summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2017-02-25 06:57:22 -0500
committerAnthony G. Basile <blueness@gentoo.org>2017-02-25 06:57:22 -0500
commitb29d22f84076b2b7b21dd32836b57ca262dcd8db (patch)
treea679d884201331901989ab65ec6a279cd62cbdfc
parentgrsecurity-3.1-4.9.11-201702181444 (diff)
downloadhardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.tar.gz
hardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.tar.bz2
hardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.zip
grsecurity-3.1-4.9.12-20170223183020170223
-rw-r--r--4.9.11/1009_linux-4.9.10.patch2157
-rw-r--r--4.9.11/1010_linux-4.9.11.patch1893
-rw-r--r--4.9.12/0000_README (renamed from 4.9.11/0000_README)10
-rw-r--r--4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch (renamed from 4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch)299
-rw-r--r--4.9.12/4425_grsec_remove_EI_PAX.patch (renamed from 4.9.11/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.9.12/4426_default_XATTR_PAX_FLAGS.patch (renamed from 4.9.11/4426_default_XATTR_PAX_FLAGS.patch)0
-rw-r--r--4.9.12/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.9.11/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.9.12/4430_grsec-remove-localversion-grsec.patch (renamed from 4.9.11/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.9.12/4435_grsec-mute-warnings.patch (renamed from 4.9.11/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.9.12/4440_grsec-remove-protected-paths.patch (renamed from 4.9.11/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.9.12/4450_grsec-kconfig-default-gids.patch (renamed from 4.9.11/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.9.12/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.9.11/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.9.12/4470_disable-compat_vdso.patch (renamed from 4.9.11/4470_disable-compat_vdso.patch)0
-rw-r--r--4.9.12/4475_emutramp_default_on.patch (renamed from 4.9.11/4475_emutramp_default_on.patch)0
14 files changed, 161 insertions, 4198 deletions
diff --git a/4.9.11/1009_linux-4.9.10.patch b/4.9.11/1009_linux-4.9.10.patch
deleted file mode 100644
index 1767b59..0000000
--- a/4.9.11/1009_linux-4.9.10.patch
+++ /dev/null
@@ -1,2157 +0,0 @@
-diff --git a/Makefile b/Makefile
-index c0c41c9..d2fe757 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 9
--SUBLEVEL = 9
-+SUBLEVEL = 10
- EXTRAVERSION =
- NAME = Roaring Lionus
-
-diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c
-index 91ebe38..5f69c3b 100644
---- a/arch/arc/kernel/unaligned.c
-+++ b/arch/arc/kernel/unaligned.c
-@@ -243,7 +243,7 @@ int misaligned_fixup(unsigned long address, struct pt_regs *regs,
-
- /* clear any remanants of delay slot */
- if (delay_mode(regs)) {
-- regs->ret = regs->bta ~1U;
-+ regs->ret = regs->bta & ~1U;
- regs->status32 &= ~STATUS_DE_MASK;
- } else {
- regs->ret += state.instr_len;
-diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi
-index 1ade195..7aa120f 100644
---- a/arch/arm/boot/dts/imx6dl.dtsi
-+++ b/arch/arm/boot/dts/imx6dl.dtsi
-@@ -137,7 +137,7 @@
- &gpio4 {
- gpio-ranges = <&iomuxc 5 136 1>, <&iomuxc 6 145 1>, <&iomuxc 7 150 1>,
- <&iomuxc 8 146 1>, <&iomuxc 9 151 1>, <&iomuxc 10 147 1>,
-- <&iomuxc 11 151 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
-+ <&iomuxc 11 152 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
- <&iomuxc 14 149 1>, <&iomuxc 15 154 1>, <&iomuxc 16 39 7>,
- <&iomuxc 23 56 1>, <&iomuxc 24 61 7>, <&iomuxc 31 46 1>;
- };
-diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
-index ce131ed..ae738a6 100644
---- a/arch/arm/kernel/ptrace.c
-+++ b/arch/arm/kernel/ptrace.c
-@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *target,
- const void *kbuf, const void __user *ubuf)
- {
- int ret;
-- struct pt_regs newregs;
-+ struct pt_regs newregs = *task_pt_regs(target);
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &newregs,
-diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 3a2e678..0122ad1 100644
---- a/arch/arm/mm/fault.c
-+++ b/arch/arm/mm/fault.c
-@@ -610,9 +610,9 @@ static int __init early_abort_handler(unsigned long addr, unsigned int fsr,
-
- void __init early_abt_enable(void)
- {
-- fsr_info[22].fn = early_abort_handler;
-+ fsr_info[FSR_FS_AEA].fn = early_abort_handler;
- local_abt_enable();
-- fsr_info[22].fn = do_bad;
-+ fsr_info[FSR_FS_AEA].fn = do_bad;
- }
-
- #ifndef CONFIG_ARM_LPAE
-diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h
-index 67532f2..afc1f84 100644
---- a/arch/arm/mm/fault.h
-+++ b/arch/arm/mm/fault.h
-@@ -11,11 +11,15 @@
- #define FSR_FS5_0 (0x3f)
-
- #ifdef CONFIG_ARM_LPAE
-+#define FSR_FS_AEA 17
-+
- static inline int fsr_fs(unsigned int fsr)
- {
- return fsr & FSR_FS5_0;
- }
- #else
-+#define FSR_FS_AEA 22
-+
- static inline int fsr_fs(unsigned int fsr)
- {
- return (fsr & FSR_FS3_0) | (fsr & FSR_FS4) >> 6;
-diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index 9e1499f..13f5fad 100644
---- a/arch/powerpc/include/asm/reg.h
-+++ b/arch/powerpc/include/asm/reg.h
-@@ -641,9 +641,10 @@
- #define SRR1_ISI_N_OR_G 0x10000000 /* ISI: Access is no-exec or G */
- #define SRR1_ISI_PROT 0x08000000 /* ISI: Other protection fault */
- #define SRR1_WAKEMASK 0x00380000 /* reason for wakeup */
--#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 */
-+#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 and 9 */
- #define SRR1_WAKESYSERR 0x00300000 /* System error */
- #define SRR1_WAKEEE 0x00200000 /* External interrupt */
-+#define SRR1_WAKEHVI 0x00240000 /* Hypervisor Virtualization Interrupt (P9) */
- #define SRR1_WAKEMT 0x00280000 /* mtctrl */
- #define SRR1_WAKEHMI 0x00280000 /* Hypervisor maintenance */
- #define SRR1_WAKEDEC 0x00180000 /* Decrementer interrupt */
-diff --git a/arch/powerpc/include/asm/xics.h b/arch/powerpc/include/asm/xics.h
-index f0b2385..e0b9e57 100644
---- a/arch/powerpc/include/asm/xics.h
-+++ b/arch/powerpc/include/asm/xics.h
-@@ -44,6 +44,7 @@ static inline int icp_hv_init(void) { return -ENODEV; }
-
- #ifdef CONFIG_PPC_POWERNV
- extern int icp_opal_init(void);
-+extern void icp_opal_flush_interrupt(void);
- #else
- static inline int icp_opal_init(void) { return -ENODEV; }
- #endif
-diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c
-index 3493cf4..71697ff 100644
---- a/arch/powerpc/mm/tlb-radix.c
-+++ b/arch/powerpc/mm/tlb-radix.c
-@@ -50,9 +50,7 @@ static inline void _tlbiel_pid(unsigned long pid, unsigned long ric)
- for (set = 0; set < POWER9_TLB_SETS_RADIX ; set++) {
- __tlbiel_pid(pid, set, ric);
- }
-- if (cpu_has_feature(CPU_FTR_POWER9_DD1))
-- asm volatile(PPC_INVALIDATE_ERAT : : :"memory");
-- return;
-+ asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory");
- }
-
- static inline void _tlbie_pid(unsigned long pid, unsigned long ric)
-@@ -85,8 +83,6 @@ static inline void _tlbiel_va(unsigned long va, unsigned long pid,
- asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1)
- : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory");
- asm volatile("ptesync": : :"memory");
-- if (cpu_has_feature(CPU_FTR_POWER9_DD1))
-- asm volatile(PPC_INVALIDATE_ERAT : : :"memory");
- }
-
- static inline void _tlbie_va(unsigned long va, unsigned long pid,
-diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
-index c789258..eec0e8d 100644
---- a/arch/powerpc/platforms/powernv/smp.c
-+++ b/arch/powerpc/platforms/powernv/smp.c
-@@ -155,8 +155,10 @@ static void pnv_smp_cpu_kill_self(void)
- wmask = SRR1_WAKEMASK_P8;
-
- idle_states = pnv_get_supported_cpuidle_states();
-+
- /* We don't want to take decrementer interrupts while we are offline,
-- * so clear LPCR:PECE1. We keep PECE2 enabled.
-+ * so clear LPCR:PECE1. We keep PECE2 (and LPCR_PECE_HVEE on P9)
-+ * enabled as to let IPIs in.
- */
- mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) & ~(u64)LPCR_PECE1);
-
-@@ -206,8 +208,12 @@ static void pnv_smp_cpu_kill_self(void)
- * contains 0.
- */
- if (((srr1 & wmask) == SRR1_WAKEEE) ||
-+ ((srr1 & wmask) == SRR1_WAKEHVI) ||
- (local_paca->irq_happened & PACA_IRQ_EE)) {
-- icp_native_flush_interrupt();
-+ if (cpu_has_feature(CPU_FTR_ARCH_300))
-+ icp_opal_flush_interrupt();
-+ else
-+ icp_native_flush_interrupt();
- } else if ((srr1 & wmask) == SRR1_WAKEHDBELL) {
- unsigned long msg = PPC_DBELL_TYPE(PPC_DBELL_SERVER);
- asm volatile(PPC_MSGCLR(%0) : : "r" (msg));
-@@ -221,6 +227,8 @@ static void pnv_smp_cpu_kill_self(void)
- if (srr1 && !generic_check_cpu_restart(cpu))
- DBG("CPU%d Unexpected exit while offline !\n", cpu);
- }
-+
-+ /* Re-enable decrementer interrupts */
- mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) | LPCR_PECE1);
- DBG("CPU%d coming online...\n", cpu);
- }
-diff --git a/arch/powerpc/sysdev/xics/icp-opal.c b/arch/powerpc/sysdev/xics/icp-opal.c
-index 60c5765..c96c0cb 100644
---- a/arch/powerpc/sysdev/xics/icp-opal.c
-+++ b/arch/powerpc/sysdev/xics/icp-opal.c
-@@ -132,6 +132,35 @@ static irqreturn_t icp_opal_ipi_action(int irq, void *dev_id)
- return smp_ipi_demux();
- }
-
-+/*
-+ * Called when an interrupt is received on an off-line CPU to
-+ * clear the interrupt, so that the CPU can go back to nap mode.
-+ */
-+void icp_opal_flush_interrupt(void)
-+{
-+ unsigned int xirr;
-+ unsigned int vec;
-+
-+ do {
-+ xirr = icp_opal_get_xirr();
-+ vec = xirr & 0x00ffffff;
-+ if (vec == XICS_IRQ_SPURIOUS)
-+ break;
-+ if (vec == XICS_IPI) {
-+ /* Clear pending IPI */
-+ int cpu = smp_processor_id();
-+ kvmppc_set_host_ipi(cpu, 0);
-+ opal_int_set_mfrr(get_hard_smp_processor_id(cpu), 0xff);
-+ } else {
-+ pr_err("XICS: hw interrupt 0x%x to offline cpu, "
-+ "disabling\n", vec);
-+ xics_mask_unknown_vec(vec);
-+ }
-+
-+ /* EOI the interrupt */
-+ } while (opal_int_eoi(xirr) > 0);
-+}
-+
- #endif /* CONFIG_SMP */
-
- static const struct icp_ops icp_opal_ops = {
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 984a7bf..83db0ea 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -104,6 +104,7 @@ struct cpuinfo_x86 {
- __u8 x86_phys_bits;
- /* CPUID returned core id bits: */
- __u8 x86_coreid_bits;
-+ __u8 cu_id;
- /* Max extended CPUID function supported: */
- __u32 extended_cpuid_level;
- /* Maximum supported CPUID level, -1=no CPUID: */
-diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
-index 7249f15..d1e2556 100644
---- a/arch/x86/kernel/apic/io_apic.c
-+++ b/arch/x86/kernel/apic/io_apic.c
-@@ -1876,7 +1876,6 @@ static struct irq_chip ioapic_chip __read_mostly = {
- .irq_ack = irq_chip_ack_parent,
- .irq_eoi = ioapic_ack_level,
- .irq_set_affinity = ioapic_set_affinity,
-- .irq_retrigger = irq_chip_retrigger_hierarchy,
- .flags = IRQCHIP_SKIP_SET_WAKE,
- };
-
-@@ -1888,7 +1887,6 @@ static struct irq_chip ioapic_ir_chip __read_mostly = {
- .irq_ack = irq_chip_ack_parent,
- .irq_eoi = ioapic_ir_ack_level,
- .irq_set_affinity = ioapic_set_affinity,
-- .irq_retrigger = irq_chip_retrigger_hierarchy,
- .flags = IRQCHIP_SKIP_SET_WAKE,
- };
-
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 1d31672..2b4cf04 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -309,8 +309,22 @@ static void amd_get_topology(struct cpuinfo_x86 *c)
-
- /* get information required for multi-node processors */
- if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
-+ u32 eax, ebx, ecx, edx;
-
-- node_id = cpuid_ecx(0x8000001e) & 7;
-+ cpuid(0x8000001e, &eax, &ebx, &ecx, &edx);
-+
-+ node_id = ecx & 0xff;
-+ smp_num_siblings = ((ebx >> 8) & 0xff) + 1;
-+
-+ if (c->x86 == 0x15)
-+ c->cu_id = ebx & 0xff;
-+
-+ if (c->x86 >= 0x17) {
-+ c->cpu_core_id = ebx & 0xff;
-+
-+ if (smp_num_siblings > 1)
-+ c->x86_max_cores /= smp_num_siblings;
-+ }
-
- /*
- * We may have multiple LLCs if L3 caches exist, so check if we
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 023c7bf..4eece91 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1015,6 +1015,7 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- c->x86_model_id[0] = '\0'; /* Unset */
- c->x86_max_cores = 1;
- c->x86_coreid_bits = 0;
-+ c->cu_id = 0xff;
- #ifdef CONFIG_X86_64
- c->x86_clflush_size = 64;
- c->x86_phys_bits = 36;
-diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
-index e9bbe02..36171bc 100644
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -423,9 +423,15 @@ static bool match_smt(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o)
- int cpu1 = c->cpu_index, cpu2 = o->cpu_index;
-
- if (c->phys_proc_id == o->phys_proc_id &&
-- per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2) &&
-- c->cpu_core_id == o->cpu_core_id)
-- return topology_sane(c, o, "smt");
-+ per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2)) {
-+ if (c->cpu_core_id == o->cpu_core_id)
-+ return topology_sane(c, o, "smt");
-+
-+ if ((c->cu_id != 0xff) &&
-+ (o->cu_id != 0xff) &&
-+ (c->cu_id == o->cu_id))
-+ return topology_sane(c, o, "smt");
-+ }
-
- } else if (c->phys_proc_id == o->phys_proc_id &&
- c->cpu_core_id == o->cpu_core_id) {
-diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
-index ea9c49a..8aa6bea 100644
---- a/arch/x86/mm/dump_pagetables.c
-+++ b/arch/x86/mm/dump_pagetables.c
-@@ -15,6 +15,7 @@
- #include <linux/debugfs.h>
- #include <linux/mm.h>
- #include <linux/init.h>
-+#include <linux/sched.h>
- #include <linux/seq_file.h>
-
- #include <asm/pgtable.h>
-@@ -406,6 +407,7 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
- } else
- note_page(m, &st, __pgprot(0), 1);
-
-+ cond_resched();
- start++;
- }
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index e9c0993..e8817e2 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -671,9 +671,9 @@ static int aead_recvmsg_sync(struct socket *sock, struct msghdr *msg, int flags)
- unlock:
- list_for_each_entry_safe(rsgl, tmp, &ctx->list, list) {
- af_alg_free_sg(&rsgl->sgl);
-+ list_del(&rsgl->list);
- if (rsgl != &ctx->first_rsgl)
- sock_kfree_s(sk, rsgl, sizeof(*rsgl));
-- list_del(&rsgl->list);
- }
- INIT_LIST_HEAD(&ctx->list);
- aead_wmem_wakeup(sk);
-diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
-index 312c4b4..6eb6733 100644
---- a/drivers/acpi/nfit/core.c
-+++ b/drivers/acpi/nfit/core.c
-@@ -2704,6 +2704,7 @@ static int acpi_nfit_flush_probe(struct nvdimm_bus_descriptor *nd_desc)
- struct acpi_nfit_desc *acpi_desc = to_acpi_nfit_desc(nd_desc);
- struct device *dev = acpi_desc->dev;
- struct acpi_nfit_flush_work flush;
-+ int rc;
-
- /* bounce the device lock to flush acpi_nfit_add / acpi_nfit_notify */
- device_lock(dev);
-@@ -2716,7 +2717,10 @@ static int acpi_nfit_flush_probe(struct nvdimm_bus_descriptor *nd_desc)
- INIT_WORK_ONSTACK(&flush.work, flush_probe);
- COMPLETION_INITIALIZER_ONSTACK(flush.cmp);
- queue_work(nfit_wq, &flush.work);
-- return wait_for_completion_interruptible(&flush.cmp);
-+
-+ rc = wait_for_completion_interruptible(&flush.cmp);
-+ cancel_work_sync(&flush.work);
-+ return rc;
- }
-
- static int acpi_nfit_clear_to_send(struct nvdimm_bus_descriptor *nd_desc,
-diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 4737520..80fa656 100644
---- a/drivers/cpufreq/intel_pstate.c
-+++ b/drivers/cpufreq/intel_pstate.c
-@@ -820,6 +820,25 @@ static void intel_pstate_hwp_enable(struct cpudata *cpudata)
- wrmsrl_on_cpu(cpudata->cpu, MSR_PM_ENABLE, 0x1);
- }
-
-+#define MSR_IA32_POWER_CTL_BIT_EE 19
-+
-+/* Disable energy efficiency optimization */
-+static void intel_pstate_disable_ee(int cpu)
-+{
-+ u64 power_ctl;
-+ int ret;
-+
-+ ret = rdmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, &power_ctl);
-+ if (ret)
-+ return;
-+
-+ if (!(power_ctl & BIT(MSR_IA32_POWER_CTL_BIT_EE))) {
-+ pr_info("Disabling energy efficiency optimization\n");
-+ power_ctl |= BIT(MSR_IA32_POWER_CTL_BIT_EE);
-+ wrmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, power_ctl);
-+ }
-+}
-+
- static int atom_get_min_pstate(void)
- {
- u64 value;
-@@ -1420,6 +1439,11 @@ static const struct x86_cpu_id intel_pstate_cpu_oob_ids[] __initconst = {
- {}
- };
-
-+static const struct x86_cpu_id intel_pstate_cpu_ee_disable_ids[] = {
-+ ICPU(INTEL_FAM6_KABYLAKE_DESKTOP, core_params),
-+ {}
-+};
-+
- static int intel_pstate_init_cpu(unsigned int cpunum)
- {
- struct cpudata *cpu;
-@@ -1435,6 +1459,12 @@ static int intel_pstate_init_cpu(unsigned int cpunum)
- cpu->cpu = cpunum;
-
- if (hwp_active) {
-+ const struct x86_cpu_id *id;
-+
-+ id = x86_match_cpu(intel_pstate_cpu_ee_disable_ids);
-+ if (id)
-+ intel_pstate_disable_ee(cpunum);
-+
- intel_pstate_hwp_enable(cpu);
- pid_params.sample_rate_ms = 50;
- pid_params.sample_rate_ns = 50 * NSEC_PER_MSEC;
-diff --git a/drivers/crypto/ccp/ccp-dev-v5.c b/drivers/crypto/ccp/ccp-dev-v5.c
-index faf3cb3..a388bf2 100644
---- a/drivers/crypto/ccp/ccp-dev-v5.c
-+++ b/drivers/crypto/ccp/ccp-dev-v5.c
-@@ -955,7 +955,7 @@ static irqreturn_t ccp5_irq_handler(int irq, void *data)
- static void ccp5_config(struct ccp_device *ccp)
- {
- /* Public side */
-- iowrite32(0x00001249, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET);
-+ iowrite32(0x0, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET);
- }
-
- static void ccp5other_config(struct ccp_device *ccp)
-diff --git a/drivers/crypto/ccp/ccp-dev.h b/drivers/crypto/ccp/ccp-dev.h
-index da5f4a6..340aef1 100644
---- a/drivers/crypto/ccp/ccp-dev.h
-+++ b/drivers/crypto/ccp/ccp-dev.h
-@@ -238,6 +238,7 @@ struct ccp_dma_chan {
- struct ccp_device *ccp;
-
- spinlock_t lock;
-+ struct list_head created;
- struct list_head pending;
- struct list_head active;
- struct list_head complete;
-diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c
-index 6553912..e5d9278 100644
---- a/drivers/crypto/ccp/ccp-dmaengine.c
-+++ b/drivers/crypto/ccp/ccp-dmaengine.c
-@@ -63,6 +63,7 @@ static void ccp_free_chan_resources(struct dma_chan *dma_chan)
- ccp_free_desc_resources(chan->ccp, &chan->complete);
- ccp_free_desc_resources(chan->ccp, &chan->active);
- ccp_free_desc_resources(chan->ccp, &chan->pending);
-+ ccp_free_desc_resources(chan->ccp, &chan->created);
-
- spin_unlock_irqrestore(&chan->lock, flags);
- }
-@@ -273,6 +274,7 @@ static dma_cookie_t ccp_tx_submit(struct dma_async_tx_descriptor *tx_desc)
- spin_lock_irqsave(&chan->lock, flags);
-
- cookie = dma_cookie_assign(tx_desc);
-+ list_del(&desc->entry);
- list_add_tail(&desc->entry, &chan->pending);
-
- spin_unlock_irqrestore(&chan->lock, flags);
-@@ -426,7 +428,7 @@ static struct ccp_dma_desc *ccp_create_desc(struct dma_chan *dma_chan,
-
- spin_lock_irqsave(&chan->lock, sflags);
-
-- list_add_tail(&desc->entry, &chan->pending);
-+ list_add_tail(&desc->entry, &chan->created);
-
- spin_unlock_irqrestore(&chan->lock, sflags);
-
-@@ -610,6 +612,7 @@ static int ccp_terminate_all(struct dma_chan *dma_chan)
- /*TODO: Purge the complete list? */
- ccp_free_desc_resources(chan->ccp, &chan->active);
- ccp_free_desc_resources(chan->ccp, &chan->pending);
-+ ccp_free_desc_resources(chan->ccp, &chan->created);
-
- spin_unlock_irqrestore(&chan->lock, flags);
-
-@@ -679,6 +682,7 @@ int ccp_dmaengine_register(struct ccp_device *ccp)
- chan->ccp = ccp;
-
- spin_lock_init(&chan->lock);
-+ INIT_LIST_HEAD(&chan->created);
- INIT_LIST_HEAD(&chan->pending);
- INIT_LIST_HEAD(&chan->active);
- INIT_LIST_HEAD(&chan->complete);
-diff --git a/drivers/crypto/chelsio/chcr_core.c b/drivers/crypto/chelsio/chcr_core.c
-index fb5f9bb..6aece3f 100644
---- a/drivers/crypto/chelsio/chcr_core.c
-+++ b/drivers/crypto/chelsio/chcr_core.c
-@@ -51,6 +51,7 @@ static struct cxgb4_uld_info chcr_uld_info = {
- int assign_chcr_device(struct chcr_dev **dev)
- {
- struct uld_ctx *u_ctx;
-+ int ret = -ENXIO;
-
- /*
- * Which device to use if multiple devices are available TODO
-@@ -58,15 +59,14 @@ int assign_chcr_device(struct chcr_dev **dev)
- * must go to the same device to maintain the ordering.
- */
- mutex_lock(&dev_mutex); /* TODO ? */
-- u_ctx = list_first_entry(&uld_ctx_list, struct uld_ctx, entry);
-- if (!u_ctx) {
-- mutex_unlock(&dev_mutex);
-- return -ENXIO;
-+ list_for_each_entry(u_ctx, &uld_ctx_list, entry)
-+ if (u_ctx && u_ctx->dev) {
-+ *dev = u_ctx->dev;
-+ ret = 0;
-+ break;
- }
--
-- *dev = u_ctx->dev;
- mutex_unlock(&dev_mutex);
-- return 0;
-+ return ret;
- }
-
- static int chcr_dev_add(struct uld_ctx *u_ctx)
-@@ -203,10 +203,8 @@ static int chcr_uld_state_change(void *handle, enum cxgb4_state state)
-
- static int __init chcr_crypto_init(void)
- {
-- if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) {
-+ if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info))
- pr_err("ULD register fail: No chcr crypto support in cxgb4");
-- return -1;
-- }
-
- return 0;
- }
-diff --git a/drivers/crypto/qat/qat_c62x/adf_drv.c b/drivers/crypto/qat/qat_c62x/adf_drv.c
-index bc5cbc1..5b2d78a 100644
---- a/drivers/crypto/qat/qat_c62x/adf_drv.c
-+++ b/drivers/crypto/qat/qat_c62x/adf_drv.c
-@@ -233,7 +233,7 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
- &hw_data->accel_capabilities_mask);
-
- /* Find and map all the device's BARS */
-- i = 0;
-+ i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0;
- bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
- ADF_PCI_MAX_BARS * 2) {
-diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h
-index e882253..33f0a62 100644
---- a/drivers/crypto/qat/qat_common/adf_accel_devices.h
-+++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h
-@@ -69,6 +69,7 @@
- #define ADF_ERRSOU5 (0x3A000 + 0xD8)
- #define ADF_DEVICE_FUSECTL_OFFSET 0x40
- #define ADF_DEVICE_LEGFUSE_OFFSET 0x4C
-+#define ADF_DEVICE_FUSECTL_MASK 0x80000000
- #define ADF_PCI_MAX_BARS 3
- #define ADF_DEVICE_NAME_LENGTH 32
- #define ADF_ETR_MAX_RINGS_PER_BANK 16
-diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c
-index 1e480f1..8c4fd25 100644
---- a/drivers/crypto/qat/qat_common/qat_hal.c
-+++ b/drivers/crypto/qat/qat_common/qat_hal.c
-@@ -456,7 +456,7 @@ static int qat_hal_init_esram(struct icp_qat_fw_loader_handle *handle)
- unsigned int csr_val;
- int times = 30;
-
-- if (handle->pci_dev->device == ADF_C3XXX_PCI_DEVICE_ID)
-+ if (handle->pci_dev->device != ADF_DH895XCC_PCI_DEVICE_ID)
- return 0;
-
- csr_val = ADF_CSR_RD(csr_addr, 0);
-@@ -716,7 +716,7 @@ int qat_hal_init(struct adf_accel_dev *accel_dev)
- (void __iomem *)((uintptr_t)handle->hal_cap_ae_xfer_csr_addr_v +
- LOCAL_TO_XFER_REG_OFFSET);
- handle->pci_dev = pci_info->pci_dev;
-- if (handle->pci_dev->device != ADF_C3XXX_PCI_DEVICE_ID) {
-+ if (handle->pci_dev->device == ADF_DH895XCC_PCI_DEVICE_ID) {
- sram_bar =
- &pci_info->pci_bars[hw_data->get_sram_bar_id(hw_data)];
- handle->hal_sram_addr_v = sram_bar->virt_addr;
-diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
-index e6862a7..4e19bde 100644
---- a/drivers/gpu/drm/drm_atomic.c
-+++ b/drivers/gpu/drm/drm_atomic.c
-@@ -1759,16 +1759,16 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
-
- if (ret && arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
- /*
-- * TEST_ONLY and PAGE_FLIP_EVENT are mutually exclusive,
-- * if they weren't, this code should be called on success
-- * for TEST_ONLY too.
-+ * Free the allocated event. drm_atomic_helper_setup_commit
-+ * can allocate an event too, so only free it if it's ours
-+ * to prevent a double free in drm_atomic_state_clear.
- */
--
- for_each_crtc_in_state(state, crtc, crtc_state, i) {
-- if (!crtc_state->event)
-- continue;
--
-- drm_event_cancel_free(dev, &crtc_state->event->base);
-+ struct drm_pending_vblank_event *event = crtc_state->event;
-+ if (event && (event->base.fence || event->base.file_priv)) {
-+ drm_event_cancel_free(dev, &event->base);
-+ crtc_state->event = NULL;
-+ }
- }
- }
-
-diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index a218c2e..0c400f8 100644
---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-@@ -1215,14 +1215,14 @@ validate_exec_list(struct drm_device *dev,
- if (exec[i].offset !=
- gen8_canonical_addr(exec[i].offset & PAGE_MASK))
- return -EINVAL;
--
-- /* From drm_mm perspective address space is continuous,
-- * so from this point we're always using non-canonical
-- * form internally.
-- */
-- exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
- }
-
-+ /* From drm_mm perspective address space is continuous,
-+ * so from this point we're always using non-canonical
-+ * form internally.
-+ */
-+ exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
-+
- if (exec[i].alignment && !is_power_of_2(exec[i].alignment))
- return -EINVAL;
-
-diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 8079e5b..b9be8a6 100644
---- a/drivers/gpu/drm/i915/intel_display.c
-+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -4280,10 +4280,10 @@ static void page_flip_completed(struct intel_crtc *intel_crtc)
- drm_crtc_vblank_put(&intel_crtc->base);
-
- wake_up_all(&dev_priv->pending_flip_queue);
-- queue_work(dev_priv->wq, &work->unpin_work);
--
- trace_i915_flip_complete(intel_crtc->plane,
- work->pending_flip_obj);
-+
-+ queue_work(dev_priv->wq, &work->unpin_work);
- }
-
- static int intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
-diff --git a/drivers/gpu/drm/i915/intel_dpll_mgr.c b/drivers/gpu/drm/i915/intel_dpll_mgr.c
-index 1c59ca5..cae27c5 100644
---- a/drivers/gpu/drm/i915/intel_dpll_mgr.c
-+++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c
-@@ -1723,7 +1723,8 @@ bxt_get_dpll(struct intel_crtc *crtc,
- return NULL;
-
- if ((encoder->type == INTEL_OUTPUT_DP ||
-- encoder->type == INTEL_OUTPUT_EDP) &&
-+ encoder->type == INTEL_OUTPUT_EDP ||
-+ encoder->type == INTEL_OUTPUT_DP_MST) &&
- !bxt_ddi_dp_set_dpll_hw_state(clock, &dpll_hw_state))
- return NULL;
-
-diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
-index 16f91c8..5fb4c6d 100644
---- a/drivers/hv/channel.c
-+++ b/drivers/hv/channel.c
-@@ -39,7 +39,7 @@
- * vmbus_setevent- Trigger an event notification on the specified
- * channel.
- */
--static void vmbus_setevent(struct vmbus_channel *channel)
-+void vmbus_setevent(struct vmbus_channel *channel)
- {
- struct hv_monitor_page *monitorpage;
-
-@@ -65,6 +65,7 @@ static void vmbus_setevent(struct vmbus_channel *channel)
- vmbus_set_event(channel);
- }
- }
-+EXPORT_SYMBOL_GPL(vmbus_setevent);
-
- /*
- * vmbus_open - Open the specified channel.
-@@ -635,8 +636,6 @@ int vmbus_sendpacket_ctl(struct vmbus_channel *channel, void *buffer,
- u32 packetlen_aligned = ALIGN(packetlen, sizeof(u64));
- struct kvec bufferlist[3];
- u64 aligned_data = 0;
-- int ret;
-- bool signal = false;
- bool lock = channel->acquire_ring_lock;
- int num_vecs = ((bufferlen != 0) ? 3 : 1);
-
-@@ -656,33 +655,9 @@ int vmbus_sendpacket_ctl(struct vmbus_channel *channel, void *buffer,
- bufferlist[2].iov_base = &aligned_data;
- bufferlist[2].iov_len = (packetlen_aligned - packetlen);
-
-- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, num_vecs,
-- &signal, lock, channel->signal_policy);
--
-- /*
-- * Signalling the host is conditional on many factors:
-- * 1. The ring state changed from being empty to non-empty.
-- * This is tracked by the variable "signal".
-- * 2. The variable kick_q tracks if more data will be placed
-- * on the ring. We will not signal if more data is
-- * to be placed.
-- *
-- * Based on the channel signal state, we will decide
-- * which signaling policy will be applied.
-- *
-- * If we cannot write to the ring-buffer; signal the host
-- * even if we may not have written anything. This is a rare
-- * enough condition that it should not matter.
-- * NOTE: in this case, the hvsock channel is an exception, because
-- * it looks the host side's hvsock implementation has a throttling
-- * mechanism which can hurt the performance otherwise.
-- */
--
-- if (((ret == 0) && kick_q && signal) ||
-- (ret && !is_hvsock_channel(channel)))
-- vmbus_setevent(channel);
-+ return hv_ringbuffer_write(channel, bufferlist, num_vecs,
-+ lock, kick_q);
-
-- return ret;
- }
- EXPORT_SYMBOL(vmbus_sendpacket_ctl);
-
-@@ -723,7 +698,6 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel,
- u32 flags,
- bool kick_q)
- {
-- int ret;
- int i;
- struct vmbus_channel_packet_page_buffer desc;
- u32 descsize;
-@@ -731,7 +705,6 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel,
- u32 packetlen_aligned;
- struct kvec bufferlist[3];
- u64 aligned_data = 0;
-- bool signal = false;
- bool lock = channel->acquire_ring_lock;
-
- if (pagecount > MAX_PAGE_BUFFER_COUNT)
-@@ -769,29 +742,8 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel,
- bufferlist[2].iov_base = &aligned_data;
- bufferlist[2].iov_len = (packetlen_aligned - packetlen);
-
-- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3,
-- &signal, lock, channel->signal_policy);
--
-- /*
-- * Signalling the host is conditional on many factors:
-- * 1. The ring state changed from being empty to non-empty.
-- * This is tracked by the variable "signal".
-- * 2. The variable kick_q tracks if more data will be placed
-- * on the ring. We will not signal if more data is
-- * to be placed.
-- *
-- * Based on the channel signal state, we will decide
-- * which signaling policy will be applied.
-- *
-- * If we cannot write to the ring-buffer; signal the host
-- * even if we may not have written anything. This is a rare
-- * enough condition that it should not matter.
-- */
--
-- if (((ret == 0) && kick_q && signal) || (ret))
-- vmbus_setevent(channel);
--
-- return ret;
-+ return hv_ringbuffer_write(channel, bufferlist, 3,
-+ lock, kick_q);
- }
- EXPORT_SYMBOL_GPL(vmbus_sendpacket_pagebuffer_ctl);
-
-@@ -822,12 +774,10 @@ int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel,
- u32 desc_size,
- void *buffer, u32 bufferlen, u64 requestid)
- {
-- int ret;
- u32 packetlen;
- u32 packetlen_aligned;
- struct kvec bufferlist[3];
- u64 aligned_data = 0;
-- bool signal = false;
- bool lock = channel->acquire_ring_lock;
-
- packetlen = desc_size + bufferlen;
-@@ -848,13 +798,8 @@ int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel,
- bufferlist[2].iov_base = &aligned_data;
- bufferlist[2].iov_len = (packetlen_aligned - packetlen);
-
-- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3,
-- &signal, lock, channel->signal_policy);
--
-- if (ret == 0 && signal)
-- vmbus_setevent(channel);
--
-- return ret;
-+ return hv_ringbuffer_write(channel, bufferlist, 3,
-+ lock, true);
- }
- EXPORT_SYMBOL_GPL(vmbus_sendpacket_mpb_desc);
-
-@@ -866,14 +811,12 @@ int vmbus_sendpacket_multipagebuffer(struct vmbus_channel *channel,
- struct hv_multipage_buffer *multi_pagebuffer,
- void *buffer, u32 bufferlen, u64 requestid)
- {
-- int ret;
- struct vmbus_channel_packet_multipage_buffer desc;
- u32 descsize;
- u32 packetlen;
- u32 packetlen_aligned;
- struct kvec bufferlist[3];
- u64 aligned_data = 0;
-- bool signal = false;
- bool lock = channel->acquire_ring_lock;
- u32 pfncount = NUM_PAGES_SPANNED(multi_pagebuffer->offset,
- multi_pagebuffer->len);
-@@ -913,13 +856,8 @@ int vmbus_sendpacket_multipagebuffer(struct vmbus_channel *channel,
- bufferlist[2].iov_base = &aligned_data;
- bufferlist[2].iov_len = (packetlen_aligned - packetlen);
-
-- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3,
-- &signal, lock, channel->signal_policy);
--
-- if (ret == 0 && signal)
-- vmbus_setevent(channel);
--
-- return ret;
-+ return hv_ringbuffer_write(channel, bufferlist, 3,
-+ lock, true);
- }
- EXPORT_SYMBOL_GPL(vmbus_sendpacket_multipagebuffer);
-
-@@ -941,16 +879,9 @@ __vmbus_recvpacket(struct vmbus_channel *channel, void *buffer,
- u32 bufferlen, u32 *buffer_actual_len, u64 *requestid,
- bool raw)
- {
-- int ret;
-- bool signal = false;
-+ return hv_ringbuffer_read(channel, buffer, bufferlen,
-+ buffer_actual_len, requestid, raw);
-
-- ret = hv_ringbuffer_read(&channel->inbound, buffer, bufferlen,
-- buffer_actual_len, requestid, &signal, raw);
--
-- if (signal)
-- vmbus_setevent(channel);
--
-- return ret;
- }
-
- int vmbus_recvpacket(struct vmbus_channel *channel, void *buffer,
-diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
-index 1bc1d479..caf3418 100644
---- a/drivers/hv/channel_mgmt.c
-+++ b/drivers/hv/channel_mgmt.c
-@@ -449,8 +449,6 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel)
- }
-
- dev_type = hv_get_dev_type(newchannel);
-- if (dev_type == HV_NIC)
-- set_channel_signal_state(newchannel, HV_SIGNAL_POLICY_EXPLICIT);
-
- init_vp_index(newchannel, dev_type);
-
-diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
-index a5b4442..2b13f2a 100644
---- a/drivers/hv/hyperv_vmbus.h
-+++ b/drivers/hv/hyperv_vmbus.h
-@@ -527,14 +527,14 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
-
- void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info);
-
--int hv_ringbuffer_write(struct hv_ring_buffer_info *ring_info,
-+int hv_ringbuffer_write(struct vmbus_channel *channel,
- struct kvec *kv_list,
-- u32 kv_count, bool *signal, bool lock,
-- enum hv_signal_policy policy);
-+ u32 kv_count, bool lock,
-+ bool kick_q);
-
--int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info,
-+int hv_ringbuffer_read(struct vmbus_channel *channel,
- void *buffer, u32 buflen, u32 *buffer_actual_len,
-- u64 *requestid, bool *signal, bool raw);
-+ u64 *requestid, bool raw);
-
- void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
- struct hv_ring_buffer_debug_info *debug_info);
-diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
-index 08043da..308dbda 100644
---- a/drivers/hv/ring_buffer.c
-+++ b/drivers/hv/ring_buffer.c
-@@ -66,21 +66,25 @@ u32 hv_end_read(struct hv_ring_buffer_info *rbi)
- * once the ring buffer is empty, it will clear the
- * interrupt_mask and re-check to see if new data has
- * arrived.
-+ *
-+ * KYS: Oct. 30, 2016:
-+ * It looks like Windows hosts have logic to deal with DOS attacks that
-+ * can be triggered if it receives interrupts when it is not expecting
-+ * the interrupt. The host expects interrupts only when the ring
-+ * transitions from empty to non-empty (or full to non full on the guest
-+ * to host ring).
-+ * So, base the signaling decision solely on the ring state until the
-+ * host logic is fixed.
- */
-
--static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi,
-- enum hv_signal_policy policy)
-+static void hv_signal_on_write(u32 old_write, struct vmbus_channel *channel,
-+ bool kick_q)
- {
-+ struct hv_ring_buffer_info *rbi = &channel->outbound;
-+
- virt_mb();
- if (READ_ONCE(rbi->ring_buffer->interrupt_mask))
-- return false;
--
-- /*
-- * When the client wants to control signaling,
-- * we only honour the host interrupt mask.
-- */
-- if (policy == HV_SIGNAL_POLICY_EXPLICIT)
-- return true;
-+ return;
-
- /* check interrupt_mask before read_index */
- virt_rmb();
-@@ -89,9 +93,9 @@ static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi,
- * ring transitions from being empty to non-empty.
- */
- if (old_write == READ_ONCE(rbi->ring_buffer->read_index))
-- return true;
-+ vmbus_setevent(channel);
-
-- return false;
-+ return;
- }
-
- /* Get the next write location for the specified ring buffer. */
-@@ -280,9 +284,9 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
- }
-
- /* Write to the ring buffer. */
--int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
-- struct kvec *kv_list, u32 kv_count, bool *signal, bool lock,
-- enum hv_signal_policy policy)
-+int hv_ringbuffer_write(struct vmbus_channel *channel,
-+ struct kvec *kv_list, u32 kv_count, bool lock,
-+ bool kick_q)
- {
- int i = 0;
- u32 bytes_avail_towrite;
-@@ -292,6 +296,7 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
- u32 old_write;
- u64 prev_indices = 0;
- unsigned long flags = 0;
-+ struct hv_ring_buffer_info *outring_info = &channel->outbound;
-
- for (i = 0; i < kv_count; i++)
- totalbytes_towrite += kv_list[i].iov_len;
-@@ -344,13 +349,13 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
- if (lock)
- spin_unlock_irqrestore(&outring_info->ring_lock, flags);
-
-- *signal = hv_need_to_signal(old_write, outring_info, policy);
-+ hv_signal_on_write(old_write, channel, kick_q);
- return 0;
- }
-
--int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info,
-+int hv_ringbuffer_read(struct vmbus_channel *channel,
- void *buffer, u32 buflen, u32 *buffer_actual_len,
-- u64 *requestid, bool *signal, bool raw)
-+ u64 *requestid, bool raw)
- {
- u32 bytes_avail_toread;
- u32 next_read_location = 0;
-@@ -359,6 +364,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info,
- u32 offset;
- u32 packetlen;
- int ret = 0;
-+ struct hv_ring_buffer_info *inring_info = &channel->inbound;
-
- if (buflen <= 0)
- return -EINVAL;
-@@ -377,6 +383,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info,
- return ret;
- }
-
-+ init_cached_read_index(channel);
- next_read_location = hv_get_next_read_location(inring_info);
- next_read_location = hv_copyfrom_ringbuffer(inring_info, &desc,
- sizeof(desc),
-@@ -416,7 +423,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info,
- /* Update the read index */
- hv_set_next_read_location(inring_info, next_read_location);
-
-- *signal = hv_need_to_signal_on_read(inring_info);
-+ hv_signal_on_read(channel);
-
- return ret;
- }
-diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
-index 1869152..9b732c5 100644
---- a/drivers/infiniband/sw/rxe/rxe_mr.c
-+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
-@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
-
- case RXE_MEM_TYPE_MR:
- case RXE_MEM_TYPE_FMR:
-- return ((iova < mem->iova) ||
-- ((iova + length) > (mem->iova + mem->length))) ?
-- -EFAULT : 0;
-+ if (iova < mem->iova ||
-+ length > mem->length ||
-+ iova > mem->iova + mem->length - length)
-+ return -EFAULT;
-+ return 0;
-
- default:
- return -EFAULT;
-diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
-index dd3d88a..ccf6247 100644
---- a/drivers/infiniband/sw/rxe/rxe_resp.c
-+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
-@@ -472,7 +472,7 @@ static enum resp_states check_rkey(struct rxe_qp *qp,
- goto err2;
- }
-
-- resid = mtu;
-+ qp->resp.resid = mtu;
- } else {
- if (pktlen != resid) {
- state = RESPST_ERR_LENGTH;
-diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 92595b9..022be0e 100644
---- a/drivers/input/misc/uinput.c
-+++ b/drivers/input/misc/uinput.c
-@@ -263,13 +263,21 @@ static int uinput_create_device(struct uinput_device *udev)
- return -EINVAL;
- }
-
-- if (test_bit(ABS_MT_SLOT, dev->absbit)) {
-- nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
-- error = input_mt_init_slots(dev, nslot, 0);
-- if (error)
-+ if (test_bit(EV_ABS, dev->evbit)) {
-+ input_alloc_absinfo(dev);
-+ if (!dev->absinfo) {
-+ error = -EINVAL;
- goto fail1;
-- } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
-- input_set_events_per_packet(dev, 60);
-+ }
-+
-+ if (test_bit(ABS_MT_SLOT, dev->absbit)) {
-+ nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
-+ error = input_mt_init_slots(dev, nslot, 0);
-+ if (error)
-+ goto fail1;
-+ } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
-+ input_set_events_per_packet(dev, 60);
-+ }
- }
-
- if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
-diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c
-index 31a89c8..2c96542 100644
---- a/drivers/md/dm-rq.c
-+++ b/drivers/md/dm-rq.c
-@@ -804,6 +804,10 @@ static void dm_old_request_fn(struct request_queue *q)
- int srcu_idx;
- struct dm_table *map = dm_get_live_table(md, &srcu_idx);
-
-+ if (unlikely(!map)) {
-+ dm_put_live_table(md, srcu_idx);
-+ return;
-+ }
- ti = dm_table_find_target(map, pos);
- dm_put_live_table(md, srcu_idx);
- }
-diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
-index 878950a..2cf8b1d 100644
---- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
-+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
-@@ -1007,9 +1007,7 @@
-
- static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value)
- {
-- u8 __iomem *reg_addr = ACCESS_ONCE(base);
--
-- writel(value, reg_addr + reg);
-+ writel(value, base + reg);
- }
-
- #define dsaf_write_dev(a, reg, value) \
-@@ -1017,9 +1015,7 @@ static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value)
-
- static inline u32 dsaf_read_reg(u8 __iomem *base, u32 reg)
- {
-- u8 __iomem *reg_addr = ACCESS_ONCE(base);
--
-- return readl(reg_addr + reg);
-+ return readl(base + reg);
- }
-
- static inline void dsaf_write_syscon(struct regmap *base, u32 reg, u32 value)
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-index 27ff401..51c6a57 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-@@ -991,6 +991,7 @@ static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir,
- {
- struct mlx5e_priv *priv = netdev_priv(dev);
- int inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
-+ bool hash_changed = false;
- void *in;
-
- if ((hfunc != ETH_RSS_HASH_NO_CHANGE) &&
-@@ -1012,14 +1013,21 @@ static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir,
- mlx5e_redirect_rqt(priv, rqtn, MLX5E_INDIR_RQT_SIZE, 0);
- }
-
-- if (key)
-+ if (hfunc != ETH_RSS_HASH_NO_CHANGE &&
-+ hfunc != priv->params.rss_hfunc) {
-+ priv->params.rss_hfunc = hfunc;
-+ hash_changed = true;
-+ }
-+
-+ if (key) {
- memcpy(priv->params.toeplitz_hash_key, key,
- sizeof(priv->params.toeplitz_hash_key));
-+ hash_changed = hash_changed ||
-+ priv->params.rss_hfunc == ETH_RSS_HASH_TOP;
-+ }
-
-- if (hfunc != ETH_RSS_HASH_NO_CHANGE)
-- priv->params.rss_hfunc = hfunc;
--
-- mlx5e_modify_tirs_hash(priv, in, inlen);
-+ if (hash_changed)
-+ mlx5e_modify_tirs_hash(priv, in, inlen);
-
- mutex_unlock(&priv->state_lock);
-
-diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
-index 720b5fa..c2ac39a 100644
---- a/drivers/net/hyperv/netvsc.c
-+++ b/drivers/net/hyperv/netvsc.c
-@@ -1288,6 +1288,9 @@ void netvsc_channel_cb(void *context)
- ndev = hv_get_drvdata(device);
- buffer = get_per_channel_state(channel);
-
-+ /* commit_rd_index() -> hv_signal_on_read() needs this. */
-+ init_cached_read_index(channel);
-+
- do {
- desc = get_next_pkt_raw(channel);
- if (desc != NULL) {
-@@ -1340,6 +1343,9 @@ void netvsc_channel_cb(void *context)
-
- bufferlen = bytes_recvd;
- }
-+
-+ init_cached_read_index(channel);
-+
- } while (1);
-
- if (bufferlen > NETVSC_PACKET_SIZE)
-diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
-index 8b6e37c..20bfb37 100644
---- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
-@@ -96,7 +96,7 @@ int rtl92c_init_sw_vars(struct ieee80211_hw *hw)
- struct rtl_priv *rtlpriv = rtl_priv(hw);
- struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
- struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
-- char *fw_name = "rtlwifi/rtl8192cfwU.bin";
-+ char *fw_name;
-
- rtl8192ce_bt_reg_init(hw);
-
-@@ -168,8 +168,13 @@ int rtl92c_init_sw_vars(struct ieee80211_hw *hw)
- }
-
- /* request fw */
-- if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version))
-+ if (IS_VENDOR_UMC_A_CUT(rtlhal->version) &&
-+ !IS_92C_SERIAL(rtlhal->version))
-+ fw_name = "rtlwifi/rtl8192cfwU.bin";
-+ else if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version))
- fw_name = "rtlwifi/rtl8192cfwU_B.bin";
-+ else
-+ fw_name = "rtlwifi/rtl8192cfw.bin";
-
- rtlpriv->max_fw_size = 0x4000;
- pr_info("Using firmware %s\n", fw_name);
-diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index bf2744e..0cdcb21 100644
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1397,6 +1397,8 @@ static void xennet_disconnect_backend(struct netfront_info *info)
- for (i = 0; i < num_queues && info->queues; ++i) {
- struct netfront_queue *queue = &info->queues[i];
-
-+ del_timer_sync(&queue->rx_refill_timer);
-+
- if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
- unbind_from_irqhandler(queue->tx_irq, queue);
- if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
-@@ -1751,7 +1753,6 @@ static void xennet_destroy_queues(struct netfront_info *info)
-
- if (netif_running(info->netdev))
- napi_disable(&queue->napi);
-- del_timer_sync(&queue->rx_refill_timer);
- netif_napi_del(&queue->napi);
- }
-
-diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
-index 1480734..aefca64 100644
---- a/drivers/nvdimm/namespace_devs.c
-+++ b/drivers/nvdimm/namespace_devs.c
-@@ -962,8 +962,8 @@ static ssize_t __size_store(struct device *dev, unsigned long long val)
- struct nvdimm_drvdata *ndd;
- struct nd_label_id label_id;
- u32 flags = 0, remainder;
-+ int rc, i, id = -1;
- u8 *uuid = NULL;
-- int rc, i;
-
- if (dev->driver || ndns->claim)
- return -EBUSY;
-@@ -972,11 +972,13 @@ static ssize_t __size_store(struct device *dev, unsigned long long val)
- struct nd_namespace_pmem *nspm = to_nd_namespace_pmem(dev);
-
- uuid = nspm->uuid;
-+ id = nspm->id;
- } else if (is_namespace_blk(dev)) {
- struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev);
-
- uuid = nsblk->uuid;
- flags = NSLABEL_FLAG_LOCAL;
-+ id = nsblk->id;
- }
-
- /*
-@@ -1039,10 +1041,11 @@ static ssize_t __size_store(struct device *dev, unsigned long long val)
-
- /*
- * Try to delete the namespace if we deleted all of its
-- * allocation, this is not the seed device for the region, and
-- * it is not actively claimed by a btt instance.
-+ * allocation, this is not the seed or 0th device for the
-+ * region, and it is not actively claimed by a btt, pfn, or dax
-+ * instance.
- */
-- if (val == 0 && nd_region->ns_seed != dev && !ndns->claim)
-+ if (val == 0 && id != 0 && nd_region->ns_seed != dev && !ndns->claim)
- nd_device_unregister(dev, ND_ASYNC);
-
- return rc;
-diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
-index a2ac9e6..6c033c9 100644
---- a/drivers/nvdimm/pfn_devs.c
-+++ b/drivers/nvdimm/pfn_devs.c
-@@ -627,15 +627,12 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn)
- size = resource_size(&nsio->res);
- npfns = (size - start_pad - end_trunc - SZ_8K) / SZ_4K;
- if (nd_pfn->mode == PFN_MODE_PMEM) {
-- unsigned long memmap_size;
--
- /*
- * vmemmap_populate_hugepages() allocates the memmap array in
- * HPAGE_SIZE chunks.
- */
-- memmap_size = ALIGN(64 * npfns, HPAGE_SIZE);
-- offset = ALIGN(start + SZ_8K + memmap_size + dax_label_reserve,
-- nd_pfn->align) - start;
-+ offset = ALIGN(start + SZ_8K + 64 * npfns + dax_label_reserve,
-+ max(nd_pfn->align, HPAGE_SIZE)) - start;
- } else if (nd_pfn->mode == PFN_MODE_RAM)
- offset = ALIGN(start + SZ_8K + dax_label_reserve,
- nd_pfn->align) - start;
-diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
-index 75f820ca..27ff38f 100644
---- a/drivers/s390/scsi/zfcp_fsf.c
-+++ b/drivers/s390/scsi/zfcp_fsf.c
-@@ -1583,7 +1583,7 @@ static void zfcp_fsf_open_wka_port_handler(struct zfcp_fsf_req *req)
- int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
- {
- struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-- struct zfcp_fsf_req *req = NULL;
-+ struct zfcp_fsf_req *req;
- int retval = -EIO;
-
- spin_lock_irq(&qdio->req_q_lock);
-@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
- zfcp_fsf_req_free(req);
- out:
- spin_unlock_irq(&qdio->req_q_lock);
-- if (req && !IS_ERR(req))
-+ if (!retval)
- zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
- return retval;
- }
-@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_handler(struct zfcp_fsf_req *req)
- int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
- {
- struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-- struct zfcp_fsf_req *req = NULL;
-+ struct zfcp_fsf_req *req;
- int retval = -EIO;
-
- spin_lock_irq(&qdio->req_q_lock);
-@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
- zfcp_fsf_req_free(req);
- out:
- spin_unlock_irq(&qdio->req_q_lock);
-- if (req && !IS_ERR(req))
-+ if (!retval)
- zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
- return retval;
- }
-diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
-index 341ea32..792d3e7 100644
---- a/drivers/scsi/aacraid/comminit.c
-+++ b/drivers/scsi/aacraid/comminit.c
-@@ -50,9 +50,13 @@ struct aac_common aac_config = {
-
- static inline int aac_is_msix_mode(struct aac_dev *dev)
- {
-- u32 status;
-+ u32 status = 0;
-
-- status = src_readl(dev, MUnit.OMR);
-+ if (dev->pdev->device == PMC_DEVICE_S6 ||
-+ dev->pdev->device == PMC_DEVICE_S7 ||
-+ dev->pdev->device == PMC_DEVICE_S8) {
-+ status = src_readl(dev, MUnit.OMR);
-+ }
- return (status & AAC_INT_MODE_MSIX);
- }
-
-diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
-index e3b911c..91dfd58 100644
---- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
-+++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
-@@ -3929,6 +3929,7 @@ static struct configfs_attribute *ibmvscsis_tpg_attrs[] = {
- static const struct target_core_fabric_ops ibmvscsis_ops = {
- .module = THIS_MODULE,
- .name = "ibmvscsis",
-+ .max_data_sg_nents = MAX_TXU / PAGE_SIZE,
- .get_fabric_name = ibmvscsis_get_fabric_name,
- .tpg_get_wwn = ibmvscsis_get_fabric_wwn,
- .tpg_get_tag = ibmvscsis_get_tag,
-diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
-index f84a608..8a7941b 100644
---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
-+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
-@@ -51,6 +51,7 @@
- #include <linux/workqueue.h>
- #include <linux/delay.h>
- #include <linux/pci.h>
-+#include <linux/pci-aspm.h>
- #include <linux/interrupt.h>
- #include <linux/aer.h>
- #include <linux/raid_class.h>
-@@ -8706,6 +8707,8 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id)
-
- switch (hba_mpi_version) {
- case MPI2_VERSION:
-+ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
-+ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
- /* Use mpt2sas driver host template for SAS 2.0 HBA's */
- shost = scsi_host_alloc(&mpt2sas_driver_template,
- sizeof(struct MPT3SAS_ADAPTER));
-diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 078d797..bea819e 100644
---- a/drivers/scsi/qla2xxx/qla_os.c
-+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -1459,7 +1459,7 @@ qla2x00_abort_all_cmds(scsi_qla_host_t *vha, int res)
- /* Don't abort commands in adapter during EEH
- * recovery as it's not accessible/responding.
- */
-- if (!ha->flags.eeh_busy) {
-+ if (GET_CMD_SP(sp) && !ha->flags.eeh_busy) {
- /* Get a reference to the sp and drop the lock.
- * The reference ensures this sp->done() call
- * - and not the call in qla2xxx_eh_abort() -
-diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
-index 6b42348..ea9617c 100644
---- a/drivers/target/target_core_device.c
-+++ b/drivers/target/target_core_device.c
-@@ -351,7 +351,15 @@ int core_enable_device_list_for_node(
- kfree(new);
- return -EINVAL;
- }
-- BUG_ON(orig->se_lun_acl != NULL);
-+ if (orig->se_lun_acl != NULL) {
-+ pr_warn_ratelimited("Detected existing explicit"
-+ " se_lun_acl->se_lun_group reference for %s"
-+ " mapped_lun: %llu, failing\n",
-+ nacl->initiatorname, mapped_lun);
-+ mutex_unlock(&nacl->lun_entry_mutex);
-+ kfree(new);
-+ return -EINVAL;
-+ }
-
- rcu_assign_pointer(new->se_lun, lun);
- rcu_assign_pointer(new->se_lun_acl, lun_acl);
-diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
-index 04f616b..aabd660 100644
---- a/drivers/target/target_core_sbc.c
-+++ b/drivers/target/target_core_sbc.c
-@@ -450,6 +450,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
- int *post_ret)
- {
- struct se_device *dev = cmd->se_dev;
-+ sense_reason_t ret = TCM_NO_SENSE;
-
- /*
- * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through
-@@ -457,9 +458,12 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
- * sent to the backend driver.
- */
- spin_lock_irq(&cmd->t_state_lock);
-- if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
-+ if (cmd->transport_state & CMD_T_SENT) {
- cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
- *post_ret = 1;
-+
-+ if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION)
-+ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
- }
- spin_unlock_irq(&cmd->t_state_lock);
-
-@@ -469,7 +473,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
- */
- up(&dev->caw_sem);
-
-- return TCM_NO_SENSE;
-+ return ret;
- }
-
- static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
-diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 7dfefd6..767d1eb6 100644
---- a/drivers/target/target_core_transport.c
-+++ b/drivers/target/target_core_transport.c
-@@ -457,8 +457,20 @@ static void target_complete_nacl(struct kref *kref)
- {
- struct se_node_acl *nacl = container_of(kref,
- struct se_node_acl, acl_kref);
-+ struct se_portal_group *se_tpg = nacl->se_tpg;
-
-- complete(&nacl->acl_free_comp);
-+ if (!nacl->dynamic_stop) {
-+ complete(&nacl->acl_free_comp);
-+ return;
-+ }
-+
-+ mutex_lock(&se_tpg->acl_node_mutex);
-+ list_del(&nacl->acl_list);
-+ mutex_unlock(&se_tpg->acl_node_mutex);
-+
-+ core_tpg_wait_for_nacl_pr_ref(nacl);
-+ core_free_device_list_for_node(nacl, se_tpg);
-+ kfree(nacl);
- }
-
- void target_put_nacl(struct se_node_acl *nacl)
-@@ -499,12 +511,39 @@ EXPORT_SYMBOL(transport_deregister_session_configfs);
- void transport_free_session(struct se_session *se_sess)
- {
- struct se_node_acl *se_nacl = se_sess->se_node_acl;
-+
- /*
- * Drop the se_node_acl->nacl_kref obtained from within
- * core_tpg_get_initiator_node_acl().
- */
- if (se_nacl) {
-+ struct se_portal_group *se_tpg = se_nacl->se_tpg;
-+ const struct target_core_fabric_ops *se_tfo = se_tpg->se_tpg_tfo;
-+ unsigned long flags;
-+
- se_sess->se_node_acl = NULL;
-+
-+ /*
-+ * Also determine if we need to drop the extra ->cmd_kref if
-+ * it had been previously dynamically generated, and
-+ * the endpoint is not caching dynamic ACLs.
-+ */
-+ mutex_lock(&se_tpg->acl_node_mutex);
-+ if (se_nacl->dynamic_node_acl &&
-+ !se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
-+ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags);
-+ if (list_empty(&se_nacl->acl_sess_list))
-+ se_nacl->dynamic_stop = true;
-+ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags);
-+
-+ if (se_nacl->dynamic_stop)
-+ list_del(&se_nacl->acl_list);
-+ }
-+ mutex_unlock(&se_tpg->acl_node_mutex);
-+
-+ if (se_nacl->dynamic_stop)
-+ target_put_nacl(se_nacl);
-+
- target_put_nacl(se_nacl);
- }
- if (se_sess->sess_cmd_map) {
-@@ -518,16 +557,12 @@ EXPORT_SYMBOL(transport_free_session);
- void transport_deregister_session(struct se_session *se_sess)
- {
- struct se_portal_group *se_tpg = se_sess->se_tpg;
-- const struct target_core_fabric_ops *se_tfo;
-- struct se_node_acl *se_nacl;
- unsigned long flags;
-- bool drop_nacl = false;
-
- if (!se_tpg) {
- transport_free_session(se_sess);
- return;
- }
-- se_tfo = se_tpg->se_tpg_tfo;
-
- spin_lock_irqsave(&se_tpg->session_lock, flags);
- list_del(&se_sess->sess_list);
-@@ -535,33 +570,15 @@ void transport_deregister_session(struct se_session *se_sess)
- se_sess->fabric_sess_ptr = NULL;
- spin_unlock_irqrestore(&se_tpg->session_lock, flags);
-
-- /*
-- * Determine if we need to do extra work for this initiator node's
-- * struct se_node_acl if it had been previously dynamically generated.
-- */
-- se_nacl = se_sess->se_node_acl;
--
-- mutex_lock(&se_tpg->acl_node_mutex);
-- if (se_nacl && se_nacl->dynamic_node_acl) {
-- if (!se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
-- list_del(&se_nacl->acl_list);
-- drop_nacl = true;
-- }
-- }
-- mutex_unlock(&se_tpg->acl_node_mutex);
--
-- if (drop_nacl) {
-- core_tpg_wait_for_nacl_pr_ref(se_nacl);
-- core_free_device_list_for_node(se_nacl, se_tpg);
-- se_sess->se_node_acl = NULL;
-- kfree(se_nacl);
-- }
- pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n",
- se_tpg->se_tpg_tfo->get_fabric_name());
- /*
- * If last kref is dropping now for an explicit NodeACL, awake sleeping
- * ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group
- * removal context from within transport_free_session() code.
-+ *
-+ * For dynamic ACL, target_put_nacl() uses target_complete_nacl()
-+ * to release all remaining generate_node_acl=1 created ACL resources.
- */
-
- transport_free_session(se_sess);
-@@ -3086,7 +3103,6 @@ static void target_tmr_work(struct work_struct *work)
- spin_unlock_irqrestore(&cmd->t_state_lock, flags);
- goto check_stop;
- }
-- cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
- spin_unlock_irqrestore(&cmd->t_state_lock, flags);
-
- cmd->se_tfo->queue_tm_rsp(cmd);
-@@ -3099,11 +3115,25 @@ int transport_generic_handle_tmr(
- struct se_cmd *cmd)
- {
- unsigned long flags;
-+ bool aborted = false;
-
- spin_lock_irqsave(&cmd->t_state_lock, flags);
-- cmd->transport_state |= CMD_T_ACTIVE;
-+ if (cmd->transport_state & CMD_T_ABORTED) {
-+ aborted = true;
-+ } else {
-+ cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
-+ cmd->transport_state |= CMD_T_ACTIVE;
-+ }
- spin_unlock_irqrestore(&cmd->t_state_lock, flags);
-
-+ if (aborted) {
-+ pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d"
-+ "ref_tag: %llu tag: %llu\n", cmd->se_tmr_req->function,
-+ cmd->se_tmr_req->ref_task_tag, cmd->tag);
-+ transport_cmd_check_stop_to_fabric(cmd);
-+ return 0;
-+ }
-+
- INIT_WORK(&cmd->work, target_tmr_work);
- queue_work(cmd->se_dev->tmr_wq, &cmd->work);
- return 0;
-diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
-index 094a144..18848ba 100644
---- a/drivers/target/target_core_xcopy.c
-+++ b/drivers/target/target_core_xcopy.c
-@@ -836,7 +836,7 @@ static void target_xcopy_do_work(struct work_struct *work)
- " CHECK_CONDITION -> sending response\n", rc);
- ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
- }
-- target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
-+ target_complete_cmd(ec_cmd, ec_cmd->scsi_status);
- }
-
- sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
-diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index 7acbd2c..1782804 100644
---- a/fs/btrfs/ioctl.c
-+++ b/fs/btrfs/ioctl.c
-@@ -5648,6 +5648,10 @@ long btrfs_ioctl(struct file *file, unsigned int
- #ifdef CONFIG_COMPAT
- long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- {
-+ /*
-+ * These all access 32-bit values anyway so no further
-+ * handling is necessary.
-+ */
- switch (cmd) {
- case FS_IOC32_GETFLAGS:
- cmd = FS_IOC_GETFLAGS;
-@@ -5658,8 +5662,6 @@ long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- case FS_IOC32_GETVERSION:
- cmd = FS_IOC_GETVERSION;
- break;
-- default:
-- return -ENOIOCTLCMD;
- }
-
- return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
-diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
-index da7fbf1..fa3b155 100644
---- a/include/linux/cpumask.h
-+++ b/include/linux/cpumask.h
-@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct cpumask *dstp,
- static inline int cpumask_parse_user(const char __user *buf, int len,
- struct cpumask *dstp)
- {
-- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
- }
-
- /**
-@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user(const char __user *buf, int len,
- struct cpumask *dstp)
- {
- return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
-- nr_cpu_ids);
-+ nr_cpumask_bits);
- }
-
- /**
-@@ -590,7 +590,7 @@ static inline int cpumask_parse(const char *buf, struct cpumask *dstp)
- char *nl = strchr(buf, '\n');
- unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
-
-- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
- }
-
- /**
-@@ -602,7 +602,7 @@ static inline int cpumask_parse(const char *buf, struct cpumask *dstp)
- */
- static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
- {
-- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
-+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
- }
-
- /**
-diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
-index cd184bd..c92a083 100644
---- a/include/linux/hyperv.h
-+++ b/include/linux/hyperv.h
-@@ -128,6 +128,7 @@ struct hv_ring_buffer_info {
- u32 ring_data_startoffset;
- u32 priv_write_index;
- u32 priv_read_index;
-+ u32 cached_read_index;
- };
-
- /*
-@@ -180,6 +181,19 @@ static inline u32 hv_get_bytes_to_write(struct hv_ring_buffer_info *rbi)
- return write;
- }
-
-+static inline u32 hv_get_cached_bytes_to_write(
-+ const struct hv_ring_buffer_info *rbi)
-+{
-+ u32 read_loc, write_loc, dsize, write;
-+
-+ dsize = rbi->ring_datasize;
-+ read_loc = rbi->cached_read_index;
-+ write_loc = rbi->ring_buffer->write_index;
-+
-+ write = write_loc >= read_loc ? dsize - (write_loc - read_loc) :
-+ read_loc - write_loc;
-+ return write;
-+}
- /*
- * VMBUS version is 32 bit entity broken up into
- * two 16 bit quantities: major_number. minor_number.
-@@ -1447,6 +1461,7 @@ void hv_event_tasklet_enable(struct vmbus_channel *channel);
-
- void hv_process_channel_removal(struct vmbus_channel *channel, u32 relid);
-
-+void vmbus_setevent(struct vmbus_channel *channel);
- /*
- * Negotiated version with the Host.
- */
-@@ -1479,10 +1494,11 @@ hv_get_ring_buffer(struct hv_ring_buffer_info *ring_info)
- * there is room for the producer to send the pending packet.
- */
-
--static inline bool hv_need_to_signal_on_read(struct hv_ring_buffer_info *rbi)
-+static inline void hv_signal_on_read(struct vmbus_channel *channel)
- {
-- u32 cur_write_sz;
-+ u32 cur_write_sz, cached_write_sz;
- u32 pending_sz;
-+ struct hv_ring_buffer_info *rbi = &channel->inbound;
-
- /*
- * Issue a full memory barrier before making the signaling decision.
-@@ -1500,14 +1516,26 @@ static inline bool hv_need_to_signal_on_read(struct hv_ring_buffer_info *rbi)
- pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz);
- /* If the other end is not blocked on write don't bother. */
- if (pending_sz == 0)
-- return false;
-+ return;
-
- cur_write_sz = hv_get_bytes_to_write(rbi);
-
-- if (cur_write_sz >= pending_sz)
-- return true;
-+ if (cur_write_sz < pending_sz)
-+ return;
-+
-+ cached_write_sz = hv_get_cached_bytes_to_write(rbi);
-+ if (cached_write_sz < pending_sz)
-+ vmbus_setevent(channel);
-+
-+ return;
-+}
-+
-+static inline void
-+init_cached_read_index(struct vmbus_channel *channel)
-+{
-+ struct hv_ring_buffer_info *rbi = &channel->inbound;
-
-- return false;
-+ rbi->cached_read_index = rbi->ring_buffer->read_index;
- }
-
- /*
-@@ -1571,6 +1599,8 @@ static inline void put_pkt_raw(struct vmbus_channel *channel,
- * This call commits the read index and potentially signals the host.
- * Here is the pattern for using the "in-place" consumption APIs:
- *
-+ * init_cached_read_index();
-+ *
- * while (get_next_pkt_raw() {
- * process the packet "in-place";
- * put_pkt_raw();
-@@ -1589,8 +1619,7 @@ static inline void commit_rd_index(struct vmbus_channel *channel)
- virt_rmb();
- ring_info->ring_buffer->read_index = ring_info->priv_read_index;
-
-- if (hv_need_to_signal_on_read(ring_info))
-- vmbus_set_event(channel);
-+ hv_signal_on_read(channel);
- }
-
-
-diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index c211900..48bc1ac 100644
---- a/include/target/target_core_base.h
-+++ b/include/target/target_core_base.h
-@@ -538,6 +538,7 @@ struct se_node_acl {
- char initiatorname[TRANSPORT_IQN_LEN];
- /* Used to signal demo mode created ACL, disabled by default */
- bool dynamic_node_acl;
-+ bool dynamic_stop;
- u32 queue_depth;
- u32 acl_index;
- enum target_prot_type saved_prot_type;
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index b1cfd74..4b33231 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -3461,14 +3461,15 @@ struct perf_read_data {
- int ret;
- };
-
--static int find_cpu_to_read(struct perf_event *event, int local_cpu)
-+static int __perf_event_read_cpu(struct perf_event *event, int event_cpu)
- {
-- int event_cpu = event->oncpu;
- u16 local_pkg, event_pkg;
-
- if (event->group_caps & PERF_EV_CAP_READ_ACTIVE_PKG) {
-- event_pkg = topology_physical_package_id(event_cpu);
-- local_pkg = topology_physical_package_id(local_cpu);
-+ int local_cpu = smp_processor_id();
-+
-+ event_pkg = topology_physical_package_id(event_cpu);
-+ local_pkg = topology_physical_package_id(local_cpu);
-
- if (event_pkg == local_pkg)
- return local_cpu;
-@@ -3598,7 +3599,7 @@ u64 perf_event_read_local(struct perf_event *event)
-
- static int perf_event_read(struct perf_event *event, bool group)
- {
-- int ret = 0, cpu_to_read, local_cpu;
-+ int event_cpu, ret = 0;
-
- /*
- * If event is enabled and currently active on a CPU, update the
-@@ -3611,21 +3612,25 @@ static int perf_event_read(struct perf_event *event, bool group)
- .ret = 0,
- };
-
-- local_cpu = get_cpu();
-- cpu_to_read = find_cpu_to_read(event, local_cpu);
-- put_cpu();
-+ event_cpu = READ_ONCE(event->oncpu);
-+ if ((unsigned)event_cpu >= nr_cpu_ids)
-+ return 0;
-+
-+ preempt_disable();
-+ event_cpu = __perf_event_read_cpu(event, event_cpu);
-
- /*
- * Purposely ignore the smp_call_function_single() return
- * value.
- *
-- * If event->oncpu isn't a valid CPU it means the event got
-+ * If event_cpu isn't a valid CPU it means the event got
- * scheduled out and that will have updated the event count.
- *
- * Therefore, either way, we'll have an up-to-date event count
- * after this.
- */
-- (void)smp_call_function_single(cpu_to_read, __perf_event_read, &data, 1);
-+ (void)smp_call_function_single(event_cpu, __perf_event_read, &data, 1);
-+ preempt_enable();
- ret = data.ret;
- } else if (event->state == PERF_EVENT_STATE_INACTIVE) {
- struct perf_event_context *ctx = event->ctx;
-diff --git a/kernel/stacktrace.c b/kernel/stacktrace.c
-index b6e4c16..9c15a91 100644
---- a/kernel/stacktrace.c
-+++ b/kernel/stacktrace.c
-@@ -18,10 +18,8 @@ void print_stack_trace(struct stack_trace *trace, int spaces)
- if (WARN_ON(!trace->entries))
- return;
-
-- for (i = 0; i < trace->nr_entries; i++) {
-- printk("%*c", 1 + spaces, ' ');
-- print_ip_sym(trace->entries[i]);
-- }
-+ for (i = 0; i < trace->nr_entries; i++)
-+ printk("%*c%pS\n", 1 + spaces, ' ', (void *)trace->entries[i]);
- }
- EXPORT_SYMBOL_GPL(print_stack_trace);
-
-@@ -29,7 +27,6 @@ int snprint_stack_trace(char *buf, size_t size,
- struct stack_trace *trace, int spaces)
- {
- int i;
-- unsigned long ip;
- int generated;
- int total = 0;
-
-@@ -37,9 +34,8 @@ int snprint_stack_trace(char *buf, size_t size,
- return 0;
-
- for (i = 0; i < trace->nr_entries; i++) {
-- ip = trace->entries[i];
-- generated = snprintf(buf, size, "%*c[<%p>] %pS\n",
-- 1 + spaces, ' ', (void *) ip, (void *) ip);
-+ generated = snprintf(buf, size, "%*c%pS\n", 1 + spaces, ' ',
-+ (void *)trace->entries[i]);
-
- total += generated;
-
-diff --git a/mm/slub.c b/mm/slub.c
-index 2b3e740..7aa0e97 100644
---- a/mm/slub.c
-+++ b/mm/slub.c
-@@ -1419,6 +1419,10 @@ static int init_cache_random_seq(struct kmem_cache *s)
- int err;
- unsigned long i, count = oo_objects(s->oo);
-
-+ /* Bailout if already initialised */
-+ if (s->random_seq)
-+ return 0;
-+
- err = cache_random_seq_create(s, count, GFP_KERNEL);
- if (err) {
- pr_err("SLUB: Unable to initialize free list for %s\n",
-diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
-index 42120d9..50e1b7f 100644
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -339,7 +339,7 @@ int mesh_add_vendor_ies(struct ieee80211_sub_if_data *sdata,
- /* fast-forward to vendor IEs */
- offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);
-
-- if (offset) {
-+ if (offset < ifmsh->ie_len) {
- len = ifmsh->ie_len - offset;
- data = ifmsh->ie + offset;
- if (skb_tailroom(skb) < len)
-diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
-index 1b3c18c..cd7a419 100644
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -5874,6 +5874,7 @@ do { \
- break;
- }
- cfg->ht_opmode = ht_opmode;
-+ mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
- }
- FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
- 1, 65535, mask,
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 09fd610..c2da45a 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -5858,7 +5858,7 @@ static int selinux_setprocattr(struct task_struct *p,
- return error;
-
- /* Obtain a SID for the context, if one was specified. */
-- if (size && str[1] && str[1] != '\n') {
-+ if (size && str[0] && str[0] != '\n') {
- if (str[size-1] == '\n') {
- str[size-1] = 0;
- size--;
-diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
-index c850345..dfa5156 100644
---- a/sound/core/seq/seq_memory.c
-+++ b/sound/core/seq/seq_memory.c
-@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
- {
- unsigned long flags;
- struct snd_seq_event_cell *ptr;
-- int max_count = 5 * HZ;
-
- if (snd_BUG_ON(!pool))
- return -EINVAL;
-@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
- if (waitqueue_active(&pool->output_sleep))
- wake_up(&pool->output_sleep);
-
-- while (atomic_read(&pool->counter) > 0) {
-- if (max_count == 0) {
-- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
-- break;
-- }
-+ while (atomic_read(&pool->counter) > 0)
- schedule_timeout_uninterruptible(1);
-- max_count--;
-- }
-
- /* release all resources */
- spin_lock_irqsave(&pool->lock, flags);
-diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
-index 0bec02e..450c518 100644
---- a/sound/core/seq/seq_queue.c
-+++ b/sound/core/seq/seq_queue.c
-@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
- }
- }
-
-+static void queue_use(struct snd_seq_queue *queue, int client, int use);
-+
- /* allocate a new queue -
- * return queue index value or negative value for error
- */
-@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int locked, unsigned int info_flags)
- if (q == NULL)
- return -ENOMEM;
- q->info_flags = info_flags;
-+ queue_use(q, client, 1);
- if (queue_list_add(q) < 0) {
- queue_delete(q);
- return -ENOMEM;
- }
-- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
- return q->queue;
- }
-
-@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int queueid, int client,
- return result;
- }
-
--
--/* use or unuse this queue -
-- * if it is the first client, starts the timer.
-- * if it is not longer used by any clients, stop the timer.
-- */
--int snd_seq_queue_use(int queueid, int client, int use)
-+/* use or unuse this queue */
-+static void queue_use(struct snd_seq_queue *queue, int client, int use)
- {
-- struct snd_seq_queue *queue;
--
-- queue = queueptr(queueid);
-- if (queue == NULL)
-- return -EINVAL;
-- mutex_lock(&queue->timer_mutex);
- if (use) {
- if (!test_and_set_bit(client, queue->clients_bitmap))
- queue->clients++;
-@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int client, int use)
- } else {
- snd_seq_timer_close(queue);
- }
-+}
-+
-+/* use or unuse this queue -
-+ * if it is the first client, starts the timer.
-+ * if it is not longer used by any clients, stop the timer.
-+ */
-+int snd_seq_queue_use(int queueid, int client, int use)
-+{
-+ struct snd_seq_queue *queue;
-+
-+ queue = queueptr(queueid);
-+ if (queue == NULL)
-+ return -EINVAL;
-+ mutex_lock(&queue->timer_mutex);
-+ queue_use(queue, client, use);
- mutex_unlock(&queue->timer_mutex);
- queuefree(queue);
- return 0;
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index 56e5204..4bf4833 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -3638,6 +3638,7 @@ HDA_CODEC_ENTRY(0x10de0070, "GPU 70 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de0071, "GPU 71 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de0072, "GPU 72 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de007d, "GPU 7d HDMI/DP", patch_nvhdmi),
-+HDA_CODEC_ENTRY(0x10de0080, "GPU 80 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de0082, "GPU 82 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de0083, "GPU 83 HDMI/DP", patch_nvhdmi),
- HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
-diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
-index 90009c0..ab3c280 100644
---- a/sound/usb/line6/driver.c
-+++ b/sound/usb/line6/driver.c
-@@ -754,8 +754,9 @@ int line6_probe(struct usb_interface *interface,
- goto error;
- }
-
-+ line6_get_interval(line6);
-+
- if (properties->capabilities & LINE6_CAP_CONTROL) {
-- line6_get_interval(line6);
- ret = line6_init_cap_control(line6);
- if (ret < 0)
- goto error;
-diff --git a/tools/perf/builtin-diff.c b/tools/perf/builtin-diff.c
-index 9ff0db4..933aeec 100644
---- a/tools/perf/builtin-diff.c
-+++ b/tools/perf/builtin-diff.c
-@@ -1199,7 +1199,7 @@ static int ui_init(void)
- BUG_ON(1);
- }
-
-- perf_hpp__register_sort_field(fmt);
-+ perf_hpp__prepend_sort_field(fmt);
- return 0;
- }
-
-diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c
-index 3738839..18cfcdc9 100644
---- a/tools/perf/ui/hist.c
-+++ b/tools/perf/ui/hist.c
-@@ -521,6 +521,12 @@ void perf_hpp_list__register_sort_field(struct perf_hpp_list *list,
- list_add_tail(&format->sort_list, &list->sorts);
- }
-
-+void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list,
-+ struct perf_hpp_fmt *format)
-+{
-+ list_add(&format->sort_list, &list->sorts);
-+}
-+
- void perf_hpp__column_unregister(struct perf_hpp_fmt *format)
- {
- list_del(&format->list);
-@@ -560,6 +566,10 @@ void perf_hpp__setup_output_field(struct perf_hpp_list *list)
- perf_hpp_list__for_each_sort_list(list, fmt) {
- struct perf_hpp_fmt *pos;
-
-+ /* skip sort-only fields ("sort_compute" in perf diff) */
-+ if (!fmt->entry && !fmt->color)
-+ continue;
-+
- perf_hpp_list__for_each_format(list, pos) {
- if (fmt_equal(fmt, pos))
- goto next;
-diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h
-index 9928fed..a440a04 100644
---- a/tools/perf/util/hist.h
-+++ b/tools/perf/util/hist.h
-@@ -282,6 +282,8 @@ void perf_hpp_list__column_register(struct perf_hpp_list *list,
- struct perf_hpp_fmt *format);
- void perf_hpp_list__register_sort_field(struct perf_hpp_list *list,
- struct perf_hpp_fmt *format);
-+void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list,
-+ struct perf_hpp_fmt *format);
-
- static inline void perf_hpp__column_register(struct perf_hpp_fmt *format)
- {
-@@ -293,6 +295,11 @@ static inline void perf_hpp__register_sort_field(struct perf_hpp_fmt *format)
- perf_hpp_list__register_sort_field(&perf_hpp_list, format);
- }
-
-+static inline void perf_hpp__prepend_sort_field(struct perf_hpp_fmt *format)
-+{
-+ perf_hpp_list__prepend_sort_field(&perf_hpp_list, format);
-+}
-+
- #define perf_hpp_list__for_each_format(_list, format) \
- list_for_each_entry(format, &(_list)->fields, list)
-
diff --git a/4.9.11/1010_linux-4.9.11.patch b/4.9.11/1010_linux-4.9.11.patch
deleted file mode 100644
index 59eb5c7..0000000
--- a/4.9.11/1010_linux-4.9.11.patch
+++ /dev/null
@@ -1,1893 +0,0 @@
-diff --git a/Makefile b/Makefile
-index d2fe757..18b0c5a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 9
--SUBLEVEL = 10
-+SUBLEVEL = 11
- EXTRAVERSION =
- NAME = Roaring Lionus
-
-diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
-index ebb4e95..96d80df 100644
---- a/arch/x86/kernel/fpu/core.c
-+++ b/arch/x86/kernel/fpu/core.c
-@@ -236,7 +236,8 @@ void fpstate_init(union fpregs_state *state)
- * it will #GP. Make sure it is replaced after the memset().
- */
- if (static_cpu_has(X86_FEATURE_XSAVES))
-- state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT;
-+ state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT |
-+ xfeatures_mask;
-
- if (static_cpu_has(X86_FEATURE_FXSR))
- fpstate_init_fxstate(&state->fxsave);
-diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
-index f2e8bed..4d3ddc2 100644
---- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
-+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
-@@ -507,8 +507,11 @@ void mlx4_en_recover_from_oom(struct mlx4_en_priv *priv)
- return;
-
- for (ring = 0; ring < priv->rx_ring_num; ring++) {
-- if (mlx4_en_is_ring_empty(priv->rx_ring[ring]))
-+ if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) {
-+ local_bh_disable();
- napi_reschedule(&priv->rx_cq[ring]->napi);
-+ local_bh_enable();
-+ }
- }
- }
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
-index 71382df..81d8e3b 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
-@@ -765,7 +765,8 @@ void mlx5e_disable_vlan_filter(struct mlx5e_priv *priv);
- int mlx5e_modify_rqs_vsd(struct mlx5e_priv *priv, bool vsd);
-
- int mlx5e_redirect_rqt(struct mlx5e_priv *priv, u32 rqtn, int sz, int ix);
--void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv);
-+void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc,
-+ enum mlx5e_traffic_types tt);
-
- int mlx5e_open_locked(struct net_device *netdev);
- int mlx5e_close_locked(struct net_device *netdev);
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-index 51c6a57..126cfeb 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
-@@ -975,15 +975,18 @@ static int mlx5e_get_rxfh(struct net_device *netdev, u32 *indir, u8 *key,
-
- static void mlx5e_modify_tirs_hash(struct mlx5e_priv *priv, void *in, int inlen)
- {
-- struct mlx5_core_dev *mdev = priv->mdev;
- void *tirc = MLX5_ADDR_OF(modify_tir_in, in, ctx);
-- int i;
-+ struct mlx5_core_dev *mdev = priv->mdev;
-+ int ctxlen = MLX5_ST_SZ_BYTES(tirc);
-+ int tt;
-
- MLX5_SET(modify_tir_in, in, bitmask.hash, 1);
-- mlx5e_build_tir_ctx_hash(tirc, priv);
-
-- for (i = 0; i < MLX5E_NUM_INDIR_TIRS; i++)
-- mlx5_core_modify_tir(mdev, priv->indir_tir[i].tirn, in, inlen);
-+ for (tt = 0; tt < MLX5E_NUM_INDIR_TIRS; tt++) {
-+ memset(tirc, 0, ctxlen);
-+ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt);
-+ mlx5_core_modify_tir(mdev, priv->indir_tir[tt].tirn, in, inlen);
-+ }
- }
-
- static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir,
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
-index 5dc3e24..b3067137 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
-@@ -1978,8 +1978,23 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv)
- MLX5_SET(tirc, tirc, lro_timeout_period_usecs, priv->params.lro_timeout);
- }
-
--void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv)
-+void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc,
-+ enum mlx5e_traffic_types tt)
- {
-+ void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer);
-+
-+#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\
-+ MLX5_HASH_FIELD_SEL_DST_IP)
-+
-+#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\
-+ MLX5_HASH_FIELD_SEL_DST_IP |\
-+ MLX5_HASH_FIELD_SEL_L4_SPORT |\
-+ MLX5_HASH_FIELD_SEL_L4_DPORT)
-+
-+#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\
-+ MLX5_HASH_FIELD_SEL_DST_IP |\
-+ MLX5_HASH_FIELD_SEL_IPSEC_SPI)
-+
- MLX5_SET(tirc, tirc, rx_hash_fn,
- mlx5e_rx_hash_fn(priv->params.rss_hfunc));
- if (priv->params.rss_hfunc == ETH_RSS_HASH_TOP) {
-@@ -1991,6 +2006,88 @@ void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv)
- MLX5_SET(tirc, tirc, rx_hash_symmetric, 1);
- memcpy(rss_key, priv->params.toeplitz_hash_key, len);
- }
-+
-+ switch (tt) {
-+ case MLX5E_TT_IPV4_TCP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV4);
-+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-+ MLX5_L4_PROT_TYPE_TCP);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_L4PORTS);
-+ break;
-+
-+ case MLX5E_TT_IPV6_TCP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV6);
-+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-+ MLX5_L4_PROT_TYPE_TCP);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_L4PORTS);
-+ break;
-+
-+ case MLX5E_TT_IPV4_UDP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV4);
-+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-+ MLX5_L4_PROT_TYPE_UDP);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_L4PORTS);
-+ break;
-+
-+ case MLX5E_TT_IPV6_UDP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV6);
-+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-+ MLX5_L4_PROT_TYPE_UDP);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_L4PORTS);
-+ break;
-+
-+ case MLX5E_TT_IPV4_IPSEC_AH:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV4);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_IPSEC_SPI);
-+ break;
-+
-+ case MLX5E_TT_IPV6_IPSEC_AH:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV6);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_IPSEC_SPI);
-+ break;
-+
-+ case MLX5E_TT_IPV4_IPSEC_ESP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV4);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_IPSEC_SPI);
-+ break;
-+
-+ case MLX5E_TT_IPV6_IPSEC_ESP:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV6);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP_IPSEC_SPI);
-+ break;
-+
-+ case MLX5E_TT_IPV4:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV4);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP);
-+ break;
-+
-+ case MLX5E_TT_IPV6:
-+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-+ MLX5_L3_PROT_TYPE_IPV6);
-+ MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-+ MLX5_HASH_IP);
-+ break;
-+ default:
-+ WARN_ONCE(true, "%s: bad traffic type!\n", __func__);
-+ }
- }
-
- static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv)
-@@ -2360,110 +2457,13 @@ void mlx5e_cleanup_nic_tx(struct mlx5e_priv *priv)
- static void mlx5e_build_indir_tir_ctx(struct mlx5e_priv *priv, u32 *tirc,
- enum mlx5e_traffic_types tt)
- {
-- void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer);
--
- MLX5_SET(tirc, tirc, transport_domain, priv->mdev->mlx5e_res.td.tdn);
-
--#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\
-- MLX5_HASH_FIELD_SEL_DST_IP)
--
--#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\
-- MLX5_HASH_FIELD_SEL_DST_IP |\
-- MLX5_HASH_FIELD_SEL_L4_SPORT |\
-- MLX5_HASH_FIELD_SEL_L4_DPORT)
--
--#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\
-- MLX5_HASH_FIELD_SEL_DST_IP |\
-- MLX5_HASH_FIELD_SEL_IPSEC_SPI)
--
- mlx5e_build_tir_ctx_lro(tirc, priv);
-
- MLX5_SET(tirc, tirc, disp_type, MLX5_TIRC_DISP_TYPE_INDIRECT);
- MLX5_SET(tirc, tirc, indirect_table, priv->indir_rqt.rqtn);
-- mlx5e_build_tir_ctx_hash(tirc, priv);
--
-- switch (tt) {
-- case MLX5E_TT_IPV4_TCP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV4);
-- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-- MLX5_L4_PROT_TYPE_TCP);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_L4PORTS);
-- break;
--
-- case MLX5E_TT_IPV6_TCP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV6);
-- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-- MLX5_L4_PROT_TYPE_TCP);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_L4PORTS);
-- break;
--
-- case MLX5E_TT_IPV4_UDP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV4);
-- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-- MLX5_L4_PROT_TYPE_UDP);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_L4PORTS);
-- break;
--
-- case MLX5E_TT_IPV6_UDP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV6);
-- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
-- MLX5_L4_PROT_TYPE_UDP);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_L4PORTS);
-- break;
--
-- case MLX5E_TT_IPV4_IPSEC_AH:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV4);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_IPSEC_SPI);
-- break;
--
-- case MLX5E_TT_IPV6_IPSEC_AH:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV6);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_IPSEC_SPI);
-- break;
--
-- case MLX5E_TT_IPV4_IPSEC_ESP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV4);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_IPSEC_SPI);
-- break;
--
-- case MLX5E_TT_IPV6_IPSEC_ESP:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV6);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP_IPSEC_SPI);
-- break;
--
-- case MLX5E_TT_IPV4:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV4);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP);
-- break;
--
-- case MLX5E_TT_IPV6:
-- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
-- MLX5_L3_PROT_TYPE_IPV6);
-- MLX5_SET(rx_hash_field_select, hfso, selected_fields,
-- MLX5_HASH_IP);
-- break;
-- default:
-- WARN_ONCE(true,
-- "mlx5e_build_indir_tir_ctx: bad traffic type!\n");
-- }
-+ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt);
- }
-
- static void mlx5e_build_direct_tir_ctx(struct mlx5e_priv *priv, u32 *tirc,
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
-index 914e546..7e20e4b 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
-@@ -1110,9 +1110,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg,
- return rule;
- }
- rule = add_rule_fte(fte, fg, dest);
-- unlock_ref_node(&fte->node);
- if (IS_ERR(rule))
-- goto unlock_fg;
-+ goto unlock_fte;
- else
- goto add_rule;
- }
-@@ -1130,6 +1129,7 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg,
- goto unlock_fg;
- }
- tree_init_node(&fte->node, 0, del_fte);
-+ nested_lock_ref_node(&fte->node, FS_MUTEX_CHILD);
- rule = add_rule_fte(fte, fg, dest);
- if (IS_ERR(rule)) {
- kfree(fte);
-@@ -1142,6 +1142,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg,
- list_add(&fte->node.list, prev);
- add_rule:
- tree_add_node(&rule->node, &fte->node);
-+unlock_fte:
-+ unlock_ref_node(&fte->node);
- unlock_fg:
- unlock_ref_node(&fg->node);
- return rule;
-diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
-index 7df4ff1..7d19029 100644
---- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
-+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
-@@ -305,8 +305,12 @@ static int dwmac1000_irq_status(struct mac_device_info *hw,
- {
- void __iomem *ioaddr = hw->pcsr;
- u32 intr_status = readl(ioaddr + GMAC_INT_STATUS);
-+ u32 intr_mask = readl(ioaddr + GMAC_INT_MASK);
- int ret = 0;
-
-+ /* Discard masked bits */
-+ intr_status &= ~intr_mask;
-+
- /* Not used events (e.g. MMC interrupts) are not handled. */
- if ((intr_status & GMAC_INT_STATUS_MMCTIS))
- x->mmc_tx_irq_n++;
-diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
-index 6255973..1b65f0f 100644
---- a/drivers/net/loopback.c
-+++ b/drivers/net/loopback.c
-@@ -164,6 +164,7 @@ static void loopback_setup(struct net_device *dev)
- {
- dev->mtu = 64 * 1024;
- dev->hard_header_len = ETH_HLEN; /* 14 */
-+ dev->min_header_len = ETH_HLEN; /* 14 */
- dev->addr_len = ETH_ALEN; /* 6 */
- dev->type = ARPHRD_LOOPBACK; /* 0x0001*/
- dev->flags = IFF_LOOPBACK;
-diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 6f38daf..adea6f5 100644
---- a/drivers/net/macvtap.c
-+++ b/drivers/net/macvtap.c
-@@ -682,7 +682,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
- ssize_t n;
-
- if (q->flags & IFF_VNET_HDR) {
-- vnet_hdr_len = q->vnet_hdr_sz;
-+ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
-
- err = -EINVAL;
- if (len < vnet_hdr_len)
-@@ -822,7 +822,7 @@ static ssize_t macvtap_put_user(struct macvtap_queue *q,
-
- if (q->flags & IFF_VNET_HDR) {
- struct virtio_net_hdr vnet_hdr;
-- vnet_hdr_len = q->vnet_hdr_sz;
-+ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
- if (iov_iter_count(iter) < vnet_hdr_len)
- return -EINVAL;
-
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 18402d7..b31aca8 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -1187,9 +1187,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
- }
-
- if (tun->flags & IFF_VNET_HDR) {
-- if (len < tun->vnet_hdr_sz)
-+ int vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz);
-+
-+ if (len < vnet_hdr_sz)
- return -EINVAL;
-- len -= tun->vnet_hdr_sz;
-+ len -= vnet_hdr_sz;
-
- n = copy_from_iter(&gso, sizeof(gso), from);
- if (n != sizeof(gso))
-@@ -1201,7 +1203,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
-
- if (tun16_to_cpu(tun, gso.hdr_len) > len)
- return -EINVAL;
-- iov_iter_advance(from, tun->vnet_hdr_sz - sizeof(gso));
-+ iov_iter_advance(from, vnet_hdr_sz - sizeof(gso));
- }
-
- if ((tun->flags & TUN_TYPE_MASK) == IFF_TAP) {
-@@ -1348,7 +1350,7 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- vlan_hlen = VLAN_HLEN;
-
- if (tun->flags & IFF_VNET_HDR)
-- vnet_hdr_sz = tun->vnet_hdr_sz;
-+ vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz);
-
- total = skb->len + vlan_hlen + vnet_hdr_sz;
-
-diff --git a/drivers/net/usb/catc.c b/drivers/net/usb/catc.c
-index d9ca05d..4086415 100644
---- a/drivers/net/usb/catc.c
-+++ b/drivers/net/usb/catc.c
-@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
- struct net_device *netdev;
- struct catc *catc;
- u8 broadcast[ETH_ALEN];
-- int i, pktsz;
-+ int pktsz, ret;
-
- if (usb_set_interface(usbdev,
- intf->altsetting->desc.bInterfaceNumber, 1)) {
-@@ -812,12 +812,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
- if ((!catc->ctrl_urb) || (!catc->tx_urb) ||
- (!catc->rx_urb) || (!catc->irq_urb)) {
- dev_err(&intf->dev, "No free urbs available.\n");
-- usb_free_urb(catc->ctrl_urb);
-- usb_free_urb(catc->tx_urb);
-- usb_free_urb(catc->rx_urb);
-- usb_free_urb(catc->irq_urb);
-- free_netdev(netdev);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto fail_free;
- }
-
- /* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */
-@@ -845,15 +841,24 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
- catc->irq_buf, 2, catc_irq_done, catc, 1);
-
- if (!catc->is_f5u011) {
-+ u32 *buf;
-+ int i;
-+
- dev_dbg(dev, "Checking memory size\n");
-
-- i = 0x12345678;
-- catc_write_mem(catc, 0x7a80, &i, 4);
-- i = 0x87654321;
-- catc_write_mem(catc, 0xfa80, &i, 4);
-- catc_read_mem(catc, 0x7a80, &i, 4);
-+ buf = kmalloc(4, GFP_KERNEL);
-+ if (!buf) {
-+ ret = -ENOMEM;
-+ goto fail_free;
-+ }
-+
-+ *buf = 0x12345678;
-+ catc_write_mem(catc, 0x7a80, buf, 4);
-+ *buf = 0x87654321;
-+ catc_write_mem(catc, 0xfa80, buf, 4);
-+ catc_read_mem(catc, 0x7a80, buf, 4);
-
-- switch (i) {
-+ switch (*buf) {
- case 0x12345678:
- catc_set_reg(catc, TxBufCount, 8);
- catc_set_reg(catc, RxBufCount, 32);
-@@ -868,6 +873,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
- dev_dbg(dev, "32k Memory\n");
- break;
- }
-+
-+ kfree(buf);
-
- dev_dbg(dev, "Getting MAC from SEEROM.\n");
-
-@@ -914,16 +921,21 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
- usb_set_intfdata(intf, catc);
-
- SET_NETDEV_DEV(netdev, &intf->dev);
-- if (register_netdev(netdev) != 0) {
-- usb_set_intfdata(intf, NULL);
-- usb_free_urb(catc->ctrl_urb);
-- usb_free_urb(catc->tx_urb);
-- usb_free_urb(catc->rx_urb);
-- usb_free_urb(catc->irq_urb);
-- free_netdev(netdev);
-- return -EIO;
-- }
-+ ret = register_netdev(netdev);
-+ if (ret)
-+ goto fail_clear_intfdata;
-+
- return 0;
-+
-+fail_clear_intfdata:
-+ usb_set_intfdata(intf, NULL);
-+fail_free:
-+ usb_free_urb(catc->ctrl_urb);
-+ usb_free_urb(catc->tx_urb);
-+ usb_free_urb(catc->rx_urb);
-+ usb_free_urb(catc->irq_urb);
-+ free_netdev(netdev);
-+ return ret;
- }
-
- static void catc_disconnect(struct usb_interface *intf)
-diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
-index 1434e5d..ee40ac2 100644
---- a/drivers/net/usb/pegasus.c
-+++ b/drivers/net/usb/pegasus.c
-@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
-
- static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
- {
-+ u8 *buf;
- int ret;
-
-+ buf = kmalloc(size, GFP_NOIO);
-+ if (!buf)
-+ return -ENOMEM;
-+
- ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
- PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
-- indx, data, size, 1000);
-+ indx, buf, size, 1000);
- if (ret < 0)
- netif_dbg(pegasus, drv, pegasus->net,
- "%s returned %d\n", __func__, ret);
-+ else if (ret <= size)
-+ memcpy(data, buf, ret);
-+ kfree(buf);
- return ret;
- }
-
--static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
-+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
-+ const void *data)
- {
-+ u8 *buf;
- int ret;
-
-+ buf = kmemdup(data, size, GFP_NOIO);
-+ if (!buf)
-+ return -ENOMEM;
-+
- ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
- PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
-- indx, data, size, 100);
-+ indx, buf, size, 100);
- if (ret < 0)
- netif_dbg(pegasus, drv, pegasus->net,
- "%s returned %d\n", __func__, ret);
-+ kfree(buf);
- return ret;
- }
-
- static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
- {
-+ u8 *buf;
- int ret;
-
-+ buf = kmemdup(&data, 1, GFP_NOIO);
-+ if (!buf)
-+ return -ENOMEM;
-+
- ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
- PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
-- indx, &data, 1, 1000);
-+ indx, buf, 1, 1000);
- if (ret < 0)
- netif_dbg(pegasus, drv, pegasus->net,
- "%s returned %d\n", __func__, ret);
-+ kfree(buf);
- return ret;
- }
-
-diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
-index 7c72bfa..dc4f7ea 100644
---- a/drivers/net/usb/rtl8150.c
-+++ b/drivers/net/usb/rtl8150.c
-@@ -155,16 +155,36 @@ static const char driver_name [] = "rtl8150";
- */
- static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
- {
-- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
-- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
-- indx, 0, data, size, 500);
-+ void *buf;
-+ int ret;
-+
-+ buf = kmalloc(size, GFP_NOIO);
-+ if (!buf)
-+ return -ENOMEM;
-+
-+ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
-+ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
-+ indx, 0, buf, size, 500);
-+ if (ret > 0 && ret <= size)
-+ memcpy(data, buf, ret);
-+ kfree(buf);
-+ return ret;
- }
-
--static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
-+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
- {
-- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
-- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
-- indx, 0, data, size, 500);
-+ void *buf;
-+ int ret;
-+
-+ buf = kmemdup(data, size, GFP_NOIO);
-+ if (!buf)
-+ return -ENOMEM;
-+
-+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
-+ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
-+ indx, 0, buf, size, 500);
-+ kfree(buf);
-+ return ret;
- }
-
- static void async_set_reg_cb(struct urb *urb)
-diff --git a/include/linux/can/core.h b/include/linux/can/core.h
-index a087500..df08a41 100644
---- a/include/linux/can/core.h
-+++ b/include/linux/can/core.h
-@@ -45,10 +45,9 @@ struct can_proto {
- extern int can_proto_register(const struct can_proto *cp);
- extern void can_proto_unregister(const struct can_proto *cp);
-
--extern int can_rx_register(struct net_device *dev, canid_t can_id,
-- canid_t mask,
-- void (*func)(struct sk_buff *, void *),
-- void *data, char *ident);
-+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
-+ void (*func)(struct sk_buff *, void *),
-+ void *data, char *ident, struct sock *sk);
-
- extern void can_rx_unregister(struct net_device *dev, canid_t can_id,
- canid_t mask,
-diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index d83590e..bb9b102 100644
---- a/include/linux/netdevice.h
-+++ b/include/linux/netdevice.h
-@@ -1508,6 +1508,7 @@ enum netdev_priv_flags {
- * @mtu: Interface MTU value
- * @type: Interface hardware type
- * @hard_header_len: Maximum hardware header length.
-+ * @min_header_len: Minimum hardware header length
- *
- * @needed_headroom: Extra headroom the hardware may need, but not in all
- * cases can this be guaranteed
-@@ -1728,6 +1729,7 @@ struct net_device {
- unsigned int mtu;
- unsigned short type;
- unsigned short hard_header_len;
-+ unsigned short min_header_len;
-
- unsigned short needed_headroom;
- unsigned short needed_tailroom;
-@@ -2783,6 +2785,8 @@ static inline bool dev_validate_header(const struct net_device *dev,
- {
- if (likely(len >= dev->hard_header_len))
- return true;
-+ if (len < dev->min_header_len)
-+ return false;
-
- if (capable(CAP_SYS_RAWIO)) {
- memset(ll_header + len, 0, dev->hard_header_len - len);
-diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
-index 3ebb168..a34b141 100644
---- a/include/net/cipso_ipv4.h
-+++ b/include/net/cipso_ipv4.h
-@@ -309,6 +309,10 @@ static inline int cipso_v4_validate(const struct sk_buff *skb,
- }
-
- for (opt_iter = 6; opt_iter < opt_len;) {
-+ if (opt_iter + 1 == opt_len) {
-+ err_offset = opt_iter;
-+ goto out;
-+ }
- tag_len = opt[opt_iter + 1];
- if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) {
- err_offset = opt_iter + 1;
-diff --git a/include/net/ipv6.h b/include/net/ipv6.h
-index f11ca83..7f15f95 100644
---- a/include/net/ipv6.h
-+++ b/include/net/ipv6.h
-@@ -871,7 +871,7 @@ int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
- * upper-layer output functions
- */
- int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
-- struct ipv6_txoptions *opt, int tclass);
-+ __u32 mark, struct ipv6_txoptions *opt, int tclass);
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr);
-
-diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
-index fc7c0db..3f40132 100644
---- a/include/net/lwtunnel.h
-+++ b/include/net/lwtunnel.h
-@@ -176,7 +176,10 @@ static inline int lwtunnel_valid_encap_type(u16 encap_type)
- }
- static inline int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int len)
- {
-- return -EOPNOTSUPP;
-+ /* return 0 since we are not walking attr looking for
-+ * RTA_ENCAP_TYPE attribute on nexthops.
-+ */
-+ return 0;
- }
-
- static inline int lwtunnel_build_state(struct net_device *dev, u16 encap_type,
-diff --git a/net/can/af_can.c b/net/can/af_can.c
-index 1108079..5488e4a 100644
---- a/net/can/af_can.c
-+++ b/net/can/af_can.c
-@@ -445,6 +445,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
- * @func: callback function on filter match
- * @data: returned parameter for callback function
- * @ident: string for calling module identification
-+ * @sk: socket pointer (might be NULL)
- *
- * Description:
- * Invokes the callback function with the received sk_buff and the given
-@@ -468,7 +469,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
- */
- int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
- void (*func)(struct sk_buff *, void *), void *data,
-- char *ident)
-+ char *ident, struct sock *sk)
- {
- struct receiver *r;
- struct hlist_head *rl;
-@@ -496,6 +497,7 @@ int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
- r->func = func;
- r->data = data;
- r->ident = ident;
-+ r->sk = sk;
-
- hlist_add_head_rcu(&r->list, rl);
- d->entries++;
-@@ -520,8 +522,11 @@ EXPORT_SYMBOL(can_rx_register);
- static void can_rx_delete_receiver(struct rcu_head *rp)
- {
- struct receiver *r = container_of(rp, struct receiver, rcu);
-+ struct sock *sk = r->sk;
-
- kmem_cache_free(rcv_cache, r);
-+ if (sk)
-+ sock_put(sk);
- }
-
- /**
-@@ -596,8 +601,11 @@ void can_rx_unregister(struct net_device *dev, canid_t can_id, canid_t mask,
- spin_unlock(&can_rcvlists_lock);
-
- /* schedule the receiver item for deletion */
-- if (r)
-+ if (r) {
-+ if (r->sk)
-+ sock_hold(r->sk);
- call_rcu(&r->rcu, can_rx_delete_receiver);
-+ }
- }
- EXPORT_SYMBOL(can_rx_unregister);
-
-diff --git a/net/can/af_can.h b/net/can/af_can.h
-index fca0fe9..b86f512 100644
---- a/net/can/af_can.h
-+++ b/net/can/af_can.h
-@@ -50,13 +50,14 @@
-
- struct receiver {
- struct hlist_node list;
-- struct rcu_head rcu;
- canid_t can_id;
- canid_t mask;
- unsigned long matches;
- void (*func)(struct sk_buff *, void *);
- void *data;
- char *ident;
-+ struct sock *sk;
-+ struct rcu_head rcu;
- };
-
- #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS)
-diff --git a/net/can/bcm.c b/net/can/bcm.c
-index 5e9ed5e..e4f694d 100644
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -1225,7 +1225,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
- err = can_rx_register(dev, op->can_id,
- REGMASK(op->can_id),
- bcm_rx_handler, op,
-- "bcm");
-+ "bcm", sk);
-
- op->rx_reg_dev = dev;
- dev_put(dev);
-@@ -1234,7 +1234,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
- } else
- err = can_rx_register(NULL, op->can_id,
- REGMASK(op->can_id),
-- bcm_rx_handler, op, "bcm");
-+ bcm_rx_handler, op, "bcm", sk);
- if (err) {
- /* this bcm rx op is broken -> remove it */
- list_del(&op->list);
-diff --git a/net/can/gw.c b/net/can/gw.c
-index 4551687..77c8af4 100644
---- a/net/can/gw.c
-+++ b/net/can/gw.c
-@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj)
- {
- return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
- gwj->ccgw.filter.can_mask, can_can_gw_rcv,
-- gwj, "gw");
-+ gwj, "gw", NULL);
- }
-
- static inline void cgw_unregister_filter(struct cgw_job *gwj)
-diff --git a/net/can/raw.c b/net/can/raw.c
-index b075f02..6dc546a 100644
---- a/net/can/raw.c
-+++ b/net/can/raw.c
-@@ -190,7 +190,7 @@ static int raw_enable_filters(struct net_device *dev, struct sock *sk,
- for (i = 0; i < count; i++) {
- err = can_rx_register(dev, filter[i].can_id,
- filter[i].can_mask,
-- raw_rcv, sk, "raw");
-+ raw_rcv, sk, "raw", sk);
- if (err) {
- /* clean up successfully registered filters */
- while (--i >= 0)
-@@ -211,7 +211,7 @@ static int raw_enable_errfilter(struct net_device *dev, struct sock *sk,
-
- if (err_mask)
- err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
-- raw_rcv, sk, "raw");
-+ raw_rcv, sk, "raw", sk);
-
- return err;
- }
-diff --git a/net/core/dev.c b/net/core/dev.c
-index df51c50..60b0a604 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -1696,24 +1696,19 @@ EXPORT_SYMBOL_GPL(net_dec_egress_queue);
-
- static struct static_key netstamp_needed __read_mostly;
- #ifdef HAVE_JUMP_LABEL
--/* We are not allowed to call static_key_slow_dec() from irq context
-- * If net_disable_timestamp() is called from irq context, defer the
-- * static_key_slow_dec() calls.
-- */
- static atomic_t netstamp_needed_deferred;
--#endif
--
--void net_enable_timestamp(void)
-+static void netstamp_clear(struct work_struct *work)
- {
--#ifdef HAVE_JUMP_LABEL
- int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
-
-- if (deferred) {
-- while (--deferred)
-- static_key_slow_dec(&netstamp_needed);
-- return;
-- }
-+ while (deferred--)
-+ static_key_slow_dec(&netstamp_needed);
-+}
-+static DECLARE_WORK(netstamp_work, netstamp_clear);
- #endif
-+
-+void net_enable_timestamp(void)
-+{
- static_key_slow_inc(&netstamp_needed);
- }
- EXPORT_SYMBOL(net_enable_timestamp);
-@@ -1721,12 +1716,12 @@ EXPORT_SYMBOL(net_enable_timestamp);
- void net_disable_timestamp(void)
- {
- #ifdef HAVE_JUMP_LABEL
-- if (in_interrupt()) {
-- atomic_inc(&netstamp_needed_deferred);
-- return;
-- }
--#endif
-+ /* net_disable_timestamp() can be called from non process context */
-+ atomic_inc(&netstamp_needed_deferred);
-+ schedule_work(&netstamp_work);
-+#else
- static_key_slow_dec(&netstamp_needed);
-+#endif
- }
- EXPORT_SYMBOL(net_disable_timestamp);
-
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index 715e5d1..7506c03 100644
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -227,7 +227,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
- opt = ireq->ipv6_opt;
- if (!opt)
- opt = rcu_dereference(np->opt);
-- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass);
-+ err = ip6_xmit(sk, skb, &fl6, sk->sk_mark, opt, np->tclass);
- rcu_read_unlock();
- err = net_xmit_eval(err);
- }
-@@ -281,7 +281,7 @@ static void dccp_v6_ctl_send_reset(const struct sock *sk, struct sk_buff *rxskb)
- dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
- if (!IS_ERR(dst)) {
- skb_dst_set(skb, dst);
-- ip6_xmit(ctl_sk, skb, &fl6, NULL, 0);
-+ ip6_xmit(ctl_sk, skb, &fl6, 0, NULL, 0);
- DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
- DCCP_INC_STATS(DCCP_MIB_OUTRSTS);
- return;
-diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
-index da38621..0f99297 100644
---- a/net/dsa/dsa2.c
-+++ b/net/dsa/dsa2.c
-@@ -273,6 +273,7 @@ static int dsa_user_port_apply(struct device_node *port, u32 index,
- if (err) {
- dev_warn(ds->dev, "Failed to create slave %d: %d\n",
- index, err);
-+ ds->ports[index].netdev = NULL;
- return err;
- }
-
-diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
-index 02acfff..24d7aff 100644
---- a/net/ethernet/eth.c
-+++ b/net/ethernet/eth.c
-@@ -356,6 +356,7 @@ void ether_setup(struct net_device *dev)
- dev->header_ops = &eth_header_ops;
- dev->type = ARPHRD_ETHER;
- dev->hard_header_len = ETH_HLEN;
-+ dev->min_header_len = ETH_HLEN;
- dev->mtu = ETH_DATA_LEN;
- dev->addr_len = ETH_ALEN;
- dev->tx_queue_len = 1000; /* Ethernet wants good queues */
-diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
-index 72d6f05..ae20616 100644
---- a/net/ipv4/cipso_ipv4.c
-+++ b/net/ipv4/cipso_ipv4.c
-@@ -1587,6 +1587,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
- goto validate_return_locked;
- }
-
-+ if (opt_iter + 1 == opt_len) {
-+ err_offset = opt_iter;
-+ goto validate_return_locked;
-+ }
- tag_len = tag[1];
- if (tag_len > (opt_len - opt_iter)) {
- err_offset = opt_iter + 1;
-diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
-index 32a08bc..1bc623d 100644
---- a/net/ipv4/igmp.c
-+++ b/net/ipv4/igmp.c
-@@ -1172,6 +1172,7 @@ static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im)
- psf->sf_crcount = im->crcount;
- }
- in_dev_put(pmc->interface);
-+ kfree(pmc);
- }
- spin_unlock_bh(&im->lock);
- }
-diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
-index 877bdb0..e5c1dbe 100644
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -1606,6 +1606,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
- sk->sk_protocol = ip_hdr(skb)->protocol;
- sk->sk_bound_dev_if = arg->bound_dev_if;
- sk->sk_sndbuf = sysctl_wmem_default;
-+ sk->sk_mark = fl4.flowi4_mark;
- err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
- len, 0, &ipc, &rt, MSG_DONTWAIT);
- if (unlikely(err)) {
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index f226f408..65336f3 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -1215,7 +1215,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
- pktinfo->ipi_ifindex = 0;
- pktinfo->ipi_spec_dst.s_addr = 0;
- }
-- skb_dst_drop(skb);
-+ /* We need to keep the dst for __ip_options_echo()
-+ * We could restrict the test to opt.ts_needtime || opt.srr,
-+ * but the following is good enough as IP options are not often used.
-+ */
-+ if (unlikely(IPCB(skb)->opt.optlen))
-+ skb_dst_force(skb);
-+ else
-+ skb_dst_drop(skb);
- }
-
- int ip_setsockopt(struct sock *sk, int level,
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 96b8e2b..105c074 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh,
- {
- struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
-
-+ if (!skb)
-+ return 0;
- pfh->wcheck = csum_partial((char *)&pfh->icmph,
- sizeof(struct icmphdr), pfh->wcheck);
- pfh->icmph.checksum = csum_fold(pfh->wcheck);
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 814af89..6a90a0e 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
- ret = -EAGAIN;
- break;
- }
-+ /* if __tcp_splice_read() got nothing while we have
-+ * an skb in receive queue, we do not want to loop.
-+ * This might happen with URG data.
-+ */
-+ if (!skb_queue_empty(&sk->sk_receive_queue))
-+ break;
- sk_wait_data(sk, &timeo, NULL);
- if (signal_pending(current)) {
- ret = sock_intr_errno(timeo);
-diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
-index 896e9df..65d6189 100644
---- a/net/ipv4/tcp_output.c
-+++ b/net/ipv4/tcp_output.c
-@@ -2436,9 +2436,11 @@ u32 __tcp_select_window(struct sock *sk)
- int full_space = min_t(int, tp->window_clamp, allowed_space);
- int window;
-
-- if (mss > full_space)
-+ if (unlikely(mss > full_space)) {
- mss = full_space;
--
-+ if (mss <= 0)
-+ return 0;
-+ }
- if (free_space < (full_space >> 1)) {
- icsk->icsk_ack.quick = 0;
-
-diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
-index 532c3ef..798a095 100644
---- a/net/ipv6/inet6_connection_sock.c
-+++ b/net/ipv6/inet6_connection_sock.c
-@@ -173,7 +173,7 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused
- /* Restore final destination back after routing done */
- fl6.daddr = sk->sk_v6_daddr;
-
-- res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
-+ res = ip6_xmit(sk, skb, &fl6, sk->sk_mark, rcu_dereference(np->opt),
- np->tclass);
- rcu_read_unlock();
- return res;
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index d7d6d3a..0a59220 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
-
-
- static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
-- u8 type, u8 code, int offset, __be32 info)
-+ u8 type, u8 code, int offset, __be32 info)
- {
-- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
-- __be16 *p = (__be16 *)(skb->data + offset);
-- int grehlen = offset + 4;
-+ const struct gre_base_hdr *greh;
-+ const struct ipv6hdr *ipv6h;
-+ int grehlen = sizeof(*greh);
- struct ip6_tnl *t;
-+ int key_off = 0;
- __be16 flags;
-+ __be32 key;
-
-- flags = p[0];
-- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
-- if (flags&(GRE_VERSION|GRE_ROUTING))
-- return;
-- if (flags&GRE_KEY) {
-- grehlen += 4;
-- if (flags&GRE_CSUM)
-- grehlen += 4;
-- }
-+ if (!pskb_may_pull(skb, offset + grehlen))
-+ return;
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ flags = greh->flags;
-+ if (flags & (GRE_VERSION | GRE_ROUTING))
-+ return;
-+ if (flags & GRE_CSUM)
-+ grehlen += 4;
-+ if (flags & GRE_KEY) {
-+ key_off = grehlen + offset;
-+ grehlen += 4;
- }
-
-- /* If only 8 bytes returned, keyed message will be dropped here */
-- if (!pskb_may_pull(skb, grehlen))
-+ if (!pskb_may_pull(skb, offset + grehlen))
- return;
- ipv6h = (const struct ipv6hdr *)skb->data;
-- p = (__be16 *)(skb->data + offset);
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
-
- t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
-- flags & GRE_KEY ?
-- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
-- p[1]);
-+ key, greh->protocol);
- if (!t)
- return;
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 59eb4ed..9a87bfb 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -163,7 +163,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
- * which are using proper atomic operations or spinlocks.
- */
- int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
-- struct ipv6_txoptions *opt, int tclass)
-+ __u32 mark, struct ipv6_txoptions *opt, int tclass)
- {
- struct net *net = sock_net(sk);
- const struct ipv6_pinfo *np = inet6_sk(sk);
-@@ -230,7 +230,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
-
- skb->protocol = htons(ETH_P_IPV6);
- skb->priority = sk->sk_priority;
-- skb->mark = sk->sk_mark;
-+ skb->mark = mark;
-
- mtu = dst_mtu(dst);
- if ((skb->len <= mtu) || skb->ignore_df || skb_is_gso(skb)) {
-diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
-index f95437f..f6ba452 100644
---- a/net/ipv6/ip6_tunnel.c
-+++ b/net/ipv6/ip6_tunnel.c
-@@ -400,18 +400,19 @@ ip6_tnl_dev_uninit(struct net_device *dev)
-
- __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
- {
-- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
-- __u8 nexthdr = ipv6h->nexthdr;
-- __u16 off = sizeof(*ipv6h);
-+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
-+ unsigned int nhoff = raw - skb->data;
-+ unsigned int off = nhoff + sizeof(*ipv6h);
-+ u8 next, nexthdr = ipv6h->nexthdr;
-
- while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
-- __u16 optlen = 0;
- struct ipv6_opt_hdr *hdr;
-- if (raw + off + sizeof(*hdr) > skb->data &&
-- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
-+ u16 optlen;
-+
-+ if (!pskb_may_pull(skb, off + sizeof(*hdr)))
- break;
-
-- hdr = (struct ipv6_opt_hdr *) (raw + off);
-+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
- if (nexthdr == NEXTHDR_FRAGMENT) {
- struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
- if (frag_hdr->frag_off)
-@@ -422,20 +423,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
- } else {
- optlen = ipv6_optlen(hdr);
- }
-+ /* cache hdr->nexthdr, since pskb_may_pull() might
-+ * invalidate hdr
-+ */
-+ next = hdr->nexthdr;
- if (nexthdr == NEXTHDR_DEST) {
-- __u16 i = off + 2;
-+ u16 i = 2;
-+
-+ /* Remember : hdr is no longer valid at this point. */
-+ if (!pskb_may_pull(skb, off + optlen))
-+ break;
-+
- while (1) {
- struct ipv6_tlv_tnl_enc_lim *tel;
-
- /* No more room for encapsulation limit */
-- if (i + sizeof (*tel) > off + optlen)
-+ if (i + sizeof(*tel) > optlen)
- break;
-
-- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
-+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
- /* return index of option if found and valid */
- if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
- tel->length == 1)
-- return i;
-+ return i + off - nhoff;
- /* else jump to next option */
- if (tel->type)
- i += tel->length + 2;
-@@ -443,7 +453,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
- i++;
- }
- }
-- nexthdr = hdr->nexthdr;
-+ nexthdr = next;
- off += optlen;
- }
- return 0;
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 14a3903..1bdc703 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -81,7 +81,7 @@ static void mld_gq_timer_expire(unsigned long data);
- static void mld_ifc_timer_expire(unsigned long data);
- static void mld_ifc_event(struct inet6_dev *idev);
- static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
--static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
-+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
- static void mld_clear_delrec(struct inet6_dev *idev);
- static bool mld_in_v1_mode(const struct inet6_dev *idev);
- static int sf_setstate(struct ifmcaddr6 *pmc);
-@@ -692,9 +692,9 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
- dev_mc_del(dev, buf);
- }
-
-- if (mc->mca_flags & MAF_NOREPORT)
-- goto done;
- spin_unlock_bh(&mc->mca_lock);
-+ if (mc->mca_flags & MAF_NOREPORT)
-+ return;
-
- if (!mc->idev->dead)
- igmp6_leave_group(mc);
-@@ -702,8 +702,6 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
- spin_lock_bh(&mc->mca_lock);
- if (del_timer(&mc->mca_timer))
- atomic_dec(&mc->mca_refcnt);
--done:
-- ip6_mc_clear_src(mc);
- spin_unlock_bh(&mc->mca_lock);
- }
-
-@@ -748,10 +746,11 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
- spin_unlock_bh(&idev->mc_lock);
- }
-
--static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
-+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
- {
- struct ifmcaddr6 *pmc, *pmc_prev;
-- struct ip6_sf_list *psf, *psf_next;
-+ struct ip6_sf_list *psf;
-+ struct in6_addr *pmca = &im->mca_addr;
-
- spin_lock_bh(&idev->mc_lock);
- pmc_prev = NULL;
-@@ -768,14 +767,21 @@ static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
- }
- spin_unlock_bh(&idev->mc_lock);
-
-+ spin_lock_bh(&im->mca_lock);
- if (pmc) {
-- for (psf = pmc->mca_tomb; psf; psf = psf_next) {
-- psf_next = psf->sf_next;
-- kfree(psf);
-+ im->idev = pmc->idev;
-+ im->mca_crcount = idev->mc_qrv;
-+ im->mca_sfmode = pmc->mca_sfmode;
-+ if (pmc->mca_sfmode == MCAST_INCLUDE) {
-+ im->mca_tomb = pmc->mca_tomb;
-+ im->mca_sources = pmc->mca_sources;
-+ for (psf = im->mca_sources; psf; psf = psf->sf_next)
-+ psf->sf_crcount = im->mca_crcount;
- }
- in6_dev_put(pmc->idev);
- kfree(pmc);
- }
-+ spin_unlock_bh(&im->mca_lock);
- }
-
- static void mld_clear_delrec(struct inet6_dev *idev)
-@@ -904,7 +910,7 @@ int ipv6_dev_mc_inc(struct net_device *dev, const struct in6_addr *addr)
- mca_get(mc);
- write_unlock_bh(&idev->lock);
-
-- mld_del_delrec(idev, &mc->mca_addr);
-+ mld_del_delrec(idev, mc);
- igmp6_group_added(mc);
- ma_put(mc);
- return 0;
-@@ -927,6 +933,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *idev, const struct in6_addr *addr)
- write_unlock_bh(&idev->lock);
-
- igmp6_group_dropped(ma);
-+ ip6_mc_clear_src(ma);
-
- ma_put(ma);
- return 0;
-@@ -2501,15 +2508,17 @@ void ipv6_mc_down(struct inet6_dev *idev)
- /* Withdraw multicast list */
-
- read_lock_bh(&idev->lock);
-- mld_ifc_stop_timer(idev);
-- mld_gq_stop_timer(idev);
-- mld_dad_stop_timer(idev);
-
- for (i = idev->mc_list; i; i = i->next)
- igmp6_group_dropped(i);
-- read_unlock_bh(&idev->lock);
-
-- mld_clear_delrec(idev);
-+ /* Should stop timer after group drop. or we will
-+ * start timer again in mld_ifc_event()
-+ */
-+ mld_ifc_stop_timer(idev);
-+ mld_gq_stop_timer(idev);
-+ mld_dad_stop_timer(idev);
-+ read_unlock_bh(&idev->lock);
- }
-
- static void ipv6_mc_reset(struct inet6_dev *idev)
-@@ -2531,8 +2540,10 @@ void ipv6_mc_up(struct inet6_dev *idev)
-
- read_lock_bh(&idev->lock);
- ipv6_mc_reset(idev);
-- for (i = idev->mc_list; i; i = i->next)
-+ for (i = idev->mc_list; i; i = i->next) {
-+ mld_del_delrec(idev, i);
- igmp6_group_added(i);
-+ }
- read_unlock_bh(&idev->lock);
- }
-
-@@ -2565,6 +2576,7 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev)
-
- /* Deactivate timers */
- ipv6_mc_down(idev);
-+ mld_clear_delrec(idev);
-
- /* Delete all-nodes address. */
- /* We cannot call ipv6_dev_mc_dec() directly, our caller in
-@@ -2579,11 +2591,9 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev)
- write_lock_bh(&idev->lock);
- while ((i = idev->mc_list) != NULL) {
- idev->mc_list = i->next;
-- write_unlock_bh(&idev->lock);
-
-- igmp6_group_dropped(i);
-+ write_unlock_bh(&idev->lock);
- ma_put(i);
--
- write_lock_bh(&idev->lock);
- }
- write_unlock_bh(&idev->lock);
-diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
-index b1cdf80..40d7405 100644
---- a/net/ipv6/sit.c
-+++ b/net/ipv6/sit.c
-@@ -1390,6 +1390,7 @@ static int ipip6_tunnel_init(struct net_device *dev)
- err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL);
- if (err) {
- free_percpu(dev->tstats);
-+ dev->tstats = NULL;
- return err;
- }
-
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index b9f1fee..6673965 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -467,7 +467,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
- opt = ireq->ipv6_opt;
- if (!opt)
- opt = rcu_dereference(np->opt);
-- err = ip6_xmit(sk, skb, fl6, opt, np->tclass);
-+ err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass);
- rcu_read_unlock();
- err = net_xmit_eval(err);
- }
-@@ -837,7 +837,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
- dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
- if (!IS_ERR(dst)) {
- skb_dst_set(buff, dst);
-- ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
-+ ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass);
- TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
- if (rst)
- TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
-@@ -987,6 +987,16 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
- return 0; /* don't send reset */
- }
-
-+static void tcp_v6_restore_cb(struct sk_buff *skb)
-+{
-+ /* We need to move header back to the beginning if xfrm6_policy_check()
-+ * and tcp_v6_fill_cb() are going to be called again.
-+ * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there.
-+ */
-+ memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6,
-+ sizeof(struct inet6_skb_parm));
-+}
-+
- static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
- struct request_sock *req,
- struct dst_entry *dst,
-@@ -1178,8 +1188,10 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- sk_gfp_mask(sk, GFP_ATOMIC));
- consume_skb(ireq->pktopts);
- ireq->pktopts = NULL;
-- if (newnp->pktoptions)
-+ if (newnp->pktoptions) {
-+ tcp_v6_restore_cb(newnp->pktoptions);
- skb_set_owner_r(newnp->pktoptions, newsk);
-+ }
- }
- }
-
-@@ -1194,16 +1206,6 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- return NULL;
- }
-
--static void tcp_v6_restore_cb(struct sk_buff *skb)
--{
-- /* We need to move header back to the beginning if xfrm6_policy_check()
-- * and tcp_v6_fill_cb() are going to be called again.
-- * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there.
-- */
-- memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6,
-- sizeof(struct inet6_skb_parm));
--}
--
- /* The socket must have it's spinlock held when we get
- * here, unless it is a TCP_LISTEN socket.
- *
-diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
-index 2599af6..181e755c 100644
---- a/net/l2tp/l2tp_core.h
-+++ b/net/l2tp/l2tp_core.h
-@@ -273,6 +273,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb,
- int l2tp_nl_register_ops(enum l2tp_pwtype pw_type,
- const struct l2tp_nl_cmd_ops *ops);
- void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
-+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
-
- /* Session reference counts. Incremented when code obtains a reference
- * to a session.
-diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
-index 8938b6b..c0f0750 100644
---- a/net/l2tp/l2tp_ip.c
-+++ b/net/l2tp/l2tp_ip.c
-@@ -11,6 +11,7 @@
-
- #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-
-+#include <asm/ioctls.h>
- #include <linux/icmp.h>
- #include <linux/module.h>
- #include <linux/skbuff.h>
-@@ -560,6 +561,30 @@ static int l2tp_ip_recvmsg(struct sock *sk, struct msghdr *msg,
- return err ? err : copied;
- }
-
-+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg)
-+{
-+ struct sk_buff *skb;
-+ int amount;
-+
-+ switch (cmd) {
-+ case SIOCOUTQ:
-+ amount = sk_wmem_alloc_get(sk);
-+ break;
-+ case SIOCINQ:
-+ spin_lock_bh(&sk->sk_receive_queue.lock);
-+ skb = skb_peek(&sk->sk_receive_queue);
-+ amount = skb ? skb->len : 0;
-+ spin_unlock_bh(&sk->sk_receive_queue.lock);
-+ break;
-+
-+ default:
-+ return -ENOIOCTLCMD;
-+ }
-+
-+ return put_user(amount, (int __user *)arg);
-+}
-+EXPORT_SYMBOL(l2tp_ioctl);
-+
- static struct proto l2tp_ip_prot = {
- .name = "L2TP/IP",
- .owner = THIS_MODULE,
-@@ -568,7 +593,7 @@ static struct proto l2tp_ip_prot = {
- .bind = l2tp_ip_bind,
- .connect = l2tp_ip_connect,
- .disconnect = l2tp_ip_disconnect,
-- .ioctl = udp_ioctl,
-+ .ioctl = l2tp_ioctl,
- .destroy = l2tp_ip_destroy_sock,
- .setsockopt = ip_setsockopt,
- .getsockopt = ip_getsockopt,
-diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
-index aa821cb..1a65c9a 100644
---- a/net/l2tp/l2tp_ip6.c
-+++ b/net/l2tp/l2tp_ip6.c
-@@ -729,7 +729,7 @@ static struct proto l2tp_ip6_prot = {
- .bind = l2tp_ip6_bind,
- .connect = l2tp_ip6_connect,
- .disconnect = l2tp_ip6_disconnect,
-- .ioctl = udp_ioctl,
-+ .ioctl = l2tp_ioctl,
- .destroy = l2tp_ip6_destroy_sock,
- .setsockopt = ipv6_setsockopt,
- .getsockopt = ipv6_getsockopt,
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 94e4a59..458722b 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -2813,7 +2813,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
- struct virtio_net_hdr vnet_hdr = { 0 };
- int offset = 0;
- struct packet_sock *po = pkt_sk(sk);
-- int hlen, tlen;
-+ int hlen, tlen, linear;
- int extra_len = 0;
-
- /*
-@@ -2874,8 +2874,9 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
- err = -ENOBUFS;
- hlen = LL_RESERVED_SPACE(dev);
- tlen = dev->needed_tailroom;
-- skb = packet_alloc_skb(sk, hlen + tlen, hlen, len,
-- __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len),
-+ linear = __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len);
-+ linear = max(linear, min_t(int, len, dev->hard_header_len));
-+ skb = packet_alloc_skb(sk, hlen + tlen, hlen, len, linear,
- msg->msg_flags & MSG_DONTWAIT, &err);
- if (skb == NULL)
- goto out_unlock;
-diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
-index f935429..b12bc2a 100644
---- a/net/sched/cls_matchall.c
-+++ b/net/sched/cls_matchall.c
-@@ -16,16 +16,11 @@
- #include <net/sch_generic.h>
- #include <net/pkt_cls.h>
-
--struct cls_mall_filter {
-+struct cls_mall_head {
- struct tcf_exts exts;
- struct tcf_result res;
- u32 handle;
-- struct rcu_head rcu;
- u32 flags;
--};
--
--struct cls_mall_head {
-- struct cls_mall_filter *filter;
- struct rcu_head rcu;
- };
-
-@@ -33,38 +28,29 @@ static int mall_classify(struct sk_buff *skb, const struct tcf_proto *tp,
- struct tcf_result *res)
- {
- struct cls_mall_head *head = rcu_dereference_bh(tp->root);
-- struct cls_mall_filter *f = head->filter;
-
-- if (tc_skip_sw(f->flags))
-+ if (tc_skip_sw(head->flags))
- return -1;
-
-- return tcf_exts_exec(skb, &f->exts, res);
-+ return tcf_exts_exec(skb, &head->exts, res);
- }
-
- static int mall_init(struct tcf_proto *tp)
- {
-- struct cls_mall_head *head;
--
-- head = kzalloc(sizeof(*head), GFP_KERNEL);
-- if (!head)
-- return -ENOBUFS;
--
-- rcu_assign_pointer(tp->root, head);
--
- return 0;
- }
-
--static void mall_destroy_filter(struct rcu_head *head)
-+static void mall_destroy_rcu(struct rcu_head *rcu)
- {
-- struct cls_mall_filter *f = container_of(head, struct cls_mall_filter, rcu);
-+ struct cls_mall_head *head = container_of(rcu, struct cls_mall_head,
-+ rcu);
-
-- tcf_exts_destroy(&f->exts);
--
-- kfree(f);
-+ tcf_exts_destroy(&head->exts);
-+ kfree(head);
- }
-
- static int mall_replace_hw_filter(struct tcf_proto *tp,
-- struct cls_mall_filter *f,
-+ struct cls_mall_head *head,
- unsigned long cookie)
- {
- struct net_device *dev = tp->q->dev_queue->dev;
-@@ -74,7 +60,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp,
- offload.type = TC_SETUP_MATCHALL;
- offload.cls_mall = &mall_offload;
- offload.cls_mall->command = TC_CLSMATCHALL_REPLACE;
-- offload.cls_mall->exts = &f->exts;
-+ offload.cls_mall->exts = &head->exts;
- offload.cls_mall->cookie = cookie;
-
- return dev->netdev_ops->ndo_setup_tc(dev, tp->q->handle, tp->protocol,
-@@ -82,7 +68,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp,
- }
-
- static void mall_destroy_hw_filter(struct tcf_proto *tp,
-- struct cls_mall_filter *f,
-+ struct cls_mall_head *head,
- unsigned long cookie)
- {
- struct net_device *dev = tp->q->dev_queue->dev;
-@@ -103,29 +89,20 @@ static bool mall_destroy(struct tcf_proto *tp, bool force)
- {
- struct cls_mall_head *head = rtnl_dereference(tp->root);
- struct net_device *dev = tp->q->dev_queue->dev;
-- struct cls_mall_filter *f = head->filter;
-
-- if (!force && f)
-- return false;
-+ if (!head)
-+ return true;
-
-- if (f) {
-- if (tc_should_offload(dev, tp, f->flags))
-- mall_destroy_hw_filter(tp, f, (unsigned long) f);
-+ if (tc_should_offload(dev, tp, head->flags))
-+ mall_destroy_hw_filter(tp, head, (unsigned long) head);
-
-- call_rcu(&f->rcu, mall_destroy_filter);
-- }
-- kfree_rcu(head, rcu);
-+ call_rcu(&head->rcu, mall_destroy_rcu);
- return true;
- }
-
- static unsigned long mall_get(struct tcf_proto *tp, u32 handle)
- {
-- struct cls_mall_head *head = rtnl_dereference(tp->root);
-- struct cls_mall_filter *f = head->filter;
--
-- if (f && f->handle == handle)
-- return (unsigned long) f;
-- return 0;
-+ return 0UL;
- }
-
- static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
-@@ -134,7 +111,7 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
- };
-
- static int mall_set_parms(struct net *net, struct tcf_proto *tp,
-- struct cls_mall_filter *f,
-+ struct cls_mall_head *head,
- unsigned long base, struct nlattr **tb,
- struct nlattr *est, bool ovr)
- {
-@@ -147,11 +124,11 @@ static int mall_set_parms(struct net *net, struct tcf_proto *tp,
- return err;
-
- if (tb[TCA_MATCHALL_CLASSID]) {
-- f->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
-- tcf_bind_filter(tp, &f->res, base);
-+ head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
-+ tcf_bind_filter(tp, &head->res, base);
- }
-
-- tcf_exts_change(tp, &f->exts, &e);
-+ tcf_exts_change(tp, &head->exts, &e);
-
- return 0;
- }
-@@ -162,21 +139,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
- unsigned long *arg, bool ovr)
- {
- struct cls_mall_head *head = rtnl_dereference(tp->root);
-- struct cls_mall_filter *fold = (struct cls_mall_filter *) *arg;
- struct net_device *dev = tp->q->dev_queue->dev;
-- struct cls_mall_filter *f;
- struct nlattr *tb[TCA_MATCHALL_MAX + 1];
-+ struct cls_mall_head *new;
- u32 flags = 0;
- int err;
-
- if (!tca[TCA_OPTIONS])
- return -EINVAL;
-
-- if (head->filter)
-- return -EBUSY;
--
-- if (fold)
-- return -EINVAL;
-+ if (head)
-+ return -EEXIST;
-
- err = nla_parse_nested(tb, TCA_MATCHALL_MAX,
- tca[TCA_OPTIONS], mall_policy);
-@@ -189,23 +162,23 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
- return -EINVAL;
- }
-
-- f = kzalloc(sizeof(*f), GFP_KERNEL);
-- if (!f)
-+ new = kzalloc(sizeof(*new), GFP_KERNEL);
-+ if (!new)
- return -ENOBUFS;
-
-- tcf_exts_init(&f->exts, TCA_MATCHALL_ACT, 0);
-+ tcf_exts_init(&new->exts, TCA_MATCHALL_ACT, 0);
-
- if (!handle)
- handle = 1;
-- f->handle = handle;
-- f->flags = flags;
-+ new->handle = handle;
-+ new->flags = flags;
-
-- err = mall_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr);
-+ err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], ovr);
- if (err)
- goto errout;
-
- if (tc_should_offload(dev, tp, flags)) {
-- err = mall_replace_hw_filter(tp, f, (unsigned long) f);
-+ err = mall_replace_hw_filter(tp, new, (unsigned long) new);
- if (err) {
- if (tc_skip_sw(flags))
- goto errout;
-@@ -214,39 +187,29 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
- }
- }
-
-- *arg = (unsigned long) f;
-- rcu_assign_pointer(head->filter, f);
--
-+ *arg = (unsigned long) head;
-+ rcu_assign_pointer(tp->root, new);
-+ if (head)
-+ call_rcu(&head->rcu, mall_destroy_rcu);
- return 0;
-
- errout:
-- kfree(f);
-+ kfree(new);
- return err;
- }
-
- static int mall_delete(struct tcf_proto *tp, unsigned long arg)
- {
-- struct cls_mall_head *head = rtnl_dereference(tp->root);
-- struct cls_mall_filter *f = (struct cls_mall_filter *) arg;
-- struct net_device *dev = tp->q->dev_queue->dev;
--
-- if (tc_should_offload(dev, tp, f->flags))
-- mall_destroy_hw_filter(tp, f, (unsigned long) f);
--
-- RCU_INIT_POINTER(head->filter, NULL);
-- tcf_unbind_filter(tp, &f->res);
-- call_rcu(&f->rcu, mall_destroy_filter);
-- return 0;
-+ return -EOPNOTSUPP;
- }
-
- static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg)
- {
- struct cls_mall_head *head = rtnl_dereference(tp->root);
-- struct cls_mall_filter *f = head->filter;
-
- if (arg->count < arg->skip)
- goto skip;
-- if (arg->fn(tp, (unsigned long) f, arg) < 0)
-+ if (arg->fn(tp, (unsigned long) head, arg) < 0)
- arg->stop = 1;
- skip:
- arg->count++;
-@@ -255,28 +218,28 @@ static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg)
- static int mall_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
- struct sk_buff *skb, struct tcmsg *t)
- {
-- struct cls_mall_filter *f = (struct cls_mall_filter *) fh;
-+ struct cls_mall_head *head = (struct cls_mall_head *) fh;
- struct nlattr *nest;
-
-- if (!f)
-+ if (!head)
- return skb->len;
-
-- t->tcm_handle = f->handle;
-+ t->tcm_handle = head->handle;
-
- nest = nla_nest_start(skb, TCA_OPTIONS);
- if (!nest)
- goto nla_put_failure;
-
-- if (f->res.classid &&
-- nla_put_u32(skb, TCA_MATCHALL_CLASSID, f->res.classid))
-+ if (head->res.classid &&
-+ nla_put_u32(skb, TCA_MATCHALL_CLASSID, head->res.classid))
- goto nla_put_failure;
-
-- if (tcf_exts_dump(skb, &f->exts))
-+ if (tcf_exts_dump(skb, &head->exts))
- goto nla_put_failure;
-
- nla_nest_end(skb, nest);
-
-- if (tcf_exts_dump_stats(skb, &f->exts) < 0)
-+ if (tcf_exts_dump_stats(skb, &head->exts) < 0)
- goto nla_put_failure;
-
- return skb->len;
-diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index 176af30..6a2532d 100644
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -222,7 +222,8 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
-
- rcu_read_lock();
-- res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass);
-+ res = ip6_xmit(sk, skb, fl6, sk->sk_mark, rcu_dereference(np->opt),
-+ np->tclass);
- rcu_read_unlock();
- return res;
- }
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index ca12aa3..6cbe5bd 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- */
- release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- BUG_ON(sk != asoc->base.sk);
-+ if (sk != asoc->base.sk)
-+ goto do_error;
- lock_sock(sk);
-
- *timeo_p = current_timeo;
diff --git a/4.9.11/0000_README b/4.9.12/0000_README
index 27a4c3e..fde5541 100644
--- a/4.9.11/0000_README
+++ b/4.9.12/0000_README
@@ -2,15 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1009_linux-4.9.10.patch
-From: http://www.kernel.org
-Desc: Linux 4.9.10
-
-Patch: 1010_linux-4.9.11.patch
-From: http://www.kernel.org
-Desc: Linux 4.9.11
-
-Patch: 4420_grsecurity-3.1-4.9.11-201702181444.patch
+Patch: 4420_grsecurity-3.1-4.9.12-201702231830.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch b/4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch
index 91575ee..ce908bf 100644
--- a/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch
+++ b/4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch
@@ -419,7 +419,7 @@ index 3d0ae15..84e5412 100644
cmd_syscalls = $(CONFIG_SHELL) $< $(CC) $(c_flags) $(missing_syscalls_flags)
diff --git a/Makefile b/Makefile
-index 18b0c5a..54a9fea 100644
+index 3cd6f6f..43e4233 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -26426,7 +26426,7 @@ index 17f2186..f394307 100644
/*
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 83db0ea..137bc2c 100644
+index 83db0ea..0ad5d22 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -136,7 +136,7 @@ struct cpuinfo_x86 {
@@ -26447,18 +26447,10 @@ index 83db0ea..137bc2c 100644
#define cpu_data(cpu) per_cpu(cpu_info, cpu)
#else
#define cpu_info boot_cpu_data
-@@ -206,9 +206,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
+@@ -206,9 +206,13 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
: "memory");
}
-+/* invpcid (%rdx),%rax */
-+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
-+
-+#define INVPCID_SINGLE_ADDRESS 0UL
-+#define INVPCID_SINGLE_CONTEXT 1UL
-+#define INVPCID_ALL_GLOBAL 2UL
-+#define INVPCID_ALL_NONGLOBAL 3UL
-+
+#define PCID_KERNEL 0UL
+#define PCID_USER 1UL
+#define PCID_NOFLUSH (1UL << 63)
@@ -26470,7 +26462,7 @@ index 83db0ea..137bc2c 100644
}
#ifdef CONFIG_X86_32
-@@ -308,11 +320,9 @@ struct tss_struct {
+@@ -308,11 +312,9 @@ struct tss_struct {
} ____cacheline_aligned;
@@ -26483,7 +26475,7 @@ index 83db0ea..137bc2c 100644
/*
* Save the original ist values for checking stack pointers during debugging
-@@ -341,6 +351,7 @@ DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible;
+@@ -341,6 +343,7 @@ DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible;
DECLARE_INIT_PER_CPU(irq_stack_union);
DECLARE_PER_CPU(char *, irq_stack_ptr);
@@ -26491,7 +26483,7 @@ index 83db0ea..137bc2c 100644
DECLARE_PER_CPU(unsigned int, irq_count);
extern asmlinkage void ignore_sysret(void);
#else /* X86_64 */
-@@ -389,6 +400,7 @@ struct thread_struct {
+@@ -389,6 +392,7 @@ struct thread_struct {
unsigned short ds;
unsigned short fsindex;
unsigned short gsindex;
@@ -26499,7 +26491,7 @@ index 83db0ea..137bc2c 100644
#endif
u32 status; /* thread synchronous flags */
-@@ -405,6 +417,9 @@ struct thread_struct {
+@@ -405,6 +409,9 @@ struct thread_struct {
unsigned long gs;
#endif
@@ -26509,7 +26501,7 @@ index 83db0ea..137bc2c 100644
/* Save middle states of ptrace breakpoints */
struct perf_event *ptrace_bps[HBP_NUM];
/* Debug status used for traps, single steps, etc... */
-@@ -426,17 +441,11 @@ struct thread_struct {
+@@ -426,17 +433,11 @@ struct thread_struct {
unsigned io_bitmap_max;
mm_segment_t addr_limit;
@@ -26529,7 +26521,7 @@ index 83db0ea..137bc2c 100644
/*
* Thread-synchronous status.
-@@ -488,12 +497,8 @@ static inline void native_swapgs(void)
+@@ -488,12 +489,8 @@ static inline void native_swapgs(void)
static inline unsigned long current_top_of_stack(void)
{
@@ -26542,7 +26534,7 @@ index 83db0ea..137bc2c 100644
}
#ifdef CONFIG_PARAVIRT
-@@ -718,20 +723,30 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -718,20 +715,30 @@ static inline void spin_lock_prefetch(const void *x)
#define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \
TOP_OF_KERNEL_STACK_PADDING)
@@ -26574,7 +26566,7 @@ index 83db0ea..137bc2c 100644
}
/*
-@@ -744,12 +759,7 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -744,12 +751,7 @@ static inline void spin_lock_prefetch(const void *x)
* "struct pt_regs" is possible, but they may contain the
* completely wrong values.
*/
@@ -26588,7 +26580,7 @@ index 83db0ea..137bc2c 100644
#define KSTK_ESP(task) (task_pt_regs(task)->sp)
-@@ -763,13 +773,13 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -763,13 +765,13 @@ static inline void spin_lock_prefetch(const void *x)
* particular problem by preventing anything from being mapped
* at the maximum canonical address.
*/
@@ -26604,7 +26596,7 @@ index 83db0ea..137bc2c 100644
#define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
IA32_PAGE_OFFSET : TASK_SIZE_MAX)
-@@ -782,6 +792,7 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -782,6 +784,7 @@ static inline void spin_lock_prefetch(const void *x)
#define INIT_THREAD { \
.sp0 = TOP_OF_INIT_STACK, \
.addr_limit = KERNEL_DS, \
@@ -26612,7 +26604,7 @@ index 83db0ea..137bc2c 100644
}
#define task_pt_regs(tsk) ((struct pt_regs *)(tsk)->thread.sp0 - 1)
-@@ -800,6 +811,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
+@@ -800,6 +803,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
*/
#define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
@@ -26623,7 +26615,7 @@ index 83db0ea..137bc2c 100644
#define KSTK_EIP(task) (task_pt_regs(task)->ip)
/* Get/set a process' ability to use the timestamp counter instruction */
-@@ -845,7 +860,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
+@@ -845,7 +852,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
return 0;
}
@@ -26632,7 +26624,7 @@ index 83db0ea..137bc2c 100644
extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
void default_idle(void);
-@@ -855,6 +870,6 @@ bool xen_set_default_idle(void);
+@@ -855,6 +862,6 @@ bool xen_set_default_idle(void);
#define xen_set_default_idle 0
#endif
@@ -27484,7 +27476,7 @@ index ad6f5eb0..1b4909d 100644
#ifdef CONFIG_COMPAT
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index 6fa8594..30950f3 100644
+index 6fa8594..c5b8ce1 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -89,7 +89,9 @@ static inline void cr4_set_bits(unsigned long mask)
@@ -27515,15 +27507,12 @@ index 6fa8594..30950f3 100644
return this_cpu_read(cpu_tlbstate.cr4);
}
-@@ -135,6 +140,25 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
+@@ -135,6 +140,22 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
static inline void __native_flush_tlb(void)
{
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
-+ u64 descriptor[2];
-+
-+ descriptor[0] = PCID_KERNEL;
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_NONGLOBAL) : "memory");
++ invpcid_flush_all_nonglobals();
+ return;
+ }
+
@@ -27541,58 +27530,35 @@ index 6fa8594..30950f3 100644
/*
* If current->mm == NULL then we borrow a mm which may change during a
* task switch and therefore we must not be preempted while we write CR3
-@@ -147,13 +171,21 @@ static inline void __native_flush_tlb(void)
-
- static inline void __native_flush_tlb_global_irq_disabled(void)
- {
-- unsigned long cr4;
-+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
-+ u64 descriptor[2];
-
-- cr4 = this_cpu_read(cpu_tlbstate.cr4);
-- /* clear PGE */
-- native_write_cr4(cr4 & ~X86_CR4_PGE);
-- /* write old PGE again and flush TLBs */
-- native_write_cr4(cr4);
-+ descriptor[0] = PCID_KERNEL;
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
-+ } else {
-+ unsigned long cr4;
-+
-+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+ BUG_ON(cr4 != __read_cr4());
-+ /* clear PGE */
-+ native_write_cr4(cr4 & ~X86_CR4_PGE);
-+ /* write old PGE again and flush TLBs */
-+ native_write_cr4(cr4);
-+ }
- }
+@@ -150,6 +171,7 @@ static inline void __native_flush_tlb_global_irq_disabled(void)
+ unsigned long cr4;
- static inline void __native_flush_tlb_global(void)
-@@ -183,6 +215,43 @@ static inline void __native_flush_tlb_global(void)
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* clear PGE */
+ native_write_cr4(cr4 & ~X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+@@ -183,6 +205,40 @@ static inline void __native_flush_tlb_global(void)
static inline void __native_flush_tlb_single(unsigned long addr)
{
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
-+ u64 descriptor[2];
-+
-+ descriptor[0] = PCID_KERNEL;
-+ descriptor[1] = addr;
++ unsigned long pcid = PCID_KERNEL;
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
+ if (addr < TASK_SIZE_MAX)
-+ descriptor[1] += pax_user_shadow_base;
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
++ invpcid_flush_one(pcid, addr + pax_user_shadow_base);
++ else
++ invpcid_flush_one(pcid, addr);
+ }
+
-+ descriptor[0] = PCID_USER;
-+ descriptor[1] = addr;
++ pcid = PCID_USER;
+ }
+#endif
+
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
++ invpcid_flush_one(pcid, addr);
+ return;
+ }
+
@@ -28723,7 +28689,7 @@ index 4858733..3353d988 100644
#endif
initial_code = (unsigned long)wakeup_long64;
diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S
-index 0c26b1b..dcc0a4f 100644
+index 0c26b1b..dfa105a 100644
--- a/arch/x86/kernel/acpi/wakeup_32.S
+++ b/arch/x86/kernel/acpi/wakeup_32.S
@@ -2,6 +2,7 @@
@@ -28734,7 +28700,16 @@ index 0c26b1b..dcc0a4f 100644
# Copyright 2003, 2008 Pavel Machek <pavel@suse.cz>, distribute under GPLv2
-@@ -31,13 +32,11 @@ wakeup_pmode_return:
+@@ -14,8 +15,6 @@ wakeup_pmode_return:
+ movw %ax, %ss
+ movw %ax, %fs
+ movw %ax, %gs
+-
+- movw $__USER_DS, %ax
+ movw %ax, %ds
+ movw %ax, %es
+
+@@ -31,13 +30,11 @@ wakeup_pmode_return:
# and restore the stack ... but you need gdt for this to work
movl saved_context_esp, %esp
@@ -28750,7 +28725,7 @@ index 0c26b1b..dcc0a4f 100644
bogus_magic:
jmp bogus_magic
-@@ -59,7 +58,7 @@ save_registers:
+@@ -59,7 +56,7 @@ save_registers:
popl saved_context_eflags
movl $ret_point, saved_eip
@@ -28759,7 +28734,7 @@ index 0c26b1b..dcc0a4f 100644
restore_registers:
-@@ -69,13 +68,14 @@ restore_registers:
+@@ -69,13 +66,14 @@ restore_registers:
movl saved_context_edi, %edi
pushl saved_context_eflags
popfl
@@ -28778,7 +28753,7 @@ index 0c26b1b..dcc0a4f 100644
addl $4, %esp
# In case of S3 failure, we'll emerge here. Jump
-@@ -83,9 +83,9 @@ ENTRY(do_suspend_lowlevel)
+@@ -83,9 +81,9 @@ ENTRY(do_suspend_lowlevel)
jmp ret_point
.p2align 4,,7
ret_point:
@@ -42699,7 +42674,7 @@ index f65a33f..f408a99 100644
}
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index a7655f6..895549a 100644
+index a7655f6..0cab8dd 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -47,7 +47,11 @@ void leave_mm(int cpu)
@@ -42714,7 +42689,7 @@ index a7655f6..895549a 100644
/*
* This gets called in the idle path where RCU
* functions differently. Tracing normally
-@@ -61,6 +65,51 @@ EXPORT_SYMBOL_GPL(leave_mm);
+@@ -61,6 +65,47 @@ EXPORT_SYMBOL_GPL(leave_mm);
#endif /* CONFIG_SMP */
@@ -42741,13 +42716,9 @@ index a7655f6..895549a 100644
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
-+ u64 descriptor[2];
-+ descriptor[0] = PCID_USER;
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
-+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) {
-+ descriptor[0] = PCID_KERNEL;
-+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
-+ }
++ invpcid_flush_single_context(PCID_USER);
++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF))
++ invpcid_flush_single_context(PCID_KERNEL);
+ } else {
+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
@@ -42766,7 +42737,7 @@ index a7655f6..895549a 100644
void switch_mm(struct mm_struct *prev, struct mm_struct *next,
struct task_struct *tsk)
{
-@@ -75,6 +124,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -75,6 +120,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
struct task_struct *tsk)
{
unsigned cpu = smp_processor_id();
@@ -42776,7 +42747,7 @@ index a7655f6..895549a 100644
if (likely(prev != next)) {
if (IS_ENABLED(CONFIG_VMAP_STACK)) {
-@@ -89,9 +141,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -89,9 +137,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
if (unlikely(pgd_none(*pgd)))
set_pgd(pgd, init_mm.pgd[stack_pgd_index]);
@@ -42791,7 +42762,7 @@ index a7655f6..895549a 100644
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
this_cpu_write(cpu_tlbstate.active_mm, next);
#endif
-@@ -111,7 +168,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -111,7 +164,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
* We need to prevent an outcome in which CPU 1 observes
* the new PTE value and CPU 0 observes bit 1 clear in
* mm_cpumask. (If that occurs, then the IPI will never
@@ -42800,7 +42771,7 @@ index a7655f6..895549a 100644
*
* The bad outcome can occur if either CPU's load is
* reordered before that CPU's store, so both CPUs must
-@@ -126,7 +183,11 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -126,7 +179,11 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
* ordering guarantee we need.
*
*/
@@ -42812,7 +42783,7 @@ index a7655f6..895549a 100644
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
-@@ -152,9 +213,31 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -152,9 +209,31 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
if (unlikely(prev->context.ldt != next->context.ldt))
load_mm_ldt(next);
#endif
@@ -42845,7 +42816,7 @@ index a7655f6..895549a 100644
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
-@@ -175,13 +258,30 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
+@@ -175,13 +254,30 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
* As above, load_cr3() is serializing and orders TLB
* fills with respect to the mm_cpumask write.
*/
@@ -45142,10 +45113,18 @@ index eff224d..ab792d2 100644
+ pax_ret check_events
ENDPROC(check_events)
diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
-index feb6d40..c8fd8e7 100644
+index feb6d40..4292c19 100644
--- a/arch/x86/xen/xen-asm_32.S
+++ b/arch/x86/xen/xen-asm_32.S
-@@ -28,7 +28,7 @@ check_events:
+@@ -15,6 +15,7 @@
+ #include <asm/processor-flags.h>
+ #include <asm/segment.h>
+ #include <asm/asm.h>
++#include <asm/alternative-asm.h>
+
+ #include <xen/interface/xen.h>
+
+@@ -28,7 +29,7 @@ check_events:
push %eax
push %ecx
push %edx
@@ -45154,7 +45133,7 @@ index feb6d40..c8fd8e7 100644
pop %edx
pop %ecx
pop %eax
-@@ -85,7 +85,7 @@ ENTRY(xen_iret)
+@@ -85,7 +86,7 @@ ENTRY(xen_iret)
pushw %fs
movl $(__KERNEL_PERCPU), %eax
movl %eax, %fs
@@ -45204,7 +45183,7 @@ index 7f8d8ab..3032b77 100644
#endif /* CONFIG_XEN_PVH */
diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
-index 3cbce3b..f1221bc 100644
+index 3cbce3b..c58120b 100644
--- a/arch/x86/xen/xen-ops.h
+++ b/arch/x86/xen/xen-ops.h
@@ -16,8 +16,6 @@ void xen_syscall_target(void);
@@ -45216,6 +45195,19 @@ index 3cbce3b..f1221bc 100644
struct trap_info;
void xen_copy_trap_info(struct trap_info *traps);
+@@ -133,9 +131,9 @@ static inline void __init xen_efi_init(void)
+ extern char name##_end[] __visible; \
+ extern char name##_reloc[] __visible
+
+-DECL_ASM(void, xen_irq_enable_direct, void);
+-DECL_ASM(void, xen_irq_disable_direct, void);
+-DECL_ASM(unsigned long, xen_save_fl_direct, void);
++DECL_ASM(asmlinkage void, xen_irq_enable_direct, void);
++DECL_ASM(asmlinkage void, xen_irq_disable_direct, void);
++DECL_ASM(asmlinkage unsigned long, xen_save_fl_direct, void);
+ DECL_ASM(void, xen_restore_fl_direct, unsigned long);
+
+ /* These are not functions, and cannot be called normally */
diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h
index 525bd3d..ef888b1 100644
--- a/arch/xtensa/variants/dc232b/include/variant/core.h
@@ -60577,7 +60569,7 @@ index ca4abe1..0b029ef 100644
}
diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
-index 6b420a5..d5acb8f 100644
+index c3ea03c..7412315 100644
--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -433,12 +433,12 @@ struct cache {
@@ -60599,7 +60591,7 @@ index 6b420a5..d5acb8f 100644
struct gc_stat {
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
-index 81d3db4..46e8b68 100644
+index 2efdce0..e30d873 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -336,15 +336,17 @@ static void btree_complete_write(struct btree *b, struct btree_write *w)
@@ -60863,7 +60855,7 @@ index 5c4bdde..99659fe 100644
struct bio *bio = &io->bio.bio;
diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
-index 40ffe5e..6757bd6 100644
+index a37c177..a4dfbfc 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -24,7 +24,7 @@
@@ -60917,7 +60909,7 @@ index 40ffe5e..6757bd6 100644
struct data_insert_op *op = container_of(cl, struct data_insert_op, cl);
struct bio *bio = op->bio, *n;
-@@ -313,8 +316,9 @@ static void bch_data_insert_start(struct closure *cl)
+@@ -311,8 +314,9 @@ static void bch_data_insert_start(struct closure *cl)
* If s->bypass is true, instead of inserting the data it invalidates the
* region of the cache represented by s->cache_bio and op->inode.
*/
@@ -60928,7 +60920,7 @@ index 40ffe5e..6757bd6 100644
struct data_insert_op *op = container_of(cl, struct data_insert_op, cl);
trace_bcache_write(op->c, op->inode, op->bio,
-@@ -322,7 +326,7 @@ void bch_data_insert(struct closure *cl)
+@@ -320,7 +324,7 @@ void bch_data_insert(struct closure *cl)
bch_keylist_init(&op->insert_keys);
bio_get(op->bio);
@@ -60937,7 +60929,7 @@ index 40ffe5e..6757bd6 100644
}
/* Congested? */
-@@ -570,8 +574,9 @@ static int cache_lookup_fn(struct btree_op *op, struct btree *b, struct bkey *k)
+@@ -568,8 +572,9 @@ static int cache_lookup_fn(struct btree_op *op, struct btree *b, struct bkey *k)
return n == bio ? MAP_DONE : MAP_CONTINUE;
}
@@ -60948,7 +60940,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, iop.cl);
struct bio *bio = &s->bio.bio;
int ret;
-@@ -631,8 +636,9 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio)
+@@ -629,8 +634,9 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio)
bio_cnt_set(bio, 3);
}
@@ -60959,7 +60951,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
bio_complete(s);
-@@ -676,19 +682,21 @@ static inline struct search *search_alloc(struct bio *bio,
+@@ -674,19 +680,21 @@ static inline struct search *search_alloc(struct bio *bio,
/* Cached devices */
@@ -60984,7 +60976,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
if (s->iop.replace_collision)
-@@ -697,11 +705,12 @@ static void cached_dev_cache_miss_done(struct closure *cl)
+@@ -695,11 +703,12 @@ static void cached_dev_cache_miss_done(struct closure *cl)
if (s->iop.bio)
bio_free_pages(s->iop.bio);
@@ -60999,7 +60991,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
struct bio *bio = &s->bio.bio;
-@@ -720,8 +729,9 @@ static void cached_dev_read_error(struct closure *cl)
+@@ -718,8 +727,9 @@ static void cached_dev_read_error(struct closure *cl)
continue_at(cl, cached_dev_cache_miss_done, NULL);
}
@@ -61010,7 +61002,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
-@@ -760,8 +770,9 @@ static void cached_dev_read_done(struct closure *cl)
+@@ -758,8 +768,9 @@ static void cached_dev_read_done(struct closure *cl)
continue_at(cl, cached_dev_cache_miss_done, NULL);
}
@@ -61021,7 +61013,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
-@@ -859,13 +870,14 @@ static void cached_dev_read(struct cached_dev *dc, struct search *s)
+@@ -857,13 +868,14 @@ static void cached_dev_read(struct cached_dev *dc, struct search *s)
/* Process writes */
@@ -61038,7 +61030,7 @@ index 40ffe5e..6757bd6 100644
}
static void cached_dev_write(struct cached_dev *dc, struct search *s)
-@@ -937,8 +949,9 @@ static void cached_dev_write(struct cached_dev *dc, struct search *s)
+@@ -935,8 +947,9 @@ static void cached_dev_write(struct cached_dev *dc, struct search *s)
continue_at(cl, cached_dev_write_complete, NULL);
}
@@ -61049,7 +61041,7 @@ index 40ffe5e..6757bd6 100644
struct search *s = container_of(cl, struct search, cl);
struct bio *bio = &s->bio.bio;
-@@ -1058,8 +1071,9 @@ static int flash_dev_cache_miss(struct btree *b, struct search *s,
+@@ -1056,8 +1069,9 @@ static int flash_dev_cache_miss(struct btree *b, struct search *s,
return MAP_CONTINUE;
}
@@ -61187,7 +61179,7 @@ index adbff14..018c2d2 100644
struct cache_stat_collector collector;
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
-index 849ad44..a9e695e 100644
+index 66669c8..3296d7e 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -240,8 +240,9 @@ static void __write_super(struct cache_sb *sb, struct bio *bio)
@@ -79806,10 +79798,10 @@ index cf04a36..54dd630 100644
!(SDEBUG_OPT_NO_CDB_NOISE & sdebug_opts))) {
char b[120];
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 2cca9cf..cbe4c6d 100644
+index e64eae4..465011a 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -1513,7 +1513,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -1514,7 +1514,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
shost = sdev->host;
scsi_init_cmd_errh(cmd);
cmd->result = DID_NO_CONNECT << 16;
@@ -79818,7 +79810,7 @@ index 2cca9cf..cbe4c6d 100644
/*
* SCSI request completion path will do scsi_device_unbusy(),
-@@ -1536,9 +1536,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1537,9 +1537,9 @@ static void scsi_softirq_done(struct request *rq)
INIT_LIST_HEAD(&cmd->eh_entry);
@@ -79830,7 +79822,7 @@ index 2cca9cf..cbe4c6d 100644
disposition = scsi_decide_disposition(cmd);
if (disposition != SUCCESS &&
-@@ -1579,7 +1579,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
+@@ -1580,7 +1580,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
struct Scsi_Host *host = cmd->device->host;
int rtn = 0;
@@ -80008,7 +80000,7 @@ index 51e5629..caef5f7 100644
if (!sdp->request_queue->rq_timeout) {
if (sdp->type != TYPE_MOD)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index dbe5b4b..1242bc3 100644
+index 121de0a..f2ba1bb 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -123707,7 +123699,7 @@ index 368bfb9..5b43f37 100644
{
const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
diff --git a/fs/splice.c b/fs/splice.c
-index 63b8f54..8292069 100644
+index 8dd79ec..0a56b1a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -188,7 +188,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -123719,7 +123711,7 @@ index 63b8f54..8292069 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
goto out;
-@@ -227,7 +227,7 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+@@ -228,7 +228,7 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
{
int ret;
@@ -123728,7 +123720,7 @@ index 63b8f54..8292069 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
} else if (pipe->nrbufs == pipe->buffers) {
-@@ -359,7 +359,7 @@ static ssize_t kernel_readv(struct file *file, const struct kvec *vec,
+@@ -360,7 +360,7 @@ static ssize_t kernel_readv(struct file *file, const struct kvec *vec,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -123737,7 +123729,7 @@ index 63b8f54..8292069 100644
set_fs(old_fs);
return res;
-@@ -374,7 +374,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
+@@ -375,7 +375,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -123746,7 +123738,7 @@ index 63b8f54..8292069 100644
set_fs(old_fs);
return res;
-@@ -533,7 +533,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
+@@ -534,7 +534,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
pipe_buf_release(pipe, buf);
pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
pipe->nrbufs--;
@@ -123755,7 +123747,7 @@ index 63b8f54..8292069 100644
sd->need_wakeup = true;
}
-@@ -564,10 +564,10 @@ static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_des
+@@ -565,10 +565,10 @@ static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_des
return -ERESTARTSYS;
while (!pipe->nrbufs) {
@@ -123768,7 +123760,7 @@ index 63b8f54..8292069 100644
return 0;
if (sd->flags & SPLICE_F_NONBLOCK)
-@@ -781,7 +781,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
+@@ -782,7 +782,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
pipe_buf_release(pipe, buf);
pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
pipe->nrbufs--;
@@ -123777,7 +123769,7 @@ index 63b8f54..8292069 100644
sd.need_wakeup = true;
} else {
buf->offset += ret;
-@@ -944,7 +944,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+@@ -945,7 +945,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
* out of the pipe right after the splice_to_pipe(). So set
* PIPE_READERS appropriately.
*/
@@ -123786,7 +123778,7 @@ index 63b8f54..8292069 100644
current->splice_pipe = pipe;
}
-@@ -1087,7 +1087,7 @@ EXPORT_SYMBOL(do_splice_direct);
+@@ -1088,7 +1088,7 @@ EXPORT_SYMBOL(do_splice_direct);
static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
{
for (;;) {
@@ -123795,7 +123787,7 @@ index 63b8f54..8292069 100644
send_sig(SIGPIPE, current, 0);
return -EPIPE;
}
-@@ -1097,9 +1097,9 @@ static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
+@@ -1098,9 +1098,9 @@ static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
return -EAGAIN;
if (signal_pending(current))
return -ERESTARTSYS;
@@ -123807,7 +123799,7 @@ index 63b8f54..8292069 100644
}
}
-@@ -1446,9 +1446,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1447,9 +1447,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -123819,7 +123811,7 @@ index 63b8f54..8292069 100644
if (flags & SPLICE_F_NONBLOCK) {
ret = -EAGAIN;
break;
-@@ -1480,7 +1480,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1481,7 +1481,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
pipe_lock(pipe);
while (pipe->nrbufs >= pipe->buffers) {
@@ -123828,7 +123820,7 @@ index 63b8f54..8292069 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
break;
-@@ -1493,9 +1493,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1494,9 +1494,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
ret = -ERESTARTSYS;
break;
}
@@ -123840,7 +123832,7 @@ index 63b8f54..8292069 100644
}
pipe_unlock(pipe);
-@@ -1531,14 +1531,14 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
+@@ -1532,14 +1532,14 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -123857,7 +123849,7 @@ index 63b8f54..8292069 100644
break;
/*
-@@ -1635,7 +1635,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1636,7 +1636,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
pipe_double_lock(ipipe, opipe);
do {
@@ -123866,7 +123858,7 @@ index 63b8f54..8292069 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -1680,7 +1680,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1681,7 +1681,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* return EAGAIN if we have the potential of some data in the
* future, otherwise just return 0
*/
@@ -140150,7 +140142,7 @@ index 063962f..d34f2da 100644
static inline struct hugetlb_cgroup *hugetlb_cgroup_from_page(struct page *page)
{
diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h
-index 1c7b89a..7dda400 100644
+index 1c7b89a..7dda4003 100644
--- a/include/linux/hwmon-sysfs.h
+++ b/include/linux/hwmon-sysfs.h
@@ -25,7 +25,8 @@
@@ -149727,7 +149719,7 @@ index ba8a015..37d2e1d 100644
int threads = max_threads;
int min = MIN_THREADS;
diff --git a/kernel/futex.c b/kernel/futex.c
-index 2c4be46..46c5c89 100644
+index 38b68c2..1940ab9 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -210,7 +210,7 @@ struct futex_pi_state {
@@ -151741,7 +151733,7 @@ index 4f0f060..d6c1a7d 100644
/**
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
-index f7a55e9..85fe3ba 100644
+index 9c5b231..aaa4a5c 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -588,7 +588,7 @@ static int log_store(int facility, int level,
@@ -164833,6 +164825,20 @@ index 0df2aa6..7db59f7 100644
.init = sysctl_core_net_init,
.exit = sysctl_core_net_exit,
};
+diff --git a/net/dccp/input.c b/net/dccp/input.c
+index ba34718..8fedc2d 100644
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ skb) < 0)
+ return 1;
+- goto discard;
++ consume_skb(skb);
++ return 0;
+ }
+ if (dh->dccph_type == DCCP_PKT_RESET)
+ goto discard;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 13d6b1a..eaa0cee 100644
--- a/net/decnet/af_decnet.c
@@ -209399,10 +209405,10 @@ index 0000000..1181e93
+size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
new file mode 100644
-index 0000000..75e575c
+index 0000000..103f4c7
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
-@@ -0,0 +1,5032 @@
+@@ -0,0 +1,5033 @@
+logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL
+response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL
+kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL
@@ -213550,6 +213556,7 @@ index 0000000..75e575c
+__hwahc_op_set_ptk_fndecl_54157_fns __hwahc_op_set_ptk fndecl 5 54157 NULL
+b43_nphy_load_samples_fndecl_54162_fns b43_nphy_load_samples fndecl 3 54162 NULL
+cpu_type_read_fndecl_54191_fns cpu_type_read fndecl 3 54191 NULL
++smsusb_sendrequest_fndecl_54196_fns smsusb_sendrequest fndecl 3 54196 NULL
+p_filesz_elf32_phdr_54204_fns p_filesz elf32_phdr 0 54204 NULL
+numeraseregions_mtd_info_54223_fns numeraseregions mtd_info 0 54223 NULL
+__kfifo_to_user_fndecl_54232_fns __kfifo_to_user fndecl 3 54232 NULL
@@ -225693,7 +225700,7 @@ index 0a578fe..b81f62d 100644
})
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 7f9ee29..71d4ab0 100644
+index 7f9ee29..39268bd 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -93,12 +93,17 @@ LIST_HEAD(vm_list);
@@ -225763,7 +225770,21 @@ index 7f9ee29..71d4ab0 100644
.release = kvm_vm_release,
.unlocked_ioctl = kvm_vm_ioctl,
#ifdef CONFIG_KVM_COMPAT
-@@ -3231,7 +3244,7 @@ static long kvm_dev_ioctl(struct file *filp,
+@@ -3181,11 +3194,13 @@ static int kvm_dev_ioctl_create_vm(unsigned long type)
+ return PTR_ERR(file);
+ }
+
++#ifndef CONFIG_GRKERNSEC_SYSFS_RESTRICT
+ if (kvm_create_vm_debugfs(kvm, r) < 0) {
+ put_unused_fd(r);
+ fput(file);
+ return -ENOMEM;
+ }
++#endif
+
+ fd_install(r, file);
+ return r;
+@@ -3231,7 +3246,7 @@ static long kvm_dev_ioctl(struct file *filp,
return r;
}
@@ -225772,7 +225793,7 @@ index 7f9ee29..71d4ab0 100644
.unlocked_ioctl = kvm_dev_ioctl,
.compat_ioctl = kvm_dev_ioctl,
.llseek = noop_llseek,
-@@ -3257,7 +3270,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -3257,7 +3272,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {
cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -225781,7 +225802,7 @@ index 7f9ee29..71d4ab0 100644
pr_info("kvm: enabling virtualization on CPU%d failed\n", cpu);
}
}
-@@ -3314,10 +3327,10 @@ static int hardware_enable_all(void)
+@@ -3314,10 +3329,10 @@ static int hardware_enable_all(void)
kvm_usage_count++;
if (kvm_usage_count == 1) {
@@ -225794,7 +225815,7 @@ index 7f9ee29..71d4ab0 100644
hardware_disable_all_nolock();
r = -EBUSY;
}
-@@ -3877,8 +3890,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3877,8 +3892,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
/* A kmem cache lets us meet the alignment requirements of fx_save. */
if (!vcpu_align)
vcpu_align = __alignof__(struct kvm_vcpu);
@@ -225806,7 +225827,7 @@ index 7f9ee29..71d4ab0 100644
if (!kvm_vcpu_cache) {
r = -ENOMEM;
goto out_free_3;
-@@ -3888,9 +3902,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3888,9 +3904,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
if (r)
goto out_free;
@@ -225818,7 +225839,7 @@ index 7f9ee29..71d4ab0 100644
r = misc_register(&kvm_dev);
if (r) {
-@@ -3900,9 +3916,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3900,9 +3918,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
register_syscore_ops(&kvm_syscore_ops);
diff --git a/4.9.11/4425_grsec_remove_EI_PAX.patch b/4.9.12/4425_grsec_remove_EI_PAX.patch
index 594598a..594598a 100644
--- a/4.9.11/4425_grsec_remove_EI_PAX.patch
+++ b/4.9.12/4425_grsec_remove_EI_PAX.patch
diff --git a/4.9.11/4426_default_XATTR_PAX_FLAGS.patch b/4.9.12/4426_default_XATTR_PAX_FLAGS.patch
index f7e97b5..f7e97b5 100644
--- a/4.9.11/4426_default_XATTR_PAX_FLAGS.patch
+++ b/4.9.12/4426_default_XATTR_PAX_FLAGS.patch
diff --git a/4.9.11/4427_force_XATTR_PAX_tmpfs.patch b/4.9.12/4427_force_XATTR_PAX_tmpfs.patch
index 3871139..3871139 100644
--- a/4.9.11/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.9.12/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.9.11/4430_grsec-remove-localversion-grsec.patch b/4.9.12/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.9.11/4430_grsec-remove-localversion-grsec.patch
+++ b/4.9.12/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.9.11/4435_grsec-mute-warnings.patch b/4.9.12/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.9.11/4435_grsec-mute-warnings.patch
+++ b/4.9.12/4435_grsec-mute-warnings.patch
diff --git a/4.9.11/4440_grsec-remove-protected-paths.patch b/4.9.12/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.9.11/4440_grsec-remove-protected-paths.patch
+++ b/4.9.12/4440_grsec-remove-protected-paths.patch
diff --git a/4.9.11/4450_grsec-kconfig-default-gids.patch b/4.9.12/4450_grsec-kconfig-default-gids.patch
index cee6e27..cee6e27 100644
--- a/4.9.11/4450_grsec-kconfig-default-gids.patch
+++ b/4.9.12/4450_grsec-kconfig-default-gids.patch
diff --git a/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch b/4.9.12/4465_selinux-avc_audit-log-curr_ip.patch
index 06a5294..06a5294 100644
--- a/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.9.12/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.9.11/4470_disable-compat_vdso.patch b/4.9.12/4470_disable-compat_vdso.patch
index a1401d8..a1401d8 100644
--- a/4.9.11/4470_disable-compat_vdso.patch
+++ b/4.9.12/4470_disable-compat_vdso.patch
diff --git a/4.9.11/4475_emutramp_default_on.patch b/4.9.12/4475_emutramp_default_on.patch
index feb8c7b..feb8c7b 100644
--- a/4.9.11/4475_emutramp_default_on.patch
+++ b/4.9.12/4475_emutramp_default_on.patch