diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2017-02-25 06:57:22 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2017-02-25 06:57:22 -0500 |
commit | b29d22f84076b2b7b21dd32836b57ca262dcd8db (patch) | |
tree | a679d884201331901989ab65ec6a279cd62cbdfc | |
parent | grsecurity-3.1-4.9.11-201702181444 (diff) | |
download | hardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.tar.gz hardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.tar.bz2 hardened-patchset-b29d22f84076b2b7b21dd32836b57ca262dcd8db.zip |
grsecurity-3.1-4.9.12-20170223183020170223
-rw-r--r-- | 4.9.11/1009_linux-4.9.10.patch | 2157 | ||||
-rw-r--r-- | 4.9.11/1010_linux-4.9.11.patch | 1893 | ||||
-rw-r--r-- | 4.9.12/0000_README (renamed from 4.9.11/0000_README) | 10 | ||||
-rw-r--r-- | 4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch (renamed from 4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch) | 299 | ||||
-rw-r--r-- | 4.9.12/4425_grsec_remove_EI_PAX.patch (renamed from 4.9.11/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4426_default_XATTR_PAX_FLAGS.patch (renamed from 4.9.11/4426_default_XATTR_PAX_FLAGS.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.9.11/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4430_grsec-remove-localversion-grsec.patch (renamed from 4.9.11/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4435_grsec-mute-warnings.patch (renamed from 4.9.11/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4440_grsec-remove-protected-paths.patch (renamed from 4.9.11/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4450_grsec-kconfig-default-gids.patch (renamed from 4.9.11/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.9.11/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4470_disable-compat_vdso.patch (renamed from 4.9.11/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 4.9.12/4475_emutramp_default_on.patch (renamed from 4.9.11/4475_emutramp_default_on.patch) | 0 |
14 files changed, 161 insertions, 4198 deletions
diff --git a/4.9.11/1009_linux-4.9.10.patch b/4.9.11/1009_linux-4.9.10.patch deleted file mode 100644 index 1767b59..0000000 --- a/4.9.11/1009_linux-4.9.10.patch +++ /dev/null @@ -1,2157 +0,0 @@ -diff --git a/Makefile b/Makefile -index c0c41c9..d2fe757 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 9 --SUBLEVEL = 9 -+SUBLEVEL = 10 - EXTRAVERSION = - NAME = Roaring Lionus - -diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c -index 91ebe38..5f69c3b 100644 ---- a/arch/arc/kernel/unaligned.c -+++ b/arch/arc/kernel/unaligned.c -@@ -243,7 +243,7 @@ int misaligned_fixup(unsigned long address, struct pt_regs *regs, - - /* clear any remanants of delay slot */ - if (delay_mode(regs)) { -- regs->ret = regs->bta ~1U; -+ regs->ret = regs->bta & ~1U; - regs->status32 &= ~STATUS_DE_MASK; - } else { - regs->ret += state.instr_len; -diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi -index 1ade195..7aa120f 100644 ---- a/arch/arm/boot/dts/imx6dl.dtsi -+++ b/arch/arm/boot/dts/imx6dl.dtsi -@@ -137,7 +137,7 @@ - &gpio4 { - gpio-ranges = <&iomuxc 5 136 1>, <&iomuxc 6 145 1>, <&iomuxc 7 150 1>, - <&iomuxc 8 146 1>, <&iomuxc 9 151 1>, <&iomuxc 10 147 1>, -- <&iomuxc 11 151 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>, -+ <&iomuxc 11 152 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>, - <&iomuxc 14 149 1>, <&iomuxc 15 154 1>, <&iomuxc 16 39 7>, - <&iomuxc 23 56 1>, <&iomuxc 24 61 7>, <&iomuxc 31 46 1>; - }; -diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c -index ce131ed..ae738a6 100644 ---- a/arch/arm/kernel/ptrace.c -+++ b/arch/arm/kernel/ptrace.c -@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *target, - const void *kbuf, const void __user *ubuf) - { - int ret; -- struct pt_regs newregs; -+ struct pt_regs newregs = *task_pt_regs(target); - - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &newregs, -diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c -index 3a2e678..0122ad1 100644 ---- a/arch/arm/mm/fault.c -+++ b/arch/arm/mm/fault.c -@@ -610,9 +610,9 @@ static int __init early_abort_handler(unsigned long addr, unsigned int fsr, - - void __init early_abt_enable(void) - { -- fsr_info[22].fn = early_abort_handler; -+ fsr_info[FSR_FS_AEA].fn = early_abort_handler; - local_abt_enable(); -- fsr_info[22].fn = do_bad; -+ fsr_info[FSR_FS_AEA].fn = do_bad; - } - - #ifndef CONFIG_ARM_LPAE -diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h -index 67532f2..afc1f84 100644 ---- a/arch/arm/mm/fault.h -+++ b/arch/arm/mm/fault.h -@@ -11,11 +11,15 @@ - #define FSR_FS5_0 (0x3f) - - #ifdef CONFIG_ARM_LPAE -+#define FSR_FS_AEA 17 -+ - static inline int fsr_fs(unsigned int fsr) - { - return fsr & FSR_FS5_0; - } - #else -+#define FSR_FS_AEA 22 -+ - static inline int fsr_fs(unsigned int fsr) - { - return (fsr & FSR_FS3_0) | (fsr & FSR_FS4) >> 6; -diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index 9e1499f..13f5fad 100644 ---- a/arch/powerpc/include/asm/reg.h -+++ b/arch/powerpc/include/asm/reg.h -@@ -641,9 +641,10 @@ - #define SRR1_ISI_N_OR_G 0x10000000 /* ISI: Access is no-exec or G */ - #define SRR1_ISI_PROT 0x08000000 /* ISI: Other protection fault */ - #define SRR1_WAKEMASK 0x00380000 /* reason for wakeup */ --#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 */ -+#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 and 9 */ - #define SRR1_WAKESYSERR 0x00300000 /* System error */ - #define SRR1_WAKEEE 0x00200000 /* External interrupt */ -+#define SRR1_WAKEHVI 0x00240000 /* Hypervisor Virtualization Interrupt (P9) */ - #define SRR1_WAKEMT 0x00280000 /* mtctrl */ - #define SRR1_WAKEHMI 0x00280000 /* Hypervisor maintenance */ - #define SRR1_WAKEDEC 0x00180000 /* Decrementer interrupt */ -diff --git a/arch/powerpc/include/asm/xics.h b/arch/powerpc/include/asm/xics.h -index f0b2385..e0b9e57 100644 ---- a/arch/powerpc/include/asm/xics.h -+++ b/arch/powerpc/include/asm/xics.h -@@ -44,6 +44,7 @@ static inline int icp_hv_init(void) { return -ENODEV; } - - #ifdef CONFIG_PPC_POWERNV - extern int icp_opal_init(void); -+extern void icp_opal_flush_interrupt(void); - #else - static inline int icp_opal_init(void) { return -ENODEV; } - #endif -diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c -index 3493cf4..71697ff 100644 ---- a/arch/powerpc/mm/tlb-radix.c -+++ b/arch/powerpc/mm/tlb-radix.c -@@ -50,9 +50,7 @@ static inline void _tlbiel_pid(unsigned long pid, unsigned long ric) - for (set = 0; set < POWER9_TLB_SETS_RADIX ; set++) { - __tlbiel_pid(pid, set, ric); - } -- if (cpu_has_feature(CPU_FTR_POWER9_DD1)) -- asm volatile(PPC_INVALIDATE_ERAT : : :"memory"); -- return; -+ asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory"); - } - - static inline void _tlbie_pid(unsigned long pid, unsigned long ric) -@@ -85,8 +83,6 @@ static inline void _tlbiel_va(unsigned long va, unsigned long pid, - asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1) - : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); - asm volatile("ptesync": : :"memory"); -- if (cpu_has_feature(CPU_FTR_POWER9_DD1)) -- asm volatile(PPC_INVALIDATE_ERAT : : :"memory"); - } - - static inline void _tlbie_va(unsigned long va, unsigned long pid, -diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c -index c789258..eec0e8d 100644 ---- a/arch/powerpc/platforms/powernv/smp.c -+++ b/arch/powerpc/platforms/powernv/smp.c -@@ -155,8 +155,10 @@ static void pnv_smp_cpu_kill_self(void) - wmask = SRR1_WAKEMASK_P8; - - idle_states = pnv_get_supported_cpuidle_states(); -+ - /* We don't want to take decrementer interrupts while we are offline, -- * so clear LPCR:PECE1. We keep PECE2 enabled. -+ * so clear LPCR:PECE1. We keep PECE2 (and LPCR_PECE_HVEE on P9) -+ * enabled as to let IPIs in. - */ - mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) & ~(u64)LPCR_PECE1); - -@@ -206,8 +208,12 @@ static void pnv_smp_cpu_kill_self(void) - * contains 0. - */ - if (((srr1 & wmask) == SRR1_WAKEEE) || -+ ((srr1 & wmask) == SRR1_WAKEHVI) || - (local_paca->irq_happened & PACA_IRQ_EE)) { -- icp_native_flush_interrupt(); -+ if (cpu_has_feature(CPU_FTR_ARCH_300)) -+ icp_opal_flush_interrupt(); -+ else -+ icp_native_flush_interrupt(); - } else if ((srr1 & wmask) == SRR1_WAKEHDBELL) { - unsigned long msg = PPC_DBELL_TYPE(PPC_DBELL_SERVER); - asm volatile(PPC_MSGCLR(%0) : : "r" (msg)); -@@ -221,6 +227,8 @@ static void pnv_smp_cpu_kill_self(void) - if (srr1 && !generic_check_cpu_restart(cpu)) - DBG("CPU%d Unexpected exit while offline !\n", cpu); - } -+ -+ /* Re-enable decrementer interrupts */ - mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) | LPCR_PECE1); - DBG("CPU%d coming online...\n", cpu); - } -diff --git a/arch/powerpc/sysdev/xics/icp-opal.c b/arch/powerpc/sysdev/xics/icp-opal.c -index 60c5765..c96c0cb 100644 ---- a/arch/powerpc/sysdev/xics/icp-opal.c -+++ b/arch/powerpc/sysdev/xics/icp-opal.c -@@ -132,6 +132,35 @@ static irqreturn_t icp_opal_ipi_action(int irq, void *dev_id) - return smp_ipi_demux(); - } - -+/* -+ * Called when an interrupt is received on an off-line CPU to -+ * clear the interrupt, so that the CPU can go back to nap mode. -+ */ -+void icp_opal_flush_interrupt(void) -+{ -+ unsigned int xirr; -+ unsigned int vec; -+ -+ do { -+ xirr = icp_opal_get_xirr(); -+ vec = xirr & 0x00ffffff; -+ if (vec == XICS_IRQ_SPURIOUS) -+ break; -+ if (vec == XICS_IPI) { -+ /* Clear pending IPI */ -+ int cpu = smp_processor_id(); -+ kvmppc_set_host_ipi(cpu, 0); -+ opal_int_set_mfrr(get_hard_smp_processor_id(cpu), 0xff); -+ } else { -+ pr_err("XICS: hw interrupt 0x%x to offline cpu, " -+ "disabling\n", vec); -+ xics_mask_unknown_vec(vec); -+ } -+ -+ /* EOI the interrupt */ -+ } while (opal_int_eoi(xirr) > 0); -+} -+ - #endif /* CONFIG_SMP */ - - static const struct icp_ops icp_opal_ops = { -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 984a7bf..83db0ea 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -104,6 +104,7 @@ struct cpuinfo_x86 { - __u8 x86_phys_bits; - /* CPUID returned core id bits: */ - __u8 x86_coreid_bits; -+ __u8 cu_id; - /* Max extended CPUID function supported: */ - __u32 extended_cpuid_level; - /* Maximum supported CPUID level, -1=no CPUID: */ -diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c -index 7249f15..d1e2556 100644 ---- a/arch/x86/kernel/apic/io_apic.c -+++ b/arch/x86/kernel/apic/io_apic.c -@@ -1876,7 +1876,6 @@ static struct irq_chip ioapic_chip __read_mostly = { - .irq_ack = irq_chip_ack_parent, - .irq_eoi = ioapic_ack_level, - .irq_set_affinity = ioapic_set_affinity, -- .irq_retrigger = irq_chip_retrigger_hierarchy, - .flags = IRQCHIP_SKIP_SET_WAKE, - }; - -@@ -1888,7 +1887,6 @@ static struct irq_chip ioapic_ir_chip __read_mostly = { - .irq_ack = irq_chip_ack_parent, - .irq_eoi = ioapic_ir_ack_level, - .irq_set_affinity = ioapic_set_affinity, -- .irq_retrigger = irq_chip_retrigger_hierarchy, - .flags = IRQCHIP_SKIP_SET_WAKE, - }; - -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 1d31672..2b4cf04 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -309,8 +309,22 @@ static void amd_get_topology(struct cpuinfo_x86 *c) - - /* get information required for multi-node processors */ - if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { -+ u32 eax, ebx, ecx, edx; - -- node_id = cpuid_ecx(0x8000001e) & 7; -+ cpuid(0x8000001e, &eax, &ebx, &ecx, &edx); -+ -+ node_id = ecx & 0xff; -+ smp_num_siblings = ((ebx >> 8) & 0xff) + 1; -+ -+ if (c->x86 == 0x15) -+ c->cu_id = ebx & 0xff; -+ -+ if (c->x86 >= 0x17) { -+ c->cpu_core_id = ebx & 0xff; -+ -+ if (smp_num_siblings > 1) -+ c->x86_max_cores /= smp_num_siblings; -+ } - - /* - * We may have multiple LLCs if L3 caches exist, so check if we -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 023c7bf..4eece91 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -1015,6 +1015,7 @@ static void identify_cpu(struct cpuinfo_x86 *c) - c->x86_model_id[0] = '\0'; /* Unset */ - c->x86_max_cores = 1; - c->x86_coreid_bits = 0; -+ c->cu_id = 0xff; - #ifdef CONFIG_X86_64 - c->x86_clflush_size = 64; - c->x86_phys_bits = 36; -diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c -index e9bbe02..36171bc 100644 ---- a/arch/x86/kernel/smpboot.c -+++ b/arch/x86/kernel/smpboot.c -@@ -423,9 +423,15 @@ static bool match_smt(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o) - int cpu1 = c->cpu_index, cpu2 = o->cpu_index; - - if (c->phys_proc_id == o->phys_proc_id && -- per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2) && -- c->cpu_core_id == o->cpu_core_id) -- return topology_sane(c, o, "smt"); -+ per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2)) { -+ if (c->cpu_core_id == o->cpu_core_id) -+ return topology_sane(c, o, "smt"); -+ -+ if ((c->cu_id != 0xff) && -+ (o->cu_id != 0xff) && -+ (c->cu_id == o->cu_id)) -+ return topology_sane(c, o, "smt"); -+ } - - } else if (c->phys_proc_id == o->phys_proc_id && - c->cpu_core_id == o->cpu_core_id) { -diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c -index ea9c49a..8aa6bea 100644 ---- a/arch/x86/mm/dump_pagetables.c -+++ b/arch/x86/mm/dump_pagetables.c -@@ -15,6 +15,7 @@ - #include <linux/debugfs.h> - #include <linux/mm.h> - #include <linux/init.h> -+#include <linux/sched.h> - #include <linux/seq_file.h> - - #include <asm/pgtable.h> -@@ -406,6 +407,7 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd, - } else - note_page(m, &st, __pgprot(0), 1); - -+ cond_resched(); - start++; - } - -diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c -index e9c0993..e8817e2 100644 ---- a/crypto/algif_aead.c -+++ b/crypto/algif_aead.c -@@ -671,9 +671,9 @@ static int aead_recvmsg_sync(struct socket *sock, struct msghdr *msg, int flags) - unlock: - list_for_each_entry_safe(rsgl, tmp, &ctx->list, list) { - af_alg_free_sg(&rsgl->sgl); -+ list_del(&rsgl->list); - if (rsgl != &ctx->first_rsgl) - sock_kfree_s(sk, rsgl, sizeof(*rsgl)); -- list_del(&rsgl->list); - } - INIT_LIST_HEAD(&ctx->list); - aead_wmem_wakeup(sk); -diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c -index 312c4b4..6eb6733 100644 ---- a/drivers/acpi/nfit/core.c -+++ b/drivers/acpi/nfit/core.c -@@ -2704,6 +2704,7 @@ static int acpi_nfit_flush_probe(struct nvdimm_bus_descriptor *nd_desc) - struct acpi_nfit_desc *acpi_desc = to_acpi_nfit_desc(nd_desc); - struct device *dev = acpi_desc->dev; - struct acpi_nfit_flush_work flush; -+ int rc; - - /* bounce the device lock to flush acpi_nfit_add / acpi_nfit_notify */ - device_lock(dev); -@@ -2716,7 +2717,10 @@ static int acpi_nfit_flush_probe(struct nvdimm_bus_descriptor *nd_desc) - INIT_WORK_ONSTACK(&flush.work, flush_probe); - COMPLETION_INITIALIZER_ONSTACK(flush.cmp); - queue_work(nfit_wq, &flush.work); -- return wait_for_completion_interruptible(&flush.cmp); -+ -+ rc = wait_for_completion_interruptible(&flush.cmp); -+ cancel_work_sync(&flush.work); -+ return rc; - } - - static int acpi_nfit_clear_to_send(struct nvdimm_bus_descriptor *nd_desc, -diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index 4737520..80fa656 100644 ---- a/drivers/cpufreq/intel_pstate.c -+++ b/drivers/cpufreq/intel_pstate.c -@@ -820,6 +820,25 @@ static void intel_pstate_hwp_enable(struct cpudata *cpudata) - wrmsrl_on_cpu(cpudata->cpu, MSR_PM_ENABLE, 0x1); - } - -+#define MSR_IA32_POWER_CTL_BIT_EE 19 -+ -+/* Disable energy efficiency optimization */ -+static void intel_pstate_disable_ee(int cpu) -+{ -+ u64 power_ctl; -+ int ret; -+ -+ ret = rdmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, &power_ctl); -+ if (ret) -+ return; -+ -+ if (!(power_ctl & BIT(MSR_IA32_POWER_CTL_BIT_EE))) { -+ pr_info("Disabling energy efficiency optimization\n"); -+ power_ctl |= BIT(MSR_IA32_POWER_CTL_BIT_EE); -+ wrmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, power_ctl); -+ } -+} -+ - static int atom_get_min_pstate(void) - { - u64 value; -@@ -1420,6 +1439,11 @@ static const struct x86_cpu_id intel_pstate_cpu_oob_ids[] __initconst = { - {} - }; - -+static const struct x86_cpu_id intel_pstate_cpu_ee_disable_ids[] = { -+ ICPU(INTEL_FAM6_KABYLAKE_DESKTOP, core_params), -+ {} -+}; -+ - static int intel_pstate_init_cpu(unsigned int cpunum) - { - struct cpudata *cpu; -@@ -1435,6 +1459,12 @@ static int intel_pstate_init_cpu(unsigned int cpunum) - cpu->cpu = cpunum; - - if (hwp_active) { -+ const struct x86_cpu_id *id; -+ -+ id = x86_match_cpu(intel_pstate_cpu_ee_disable_ids); -+ if (id) -+ intel_pstate_disable_ee(cpunum); -+ - intel_pstate_hwp_enable(cpu); - pid_params.sample_rate_ms = 50; - pid_params.sample_rate_ns = 50 * NSEC_PER_MSEC; -diff --git a/drivers/crypto/ccp/ccp-dev-v5.c b/drivers/crypto/ccp/ccp-dev-v5.c -index faf3cb3..a388bf2 100644 ---- a/drivers/crypto/ccp/ccp-dev-v5.c -+++ b/drivers/crypto/ccp/ccp-dev-v5.c -@@ -955,7 +955,7 @@ static irqreturn_t ccp5_irq_handler(int irq, void *data) - static void ccp5_config(struct ccp_device *ccp) - { - /* Public side */ -- iowrite32(0x00001249, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET); -+ iowrite32(0x0, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET); - } - - static void ccp5other_config(struct ccp_device *ccp) -diff --git a/drivers/crypto/ccp/ccp-dev.h b/drivers/crypto/ccp/ccp-dev.h -index da5f4a6..340aef1 100644 ---- a/drivers/crypto/ccp/ccp-dev.h -+++ b/drivers/crypto/ccp/ccp-dev.h -@@ -238,6 +238,7 @@ struct ccp_dma_chan { - struct ccp_device *ccp; - - spinlock_t lock; -+ struct list_head created; - struct list_head pending; - struct list_head active; - struct list_head complete; -diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c -index 6553912..e5d9278 100644 ---- a/drivers/crypto/ccp/ccp-dmaengine.c -+++ b/drivers/crypto/ccp/ccp-dmaengine.c -@@ -63,6 +63,7 @@ static void ccp_free_chan_resources(struct dma_chan *dma_chan) - ccp_free_desc_resources(chan->ccp, &chan->complete); - ccp_free_desc_resources(chan->ccp, &chan->active); - ccp_free_desc_resources(chan->ccp, &chan->pending); -+ ccp_free_desc_resources(chan->ccp, &chan->created); - - spin_unlock_irqrestore(&chan->lock, flags); - } -@@ -273,6 +274,7 @@ static dma_cookie_t ccp_tx_submit(struct dma_async_tx_descriptor *tx_desc) - spin_lock_irqsave(&chan->lock, flags); - - cookie = dma_cookie_assign(tx_desc); -+ list_del(&desc->entry); - list_add_tail(&desc->entry, &chan->pending); - - spin_unlock_irqrestore(&chan->lock, flags); -@@ -426,7 +428,7 @@ static struct ccp_dma_desc *ccp_create_desc(struct dma_chan *dma_chan, - - spin_lock_irqsave(&chan->lock, sflags); - -- list_add_tail(&desc->entry, &chan->pending); -+ list_add_tail(&desc->entry, &chan->created); - - spin_unlock_irqrestore(&chan->lock, sflags); - -@@ -610,6 +612,7 @@ static int ccp_terminate_all(struct dma_chan *dma_chan) - /*TODO: Purge the complete list? */ - ccp_free_desc_resources(chan->ccp, &chan->active); - ccp_free_desc_resources(chan->ccp, &chan->pending); -+ ccp_free_desc_resources(chan->ccp, &chan->created); - - spin_unlock_irqrestore(&chan->lock, flags); - -@@ -679,6 +682,7 @@ int ccp_dmaengine_register(struct ccp_device *ccp) - chan->ccp = ccp; - - spin_lock_init(&chan->lock); -+ INIT_LIST_HEAD(&chan->created); - INIT_LIST_HEAD(&chan->pending); - INIT_LIST_HEAD(&chan->active); - INIT_LIST_HEAD(&chan->complete); -diff --git a/drivers/crypto/chelsio/chcr_core.c b/drivers/crypto/chelsio/chcr_core.c -index fb5f9bb..6aece3f 100644 ---- a/drivers/crypto/chelsio/chcr_core.c -+++ b/drivers/crypto/chelsio/chcr_core.c -@@ -51,6 +51,7 @@ static struct cxgb4_uld_info chcr_uld_info = { - int assign_chcr_device(struct chcr_dev **dev) - { - struct uld_ctx *u_ctx; -+ int ret = -ENXIO; - - /* - * Which device to use if multiple devices are available TODO -@@ -58,15 +59,14 @@ int assign_chcr_device(struct chcr_dev **dev) - * must go to the same device to maintain the ordering. - */ - mutex_lock(&dev_mutex); /* TODO ? */ -- u_ctx = list_first_entry(&uld_ctx_list, struct uld_ctx, entry); -- if (!u_ctx) { -- mutex_unlock(&dev_mutex); -- return -ENXIO; -+ list_for_each_entry(u_ctx, &uld_ctx_list, entry) -+ if (u_ctx && u_ctx->dev) { -+ *dev = u_ctx->dev; -+ ret = 0; -+ break; - } -- -- *dev = u_ctx->dev; - mutex_unlock(&dev_mutex); -- return 0; -+ return ret; - } - - static int chcr_dev_add(struct uld_ctx *u_ctx) -@@ -203,10 +203,8 @@ static int chcr_uld_state_change(void *handle, enum cxgb4_state state) - - static int __init chcr_crypto_init(void) - { -- if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) { -+ if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) - pr_err("ULD register fail: No chcr crypto support in cxgb4"); -- return -1; -- } - - return 0; - } -diff --git a/drivers/crypto/qat/qat_c62x/adf_drv.c b/drivers/crypto/qat/qat_c62x/adf_drv.c -index bc5cbc1..5b2d78a 100644 ---- a/drivers/crypto/qat/qat_c62x/adf_drv.c -+++ b/drivers/crypto/qat/qat_c62x/adf_drv.c -@@ -233,7 +233,7 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - &hw_data->accel_capabilities_mask); - - /* Find and map all the device's BARS */ -- i = 0; -+ i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0; - bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); - for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, - ADF_PCI_MAX_BARS * 2) { -diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h -index e882253..33f0a62 100644 ---- a/drivers/crypto/qat/qat_common/adf_accel_devices.h -+++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h -@@ -69,6 +69,7 @@ - #define ADF_ERRSOU5 (0x3A000 + 0xD8) - #define ADF_DEVICE_FUSECTL_OFFSET 0x40 - #define ADF_DEVICE_LEGFUSE_OFFSET 0x4C -+#define ADF_DEVICE_FUSECTL_MASK 0x80000000 - #define ADF_PCI_MAX_BARS 3 - #define ADF_DEVICE_NAME_LENGTH 32 - #define ADF_ETR_MAX_RINGS_PER_BANK 16 -diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c -index 1e480f1..8c4fd25 100644 ---- a/drivers/crypto/qat/qat_common/qat_hal.c -+++ b/drivers/crypto/qat/qat_common/qat_hal.c -@@ -456,7 +456,7 @@ static int qat_hal_init_esram(struct icp_qat_fw_loader_handle *handle) - unsigned int csr_val; - int times = 30; - -- if (handle->pci_dev->device == ADF_C3XXX_PCI_DEVICE_ID) -+ if (handle->pci_dev->device != ADF_DH895XCC_PCI_DEVICE_ID) - return 0; - - csr_val = ADF_CSR_RD(csr_addr, 0); -@@ -716,7 +716,7 @@ int qat_hal_init(struct adf_accel_dev *accel_dev) - (void __iomem *)((uintptr_t)handle->hal_cap_ae_xfer_csr_addr_v + - LOCAL_TO_XFER_REG_OFFSET); - handle->pci_dev = pci_info->pci_dev; -- if (handle->pci_dev->device != ADF_C3XXX_PCI_DEVICE_ID) { -+ if (handle->pci_dev->device == ADF_DH895XCC_PCI_DEVICE_ID) { - sram_bar = - &pci_info->pci_bars[hw_data->get_sram_bar_id(hw_data)]; - handle->hal_sram_addr_v = sram_bar->virt_addr; -diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c -index e6862a7..4e19bde 100644 ---- a/drivers/gpu/drm/drm_atomic.c -+++ b/drivers/gpu/drm/drm_atomic.c -@@ -1759,16 +1759,16 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, - - if (ret && arg->flags & DRM_MODE_PAGE_FLIP_EVENT) { - /* -- * TEST_ONLY and PAGE_FLIP_EVENT are mutually exclusive, -- * if they weren't, this code should be called on success -- * for TEST_ONLY too. -+ * Free the allocated event. drm_atomic_helper_setup_commit -+ * can allocate an event too, so only free it if it's ours -+ * to prevent a double free in drm_atomic_state_clear. - */ -- - for_each_crtc_in_state(state, crtc, crtc_state, i) { -- if (!crtc_state->event) -- continue; -- -- drm_event_cancel_free(dev, &crtc_state->event->base); -+ struct drm_pending_vblank_event *event = crtc_state->event; -+ if (event && (event->base.fence || event->base.file_priv)) { -+ drm_event_cancel_free(dev, &event->base); -+ crtc_state->event = NULL; -+ } - } - } - -diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index a218c2e..0c400f8 100644 ---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c -+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -1215,14 +1215,14 @@ validate_exec_list(struct drm_device *dev, - if (exec[i].offset != - gen8_canonical_addr(exec[i].offset & PAGE_MASK)) - return -EINVAL; -- -- /* From drm_mm perspective address space is continuous, -- * so from this point we're always using non-canonical -- * form internally. -- */ -- exec[i].offset = gen8_noncanonical_addr(exec[i].offset); - } - -+ /* From drm_mm perspective address space is continuous, -+ * so from this point we're always using non-canonical -+ * form internally. -+ */ -+ exec[i].offset = gen8_noncanonical_addr(exec[i].offset); -+ - if (exec[i].alignment && !is_power_of_2(exec[i].alignment)) - return -EINVAL; - -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 8079e5b..b9be8a6 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -4280,10 +4280,10 @@ static void page_flip_completed(struct intel_crtc *intel_crtc) - drm_crtc_vblank_put(&intel_crtc->base); - - wake_up_all(&dev_priv->pending_flip_queue); -- queue_work(dev_priv->wq, &work->unpin_work); -- - trace_i915_flip_complete(intel_crtc->plane, - work->pending_flip_obj); -+ -+ queue_work(dev_priv->wq, &work->unpin_work); - } - - static int intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc) -diff --git a/drivers/gpu/drm/i915/intel_dpll_mgr.c b/drivers/gpu/drm/i915/intel_dpll_mgr.c -index 1c59ca5..cae27c5 100644 ---- a/drivers/gpu/drm/i915/intel_dpll_mgr.c -+++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c -@@ -1723,7 +1723,8 @@ bxt_get_dpll(struct intel_crtc *crtc, - return NULL; - - if ((encoder->type == INTEL_OUTPUT_DP || -- encoder->type == INTEL_OUTPUT_EDP) && -+ encoder->type == INTEL_OUTPUT_EDP || -+ encoder->type == INTEL_OUTPUT_DP_MST) && - !bxt_ddi_dp_set_dpll_hw_state(clock, &dpll_hw_state)) - return NULL; - -diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c -index 16f91c8..5fb4c6d 100644 ---- a/drivers/hv/channel.c -+++ b/drivers/hv/channel.c -@@ -39,7 +39,7 @@ - * vmbus_setevent- Trigger an event notification on the specified - * channel. - */ --static void vmbus_setevent(struct vmbus_channel *channel) -+void vmbus_setevent(struct vmbus_channel *channel) - { - struct hv_monitor_page *monitorpage; - -@@ -65,6 +65,7 @@ static void vmbus_setevent(struct vmbus_channel *channel) - vmbus_set_event(channel); - } - } -+EXPORT_SYMBOL_GPL(vmbus_setevent); - - /* - * vmbus_open - Open the specified channel. -@@ -635,8 +636,6 @@ int vmbus_sendpacket_ctl(struct vmbus_channel *channel, void *buffer, - u32 packetlen_aligned = ALIGN(packetlen, sizeof(u64)); - struct kvec bufferlist[3]; - u64 aligned_data = 0; -- int ret; -- bool signal = false; - bool lock = channel->acquire_ring_lock; - int num_vecs = ((bufferlen != 0) ? 3 : 1); - -@@ -656,33 +655,9 @@ int vmbus_sendpacket_ctl(struct vmbus_channel *channel, void *buffer, - bufferlist[2].iov_base = &aligned_data; - bufferlist[2].iov_len = (packetlen_aligned - packetlen); - -- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, num_vecs, -- &signal, lock, channel->signal_policy); -- -- /* -- * Signalling the host is conditional on many factors: -- * 1. The ring state changed from being empty to non-empty. -- * This is tracked by the variable "signal". -- * 2. The variable kick_q tracks if more data will be placed -- * on the ring. We will not signal if more data is -- * to be placed. -- * -- * Based on the channel signal state, we will decide -- * which signaling policy will be applied. -- * -- * If we cannot write to the ring-buffer; signal the host -- * even if we may not have written anything. This is a rare -- * enough condition that it should not matter. -- * NOTE: in this case, the hvsock channel is an exception, because -- * it looks the host side's hvsock implementation has a throttling -- * mechanism which can hurt the performance otherwise. -- */ -- -- if (((ret == 0) && kick_q && signal) || -- (ret && !is_hvsock_channel(channel))) -- vmbus_setevent(channel); -+ return hv_ringbuffer_write(channel, bufferlist, num_vecs, -+ lock, kick_q); - -- return ret; - } - EXPORT_SYMBOL(vmbus_sendpacket_ctl); - -@@ -723,7 +698,6 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel, - u32 flags, - bool kick_q) - { -- int ret; - int i; - struct vmbus_channel_packet_page_buffer desc; - u32 descsize; -@@ -731,7 +705,6 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel, - u32 packetlen_aligned; - struct kvec bufferlist[3]; - u64 aligned_data = 0; -- bool signal = false; - bool lock = channel->acquire_ring_lock; - - if (pagecount > MAX_PAGE_BUFFER_COUNT) -@@ -769,29 +742,8 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel, - bufferlist[2].iov_base = &aligned_data; - bufferlist[2].iov_len = (packetlen_aligned - packetlen); - -- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3, -- &signal, lock, channel->signal_policy); -- -- /* -- * Signalling the host is conditional on many factors: -- * 1. The ring state changed from being empty to non-empty. -- * This is tracked by the variable "signal". -- * 2. The variable kick_q tracks if more data will be placed -- * on the ring. We will not signal if more data is -- * to be placed. -- * -- * Based on the channel signal state, we will decide -- * which signaling policy will be applied. -- * -- * If we cannot write to the ring-buffer; signal the host -- * even if we may not have written anything. This is a rare -- * enough condition that it should not matter. -- */ -- -- if (((ret == 0) && kick_q && signal) || (ret)) -- vmbus_setevent(channel); -- -- return ret; -+ return hv_ringbuffer_write(channel, bufferlist, 3, -+ lock, kick_q); - } - EXPORT_SYMBOL_GPL(vmbus_sendpacket_pagebuffer_ctl); - -@@ -822,12 +774,10 @@ int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel, - u32 desc_size, - void *buffer, u32 bufferlen, u64 requestid) - { -- int ret; - u32 packetlen; - u32 packetlen_aligned; - struct kvec bufferlist[3]; - u64 aligned_data = 0; -- bool signal = false; - bool lock = channel->acquire_ring_lock; - - packetlen = desc_size + bufferlen; -@@ -848,13 +798,8 @@ int vmbus_sendpacket_mpb_desc(struct vmbus_channel *channel, - bufferlist[2].iov_base = &aligned_data; - bufferlist[2].iov_len = (packetlen_aligned - packetlen); - -- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3, -- &signal, lock, channel->signal_policy); -- -- if (ret == 0 && signal) -- vmbus_setevent(channel); -- -- return ret; -+ return hv_ringbuffer_write(channel, bufferlist, 3, -+ lock, true); - } - EXPORT_SYMBOL_GPL(vmbus_sendpacket_mpb_desc); - -@@ -866,14 +811,12 @@ int vmbus_sendpacket_multipagebuffer(struct vmbus_channel *channel, - struct hv_multipage_buffer *multi_pagebuffer, - void *buffer, u32 bufferlen, u64 requestid) - { -- int ret; - struct vmbus_channel_packet_multipage_buffer desc; - u32 descsize; - u32 packetlen; - u32 packetlen_aligned; - struct kvec bufferlist[3]; - u64 aligned_data = 0; -- bool signal = false; - bool lock = channel->acquire_ring_lock; - u32 pfncount = NUM_PAGES_SPANNED(multi_pagebuffer->offset, - multi_pagebuffer->len); -@@ -913,13 +856,8 @@ int vmbus_sendpacket_multipagebuffer(struct vmbus_channel *channel, - bufferlist[2].iov_base = &aligned_data; - bufferlist[2].iov_len = (packetlen_aligned - packetlen); - -- ret = hv_ringbuffer_write(&channel->outbound, bufferlist, 3, -- &signal, lock, channel->signal_policy); -- -- if (ret == 0 && signal) -- vmbus_setevent(channel); -- -- return ret; -+ return hv_ringbuffer_write(channel, bufferlist, 3, -+ lock, true); - } - EXPORT_SYMBOL_GPL(vmbus_sendpacket_multipagebuffer); - -@@ -941,16 +879,9 @@ __vmbus_recvpacket(struct vmbus_channel *channel, void *buffer, - u32 bufferlen, u32 *buffer_actual_len, u64 *requestid, - bool raw) - { -- int ret; -- bool signal = false; -+ return hv_ringbuffer_read(channel, buffer, bufferlen, -+ buffer_actual_len, requestid, raw); - -- ret = hv_ringbuffer_read(&channel->inbound, buffer, bufferlen, -- buffer_actual_len, requestid, &signal, raw); -- -- if (signal) -- vmbus_setevent(channel); -- -- return ret; - } - - int vmbus_recvpacket(struct vmbus_channel *channel, void *buffer, -diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c -index 1bc1d479..caf3418 100644 ---- a/drivers/hv/channel_mgmt.c -+++ b/drivers/hv/channel_mgmt.c -@@ -449,8 +449,6 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) - } - - dev_type = hv_get_dev_type(newchannel); -- if (dev_type == HV_NIC) -- set_channel_signal_state(newchannel, HV_SIGNAL_POLICY_EXPLICIT); - - init_vp_index(newchannel, dev_type); - -diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h -index a5b4442..2b13f2a 100644 ---- a/drivers/hv/hyperv_vmbus.h -+++ b/drivers/hv/hyperv_vmbus.h -@@ -527,14 +527,14 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info, - - void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info); - --int hv_ringbuffer_write(struct hv_ring_buffer_info *ring_info, -+int hv_ringbuffer_write(struct vmbus_channel *channel, - struct kvec *kv_list, -- u32 kv_count, bool *signal, bool lock, -- enum hv_signal_policy policy); -+ u32 kv_count, bool lock, -+ bool kick_q); - --int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, -+int hv_ringbuffer_read(struct vmbus_channel *channel, - void *buffer, u32 buflen, u32 *buffer_actual_len, -- u64 *requestid, bool *signal, bool raw); -+ u64 *requestid, bool raw); - - void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info, - struct hv_ring_buffer_debug_info *debug_info); -diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c -index 08043da..308dbda 100644 ---- a/drivers/hv/ring_buffer.c -+++ b/drivers/hv/ring_buffer.c -@@ -66,21 +66,25 @@ u32 hv_end_read(struct hv_ring_buffer_info *rbi) - * once the ring buffer is empty, it will clear the - * interrupt_mask and re-check to see if new data has - * arrived. -+ * -+ * KYS: Oct. 30, 2016: -+ * It looks like Windows hosts have logic to deal with DOS attacks that -+ * can be triggered if it receives interrupts when it is not expecting -+ * the interrupt. The host expects interrupts only when the ring -+ * transitions from empty to non-empty (or full to non full on the guest -+ * to host ring). -+ * So, base the signaling decision solely on the ring state until the -+ * host logic is fixed. - */ - --static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi, -- enum hv_signal_policy policy) -+static void hv_signal_on_write(u32 old_write, struct vmbus_channel *channel, -+ bool kick_q) - { -+ struct hv_ring_buffer_info *rbi = &channel->outbound; -+ - virt_mb(); - if (READ_ONCE(rbi->ring_buffer->interrupt_mask)) -- return false; -- -- /* -- * When the client wants to control signaling, -- * we only honour the host interrupt mask. -- */ -- if (policy == HV_SIGNAL_POLICY_EXPLICIT) -- return true; -+ return; - - /* check interrupt_mask before read_index */ - virt_rmb(); -@@ -89,9 +93,9 @@ static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi, - * ring transitions from being empty to non-empty. - */ - if (old_write == READ_ONCE(rbi->ring_buffer->read_index)) -- return true; -+ vmbus_setevent(channel); - -- return false; -+ return; - } - - /* Get the next write location for the specified ring buffer. */ -@@ -280,9 +284,9 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info) - } - - /* Write to the ring buffer. */ --int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info, -- struct kvec *kv_list, u32 kv_count, bool *signal, bool lock, -- enum hv_signal_policy policy) -+int hv_ringbuffer_write(struct vmbus_channel *channel, -+ struct kvec *kv_list, u32 kv_count, bool lock, -+ bool kick_q) - { - int i = 0; - u32 bytes_avail_towrite; -@@ -292,6 +296,7 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info, - u32 old_write; - u64 prev_indices = 0; - unsigned long flags = 0; -+ struct hv_ring_buffer_info *outring_info = &channel->outbound; - - for (i = 0; i < kv_count; i++) - totalbytes_towrite += kv_list[i].iov_len; -@@ -344,13 +349,13 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info, - if (lock) - spin_unlock_irqrestore(&outring_info->ring_lock, flags); - -- *signal = hv_need_to_signal(old_write, outring_info, policy); -+ hv_signal_on_write(old_write, channel, kick_q); - return 0; - } - --int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, -+int hv_ringbuffer_read(struct vmbus_channel *channel, - void *buffer, u32 buflen, u32 *buffer_actual_len, -- u64 *requestid, bool *signal, bool raw) -+ u64 *requestid, bool raw) - { - u32 bytes_avail_toread; - u32 next_read_location = 0; -@@ -359,6 +364,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, - u32 offset; - u32 packetlen; - int ret = 0; -+ struct hv_ring_buffer_info *inring_info = &channel->inbound; - - if (buflen <= 0) - return -EINVAL; -@@ -377,6 +383,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, - return ret; - } - -+ init_cached_read_index(channel); - next_read_location = hv_get_next_read_location(inring_info); - next_read_location = hv_copyfrom_ringbuffer(inring_info, &desc, - sizeof(desc), -@@ -416,7 +423,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, - /* Update the read index */ - hv_set_next_read_location(inring_info, next_read_location); - -- *signal = hv_need_to_signal_on_read(inring_info); -+ hv_signal_on_read(channel); - - return ret; - } -diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c -index 1869152..9b732c5 100644 ---- a/drivers/infiniband/sw/rxe/rxe_mr.c -+++ b/drivers/infiniband/sw/rxe/rxe_mr.c -@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length) - - case RXE_MEM_TYPE_MR: - case RXE_MEM_TYPE_FMR: -- return ((iova < mem->iova) || -- ((iova + length) > (mem->iova + mem->length))) ? -- -EFAULT : 0; -+ if (iova < mem->iova || -+ length > mem->length || -+ iova > mem->iova + mem->length - length) -+ return -EFAULT; -+ return 0; - - default: - return -EFAULT; -diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c -index dd3d88a..ccf6247 100644 ---- a/drivers/infiniband/sw/rxe/rxe_resp.c -+++ b/drivers/infiniband/sw/rxe/rxe_resp.c -@@ -472,7 +472,7 @@ static enum resp_states check_rkey(struct rxe_qp *qp, - goto err2; - } - -- resid = mtu; -+ qp->resp.resid = mtu; - } else { - if (pktlen != resid) { - state = RESPST_ERR_LENGTH; -diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 92595b9..022be0e 100644 ---- a/drivers/input/misc/uinput.c -+++ b/drivers/input/misc/uinput.c -@@ -263,13 +263,21 @@ static int uinput_create_device(struct uinput_device *udev) - return -EINVAL; - } - -- if (test_bit(ABS_MT_SLOT, dev->absbit)) { -- nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; -- error = input_mt_init_slots(dev, nslot, 0); -- if (error) -+ if (test_bit(EV_ABS, dev->evbit)) { -+ input_alloc_absinfo(dev); -+ if (!dev->absinfo) { -+ error = -EINVAL; - goto fail1; -- } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { -- input_set_events_per_packet(dev, 60); -+ } -+ -+ if (test_bit(ABS_MT_SLOT, dev->absbit)) { -+ nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; -+ error = input_mt_init_slots(dev, nslot, 0); -+ if (error) -+ goto fail1; -+ } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { -+ input_set_events_per_packet(dev, 60); -+ } - } - - if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { -diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c -index 31a89c8..2c96542 100644 ---- a/drivers/md/dm-rq.c -+++ b/drivers/md/dm-rq.c -@@ -804,6 +804,10 @@ static void dm_old_request_fn(struct request_queue *q) - int srcu_idx; - struct dm_table *map = dm_get_live_table(md, &srcu_idx); - -+ if (unlikely(!map)) { -+ dm_put_live_table(md, srcu_idx); -+ return; -+ } - ti = dm_table_find_target(map, pos); - dm_put_live_table(md, srcu_idx); - } -diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h -index 878950a..2cf8b1d 100644 ---- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h -+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h -@@ -1007,9 +1007,7 @@ - - static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value) - { -- u8 __iomem *reg_addr = ACCESS_ONCE(base); -- -- writel(value, reg_addr + reg); -+ writel(value, base + reg); - } - - #define dsaf_write_dev(a, reg, value) \ -@@ -1017,9 +1015,7 @@ static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value) - - static inline u32 dsaf_read_reg(u8 __iomem *base, u32 reg) - { -- u8 __iomem *reg_addr = ACCESS_ONCE(base); -- -- return readl(reg_addr + reg); -+ return readl(base + reg); - } - - static inline void dsaf_write_syscon(struct regmap *base, u32 reg, u32 value) -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -index 27ff401..51c6a57 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -@@ -991,6 +991,7 @@ static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir, - { - struct mlx5e_priv *priv = netdev_priv(dev); - int inlen = MLX5_ST_SZ_BYTES(modify_tir_in); -+ bool hash_changed = false; - void *in; - - if ((hfunc != ETH_RSS_HASH_NO_CHANGE) && -@@ -1012,14 +1013,21 @@ static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir, - mlx5e_redirect_rqt(priv, rqtn, MLX5E_INDIR_RQT_SIZE, 0); - } - -- if (key) -+ if (hfunc != ETH_RSS_HASH_NO_CHANGE && -+ hfunc != priv->params.rss_hfunc) { -+ priv->params.rss_hfunc = hfunc; -+ hash_changed = true; -+ } -+ -+ if (key) { - memcpy(priv->params.toeplitz_hash_key, key, - sizeof(priv->params.toeplitz_hash_key)); -+ hash_changed = hash_changed || -+ priv->params.rss_hfunc == ETH_RSS_HASH_TOP; -+ } - -- if (hfunc != ETH_RSS_HASH_NO_CHANGE) -- priv->params.rss_hfunc = hfunc; -- -- mlx5e_modify_tirs_hash(priv, in, inlen); -+ if (hash_changed) -+ mlx5e_modify_tirs_hash(priv, in, inlen); - - mutex_unlock(&priv->state_lock); - -diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c -index 720b5fa..c2ac39a 100644 ---- a/drivers/net/hyperv/netvsc.c -+++ b/drivers/net/hyperv/netvsc.c -@@ -1288,6 +1288,9 @@ void netvsc_channel_cb(void *context) - ndev = hv_get_drvdata(device); - buffer = get_per_channel_state(channel); - -+ /* commit_rd_index() -> hv_signal_on_read() needs this. */ -+ init_cached_read_index(channel); -+ - do { - desc = get_next_pkt_raw(channel); - if (desc != NULL) { -@@ -1340,6 +1343,9 @@ void netvsc_channel_cb(void *context) - - bufferlen = bytes_recvd; - } -+ -+ init_cached_read_index(channel); -+ - } while (1); - - if (bufferlen > NETVSC_PACKET_SIZE) -diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c -index 8b6e37c..20bfb37 100644 ---- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c -+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c -@@ -96,7 +96,7 @@ int rtl92c_init_sw_vars(struct ieee80211_hw *hw) - struct rtl_priv *rtlpriv = rtl_priv(hw); - struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); - struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); -- char *fw_name = "rtlwifi/rtl8192cfwU.bin"; -+ char *fw_name; - - rtl8192ce_bt_reg_init(hw); - -@@ -168,8 +168,13 @@ int rtl92c_init_sw_vars(struct ieee80211_hw *hw) - } - - /* request fw */ -- if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version)) -+ if (IS_VENDOR_UMC_A_CUT(rtlhal->version) && -+ !IS_92C_SERIAL(rtlhal->version)) -+ fw_name = "rtlwifi/rtl8192cfwU.bin"; -+ else if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version)) - fw_name = "rtlwifi/rtl8192cfwU_B.bin"; -+ else -+ fw_name = "rtlwifi/rtl8192cfw.bin"; - - rtlpriv->max_fw_size = 0x4000; - pr_info("Using firmware %s\n", fw_name); -diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c -index bf2744e..0cdcb21 100644 ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -1397,6 +1397,8 @@ static void xennet_disconnect_backend(struct netfront_info *info) - for (i = 0; i < num_queues && info->queues; ++i) { - struct netfront_queue *queue = &info->queues[i]; - -+ del_timer_sync(&queue->rx_refill_timer); -+ - if (queue->tx_irq && (queue->tx_irq == queue->rx_irq)) - unbind_from_irqhandler(queue->tx_irq, queue); - if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) { -@@ -1751,7 +1753,6 @@ static void xennet_destroy_queues(struct netfront_info *info) - - if (netif_running(info->netdev)) - napi_disable(&queue->napi); -- del_timer_sync(&queue->rx_refill_timer); - netif_napi_del(&queue->napi); - } - -diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c -index 1480734..aefca64 100644 ---- a/drivers/nvdimm/namespace_devs.c -+++ b/drivers/nvdimm/namespace_devs.c -@@ -962,8 +962,8 @@ static ssize_t __size_store(struct device *dev, unsigned long long val) - struct nvdimm_drvdata *ndd; - struct nd_label_id label_id; - u32 flags = 0, remainder; -+ int rc, i, id = -1; - u8 *uuid = NULL; -- int rc, i; - - if (dev->driver || ndns->claim) - return -EBUSY; -@@ -972,11 +972,13 @@ static ssize_t __size_store(struct device *dev, unsigned long long val) - struct nd_namespace_pmem *nspm = to_nd_namespace_pmem(dev); - - uuid = nspm->uuid; -+ id = nspm->id; - } else if (is_namespace_blk(dev)) { - struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev); - - uuid = nsblk->uuid; - flags = NSLABEL_FLAG_LOCAL; -+ id = nsblk->id; - } - - /* -@@ -1039,10 +1041,11 @@ static ssize_t __size_store(struct device *dev, unsigned long long val) - - /* - * Try to delete the namespace if we deleted all of its -- * allocation, this is not the seed device for the region, and -- * it is not actively claimed by a btt instance. -+ * allocation, this is not the seed or 0th device for the -+ * region, and it is not actively claimed by a btt, pfn, or dax -+ * instance. - */ -- if (val == 0 && nd_region->ns_seed != dev && !ndns->claim) -+ if (val == 0 && id != 0 && nd_region->ns_seed != dev && !ndns->claim) - nd_device_unregister(dev, ND_ASYNC); - - return rc; -diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c -index a2ac9e6..6c033c9 100644 ---- a/drivers/nvdimm/pfn_devs.c -+++ b/drivers/nvdimm/pfn_devs.c -@@ -627,15 +627,12 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn) - size = resource_size(&nsio->res); - npfns = (size - start_pad - end_trunc - SZ_8K) / SZ_4K; - if (nd_pfn->mode == PFN_MODE_PMEM) { -- unsigned long memmap_size; -- - /* - * vmemmap_populate_hugepages() allocates the memmap array in - * HPAGE_SIZE chunks. - */ -- memmap_size = ALIGN(64 * npfns, HPAGE_SIZE); -- offset = ALIGN(start + SZ_8K + memmap_size + dax_label_reserve, -- nd_pfn->align) - start; -+ offset = ALIGN(start + SZ_8K + 64 * npfns + dax_label_reserve, -+ max(nd_pfn->align, HPAGE_SIZE)) - start; - } else if (nd_pfn->mode == PFN_MODE_RAM) - offset = ALIGN(start + SZ_8K + dax_label_reserve, - nd_pfn->align) - start; -diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c -index 75f820ca..27ff38f 100644 ---- a/drivers/s390/scsi/zfcp_fsf.c -+++ b/drivers/s390/scsi/zfcp_fsf.c -@@ -1583,7 +1583,7 @@ static void zfcp_fsf_open_wka_port_handler(struct zfcp_fsf_req *req) - int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port) - { - struct zfcp_qdio *qdio = wka_port->adapter->qdio; -- struct zfcp_fsf_req *req = NULL; -+ struct zfcp_fsf_req *req; - int retval = -EIO; - - spin_lock_irq(&qdio->req_q_lock); -@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port) - zfcp_fsf_req_free(req); - out: - spin_unlock_irq(&qdio->req_q_lock); -- if (req && !IS_ERR(req)) -+ if (!retval) - zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id); - return retval; - } -@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_handler(struct zfcp_fsf_req *req) - int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port) - { - struct zfcp_qdio *qdio = wka_port->adapter->qdio; -- struct zfcp_fsf_req *req = NULL; -+ struct zfcp_fsf_req *req; - int retval = -EIO; - - spin_lock_irq(&qdio->req_q_lock); -@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port) - zfcp_fsf_req_free(req); - out: - spin_unlock_irq(&qdio->req_q_lock); -- if (req && !IS_ERR(req)) -+ if (!retval) - zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id); - return retval; - } -diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c -index 341ea32..792d3e7 100644 ---- a/drivers/scsi/aacraid/comminit.c -+++ b/drivers/scsi/aacraid/comminit.c -@@ -50,9 +50,13 @@ struct aac_common aac_config = { - - static inline int aac_is_msix_mode(struct aac_dev *dev) - { -- u32 status; -+ u32 status = 0; - -- status = src_readl(dev, MUnit.OMR); -+ if (dev->pdev->device == PMC_DEVICE_S6 || -+ dev->pdev->device == PMC_DEVICE_S7 || -+ dev->pdev->device == PMC_DEVICE_S8) { -+ status = src_readl(dev, MUnit.OMR); -+ } - return (status & AAC_INT_MODE_MSIX); - } - -diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c -index e3b911c..91dfd58 100644 ---- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c -+++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c -@@ -3929,6 +3929,7 @@ static struct configfs_attribute *ibmvscsis_tpg_attrs[] = { - static const struct target_core_fabric_ops ibmvscsis_ops = { - .module = THIS_MODULE, - .name = "ibmvscsis", -+ .max_data_sg_nents = MAX_TXU / PAGE_SIZE, - .get_fabric_name = ibmvscsis_get_fabric_name, - .tpg_get_wwn = ibmvscsis_get_fabric_wwn, - .tpg_get_tag = ibmvscsis_get_tag, -diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -index f84a608..8a7941b 100644 ---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c -+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -@@ -51,6 +51,7 @@ - #include <linux/workqueue.h> - #include <linux/delay.h> - #include <linux/pci.h> -+#include <linux/pci-aspm.h> - #include <linux/interrupt.h> - #include <linux/aer.h> - #include <linux/raid_class.h> -@@ -8706,6 +8707,8 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id) - - switch (hba_mpi_version) { - case MPI2_VERSION: -+ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S | -+ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM); - /* Use mpt2sas driver host template for SAS 2.0 HBA's */ - shost = scsi_host_alloc(&mpt2sas_driver_template, - sizeof(struct MPT3SAS_ADAPTER)); -diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 078d797..bea819e 100644 ---- a/drivers/scsi/qla2xxx/qla_os.c -+++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -1459,7 +1459,7 @@ qla2x00_abort_all_cmds(scsi_qla_host_t *vha, int res) - /* Don't abort commands in adapter during EEH - * recovery as it's not accessible/responding. - */ -- if (!ha->flags.eeh_busy) { -+ if (GET_CMD_SP(sp) && !ha->flags.eeh_busy) { - /* Get a reference to the sp and drop the lock. - * The reference ensures this sp->done() call - * - and not the call in qla2xxx_eh_abort() - -diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 6b42348..ea9617c 100644 ---- a/drivers/target/target_core_device.c -+++ b/drivers/target/target_core_device.c -@@ -351,7 +351,15 @@ int core_enable_device_list_for_node( - kfree(new); - return -EINVAL; - } -- BUG_ON(orig->se_lun_acl != NULL); -+ if (orig->se_lun_acl != NULL) { -+ pr_warn_ratelimited("Detected existing explicit" -+ " se_lun_acl->se_lun_group reference for %s" -+ " mapped_lun: %llu, failing\n", -+ nacl->initiatorname, mapped_lun); -+ mutex_unlock(&nacl->lun_entry_mutex); -+ kfree(new); -+ return -EINVAL; -+ } - - rcu_assign_pointer(new->se_lun, lun); - rcu_assign_pointer(new->se_lun_acl, lun_acl); -diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c -index 04f616b..aabd660 100644 ---- a/drivers/target/target_core_sbc.c -+++ b/drivers/target/target_core_sbc.c -@@ -450,6 +450,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success, - int *post_ret) - { - struct se_device *dev = cmd->se_dev; -+ sense_reason_t ret = TCM_NO_SENSE; - - /* - * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through -@@ -457,9 +458,12 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success, - * sent to the backend driver. - */ - spin_lock_irq(&cmd->t_state_lock); -- if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) { -+ if (cmd->transport_state & CMD_T_SENT) { - cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST; - *post_ret = 1; -+ -+ if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION) -+ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; - } - spin_unlock_irq(&cmd->t_state_lock); - -@@ -469,7 +473,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success, - */ - up(&dev->caw_sem); - -- return TCM_NO_SENSE; -+ return ret; - } - - static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success, -diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index 7dfefd6..767d1eb6 100644 ---- a/drivers/target/target_core_transport.c -+++ b/drivers/target/target_core_transport.c -@@ -457,8 +457,20 @@ static void target_complete_nacl(struct kref *kref) - { - struct se_node_acl *nacl = container_of(kref, - struct se_node_acl, acl_kref); -+ struct se_portal_group *se_tpg = nacl->se_tpg; - -- complete(&nacl->acl_free_comp); -+ if (!nacl->dynamic_stop) { -+ complete(&nacl->acl_free_comp); -+ return; -+ } -+ -+ mutex_lock(&se_tpg->acl_node_mutex); -+ list_del(&nacl->acl_list); -+ mutex_unlock(&se_tpg->acl_node_mutex); -+ -+ core_tpg_wait_for_nacl_pr_ref(nacl); -+ core_free_device_list_for_node(nacl, se_tpg); -+ kfree(nacl); - } - - void target_put_nacl(struct se_node_acl *nacl) -@@ -499,12 +511,39 @@ EXPORT_SYMBOL(transport_deregister_session_configfs); - void transport_free_session(struct se_session *se_sess) - { - struct se_node_acl *se_nacl = se_sess->se_node_acl; -+ - /* - * Drop the se_node_acl->nacl_kref obtained from within - * core_tpg_get_initiator_node_acl(). - */ - if (se_nacl) { -+ struct se_portal_group *se_tpg = se_nacl->se_tpg; -+ const struct target_core_fabric_ops *se_tfo = se_tpg->se_tpg_tfo; -+ unsigned long flags; -+ - se_sess->se_node_acl = NULL; -+ -+ /* -+ * Also determine if we need to drop the extra ->cmd_kref if -+ * it had been previously dynamically generated, and -+ * the endpoint is not caching dynamic ACLs. -+ */ -+ mutex_lock(&se_tpg->acl_node_mutex); -+ if (se_nacl->dynamic_node_acl && -+ !se_tfo->tpg_check_demo_mode_cache(se_tpg)) { -+ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags); -+ if (list_empty(&se_nacl->acl_sess_list)) -+ se_nacl->dynamic_stop = true; -+ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); -+ -+ if (se_nacl->dynamic_stop) -+ list_del(&se_nacl->acl_list); -+ } -+ mutex_unlock(&se_tpg->acl_node_mutex); -+ -+ if (se_nacl->dynamic_stop) -+ target_put_nacl(se_nacl); -+ - target_put_nacl(se_nacl); - } - if (se_sess->sess_cmd_map) { -@@ -518,16 +557,12 @@ EXPORT_SYMBOL(transport_free_session); - void transport_deregister_session(struct se_session *se_sess) - { - struct se_portal_group *se_tpg = se_sess->se_tpg; -- const struct target_core_fabric_ops *se_tfo; -- struct se_node_acl *se_nacl; - unsigned long flags; -- bool drop_nacl = false; - - if (!se_tpg) { - transport_free_session(se_sess); - return; - } -- se_tfo = se_tpg->se_tpg_tfo; - - spin_lock_irqsave(&se_tpg->session_lock, flags); - list_del(&se_sess->sess_list); -@@ -535,33 +570,15 @@ void transport_deregister_session(struct se_session *se_sess) - se_sess->fabric_sess_ptr = NULL; - spin_unlock_irqrestore(&se_tpg->session_lock, flags); - -- /* -- * Determine if we need to do extra work for this initiator node's -- * struct se_node_acl if it had been previously dynamically generated. -- */ -- se_nacl = se_sess->se_node_acl; -- -- mutex_lock(&se_tpg->acl_node_mutex); -- if (se_nacl && se_nacl->dynamic_node_acl) { -- if (!se_tfo->tpg_check_demo_mode_cache(se_tpg)) { -- list_del(&se_nacl->acl_list); -- drop_nacl = true; -- } -- } -- mutex_unlock(&se_tpg->acl_node_mutex); -- -- if (drop_nacl) { -- core_tpg_wait_for_nacl_pr_ref(se_nacl); -- core_free_device_list_for_node(se_nacl, se_tpg); -- se_sess->se_node_acl = NULL; -- kfree(se_nacl); -- } - pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n", - se_tpg->se_tpg_tfo->get_fabric_name()); - /* - * If last kref is dropping now for an explicit NodeACL, awake sleeping - * ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group - * removal context from within transport_free_session() code. -+ * -+ * For dynamic ACL, target_put_nacl() uses target_complete_nacl() -+ * to release all remaining generate_node_acl=1 created ACL resources. - */ - - transport_free_session(se_sess); -@@ -3086,7 +3103,6 @@ static void target_tmr_work(struct work_struct *work) - spin_unlock_irqrestore(&cmd->t_state_lock, flags); - goto check_stop; - } -- cmd->t_state = TRANSPORT_ISTATE_PROCESSING; - spin_unlock_irqrestore(&cmd->t_state_lock, flags); - - cmd->se_tfo->queue_tm_rsp(cmd); -@@ -3099,11 +3115,25 @@ int transport_generic_handle_tmr( - struct se_cmd *cmd) - { - unsigned long flags; -+ bool aborted = false; - - spin_lock_irqsave(&cmd->t_state_lock, flags); -- cmd->transport_state |= CMD_T_ACTIVE; -+ if (cmd->transport_state & CMD_T_ABORTED) { -+ aborted = true; -+ } else { -+ cmd->t_state = TRANSPORT_ISTATE_PROCESSING; -+ cmd->transport_state |= CMD_T_ACTIVE; -+ } - spin_unlock_irqrestore(&cmd->t_state_lock, flags); - -+ if (aborted) { -+ pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d" -+ "ref_tag: %llu tag: %llu\n", cmd->se_tmr_req->function, -+ cmd->se_tmr_req->ref_task_tag, cmd->tag); -+ transport_cmd_check_stop_to_fabric(cmd); -+ return 0; -+ } -+ - INIT_WORK(&cmd->work, target_tmr_work); - queue_work(cmd->se_dev->tmr_wq, &cmd->work); - return 0; -diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c -index 094a144..18848ba 100644 ---- a/drivers/target/target_core_xcopy.c -+++ b/drivers/target/target_core_xcopy.c -@@ -836,7 +836,7 @@ static void target_xcopy_do_work(struct work_struct *work) - " CHECK_CONDITION -> sending response\n", rc); - ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; - } -- target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION); -+ target_complete_cmd(ec_cmd, ec_cmd->scsi_status); - } - - sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 7acbd2c..1782804 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -5648,6 +5648,10 @@ long btrfs_ioctl(struct file *file, unsigned int - #ifdef CONFIG_COMPAT - long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - { -+ /* -+ * These all access 32-bit values anyway so no further -+ * handling is necessary. -+ */ - switch (cmd) { - case FS_IOC32_GETFLAGS: - cmd = FS_IOC_GETFLAGS; -@@ -5658,8 +5662,6 @@ long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - case FS_IOC32_GETVERSION: - cmd = FS_IOC_GETVERSION; - break; -- default: -- return -ENOIOCTLCMD; - } - - return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg)); -diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h -index da7fbf1..fa3b155 100644 ---- a/include/linux/cpumask.h -+++ b/include/linux/cpumask.h -@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct cpumask *dstp, - static inline int cpumask_parse_user(const char __user *buf, int len, - struct cpumask *dstp) - { -- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids); -+ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits); - } - - /** -@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user(const char __user *buf, int len, - struct cpumask *dstp) - { - return bitmap_parselist_user(buf, len, cpumask_bits(dstp), -- nr_cpu_ids); -+ nr_cpumask_bits); - } - - /** -@@ -590,7 +590,7 @@ static inline int cpumask_parse(const char *buf, struct cpumask *dstp) - char *nl = strchr(buf, '\n'); - unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf); - -- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids); -+ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits); - } - - /** -@@ -602,7 +602,7 @@ static inline int cpumask_parse(const char *buf, struct cpumask *dstp) - */ - static inline int cpulist_parse(const char *buf, struct cpumask *dstp) - { -- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids); -+ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits); - } - - /** -diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h -index cd184bd..c92a083 100644 ---- a/include/linux/hyperv.h -+++ b/include/linux/hyperv.h -@@ -128,6 +128,7 @@ struct hv_ring_buffer_info { - u32 ring_data_startoffset; - u32 priv_write_index; - u32 priv_read_index; -+ u32 cached_read_index; - }; - - /* -@@ -180,6 +181,19 @@ static inline u32 hv_get_bytes_to_write(struct hv_ring_buffer_info *rbi) - return write; - } - -+static inline u32 hv_get_cached_bytes_to_write( -+ const struct hv_ring_buffer_info *rbi) -+{ -+ u32 read_loc, write_loc, dsize, write; -+ -+ dsize = rbi->ring_datasize; -+ read_loc = rbi->cached_read_index; -+ write_loc = rbi->ring_buffer->write_index; -+ -+ write = write_loc >= read_loc ? dsize - (write_loc - read_loc) : -+ read_loc - write_loc; -+ return write; -+} - /* - * VMBUS version is 32 bit entity broken up into - * two 16 bit quantities: major_number. minor_number. -@@ -1447,6 +1461,7 @@ void hv_event_tasklet_enable(struct vmbus_channel *channel); - - void hv_process_channel_removal(struct vmbus_channel *channel, u32 relid); - -+void vmbus_setevent(struct vmbus_channel *channel); - /* - * Negotiated version with the Host. - */ -@@ -1479,10 +1494,11 @@ hv_get_ring_buffer(struct hv_ring_buffer_info *ring_info) - * there is room for the producer to send the pending packet. - */ - --static inline bool hv_need_to_signal_on_read(struct hv_ring_buffer_info *rbi) -+static inline void hv_signal_on_read(struct vmbus_channel *channel) - { -- u32 cur_write_sz; -+ u32 cur_write_sz, cached_write_sz; - u32 pending_sz; -+ struct hv_ring_buffer_info *rbi = &channel->inbound; - - /* - * Issue a full memory barrier before making the signaling decision. -@@ -1500,14 +1516,26 @@ static inline bool hv_need_to_signal_on_read(struct hv_ring_buffer_info *rbi) - pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz); - /* If the other end is not blocked on write don't bother. */ - if (pending_sz == 0) -- return false; -+ return; - - cur_write_sz = hv_get_bytes_to_write(rbi); - -- if (cur_write_sz >= pending_sz) -- return true; -+ if (cur_write_sz < pending_sz) -+ return; -+ -+ cached_write_sz = hv_get_cached_bytes_to_write(rbi); -+ if (cached_write_sz < pending_sz) -+ vmbus_setevent(channel); -+ -+ return; -+} -+ -+static inline void -+init_cached_read_index(struct vmbus_channel *channel) -+{ -+ struct hv_ring_buffer_info *rbi = &channel->inbound; - -- return false; -+ rbi->cached_read_index = rbi->ring_buffer->read_index; - } - - /* -@@ -1571,6 +1599,8 @@ static inline void put_pkt_raw(struct vmbus_channel *channel, - * This call commits the read index and potentially signals the host. - * Here is the pattern for using the "in-place" consumption APIs: - * -+ * init_cached_read_index(); -+ * - * while (get_next_pkt_raw() { - * process the packet "in-place"; - * put_pkt_raw(); -@@ -1589,8 +1619,7 @@ static inline void commit_rd_index(struct vmbus_channel *channel) - virt_rmb(); - ring_info->ring_buffer->read_index = ring_info->priv_read_index; - -- if (hv_need_to_signal_on_read(ring_info)) -- vmbus_set_event(channel); -+ hv_signal_on_read(channel); - } - - -diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h -index c211900..48bc1ac 100644 ---- a/include/target/target_core_base.h -+++ b/include/target/target_core_base.h -@@ -538,6 +538,7 @@ struct se_node_acl { - char initiatorname[TRANSPORT_IQN_LEN]; - /* Used to signal demo mode created ACL, disabled by default */ - bool dynamic_node_acl; -+ bool dynamic_stop; - u32 queue_depth; - u32 acl_index; - enum target_prot_type saved_prot_type; -diff --git a/kernel/events/core.c b/kernel/events/core.c -index b1cfd74..4b33231 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -3461,14 +3461,15 @@ struct perf_read_data { - int ret; - }; - --static int find_cpu_to_read(struct perf_event *event, int local_cpu) -+static int __perf_event_read_cpu(struct perf_event *event, int event_cpu) - { -- int event_cpu = event->oncpu; - u16 local_pkg, event_pkg; - - if (event->group_caps & PERF_EV_CAP_READ_ACTIVE_PKG) { -- event_pkg = topology_physical_package_id(event_cpu); -- local_pkg = topology_physical_package_id(local_cpu); -+ int local_cpu = smp_processor_id(); -+ -+ event_pkg = topology_physical_package_id(event_cpu); -+ local_pkg = topology_physical_package_id(local_cpu); - - if (event_pkg == local_pkg) - return local_cpu; -@@ -3598,7 +3599,7 @@ u64 perf_event_read_local(struct perf_event *event) - - static int perf_event_read(struct perf_event *event, bool group) - { -- int ret = 0, cpu_to_read, local_cpu; -+ int event_cpu, ret = 0; - - /* - * If event is enabled and currently active on a CPU, update the -@@ -3611,21 +3612,25 @@ static int perf_event_read(struct perf_event *event, bool group) - .ret = 0, - }; - -- local_cpu = get_cpu(); -- cpu_to_read = find_cpu_to_read(event, local_cpu); -- put_cpu(); -+ event_cpu = READ_ONCE(event->oncpu); -+ if ((unsigned)event_cpu >= nr_cpu_ids) -+ return 0; -+ -+ preempt_disable(); -+ event_cpu = __perf_event_read_cpu(event, event_cpu); - - /* - * Purposely ignore the smp_call_function_single() return - * value. - * -- * If event->oncpu isn't a valid CPU it means the event got -+ * If event_cpu isn't a valid CPU it means the event got - * scheduled out and that will have updated the event count. - * - * Therefore, either way, we'll have an up-to-date event count - * after this. - */ -- (void)smp_call_function_single(cpu_to_read, __perf_event_read, &data, 1); -+ (void)smp_call_function_single(event_cpu, __perf_event_read, &data, 1); -+ preempt_enable(); - ret = data.ret; - } else if (event->state == PERF_EVENT_STATE_INACTIVE) { - struct perf_event_context *ctx = event->ctx; -diff --git a/kernel/stacktrace.c b/kernel/stacktrace.c -index b6e4c16..9c15a91 100644 ---- a/kernel/stacktrace.c -+++ b/kernel/stacktrace.c -@@ -18,10 +18,8 @@ void print_stack_trace(struct stack_trace *trace, int spaces) - if (WARN_ON(!trace->entries)) - return; - -- for (i = 0; i < trace->nr_entries; i++) { -- printk("%*c", 1 + spaces, ' '); -- print_ip_sym(trace->entries[i]); -- } -+ for (i = 0; i < trace->nr_entries; i++) -+ printk("%*c%pS\n", 1 + spaces, ' ', (void *)trace->entries[i]); - } - EXPORT_SYMBOL_GPL(print_stack_trace); - -@@ -29,7 +27,6 @@ int snprint_stack_trace(char *buf, size_t size, - struct stack_trace *trace, int spaces) - { - int i; -- unsigned long ip; - int generated; - int total = 0; - -@@ -37,9 +34,8 @@ int snprint_stack_trace(char *buf, size_t size, - return 0; - - for (i = 0; i < trace->nr_entries; i++) { -- ip = trace->entries[i]; -- generated = snprintf(buf, size, "%*c[<%p>] %pS\n", -- 1 + spaces, ' ', (void *) ip, (void *) ip); -+ generated = snprintf(buf, size, "%*c%pS\n", 1 + spaces, ' ', -+ (void *)trace->entries[i]); - - total += generated; - -diff --git a/mm/slub.c b/mm/slub.c -index 2b3e740..7aa0e97 100644 ---- a/mm/slub.c -+++ b/mm/slub.c -@@ -1419,6 +1419,10 @@ static int init_cache_random_seq(struct kmem_cache *s) - int err; - unsigned long i, count = oo_objects(s->oo); - -+ /* Bailout if already initialised */ -+ if (s->random_seq) -+ return 0; -+ - err = cache_random_seq_create(s, count, GFP_KERNEL); - if (err) { - pr_err("SLUB: Unable to initialize free list for %s\n", -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c -index 42120d9..50e1b7f 100644 ---- a/net/mac80211/mesh.c -+++ b/net/mac80211/mesh.c -@@ -339,7 +339,7 @@ int mesh_add_vendor_ies(struct ieee80211_sub_if_data *sdata, - /* fast-forward to vendor IEs */ - offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0); - -- if (offset) { -+ if (offset < ifmsh->ie_len) { - len = ifmsh->ie_len - offset; - data = ifmsh->ie + offset; - if (skb_tailroom(skb) < len) -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 1b3c18c..cd7a419 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -5874,6 +5874,7 @@ do { \ - break; - } - cfg->ht_opmode = ht_opmode; -+ mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1)); - } - FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout, - 1, 65535, mask, -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 09fd610..c2da45a 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -5858,7 +5858,7 @@ static int selinux_setprocattr(struct task_struct *p, - return error; - - /* Obtain a SID for the context, if one was specified. */ -- if (size && str[1] && str[1] != '\n') { -+ if (size && str[0] && str[0] != '\n') { - if (str[size-1] == '\n') { - str[size-1] = 0; - size--; -diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c -index c850345..dfa5156 100644 ---- a/sound/core/seq/seq_memory.c -+++ b/sound/core/seq/seq_memory.c -@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool) - { - unsigned long flags; - struct snd_seq_event_cell *ptr; -- int max_count = 5 * HZ; - - if (snd_BUG_ON(!pool)) - return -EINVAL; -@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_pool *pool) - if (waitqueue_active(&pool->output_sleep)) - wake_up(&pool->output_sleep); - -- while (atomic_read(&pool->counter) > 0) { -- if (max_count == 0) { -- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter)); -- break; -- } -+ while (atomic_read(&pool->counter) > 0) - schedule_timeout_uninterruptible(1); -- max_count--; -- } - - /* release all resources */ - spin_lock_irqsave(&pool->lock, flags); -diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c -index 0bec02e..450c518 100644 ---- a/sound/core/seq/seq_queue.c -+++ b/sound/core/seq/seq_queue.c -@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void) - } - } - -+static void queue_use(struct snd_seq_queue *queue, int client, int use); -+ - /* allocate a new queue - - * return queue index value or negative value for error - */ -@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int locked, unsigned int info_flags) - if (q == NULL) - return -ENOMEM; - q->info_flags = info_flags; -+ queue_use(q, client, 1); - if (queue_list_add(q) < 0) { - queue_delete(q); - return -ENOMEM; - } -- snd_seq_queue_use(q->queue, client, 1); /* use this queue */ - return q->queue; - } - -@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int queueid, int client, - return result; - } - -- --/* use or unuse this queue - -- * if it is the first client, starts the timer. -- * if it is not longer used by any clients, stop the timer. -- */ --int snd_seq_queue_use(int queueid, int client, int use) -+/* use or unuse this queue */ -+static void queue_use(struct snd_seq_queue *queue, int client, int use) - { -- struct snd_seq_queue *queue; -- -- queue = queueptr(queueid); -- if (queue == NULL) -- return -EINVAL; -- mutex_lock(&queue->timer_mutex); - if (use) { - if (!test_and_set_bit(client, queue->clients_bitmap)) - queue->clients++; -@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int client, int use) - } else { - snd_seq_timer_close(queue); - } -+} -+ -+/* use or unuse this queue - -+ * if it is the first client, starts the timer. -+ * if it is not longer used by any clients, stop the timer. -+ */ -+int snd_seq_queue_use(int queueid, int client, int use) -+{ -+ struct snd_seq_queue *queue; -+ -+ queue = queueptr(queueid); -+ if (queue == NULL) -+ return -EINVAL; -+ mutex_lock(&queue->timer_mutex); -+ queue_use(queue, client, use); - mutex_unlock(&queue->timer_mutex); - queuefree(queue); - return 0; -diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c -index 56e5204..4bf4833 100644 ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -3638,6 +3638,7 @@ HDA_CODEC_ENTRY(0x10de0070, "GPU 70 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de0071, "GPU 71 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de0072, "GPU 72 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de007d, "GPU 7d HDMI/DP", patch_nvhdmi), -+HDA_CODEC_ENTRY(0x10de0080, "GPU 80 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de0082, "GPU 82 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de0083, "GPU 83 HDMI/DP", patch_nvhdmi), - HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), -diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c -index 90009c0..ab3c280 100644 ---- a/sound/usb/line6/driver.c -+++ b/sound/usb/line6/driver.c -@@ -754,8 +754,9 @@ int line6_probe(struct usb_interface *interface, - goto error; - } - -+ line6_get_interval(line6); -+ - if (properties->capabilities & LINE6_CAP_CONTROL) { -- line6_get_interval(line6); - ret = line6_init_cap_control(line6); - if (ret < 0) - goto error; -diff --git a/tools/perf/builtin-diff.c b/tools/perf/builtin-diff.c -index 9ff0db4..933aeec 100644 ---- a/tools/perf/builtin-diff.c -+++ b/tools/perf/builtin-diff.c -@@ -1199,7 +1199,7 @@ static int ui_init(void) - BUG_ON(1); - } - -- perf_hpp__register_sort_field(fmt); -+ perf_hpp__prepend_sort_field(fmt); - return 0; - } - -diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c -index 3738839..18cfcdc9 100644 ---- a/tools/perf/ui/hist.c -+++ b/tools/perf/ui/hist.c -@@ -521,6 +521,12 @@ void perf_hpp_list__register_sort_field(struct perf_hpp_list *list, - list_add_tail(&format->sort_list, &list->sorts); - } - -+void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, -+ struct perf_hpp_fmt *format) -+{ -+ list_add(&format->sort_list, &list->sorts); -+} -+ - void perf_hpp__column_unregister(struct perf_hpp_fmt *format) - { - list_del(&format->list); -@@ -560,6 +566,10 @@ void perf_hpp__setup_output_field(struct perf_hpp_list *list) - perf_hpp_list__for_each_sort_list(list, fmt) { - struct perf_hpp_fmt *pos; - -+ /* skip sort-only fields ("sort_compute" in perf diff) */ -+ if (!fmt->entry && !fmt->color) -+ continue; -+ - perf_hpp_list__for_each_format(list, pos) { - if (fmt_equal(fmt, pos)) - goto next; -diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h -index 9928fed..a440a04 100644 ---- a/tools/perf/util/hist.h -+++ b/tools/perf/util/hist.h -@@ -282,6 +282,8 @@ void perf_hpp_list__column_register(struct perf_hpp_list *list, - struct perf_hpp_fmt *format); - void perf_hpp_list__register_sort_field(struct perf_hpp_list *list, - struct perf_hpp_fmt *format); -+void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, -+ struct perf_hpp_fmt *format); - - static inline void perf_hpp__column_register(struct perf_hpp_fmt *format) - { -@@ -293,6 +295,11 @@ static inline void perf_hpp__register_sort_field(struct perf_hpp_fmt *format) - perf_hpp_list__register_sort_field(&perf_hpp_list, format); - } - -+static inline void perf_hpp__prepend_sort_field(struct perf_hpp_fmt *format) -+{ -+ perf_hpp_list__prepend_sort_field(&perf_hpp_list, format); -+} -+ - #define perf_hpp_list__for_each_format(_list, format) \ - list_for_each_entry(format, &(_list)->fields, list) - diff --git a/4.9.11/1010_linux-4.9.11.patch b/4.9.11/1010_linux-4.9.11.patch deleted file mode 100644 index 59eb5c7..0000000 --- a/4.9.11/1010_linux-4.9.11.patch +++ /dev/null @@ -1,1893 +0,0 @@ -diff --git a/Makefile b/Makefile -index d2fe757..18b0c5a 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 9 --SUBLEVEL = 10 -+SUBLEVEL = 11 - EXTRAVERSION = - NAME = Roaring Lionus - -diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c -index ebb4e95..96d80df 100644 ---- a/arch/x86/kernel/fpu/core.c -+++ b/arch/x86/kernel/fpu/core.c -@@ -236,7 +236,8 @@ void fpstate_init(union fpregs_state *state) - * it will #GP. Make sure it is replaced after the memset(). - */ - if (static_cpu_has(X86_FEATURE_XSAVES)) -- state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT; -+ state->xsave.header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT | -+ xfeatures_mask; - - if (static_cpu_has(X86_FEATURE_FXSR)) - fpstate_init_fxstate(&state->fxsave); -diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -index f2e8bed..4d3ddc2 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c -+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -@@ -507,8 +507,11 @@ void mlx4_en_recover_from_oom(struct mlx4_en_priv *priv) - return; - - for (ring = 0; ring < priv->rx_ring_num; ring++) { -- if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) -+ if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) { -+ local_bh_disable(); - napi_reschedule(&priv->rx_cq[ring]->napi); -+ local_bh_enable(); -+ } - } - } - -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h -index 71382df..81d8e3b 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en.h -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h -@@ -765,7 +765,8 @@ void mlx5e_disable_vlan_filter(struct mlx5e_priv *priv); - int mlx5e_modify_rqs_vsd(struct mlx5e_priv *priv, bool vsd); - - int mlx5e_redirect_rqt(struct mlx5e_priv *priv, u32 rqtn, int sz, int ix); --void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv); -+void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc, -+ enum mlx5e_traffic_types tt); - - int mlx5e_open_locked(struct net_device *netdev); - int mlx5e_close_locked(struct net_device *netdev); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -index 51c6a57..126cfeb 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c -@@ -975,15 +975,18 @@ static int mlx5e_get_rxfh(struct net_device *netdev, u32 *indir, u8 *key, - - static void mlx5e_modify_tirs_hash(struct mlx5e_priv *priv, void *in, int inlen) - { -- struct mlx5_core_dev *mdev = priv->mdev; - void *tirc = MLX5_ADDR_OF(modify_tir_in, in, ctx); -- int i; -+ struct mlx5_core_dev *mdev = priv->mdev; -+ int ctxlen = MLX5_ST_SZ_BYTES(tirc); -+ int tt; - - MLX5_SET(modify_tir_in, in, bitmask.hash, 1); -- mlx5e_build_tir_ctx_hash(tirc, priv); - -- for (i = 0; i < MLX5E_NUM_INDIR_TIRS; i++) -- mlx5_core_modify_tir(mdev, priv->indir_tir[i].tirn, in, inlen); -+ for (tt = 0; tt < MLX5E_NUM_INDIR_TIRS; tt++) { -+ memset(tirc, 0, ctxlen); -+ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt); -+ mlx5_core_modify_tir(mdev, priv->indir_tir[tt].tirn, in, inlen); -+ } - } - - static int mlx5e_set_rxfh(struct net_device *dev, const u32 *indir, -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -index 5dc3e24..b3067137 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -@@ -1978,8 +1978,23 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv) - MLX5_SET(tirc, tirc, lro_timeout_period_usecs, priv->params.lro_timeout); - } - --void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv) -+void mlx5e_build_indir_tir_ctx_hash(struct mlx5e_priv *priv, void *tirc, -+ enum mlx5e_traffic_types tt) - { -+ void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer); -+ -+#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\ -+ MLX5_HASH_FIELD_SEL_DST_IP) -+ -+#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\ -+ MLX5_HASH_FIELD_SEL_DST_IP |\ -+ MLX5_HASH_FIELD_SEL_L4_SPORT |\ -+ MLX5_HASH_FIELD_SEL_L4_DPORT) -+ -+#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\ -+ MLX5_HASH_FIELD_SEL_DST_IP |\ -+ MLX5_HASH_FIELD_SEL_IPSEC_SPI) -+ - MLX5_SET(tirc, tirc, rx_hash_fn, - mlx5e_rx_hash_fn(priv->params.rss_hfunc)); - if (priv->params.rss_hfunc == ETH_RSS_HASH_TOP) { -@@ -1991,6 +2006,88 @@ void mlx5e_build_tir_ctx_hash(void *tirc, struct mlx5e_priv *priv) - MLX5_SET(tirc, tirc, rx_hash_symmetric, 1); - memcpy(rss_key, priv->params.toeplitz_hash_key, len); - } -+ -+ switch (tt) { -+ case MLX5E_TT_IPV4_TCP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV4); -+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -+ MLX5_L4_PROT_TYPE_TCP); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_L4PORTS); -+ break; -+ -+ case MLX5E_TT_IPV6_TCP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV6); -+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -+ MLX5_L4_PROT_TYPE_TCP); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_L4PORTS); -+ break; -+ -+ case MLX5E_TT_IPV4_UDP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV4); -+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -+ MLX5_L4_PROT_TYPE_UDP); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_L4PORTS); -+ break; -+ -+ case MLX5E_TT_IPV6_UDP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV6); -+ MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -+ MLX5_L4_PROT_TYPE_UDP); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_L4PORTS); -+ break; -+ -+ case MLX5E_TT_IPV4_IPSEC_AH: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV4); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_IPSEC_SPI); -+ break; -+ -+ case MLX5E_TT_IPV6_IPSEC_AH: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV6); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_IPSEC_SPI); -+ break; -+ -+ case MLX5E_TT_IPV4_IPSEC_ESP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV4); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_IPSEC_SPI); -+ break; -+ -+ case MLX5E_TT_IPV6_IPSEC_ESP: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV6); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP_IPSEC_SPI); -+ break; -+ -+ case MLX5E_TT_IPV4: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV4); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP); -+ break; -+ -+ case MLX5E_TT_IPV6: -+ MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -+ MLX5_L3_PROT_TYPE_IPV6); -+ MLX5_SET(rx_hash_field_select, hfso, selected_fields, -+ MLX5_HASH_IP); -+ break; -+ default: -+ WARN_ONCE(true, "%s: bad traffic type!\n", __func__); -+ } - } - - static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv) -@@ -2360,110 +2457,13 @@ void mlx5e_cleanup_nic_tx(struct mlx5e_priv *priv) - static void mlx5e_build_indir_tir_ctx(struct mlx5e_priv *priv, u32 *tirc, - enum mlx5e_traffic_types tt) - { -- void *hfso = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer); -- - MLX5_SET(tirc, tirc, transport_domain, priv->mdev->mlx5e_res.td.tdn); - --#define MLX5_HASH_IP (MLX5_HASH_FIELD_SEL_SRC_IP |\ -- MLX5_HASH_FIELD_SEL_DST_IP) -- --#define MLX5_HASH_IP_L4PORTS (MLX5_HASH_FIELD_SEL_SRC_IP |\ -- MLX5_HASH_FIELD_SEL_DST_IP |\ -- MLX5_HASH_FIELD_SEL_L4_SPORT |\ -- MLX5_HASH_FIELD_SEL_L4_DPORT) -- --#define MLX5_HASH_IP_IPSEC_SPI (MLX5_HASH_FIELD_SEL_SRC_IP |\ -- MLX5_HASH_FIELD_SEL_DST_IP |\ -- MLX5_HASH_FIELD_SEL_IPSEC_SPI) -- - mlx5e_build_tir_ctx_lro(tirc, priv); - - MLX5_SET(tirc, tirc, disp_type, MLX5_TIRC_DISP_TYPE_INDIRECT); - MLX5_SET(tirc, tirc, indirect_table, priv->indir_rqt.rqtn); -- mlx5e_build_tir_ctx_hash(tirc, priv); -- -- switch (tt) { -- case MLX5E_TT_IPV4_TCP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV4); -- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -- MLX5_L4_PROT_TYPE_TCP); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_L4PORTS); -- break; -- -- case MLX5E_TT_IPV6_TCP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV6); -- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -- MLX5_L4_PROT_TYPE_TCP); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_L4PORTS); -- break; -- -- case MLX5E_TT_IPV4_UDP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV4); -- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -- MLX5_L4_PROT_TYPE_UDP); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_L4PORTS); -- break; -- -- case MLX5E_TT_IPV6_UDP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV6); -- MLX5_SET(rx_hash_field_select, hfso, l4_prot_type, -- MLX5_L4_PROT_TYPE_UDP); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_L4PORTS); -- break; -- -- case MLX5E_TT_IPV4_IPSEC_AH: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV4); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_IPSEC_SPI); -- break; -- -- case MLX5E_TT_IPV6_IPSEC_AH: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV6); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_IPSEC_SPI); -- break; -- -- case MLX5E_TT_IPV4_IPSEC_ESP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV4); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_IPSEC_SPI); -- break; -- -- case MLX5E_TT_IPV6_IPSEC_ESP: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV6); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP_IPSEC_SPI); -- break; -- -- case MLX5E_TT_IPV4: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV4); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP); -- break; -- -- case MLX5E_TT_IPV6: -- MLX5_SET(rx_hash_field_select, hfso, l3_prot_type, -- MLX5_L3_PROT_TYPE_IPV6); -- MLX5_SET(rx_hash_field_select, hfso, selected_fields, -- MLX5_HASH_IP); -- break; -- default: -- WARN_ONCE(true, -- "mlx5e_build_indir_tir_ctx: bad traffic type!\n"); -- } -+ mlx5e_build_indir_tir_ctx_hash(priv, tirc, tt); - } - - static void mlx5e_build_direct_tir_ctx(struct mlx5e_priv *priv, u32 *tirc, -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c -index 914e546..7e20e4b 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c -@@ -1110,9 +1110,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, - return rule; - } - rule = add_rule_fte(fte, fg, dest); -- unlock_ref_node(&fte->node); - if (IS_ERR(rule)) -- goto unlock_fg; -+ goto unlock_fte; - else - goto add_rule; - } -@@ -1130,6 +1129,7 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, - goto unlock_fg; - } - tree_init_node(&fte->node, 0, del_fte); -+ nested_lock_ref_node(&fte->node, FS_MUTEX_CHILD); - rule = add_rule_fte(fte, fg, dest); - if (IS_ERR(rule)) { - kfree(fte); -@@ -1142,6 +1142,8 @@ static struct mlx5_flow_rule *add_rule_fg(struct mlx5_flow_group *fg, - list_add(&fte->node.list, prev); - add_rule: - tree_add_node(&rule->node, &fte->node); -+unlock_fte: -+ unlock_ref_node(&fte->node); - unlock_fg: - unlock_ref_node(&fg->node); - return rule; -diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c -index 7df4ff1..7d19029 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c -+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c -@@ -305,8 +305,12 @@ static int dwmac1000_irq_status(struct mac_device_info *hw, - { - void __iomem *ioaddr = hw->pcsr; - u32 intr_status = readl(ioaddr + GMAC_INT_STATUS); -+ u32 intr_mask = readl(ioaddr + GMAC_INT_MASK); - int ret = 0; - -+ /* Discard masked bits */ -+ intr_status &= ~intr_mask; -+ - /* Not used events (e.g. MMC interrupts) are not handled. */ - if ((intr_status & GMAC_INT_STATUS_MMCTIS)) - x->mmc_tx_irq_n++; -diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c -index 6255973..1b65f0f 100644 ---- a/drivers/net/loopback.c -+++ b/drivers/net/loopback.c -@@ -164,6 +164,7 @@ static void loopback_setup(struct net_device *dev) - { - dev->mtu = 64 * 1024; - dev->hard_header_len = ETH_HLEN; /* 14 */ -+ dev->min_header_len = ETH_HLEN; /* 14 */ - dev->addr_len = ETH_ALEN; /* 6 */ - dev->type = ARPHRD_LOOPBACK; /* 0x0001*/ - dev->flags = IFF_LOOPBACK; -diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 6f38daf..adea6f5 100644 ---- a/drivers/net/macvtap.c -+++ b/drivers/net/macvtap.c -@@ -682,7 +682,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - ssize_t n; - - if (q->flags & IFF_VNET_HDR) { -- vnet_hdr_len = q->vnet_hdr_sz; -+ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); - - err = -EINVAL; - if (len < vnet_hdr_len) -@@ -822,7 +822,7 @@ static ssize_t macvtap_put_user(struct macvtap_queue *q, - - if (q->flags & IFF_VNET_HDR) { - struct virtio_net_hdr vnet_hdr; -- vnet_hdr_len = q->vnet_hdr_sz; -+ vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); - if (iov_iter_count(iter) < vnet_hdr_len) - return -EINVAL; - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 18402d7..b31aca8 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -1187,9 +1187,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - } - - if (tun->flags & IFF_VNET_HDR) { -- if (len < tun->vnet_hdr_sz) -+ int vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz); -+ -+ if (len < vnet_hdr_sz) - return -EINVAL; -- len -= tun->vnet_hdr_sz; -+ len -= vnet_hdr_sz; - - n = copy_from_iter(&gso, sizeof(gso), from); - if (n != sizeof(gso)) -@@ -1201,7 +1203,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - - if (tun16_to_cpu(tun, gso.hdr_len) > len) - return -EINVAL; -- iov_iter_advance(from, tun->vnet_hdr_sz - sizeof(gso)); -+ iov_iter_advance(from, vnet_hdr_sz - sizeof(gso)); - } - - if ((tun->flags & TUN_TYPE_MASK) == IFF_TAP) { -@@ -1348,7 +1350,7 @@ static ssize_t tun_put_user(struct tun_struct *tun, - vlan_hlen = VLAN_HLEN; - - if (tun->flags & IFF_VNET_HDR) -- vnet_hdr_sz = tun->vnet_hdr_sz; -+ vnet_hdr_sz = READ_ONCE(tun->vnet_hdr_sz); - - total = skb->len + vlan_hlen + vnet_hdr_sz; - -diff --git a/drivers/net/usb/catc.c b/drivers/net/usb/catc.c -index d9ca05d..4086415 100644 ---- a/drivers/net/usb/catc.c -+++ b/drivers/net/usb/catc.c -@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id - struct net_device *netdev; - struct catc *catc; - u8 broadcast[ETH_ALEN]; -- int i, pktsz; -+ int pktsz, ret; - - if (usb_set_interface(usbdev, - intf->altsetting->desc.bInterfaceNumber, 1)) { -@@ -812,12 +812,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id - if ((!catc->ctrl_urb) || (!catc->tx_urb) || - (!catc->rx_urb) || (!catc->irq_urb)) { - dev_err(&intf->dev, "No free urbs available.\n"); -- usb_free_urb(catc->ctrl_urb); -- usb_free_urb(catc->tx_urb); -- usb_free_urb(catc->rx_urb); -- usb_free_urb(catc->irq_urb); -- free_netdev(netdev); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto fail_free; - } - - /* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */ -@@ -845,15 +841,24 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id - catc->irq_buf, 2, catc_irq_done, catc, 1); - - if (!catc->is_f5u011) { -+ u32 *buf; -+ int i; -+ - dev_dbg(dev, "Checking memory size\n"); - -- i = 0x12345678; -- catc_write_mem(catc, 0x7a80, &i, 4); -- i = 0x87654321; -- catc_write_mem(catc, 0xfa80, &i, 4); -- catc_read_mem(catc, 0x7a80, &i, 4); -+ buf = kmalloc(4, GFP_KERNEL); -+ if (!buf) { -+ ret = -ENOMEM; -+ goto fail_free; -+ } -+ -+ *buf = 0x12345678; -+ catc_write_mem(catc, 0x7a80, buf, 4); -+ *buf = 0x87654321; -+ catc_write_mem(catc, 0xfa80, buf, 4); -+ catc_read_mem(catc, 0x7a80, buf, 4); - -- switch (i) { -+ switch (*buf) { - case 0x12345678: - catc_set_reg(catc, TxBufCount, 8); - catc_set_reg(catc, RxBufCount, 32); -@@ -868,6 +873,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id - dev_dbg(dev, "32k Memory\n"); - break; - } -+ -+ kfree(buf); - - dev_dbg(dev, "Getting MAC from SEEROM.\n"); - -@@ -914,16 +921,21 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id - usb_set_intfdata(intf, catc); - - SET_NETDEV_DEV(netdev, &intf->dev); -- if (register_netdev(netdev) != 0) { -- usb_set_intfdata(intf, NULL); -- usb_free_urb(catc->ctrl_urb); -- usb_free_urb(catc->tx_urb); -- usb_free_urb(catc->rx_urb); -- usb_free_urb(catc->irq_urb); -- free_netdev(netdev); -- return -EIO; -- } -+ ret = register_netdev(netdev); -+ if (ret) -+ goto fail_clear_intfdata; -+ - return 0; -+ -+fail_clear_intfdata: -+ usb_set_intfdata(intf, NULL); -+fail_free: -+ usb_free_urb(catc->ctrl_urb); -+ usb_free_urb(catc->tx_urb); -+ usb_free_urb(catc->rx_urb); -+ usb_free_urb(catc->irq_urb); -+ free_netdev(netdev); -+ return ret; - } - - static void catc_disconnect(struct usb_interface *intf) -diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c -index 1434e5d..ee40ac2 100644 ---- a/drivers/net/usb/pegasus.c -+++ b/drivers/net/usb/pegasus.c -@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb) - - static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) - { -+ u8 *buf; - int ret; - -+ buf = kmalloc(size, GFP_NOIO); -+ if (!buf) -+ return -ENOMEM; -+ - ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0), - PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0, -- indx, data, size, 1000); -+ indx, buf, size, 1000); - if (ret < 0) - netif_dbg(pegasus, drv, pegasus->net, - "%s returned %d\n", __func__, ret); -+ else if (ret <= size) -+ memcpy(data, buf, ret); -+ kfree(buf); - return ret; - } - --static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data) -+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, -+ const void *data) - { -+ u8 *buf; - int ret; - -+ buf = kmemdup(data, size, GFP_NOIO); -+ if (!buf) -+ return -ENOMEM; -+ - ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), - PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0, -- indx, data, size, 100); -+ indx, buf, size, 100); - if (ret < 0) - netif_dbg(pegasus, drv, pegasus->net, - "%s returned %d\n", __func__, ret); -+ kfree(buf); - return ret; - } - - static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data) - { -+ u8 *buf; - int ret; - -+ buf = kmemdup(&data, 1, GFP_NOIO); -+ if (!buf) -+ return -ENOMEM; -+ - ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0), - PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data, -- indx, &data, 1, 1000); -+ indx, buf, 1, 1000); - if (ret < 0) - netif_dbg(pegasus, drv, pegasus->net, - "%s returned %d\n", __func__, ret); -+ kfree(buf); - return ret; - } - -diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c -index 7c72bfa..dc4f7ea 100644 ---- a/drivers/net/usb/rtl8150.c -+++ b/drivers/net/usb/rtl8150.c -@@ -155,16 +155,36 @@ static const char driver_name [] = "rtl8150"; - */ - static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) - { -- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), -- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ, -- indx, 0, data, size, 500); -+ void *buf; -+ int ret; -+ -+ buf = kmalloc(size, GFP_NOIO); -+ if (!buf) -+ return -ENOMEM; -+ -+ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), -+ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ, -+ indx, 0, buf, size, 500); -+ if (ret > 0 && ret <= size) -+ memcpy(data, buf, ret); -+ kfree(buf); -+ return ret; - } - --static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) -+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data) - { -- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), -- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE, -- indx, 0, data, size, 500); -+ void *buf; -+ int ret; -+ -+ buf = kmemdup(data, size, GFP_NOIO); -+ if (!buf) -+ return -ENOMEM; -+ -+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), -+ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE, -+ indx, 0, buf, size, 500); -+ kfree(buf); -+ return ret; - } - - static void async_set_reg_cb(struct urb *urb) -diff --git a/include/linux/can/core.h b/include/linux/can/core.h -index a087500..df08a41 100644 ---- a/include/linux/can/core.h -+++ b/include/linux/can/core.h -@@ -45,10 +45,9 @@ struct can_proto { - extern int can_proto_register(const struct can_proto *cp); - extern void can_proto_unregister(const struct can_proto *cp); - --extern int can_rx_register(struct net_device *dev, canid_t can_id, -- canid_t mask, -- void (*func)(struct sk_buff *, void *), -- void *data, char *ident); -+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, -+ void (*func)(struct sk_buff *, void *), -+ void *data, char *ident, struct sock *sk); - - extern void can_rx_unregister(struct net_device *dev, canid_t can_id, - canid_t mask, -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index d83590e..bb9b102 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -1508,6 +1508,7 @@ enum netdev_priv_flags { - * @mtu: Interface MTU value - * @type: Interface hardware type - * @hard_header_len: Maximum hardware header length. -+ * @min_header_len: Minimum hardware header length - * - * @needed_headroom: Extra headroom the hardware may need, but not in all - * cases can this be guaranteed -@@ -1728,6 +1729,7 @@ struct net_device { - unsigned int mtu; - unsigned short type; - unsigned short hard_header_len; -+ unsigned short min_header_len; - - unsigned short needed_headroom; - unsigned short needed_tailroom; -@@ -2783,6 +2785,8 @@ static inline bool dev_validate_header(const struct net_device *dev, - { - if (likely(len >= dev->hard_header_len)) - return true; -+ if (len < dev->min_header_len) -+ return false; - - if (capable(CAP_SYS_RAWIO)) { - memset(ll_header + len, 0, dev->hard_header_len - len); -diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h -index 3ebb168..a34b141 100644 ---- a/include/net/cipso_ipv4.h -+++ b/include/net/cipso_ipv4.h -@@ -309,6 +309,10 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, - } - - for (opt_iter = 6; opt_iter < opt_len;) { -+ if (opt_iter + 1 == opt_len) { -+ err_offset = opt_iter; -+ goto out; -+ } - tag_len = opt[opt_iter + 1]; - if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) { - err_offset = opt_iter + 1; -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index f11ca83..7f15f95 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -871,7 +871,7 @@ int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb); - * upper-layer output functions - */ - int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, -- struct ipv6_txoptions *opt, int tclass); -+ __u32 mark, struct ipv6_txoptions *opt, int tclass); - - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr); - -diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h -index fc7c0db..3f40132 100644 ---- a/include/net/lwtunnel.h -+++ b/include/net/lwtunnel.h -@@ -176,7 +176,10 @@ static inline int lwtunnel_valid_encap_type(u16 encap_type) - } - static inline int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int len) - { -- return -EOPNOTSUPP; -+ /* return 0 since we are not walking attr looking for -+ * RTA_ENCAP_TYPE attribute on nexthops. -+ */ -+ return 0; - } - - static inline int lwtunnel_build_state(struct net_device *dev, u16 encap_type, -diff --git a/net/can/af_can.c b/net/can/af_can.c -index 1108079..5488e4a 100644 ---- a/net/can/af_can.c -+++ b/net/can/af_can.c -@@ -445,6 +445,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask, - * @func: callback function on filter match - * @data: returned parameter for callback function - * @ident: string for calling module identification -+ * @sk: socket pointer (might be NULL) - * - * Description: - * Invokes the callback function with the received sk_buff and the given -@@ -468,7 +469,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask, - */ - int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, - void (*func)(struct sk_buff *, void *), void *data, -- char *ident) -+ char *ident, struct sock *sk) - { - struct receiver *r; - struct hlist_head *rl; -@@ -496,6 +497,7 @@ int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, - r->func = func; - r->data = data; - r->ident = ident; -+ r->sk = sk; - - hlist_add_head_rcu(&r->list, rl); - d->entries++; -@@ -520,8 +522,11 @@ EXPORT_SYMBOL(can_rx_register); - static void can_rx_delete_receiver(struct rcu_head *rp) - { - struct receiver *r = container_of(rp, struct receiver, rcu); -+ struct sock *sk = r->sk; - - kmem_cache_free(rcv_cache, r); -+ if (sk) -+ sock_put(sk); - } - - /** -@@ -596,8 +601,11 @@ void can_rx_unregister(struct net_device *dev, canid_t can_id, canid_t mask, - spin_unlock(&can_rcvlists_lock); - - /* schedule the receiver item for deletion */ -- if (r) -+ if (r) { -+ if (r->sk) -+ sock_hold(r->sk); - call_rcu(&r->rcu, can_rx_delete_receiver); -+ } - } - EXPORT_SYMBOL(can_rx_unregister); - -diff --git a/net/can/af_can.h b/net/can/af_can.h -index fca0fe9..b86f512 100644 ---- a/net/can/af_can.h -+++ b/net/can/af_can.h -@@ -50,13 +50,14 @@ - - struct receiver { - struct hlist_node list; -- struct rcu_head rcu; - canid_t can_id; - canid_t mask; - unsigned long matches; - void (*func)(struct sk_buff *, void *); - void *data; - char *ident; -+ struct sock *sk; -+ struct rcu_head rcu; - }; - - #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS) -diff --git a/net/can/bcm.c b/net/can/bcm.c -index 5e9ed5e..e4f694d 100644 ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -1225,7 +1225,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, - err = can_rx_register(dev, op->can_id, - REGMASK(op->can_id), - bcm_rx_handler, op, -- "bcm"); -+ "bcm", sk); - - op->rx_reg_dev = dev; - dev_put(dev); -@@ -1234,7 +1234,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, - } else - err = can_rx_register(NULL, op->can_id, - REGMASK(op->can_id), -- bcm_rx_handler, op, "bcm"); -+ bcm_rx_handler, op, "bcm", sk); - if (err) { - /* this bcm rx op is broken -> remove it */ - list_del(&op->list); -diff --git a/net/can/gw.c b/net/can/gw.c -index 4551687..77c8af4 100644 ---- a/net/can/gw.c -+++ b/net/can/gw.c -@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj) - { - return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id, - gwj->ccgw.filter.can_mask, can_can_gw_rcv, -- gwj, "gw"); -+ gwj, "gw", NULL); - } - - static inline void cgw_unregister_filter(struct cgw_job *gwj) -diff --git a/net/can/raw.c b/net/can/raw.c -index b075f02..6dc546a 100644 ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -190,7 +190,7 @@ static int raw_enable_filters(struct net_device *dev, struct sock *sk, - for (i = 0; i < count; i++) { - err = can_rx_register(dev, filter[i].can_id, - filter[i].can_mask, -- raw_rcv, sk, "raw"); -+ raw_rcv, sk, "raw", sk); - if (err) { - /* clean up successfully registered filters */ - while (--i >= 0) -@@ -211,7 +211,7 @@ static int raw_enable_errfilter(struct net_device *dev, struct sock *sk, - - if (err_mask) - err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG, -- raw_rcv, sk, "raw"); -+ raw_rcv, sk, "raw", sk); - - return err; - } -diff --git a/net/core/dev.c b/net/core/dev.c -index df51c50..60b0a604 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -1696,24 +1696,19 @@ EXPORT_SYMBOL_GPL(net_dec_egress_queue); - - static struct static_key netstamp_needed __read_mostly; - #ifdef HAVE_JUMP_LABEL --/* We are not allowed to call static_key_slow_dec() from irq context -- * If net_disable_timestamp() is called from irq context, defer the -- * static_key_slow_dec() calls. -- */ - static atomic_t netstamp_needed_deferred; --#endif -- --void net_enable_timestamp(void) -+static void netstamp_clear(struct work_struct *work) - { --#ifdef HAVE_JUMP_LABEL - int deferred = atomic_xchg(&netstamp_needed_deferred, 0); - -- if (deferred) { -- while (--deferred) -- static_key_slow_dec(&netstamp_needed); -- return; -- } -+ while (deferred--) -+ static_key_slow_dec(&netstamp_needed); -+} -+static DECLARE_WORK(netstamp_work, netstamp_clear); - #endif -+ -+void net_enable_timestamp(void) -+{ - static_key_slow_inc(&netstamp_needed); - } - EXPORT_SYMBOL(net_enable_timestamp); -@@ -1721,12 +1716,12 @@ EXPORT_SYMBOL(net_enable_timestamp); - void net_disable_timestamp(void) - { - #ifdef HAVE_JUMP_LABEL -- if (in_interrupt()) { -- atomic_inc(&netstamp_needed_deferred); -- return; -- } --#endif -+ /* net_disable_timestamp() can be called from non process context */ -+ atomic_inc(&netstamp_needed_deferred); -+ schedule_work(&netstamp_work); -+#else - static_key_slow_dec(&netstamp_needed); -+#endif - } - EXPORT_SYMBOL(net_disable_timestamp); - -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index 715e5d1..7506c03 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -227,7 +227,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req - opt = ireq->ipv6_opt; - if (!opt) - opt = rcu_dereference(np->opt); -- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); -+ err = ip6_xmit(sk, skb, &fl6, sk->sk_mark, opt, np->tclass); - rcu_read_unlock(); - err = net_xmit_eval(err); - } -@@ -281,7 +281,7 @@ static void dccp_v6_ctl_send_reset(const struct sock *sk, struct sk_buff *rxskb) - dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); - if (!IS_ERR(dst)) { - skb_dst_set(skb, dst); -- ip6_xmit(ctl_sk, skb, &fl6, NULL, 0); -+ ip6_xmit(ctl_sk, skb, &fl6, 0, NULL, 0); - DCCP_INC_STATS(DCCP_MIB_OUTSEGS); - DCCP_INC_STATS(DCCP_MIB_OUTRSTS); - return; -diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c -index da38621..0f99297 100644 ---- a/net/dsa/dsa2.c -+++ b/net/dsa/dsa2.c -@@ -273,6 +273,7 @@ static int dsa_user_port_apply(struct device_node *port, u32 index, - if (err) { - dev_warn(ds->dev, "Failed to create slave %d: %d\n", - index, err); -+ ds->ports[index].netdev = NULL; - return err; - } - -diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c -index 02acfff..24d7aff 100644 ---- a/net/ethernet/eth.c -+++ b/net/ethernet/eth.c -@@ -356,6 +356,7 @@ void ether_setup(struct net_device *dev) - dev->header_ops = ð_header_ops; - dev->type = ARPHRD_ETHER; - dev->hard_header_len = ETH_HLEN; -+ dev->min_header_len = ETH_HLEN; - dev->mtu = ETH_DATA_LEN; - dev->addr_len = ETH_ALEN; - dev->tx_queue_len = 1000; /* Ethernet wants good queues */ -diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c -index 72d6f05..ae20616 100644 ---- a/net/ipv4/cipso_ipv4.c -+++ b/net/ipv4/cipso_ipv4.c -@@ -1587,6 +1587,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) - goto validate_return_locked; - } - -+ if (opt_iter + 1 == opt_len) { -+ err_offset = opt_iter; -+ goto validate_return_locked; -+ } - tag_len = tag[1]; - if (tag_len > (opt_len - opt_iter)) { - err_offset = opt_iter + 1; -diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c -index 32a08bc..1bc623d 100644 ---- a/net/ipv4/igmp.c -+++ b/net/ipv4/igmp.c -@@ -1172,6 +1172,7 @@ static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im) - psf->sf_crcount = im->crcount; - } - in_dev_put(pmc->interface); -+ kfree(pmc); - } - spin_unlock_bh(&im->lock); - } -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 877bdb0..e5c1dbe 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1606,6 +1606,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - sk->sk_protocol = ip_hdr(skb)->protocol; - sk->sk_bound_dev_if = arg->bound_dev_if; - sk->sk_sndbuf = sysctl_wmem_default; -+ sk->sk_mark = fl4.flowi4_mark; - err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, - len, 0, &ipc, &rt, MSG_DONTWAIT); - if (unlikely(err)) { -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index f226f408..65336f3 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -1215,7 +1215,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb) - pktinfo->ipi_ifindex = 0; - pktinfo->ipi_spec_dst.s_addr = 0; - } -- skb_dst_drop(skb); -+ /* We need to keep the dst for __ip_options_echo() -+ * We could restrict the test to opt.ts_needtime || opt.srr, -+ * but the following is good enough as IP options are not often used. -+ */ -+ if (unlikely(IPCB(skb)->opt.optlen)) -+ skb_dst_force(skb); -+ else -+ skb_dst_drop(skb); - } - - int ip_setsockopt(struct sock *sk, int level, -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 96b8e2b..105c074 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -642,6 +642,8 @@ static int ping_v4_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh, - { - struct sk_buff *skb = skb_peek(&sk->sk_write_queue); - -+ if (!skb) -+ return 0; - pfh->wcheck = csum_partial((char *)&pfh->icmph, - sizeof(struct icmphdr), pfh->wcheck); - pfh->icmph.checksum = csum_fold(pfh->wcheck); -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 814af89..6a90a0e 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, - ret = -EAGAIN; - break; - } -+ /* if __tcp_splice_read() got nothing while we have -+ * an skb in receive queue, we do not want to loop. -+ * This might happen with URG data. -+ */ -+ if (!skb_queue_empty(&sk->sk_receive_queue)) -+ break; - sk_wait_data(sk, &timeo, NULL); - if (signal_pending(current)) { - ret = sock_intr_errno(timeo); -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 896e9df..65d6189 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -2436,9 +2436,11 @@ u32 __tcp_select_window(struct sock *sk) - int full_space = min_t(int, tp->window_clamp, allowed_space); - int window; - -- if (mss > full_space) -+ if (unlikely(mss > full_space)) { - mss = full_space; -- -+ if (mss <= 0) -+ return 0; -+ } - if (free_space < (full_space >> 1)) { - icsk->icsk_ack.quick = 0; - -diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c -index 532c3ef..798a095 100644 ---- a/net/ipv6/inet6_connection_sock.c -+++ b/net/ipv6/inet6_connection_sock.c -@@ -173,7 +173,7 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused - /* Restore final destination back after routing done */ - fl6.daddr = sk->sk_v6_daddr; - -- res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ res = ip6_xmit(sk, skb, &fl6, sk->sk_mark, rcu_dereference(np->opt), - np->tclass); - rcu_read_unlock(); - return res; -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index d7d6d3a..0a59220 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev) - - - static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, -- u8 type, u8 code, int offset, __be32 info) -+ u8 type, u8 code, int offset, __be32 info) - { -- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data; -- __be16 *p = (__be16 *)(skb->data + offset); -- int grehlen = offset + 4; -+ const struct gre_base_hdr *greh; -+ const struct ipv6hdr *ipv6h; -+ int grehlen = sizeof(*greh); - struct ip6_tnl *t; -+ int key_off = 0; - __be16 flags; -+ __be32 key; - -- flags = p[0]; -- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) { -- if (flags&(GRE_VERSION|GRE_ROUTING)) -- return; -- if (flags&GRE_KEY) { -- grehlen += 4; -- if (flags&GRE_CSUM) -- grehlen += 4; -- } -+ if (!pskb_may_pull(skb, offset + grehlen)) -+ return; -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ flags = greh->flags; -+ if (flags & (GRE_VERSION | GRE_ROUTING)) -+ return; -+ if (flags & GRE_CSUM) -+ grehlen += 4; -+ if (flags & GRE_KEY) { -+ key_off = grehlen + offset; -+ grehlen += 4; - } - -- /* If only 8 bytes returned, keyed message will be dropped here */ -- if (!pskb_may_pull(skb, grehlen)) -+ if (!pskb_may_pull(skb, offset + grehlen)) - return; - ipv6h = (const struct ipv6hdr *)skb->data; -- p = (__be16 *)(skb->data + offset); -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0; - - t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr, -- flags & GRE_KEY ? -- *(((__be32 *)p) + (grehlen / 4) - 1) : 0, -- p[1]); -+ key, greh->protocol); - if (!t) - return; - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 59eb4ed..9a87bfb 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -163,7 +163,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) - * which are using proper atomic operations or spinlocks. - */ - int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, -- struct ipv6_txoptions *opt, int tclass) -+ __u32 mark, struct ipv6_txoptions *opt, int tclass) - { - struct net *net = sock_net(sk); - const struct ipv6_pinfo *np = inet6_sk(sk); -@@ -230,7 +230,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, - - skb->protocol = htons(ETH_P_IPV6); - skb->priority = sk->sk_priority; -- skb->mark = sk->sk_mark; -+ skb->mark = mark; - - mtu = dst_mtu(dst); - if ((skb->len <= mtu) || skb->ignore_df || skb_is_gso(skb)) { -diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c -index f95437f..f6ba452 100644 ---- a/net/ipv6/ip6_tunnel.c -+++ b/net/ipv6/ip6_tunnel.c -@@ -400,18 +400,19 @@ ip6_tnl_dev_uninit(struct net_device *dev) - - __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) - { -- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw; -- __u8 nexthdr = ipv6h->nexthdr; -- __u16 off = sizeof(*ipv6h); -+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw; -+ unsigned int nhoff = raw - skb->data; -+ unsigned int off = nhoff + sizeof(*ipv6h); -+ u8 next, nexthdr = ipv6h->nexthdr; - - while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) { -- __u16 optlen = 0; - struct ipv6_opt_hdr *hdr; -- if (raw + off + sizeof(*hdr) > skb->data && -- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr))) -+ u16 optlen; -+ -+ if (!pskb_may_pull(skb, off + sizeof(*hdr))) - break; - -- hdr = (struct ipv6_opt_hdr *) (raw + off); -+ hdr = (struct ipv6_opt_hdr *)(skb->data + off); - if (nexthdr == NEXTHDR_FRAGMENT) { - struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr; - if (frag_hdr->frag_off) -@@ -422,20 +423,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) - } else { - optlen = ipv6_optlen(hdr); - } -+ /* cache hdr->nexthdr, since pskb_may_pull() might -+ * invalidate hdr -+ */ -+ next = hdr->nexthdr; - if (nexthdr == NEXTHDR_DEST) { -- __u16 i = off + 2; -+ u16 i = 2; -+ -+ /* Remember : hdr is no longer valid at this point. */ -+ if (!pskb_may_pull(skb, off + optlen)) -+ break; -+ - while (1) { - struct ipv6_tlv_tnl_enc_lim *tel; - - /* No more room for encapsulation limit */ -- if (i + sizeof (*tel) > off + optlen) -+ if (i + sizeof(*tel) > optlen) - break; - -- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i]; -+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i); - /* return index of option if found and valid */ - if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT && - tel->length == 1) -- return i; -+ return i + off - nhoff; - /* else jump to next option */ - if (tel->type) - i += tel->length + 2; -@@ -443,7 +453,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) - i++; - } - } -- nexthdr = hdr->nexthdr; -+ nexthdr = next; - off += optlen; - } - return 0; -diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c -index 14a3903..1bdc703 100644 ---- a/net/ipv6/mcast.c -+++ b/net/ipv6/mcast.c -@@ -81,7 +81,7 @@ static void mld_gq_timer_expire(unsigned long data); - static void mld_ifc_timer_expire(unsigned long data); - static void mld_ifc_event(struct inet6_dev *idev); - static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc); --static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr); -+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc); - static void mld_clear_delrec(struct inet6_dev *idev); - static bool mld_in_v1_mode(const struct inet6_dev *idev); - static int sf_setstate(struct ifmcaddr6 *pmc); -@@ -692,9 +692,9 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc) - dev_mc_del(dev, buf); - } - -- if (mc->mca_flags & MAF_NOREPORT) -- goto done; - spin_unlock_bh(&mc->mca_lock); -+ if (mc->mca_flags & MAF_NOREPORT) -+ return; - - if (!mc->idev->dead) - igmp6_leave_group(mc); -@@ -702,8 +702,6 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc) - spin_lock_bh(&mc->mca_lock); - if (del_timer(&mc->mca_timer)) - atomic_dec(&mc->mca_refcnt); --done: -- ip6_mc_clear_src(mc); - spin_unlock_bh(&mc->mca_lock); - } - -@@ -748,10 +746,11 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) - spin_unlock_bh(&idev->mc_lock); - } - --static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca) -+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) - { - struct ifmcaddr6 *pmc, *pmc_prev; -- struct ip6_sf_list *psf, *psf_next; -+ struct ip6_sf_list *psf; -+ struct in6_addr *pmca = &im->mca_addr; - - spin_lock_bh(&idev->mc_lock); - pmc_prev = NULL; -@@ -768,14 +767,21 @@ static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca) - } - spin_unlock_bh(&idev->mc_lock); - -+ spin_lock_bh(&im->mca_lock); - if (pmc) { -- for (psf = pmc->mca_tomb; psf; psf = psf_next) { -- psf_next = psf->sf_next; -- kfree(psf); -+ im->idev = pmc->idev; -+ im->mca_crcount = idev->mc_qrv; -+ im->mca_sfmode = pmc->mca_sfmode; -+ if (pmc->mca_sfmode == MCAST_INCLUDE) { -+ im->mca_tomb = pmc->mca_tomb; -+ im->mca_sources = pmc->mca_sources; -+ for (psf = im->mca_sources; psf; psf = psf->sf_next) -+ psf->sf_crcount = im->mca_crcount; - } - in6_dev_put(pmc->idev); - kfree(pmc); - } -+ spin_unlock_bh(&im->mca_lock); - } - - static void mld_clear_delrec(struct inet6_dev *idev) -@@ -904,7 +910,7 @@ int ipv6_dev_mc_inc(struct net_device *dev, const struct in6_addr *addr) - mca_get(mc); - write_unlock_bh(&idev->lock); - -- mld_del_delrec(idev, &mc->mca_addr); -+ mld_del_delrec(idev, mc); - igmp6_group_added(mc); - ma_put(mc); - return 0; -@@ -927,6 +933,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *idev, const struct in6_addr *addr) - write_unlock_bh(&idev->lock); - - igmp6_group_dropped(ma); -+ ip6_mc_clear_src(ma); - - ma_put(ma); - return 0; -@@ -2501,15 +2508,17 @@ void ipv6_mc_down(struct inet6_dev *idev) - /* Withdraw multicast list */ - - read_lock_bh(&idev->lock); -- mld_ifc_stop_timer(idev); -- mld_gq_stop_timer(idev); -- mld_dad_stop_timer(idev); - - for (i = idev->mc_list; i; i = i->next) - igmp6_group_dropped(i); -- read_unlock_bh(&idev->lock); - -- mld_clear_delrec(idev); -+ /* Should stop timer after group drop. or we will -+ * start timer again in mld_ifc_event() -+ */ -+ mld_ifc_stop_timer(idev); -+ mld_gq_stop_timer(idev); -+ mld_dad_stop_timer(idev); -+ read_unlock_bh(&idev->lock); - } - - static void ipv6_mc_reset(struct inet6_dev *idev) -@@ -2531,8 +2540,10 @@ void ipv6_mc_up(struct inet6_dev *idev) - - read_lock_bh(&idev->lock); - ipv6_mc_reset(idev); -- for (i = idev->mc_list; i; i = i->next) -+ for (i = idev->mc_list; i; i = i->next) { -+ mld_del_delrec(idev, i); - igmp6_group_added(i); -+ } - read_unlock_bh(&idev->lock); - } - -@@ -2565,6 +2576,7 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev) - - /* Deactivate timers */ - ipv6_mc_down(idev); -+ mld_clear_delrec(idev); - - /* Delete all-nodes address. */ - /* We cannot call ipv6_dev_mc_dec() directly, our caller in -@@ -2579,11 +2591,9 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev) - write_lock_bh(&idev->lock); - while ((i = idev->mc_list) != NULL) { - idev->mc_list = i->next; -- write_unlock_bh(&idev->lock); - -- igmp6_group_dropped(i); -+ write_unlock_bh(&idev->lock); - ma_put(i); -- - write_lock_bh(&idev->lock); - } - write_unlock_bh(&idev->lock); -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index b1cdf80..40d7405 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -1390,6 +1390,7 @@ static int ipip6_tunnel_init(struct net_device *dev) - err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL); - if (err) { - free_percpu(dev->tstats); -+ dev->tstats = NULL; - return err; - } - -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index b9f1fee..6673965 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -467,7 +467,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, - opt = ireq->ipv6_opt; - if (!opt) - opt = rcu_dereference(np->opt); -- err = ip6_xmit(sk, skb, fl6, opt, np->tclass); -+ err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass); - rcu_read_unlock(); - err = net_xmit_eval(err); - } -@@ -837,7 +837,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 - dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL); - if (!IS_ERR(dst)) { - skb_dst_set(buff, dst); -- ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass); -+ ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass); - TCP_INC_STATS(net, TCP_MIB_OUTSEGS); - if (rst) - TCP_INC_STATS(net, TCP_MIB_OUTRSTS); -@@ -987,6 +987,16 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) - return 0; /* don't send reset */ - } - -+static void tcp_v6_restore_cb(struct sk_buff *skb) -+{ -+ /* We need to move header back to the beginning if xfrm6_policy_check() -+ * and tcp_v6_fill_cb() are going to be called again. -+ * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there. -+ */ -+ memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, -+ sizeof(struct inet6_skb_parm)); -+} -+ - static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, - struct request_sock *req, - struct dst_entry *dst, -@@ -1178,8 +1188,10 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - sk_gfp_mask(sk, GFP_ATOMIC)); - consume_skb(ireq->pktopts); - ireq->pktopts = NULL; -- if (newnp->pktoptions) -+ if (newnp->pktoptions) { -+ tcp_v6_restore_cb(newnp->pktoptions); - skb_set_owner_r(newnp->pktoptions, newsk); -+ } - } - } - -@@ -1194,16 +1206,6 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - return NULL; - } - --static void tcp_v6_restore_cb(struct sk_buff *skb) --{ -- /* We need to move header back to the beginning if xfrm6_policy_check() -- * and tcp_v6_fill_cb() are going to be called again. -- * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there. -- */ -- memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, -- sizeof(struct inet6_skb_parm)); --} -- - /* The socket must have it's spinlock held when we get - * here, unless it is a TCP_LISTEN socket. - * -diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h -index 2599af6..181e755c 100644 ---- a/net/l2tp/l2tp_core.h -+++ b/net/l2tp/l2tp_core.h -@@ -273,6 +273,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, - int l2tp_nl_register_ops(enum l2tp_pwtype pw_type, - const struct l2tp_nl_cmd_ops *ops); - void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type); -+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg); - - /* Session reference counts. Incremented when code obtains a reference - * to a session. -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index 8938b6b..c0f0750 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -11,6 +11,7 @@ - - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt - -+#include <asm/ioctls.h> - #include <linux/icmp.h> - #include <linux/module.h> - #include <linux/skbuff.h> -@@ -560,6 +561,30 @@ static int l2tp_ip_recvmsg(struct sock *sk, struct msghdr *msg, - return err ? err : copied; - } - -+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg) -+{ -+ struct sk_buff *skb; -+ int amount; -+ -+ switch (cmd) { -+ case SIOCOUTQ: -+ amount = sk_wmem_alloc_get(sk); -+ break; -+ case SIOCINQ: -+ spin_lock_bh(&sk->sk_receive_queue.lock); -+ skb = skb_peek(&sk->sk_receive_queue); -+ amount = skb ? skb->len : 0; -+ spin_unlock_bh(&sk->sk_receive_queue.lock); -+ break; -+ -+ default: -+ return -ENOIOCTLCMD; -+ } -+ -+ return put_user(amount, (int __user *)arg); -+} -+EXPORT_SYMBOL(l2tp_ioctl); -+ - static struct proto l2tp_ip_prot = { - .name = "L2TP/IP", - .owner = THIS_MODULE, -@@ -568,7 +593,7 @@ static struct proto l2tp_ip_prot = { - .bind = l2tp_ip_bind, - .connect = l2tp_ip_connect, - .disconnect = l2tp_ip_disconnect, -- .ioctl = udp_ioctl, -+ .ioctl = l2tp_ioctl, - .destroy = l2tp_ip_destroy_sock, - .setsockopt = ip_setsockopt, - .getsockopt = ip_getsockopt, -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index aa821cb..1a65c9a 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -729,7 +729,7 @@ static struct proto l2tp_ip6_prot = { - .bind = l2tp_ip6_bind, - .connect = l2tp_ip6_connect, - .disconnect = l2tp_ip6_disconnect, -- .ioctl = udp_ioctl, -+ .ioctl = l2tp_ioctl, - .destroy = l2tp_ip6_destroy_sock, - .setsockopt = ipv6_setsockopt, - .getsockopt = ipv6_getsockopt, -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 94e4a59..458722b 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2813,7 +2813,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) - struct virtio_net_hdr vnet_hdr = { 0 }; - int offset = 0; - struct packet_sock *po = pkt_sk(sk); -- int hlen, tlen; -+ int hlen, tlen, linear; - int extra_len = 0; - - /* -@@ -2874,8 +2874,9 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) - err = -ENOBUFS; - hlen = LL_RESERVED_SPACE(dev); - tlen = dev->needed_tailroom; -- skb = packet_alloc_skb(sk, hlen + tlen, hlen, len, -- __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len), -+ linear = __virtio16_to_cpu(vio_le(), vnet_hdr.hdr_len); -+ linear = max(linear, min_t(int, len, dev->hard_header_len)); -+ skb = packet_alloc_skb(sk, hlen + tlen, hlen, len, linear, - msg->msg_flags & MSG_DONTWAIT, &err); - if (skb == NULL) - goto out_unlock; -diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c -index f935429..b12bc2a 100644 ---- a/net/sched/cls_matchall.c -+++ b/net/sched/cls_matchall.c -@@ -16,16 +16,11 @@ - #include <net/sch_generic.h> - #include <net/pkt_cls.h> - --struct cls_mall_filter { -+struct cls_mall_head { - struct tcf_exts exts; - struct tcf_result res; - u32 handle; -- struct rcu_head rcu; - u32 flags; --}; -- --struct cls_mall_head { -- struct cls_mall_filter *filter; - struct rcu_head rcu; - }; - -@@ -33,38 +28,29 @@ static int mall_classify(struct sk_buff *skb, const struct tcf_proto *tp, - struct tcf_result *res) - { - struct cls_mall_head *head = rcu_dereference_bh(tp->root); -- struct cls_mall_filter *f = head->filter; - -- if (tc_skip_sw(f->flags)) -+ if (tc_skip_sw(head->flags)) - return -1; - -- return tcf_exts_exec(skb, &f->exts, res); -+ return tcf_exts_exec(skb, &head->exts, res); - } - - static int mall_init(struct tcf_proto *tp) - { -- struct cls_mall_head *head; -- -- head = kzalloc(sizeof(*head), GFP_KERNEL); -- if (!head) -- return -ENOBUFS; -- -- rcu_assign_pointer(tp->root, head); -- - return 0; - } - --static void mall_destroy_filter(struct rcu_head *head) -+static void mall_destroy_rcu(struct rcu_head *rcu) - { -- struct cls_mall_filter *f = container_of(head, struct cls_mall_filter, rcu); -+ struct cls_mall_head *head = container_of(rcu, struct cls_mall_head, -+ rcu); - -- tcf_exts_destroy(&f->exts); -- -- kfree(f); -+ tcf_exts_destroy(&head->exts); -+ kfree(head); - } - - static int mall_replace_hw_filter(struct tcf_proto *tp, -- struct cls_mall_filter *f, -+ struct cls_mall_head *head, - unsigned long cookie) - { - struct net_device *dev = tp->q->dev_queue->dev; -@@ -74,7 +60,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp, - offload.type = TC_SETUP_MATCHALL; - offload.cls_mall = &mall_offload; - offload.cls_mall->command = TC_CLSMATCHALL_REPLACE; -- offload.cls_mall->exts = &f->exts; -+ offload.cls_mall->exts = &head->exts; - offload.cls_mall->cookie = cookie; - - return dev->netdev_ops->ndo_setup_tc(dev, tp->q->handle, tp->protocol, -@@ -82,7 +68,7 @@ static int mall_replace_hw_filter(struct tcf_proto *tp, - } - - static void mall_destroy_hw_filter(struct tcf_proto *tp, -- struct cls_mall_filter *f, -+ struct cls_mall_head *head, - unsigned long cookie) - { - struct net_device *dev = tp->q->dev_queue->dev; -@@ -103,29 +89,20 @@ static bool mall_destroy(struct tcf_proto *tp, bool force) - { - struct cls_mall_head *head = rtnl_dereference(tp->root); - struct net_device *dev = tp->q->dev_queue->dev; -- struct cls_mall_filter *f = head->filter; - -- if (!force && f) -- return false; -+ if (!head) -+ return true; - -- if (f) { -- if (tc_should_offload(dev, tp, f->flags)) -- mall_destroy_hw_filter(tp, f, (unsigned long) f); -+ if (tc_should_offload(dev, tp, head->flags)) -+ mall_destroy_hw_filter(tp, head, (unsigned long) head); - -- call_rcu(&f->rcu, mall_destroy_filter); -- } -- kfree_rcu(head, rcu); -+ call_rcu(&head->rcu, mall_destroy_rcu); - return true; - } - - static unsigned long mall_get(struct tcf_proto *tp, u32 handle) - { -- struct cls_mall_head *head = rtnl_dereference(tp->root); -- struct cls_mall_filter *f = head->filter; -- -- if (f && f->handle == handle) -- return (unsigned long) f; -- return 0; -+ return 0UL; - } - - static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { -@@ -134,7 +111,7 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { - }; - - static int mall_set_parms(struct net *net, struct tcf_proto *tp, -- struct cls_mall_filter *f, -+ struct cls_mall_head *head, - unsigned long base, struct nlattr **tb, - struct nlattr *est, bool ovr) - { -@@ -147,11 +124,11 @@ static int mall_set_parms(struct net *net, struct tcf_proto *tp, - return err; - - if (tb[TCA_MATCHALL_CLASSID]) { -- f->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -- tcf_bind_filter(tp, &f->res, base); -+ head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -+ tcf_bind_filter(tp, &head->res, base); - } - -- tcf_exts_change(tp, &f->exts, &e); -+ tcf_exts_change(tp, &head->exts, &e); - - return 0; - } -@@ -162,21 +139,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - unsigned long *arg, bool ovr) - { - struct cls_mall_head *head = rtnl_dereference(tp->root); -- struct cls_mall_filter *fold = (struct cls_mall_filter *) *arg; - struct net_device *dev = tp->q->dev_queue->dev; -- struct cls_mall_filter *f; - struct nlattr *tb[TCA_MATCHALL_MAX + 1]; -+ struct cls_mall_head *new; - u32 flags = 0; - int err; - - if (!tca[TCA_OPTIONS]) - return -EINVAL; - -- if (head->filter) -- return -EBUSY; -- -- if (fold) -- return -EINVAL; -+ if (head) -+ return -EEXIST; - - err = nla_parse_nested(tb, TCA_MATCHALL_MAX, - tca[TCA_OPTIONS], mall_policy); -@@ -189,23 +162,23 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - return -EINVAL; - } - -- f = kzalloc(sizeof(*f), GFP_KERNEL); -- if (!f) -+ new = kzalloc(sizeof(*new), GFP_KERNEL); -+ if (!new) - return -ENOBUFS; - -- tcf_exts_init(&f->exts, TCA_MATCHALL_ACT, 0); -+ tcf_exts_init(&new->exts, TCA_MATCHALL_ACT, 0); - - if (!handle) - handle = 1; -- f->handle = handle; -- f->flags = flags; -+ new->handle = handle; -+ new->flags = flags; - -- err = mall_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr); -+ err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], ovr); - if (err) - goto errout; - - if (tc_should_offload(dev, tp, flags)) { -- err = mall_replace_hw_filter(tp, f, (unsigned long) f); -+ err = mall_replace_hw_filter(tp, new, (unsigned long) new); - if (err) { - if (tc_skip_sw(flags)) - goto errout; -@@ -214,39 +187,29 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - } - } - -- *arg = (unsigned long) f; -- rcu_assign_pointer(head->filter, f); -- -+ *arg = (unsigned long) head; -+ rcu_assign_pointer(tp->root, new); -+ if (head) -+ call_rcu(&head->rcu, mall_destroy_rcu); - return 0; - - errout: -- kfree(f); -+ kfree(new); - return err; - } - - static int mall_delete(struct tcf_proto *tp, unsigned long arg) - { -- struct cls_mall_head *head = rtnl_dereference(tp->root); -- struct cls_mall_filter *f = (struct cls_mall_filter *) arg; -- struct net_device *dev = tp->q->dev_queue->dev; -- -- if (tc_should_offload(dev, tp, f->flags)) -- mall_destroy_hw_filter(tp, f, (unsigned long) f); -- -- RCU_INIT_POINTER(head->filter, NULL); -- tcf_unbind_filter(tp, &f->res); -- call_rcu(&f->rcu, mall_destroy_filter); -- return 0; -+ return -EOPNOTSUPP; - } - - static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg) - { - struct cls_mall_head *head = rtnl_dereference(tp->root); -- struct cls_mall_filter *f = head->filter; - - if (arg->count < arg->skip) - goto skip; -- if (arg->fn(tp, (unsigned long) f, arg) < 0) -+ if (arg->fn(tp, (unsigned long) head, arg) < 0) - arg->stop = 1; - skip: - arg->count++; -@@ -255,28 +218,28 @@ static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg) - static int mall_dump(struct net *net, struct tcf_proto *tp, unsigned long fh, - struct sk_buff *skb, struct tcmsg *t) - { -- struct cls_mall_filter *f = (struct cls_mall_filter *) fh; -+ struct cls_mall_head *head = (struct cls_mall_head *) fh; - struct nlattr *nest; - -- if (!f) -+ if (!head) - return skb->len; - -- t->tcm_handle = f->handle; -+ t->tcm_handle = head->handle; - - nest = nla_nest_start(skb, TCA_OPTIONS); - if (!nest) - goto nla_put_failure; - -- if (f->res.classid && -- nla_put_u32(skb, TCA_MATCHALL_CLASSID, f->res.classid)) -+ if (head->res.classid && -+ nla_put_u32(skb, TCA_MATCHALL_CLASSID, head->res.classid)) - goto nla_put_failure; - -- if (tcf_exts_dump(skb, &f->exts)) -+ if (tcf_exts_dump(skb, &head->exts)) - goto nla_put_failure; - - nla_nest_end(skb, nest); - -- if (tcf_exts_dump_stats(skb, &f->exts) < 0) -+ if (tcf_exts_dump_stats(skb, &head->exts) < 0) - goto nla_put_failure; - - return skb->len; -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index 176af30..6a2532d 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -222,7 +222,8 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) - SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); - - rcu_read_lock(); -- res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass); -+ res = ip6_xmit(sk, skb, fl6, sk->sk_mark, rcu_dereference(np->opt), -+ np->tclass); - rcu_read_unlock(); - return res; - } -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index ca12aa3..6cbe5bd 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, - */ - release_sock(sk); - current_timeo = schedule_timeout(current_timeo); -- BUG_ON(sk != asoc->base.sk); -+ if (sk != asoc->base.sk) -+ goto do_error; - lock_sock(sk); - - *timeo_p = current_timeo; diff --git a/4.9.11/0000_README b/4.9.12/0000_README index 27a4c3e..fde5541 100644 --- a/4.9.11/0000_README +++ b/4.9.12/0000_README @@ -2,15 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1009_linux-4.9.10.patch -From: http://www.kernel.org -Desc: Linux 4.9.10 - -Patch: 1010_linux-4.9.11.patch -From: http://www.kernel.org -Desc: Linux 4.9.11 - -Patch: 4420_grsecurity-3.1-4.9.11-201702181444.patch +Patch: 4420_grsecurity-3.1-4.9.12-201702231830.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch b/4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch index 91575ee..ce908bf 100644 --- a/4.9.11/4420_grsecurity-3.1-4.9.11-201702181444.patch +++ b/4.9.12/4420_grsecurity-3.1-4.9.12-201702231830.patch @@ -419,7 +419,7 @@ index 3d0ae15..84e5412 100644 cmd_syscalls = $(CONFIG_SHELL) $< $(CC) $(c_flags) $(missing_syscalls_flags) diff --git a/Makefile b/Makefile -index 18b0c5a..54a9fea 100644 +index 3cd6f6f..43e4233 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -26426,7 +26426,7 @@ index 17f2186..f394307 100644 /* diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 83db0ea..137bc2c 100644 +index 83db0ea..0ad5d22 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -136,7 +136,7 @@ struct cpuinfo_x86 { @@ -26447,18 +26447,10 @@ index 83db0ea..137bc2c 100644 #define cpu_data(cpu) per_cpu(cpu_info, cpu) #else #define cpu_info boot_cpu_data -@@ -206,9 +206,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, +@@ -206,9 +206,13 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx, : "memory"); } -+/* invpcid (%rdx),%rax */ -+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02" -+ -+#define INVPCID_SINGLE_ADDRESS 0UL -+#define INVPCID_SINGLE_CONTEXT 1UL -+#define INVPCID_ALL_GLOBAL 2UL -+#define INVPCID_ALL_NONGLOBAL 3UL -+ +#define PCID_KERNEL 0UL +#define PCID_USER 1UL +#define PCID_NOFLUSH (1UL << 63) @@ -26470,7 +26462,7 @@ index 83db0ea..137bc2c 100644 } #ifdef CONFIG_X86_32 -@@ -308,11 +320,9 @@ struct tss_struct { +@@ -308,11 +312,9 @@ struct tss_struct { } ____cacheline_aligned; @@ -26483,7 +26475,7 @@ index 83db0ea..137bc2c 100644 /* * Save the original ist values for checking stack pointers during debugging -@@ -341,6 +351,7 @@ DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible; +@@ -341,6 +343,7 @@ DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible; DECLARE_INIT_PER_CPU(irq_stack_union); DECLARE_PER_CPU(char *, irq_stack_ptr); @@ -26491,7 +26483,7 @@ index 83db0ea..137bc2c 100644 DECLARE_PER_CPU(unsigned int, irq_count); extern asmlinkage void ignore_sysret(void); #else /* X86_64 */ -@@ -389,6 +400,7 @@ struct thread_struct { +@@ -389,6 +392,7 @@ struct thread_struct { unsigned short ds; unsigned short fsindex; unsigned short gsindex; @@ -26499,7 +26491,7 @@ index 83db0ea..137bc2c 100644 #endif u32 status; /* thread synchronous flags */ -@@ -405,6 +417,9 @@ struct thread_struct { +@@ -405,6 +409,9 @@ struct thread_struct { unsigned long gs; #endif @@ -26509,7 +26501,7 @@ index 83db0ea..137bc2c 100644 /* Save middle states of ptrace breakpoints */ struct perf_event *ptrace_bps[HBP_NUM]; /* Debug status used for traps, single steps, etc... */ -@@ -426,17 +441,11 @@ struct thread_struct { +@@ -426,17 +433,11 @@ struct thread_struct { unsigned io_bitmap_max; mm_segment_t addr_limit; @@ -26529,7 +26521,7 @@ index 83db0ea..137bc2c 100644 /* * Thread-synchronous status. -@@ -488,12 +497,8 @@ static inline void native_swapgs(void) +@@ -488,12 +489,8 @@ static inline void native_swapgs(void) static inline unsigned long current_top_of_stack(void) { @@ -26542,7 +26534,7 @@ index 83db0ea..137bc2c 100644 } #ifdef CONFIG_PARAVIRT -@@ -718,20 +723,30 @@ static inline void spin_lock_prefetch(const void *x) +@@ -718,20 +715,30 @@ static inline void spin_lock_prefetch(const void *x) #define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \ TOP_OF_KERNEL_STACK_PADDING) @@ -26574,7 +26566,7 @@ index 83db0ea..137bc2c 100644 } /* -@@ -744,12 +759,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -744,12 +751,7 @@ static inline void spin_lock_prefetch(const void *x) * "struct pt_regs" is possible, but they may contain the * completely wrong values. */ @@ -26588,7 +26580,7 @@ index 83db0ea..137bc2c 100644 #define KSTK_ESP(task) (task_pt_regs(task)->sp) -@@ -763,13 +773,13 @@ static inline void spin_lock_prefetch(const void *x) +@@ -763,13 +765,13 @@ static inline void spin_lock_prefetch(const void *x) * particular problem by preventing anything from being mapped * at the maximum canonical address. */ @@ -26604,7 +26596,7 @@ index 83db0ea..137bc2c 100644 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ IA32_PAGE_OFFSET : TASK_SIZE_MAX) -@@ -782,6 +792,7 @@ static inline void spin_lock_prefetch(const void *x) +@@ -782,6 +784,7 @@ static inline void spin_lock_prefetch(const void *x) #define INIT_THREAD { \ .sp0 = TOP_OF_INIT_STACK, \ .addr_limit = KERNEL_DS, \ @@ -26612,7 +26604,7 @@ index 83db0ea..137bc2c 100644 } #define task_pt_regs(tsk) ((struct pt_regs *)(tsk)->thread.sp0 - 1) -@@ -800,6 +811,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, +@@ -800,6 +803,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, */ #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) @@ -26623,7 +26615,7 @@ index 83db0ea..137bc2c 100644 #define KSTK_EIP(task) (task_pt_regs(task)->ip) /* Get/set a process' ability to use the timestamp counter instruction */ -@@ -845,7 +860,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) +@@ -845,7 +852,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves) return 0; } @@ -26632,7 +26624,7 @@ index 83db0ea..137bc2c 100644 extern void free_init_pages(char *what, unsigned long begin, unsigned long end); void default_idle(void); -@@ -855,6 +870,6 @@ bool xen_set_default_idle(void); +@@ -855,6 +862,6 @@ bool xen_set_default_idle(void); #define xen_set_default_idle 0 #endif @@ -27484,7 +27476,7 @@ index ad6f5eb0..1b4909d 100644 #ifdef CONFIG_COMPAT diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h -index 6fa8594..30950f3 100644 +index 6fa8594..c5b8ce1 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -89,7 +89,9 @@ static inline void cr4_set_bits(unsigned long mask) @@ -27515,15 +27507,12 @@ index 6fa8594..30950f3 100644 return this_cpu_read(cpu_tlbstate.cr4); } -@@ -135,6 +140,25 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask) +@@ -135,6 +140,22 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask) static inline void __native_flush_tlb(void) { + if (static_cpu_has(X86_FEATURE_INVPCID)) { -+ u64 descriptor[2]; -+ -+ descriptor[0] = PCID_KERNEL; -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_NONGLOBAL) : "memory"); ++ invpcid_flush_all_nonglobals(); + return; + } + @@ -27541,58 +27530,35 @@ index 6fa8594..30950f3 100644 /* * If current->mm == NULL then we borrow a mm which may change during a * task switch and therefore we must not be preempted while we write CR3 -@@ -147,13 +171,21 @@ static inline void __native_flush_tlb(void) - - static inline void __native_flush_tlb_global_irq_disabled(void) - { -- unsigned long cr4; -+ if (static_cpu_has(X86_FEATURE_INVPCID)) { -+ u64 descriptor[2]; - -- cr4 = this_cpu_read(cpu_tlbstate.cr4); -- /* clear PGE */ -- native_write_cr4(cr4 & ~X86_CR4_PGE); -- /* write old PGE again and flush TLBs */ -- native_write_cr4(cr4); -+ descriptor[0] = PCID_KERNEL; -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory"); -+ } else { -+ unsigned long cr4; -+ -+ cr4 = this_cpu_read(cpu_tlbstate.cr4); -+ BUG_ON(cr4 != __read_cr4()); -+ /* clear PGE */ -+ native_write_cr4(cr4 & ~X86_CR4_PGE); -+ /* write old PGE again and flush TLBs */ -+ native_write_cr4(cr4); -+ } - } +@@ -150,6 +171,7 @@ static inline void __native_flush_tlb_global_irq_disabled(void) + unsigned long cr4; - static inline void __native_flush_tlb_global(void) -@@ -183,6 +215,43 @@ static inline void __native_flush_tlb_global(void) + cr4 = this_cpu_read(cpu_tlbstate.cr4); ++ BUG_ON(cr4 != __read_cr4()); + /* clear PGE */ + native_write_cr4(cr4 & ~X86_CR4_PGE); + /* write old PGE again and flush TLBs */ +@@ -183,6 +205,40 @@ static inline void __native_flush_tlb_global(void) static inline void __native_flush_tlb_single(unsigned long addr) { + if (static_cpu_has(X86_FEATURE_INVPCID)) { -+ u64 descriptor[2]; -+ -+ descriptor[0] = PCID_KERNEL; -+ descriptor[1] = addr; ++ unsigned long pcid = PCID_KERNEL; + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { + if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) { + if (addr < TASK_SIZE_MAX) -+ descriptor[1] += pax_user_shadow_base; -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ invpcid_flush_one(pcid, addr + pax_user_shadow_base); ++ else ++ invpcid_flush_one(pcid, addr); + } + -+ descriptor[0] = PCID_USER; -+ descriptor[1] = addr; ++ pcid = PCID_USER; + } +#endif + -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory"); ++ invpcid_flush_one(pcid, addr); + return; + } + @@ -28723,7 +28689,7 @@ index 4858733..3353d988 100644 #endif initial_code = (unsigned long)wakeup_long64; diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S -index 0c26b1b..dcc0a4f 100644 +index 0c26b1b..dfa105a 100644 --- a/arch/x86/kernel/acpi/wakeup_32.S +++ b/arch/x86/kernel/acpi/wakeup_32.S @@ -2,6 +2,7 @@ @@ -28734,7 +28700,16 @@ index 0c26b1b..dcc0a4f 100644 # Copyright 2003, 2008 Pavel Machek <pavel@suse.cz>, distribute under GPLv2 -@@ -31,13 +32,11 @@ wakeup_pmode_return: +@@ -14,8 +15,6 @@ wakeup_pmode_return: + movw %ax, %ss + movw %ax, %fs + movw %ax, %gs +- +- movw $__USER_DS, %ax + movw %ax, %ds + movw %ax, %es + +@@ -31,13 +30,11 @@ wakeup_pmode_return: # and restore the stack ... but you need gdt for this to work movl saved_context_esp, %esp @@ -28750,7 +28725,7 @@ index 0c26b1b..dcc0a4f 100644 bogus_magic: jmp bogus_magic -@@ -59,7 +58,7 @@ save_registers: +@@ -59,7 +56,7 @@ save_registers: popl saved_context_eflags movl $ret_point, saved_eip @@ -28759,7 +28734,7 @@ index 0c26b1b..dcc0a4f 100644 restore_registers: -@@ -69,13 +68,14 @@ restore_registers: +@@ -69,13 +66,14 @@ restore_registers: movl saved_context_edi, %edi pushl saved_context_eflags popfl @@ -28778,7 +28753,7 @@ index 0c26b1b..dcc0a4f 100644 addl $4, %esp # In case of S3 failure, we'll emerge here. Jump -@@ -83,9 +83,9 @@ ENTRY(do_suspend_lowlevel) +@@ -83,9 +81,9 @@ ENTRY(do_suspend_lowlevel) jmp ret_point .p2align 4,,7 ret_point: @@ -42699,7 +42674,7 @@ index f65a33f..f408a99 100644 } diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index a7655f6..895549a 100644 +index a7655f6..0cab8dd 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -47,7 +47,11 @@ void leave_mm(int cpu) @@ -42714,7 +42689,7 @@ index a7655f6..895549a 100644 /* * This gets called in the idle path where RCU * functions differently. Tracing normally -@@ -61,6 +65,51 @@ EXPORT_SYMBOL_GPL(leave_mm); +@@ -61,6 +65,47 @@ EXPORT_SYMBOL_GPL(leave_mm); #endif /* CONFIG_SMP */ @@ -42741,13 +42716,9 @@ index a7655f6..895549a 100644 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) { + if (static_cpu_has(X86_FEATURE_INVPCID)) { -+ u64 descriptor[2]; -+ descriptor[0] = PCID_USER; -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); -+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) { -+ descriptor[0] = PCID_KERNEL; -+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory"); -+ } ++ invpcid_flush_single_context(PCID_USER); ++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) ++ invpcid_flush_single_context(PCID_KERNEL); + } else { + write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER); + if (static_cpu_has(X86_FEATURE_STRONGUDEREF)) @@ -42766,7 +42737,7 @@ index a7655f6..895549a 100644 void switch_mm(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk) { -@@ -75,6 +124,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -75,6 +120,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk) { unsigned cpu = smp_processor_id(); @@ -42776,7 +42747,7 @@ index a7655f6..895549a 100644 if (likely(prev != next)) { if (IS_ENABLED(CONFIG_VMAP_STACK)) { -@@ -89,9 +141,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -89,9 +137,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, if (unlikely(pgd_none(*pgd))) set_pgd(pgd, init_mm.pgd[stack_pgd_index]); @@ -42791,7 +42762,7 @@ index a7655f6..895549a 100644 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); this_cpu_write(cpu_tlbstate.active_mm, next); #endif -@@ -111,7 +168,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -111,7 +164,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, * We need to prevent an outcome in which CPU 1 observes * the new PTE value and CPU 0 observes bit 1 clear in * mm_cpumask. (If that occurs, then the IPI will never @@ -42800,7 +42771,7 @@ index a7655f6..895549a 100644 * * The bad outcome can occur if either CPU's load is * reordered before that CPU's store, so both CPUs must -@@ -126,7 +183,11 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -126,7 +179,11 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, * ordering guarantee we need. * */ @@ -42812,7 +42783,7 @@ index a7655f6..895549a 100644 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); -@@ -152,9 +213,31 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -152,9 +209,31 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, if (unlikely(prev->context.ldt != next->context.ldt)) load_mm_ldt(next); #endif @@ -42845,7 +42816,7 @@ index a7655f6..895549a 100644 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); -@@ -175,13 +258,30 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, +@@ -175,13 +254,30 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, * As above, load_cr3() is serializing and orders TLB * fills with respect to the mm_cpumask write. */ @@ -45142,10 +45113,18 @@ index eff224d..ab792d2 100644 + pax_ret check_events ENDPROC(check_events) diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S -index feb6d40..c8fd8e7 100644 +index feb6d40..4292c19 100644 --- a/arch/x86/xen/xen-asm_32.S +++ b/arch/x86/xen/xen-asm_32.S -@@ -28,7 +28,7 @@ check_events: +@@ -15,6 +15,7 @@ + #include <asm/processor-flags.h> + #include <asm/segment.h> + #include <asm/asm.h> ++#include <asm/alternative-asm.h> + + #include <xen/interface/xen.h> + +@@ -28,7 +29,7 @@ check_events: push %eax push %ecx push %edx @@ -45154,7 +45133,7 @@ index feb6d40..c8fd8e7 100644 pop %edx pop %ecx pop %eax -@@ -85,7 +85,7 @@ ENTRY(xen_iret) +@@ -85,7 +86,7 @@ ENTRY(xen_iret) pushw %fs movl $(__KERNEL_PERCPU), %eax movl %eax, %fs @@ -45204,7 +45183,7 @@ index 7f8d8ab..3032b77 100644 #endif /* CONFIG_XEN_PVH */ diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h -index 3cbce3b..f1221bc 100644 +index 3cbce3b..c58120b 100644 --- a/arch/x86/xen/xen-ops.h +++ b/arch/x86/xen/xen-ops.h @@ -16,8 +16,6 @@ void xen_syscall_target(void); @@ -45216,6 +45195,19 @@ index 3cbce3b..f1221bc 100644 struct trap_info; void xen_copy_trap_info(struct trap_info *traps); +@@ -133,9 +131,9 @@ static inline void __init xen_efi_init(void) + extern char name##_end[] __visible; \ + extern char name##_reloc[] __visible + +-DECL_ASM(void, xen_irq_enable_direct, void); +-DECL_ASM(void, xen_irq_disable_direct, void); +-DECL_ASM(unsigned long, xen_save_fl_direct, void); ++DECL_ASM(asmlinkage void, xen_irq_enable_direct, void); ++DECL_ASM(asmlinkage void, xen_irq_disable_direct, void); ++DECL_ASM(asmlinkage unsigned long, xen_save_fl_direct, void); + DECL_ASM(void, xen_restore_fl_direct, unsigned long); + + /* These are not functions, and cannot be called normally */ diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h index 525bd3d..ef888b1 100644 --- a/arch/xtensa/variants/dc232b/include/variant/core.h @@ -60577,7 +60569,7 @@ index ca4abe1..0b029ef 100644 } diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h -index 6b420a5..d5acb8f 100644 +index c3ea03c..7412315 100644 --- a/drivers/md/bcache/bcache.h +++ b/drivers/md/bcache/bcache.h @@ -433,12 +433,12 @@ struct cache { @@ -60599,7 +60591,7 @@ index 6b420a5..d5acb8f 100644 struct gc_stat { diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c -index 81d3db4..46e8b68 100644 +index 2efdce0..e30d873 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -336,15 +336,17 @@ static void btree_complete_write(struct btree *b, struct btree_write *w) @@ -60863,7 +60855,7 @@ index 5c4bdde..99659fe 100644 struct bio *bio = &io->bio.bio; diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c -index 40ffe5e..6757bd6 100644 +index a37c177..a4dfbfc 100644 --- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c @@ -24,7 +24,7 @@ @@ -60917,7 +60909,7 @@ index 40ffe5e..6757bd6 100644 struct data_insert_op *op = container_of(cl, struct data_insert_op, cl); struct bio *bio = op->bio, *n; -@@ -313,8 +316,9 @@ static void bch_data_insert_start(struct closure *cl) +@@ -311,8 +314,9 @@ static void bch_data_insert_start(struct closure *cl) * If s->bypass is true, instead of inserting the data it invalidates the * region of the cache represented by s->cache_bio and op->inode. */ @@ -60928,7 +60920,7 @@ index 40ffe5e..6757bd6 100644 struct data_insert_op *op = container_of(cl, struct data_insert_op, cl); trace_bcache_write(op->c, op->inode, op->bio, -@@ -322,7 +326,7 @@ void bch_data_insert(struct closure *cl) +@@ -320,7 +324,7 @@ void bch_data_insert(struct closure *cl) bch_keylist_init(&op->insert_keys); bio_get(op->bio); @@ -60937,7 +60929,7 @@ index 40ffe5e..6757bd6 100644 } /* Congested? */ -@@ -570,8 +574,9 @@ static int cache_lookup_fn(struct btree_op *op, struct btree *b, struct bkey *k) +@@ -568,8 +572,9 @@ static int cache_lookup_fn(struct btree_op *op, struct btree *b, struct bkey *k) return n == bio ? MAP_DONE : MAP_CONTINUE; } @@ -60948,7 +60940,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, iop.cl); struct bio *bio = &s->bio.bio; int ret; -@@ -631,8 +636,9 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio) +@@ -629,8 +634,9 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio) bio_cnt_set(bio, 3); } @@ -60959,7 +60951,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); bio_complete(s); -@@ -676,19 +682,21 @@ static inline struct search *search_alloc(struct bio *bio, +@@ -674,19 +680,21 @@ static inline struct search *search_alloc(struct bio *bio, /* Cached devices */ @@ -60984,7 +60976,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); if (s->iop.replace_collision) -@@ -697,11 +705,12 @@ static void cached_dev_cache_miss_done(struct closure *cl) +@@ -695,11 +703,12 @@ static void cached_dev_cache_miss_done(struct closure *cl) if (s->iop.bio) bio_free_pages(s->iop.bio); @@ -60999,7 +60991,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); struct bio *bio = &s->bio.bio; -@@ -720,8 +729,9 @@ static void cached_dev_read_error(struct closure *cl) +@@ -718,8 +727,9 @@ static void cached_dev_read_error(struct closure *cl) continue_at(cl, cached_dev_cache_miss_done, NULL); } @@ -61010,7 +61002,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); -@@ -760,8 +770,9 @@ static void cached_dev_read_done(struct closure *cl) +@@ -758,8 +768,9 @@ static void cached_dev_read_done(struct closure *cl) continue_at(cl, cached_dev_cache_miss_done, NULL); } @@ -61021,7 +61013,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); -@@ -859,13 +870,14 @@ static void cached_dev_read(struct cached_dev *dc, struct search *s) +@@ -857,13 +868,14 @@ static void cached_dev_read(struct cached_dev *dc, struct search *s) /* Process writes */ @@ -61038,7 +61030,7 @@ index 40ffe5e..6757bd6 100644 } static void cached_dev_write(struct cached_dev *dc, struct search *s) -@@ -937,8 +949,9 @@ static void cached_dev_write(struct cached_dev *dc, struct search *s) +@@ -935,8 +947,9 @@ static void cached_dev_write(struct cached_dev *dc, struct search *s) continue_at(cl, cached_dev_write_complete, NULL); } @@ -61049,7 +61041,7 @@ index 40ffe5e..6757bd6 100644 struct search *s = container_of(cl, struct search, cl); struct bio *bio = &s->bio.bio; -@@ -1058,8 +1071,9 @@ static int flash_dev_cache_miss(struct btree *b, struct search *s, +@@ -1056,8 +1069,9 @@ static int flash_dev_cache_miss(struct btree *b, struct search *s, return MAP_CONTINUE; } @@ -61187,7 +61179,7 @@ index adbff14..018c2d2 100644 struct cache_stat_collector collector; diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c -index 849ad44..a9e695e 100644 +index 66669c8..3296d7e 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -240,8 +240,9 @@ static void __write_super(struct cache_sb *sb, struct bio *bio) @@ -79806,10 +79798,10 @@ index cf04a36..54dd630 100644 !(SDEBUG_OPT_NO_CDB_NOISE & sdebug_opts))) { char b[120]; diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 2cca9cf..cbe4c6d 100644 +index e64eae4..465011a 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c -@@ -1513,7 +1513,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) +@@ -1514,7 +1514,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) shost = sdev->host; scsi_init_cmd_errh(cmd); cmd->result = DID_NO_CONNECT << 16; @@ -79818,7 +79810,7 @@ index 2cca9cf..cbe4c6d 100644 /* * SCSI request completion path will do scsi_device_unbusy(), -@@ -1536,9 +1536,9 @@ static void scsi_softirq_done(struct request *rq) +@@ -1537,9 +1537,9 @@ static void scsi_softirq_done(struct request *rq) INIT_LIST_HEAD(&cmd->eh_entry); @@ -79830,7 +79822,7 @@ index 2cca9cf..cbe4c6d 100644 disposition = scsi_decide_disposition(cmd); if (disposition != SUCCESS && -@@ -1579,7 +1579,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) +@@ -1580,7 +1580,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) struct Scsi_Host *host = cmd->device->host; int rtn = 0; @@ -80008,7 +80000,7 @@ index 51e5629..caef5f7 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index dbe5b4b..1242bc3 100644 +index 121de0a..f2ba1bb 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -123707,7 +123699,7 @@ index 368bfb9..5b43f37 100644 { const struct seq_operations *op = ((struct seq_file *)file->private_data)->op; diff --git a/fs/splice.c b/fs/splice.c -index 63b8f54..8292069 100644 +index 8dd79ec..0a56b1a 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -188,7 +188,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, @@ -123719,7 +123711,7 @@ index 63b8f54..8292069 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; goto out; -@@ -227,7 +227,7 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf) +@@ -228,7 +228,7 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf) { int ret; @@ -123728,7 +123720,7 @@ index 63b8f54..8292069 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; } else if (pipe->nrbufs == pipe->buffers) { -@@ -359,7 +359,7 @@ static ssize_t kernel_readv(struct file *file, const struct kvec *vec, +@@ -360,7 +360,7 @@ static ssize_t kernel_readv(struct file *file, const struct kvec *vec, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -123737,7 +123729,7 @@ index 63b8f54..8292069 100644 set_fs(old_fs); return res; -@@ -374,7 +374,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count, +@@ -375,7 +375,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -123746,7 +123738,7 @@ index 63b8f54..8292069 100644 set_fs(old_fs); return res; -@@ -533,7 +533,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des +@@ -534,7 +534,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des pipe_buf_release(pipe, buf); pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1); pipe->nrbufs--; @@ -123755,7 +123747,7 @@ index 63b8f54..8292069 100644 sd->need_wakeup = true; } -@@ -564,10 +564,10 @@ static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_des +@@ -565,10 +565,10 @@ static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_des return -ERESTARTSYS; while (!pipe->nrbufs) { @@ -123768,7 +123760,7 @@ index 63b8f54..8292069 100644 return 0; if (sd->flags & SPLICE_F_NONBLOCK) -@@ -781,7 +781,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, +@@ -782,7 +782,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, pipe_buf_release(pipe, buf); pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1); pipe->nrbufs--; @@ -123777,7 +123769,7 @@ index 63b8f54..8292069 100644 sd.need_wakeup = true; } else { buf->offset += ret; -@@ -944,7 +944,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, +@@ -945,7 +945,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, * out of the pipe right after the splice_to_pipe(). So set * PIPE_READERS appropriately. */ @@ -123786,7 +123778,7 @@ index 63b8f54..8292069 100644 current->splice_pipe = pipe; } -@@ -1087,7 +1087,7 @@ EXPORT_SYMBOL(do_splice_direct); +@@ -1088,7 +1088,7 @@ EXPORT_SYMBOL(do_splice_direct); static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags) { for (;;) { @@ -123795,7 +123787,7 @@ index 63b8f54..8292069 100644 send_sig(SIGPIPE, current, 0); return -EPIPE; } -@@ -1097,9 +1097,9 @@ static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags) +@@ -1098,9 +1098,9 @@ static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags) return -EAGAIN; if (signal_pending(current)) return -ERESTARTSYS; @@ -123807,7 +123799,7 @@ index 63b8f54..8292069 100644 } } -@@ -1446,9 +1446,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1447,9 +1447,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -123819,7 +123811,7 @@ index 63b8f54..8292069 100644 if (flags & SPLICE_F_NONBLOCK) { ret = -EAGAIN; break; -@@ -1480,7 +1480,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1481,7 +1481,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) pipe_lock(pipe); while (pipe->nrbufs >= pipe->buffers) { @@ -123828,7 +123820,7 @@ index 63b8f54..8292069 100644 send_sig(SIGPIPE, current, 0); ret = -EPIPE; break; -@@ -1493,9 +1493,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) +@@ -1494,9 +1494,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) ret = -ERESTARTSYS; break; } @@ -123840,7 +123832,7 @@ index 63b8f54..8292069 100644 } pipe_unlock(pipe); -@@ -1531,14 +1531,14 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe, +@@ -1532,14 +1532,14 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe, pipe_double_lock(ipipe, opipe); do { @@ -123857,7 +123849,7 @@ index 63b8f54..8292069 100644 break; /* -@@ -1635,7 +1635,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1636,7 +1636,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, pipe_double_lock(ipipe, opipe); do { @@ -123866,7 +123858,7 @@ index 63b8f54..8292069 100644 send_sig(SIGPIPE, current, 0); if (!ret) ret = -EPIPE; -@@ -1680,7 +1680,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, +@@ -1681,7 +1681,7 @@ static int link_pipe(struct pipe_inode_info *ipipe, * return EAGAIN if we have the potential of some data in the * future, otherwise just return 0 */ @@ -140150,7 +140142,7 @@ index 063962f..d34f2da 100644 static inline struct hugetlb_cgroup *hugetlb_cgroup_from_page(struct page *page) { diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h -index 1c7b89a..7dda400 100644 +index 1c7b89a..7dda4003 100644 --- a/include/linux/hwmon-sysfs.h +++ b/include/linux/hwmon-sysfs.h @@ -25,7 +25,8 @@ @@ -149727,7 +149719,7 @@ index ba8a015..37d2e1d 100644 int threads = max_threads; int min = MIN_THREADS; diff --git a/kernel/futex.c b/kernel/futex.c -index 2c4be46..46c5c89 100644 +index 38b68c2..1940ab9 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -210,7 +210,7 @@ struct futex_pi_state { @@ -151741,7 +151733,7 @@ index 4f0f060..d6c1a7d 100644 /** diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c -index f7a55e9..85fe3ba 100644 +index 9c5b231..aaa4a5c 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -588,7 +588,7 @@ static int log_store(int facility, int level, @@ -164833,6 +164825,20 @@ index 0df2aa6..7db59f7 100644 .init = sysctl_core_net_init, .exit = sysctl_core_net_exit, }; +diff --git a/net/dccp/input.c b/net/dccp/input.c +index ba34718..8fedc2d 100644 +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index 13d6b1a..eaa0cee 100644 --- a/net/decnet/af_decnet.c @@ -209399,10 +209405,10 @@ index 0000000..1181e93 +size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data new file mode 100644 -index 0000000..75e575c +index 0000000..103f4c7 --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data -@@ -0,0 +1,5032 @@ +@@ -0,0 +1,5033 @@ +logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL +response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL +kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL @@ -213550,6 +213556,7 @@ index 0000000..75e575c +__hwahc_op_set_ptk_fndecl_54157_fns __hwahc_op_set_ptk fndecl 5 54157 NULL +b43_nphy_load_samples_fndecl_54162_fns b43_nphy_load_samples fndecl 3 54162 NULL +cpu_type_read_fndecl_54191_fns cpu_type_read fndecl 3 54191 NULL ++smsusb_sendrequest_fndecl_54196_fns smsusb_sendrequest fndecl 3 54196 NULL +p_filesz_elf32_phdr_54204_fns p_filesz elf32_phdr 0 54204 NULL +numeraseregions_mtd_info_54223_fns numeraseregions mtd_info 0 54223 NULL +__kfifo_to_user_fndecl_54232_fns __kfifo_to_user fndecl 3 54232 NULL @@ -225693,7 +225700,7 @@ index 0a578fe..b81f62d 100644 }) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 7f9ee29..71d4ab0 100644 +index 7f9ee29..39268bd 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -93,12 +93,17 @@ LIST_HEAD(vm_list); @@ -225763,7 +225770,21 @@ index 7f9ee29..71d4ab0 100644 .release = kvm_vm_release, .unlocked_ioctl = kvm_vm_ioctl, #ifdef CONFIG_KVM_COMPAT -@@ -3231,7 +3244,7 @@ static long kvm_dev_ioctl(struct file *filp, +@@ -3181,11 +3194,13 @@ static int kvm_dev_ioctl_create_vm(unsigned long type) + return PTR_ERR(file); + } + ++#ifndef CONFIG_GRKERNSEC_SYSFS_RESTRICT + if (kvm_create_vm_debugfs(kvm, r) < 0) { + put_unused_fd(r); + fput(file); + return -ENOMEM; + } ++#endif + + fd_install(r, file); + return r; +@@ -3231,7 +3246,7 @@ static long kvm_dev_ioctl(struct file *filp, return r; } @@ -225772,7 +225793,7 @@ index 7f9ee29..71d4ab0 100644 .unlocked_ioctl = kvm_dev_ioctl, .compat_ioctl = kvm_dev_ioctl, .llseek = noop_llseek, -@@ -3257,7 +3270,7 @@ static void hardware_enable_nolock(void *junk) +@@ -3257,7 +3272,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -225781,7 +225802,7 @@ index 7f9ee29..71d4ab0 100644 pr_info("kvm: enabling virtualization on CPU%d failed\n", cpu); } } -@@ -3314,10 +3327,10 @@ static int hardware_enable_all(void) +@@ -3314,10 +3329,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -225794,7 +225815,7 @@ index 7f9ee29..71d4ab0 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -3877,8 +3890,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3877,8 +3892,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, /* A kmem cache lets us meet the alignment requirements of fx_save. */ if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); @@ -225806,7 +225827,7 @@ index 7f9ee29..71d4ab0 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -3888,9 +3902,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3888,9 +3904,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; @@ -225818,7 +225839,7 @@ index 7f9ee29..71d4ab0 100644 r = misc_register(&kvm_dev); if (r) { -@@ -3900,9 +3916,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -3900,9 +3918,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, register_syscore_ops(&kvm_syscore_ops); diff --git a/4.9.11/4425_grsec_remove_EI_PAX.patch b/4.9.12/4425_grsec_remove_EI_PAX.patch index 594598a..594598a 100644 --- a/4.9.11/4425_grsec_remove_EI_PAX.patch +++ b/4.9.12/4425_grsec_remove_EI_PAX.patch diff --git a/4.9.11/4426_default_XATTR_PAX_FLAGS.patch b/4.9.12/4426_default_XATTR_PAX_FLAGS.patch index f7e97b5..f7e97b5 100644 --- a/4.9.11/4426_default_XATTR_PAX_FLAGS.patch +++ b/4.9.12/4426_default_XATTR_PAX_FLAGS.patch diff --git a/4.9.11/4427_force_XATTR_PAX_tmpfs.patch b/4.9.12/4427_force_XATTR_PAX_tmpfs.patch index 3871139..3871139 100644 --- a/4.9.11/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.9.12/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.9.11/4430_grsec-remove-localversion-grsec.patch b/4.9.12/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.9.11/4430_grsec-remove-localversion-grsec.patch +++ b/4.9.12/4430_grsec-remove-localversion-grsec.patch diff --git a/4.9.11/4435_grsec-mute-warnings.patch b/4.9.12/4435_grsec-mute-warnings.patch index 8929222..8929222 100644 --- a/4.9.11/4435_grsec-mute-warnings.patch +++ b/4.9.12/4435_grsec-mute-warnings.patch diff --git a/4.9.11/4440_grsec-remove-protected-paths.patch b/4.9.12/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.9.11/4440_grsec-remove-protected-paths.patch +++ b/4.9.12/4440_grsec-remove-protected-paths.patch diff --git a/4.9.11/4450_grsec-kconfig-default-gids.patch b/4.9.12/4450_grsec-kconfig-default-gids.patch index cee6e27..cee6e27 100644 --- a/4.9.11/4450_grsec-kconfig-default-gids.patch +++ b/4.9.12/4450_grsec-kconfig-default-gids.patch diff --git a/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch b/4.9.12/4465_selinux-avc_audit-log-curr_ip.patch index 06a5294..06a5294 100644 --- a/4.9.11/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.9.12/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.9.11/4470_disable-compat_vdso.patch b/4.9.12/4470_disable-compat_vdso.patch index a1401d8..a1401d8 100644 --- a/4.9.11/4470_disable-compat_vdso.patch +++ b/4.9.12/4470_disable-compat_vdso.patch diff --git a/4.9.11/4475_emutramp_default_on.patch b/4.9.12/4475_emutramp_default_on.patch index feb8c7b..feb8c7b 100644 --- a/4.9.11/4475_emutramp_default_on.patch +++ b/4.9.12/4475_emutramp_default_on.patch |