid);
2036 -+ if (status == nfs_ok)
2037 -+ status = nfs4_check_fh(current_fh, &stp->st_stid);
2038 -+ if (status != nfs_ok)
2039 -+ up_write(&stp->st_rwsem);
2040 -+ return status;
2041 - }
2042 -
2043 - /*
2044 -@@ -4869,6 +4953,7 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs
2045 - return status;
2046 - oo = openowner(stp->st_stateowner);
2047 - if (!(oo->oo_flags & NFS4_OO_CONFIRMED)) {
2048 -+ up_write(&stp->st_rwsem);
2049 - nfs4_put_stid(&stp->st_stid);
2050 - return nfserr_bad_stateid;
2051 - }
2052 -@@ -4899,11 +4984,14 @@ nfsd4_open_confirm(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
2053 - goto out;
2054 - oo = openowner(stp->st_stateowner);
2055 - status = nfserr_bad_stateid;
2056 -- if (oo->oo_flags & NFS4_OO_CONFIRMED)
2057 -+ if (oo->oo_flags & NFS4_OO_CONFIRMED) {
2058 -+ up_write(&stp->st_rwsem);
2059 - goto put_stateid;
2060 -+ }
2061 - oo->oo_flags |= NFS4_OO_CONFIRMED;
2062 - update_stateid(&stp->st_stid.sc_stateid);
2063 - memcpy(&oc->oc_resp_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
2064 -+ up_write(&stp->st_rwsem);
2065 - dprintk("NFSD: %s: success, seqid=%d stateid=" STATEID_FMT "\n",
2066 - __func__, oc->oc_seqid, STATEID_VAL(&stp->st_stid.sc_stateid));
2067 -
2068 -@@ -4982,6 +5070,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp,
2069 - memcpy(&od->od_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
2070 - status = nfs_ok;
2071 - put_stateid:
2072 -+ up_write(&stp->st_rwsem);
2073 - nfs4_put_stid(&stp->st_stid);
2074 - out:
2075 - nfsd4_bump_seqid(cstate, status);
2076 -@@ -5035,6 +5124,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
2077 - goto out;
2078 - update_stateid(&stp->st_stid.sc_stateid);
2079 - memcpy(&close->cl_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
2080 -+ up_write(&stp->st_rwsem);
2081 -
2082 - nfsd4_close_open_stateid(stp);
2083 -
2084 -@@ -5260,6 +5350,7 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo,
2085 - stp->st_access_bmap = 0;
2086 - stp->st_deny_bmap = open_stp->st_deny_bmap;
2087 - stp->st_openstp = open_stp;
2088 -+ init_rwsem(&stp->st_rwsem);
2089 - list_add(&stp->st_locks, &open_stp->st_locks);
2090 - list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids);
2091 - spin_lock(&fp->fi_lock);
2092 -@@ -5428,6 +5519,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
2093 - &open_stp, nn);
2094 - if (status)
2095 - goto out;
2096 -+ up_write(&open_stp->st_rwsem);
2097 - open_sop = openowner(open_stp->st_stateowner);
2098 - status = nfserr_bad_stateid;
2099 - if (!same_clid(&open_sop->oo_owner.so_client->cl_clientid,
2100 -@@ -5435,6 +5527,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
2101 - goto out;
2102 - status = lookup_or_create_lock_state(cstate, open_stp, lock,
2103 - &lock_stp, &new);
2104 -+ if (status == nfs_ok)
2105 -+ down_write(&lock_stp->st_rwsem);
2106 - } else {
2107 - status = nfs4_preprocess_seqid_op(cstate,
2108 - lock->lk_old_lock_seqid,
2109 -@@ -5540,6 +5634,8 @@ out:
2110 - seqid_mutating_err(ntohl(status)))
2111 - lock_sop->lo_owner.so_seqid++;
2112 -
2113 -+ up_write(&lock_stp->st_rwsem);
2114 -+
2115 - /*
2116 - * If this is a new, never-before-used stateid, and we are
2117 - * returning an error, then just go ahead and release it.
2118 -@@ -5709,6 +5805,7 @@ nfsd4_locku(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
2119 - fput:
2120 - fput(filp);
2121 - put_stateid:
2122 -+ up_write(&stp->st_rwsem);
2123 - nfs4_put_stid(&stp->st_stid);
2124 - out:
2125 - nfsd4_bump_seqid(cstate, status);
2126 -diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
2127 -index 583ffc1..31bde12 100644
2128 ---- a/fs/nfsd/state.h
2129 -+++ b/fs/nfsd/state.h
2130 -@@ -534,15 +534,16 @@ struct nfs4_file {
2131 - * Better suggestions welcome.
2132 - */
2133 - struct nfs4_ol_stateid {
2134 -- struct nfs4_stid st_stid; /* must be first field */
2135 -- struct list_head st_perfile;
2136 -- struct list_head st_perstateowner;
2137 -- struct list_head st_locks;
2138 -- struct nfs4_stateowner * st_stateowner;
2139 -- struct nfs4_clnt_odstate * st_clnt_odstate;
2140 -- unsigned char st_access_bmap;
2141 -- unsigned char st_deny_bmap;
2142 -- struct nfs4_ol_stateid * st_openstp;
2143 -+ struct nfs4_stid st_stid;
2144 -+ struct list_head st_perfile;
2145 -+ struct list_head st_perstateowner;
2146 -+ struct list_head st_locks;
2147 -+ struct nfs4_stateowner *st_stateowner;
2148 -+ struct nfs4_clnt_odstate *st_clnt_odstate;
2149 -+ unsigned char st_access_bmap;
2150 -+ unsigned char st_deny_bmap;
2151 -+ struct nfs4_ol_stateid *st_openstp;
2152 -+ struct rw_semaphore st_rwsem;
2153 - };
2154 -
2155 - static inline struct nfs4_ol_stateid *openlockstateid(struct nfs4_stid *s)
2156 -diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
2157 -index b7dfac2..12bfa9c 100644
2158 ---- a/fs/ocfs2/namei.c
2159 -+++ b/fs/ocfs2/namei.c
2160 -@@ -374,6 +374,8 @@ static int ocfs2_mknod(struct inode *dir,
2161 - mlog_errno(status);
2162 - goto leave;
2163 - }
2164 -+ /* update inode->i_mode after mask with "umask". */
2165 -+ inode->i_mode = mode;
2166 -
2167 - handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb,
2168 - S_ISDIR(mode),
2169 -diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
2170 -index f1f32af..3e4ff3f 100644
2171 ---- a/include/linux/ipv6.h
2172 -+++ b/include/linux/ipv6.h
2173 -@@ -227,7 +227,7 @@ struct ipv6_pinfo {
2174 - struct ipv6_ac_socklist *ipv6_ac_list;
2175 - struct ipv6_fl_socklist __rcu *ipv6_fl_list;
2176 -
2177 -- struct ipv6_txoptions *opt;
2178 -+ struct ipv6_txoptions __rcu *opt;
2179 - struct sk_buff *pktoptions;
2180 - struct sk_buff *rxpmtu;
2181 - struct inet6_cork cork;
2182 -diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
2183 -index df07e78..1abeb82 100644
2184 ---- a/include/linux/jbd2.h
2185 -+++ b/include/linux/jbd2.h
2186 -@@ -1046,6 +1046,7 @@ struct journal_s
2187 - #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file
2188 - * data write error in ordered
2189 - * mode */
2190 -+#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */
2191 -
2192 - /*
2193 - * Function declarations for the journaling transaction and buffer
2194 -diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
2195 -index dd20974..1565324 100644
2196 ---- a/include/linux/mlx5/mlx5_ifc.h
2197 -+++ b/include/linux/mlx5/mlx5_ifc.h
2198 -@@ -453,26 +453,28 @@ struct mlx5_ifc_per_protocol_networking_offload_caps_bits {
2199 - u8 lro_cap[0x1];
2200 - u8 lro_psh_flag[0x1];
2201 - u8 lro_time_stamp[0x1];
2202 -- u8 reserved_0[0x6];
2203 -+ u8 reserved_0[0x3];
2204 -+ u8 self_lb_en_modifiable[0x1];
2205 -+ u8 reserved_1[0x2];
2206 - u8 max_lso_cap[0x5];
2207 -- u8 reserved_1[0x4];
2208 -+ u8 reserved_2[0x4];
2209 - u8 rss_ind_tbl_cap[0x4];
2210 -- u8 reserved_2[0x3];
2211 -+ u8 reserved_3[0x3];
2212 - u8 tunnel_lso_const_out_ip_id[0x1];
2213 -- u8 reserved_3[0x2];
2214 -+ u8 reserved_4[0x2];
2215 - u8 tunnel_statless_gre[0x1];
2216 - u8 tunnel_stateless_vxlan[0x1];
2217 -
2218 -- u8 reserved_4[0x20];
2219 -+ u8 reserved_5[0x20];
2220 -
2221 -- u8 reserved_5[0x10];
2222 -+ u8 reserved_6[0x10];
2223 - u8 lro_min_mss_size[0x10];
2224 -
2225 -- u8 reserved_6[0x120];
2226 -+ u8 reserved_7[0x120];
2227 -
2228 - u8 lro_timer_supported_periods[4][0x20];
2229 -
2230 -- u8 reserved_7[0x600];
2231 -+ u8 reserved_8[0x600];
2232 - };
2233 -
2234 - struct mlx5_ifc_roce_cap_bits {
2235 -@@ -4051,9 +4053,11 @@ struct mlx5_ifc_modify_tis_in_bits {
2236 - };
2237 -
2238 - struct mlx5_ifc_modify_tir_bitmask_bits {
2239 -- u8 reserved[0x20];
2240 -+ u8 reserved_0[0x20];
2241 -
2242 -- u8 reserved1[0x1f];
2243 -+ u8 reserved_1[0x1b];
2244 -+ u8 self_lb_en[0x1];
2245 -+ u8 reserved_2[0x3];
2246 - u8 lro[0x1];
2247 - };
2248 -
2249 -diff --git a/include/net/af_unix.h b/include/net/af_unix.h
2250 -index b36d837..2a91a05 100644
2251 ---- a/include/net/af_unix.h
2252 -+++ b/include/net/af_unix.h
2253 -@@ -62,6 +62,7 @@ struct unix_sock {
2254 - #define UNIX_GC_CANDIDATE 0
2255 - #define UNIX_GC_MAYBE_CYCLE 1
2256 - struct socket_wq peer_wq;
2257 -+ wait_queue_t peer_wake;
2258 - };
2259 -
2260 - static inline struct unix_sock *unix_sk(const struct sock *sk)
2261 -diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
2262 -index aaf9700..fb961a5 100644
2263 ---- a/include/net/ip6_fib.h
2264 -+++ b/include/net/ip6_fib.h
2265 -@@ -167,7 +167,8 @@ static inline void rt6_update_expires(struct rt6_info *rt0, int timeout)
2266 -
2267 - static inline u32 rt6_get_cookie(const struct rt6_info *rt)
2268 - {
2269 -- if (rt->rt6i_flags & RTF_PCPU || unlikely(rt->dst.flags & DST_NOCACHE))
2270 -+ if (rt->rt6i_flags & RTF_PCPU ||
2271 -+ (unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from))
2272 - rt = (struct rt6_info *)(rt->dst.from);
2273 -
2274 - return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
2275 -diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
2276 -index fa915fa..d49a8f8 100644
2277 ---- a/include/net/ip6_tunnel.h
2278 -+++ b/include/net/ip6_tunnel.h
2279 -@@ -90,11 +90,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
2280 - err = ip6_local_out_sk(sk, skb);
2281 -
2282 - if (net_xmit_eval(err) == 0) {
2283 -- struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
2284 -+ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats);
2285 - u64_stats_update_begin(&tstats->syncp);
2286 - tstats->tx_bytes += pkt_len;
2287 - tstats->tx_packets++;
2288 - u64_stats_update_end(&tstats->syncp);
2289 -+ put_cpu_ptr(tstats);
2290 - } else {
2291 - stats->tx_errors++;
2292 - stats->tx_aborted_errors++;
2293 -diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
2294 -index f6dafec..62a750a 100644
2295 ---- a/include/net/ip_tunnels.h
2296 -+++ b/include/net/ip_tunnels.h
2297 -@@ -287,12 +287,13 @@ static inline void iptunnel_xmit_stats(int err,
2298 - struct pcpu_sw_netstats __percpu *stats)
2299 - {
2300 - if (err > 0) {
2301 -- struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats);
2302 -+ struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats);
2303 -
2304 - u64_stats_update_begin(&tstats->syncp);
2305 - tstats->tx_bytes += err;
2306 - tstats->tx_packets++;
2307 - u64_stats_update_end(&tstats->syncp);
2308 -+ put_cpu_ptr(tstats);
2309 - } else if (err < 0) {
2310 - err_stats->tx_errors++;
2311 - err_stats->tx_aborted_errors++;
2312 -diff --git a/include/net/ipv6.h b/include/net/ipv6.h
2313 -index 711cca4..b14e158 100644
2314 ---- a/include/net/ipv6.h
2315 -+++ b/include/net/ipv6.h
2316 -@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock;
2317 - */
2318 -
2319 - struct ipv6_txoptions {
2320 -+ atomic_t refcnt;
2321 - /* Length of this structure */
2322 - int tot_len;
2323 -
2324 -@@ -217,7 +218,7 @@ struct ipv6_txoptions {
2325 - struct ipv6_opt_hdr *dst0opt;
2326 - struct ipv6_rt_hdr *srcrt; /* Routing Header */
2327 - struct ipv6_opt_hdr *dst1opt;
2328 --
2329 -+ struct rcu_head rcu;
2330 - /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */
2331 - };
2332 -
2333 -@@ -252,6 +253,24 @@ struct ipv6_fl_socklist {
2334 - struct rcu_head rcu;
2335 - };
2336 -
2337 -+static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
2338 -+{
2339 -+ struct ipv6_txoptions *opt;
2340 -+
2341 -+ rcu_read_lock();
2342 -+ opt = rcu_dereference(np->opt);
2343 -+ if (opt && !atomic_inc_not_zero(&opt->refcnt))
2344 -+ opt = NULL;
2345 -+ rcu_read_unlock();
2346 -+ return opt;
2347 -+}
2348 -+
2349 -+static inline void txopt_put(struct ipv6_txoptions *opt)
2350 -+{
2351 -+ if (opt && atomic_dec_and_test(&opt->refcnt))
2352 -+ kfree_rcu(opt, rcu);
2353 -+}
2354 -+
2355 - struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label);
2356 - struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
2357 - struct ip6_flowlabel *fl,
2358 -@@ -490,6 +509,7 @@ struct ip6_create_arg {
2359 - u32 user;
2360 - const struct in6_addr *src;
2361 - const struct in6_addr *dst;
2362 -+ int iif;
2363 - u8 ecn;
2364 - };
2365 -
2366 -diff --git a/include/net/ndisc.h b/include/net/ndisc.h
2367 -index aba5695..b3a7751 100644
2368 ---- a/include/net/ndisc.h
2369 -+++ b/include/net/ndisc.h
2370 -@@ -182,8 +182,7 @@ int ndisc_rcv(struct sk_buff *skb);
2371 -
2372 - void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
2373 - const struct in6_addr *solicit,
2374 -- const struct in6_addr *daddr, const struct in6_addr *saddr,
2375 -- struct sk_buff *oskb);
2376 -+ const struct in6_addr *daddr, const struct in6_addr *saddr);
2377 -
2378 - void ndisc_send_rs(struct net_device *dev,
2379 - const struct in6_addr *saddr, const struct in6_addr *daddr);
2380 -diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
2381 -index 444faa8..f1ad8f8 100644
2382 ---- a/include/net/sch_generic.h
2383 -+++ b/include/net/sch_generic.h
2384 -@@ -61,6 +61,9 @@ struct Qdisc {
2385 - */
2386 - #define TCQ_F_WARN_NONWC (1 << 16)
2387 - #define TCQ_F_CPUSTATS 0x20 /* run using percpu statistics */
2388 -+#define TCQ_F_NOPARENT 0x40 /* root of its hierarchy :
2389 -+ * qdisc_tree_decrease_qlen() should stop.
2390 -+ */
2391 - u32 limit;
2392 - const struct Qdisc_ops *ops;
2393 - struct qdisc_size_table __rcu *stab;
2394 -diff --git a/include/net/switchdev.h b/include/net/switchdev.h
2395 -index 319baab..731c40e 100644
2396 ---- a/include/net/switchdev.h
2397 -+++ b/include/net/switchdev.h
2398 -@@ -272,7 +272,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb,
2399 - struct net_device *filter_dev,
2400 - int idx)
2401 - {
2402 -- return -EOPNOTSUPP;
2403 -+ return idx;
2404 - }
2405 -
2406 - static inline void switchdev_port_fwd_mark_set(struct net_device *dev,
2407 -diff --git a/kernel/.gitignore b/kernel/.gitignore
2408 -index 790d83c..b3097bd 100644
2409 ---- a/kernel/.gitignore
2410 -+++ b/kernel/.gitignore
2411 -@@ -5,4 +5,3 @@ config_data.h
2412 - config_data.gz
2413 - timeconst.h
2414 - hz.bc
2415 --x509_certificate_list
2416 -diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
2417 -index 29ace10..7a0decf 100644
2418 ---- a/kernel/bpf/arraymap.c
2419 -+++ b/kernel/bpf/arraymap.c
2420 -@@ -104,7 +104,7 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value,
2421 - /* all elements already exist */
2422 - return -EEXIST;
2423 -
2424 -- memcpy(array->value + array->elem_size * index, value, array->elem_size);
2425 -+ memcpy(array->value + array->elem_size * index, value, map->value_size);
2426 - return 0;
2427 - }
2428 -
2429 -diff --git a/net/core/neighbour.c b/net/core/neighbour.c
2430 -index 2b515ba..c169bba 100644
2431 ---- a/net/core/neighbour.c
2432 -+++ b/net/core/neighbour.c
2433 -@@ -2215,7 +2215,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
2434 - ndm->ndm_pad2 = 0;
2435 - ndm->ndm_flags = pn->flags | NTF_PROXY;
2436 - ndm->ndm_type = RTN_UNICAST;
2437 -- ndm->ndm_ifindex = pn->dev->ifindex;
2438 -+ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
2439 - ndm->ndm_state = NUD_NONE;
2440 -
2441 - if (nla_put(skb, NDA_DST, tbl->key_len, pn->key))
2442 -@@ -2290,7 +2290,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2443 - if (h > s_h)
2444 - s_idx = 0;
2445 - for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
2446 -- if (dev_net(n->dev) != net)
2447 -+ if (pneigh_net(n) != net)
2448 - continue;
2449 - if (idx < s_idx)
2450 - goto next;
2451 -diff --git a/net/core/scm.c b/net/core/scm.c
2452 -index 3b6899b..8a1741b 100644
2453 ---- a/net/core/scm.c
2454 -+++ b/net/core/scm.c
2455 -@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
2456 - err = put_user(cmlen, &cm->cmsg_len);
2457 - if (!err) {
2458 - cmlen = CMSG_SPACE(i*sizeof(int));
2459 -+ if (msg->msg_controllen < cmlen)
2460 -+ cmlen = msg->msg_controllen;
2461 - msg->msg_control += cmlen;
2462 - msg->msg_controllen -= cmlen;
2463 - }
2464 -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
2465 -index 5165571..a049050 100644
2466 ---- a/net/dccp/ipv6.c
2467 -+++ b/net/dccp/ipv6.c
2468 -@@ -202,7 +202,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req)
2469 - security_req_classify_flow(req, flowi6_to_flowi(&fl6));
2470 -
2471 -
2472 -- final_p = fl6_update_dst(&fl6, np->opt, &final);
2473 -+ rcu_read_lock();
2474 -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
2475 -+ rcu_read_unlock();
2476 -
2477 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2478 - if (IS_ERR(dst)) {
2479 -@@ -219,7 +221,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req)
2480 - &ireq->ir_v6_loc_addr,
2481 - &ireq->ir_v6_rmt_addr);
2482 - fl6.daddr = ireq->ir_v6_rmt_addr;
2483 -- err = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
2484 -+ rcu_read_lock();
2485 -+ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
2486 -+ np->tclass);
2487 -+ rcu_read_unlock();
2488 - err = net_xmit_eval(err);
2489 - }
2490 -
2491 -@@ -415,6 +420,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
2492 - {
2493 - struct inet_request_sock *ireq = inet_rsk(req);
2494 - struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
2495 -+ struct ipv6_txoptions *opt;
2496 - struct inet_sock *newinet;
2497 - struct dccp6_sock *newdp6;
2498 - struct sock *newsk;
2499 -@@ -534,13 +540,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
2500 - * Yes, keeping reference count would be much more clever, but we make
2501 - * one more one thing there: reattach optmem to newsk.
2502 - */
2503 -- if (np->opt != NULL)
2504 -- newnp->opt = ipv6_dup_options(newsk, np->opt);
2505 --
2506 -+ opt = rcu_dereference(np->opt);
2507 -+ if (opt) {
2508 -+ opt = ipv6_dup_options(newsk, opt);
2509 -+ RCU_INIT_POINTER(newnp->opt, opt);
2510 -+ }
2511 - inet_csk(newsk)->icsk_ext_hdr_len = 0;
2512 -- if (newnp->opt != NULL)
2513 -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
2514 -- newnp->opt->opt_flen);
2515 -+ if (opt)
2516 -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
2517 -+ opt->opt_flen;
2518 -
2519 - dccp_sync_mss(newsk, dst_mtu(dst));
2520 -
2521 -@@ -793,6 +801,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2522 - struct ipv6_pinfo *np = inet6_sk(sk);
2523 - struct dccp_sock *dp = dccp_sk(sk);
2524 - struct in6_addr *saddr = NULL, *final_p, final;
2525 -+ struct ipv6_txoptions *opt;
2526 - struct flowi6 fl6;
2527 - struct dst_entry *dst;
2528 - int addr_type;
2529 -@@ -892,7 +901,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2530 - fl6.fl6_sport = inet->inet_sport;
2531 - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2532 -
2533 -- final_p = fl6_update_dst(&fl6, np->opt, &final);
2534 -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2535 -+ final_p = fl6_update_dst(&fl6, opt, &final);
2536 -
2537 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2538 - if (IS_ERR(dst)) {
2539 -@@ -912,9 +922,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2540 - __ip6_dst_store(sk, dst, NULL, NULL);
2541 -
2542 - icsk->icsk_ext_hdr_len = 0;
2543 -- if (np->opt != NULL)
2544 -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
2545 -- np->opt->opt_nflen);
2546 -+ if (opt)
2547 -+ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen;
2548 -
2549 - inet->inet_dport = usin->sin6_port;
2550 -
2551 -diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
2552 -index 8e8203d..ef7e2c4 100644
2553 ---- a/net/ipv4/ipmr.c
2554 -+++ b/net/ipv4/ipmr.c
2555 -@@ -134,7 +134,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
2556 - struct mfc_cache *c, struct rtmsg *rtm);
2557 - static void mroute_netlink_event(struct mr_table *mrt, struct mfc_cache *mfc,
2558 - int cmd);
2559 --static void mroute_clean_tables(struct mr_table *mrt);
2560 -+static void mroute_clean_tables(struct mr_table *mrt, bool all);
2561 - static void ipmr_expire_process(unsigned long arg);
2562 -
2563 - #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
2564 -@@ -350,7 +350,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
2565 - static void ipmr_free_table(struct mr_table *mrt)
2566 - {
2567 - del_timer_sync(&mrt->ipmr_expire_timer);
2568 -- mroute_clean_tables(mrt);
2569 -+ mroute_clean_tables(mrt, true);
2570 - kfree(mrt);
2571 - }
2572 -
2573 -@@ -1208,7 +1208,7 @@ static int ipmr_mfc_add(struct net *net, struct mr_table *mrt,
2574 - * Close the multicast socket, and clear the vif tables etc
2575 - */
2576 -
2577 --static void mroute_clean_tables(struct mr_table *mrt)
2578 -+static void mroute_clean_tables(struct mr_table *mrt, bool all)
2579 - {
2580 - int i;
2581 - LIST_HEAD(list);
2582 -@@ -1217,8 +1217,9 @@ static void mroute_clean_tables(struct mr_table *mrt)
2583 - /* Shut down all active vif entries */
2584 -
2585 - for (i = 0; i < mrt->maxvif; i++) {
2586 -- if (!(mrt->vif_table[i].flags & VIFF_STATIC))
2587 -- vif_delete(mrt, i, 0, &list);
2588 -+ if (!all && (mrt->vif_table[i].flags & VIFF_STATIC))
2589 -+ continue;
2590 -+ vif_delete(mrt, i, 0, &list);
2591 - }
2592 - unregister_netdevice_many(&list);
2593 -
2594 -@@ -1226,7 +1227,7 @@ static void mroute_clean_tables(struct mr_table *mrt)
2595 -
2596 - for (i = 0; i < MFC_LINES; i++) {
2597 - list_for_each_entry_safe(c, next, &mrt->mfc_cache_array[i], list) {
2598 -- if (c->mfc_flags & MFC_STATIC)
2599 -+ if (!all && (c->mfc_flags & MFC_STATIC))
2600 - continue;
2601 - list_del_rcu(&c->list);
2602 - mroute_netlink_event(mrt, c, RTM_DELROUTE);
2603 -@@ -1261,7 +1262,7 @@ static void mrtsock_destruct(struct sock *sk)
2604 - NETCONFA_IFINDEX_ALL,
2605 - net->ipv4.devconf_all);
2606 - RCU_INIT_POINTER(mrt->mroute_sk, NULL);
2607 -- mroute_clean_tables(mrt);
2608 -+ mroute_clean_tables(mrt, false);
2609 - }
2610 - }
2611 - rtnl_unlock();
2612 -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
2613 -index a8f515b..0a2b61d 100644
2614 ---- a/net/ipv4/tcp_input.c
2615 -+++ b/net/ipv4/tcp_input.c
2616 -@@ -4457,19 +4457,34 @@ static int __must_check tcp_queue_rcv(struct sock *sk, struct sk_buff *skb, int
2617 - int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
2618 - {
2619 - struct sk_buff *skb;
2620 -+ int err = -ENOMEM;
2621 -+ int data_len = 0;
2622 - bool fragstolen;
2623 -
2624 - if (size == 0)
2625 - return 0;
2626 -
2627 -- skb = alloc_skb(size, sk->sk_allocation);
2628 -+ if (size > PAGE_SIZE) {
2629 -+ int npages = min_t(size_t, size >> PAGE_SHIFT, MAX_SKB_FRAGS);
2630 -+
2631 -+ data_len = npages << PAGE_SHIFT;
2632 -+ size = data_len + (size & ~PAGE_MASK);
2633 -+ }
2634 -+ skb = alloc_skb_with_frags(size - data_len, data_len,
2635 -+ PAGE_ALLOC_COSTLY_ORDER,
2636 -+ &err, sk->sk_allocation);
2637 - if (!skb)
2638 - goto err;
2639 -
2640 -+ skb_put(skb, size - data_len);
2641 -+ skb->data_len = data_len;
2642 -+ skb->len = size;
2643 -+
2644 - if (tcp_try_rmem_schedule(sk, skb, skb->truesize))
2645 - goto err_free;
2646 -
2647 -- if (memcpy_from_msg(skb_put(skb, size), msg, size))
2648 -+ err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
2649 -+ if (err)
2650 - goto err_free;
2651 -
2652 - TCP_SKB_CB(skb)->seq = tcp_sk(sk)->rcv_nxt;
2653 -@@ -4485,7 +4500,8 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
2654 - err_free:
2655 - kfree_skb(skb);
2656 - err:
2657 -- return -ENOMEM;
2658 -+ return err;
2659 -+
2660 - }
2661 -
2662 - static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
2663 -@@ -5643,6 +5659,7 @@ discard:
2664 - }
2665 -
2666 - tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
2667 -+ tp->copied_seq = tp->rcv_nxt;
2668 - tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;
2669 -
2670 - /* RFC1323: The window in SYN & SYN/ACK segments is
2671 -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
2672 -index 93898e0..a7739c8 100644
2673 ---- a/net/ipv4/tcp_ipv4.c
2674 -+++ b/net/ipv4/tcp_ipv4.c
2675 -@@ -922,7 +922,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
2676 - }
2677 -
2678 - md5sig = rcu_dereference_protected(tp->md5sig_info,
2679 -- sock_owned_by_user(sk));
2680 -+ sock_owned_by_user(sk) ||
2681 -+ lockdep_is_held(&sk->sk_lock.slock));
2682 - if (!md5sig) {
2683 - md5sig = kmalloc(sizeof(*md5sig), gfp);
2684 - if (!md5sig)
2685 -diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
2686 -index 7149ebc..04f0a05 100644
2687 ---- a/net/ipv4/tcp_timer.c
2688 -+++ b/net/ipv4/tcp_timer.c
2689 -@@ -176,6 +176,18 @@ static int tcp_write_timeout(struct sock *sk)
2690 - syn_set = true;
2691 - } else {
2692 - if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0, 0)) {
2693 -+ /* Some middle-boxes may black-hole Fast Open _after_
2694 -+ * the handshake. Therefore we conservatively disable
2695 -+ * Fast Open on this path on recurring timeouts with
2696 -+ * few or zero bytes acked after Fast Open.
2697 -+ */
2698 -+ if (tp->syn_data_acked &&
2699 -+ tp->bytes_acked <= tp->rx_opt.mss_clamp) {
2700 -+ tcp_fastopen_cache_set(sk, 0, NULL, true, 0);
2701 -+ if (icsk->icsk_retransmits == sysctl_tcp_retries1)
2702 -+ NET_INC_STATS_BH(sock_net(sk),
2703 -+ LINUX_MIB_TCPFASTOPENACTIVEFAIL);
2704 -+ }
2705 - /* Black hole detection */
2706 - tcp_mtu_probing(icsk, sk);
2707 -
2708 -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2709 -index dd00828..3939dd2 100644
2710 ---- a/net/ipv6/addrconf.c
2711 -+++ b/net/ipv6/addrconf.c
2712 -@@ -3628,7 +3628,7 @@ static void addrconf_dad_work(struct work_struct *w)
2713 -
2714 - /* send a neighbour solicitation for our addr */
2715 - addrconf_addr_solict_mult(&ifp->addr, &mcaddr);
2716 -- ndisc_send_ns(ifp->idev->dev, NULL, &ifp->addr, &mcaddr, &in6addr_any, NULL);
2717 -+ ndisc_send_ns(ifp->idev->dev, NULL, &ifp->addr, &mcaddr, &in6addr_any);
2718 - out:
2719 - in6_ifa_put(ifp);
2720 - rtnl_unlock();
2721 -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
2722 -index 44bb66b..38d66dd 100644
2723 ---- a/net/ipv6/af_inet6.c
2724 -+++ b/net/ipv6/af_inet6.c
2725 -@@ -428,9 +428,11 @@ void inet6_destroy_sock(struct sock *sk)
2726 -
2727 - /* Free tx options */
2728 -
2729 -- opt = xchg(&np->opt, NULL);
2730 -- if (opt)
2731 -- sock_kfree_s(sk, opt, opt->tot_len);
2732 -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL);
2733 -+ if (opt) {
2734 -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2735 -+ txopt_put(opt);
2736 -+ }
2737 - }
2738 - EXPORT_SYMBOL_GPL(inet6_destroy_sock);
2739 -
2740 -@@ -659,7 +661,10 @@ int inet6_sk_rebuild_header(struct sock *sk)
2741 - fl6.fl6_sport = inet->inet_sport;
2742 - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2743 -
2744 -- final_p = fl6_update_dst(&fl6, np->opt, &final);
2745 -+ rcu_read_lock();
2746 -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt),
2747 -+ &final);
2748 -+ rcu_read_unlock();
2749 -
2750 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2751 - if (IS_ERR(dst)) {
2752 -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
2753 -index 9aadd57..a42a673 100644
2754 ---- a/net/ipv6/datagram.c
2755 -+++ b/net/ipv6/datagram.c
2756 -@@ -167,8 +167,10 @@ ipv4_connected:
2757 -
2758 - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2759 -
2760 -- opt = flowlabel ? flowlabel->opt : np->opt;
2761 -+ rcu_read_lock();
2762 -+ opt = flowlabel ? flowlabel->opt : rcu_dereference(np->opt);
2763 - final_p = fl6_update_dst(&fl6, opt, &final);
2764 -+ rcu_read_unlock();
2765 -
2766 - dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2767 - err = 0;
2768 -diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
2769 -index ce203b0..ea7c4d6 100644
2770 ---- a/net/ipv6/exthdrs.c
2771 -+++ b/net/ipv6/exthdrs.c
2772 -@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
2773 - *((char **)&opt2->dst1opt) += dif;
2774 - if (opt2->srcrt)
2775 - *((char **)&opt2->srcrt) += dif;
2776 -+ atomic_set(&opt2->refcnt, 1);
2777 - }
2778 - return opt2;
2779 - }
2780 -@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
2781 - return ERR_PTR(-ENOBUFS);
2782 -
2783 - memset(opt2, 0, tot_len);
2784 --
2785 -+ atomic_set(&opt2->refcnt, 1);
2786 - opt2->tot_len = tot_len;
2787 - p = (char *)(opt2 + 1);
2788 -
2789 -diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
2790 -index 6927f3f..9beed30 100644
2791 ---- a/net/ipv6/inet6_connection_sock.c
2792 -+++ b/net/ipv6/inet6_connection_sock.c
2793 -@@ -77,7 +77,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk,
2794 - memset(fl6, 0, sizeof(*fl6));
2795 - fl6->flowi6_proto = IPPROTO_TCP;
2796 - fl6->daddr = ireq->ir_v6_rmt_addr;
2797 -- final_p = fl6_update_dst(fl6, np->opt, &final);
2798 -+ rcu_read_lock();
2799 -+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
2800 -+ rcu_read_unlock();
2801 - fl6->saddr = ireq->ir_v6_loc_addr;
2802 - fl6->flowi6_oif = ireq->ir_iif;
2803 - fl6->flowi6_mark = ireq->ir_mark;
2804 -@@ -207,7 +209,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
2805 - fl6->fl6_dport = inet->inet_dport;
2806 - security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
2807 -
2808 -- final_p = fl6_update_dst(fl6, np->opt, &final);
2809 -+ rcu_read_lock();
2810 -+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
2811 -+ rcu_read_unlock();
2812 -
2813 - dst = __inet6_csk_dst_check(sk, np->dst_cookie);
2814 - if (!dst) {
2815 -@@ -240,7 +244,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused
2816 - /* Restore final destination back after routing done */
2817 - fl6.daddr = sk->sk_v6_daddr;
2818 -
2819 -- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
2820 -+ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
2821 -+ np->tclass);
2822 - rcu_read_unlock();
2823 - return res;
2824 - }
2825 -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
2826 -index eabffbb..137fca4 100644
2827 ---- a/net/ipv6/ip6_tunnel.c
2828 -+++ b/net/ipv6/ip6_tunnel.c
2829 -@@ -177,7 +177,7 @@ void ip6_tnl_dst_reset(struct ip6_tnl *t)
2830 - int i;
2831 -
2832 - for_each_possible_cpu(i)
2833 -- ip6_tnl_per_cpu_dst_set(raw_cpu_ptr(t->dst_cache), NULL);
2834 -+ ip6_tnl_per_cpu_dst_set(per_cpu_ptr(t->dst_cache, i), NULL);
2835 - }
2836 - EXPORT_SYMBOL_GPL(ip6_tnl_dst_reset);
2837 -
2838 -diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
2839 -index 0e004cc..35eee72 100644
2840 ---- a/net/ipv6/ip6mr.c
2841 -+++ b/net/ipv6/ip6mr.c
2842 -@@ -118,7 +118,7 @@ static void mr6_netlink_event(struct mr6_table *mrt, struct mfc6_cache *mfc,
2843 - int cmd);
2844 - static int ip6mr_rtm_dumproute(struct sk_buff *skb,
2845 - struct netlink_callback *cb);
2846 --static void mroute_clean_tables(struct mr6_table *mrt);
2847 -+static void mroute_clean_tables(struct mr6_table *mrt, bool all);
2848 - static void ipmr_expire_process(unsigned long arg);
2849 -
2850 - #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
2851 -@@ -334,7 +334,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
2852 - static void ip6mr_free_table(struct mr6_table *mrt)
2853 - {
2854 - del_timer_sync(&mrt->ipmr_expire_timer);
2855 -- mroute_clean_tables(mrt);
2856 -+ mroute_clean_tables(mrt, true);
2857 - kfree(mrt);
2858 - }
2859 -
2860 -@@ -1542,7 +1542,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt,
2861 - * Close the multicast socket, and clear the vif tables etc
2862 - */
2863 -
2864 --static void mroute_clean_tables(struct mr6_table *mrt)
2865 -+static void mroute_clean_tables(struct mr6_table *mrt, bool all)
2866 - {
2867 - int i;
2868 - LIST_HEAD(list);
2869 -@@ -1552,8 +1552,9 @@ static void mroute_clean_tables(struct mr6_table *mrt)
2870 - * Shut down all active vif entries
2871 - */
2872 - for (i = 0; i < mrt->maxvif; i++) {
2873 -- if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
2874 -- mif6_delete(mrt, i, &list);
2875 -+ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
2876 -+ continue;
2877 -+ mif6_delete(mrt, i, &list);
2878 - }
2879 - unregister_netdevice_many(&list);
2880 -
2881 -@@ -1562,7 +1563,7 @@ static void mroute_clean_tables(struct mr6_table *mrt)
2882 - */
2883 - for (i = 0; i < MFC6_LINES; i++) {
2884 - list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
2885 -- if (c->mfc_flags & MFC_STATIC)
2886 -+ if (!all && (c->mfc_flags & MFC_STATIC))
2887 - continue;
2888 - write_lock_bh(&mrt_lock);
2889 - list_del(&c->list);
2890 -@@ -1625,7 +1626,7 @@ int ip6mr_sk_done(struct sock *sk)
2891 - net->ipv6.devconf_all);
2892 - write_unlock_bh(&mrt_lock);
2893 -
2894 -- mroute_clean_tables(mrt);
2895 -+ mroute_clean_tables(mrt, false);
2896 - err = 0;
2897 - break;
2898 - }
2899 -diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
2900 -index 63e6956..4449ad1 100644
2901 ---- a/net/ipv6/ipv6_sockglue.c
2902 -+++ b/net/ipv6/ipv6_sockglue.c
2903 -@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
2904 - icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
2905 - }
2906 - }
2907 -- opt = xchg(&inet6_sk(sk)->opt, opt);
2908 -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt,
2909 -+ opt);
2910 - sk_dst_reset(sk);
2911 -
2912 - return opt;
2913 -@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2914 - sk->sk_socket->ops = &inet_dgram_ops;
2915 - sk->sk_family = PF_INET;
2916 - }
2917 -- opt = xchg(&np->opt, NULL);
2918 -- if (opt)
2919 -- sock_kfree_s(sk, opt, opt->tot_len);
2920 -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt,
2921 -+ NULL);
2922 -+ if (opt) {
2923 -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2924 -+ txopt_put(opt);
2925 -+ }
2926 - pktopt = xchg(&np->pktoptions, NULL);
2927 - kfree_skb(pktopt);
2928 -
2929 -@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2930 - if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW))
2931 - break;
2932 -
2933 -- opt = ipv6_renew_options(sk, np->opt, optname,
2934 -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2935 -+ opt = ipv6_renew_options(sk, opt, optname,
2936 - (struct ipv6_opt_hdr __user *)optval,
2937 - optlen);
2938 - if (IS_ERR(opt)) {
2939 -@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2940 - retv = 0;
2941 - opt = ipv6_update_options(sk, opt);
2942 - sticky_done:
2943 -- if (opt)
2944 -- sock_kfree_s(sk, opt, opt->tot_len);
2945 -+ if (opt) {
2946 -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2947 -+ txopt_put(opt);
2948 -+ }
2949 - break;
2950 - }
2951 -
2952 -@@ -486,6 +493,7 @@ sticky_done:
2953 - break;
2954 -
2955 - memset(opt, 0, sizeof(*opt));
2956 -+ atomic_set(&opt->refcnt, 1);
2957 - opt->tot_len = sizeof(*opt) + optlen;
2958 - retv = -EFAULT;
2959 - if (copy_from_user(opt+1, optval, optlen))
2960 -@@ -502,8 +510,10 @@ update:
2961 - retv = 0;
2962 - opt = ipv6_update_options(sk, opt);
2963 - done:
2964 -- if (opt)
2965 -- sock_kfree_s(sk, opt, opt->tot_len);
2966 -+ if (opt) {
2967 -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2968 -+ txopt_put(opt);
2969 -+ }
2970 - break;
2971 - }
2972 - case IPV6_UNICAST_HOPS:
2973 -@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
2974 - case IPV6_RTHDR:
2975 - case IPV6_DSTOPTS:
2976 - {
2977 -+ struct ipv6_txoptions *opt;
2978 -
2979 - lock_sock(sk);
2980 -- len = ipv6_getsockopt_sticky(sk, np->opt,
2981 -- optname, optval, len);
2982 -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2983 -+ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len);
2984 - release_sock(sk);
2985 - /* check if ipv6_getsockopt_sticky() returns err code */
2986 - if (len < 0)
2987 -diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
2988 -index 083b292..41e3b5e 100644
2989 ---- a/net/ipv6/mcast.c
2990 -+++ b/net/ipv6/mcast.c
2991 -@@ -1651,7 +1651,6 @@ out:
2992 - if (!err) {
2993 - ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT);
2994 - ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
2995 -- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
2996 - } else {
2997 - IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
2998 - }
2999 -@@ -2014,7 +2013,6 @@ out:
3000 - if (!err) {
3001 - ICMP6MSGOUT_INC_STATS(net, idev, type);
3002 - ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
3003 -- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len);
3004 - } else
3005 - IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
3006 -
3007 -diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
3008 -index 64a7135..9ad46cd 100644
3009 ---- a/net/ipv6/ndisc.c
3010 -+++ b/net/ipv6/ndisc.c
3011 -@@ -553,8 +553,7 @@ static void ndisc_send_unsol_na(struct net_device *dev)
3012 -
3013 - void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
3014 - const struct in6_addr *solicit,
3015 -- const struct in6_addr *daddr, const struct in6_addr *saddr,
3016 -- struct sk_buff *oskb)
3017 -+ const struct in6_addr *daddr, const struct in6_addr *saddr)
3018 - {
3019 - struct sk_buff *skb;
3020 - struct in6_addr addr_buf;
3021 -@@ -590,9 +589,6 @@ void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
3022 - ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
3023 - dev->dev_addr);
3024 -
3025 -- if (!(dev->priv_flags & IFF_XMIT_DST_RELEASE) && oskb)
3026 -- skb_dst_copy(skb, oskb);
3027 --
3028 - ndisc_send_skb(skb, daddr, saddr);
3029 - }
3030 -
3031 -@@ -679,12 +675,12 @@ static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
3032 - "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
3033 - __func__, target);
3034 - }
3035 -- ndisc_send_ns(dev, neigh, target, target, saddr, skb);
3036 -+ ndisc_send_ns(dev, neigh, target, target, saddr);
3037 - } else if ((probes -= NEIGH_VAR(neigh->parms, APP_PROBES)) < 0) {
3038 - neigh_app_ns(neigh);
3039 - } else {
3040 - addrconf_addr_solict_mult(target, &mcaddr);
3041 -- ndisc_send_ns(dev, NULL, target, &mcaddr, saddr, skb);
3042 -+ ndisc_send_ns(dev, NULL, target, &mcaddr, saddr);
3043 - }
3044 - }
3045 -
3046 -diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
3047 -index c7196ad..dc50143 100644
3048 ---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
3049 -+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
3050 -@@ -190,7 +190,7 @@ static void nf_ct_frag6_expire(unsigned long data)
3051 - /* Creation primitives. */
3052 - static inline struct frag_queue *fq_find(struct net *net, __be32 id,
3053 - u32 user, struct in6_addr *src,
3054 -- struct in6_addr *dst, u8 ecn)
3055 -+ struct in6_addr *dst, int iif, u8 ecn)
3056 - {
3057 - struct inet_frag_queue *q;
3058 - struct ip6_create_arg arg;
3059 -@@ -200,6 +200,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
3060 - arg.user = user;
3061 - arg.src = src;
3062 - arg.dst = dst;
3063 -+ arg.iif = iif;
3064 - arg.ecn = ecn;
3065 -
3066 - local_bh_disable();
3067 -@@ -603,7 +604,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
3068 - fhdr = (struct frag_hdr *)skb_transport_header(clone);
3069 -
3070 - fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
3071 -- ip6_frag_ecn(hdr));
3072 -+ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
3073 - if (fq == NULL) {
3074 - pr_debug("Can't find and can't create new queue\n");
3075 - goto ret_orig;
3076 -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
3077 -index fdbada156..fe97729 100644
3078 ---- a/net/ipv6/raw.c
3079 -+++ b/net/ipv6/raw.c
3080 -@@ -732,6 +732,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
3081 -
3082 - static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
3083 - {
3084 -+ struct ipv6_txoptions *opt_to_free = NULL;
3085 - struct ipv6_txoptions opt_space;
3086 - DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
3087 - struct in6_addr *daddr, *final_p, final;
3088 -@@ -838,8 +839,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
3089 - if (!(opt->opt_nflen|opt->opt_flen))
3090 - opt = NULL;
3091 - }
3092 -- if (!opt)
3093 -- opt = np->opt;
3094 -+ if (!opt) {
3095 -+ opt = txopt_get(np);
3096 -+ opt_to_free = opt;
3097 -+ }
3098 - if (flowlabel)
3099 - opt = fl6_merge_options(&opt_space, flowlabel, opt);
3100 - opt = ipv6_fixup_options(&opt_space, opt);
3101 -@@ -905,6 +908,7 @@ done:
3102 - dst_release(dst);
3103 - out:
3104 - fl6_sock_release(flowlabel);
3105 -+ txopt_put(opt_to_free);
3106 - return err < 0 ? err : len;
3107 - do_confirm:
3108 - dst_confirm(dst);
3109 -diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
3110 -index f1159bb..04013a9 100644
3111 ---- a/net/ipv6/reassembly.c
3112 -+++ b/net/ipv6/reassembly.c
3113 -@@ -108,7 +108,10 @@ bool ip6_frag_match(const struct inet_frag_queue *q, const void *a)
3114 - return fq->id == arg->id &&
3115 - fq->user == arg->user &&
3116 - ipv6_addr_equal(&fq->saddr, arg->src) &&
3117 -- ipv6_addr_equal(&fq->daddr, arg->dst);
3118 -+ ipv6_addr_equal(&fq->daddr, arg->dst) &&
3119 -+ (arg->iif == fq->iif ||
3120 -+ !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST |
3121 -+ IPV6_ADDR_LINKLOCAL)));
3122 - }
3123 - EXPORT_SYMBOL(ip6_frag_match);
3124 -
3125 -@@ -180,7 +183,7 @@ static void ip6_frag_expire(unsigned long data)
3126 -
3127 - static struct frag_queue *
3128 - fq_find(struct net *net, __be32 id, const struct in6_addr *src,
3129 -- const struct in6_addr *dst, u8 ecn)
3130 -+ const struct in6_addr *dst, int iif, u8 ecn)
3131 - {
3132 - struct inet_frag_queue *q;
3133 - struct ip6_create_arg arg;
3134 -@@ -190,6 +193,7 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src,
3135 - arg.user = IP6_DEFRAG_LOCAL_DELIVER;
3136 - arg.src = src;
3137 - arg.dst = dst;
3138 -+ arg.iif = iif;
3139 - arg.ecn = ecn;
3140 -
3141 - hash = inet6_hash_frag(id, src, dst);
3142 -@@ -551,7 +555,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
3143 - }
3144 -
3145 - fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr,
3146 -- ip6_frag_ecn(hdr));
3147 -+ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
3148 - if (fq) {
3149 - int ret;
3150 -
3151 -diff --git a/net/ipv6/route.c b/net/ipv6/route.c
3152 -index 946880a..fd0e674 100644
3153 ---- a/net/ipv6/route.c
3154 -+++ b/net/ipv6/route.c
3155 -@@ -403,6 +403,14 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
3156 - }
3157 - }
3158 -
3159 -+static bool __rt6_check_expired(const struct rt6_info *rt)
3160 -+{
3161 -+ if (rt->rt6i_flags & RTF_EXPIRES)
3162 -+ return time_after(jiffies, rt->dst.expires);
3163 -+ else
3164 -+ return false;
3165 -+}
3166 -+
3167 - static bool rt6_check_expired(const struct rt6_info *rt)
3168 - {
3169 - if (rt->rt6i_flags & RTF_EXPIRES) {
3170 -@@ -538,7 +546,7 @@ static void rt6_probe_deferred(struct work_struct *w)
3171 - container_of(w, struct __rt6_probe_work, work);
3172 -
3173 - addrconf_addr_solict_mult(&work->target, &mcaddr);
3174 -- ndisc_send_ns(work->dev, NULL, &work->target, &mcaddr, NULL, NULL);
3175 -+ ndisc_send_ns(work->dev, NULL, &work->target, &mcaddr, NULL);
3176 - dev_put(work->dev);
3177 - kfree(work);
3178 - }
3179 -@@ -1270,7 +1278,8 @@ static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie)
3180 -
3181 - static struct dst_entry *rt6_dst_from_check(struct rt6_info *rt, u32 cookie)
3182 - {
3183 -- if (rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
3184 -+ if (!__rt6_check_expired(rt) &&
3185 -+ rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
3186 - rt6_check((struct rt6_info *)(rt->dst.from), cookie))
3187 - return &rt->dst;
3188 - else
3189 -@@ -1290,7 +1299,8 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
3190 -
3191 - rt6_dst_from_metrics_check(rt);
3192 -
3193 -- if ((rt->rt6i_flags & RTF_PCPU) || unlikely(dst->flags & DST_NOCACHE))
3194 -+ if (rt->rt6i_flags & RTF_PCPU ||
3195 -+ (unlikely(dst->flags & DST_NOCACHE) && rt->dst.from))
3196 - return rt6_dst_from_check(rt, cookie);
3197 - else
3198 - return rt6_check(rt, cookie);
3199 -@@ -1340,6 +1350,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu)
3200 - rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires);
3201 - }
3202 -
3203 -+static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
3204 -+{
3205 -+ return !(rt->rt6i_flags & RTF_CACHE) &&
3206 -+ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
3207 -+}
3208 -+
3209 - static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
3210 - const struct ipv6hdr *iph, u32 mtu)
3211 - {
3212 -@@ -1353,7 +1369,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
3213 - if (mtu >= dst_mtu(dst))
3214 - return;
3215 -
3216 -- if (rt6->rt6i_flags & RTF_CACHE) {
3217 -+ if (!rt6_cache_allowed_for_pmtu(rt6)) {
3218 - rt6_do_update_pmtu(rt6, mtu);
3219 - } else {
3220 - const struct in6_addr *daddr, *saddr;
3221 -diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
3222 -index 0909f4e..f30bfdc 100644
3223 ---- a/net/ipv6/syncookies.c
3224 -+++ b/net/ipv6/syncookies.c
3225 -@@ -225,7 +225,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
3226 - memset(&fl6, 0, sizeof(fl6));
3227 - fl6.flowi6_proto = IPPROTO_TCP;
3228 - fl6.daddr = ireq->ir_v6_rmt_addr;
3229 -- final_p = fl6_update_dst(&fl6, np->opt, &final);
3230 -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
3231 - fl6.saddr = ireq->ir_v6_loc_addr;
3232 - fl6.flowi6_oif = sk->sk_bound_dev_if;
3233 - fl6.flowi6_mark = ireq->ir_mark;
3234 -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
3235 -index 97d9314..9e9b77b 100644
3236 ---- a/net/ipv6/tcp_ipv6.c
3237 -+++ b/net/ipv6/tcp_ipv6.c
3238 -@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
3239 - struct ipv6_pinfo *np = inet6_sk(sk);
3240 - struct tcp_sock *tp = tcp_sk(sk);
3241 - struct in6_addr *saddr = NULL, *final_p, final;
3242 -+ struct ipv6_txoptions *opt;
3243 - struct flowi6 fl6;
3244 - struct dst_entry *dst;
3245 - int addr_type;
3246 -@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
3247 - fl6.fl6_dport = usin->sin6_port;
3248 - fl6.fl6_sport = inet->inet_sport;
3249 -
3250 -- final_p = fl6_update_dst(&fl6, np->opt, &final);
3251 -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
3252 -+ final_p = fl6_update_dst(&fl6, opt, &final);
3253 -
3254 - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
3255 -
3256 -@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
3257 - tcp_fetch_timewait_stamp(sk, dst);
3258 -
3259 - icsk->icsk_ext_hdr_len = 0;
3260 -- if (np->opt)
3261 -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
3262 -- np->opt->opt_nflen);
3263 -+ if (opt)
3264 -+ icsk->icsk_ext_hdr_len = opt->opt_flen +
3265 -+ opt->opt_nflen;
3266 -
3267 - tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
3268 -
3269 -@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst,
3270 - fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
3271 -
3272 - skb_set_queue_mapping(skb, queue_mapping);
3273 -- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
3274 -+ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt),
3275 -+ np->tclass);
3276 - err = net_xmit_eval(err);
3277 - }
3278 -
3279 -@@ -991,6 +994,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
3280 - struct inet_request_sock *ireq;
3281 - struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
3282 - struct tcp6_sock *newtcp6sk;
3283 -+ struct ipv6_txoptions *opt;
3284 - struct inet_sock *newinet;
3285 - struct tcp_sock *newtp;
3286 - struct sock *newsk;
3287 -@@ -1126,13 +1130,15 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
3288 - but we make one more one thing there: reattach optmem
3289 - to newsk.
3290 - */
3291 -- if (np->opt)
3292 -- newnp->opt = ipv6_dup_options(newsk, np->opt);
3293 --
3294 -+ opt = rcu_dereference(np->opt);
3295 -+ if (opt) {
3296 -+ opt = ipv6_dup_options(newsk, opt);
3297 -+ RCU_INIT_POINTER(newnp->opt, opt);
3298 -+ }
3299 - inet_csk(newsk)->icsk_ext_hdr_len = 0;
3300 -- if (newnp->opt)
3301 -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
3302 -- newnp->opt->opt_flen);
3303 -+ if (opt)
3304 -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
3305 -+ opt->opt_flen;
3306 -
3307 - tcp_ca_openreq_child(newsk, dst);
3308 -
3309 -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
3310 -index 0aba654..8379fc2 100644
3311 ---- a/net/ipv6/udp.c
3312 -+++ b/net/ipv6/udp.c
3313 -@@ -1107,6 +1107,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
3314 - DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
3315 - struct in6_addr *daddr, *final_p, final;
3316 - struct ipv6_txoptions *opt = NULL;
3317 -+ struct ipv6_txoptions *opt_to_free = NULL;
3318 - struct ip6_flowlabel *flowlabel = NULL;
3319 - struct flowi6 fl6;
3320 - struct dst_entry *dst;
3321 -@@ -1260,8 +1261,10 @@ do_udp_sendmsg:
3322 - opt = NULL;
3323 - connected = 0;
3324 - }
3325 -- if (!opt)
3326 -- opt = np->opt;
3327 -+ if (!opt) {
3328 -+ opt = txopt_get(np);
3329 -+ opt_to_free = opt;
3330 -+ }
3331 - if (flowlabel)
3332 - opt = fl6_merge_options(&opt_space, flowlabel, opt);
3333 - opt = ipv6_fixup_options(&opt_space, opt);
3334 -@@ -1370,6 +1373,7 @@ release_dst:
3335 - out:
3336 - dst_release(dst);
3337 - fl6_sock_release(flowlabel);
3338 -+ txopt_put(opt_to_free);
3339 - if (!err)
3340 - return len;
3341 - /*
3342 -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
3343 -index d1ded37..0ce9da9 100644
3344 ---- a/net/l2tp/l2tp_ip6.c
3345 -+++ b/net/l2tp/l2tp_ip6.c
3346 -@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
3347 - DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name);
3348 - struct in6_addr *daddr, *final_p, final;
3349 - struct ipv6_pinfo *np = inet6_sk(sk);
3350 -+ struct ipv6_txoptions *opt_to_free = NULL;
3351 - struct ipv6_txoptions *opt = NULL;
3352 - struct ip6_flowlabel *flowlabel = NULL;
3353 - struct dst_entry *dst = NULL;
3354 -@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
3355 - opt = NULL;
3356 - }
3357 -
3358 -- if (opt == NULL)
3359 -- opt = np->opt;
3360 -+ if (!opt) {
3361 -+ opt = txopt_get(np);
3362 -+ opt_to_free = opt;
3363 -+ }
3364 - if (flowlabel)
3365 - opt = fl6_merge_options(&opt_space, flowlabel, opt);
3366 - opt = ipv6_fixup_options(&opt_space, opt);
3367 -@@ -631,6 +634,7 @@ done:
3368 - dst_release(dst);
3369 - out:
3370 - fl6_sock_release(flowlabel);
3371 -+ txopt_put(opt_to_free);
3372 -
3373 - return err < 0 ? err : len;
3374 -
3375 -diff --git a/net/openvswitch/dp_notify.c b/net/openvswitch/dp_notify.c
3376 -index a7a80a6..653d073 100644
3377 ---- a/net/openvswitch/dp_notify.c
3378 -+++ b/net/openvswitch/dp_notify.c
3379 -@@ -58,7 +58,7 @@ void ovs_dp_notify_wq(struct work_struct *work)
3380 - struct hlist_node *n;
3381 -
3382 - hlist_for_each_entry_safe(vport, n, &dp->ports[i], dp_hash_node) {
3383 -- if (vport->ops->type != OVS_VPORT_TYPE_NETDEV)
3384 -+ if (vport->ops->type == OVS_VPORT_TYPE_INTERNAL)
3385 - continue;
3386 -
3387 - if (!(vport->dev->priv_flags & IFF_OVS_DATAPATH))
3388 -diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
3389 -index f7e8dcc..ac14c48 100644
3390 ---- a/net/openvswitch/vport-netdev.c
3391 -+++ b/net/openvswitch/vport-netdev.c
3392 -@@ -180,9 +180,13 @@ void ovs_netdev_tunnel_destroy(struct vport *vport)
3393 - if (vport->dev->priv_flags & IFF_OVS_DATAPATH)
3394 - ovs_netdev_detach_dev(vport);
3395 -
3396 -- /* Early release so we can unregister the device */
3397 -+ /* We can be invoked by both explicit vport deletion and
3398 -+ * underlying netdev deregistration; delete the link only
3399 -+ * if it's not already shutting down.
3400 -+ */
3401 -+ if (vport->dev->reg_state == NETREG_REGISTERED)
3402 -+ rtnl_delete_link(vport->dev);
3403 - dev_put(vport->dev);
3404 -- rtnl_delete_link(vport->dev);
3405 - vport->dev = NULL;
3406 - rtnl_unlock();
3407 -
3408 -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
3409 -index 27b2898..4695a36 100644
3410 ---- a/net/packet/af_packet.c
3411 -+++ b/net/packet/af_packet.c
3412 -@@ -1741,6 +1741,20 @@ static void fanout_release(struct sock *sk)
3413 - kfree_rcu(po->rollover, rcu);
3414 - }
3415 -
3416 -+static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
3417 -+ struct sk_buff *skb)
3418 -+{
3419 -+ /* Earlier code assumed this would be a VLAN pkt, double-check
3420 -+ * this now that we have the actual packet in hand. We can only
3421 -+ * do this check on Ethernet devices.
3422 -+ */
3423 -+ if (unlikely(dev->type != ARPHRD_ETHER))
3424 -+ return false;
3425 -+
3426 -+ skb_reset_mac_header(skb);
3427 -+ return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q));
3428 -+}
3429 -+
3430 - static const struct proto_ops packet_ops;
3431 -
3432 - static const struct proto_ops packet_ops_spkt;
3433 -@@ -1902,18 +1916,10 @@ retry:
3434 - goto retry;
3435 - }
3436 -
3437 -- if (len > (dev->mtu + dev->hard_header_len + extra_len)) {
3438 -- /* Earlier code assumed this would be a VLAN pkt,
3439 -- * double-check this now that we have the actual
3440 -- * packet in hand.
3441 -- */
3442 -- struct ethhdr *ehdr;
3443 -- skb_reset_mac_header(skb);
3444 -- ehdr = eth_hdr(skb);
3445 -- if (ehdr->h_proto != htons(ETH_P_8021Q)) {
3446 -- err = -EMSGSIZE;
3447 -- goto out_unlock;
3448 -- }
3449 -+ if (len > (dev->mtu + dev->hard_header_len + extra_len) &&
3450 -+ !packet_extra_vlan_len_allowed(dev, skb)) {
3451 -+ err = -EMSGSIZE;
3452 -+ goto out_unlock;
3453 - }
3454 -
3455 - skb->protocol = proto;
3456 -@@ -2332,6 +2338,15 @@ static bool ll_header_truncated(const struct net_device *dev, int len)
3457 - return false;
3458 - }
3459 -
3460 -+static void tpacket_set_protocol(const struct net_device *dev,
3461 -+ struct sk_buff *skb)
3462 -+{
3463 -+ if (dev->type == ARPHRD_ETHER) {
3464 -+ skb_reset_mac_header(skb);
3465 -+ skb->protocol = eth_hdr(skb)->h_proto;
3466 -+ }
3467 -+}
3468 -+
3469 - static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3470 - void *frame, struct net_device *dev, int size_max,
3471 - __be16 proto, unsigned char *addr, int hlen)
3472 -@@ -2368,8 +2383,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3473 - skb_reserve(skb, hlen);
3474 - skb_reset_network_header(skb);
3475 -
3476 -- if (!packet_use_direct_xmit(po))
3477 -- skb_probe_transport_header(skb, 0);
3478 - if (unlikely(po->tp_tx_has_off)) {
3479 - int off_min, off_max, off;
3480 - off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll);
3481 -@@ -2415,6 +2428,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3482 - dev->hard_header_len);
3483 - if (unlikely(err))
3484 - return err;
3485 -+ if (!skb->protocol)
3486 -+ tpacket_set_protocol(dev, skb);
3487 -
3488 - data += dev->hard_header_len;
3489 - to_write -= dev->hard_header_len;
3490 -@@ -2449,6 +2464,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3491 - len = ((to_write > len_max) ? len_max : to_write);
3492 - }
3493 -
3494 -+ skb_probe_transport_header(skb, 0);
3495 -+
3496 - return tp_len;
3497 - }
3498 -
3499 -@@ -2493,12 +2510,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
3500 - if (unlikely(!(dev->flags & IFF_UP)))
3501 - goto out_put;
3502 -
3503 -- reserve = dev->hard_header_len + VLAN_HLEN;
3504 -+ if (po->sk.sk_socket->type == SOCK_RAW)
3505 -+ reserve = dev->hard_header_len;
3506 - size_max = po->tx_ring.frame_size
3507 - - (po->tp_hdrlen - sizeof(struct sockaddr_ll));
3508 -
3509 -- if (size_max > dev->mtu + reserve)
3510 -- size_max = dev->mtu + reserve;
3511 -+ if (size_max > dev->mtu + reserve + VLAN_HLEN)
3512 -+ size_max = dev->mtu + reserve + VLAN_HLEN;
3513 -
3514 - do {
3515 - ph = packet_current_frame(po, &po->tx_ring,
3516 -@@ -2525,18 +2543,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
3517 - tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
3518 - addr, hlen);
3519 - if (likely(tp_len >= 0) &&
3520 -- tp_len > dev->mtu + dev->hard_header_len) {
3521 -- struct ethhdr *ehdr;
3522 -- /* Earlier code assumed this would be a VLAN pkt,
3523 -- * double-check this now that we have the actual
3524 -- * packet in hand.
3525 -- */
3526 -+ tp_len > dev->mtu + reserve &&
3527 -+ !packet_extra_vlan_len_allowed(dev, skb))
3528 -+ tp_len = -EMSGSIZE;
3529 -
3530 -- skb_reset_mac_header(skb);
3531 -- ehdr = eth_hdr(skb);
3532 -- if (ehdr->h_proto != htons(ETH_P_8021Q))
3533 -- tp_len = -EMSGSIZE;
3534 -- }
3535 - if (unlikely(tp_len < 0)) {
3536 - if (po->tp_loss) {
3537 - __packet_set_status(po, ph,
3538 -@@ -2757,18 +2767,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
3539 -
3540 - sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
3541 -
3542 -- if (!gso_type && (len > dev->mtu + reserve + extra_len)) {
3543 -- /* Earlier code assumed this would be a VLAN pkt,
3544 -- * double-check this now that we have the actual
3545 -- * packet in hand.
3546 -- */
3547 -- struct ethhdr *ehdr;
3548 -- skb_reset_mac_header(skb);
3549 -- ehdr = eth_hdr(skb);
3550 -- if (ehdr->h_proto != htons(ETH_P_8021Q)) {
3551 -- err = -EMSGSIZE;
3552 -- goto out_free;
3553 -- }
3554 -+ if (!gso_type && (len > dev->mtu + reserve + extra_len) &&
3555 -+ !packet_extra_vlan_len_allowed(dev, skb)) {
3556 -+ err = -EMSGSIZE;
3557 -+ goto out_free;
3558 - }
3559 -
3560 - skb->protocol = proto;
3561 -@@ -2799,8 +2801,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
3562 - len += vnet_hdr_len;
3563 - }
3564 -
3565 -- if (!packet_use_direct_xmit(po))
3566 -- skb_probe_transport_header(skb, reserve);
3567 -+ skb_probe_transport_header(skb, reserve);
3568 -+
3569 - if (unlikely(extra_len == 4))
3570 - skb->no_fcs = 1;
3571 -
3572 -diff --git a/net/rds/connection.c b/net/rds/connection.c
3573 -index 49adeef..9b2de5e 100644
3574 ---- a/net/rds/connection.c
3575 -+++ b/net/rds/connection.c
3576 -@@ -190,12 +190,6 @@ new_conn:
3577 - }
3578 - }
3579 -
3580 -- if (trans == NULL) {
3581 -- kmem_cache_free(rds_conn_slab, conn);
3582 -- conn = ERR_PTR(-ENODEV);
3583 -- goto out;
3584 -- }
3585 --
3586 - conn->c_trans = trans;
3587 -
3588 - ret = trans->conn_alloc(conn, gfp);
3589 -diff --git a/net/rds/send.c b/net/rds/send.c
3590 -index 4df61a5..859de6f 100644
3591 ---- a/net/rds/send.c
3592 -+++ b/net/rds/send.c
3593 -@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
3594 - release_sock(sk);
3595 - }
3596 -
3597 -- /* racing with another thread binding seems ok here */
3598 -+ lock_sock(sk);
3599 - if (daddr == 0 || rs->rs_bound_addr == 0) {
3600 -+ release_sock(sk);
3601 - ret = -ENOTCONN; /* XXX not a great errno */
3602 - goto out;
3603 - }
3604 -+ release_sock(sk);
3605 -
3606 - if (payload_len > rds_sk_sndbuf(rs)) {
3607 - ret = -EMSGSIZE;
3608 -diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
3609 -index f43c8f3..7ec667d 100644
3610 ---- a/net/sched/sch_api.c
3611 -+++ b/net/sched/sch_api.c
3612 -@@ -253,7 +253,8 @@ int qdisc_set_default(const char *name)
3613 - }
3614 -
3615 - /* We know handle. Find qdisc among all qdisc's attached to device
3616 -- (root qdisc, all its children, children of children etc.)
3617 -+ * (root qdisc, all its children, children of children etc.)
3618 -+ * Note: caller either uses rtnl or rcu_read_lock()
3619 - */
3620 -
3621 - static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
3622 -@@ -264,7 +265,7 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
3623 - root->handle == handle)
3624 - return root;
3625 -
3626 -- list_for_each_entry(q, &root->list, list) {
3627 -+ list_for_each_entry_rcu(q, &root->list, list) {
3628 - if (q->handle == handle)
3629 - return q;
3630 - }
3631 -@@ -277,15 +278,18 @@ void qdisc_list_add(struct Qdisc *q)
3632 - struct Qdisc *root = qdisc_dev(q)->qdisc;
3633 -
3634 - WARN_ON_ONCE(root == &noop_qdisc);
3635 -- list_add_tail(&q->list, &root->list);
3636 -+ ASSERT_RTNL();
3637 -+ list_add_tail_rcu(&q->list, &root->list);
3638 - }
3639 - }
3640 - EXPORT_SYMBOL(qdisc_list_add);
3641 -
3642 - void qdisc_list_del(struct Qdisc *q)
3643 - {
3644 -- if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS))
3645 -- list_del(&q->list);
3646 -+ if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
3647 -+ ASSERT_RTNL();
3648 -+ list_del_rcu(&q->list);
3649 -+ }
3650 - }
3651 - EXPORT_SYMBOL(qdisc_list_del);
3652 -
3653 -@@ -750,14 +754,18 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
3654 - if (n == 0)
3655 - return;
3656 - drops = max_t(int, n, 0);
3657 -+ rcu_read_lock();
3658 - while ((parentid = sch->parent)) {
3659 - if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
3660 -- return;
3661 -+ break;
3662 -
3663 -+ if (sch->flags & TCQ_F_NOPARENT)
3664 -+ break;
3665 -+ /* TODO: perform the search on a per txq basis */
3666 - sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid));
3667 - if (sch == NULL) {
3668 -- WARN_ON(parentid != TC_H_ROOT);
3669 -- return;
3670 -+ WARN_ON_ONCE(parentid != TC_H_ROOT);
3671 -+ break;
3672 - }
3673 - cops = sch->ops->cl_ops;
3674 - if (cops->qlen_notify) {
3675 -@@ -768,6 +776,7 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
3676 - sch->q.qlen -= n;
3677 - __qdisc_qstats_drop(sch, drops);
3678 - }
3679 -+ rcu_read_unlock();
3680 - }
3681 - EXPORT_SYMBOL(qdisc_tree_decrease_qlen);
3682 -
3683 -@@ -941,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
3684 - }
3685 - lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
3686 - if (!netif_is_multiqueue(dev))
3687 -- sch->flags |= TCQ_F_ONETXQUEUE;
3688 -+ sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3689 - }
3690 -
3691 - sch->handle = handle;
3692 -diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3693 -index cb5d4ad..e82a1ad 100644
3694 ---- a/net/sched/sch_generic.c
3695 -+++ b/net/sched/sch_generic.c
3696 -@@ -737,7 +737,7 @@ static void attach_one_default_qdisc(struct net_device *dev,
3697 - return;
3698 - }
3699 - if (!netif_is_multiqueue(dev))
3700 -- qdisc->flags |= TCQ_F_ONETXQUEUE;
3701 -+ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3702 - dev_queue->qdisc_sleeping = qdisc;
3703 - }
3704 -
3705 -diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
3706 -index f3cbaec..3e82f04 100644
3707 ---- a/net/sched/sch_mq.c
3708 -+++ b/net/sched/sch_mq.c
3709 -@@ -63,7 +63,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt)
3710 - if (qdisc == NULL)
3711 - goto err;
3712 - priv->qdiscs[ntx] = qdisc;
3713 -- qdisc->flags |= TCQ_F_ONETXQUEUE;
3714 -+ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3715 - }
3716 -
3717 - sch->flags |= TCQ_F_MQROOT;
3718 -@@ -156,7 +156,7 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
3719 -
3720 - *old = dev_graft_qdisc(dev_queue, new);
3721 - if (new)
3722 -- new->flags |= TCQ_F_ONETXQUEUE;
3723 -+ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3724 - if (dev->flags & IFF_UP)
3725 - dev_activate(dev);
3726 - return 0;
3727 -diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
3728 -index 3811a74..ad70ecf 100644
3729 ---- a/net/sched/sch_mqprio.c
3730 -+++ b/net/sched/sch_mqprio.c
3731 -@@ -132,7 +132,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt)
3732 - goto err;
3733 - }
3734 - priv->qdiscs[i] = qdisc;
3735 -- qdisc->flags |= TCQ_F_ONETXQUEUE;
3736 -+ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3737 - }
3738 -
3739 - /* If the mqprio options indicate that hardware should own
3740 -@@ -209,7 +209,7 @@ static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
3741 - *old = dev_graft_qdisc(dev_queue, new);
3742 -
3743 - if (new)
3744 -- new->flags |= TCQ_F_ONETXQUEUE;
3745 -+ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3746 -
3747 - if (dev->flags & IFF_UP)
3748 - dev_activate(dev);
3749 -diff --git a/net/sctp/auth.c b/net/sctp/auth.c
3750 -index 4f15b7d..1543e39 100644
3751 ---- a/net/sctp/auth.c
3752 -+++ b/net/sctp/auth.c
3753 -@@ -809,8 +809,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
3754 - if (!has_sha1)
3755 - return -EINVAL;
3756 -
3757 -- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
3758 -- hmacs->shmac_num_idents * sizeof(__u16));
3759 -+ for (i = 0; i < hmacs->shmac_num_idents; i++)
3760 -+ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
3761 - ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
3762 - hmacs->shmac_num_idents * sizeof(__u16));
3763 - return 0;
3764 -diff --git a/net/sctp/socket.c b/net/sctp/socket.c
3765 -index 17bef01..3ec88be 100644
3766 ---- a/net/sctp/socket.c
3767 -+++ b/net/sctp/socket.c
3768 -@@ -7375,6 +7375,13 @@ struct proto sctp_prot = {
3769 -
3770 - #if IS_ENABLED(CONFIG_IPV6)
3771 -
3772 -+#include <net/transp_v6.h>
3773 -+static void sctp_v6_destroy_sock(struct sock *sk)
3774 -+{
3775 -+ sctp_destroy_sock(sk);
3776 -+ inet6_destroy_sock(sk);
3777 -+}
3778 -+
3779 - struct proto sctpv6_prot = {
3780 - .name = "SCTPv6",
3781 - .owner = THIS_MODULE,
3782 -@@ -7384,7 +7391,7 @@ struct proto sctpv6_prot = {
3783 - .accept = sctp_accept,
3784 - .ioctl = sctp_ioctl,
3785 - .init = sctp_init_sock,
3786 -- .destroy = sctp_destroy_sock,
3787 -+ .destroy = sctp_v6_destroy_sock,
3788 - .shutdown = sctp_shutdown,
3789 - .setsockopt = sctp_setsockopt,
3790 - .getsockopt = sctp_getsockopt,
3791 -diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
3792 -index cd7c5f1..86f2e7c 100644
3793 ---- a/net/tipc/udp_media.c
3794 -+++ b/net/tipc/udp_media.c
3795 -@@ -159,8 +159,11 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
3796 - struct sk_buff *clone;
3797 - struct rtable *rt;
3798 -
3799 -- if (skb_headroom(skb) < UDP_MIN_HEADROOM)
3800 -- pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
3801 -+ if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
3802 -+ err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
3803 -+ if (err)
3804 -+ goto tx_error;
3805 -+ }
3806 -
3807 - clone = skb_clone(skb, GFP_ATOMIC);
3808 - skb_set_inner_protocol(clone, htons(ETH_P_TIPC));
3809 -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
3810 -index 94f6582..128b098 100644
3811 ---- a/net/unix/af_unix.c
3812 -+++ b/net/unix/af_unix.c
3813 -@@ -326,6 +326,118 @@ found:
3814 - return s;
3815 - }
3816 -
3817 -+/* Support code for asymmetrically connected dgram sockets
3818 -+ *
3819 -+ * If a datagram socket is connected to a socket not itself connected
3820 -+ * to the first socket (eg, /dev/log), clients may only enqueue more
3821 -+ * messages if the present receive queue of the server socket is not
3822 -+ * "too large". This means there's a second writeability condition
3823 -+ * poll and sendmsg need to test. The dgram recv code will do a wake
3824 -+ * up on the peer_wait wait queue of a socket upon reception of a
3825 -+ * datagram which needs to be propagated to sleeping would-be writers
3826 -+ * since these might not have sent anything so far. This can't be
3827 -+ * accomplished via poll_wait because the lifetime of the server
3828 -+ * socket might be less than that of its clients if these break their
3829 -+ * association with it or if the server socket is closed while clients
3830 -+ * are still connected to it and there's no way to inform "a polling
3831 -+ * implementation" that it should let go of a certain wait queue
3832 -+ *
3833 -+ * In order to propagate a wake up, a wait_queue_t of the client
3834 -+ * socket is enqueued on the peer_wait queue of the server socket
3835 -+ * whose wake function does a wake_up on the ordinary client socket
3836 -+ * wait queue. This connection is established whenever a write (or
3837 -+ * poll for write) hit the flow control condition and broken when the
3838 -+ * association to the server socket is dissolved or after a wake up
3839 -+ * was relayed.
3840 -+ */
3841 -+
3842 -+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
3843 -+ void *key)
3844 -+{
3845 -+ struct unix_sock *u;
3846 -+ wait_queue_head_t *u_sleep;
3847 -+
3848 -+ u = container_of(q, struct unix_sock, peer_wake);
3849 -+
3850 -+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
3851 -+ q);
3852 -+ u->peer_wake.private = NULL;
3853 -+
3854 -+ /* relaying can only happen while the wq still exists */
3855 -+ u_sleep = sk_sleep(&u->sk);
3856 -+ if (u_sleep)
3857 -+ wake_up_interruptible_poll(u_sleep, key);
3858 -+
3859 -+ return 0;
3860 -+}
3861 -+
3862 -+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
3863 -+{
3864 -+ struct unix_sock *u, *u_other;
3865 -+ int rc;
3866 -+
3867 -+ u = unix_sk(sk);
3868 -+ u_other = unix_sk(other);
3869 -+ rc = 0;
3870 -+ spin_lock(&u_other->peer_wait.lock);
3871 -+
3872 -+ if (!u->peer_wake.private) {
3873 -+ u->peer_wake.private = other;
3874 -+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
3875 -+
3876 -+ rc = 1;
3877 -+ }
3878 -+
3879 -+ spin_unlock(&u_other->peer_wait.lock);
3880 -+ return rc;
3881 -+}
3882 -+
3883 -+static void unix_dgram_peer_wake_disconnect(struct sock *sk,
3884 -+ struct sock *other)
3885 -+{
3886 -+ struct unix_sock *u, *u_other;
3887 -+
3888 -+ u = unix_sk(sk);
3889 -+ u_other = unix_sk(other);
3890 -+ spin_lock(&u_other->peer_wait.lock);
3891 -+
3892 -+ if (u->peer_wake.private == other) {
3893 -+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
3894 -+ u->peer_wake.private = NULL;
3895 -+ }
3896 -+
3897 -+ spin_unlock(&u_other->peer_wait.lock);
3898 -+}
3899 -+
3900 -+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
3901 -+ struct sock *other)
3902 -+{
3903 -+ unix_dgram_peer_wake_disconnect(sk, other);
3904 -+ wake_up_interruptible_poll(sk_sleep(sk),
3905 -+ POLLOUT |
3906 -+ POLLWRNORM |
3907 -+ POLLWRBAND);
3908 -+}
3909 -+
3910 -+/* preconditions:
3911 -+ * - unix_peer(sk) == other
3912 -+ * - association is stable
3913 -+ */
3914 -+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
3915 -+{
3916 -+ int connected;
3917 -+
3918 -+ connected = unix_dgram_peer_wake_connect(sk, other);
3919 -+
3920 -+ if (unix_recvq_full(other))
3921 -+ return 1;
3922 -+
3923 -+ if (connected)
3924 -+ unix_dgram_peer_wake_disconnect(sk, other);
3925 -+
3926 -+ return 0;
3927 -+}
3928 -+
3929 - static inline int unix_writable(struct sock *sk)
3930 - {
3931 - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
3932 -@@ -430,6 +542,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
3933 - skpair->sk_state_change(skpair);
3934 - sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
3935 - }
3936 -+
3937 -+ unix_dgram_peer_wake_disconnect(sk, skpair);
3938 - sock_put(skpair); /* It may now die */
3939 - unix_peer(sk) = NULL;
3940 - }
3941 -@@ -440,6 +554,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
3942 - if (state == TCP_LISTEN)
3943 - unix_release_sock(skb->sk, 1);
3944 - /* passed fds are erased in the kfree_skb hook */
3945 -+ UNIXCB(skb).consumed = skb->len;
3946 - kfree_skb(skb);
3947 - }
3948 -
3949 -@@ -664,6 +779,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
3950 - INIT_LIST_HEAD(&u->link);
3951 - mutex_init(&u->readlock); /* single task reading lock */
3952 - init_waitqueue_head(&u->peer_wait);
3953 -+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
3954 - unix_insert_socket(unix_sockets_unbound(sk), sk);
3955 - out:
3956 - if (sk == NULL)
3957 -@@ -1031,6 +1147,8 @@ restart:
3958 - if (unix_peer(sk)) {
3959 - struct sock *old_peer = unix_peer(sk);
3960 - unix_peer(sk) = other;
3961 -+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
3962 -+
3963 - unix_state_double_unlock(sk, other);
3964 -
3965 - if (other != old_peer)
3966 -@@ -1432,6 +1550,14 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen
3967 - return err;
3968 - }
3969 -
3970 -+static bool unix_passcred_enabled(const struct socket *sock,
3971 -+ const struct sock *other)
3972 -+{
3973 -+ return test_bit(SOCK_PASSCRED, &sock->flags) ||
3974 -+ !other->sk_socket ||
3975 -+ test_bit(SOCK_PASSCRED, &other->sk_socket->flags);
3976 -+}
3977 -+
3978 - /*
3979 - * Some apps rely on write() giving SCM_CREDENTIALS
3980 - * We include credentials if source or destination socket
3981 -@@ -1442,14 +1568,41 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
3982 - {
3983 - if (UNIXCB(skb).pid)
3984 - return;
3985 -- if (test_bit(SOCK_PASSCRED, &sock->flags) ||
3986 -- !other->sk_socket ||
3987 -- test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) {
3988 -+ if (unix_passcred_enabled(sock, other)) {
3989 - UNIXCB(skb).pid = get_pid(task_tgid(current));
3990 - current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
3991 - }
3992 - }
3993 -
3994 -+static int maybe_init_creds(struct scm_cookie *scm,
3995 -+ struct socket *socket,
3996 -+ const struct sock *other)
3997 -+{
3998 -+ int err;
3999 -+ struct msghdr msg = { .msg_controllen = 0 };
4000 -+
4001 -+ err = scm_send(socket, &msg, scm, false);
4002 -+ if (err)
4003 -+ return err;
4004 -+
4005 -+ if (unix_passcred_enabled(socket, other)) {
4006 -+ scm->pid = get_pid(task_tgid(current));
4007 -+ current_uid_gid(&scm->creds.uid, &scm->creds.gid);
4008 -+ }
4009 -+ return err;
4010 -+}
4011 -+
4012 -+static bool unix_skb_scm_eq(struct sk_buff *skb,
4013 -+ struct scm_cookie *scm)
4014 -+{
4015 -+ const struct unix_skb_parms *u = &UNIXCB(skb);
4016 -+
4017 -+ return u->pid == scm->pid &&
4018 -+ uid_eq(u->uid, scm->creds.uid) &&
4019 -+ gid_eq(u->gid, scm->creds.gid) &&
4020 -+ unix_secdata_eq(scm, skb);
4021 -+}
4022 -+
4023 - /*
4024 - * Send AF_UNIX data.
4025 - */
4026 -@@ -1470,6 +1623,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
4027 - struct scm_cookie scm;
4028 - int max_level;
4029 - int data_len = 0;
4030 -+ int sk_locked;
4031 -
4032 - wait_for_unix_gc();
4033 - err = scm_send(sock, msg, &scm, false);
4034 -@@ -1548,12 +1702,14 @@ restart:
4035 - goto out_free;
4036 - }
4037 -
4038 -+ sk_locked = 0;
4039 - unix_state_lock(other);
4040 -+restart_locked:
4041 - err = -EPERM;
4042 - if (!unix_may_send(sk, other))
4043 - goto out_unlock;
4044 -
4045 -- if (sock_flag(other, SOCK_DEAD)) {
4046 -+ if (unlikely(sock_flag(other, SOCK_DEAD))) {
4047 - /*
4048 - * Check with 1003.1g - what should
4049 - * datagram error
4050 -@@ -1561,10 +1717,14 @@ restart:
4051 - unix_state_unlock(other);
4052 - sock_put(other);
4053 -
4054 -+ if (!sk_locked)
4055 -+ unix_state_lock(sk);
4056 -+
4057 - err = 0;
4058 -- unix_state_lock(sk);
4059 - if (unix_peer(sk) == other) {
4060 - unix_peer(sk) = NULL;
4061 -+ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
4062 -+
4063 - unix_state_unlock(sk);
4064 -
4065 - unix_dgram_disconnected(sk, other);
4066 -@@ -1590,21 +1750,38 @@ restart:
4067 - goto out_unlock;
4068 - }
4069 -
4070 -- if (unix_peer(other) != sk && unix_recvq_full(other)) {
4071 -- if (!timeo) {
4072 -- err = -EAGAIN;
4073 -- goto out_unlock;
4074 -+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
4075 -+ if (timeo) {
4076 -+ timeo = unix_wait_for_peer(other, timeo);
4077 -+
4078 -+ err = sock_intr_errno(timeo);
4079 -+ if (signal_pending(current))
4080 -+ goto out_free;
4081 -+
4082 -+ goto restart;
4083 - }
4084 -
4085 -- timeo = unix_wait_for_peer(other, timeo);
4086 -+ if (!sk_locked) {
4087 -+ unix_state_unlock(other);
4088 -+ unix_state_double_lock(sk, other);
4089 -+ }
4090 -
4091 -- err = sock_intr_errno(timeo);
4092 -- if (signal_pending(current))
4093 -- goto out_free;
4094 -+ if (unix_peer(sk) != other ||
4095 -+ unix_dgram_peer_wake_me(sk, other)) {
4096 -+ err = -EAGAIN;
4097 -+ sk_locked = 1;
4098 -+ goto out_unlock;
4099 -+ }
4100 -
4101 -- goto restart;
4102 -+ if (!sk_locked) {
4103 -+ sk_locked = 1;
4104 -+ goto restart_locked;
4105 -+ }
4106 - }
4107 -
4108 -+ if (unlikely(sk_locked))
4109 -+ unix_state_unlock(sk);
4110 -+
4111 - if (sock_flag(other, SOCK_RCVTSTAMP))
4112 - __net_timestamp(skb);
4113 - maybe_add_creds(skb, sock, other);
4114 -@@ -1618,6 +1795,8 @@ restart:
4115 - return len;
4116 -
4117 - out_unlock:
4118 -+ if (sk_locked)
4119 -+ unix_state_unlock(sk);
4120 - unix_state_unlock(other);
4121 - out_free:
4122 - kfree_skb(skb);
4123 -@@ -1739,8 +1918,10 @@ out_err:
4124 - static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
4125 - int offset, size_t size, int flags)
4126 - {
4127 -- int err = 0;
4128 -- bool send_sigpipe = true;
4129 -+ int err;
4130 -+ bool send_sigpipe = false;
4131 -+ bool init_scm = true;
4132 -+ struct scm_cookie scm;
4133 - struct sock *other, *sk = socket->sk;
4134 - struct sk_buff *skb, *newskb = NULL, *tail = NULL;
4135 -
4136 -@@ -1758,7 +1939,7 @@ alloc_skb:
4137 - newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
4138 - &err, 0);
4139 - if (!newskb)
4140 -- return err;
4141 -+ goto err;
4142 - }
4143 -
4144 - /* we must acquire readlock as we modify already present
4145 -@@ -1767,12 +1948,12 @@ alloc_skb:
4146 - err = mutex_lock_interruptible(&unix_sk(other)->readlock);
4147 - if (err) {
4148 - err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
4149 -- send_sigpipe = false;
4150 - goto err;
4151 - }
4152 -
4153 - if (sk->sk_shutdown & SEND_SHUTDOWN) {
4154 - err = -EPIPE;
4155 -+ send_sigpipe = true;
4156 - goto err_unlock;
4157 - }
4158 -
4159 -@@ -1781,23 +1962,34 @@ alloc_skb:
4160 - if (sock_flag(other, SOCK_DEAD) ||
4161 - other->sk_shutdown & RCV_SHUTDOWN) {
4162 - err = -EPIPE;
4163 -+ send_sigpipe = true;
4164 - goto err_state_unlock;
4165 - }
4166 -
4167 -+ if (init_scm) {
4168 -+ err = maybe_init_creds(&scm, socket, other);
4169 -+ if (err)
4170 -+ goto err_state_unlock;
4171 -+ init_scm = false;
4172 -+ }
4173 -+
4174 - skb = skb_peek_tail(&other->sk_receive_queue);
4175 - if (tail && tail == skb) {
4176 - skb = newskb;
4177 -- } else if (!skb) {
4178 -- if (newskb)
4179 -+ } else if (!skb || !unix_skb_scm_eq(skb, &scm)) {
4180 -+ if (newskb) {
4181 - skb = newskb;
4182 -- else
4183 -+ } else {
4184 -+ tail = skb;
4185 - goto alloc_skb;
4186 -+ }
4187 - } else if (newskb) {
4188 - /* this is fast path, we don't necessarily need to
4189 - * call to kfree_skb even though with newskb == NULL
4190 - * this - does no harm
4191 - */
4192 - consume_skb(newskb);
4193 -+ newskb = NULL;
4194 - }
4195 -
4196 - if (skb_append_pagefrags(skb, page, offset, size)) {
4197 -@@ -1810,14 +2002,20 @@ alloc_skb:
4198 - skb->truesize += size;
4199 - atomic_add(size, &sk->sk_wmem_alloc);
4200 -
4201 -- if (newskb)
4202 -+ if (newskb) {
4203 -+ err = unix_scm_to_skb(&scm, skb, false);
4204 -+ if (err)
4205 -+ goto err_state_unlock;
4206 -+ spin_lock(&other->sk_receive_queue.lock);
4207 - __skb_queue_tail(&other->sk_receive_queue, newskb);
4208 -+ spin_unlock(&other->sk_receive_queue.lock);
4209 -+ }
4210 -
4211 - unix_state_unlock(other);
4212 - mutex_unlock(&unix_sk(other)->readlock);
4213 -
4214 - other->sk_data_ready(other);
4215 --
4216 -+ scm_destroy(&scm);
4217 - return size;
4218 -
4219 - err_state_unlock:
4220 -@@ -1828,6 +2026,8 @@ err:
4221 - kfree_skb(newskb);
4222 - if (send_sigpipe && !(flags & MSG_NOSIGNAL))
4223 - send_sig(SIGPIPE, current, 0);
4224 -+ if (!init_scm)
4225 -+ scm_destroy(&scm);
4226 - return err;
4227 - }
4228 -
4229 -@@ -2071,6 +2271,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
4230 -
4231 - do {
4232 - int chunk;
4233 -+ bool drop_skb;
4234 - struct sk_buff *skb, *last;
4235 -
4236 - unix_state_lock(sk);
4237 -@@ -2130,10 +2331,7 @@ unlock:
4238 -
4239 - if (check_creds) {
4240 - /* Never glue messages from different writers */
4241 -- if ((UNIXCB(skb).pid != scm.pid) ||
4242 -- !uid_eq(UNIXCB(skb).uid, scm.creds.uid) ||
4243 -- !gid_eq(UNIXCB(skb).gid, scm.creds.gid) ||
4244 -- !unix_secdata_eq(&scm, skb))
4245 -+ if (!unix_skb_scm_eq(skb, &scm))
4246 - break;
4247 - } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
4248 - /* Copy credentials */
4249 -@@ -2151,7 +2349,11 @@ unlock:
4250 - }
4251 -
4252 - chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
4253 -+ skb_get(skb);
4254 - chunk = state->recv_actor(skb, skip, chunk, state);
4255 -+ drop_skb = !unix_skb_len(skb);
4256 -+ /* skb is only safe to use if !drop_skb */
4257 -+ consume_skb(skb);
4258 - if (chunk < 0) {
4259 - if (copied == 0)
4260 - copied = -EFAULT;
4261 -@@ -2160,6 +2362,18 @@ unlock:
4262 - copied += chunk;
4263 - size -= chunk;
4264 -
4265 -+ if (drop_skb) {
4266 -+ /* the skb was touched by a concurrent reader;
4267 -+ * we should not expect anything from this skb
4268 -+ * anymore and assume it invalid - we can be
4269 -+ * sure it was dropped from the socket queue
4270 -+ *
4271 -+ * let's report a short read
4272 -+ */
4273 -+ err = 0;
4274 -+ break;
4275 -+ }
4276 -+
4277 - /* Mark read part of skb as used */
4278 - if (!(flags & MSG_PEEK)) {
4279 - UNIXCB(skb).consumed += chunk;
4280 -@@ -2453,14 +2667,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
4281 - return mask;
4282 -
4283 - writable = unix_writable(sk);
4284 -- other = unix_peer_get(sk);
4285 -- if (other) {
4286 -- if (unix_peer(other) != sk) {
4287 -- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
4288 -- if (unix_recvq_full(other))
4289 -- writable = 0;
4290 -- }
4291 -- sock_put(other);
4292 -+ if (writable) {
4293 -+ unix_state_lock(sk);
4294 -+
4295 -+ other = unix_peer(sk);
4296 -+ if (other && unix_peer(other) != sk &&
4297 -+ unix_recvq_full(other) &&
4298 -+ unix_dgram_peer_wake_me(sk, other))
4299 -+ writable = 0;
4300 -+
4301 -+ unix_state_unlock(sk);
4302 - }
4303 -
4304 - if (writable)
4305 -diff --git a/sound/pci/Kconfig b/sound/pci/Kconfig
4306 -index edfc1b8..656ce39 100644
4307 ---- a/sound/pci/Kconfig
4308 -+++ b/sound/pci/Kconfig
4309 -@@ -25,7 +25,7 @@ config SND_ALS300
4310 - select SND_PCM
4311 - select SND_AC97_CODEC
4312 - select SND_OPL3_LIB
4313 -- select ZONE_DMA
4314 -+ depends on ZONE_DMA
4315 - help
4316 - Say 'Y' or 'M' to include support for Avance Logic ALS300/ALS300+
4317 -
4318 -@@ -50,7 +50,7 @@ config SND_ALI5451
4319 - tristate "ALi M5451 PCI Audio Controller"
4320 - select SND_MPU401_UART
4321 - select SND_AC97_CODEC
4322 -- select ZONE_DMA
4323 -+ depends on ZONE_DMA
4324 - help
4325 - Say Y here to include support for the integrated AC97 sound
4326 - device on motherboards using the ALi M5451 Audio Controller
4327 -@@ -155,7 +155,7 @@ config SND_AZT3328
4328 - select SND_PCM
4329 - select SND_RAWMIDI
4330 - select SND_AC97_CODEC
4331 -- select ZONE_DMA
4332 -+ depends on ZONE_DMA
4333 - help
4334 - Say Y here to include support for Aztech AZF3328 (PCI168)
4335 - soundcards.
4336 -@@ -463,7 +463,7 @@ config SND_EMU10K1
4337 - select SND_HWDEP
4338 - select SND_RAWMIDI
4339 - select SND_AC97_CODEC
4340 -- select ZONE_DMA
4341 -+ depends on ZONE_DMA
4342 - help
4343 - Say Y to include support for Sound Blaster PCI 512, Live!,
4344 - Audigy and E-mu APS (partially supported) soundcards.
4345 -@@ -479,7 +479,7 @@ config SND_EMU10K1X
4346 - tristate "Emu10k1X (Dell OEM Version)"
4347 - select SND_AC97_CODEC
4348 - select SND_RAWMIDI
4349 -- select ZONE_DMA
4350 -+ depends on ZONE_DMA
4351 - help
4352 - Say Y here to include support for the Dell OEM version of the
4353 - Sound Blaster Live!.
4354 -@@ -513,7 +513,7 @@ config SND_ES1938
4355 - select SND_OPL3_LIB
4356 - select SND_MPU401_UART
4357 - select SND_AC97_CODEC
4358 -- select ZONE_DMA
4359 -+ depends on ZONE_DMA
4360 - help
4361 - Say Y here to include support for soundcards based on ESS Solo-1
4362 - (ES1938, ES1946, ES1969) chips.
4363 -@@ -525,7 +525,7 @@ config SND_ES1968
4364 - tristate "ESS ES1968/1978 (Maestro-1/2/2E)"
4365 - select SND_MPU401_UART
4366 - select SND_AC97_CODEC
4367 -- select ZONE_DMA
4368 -+ depends on ZONE_DMA
4369 - help
4370 - Say Y here to include support for soundcards based on ESS Maestro
4371 - 1/2/2E chips.
4372 -@@ -612,7 +612,7 @@ config SND_ICE1712
4373 - select SND_MPU401_UART
4374 - select SND_AC97_CODEC
4375 - select BITREVERSE
4376 -- select ZONE_DMA
4377 -+ depends on ZONE_DMA
4378 - help
4379 - Say Y here to include support for soundcards based on the
4380 - ICE1712 (Envy24) chip.
4381 -@@ -700,7 +700,7 @@ config SND_LX6464ES
4382 - config SND_MAESTRO3
4383 - tristate "ESS Allegro/Maestro3"
4384 - select SND_AC97_CODEC
4385 -- select ZONE_DMA
4386 -+ depends on ZONE_DMA
4387 - help
4388 - Say Y here to include support for soundcards based on ESS Maestro 3
4389 - (Allegro) chips.
4390 -@@ -806,7 +806,7 @@ config SND_SIS7019
4391 - tristate "SiS 7019 Audio Accelerator"
4392 - depends on X86_32
4393 - select SND_AC97_CODEC
4394 -- select ZONE_DMA
4395 -+ depends on ZONE_DMA
4396 - help
4397 - Say Y here to include support for the SiS 7019 Audio Accelerator.
4398 -
4399 -@@ -818,7 +818,7 @@ config SND_SONICVIBES
4400 - select SND_OPL3_LIB
4401 - select SND_MPU401_UART
4402 - select SND_AC97_CODEC
4403 -- select ZONE_DMA
4404 -+ depends on ZONE_DMA
4405 - help
4406 - Say Y here to include support for soundcards based on the S3
4407 - SonicVibes chip.
4408 -@@ -830,7 +830,7 @@ config SND_TRIDENT
4409 - tristate "Trident 4D-Wave DX/NX; SiS 7018"
4410 - select SND_MPU401_UART
4411 - select SND_AC97_CODEC
4412 -- select ZONE_DMA
4413 -+ depends on ZONE_DMA
4414 - help
4415 - Say Y here to include support for soundcards based on Trident
4416 - 4D-Wave DX/NX or SiS 7018 chips.
4417 -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
4418 -index acbfbe08..f22f5c4 100644
4419 ---- a/sound/pci/hda/patch_hdmi.c
4420 -+++ b/sound/pci/hda/patch_hdmi.c
4421 -@@ -50,8 +50,9 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info");
4422 - #define is_haswell(codec) ((codec)->core.vendor_id == 0x80862807)
4423 - #define is_broadwell(codec) ((codec)->core.vendor_id == 0x80862808)
4424 - #define is_skylake(codec) ((codec)->core.vendor_id == 0x80862809)
4425 -+#define is_broxton(codec) ((codec)->core.vendor_id == 0x8086280a)
4426 - #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \
4427 -- || is_skylake(codec))
4428 -+ || is_skylake(codec) || is_broxton(codec))
4429 -
4430 - #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882)
4431 - #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883)
4432 -diff --git a/tools/net/Makefile b/tools/net/Makefile
4433 -index ee577ea..ddf8880 100644
4434 ---- a/tools/net/Makefile
4435 -+++ b/tools/net/Makefile
4436 -@@ -4,6 +4,9 @@ CC = gcc
4437 - LEX = flex
4438 - YACC = bison
4439 -
4440 -+CFLAGS += -Wall -O2
4441 -+CFLAGS += -D__EXPORTED_HEADERS__ -I../../include/uapi -I../../include
4442 -+
4443 - %.yacc.c: %.y
4444 - $(YACC) -o $@ -d $<
4445 -
4446 -@@ -12,15 +15,13 @@ YACC = bison
4447 -
4448 - all : bpf_jit_disasm bpf_dbg bpf_asm
4449 -
4450 --bpf_jit_disasm : CFLAGS = -Wall -O2 -DPACKAGE='bpf_jit_disasm'
4451 -+bpf_jit_disasm : CFLAGS += -DPACKAGE='bpf_jit_disasm'
4452 - bpf_jit_disasm : LDLIBS = -lopcodes -lbfd -ldl
4453 - bpf_jit_disasm : bpf_jit_disasm.o
4454 -
4455 --bpf_dbg : CFLAGS = -Wall -O2
4456 - bpf_dbg : LDLIBS = -lreadline
4457 - bpf_dbg : bpf_dbg.o
4458 -
4459 --bpf_asm : CFLAGS = -Wall -O2 -I.
4460 - bpf_asm : LDLIBS =
4461 - bpf_asm : bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o
4462 - bpf_exp.lex.o : bpf_exp.yacc.c
4463
4464 diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201512162141.patch b/4.3.3/4420_grsecurity-3.1-4.3.3-201512222129.patch
4465 similarity index 99%
4466 rename from 4.3.3/4420_grsecurity-3.1-4.3.3-201512162141.patch
4467 rename to 4.3.3/4420_grsecurity-3.1-4.3.3-201512222129.patch
4468 index 4b7bff5..2c1d2ad 100644
4469 --- a/4.3.3/4420_grsecurity-3.1-4.3.3-201512162141.patch
4470 +++ b/4.3.3/4420_grsecurity-3.1-4.3.3-201512222129.patch
4471 @@ -313,7 +313,7 @@ index 13f888a..250729b 100644
4472 A typical pattern in a Kbuild file looks like this:
4473
4474 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
4475 -index 22a4b68..8c70743 100644
4476 +index 22a4b68..0ec4c2a 100644
4477 --- a/Documentation/kernel-parameters.txt
4478 +++ b/Documentation/kernel-parameters.txt
4479 @@ -1246,6 +1246,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
4480 @@ -341,7 +341,7 @@ index 22a4b68..8c70743 100644
4481 nosmap [X86]
4482 Disable SMAP (Supervisor Mode Access Prevention)
4483 even if it is supported by processor.
4484 -@@ -2677,6 +2688,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
4485 +@@ -2677,6 +2688,35 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
4486 the specified number of seconds. This is to be used if
4487 your oopses keep scrolling off the screen.
4488
4489 @@ -366,6 +366,11 @@ index 22a4b68..8c70743 100644
4490 + from the first 4GB of memory as the bootmem allocator
4491 + passes the memory pages to the buddy allocator.
4492 +
4493 ++ pax_size_overflow_report_only
4494 ++ Enables rate-limited logging of size_overflow plugin
4495 ++ violations while disabling killing of the violating
4496 ++ task.
4497 ++
4498 + pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
4499 + when the processor supports PCID.
4500 +
4501 @@ -3811,7 +3816,7 @@ index 845769e..4278fd7 100644
4502 atomic64_set(&mm->context.id, asid);
4503 }
4504 diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
4505 -index 0d629b8..01867c8 100644
4506 +index 0d629b8..f13ad33 100644
4507 --- a/arch/arm/mm/fault.c
4508 +++ b/arch/arm/mm/fault.c
4509 @@ -25,6 +25,7 @@
4510 @@ -3859,7 +3864,7 @@ index 0d629b8..01867c8 100644
4511 #endif
4512
4513 +#ifdef CONFIG_PAX_PAGEEXEC
4514 -+ if (fsr & FSR_LNX_PF) {
4515 ++ if ((tsk->mm->pax_flags & MF_PAX_PAGEEXEC) && (fsr & FSR_LNX_PF)) {
4516 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
4517 + do_group_exit(SIGKILL);
4518 + }
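Review bot: The added `tsk->mm->pax_flags` test in the ARM fault path dereferences `tsk->mm` with no NULL check visible in this hunk. The enclosing function starts outside the hunk, so whether `mm` is guaranteed non-NULL at this point cannot be confirmed from the patch context. If the block is only reached for user-mode faults, a comment such as `/* user fault: tsk->mm is non-NULL here */` would record that assumption; otherwise the condition should start with `tsk->mm &&`. The x86 counterpart later in the patch tests `mm->pax_flags` through a local variable, which reads more clearly.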
4519 @@ -32731,7 +32736,7 @@ index 903ec1e..41b4708 100644
4520 }
4521
4522 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
4523 -index eef44d9..b0fb164 100644
4524 +index eef44d9..79b0e58 100644
4525 --- a/arch/x86/mm/fault.c
4526 +++ b/arch/x86/mm/fault.c
4527 @@ -14,6 +14,8 @@
4528 @@ -33203,7 +33208,7 @@ index eef44d9..b0fb164 100644
4529 +
4530 +#ifdef CONFIG_PAX_SEGMEXEC
4531 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
4532 -+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
4533 ++ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
4534 + return true;
4535 + return false;
4536 + }
4537 @@ -36996,6 +37001,28 @@ index ad3f276..bef6d50 100644
4538 return ERR_PTR(-EINVAL);
4539
4540 nr_pages += end - start;
4541 +diff --git a/block/blk-core.c b/block/blk-core.c
4542 +index 18e92a6..1834d7c 100644
4543 +--- a/block/blk-core.c
4544 ++++ b/block/blk-core.c
4545 +@@ -1616,8 +1616,6 @@ static void blk_queue_bio(struct request_queue *q, struct bio *bio)
4546 + struct request *req;
4547 + unsigned int request_count = 0;
4548 +
4549 +- blk_queue_split(q, &bio, q->bio_split);
4550 +-
4551 + /*
4552 + * low level driver can indicate that it wants pages above a
4553 + * certain limit bounced to low memory (ie for highmem, or even
4554 +@@ -1625,6 +1623,8 @@ static void blk_queue_bio(struct request_queue *q, struct bio *bio)
4555 + */
4556 + blk_queue_bounce(q, &bio);
4557 +
4558 ++ blk_queue_split(q, &bio, q->bio_split);
4559 ++
4560 + if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
4561 + bio->bi_error = -EIO;
4562 + bio_endio(bio);
4563 diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
4564 index 0736729..2ec3b48 100644
4565 --- a/block/blk-iopoll.c
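Review bot: Moving `blk_queue_split()` below `blk_queue_bounce()` makes the call order significant, but the new placement carries no comment, so a later cleanup could swap the two calls back. A line such as `/* split only after bouncing: the bounce step may substitute a different bio */` above the moved call would record the constraint. That reason is my reading of the change and is not stated in the patch. `blk_queue_bio()` continues outside the hunk.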
4566 @@ -75725,6 +75752,32 @@ index f70119f..b7d2bb4 100644
4567
4568 /* for init */
4569 int __init btrfs_delayed_inode_init(void);
4570 +diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
4571 +index 6a98bdd..fed3da6 100644
4572 +--- a/fs/btrfs/extent_map.c
4573 ++++ b/fs/btrfs/extent_map.c
4574 +@@ -235,7 +235,9 @@ static void try_merge_map(struct extent_map_tree *tree, struct extent_map *em)
4575 + em->start = merge->start;
4576 + em->orig_start = merge->orig_start;
4577 + em->len += merge->len;
4578 +- em->block_len += merge->block_len;
4579 ++ if (em->block_start != EXTENT_MAP_HOLE &&
4580 ++ em->block_start != EXTENT_MAP_INLINE)
4581 ++ em->block_len += merge->block_len;
4582 + em->block_start = merge->block_start;
4583 + em->mod_len = (em->mod_len + em->mod_start) - merge->mod_start;
4584 + em->mod_start = merge->mod_start;
4585 +@@ -252,7 +254,9 @@ static void try_merge_map(struct extent_map_tree *tree, struct extent_map *em)
4586 + merge = rb_entry(rb, struct extent_map, rb_node);
4587 + if (rb && mergable_maps(em, merge)) {
4588 + em->len += merge->len;
4589 +- em->block_len += merge->block_len;
4590 ++ if (em->block_start != EXTENT_MAP_HOLE &&
4591 ++ em->block_start != EXTENT_MAP_INLINE)
4592 ++ em->block_len += merge->block_len;
4593 + rb_erase(&merge->rb_node, &tree->map);
4594 + RB_CLEAR_NODE(&merge->rb_node);
4595 + em->mod_len = (merge->mod_start + merge->mod_len) - em->mod_start;
4596 diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
4597 index 396e3d5..e752d29 100644
4598 --- a/fs/btrfs/inode.c
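Review bot: The same guard (`em->block_start != EXTENT_MAP_HOLE && em->block_start != EXTENT_MAP_INLINE`) is added to both merge branches of `try_merge_map()`. A small static helper, or one comment explaining why `block_len` must not be accumulated for these extent kinds, would avoid the duplication. In the first branch the guard reads `em->block_start` one line before it is overwritten with `merge->block_start`, which is only equivalent if `mergable_maps()` guarantees both maps are of the same kind; that function is not visible here. `try_merge_map()` starts and ends outside the hunks.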
4599 @@ -77174,7 +77227,7 @@ index e4141f2..d8263e8 100644
4600 i += packet_length_size;
4601 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
4602 diff --git a/fs/exec.c b/fs/exec.c
4603 -index b06623a..895c666 100644
4604 +index b06623a..1c50b96 100644
4605 --- a/fs/exec.c
4606 +++ b/fs/exec.c
4607 @@ -56,8 +56,20 @@
4608 @@ -77670,7 +77723,7 @@ index b06623a..895c666 100644
4609 out:
4610 if (bprm->mm) {
4611 acct_arg_size(bprm, 0);
4612 -@@ -1749,3 +1924,313 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
4613 +@@ -1749,3 +1924,319 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
4614 argv, envp, flags);
4615 }
4616 #endif
4617 @@ -77976,11 +78029,17 @@ index b06623a..895c666 100644
4618 +
4619 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
4620 +
4621 ++static DEFINE_RATELIMIT_STATE(size_overflow_ratelimit, 15 * HZ, 3);
4622 ++extern bool pax_size_overflow_report_only;
4623 ++
4624 +void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
4625 +{
4626 -+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
4627 -+ dump_stack();
4628 -+ do_group_exit(SIGKILL);
4629 ++ if (!pax_size_overflow_report_only || __ratelimit(&size_overflow_ratelimit)) {
4630 ++ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
4631 ++ dump_stack();
4632 ++ }
4633 ++ if (!pax_size_overflow_report_only)
4634 ++ do_group_exit(SIGKILL);
4635 +}
4636 +EXPORT_SYMBOL(report_size_overflow);
4637 +#endif
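Review bot: `extern bool pax_size_overflow_report_only;` is declared inside fs/exec.c while the definition is added in init/main.c, so nothing makes the compiler check the two against each other; the declaration belongs in a header that both files include. The `printk(KERN_EMERG ...)` format string also has no trailing `\n`. In report-only mode `__ratelimit()` limits output to 3 reports per 15 seconds, so log-based monitoring will undercount violations during a burst, which is worth stating in the parameter's documentation.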
4638 @@ -82413,7 +82472,7 @@ index eed2050..fb443f2 100644
4639 static struct pid *
4640 get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
4641 diff --git a/fs/proc/base.c b/fs/proc/base.c
4642 -index 29595af..6ab6000 100644
4643 +index 29595af..aeaaf2e 100644
4644 --- a/fs/proc/base.c
4645 +++ b/fs/proc/base.c
4646 @@ -113,6 +113,14 @@ struct pid_entry {
4647 @@ -82794,7 +82853,15 @@ index 29595af..6ab6000 100644
4648 if (!dir_emit_dots(file, ctx))
4649 goto out;
4650
4651 -@@ -2519,7 +2645,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
4652 +@@ -2484,6 +2610,7 @@ static ssize_t proc_coredump_filter_write(struct file *file,
4653 + mm = get_task_mm(task);
4654 + if (!mm)
4655 + goto out_no_mm;
4656 ++ ret = 0;
4657 +
4658 + for (i = 0, mask = 1; i < MMF_DUMP_FILTER_BITS; i++, mask <<= 1) {
4659 + if (val & mask)
4660 +@@ -2519,7 +2646,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
4661 if (result)
4662 return result;
4663
4664 @@ -82803,7 +82870,7 @@ index 29595af..6ab6000 100644
4665 result = -EACCES;
4666 goto out_unlock;
4667 }
4668 -@@ -2738,7 +2864,7 @@ static const struct pid_entry tgid_base_stuff[] = {
4669 +@@ -2738,7 +2865,7 @@ static const struct pid_entry tgid_base_stuff[] = {
4670 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
4671 #endif
4672 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
4673 @@ -82812,7 +82879,7 @@ index 29595af..6ab6000 100644
4674 ONE("syscall", S_IRUSR, proc_pid_syscall),
4675 #endif
4676 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
4677 -@@ -2763,10 +2889,10 @@ static const struct pid_entry tgid_base_stuff[] = {
4678 +@@ -2763,10 +2890,10 @@ static const struct pid_entry tgid_base_stuff[] = {
4679 #ifdef CONFIG_SECURITY
4680 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
4681 #endif
4682 @@ -82825,7 +82892,7 @@ index 29595af..6ab6000 100644
4683 ONE("stack", S_IRUSR, proc_pid_stack),
4684 #endif
4685 #ifdef CONFIG_SCHED_INFO
4686 -@@ -2800,6 +2926,9 @@ static const struct pid_entry tgid_base_stuff[] = {
4687 +@@ -2800,6 +2927,9 @@ static const struct pid_entry tgid_base_stuff[] = {
4688 #ifdef CONFIG_HARDWALL
4689 ONE("hardwall", S_IRUGO, proc_pid_hardwall),
4690 #endif
4691 @@ -82835,7 +82902,7 @@ index 29595af..6ab6000 100644
4692 #ifdef CONFIG_USER_NS
4693 REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
4694 REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
4695 -@@ -2932,7 +3061,14 @@ static int proc_pid_instantiate(struct inode *dir,
4696 +@@ -2932,7 +3062,14 @@ static int proc_pid_instantiate(struct inode *dir,
4697 if (!inode)
4698 goto out;
4699
4700 @@ -82850,7 +82917,7 @@ index 29595af..6ab6000 100644
4701 inode->i_op = &proc_tgid_base_inode_operations;
4702 inode->i_fop = &proc_tgid_base_operations;
4703 inode->i_flags|=S_IMMUTABLE;
4704 -@@ -2970,7 +3106,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
4705 +@@ -2970,7 +3107,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
4706 if (!task)
4707 goto out;
4708
4709 @@ -82862,7 +82929,7 @@ index 29595af..6ab6000 100644
4710 put_task_struct(task);
4711 out:
4712 return ERR_PTR(result);
4713 -@@ -3084,7 +3224,7 @@ static const struct pid_entry tid_base_stuff[] = {
4714 +@@ -3084,7 +3225,7 @@ static const struct pid_entry tid_base_stuff[] = {
4715 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
4716 #endif
4717 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
4718 @@ -82871,7 +82938,7 @@ index 29595af..6ab6000 100644
4719 ONE("syscall", S_IRUSR, proc_pid_syscall),
4720 #endif
4721 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
4722 -@@ -3111,10 +3251,10 @@ static const struct pid_entry tid_base_stuff[] = {
4723 +@@ -3111,10 +3252,10 @@ static const struct pid_entry tid_base_stuff[] = {
4724 #ifdef CONFIG_SECURITY
4725 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
4726 #endif
4727 @@ -84997,6 +85064,28 @@ index 8e2010d..95549ab 100644
4728 #endif /* DEBUG */
4729
4730 /*
4731 +diff --git a/fs/xfs/libxfs/xfs_da_btree.c b/fs/xfs/libxfs/xfs_da_btree.c
4732 +index be43248..6bb4442 100644
4733 +--- a/fs/xfs/libxfs/xfs_da_btree.c
4734 ++++ b/fs/xfs/libxfs/xfs_da_btree.c
4735 +@@ -2007,6 +2007,7 @@ xfs_da_grow_inode_int(
4736 + struct xfs_inode *dp = args->dp;
4737 + int w = args->whichfork;
4738 + xfs_rfsblock_t nblks = dp->i_d.di_nblocks;
4739 ++ xfs_rfsblock_t nblocks;
4740 + struct xfs_bmbt_irec map, *mapp;
4741 + int nmap, error, got, i, mapi;
4742 +
4743 +@@ -2075,7 +2076,8 @@ xfs_da_grow_inode_int(
4744 + }
4745 +
4746 + /* account for newly allocated blocks in reserved blocks total */
4747 +- args->total -= dp->i_d.di_nblocks - nblks;
4748 ++ nblocks = dp->i_d.di_nblocks - nblks;
4749 ++ args->total -= nblocks;
4750 +
4751 + out_free_map:
4752 + if (mapp != &map)
4753 diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c
4754 index a989a9c..db30c9a 100644
4755 --- a/fs/xfs/xfs_dir2_readdir.c
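Review bot: The new local `nblocks` only holds `dp->i_d.di_nblocks - nblks` before it is subtracted from `args->total`, and nothing explains why the expression was split. If the temporary exists to give the difference an explicit `xfs_rfsblock_t` type (possibly for overflow instrumentation), a comment next to it should say so, e.g. `/* keep the delta in xfs_rfsblock_t before adjusting args->total */`. Without that, a later cleanup is likely to fold it back. `xfs_da_grow_inode_int()` continues outside the hunk.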
4756 @@ -105589,7 +105678,7 @@ index b32ad7d..05f6420 100644
4757 next_state = Reset;
4758 return 0;
4759 diff --git a/init/main.c b/init/main.c
4760 -index 9e64d70..141e0b4 100644
4761 +index 9e64d70..2f40cd9 100644
4762 --- a/init/main.c
4763 +++ b/init/main.c
4764 @@ -97,6 +97,8 @@ extern void radix_tree_init(void);
4765 @@ -105601,7 +105690,7 @@ index 9e64d70..141e0b4 100644
4766 /*
4767 * Debug helper: via this flag we know that we are in 'early bootup code'
4768 * where only the boot processor is running with IRQ disabled. This means
4769 -@@ -158,6 +160,37 @@ static int __init set_reset_devices(char *str)
4770 +@@ -158,6 +160,48 @@ static int __init set_reset_devices(char *str)
4771
4772 __setup("reset_devices", set_reset_devices);
4773
4774 @@ -105636,10 +105725,21 @@ index 9e64d70..141e0b4 100644
4775 +__setup("pax_softmode=", setup_pax_softmode);
4776 +#endif
4777 +
4778 ++#ifdef CONFIG_PAX_SIZE_OVERFLOW
4779 ++bool pax_size_overflow_report_only __read_only;
4780 ++
4781 ++static int __init setup_pax_size_overflow_report_only(char *str)
4782 ++{
4783 ++ pax_size_overflow_report_only = true;
4784 ++ return 0;
4785 ++}
4786 ++early_param("pax_size_overflow_report_only", setup_pax_size_overflow_report_only);
4787 ++#endif
4788 ++
4789 static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
4790 const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
4791 static const char *panic_later, *panic_param;
4792 -@@ -731,7 +764,7 @@ static bool __init_or_module initcall_blacklisted(initcall_t fn)
4793 +@@ -731,7 +775,7 @@ static bool __init_or_module initcall_blacklisted(initcall_t fn)
4794 struct blacklist_entry *entry;
4795 char *fn_name;
4796
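Review bot: `setup_pax_size_overflow_report_only()` switches size_overflow handling from kill to log-only without leaving any trace in the boot log, so an operator reviewing dmesg cannot tell that enforcement is off. A line such as `pr_warn("PAX: size_overflow is in report-only mode, violating tasks will not be killed\n");` in the handler would make the weakened state auditable. The `str` argument appears unused, so anything supplied with the parameter is accepted silently.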
4797 @@ -105648,7 +105748,7 @@ index 9e64d70..141e0b4 100644
4798 if (!fn_name)
4799 return false;
4800
4801 -@@ -783,7 +816,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
4802 +@@ -783,7 +827,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
4803 {
4804 int count = preempt_count();
4805 int ret;
4806 @@ -105657,7 +105757,7 @@ index 9e64d70..141e0b4 100644
4807
4808 if (initcall_blacklisted(fn))
4809 return -EPERM;
4810 -@@ -793,18 +826,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
4811 +@@ -793,18 +837,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
4812 else
4813 ret = fn();
4814
4815 @@ -105680,7 +105780,7 @@ index 9e64d70..141e0b4 100644
4816 return ret;
4817 }
4818
4819 -@@ -909,8 +941,8 @@ static int run_init_process(const char *init_filename)
4820 +@@ -909,8 +952,8 @@ static int run_init_process(const char *init_filename)
4821 {
4822 argv_init[0] = init_filename;
4823 return do_execve(getname_kernel(init_filename),
4824 @@ -105691,7 +105791,7 @@ index 9e64d70..141e0b4 100644
4825 }
4826
4827 static int try_to_run_init_process(const char *init_filename)
4828 -@@ -927,6 +959,10 @@ static int try_to_run_init_process(const char *init_filename)
4829 +@@ -927,6 +970,10 @@ static int try_to_run_init_process(const char *init_filename)
4830 return ret;
4831 }
4832
4833 @@ -105702,7 +105802,7 @@ index 9e64d70..141e0b4 100644
4834 static noinline void __init kernel_init_freeable(void);
4835
4836 static int __ref kernel_init(void *unused)
4837 -@@ -951,6 +987,11 @@ static int __ref kernel_init(void *unused)
4838 +@@ -951,6 +998,11 @@ static int __ref kernel_init(void *unused)
4839 ramdisk_execute_command, ret);
4840 }
4841
4842 @@ -105714,7 +105814,7 @@ index 9e64d70..141e0b4 100644
4843 /*
4844 * We try each of these until one succeeds.
4845 *
4846 -@@ -1008,7 +1049,7 @@ static noinline void __init kernel_init_freeable(void)
4847 +@@ -1008,7 +1060,7 @@ static noinline void __init kernel_init_freeable(void)
4848 do_basic_setup();
4849
4850 /* Open the /dev/console on the rootfs, this should never fail */
4851 @@ -105723,7 +105823,7 @@ index 9e64d70..141e0b4 100644
4852 pr_err("Warning: unable to open an initial console.\n");
4853
4854 (void) sys_dup(0);
4855 -@@ -1021,11 +1062,13 @@ static noinline void __init kernel_init_freeable(void)
4856 +@@ -1021,11 +1073,13 @@ static noinline void __init kernel_init_freeable(void)
4857 if (!ramdisk_execute_command)
4858 ramdisk_execute_command = "/init";
4859
4860 @@ -109683,10 +109783,45 @@ index 99513e1..0caa643 100644
4861 }
4862
4863 diff --git a/kernel/ptrace.c b/kernel/ptrace.c
4864 -index 787320d..9e9535d 100644
4865 +index 787320d..9873654 100644
4866 --- a/kernel/ptrace.c
4867 +++ b/kernel/ptrace.c
4868 -@@ -219,6 +219,13 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
4869 +@@ -207,18 +207,45 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
4870 + return ret;
4871 + }
4872 +
4873 +-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
4874 ++static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
4875 + {
4876 ++ struct user_namespace *tns = tcred->user_ns;
4877 ++ struct user_namespace *curns = current_cred()->user_ns;
4878 ++
4879 ++ /* When a root-owned process enters a user namespace created by a
4880 ++ * malicious user, the user shouldn't be able to execute code under
4881 ++ * uid 0 by attaching to the root-owned process via ptrace.
4882 ++ * Therefore, similar to the capable_wrt_inode_uidgid() check,
4883 ++ * verify that all the uids and gids of the target process are
4884 ++ * mapped into the current namespace.
4885 ++ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
4886 ++ * either.
4887 ++ */
4888 ++ if (!kuid_has_mapping(curns, tcred->euid) ||
4889 ++ !kuid_has_mapping(curns, tcred->suid) ||
4890 ++ !kuid_has_mapping(curns, tcred->uid) ||
4891 ++ !kgid_has_mapping(curns, tcred->egid) ||
4892 ++ !kgid_has_mapping(curns, tcred->sgid) ||
4893 ++ !kgid_has_mapping(curns, tcred->gid))
4894 ++ return false;
4895 ++
4896 + if (mode & PTRACE_MODE_NOAUDIT)
4897 +- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
4898 ++ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
4899 + else
4900 +- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
4901 ++ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
4902 + }
4903 +
4904 + /* Returns 0 on success, -errno on denial. */
4905 static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
4906 {
4907 const struct cred *cred = current_cred(), *tcred;
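Review bot: `ptrace_has_cap()` now reads six id fields through `tcred`, but its comment does not say the caller must keep that cred alive. A line such as `/* Caller must hold rcu_read_lock() or otherwise pin tcred. */` should be added above it. The call sites updated in the hunk at `@@ -109733,9 +109868,21 @@` pass `tcred` or `__task_cred(task)`, and the latter is visibly under `rcu_read_lock()`, so this is a documentation gap rather than a bug. The new block comment also starts its text on the `/*` line, which differs from the usual kernel multi-line form. `__ptrace_may_access()` continues beyond this hunk.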
4908 @@ -109700,7 +109835,7 @@ index 787320d..9e9535d 100644
4909
4910 /* May we inspect the given task?
4911 * This check is used both for attaching with ptrace
4912 -@@ -233,13 +240,28 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
4913 +@@ -233,15 +260,30 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
4914 if (same_thread_group(task, current))
4915 return 0;
4916 rcu_read_lock();
4917 @@ -109733,9 +109868,21 @@ index 787320d..9e9535d 100644
4918 + gid_eq(caller_gid, tcred->sgid) &&
4919 + gid_eq(caller_gid, tcred->gid))
4920 goto ok;
4921 - if (ptrace_has_cap(tcred->user_ns, mode))
4922 +- if (ptrace_has_cap(tcred->user_ns, mode))
4923 ++ if (ptrace_has_cap(tcred, mode))
4924 goto ok;
4925 -@@ -306,7 +328,7 @@ static int ptrace_attach(struct task_struct *task, long request,
4926 + rcu_read_unlock();
4927 + return -EPERM;
4928 +@@ -252,7 +294,7 @@ ok:
4929 + dumpable = get_dumpable(task->mm);
4930 + rcu_read_lock();
4931 + if (dumpable != SUID_DUMP_USER &&
4932 +- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
4933 ++ !ptrace_has_cap(__task_cred(task), mode)) {
4934 + rcu_read_unlock();
4935 + return -EPERM;
4936 + }
4937 +@@ -306,7 +348,7 @@ static int ptrace_attach(struct task_struct *task, long request,
4938 goto out;
4939
4940 task_lock(task);
4941 @@ -109744,7 +109891,7 @@ index 787320d..9e9535d 100644
4942 task_unlock(task);
4943 if (retval)
4944 goto unlock_creds;
4945 -@@ -321,7 +343,7 @@ static int ptrace_attach(struct task_struct *task, long request,
4946 +@@ -321,7 +363,7 @@ static int ptrace_attach(struct task_struct *task, long request,
4947 if (seize)
4948 flags |= PT_SEIZED;
4949 rcu_read_lock();
4950 @@ -109753,7 +109900,7 @@ index 787320d..9e9535d 100644
4951 flags |= PT_PTRACE_CAP;
4952 rcu_read_unlock();
4953 task->ptrace = flags;
4954 -@@ -514,7 +536,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
4955 +@@ -514,7 +556,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
4956 break;
4957 return -EIO;
4958 }
4959 @@ -109762,7 +109909,7 @@ index 787320d..9e9535d 100644
4960 return -EFAULT;
4961 copied += retval;
4962 src += retval;
4963 -@@ -815,7 +837,7 @@ int ptrace_request(struct task_struct *child, long request,
4964 +@@ -815,7 +857,7 @@ int ptrace_request(struct task_struct *child, long request,
4965 bool seized = child->ptrace & PT_SEIZED;
4966 int ret = -EIO;
4967 siginfo_t siginfo, *si;
4968 @@ -109771,7 +109918,7 @@ index 787320d..9e9535d 100644
4969 unsigned long __user *datalp = datavp;
4970 unsigned long flags;
4971
4972 -@@ -1061,14 +1083,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
4973 +@@ -1061,14 +1103,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
4974 goto out;
4975 }
4976
4977 @@ -109794,7 +109941,7 @@ index 787320d..9e9535d 100644
4978 goto out_put_task_struct;
4979 }
4980
4981 -@@ -1096,7 +1125,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
4982 +@@ -1096,7 +1145,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
4983 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
4984 if (copied != sizeof(tmp))
4985 return -EIO;
4986 @@ -109803,7 +109950,7 @@ index 787320d..9e9535d 100644
4987 }
4988
4989 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
4990 -@@ -1189,7 +1218,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
4991 +@@ -1189,7 +1238,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
4992 }
4993
4994 COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
4995 @@ -109812,7 +109959,7 @@ index 787320d..9e9535d 100644
4996 {
4997 struct task_struct *child;
4998 long ret;
4999 -@@ -1205,14 +1234,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
5000 +@@ -1205,14 +1254,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
5001 goto out;
5002 }
5003
5004 @@ -120164,7 +120311,7 @@ index 8a1741b..20d20e7 100644
5005 if (!err)
5006 err = put_user(SCM_RIGHTS, &cm->cmsg_type);
5007 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
5008 -index fab4599..e553f88 100644
5009 +index fab4599..e488a92 100644
5010 --- a/net/core/skbuff.c
5011 +++ b/net/core/skbuff.c
5012 @@ -2103,7 +2103,7 @@ EXPORT_SYMBOL(__skb_checksum);
5013 @@ -120193,8 +120340,18 @@ index fab4599..e553f88 100644
5014 NULL);
5015 }
5016
5017 +@@ -3643,7 +3645,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
5018 + serr->ee.ee_info = tstype;
5019 + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
5020 + serr->ee.ee_data = skb_shinfo(skb)->tskey;
5021 +- if (sk->sk_protocol == IPPROTO_TCP)
5022 ++ if (sk->sk_protocol == IPPROTO_TCP &&
5023 ++ sk->sk_type == SOCK_STREAM)
5024 + serr->ee.ee_data -= sk->sk_tskey;
5025 + }
5026 +
5027 diff --git a/net/core/sock.c b/net/core/sock.c
5028 -index 3307c02..08b1281 100644
5029 +index 3307c02..3a9bfdc 100644
5030 --- a/net/core/sock.c
5031 +++ b/net/core/sock.c
5032 @@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
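Review bot: The compound test `sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM` is written out here in `__skb_complete_tx_timestamp()` and again in the net/core/sock.c hunk at `@@ -120233,7 +120390,17 @@`, where it gates the `SOF_TIMESTAMPING_OPT_ID` handling. The two sites have to agree on which sockets get the `sk_tskey` offset, so a small shared inline predicate would keep them from drifting. A comment should also say why `sk_protocol` alone is not sufficient; presumably a non-stream socket can carry `IPPROTO_TCP` as its protocol value. Both functions extend beyond the hunks shown.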
5033 @@ -120233,7 +120390,17 @@ index 3307c02..08b1281 100644
5034 goto discard_and_relse;
5035 }
5036
5037 -@@ -908,6 +908,7 @@ set_rcvbuf:
5038 +@@ -862,7 +862,8 @@ set_rcvbuf:
5039 +
5040 + if (val & SOF_TIMESTAMPING_OPT_ID &&
5041 + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
5042 +- if (sk->sk_protocol == IPPROTO_TCP) {
5043 ++ if (sk->sk_protocol == IPPROTO_TCP &&
5044 ++ sk->sk_type == SOCK_STREAM) {
5045 + if (sk->sk_state != TCP_ESTABLISHED) {
5046 + ret = -EINVAL;
5047 + break;
5048 +@@ -908,6 +909,7 @@ set_rcvbuf:
5049 }
5050 break;
5051
5052 @@ -120241,7 +120408,7 @@ index 3307c02..08b1281 100644
5053 case SO_ATTACH_BPF:
5054 ret = -EINVAL;
5055 if (optlen == sizeof(u32)) {
5056 -@@ -920,7 +921,7 @@ set_rcvbuf:
5057 +@@ -920,7 +922,7 @@ set_rcvbuf:
5058 ret = sk_attach_bpf(ufd, sk);
5059 }
5060 break;
5061 @@ -120250,7 +120417,7 @@ index 3307c02..08b1281 100644
5062 case SO_DETACH_FILTER:
5063 ret = sk_detach_filter(sk);
5064 break;
5065 -@@ -1022,12 +1023,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5066 +@@ -1022,12 +1024,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5067 struct timeval tm;
5068 } v;
5069
5070 @@ -120266,7 +120433,7 @@ index 3307c02..08b1281 100644
5071 return -EINVAL;
5072
5073 memset(&v, 0, sizeof(v));
5074 -@@ -1165,11 +1166,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5075 +@@ -1165,11 +1167,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5076
5077 case SO_PEERNAME:
5078 {
5079 @@ -120280,7 +120447,7 @@ index 3307c02..08b1281 100644
5080 return -EINVAL;
5081 if (copy_to_user(optval, address, len))
5082 return -EFAULT;
5083 -@@ -1257,7 +1258,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5084 +@@ -1257,7 +1259,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
5085
5086 if (len > lv)
5087 len = lv;
5088 @@ -120289,7 +120456,7 @@ index 3307c02..08b1281 100644
5089 return -EFAULT;
5090 lenout:
5091 if (put_user(len, optlen))
5092 -@@ -1550,7 +1551,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
5093 +@@ -1550,7 +1552,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
5094 newsk->sk_err = 0;
5095 newsk->sk_priority = 0;
5096 newsk->sk_incoming_cpu = raw_smp_processor_id();
5097 @@ -120298,7 +120465,7 @@ index 3307c02..08b1281 100644
5098 /*
5099 * Before updating sk_refcnt, we must commit prior changes to memory
5100 * (Documentation/RCU/rculist_nulls.txt for details)
5101 -@@ -2359,7 +2360,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
5102 +@@ -2359,7 +2361,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
5103 */
5104 smp_wmb();
5105 atomic_set(&sk->sk_refcnt, 1);
5106 @@ -120307,7 +120474,7 @@ index 3307c02..08b1281 100644
5107 }
5108 EXPORT_SYMBOL(sock_init_data);
5109
5110 -@@ -2487,6 +2488,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
5111 +@@ -2487,6 +2489,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
5112 int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
5113 int level, int type)
5114 {
5115 @@ -120315,7 +120482,7 @@ index 3307c02..08b1281 100644
5116 struct sock_exterr_skb *serr;
5117 struct sk_buff *skb;
5118 int copied, err;
5119 -@@ -2508,7 +2510,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
5120 +@@ -2508,7 +2511,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
5121 sock_recv_timestamp(msg, sk, skb);
5122
5123 serr = SKB_EXT_ERR(skb);
5124 @@ -121854,7 +122021,7 @@ index c10a9ee..c621a01 100644
5125 return -ENOMEM;
5126 }
5127 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
5128 -index 3939dd2..ea4fbed 100644
5129 +index 3939dd2..7372e9a 100644
5130 --- a/net/ipv6/addrconf.c
5131 +++ b/net/ipv6/addrconf.c
5132 @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
5133 @@ -121985,7 +122152,25 @@ index 3939dd2..ea4fbed 100644
5134 struct net *net = ctl->extra2;
5135 struct ipv6_stable_secret *secret = ctl->data;
5136
5137 -@@ -5397,7 +5410,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl,
5138 +@@ -5343,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
5139 + goto out;
5140 + }
5141 +
5142 +- if (!write) {
5143 +- err = snprintf(str, sizeof(str), "%pI6",
5144 +- &secret->secret);
5145 +- if (err >= sizeof(str)) {
5146 +- err = -EIO;
5147 +- goto out;
5148 +- }
5149 ++ err = snprintf(str, sizeof(str), "%pI6", &secret->secret);
5150 ++ if (err >= sizeof(str)) {
5151 ++ err = -EIO;
5152 ++ goto out;
5153 + }
5154 +
5155 + err = proc_dostring(&lctl, write, buffer, lenp, ppos);
5156 +@@ -5397,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct ctl_table *ctl,
5157 int *valp = ctl->data;
5158 int val = *valp;
5159 loff_t pos = *ppos;
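Review bot: The `snprintf()` into `str` now runs on writes as well as reads, and no comment says why. Presumably it ensures `str` holds defined contents before `proc_dostring()` uses it on the write path, which would be worth recording as `/* always format: str must be initialised before proc_dostring() */`. The check `err >= sizeof(str)` compares an `int` with a `size_t`, so `(size_t)err >= sizeof(str)` or an explicit `err < 0 ||` would make the intent plain. `addrconf_sysctl_stable_secret()` starts and ends outside this hunk.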