From: Bhaskar Chowdhury <unixbhaskar@gmail.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
torvalds@linux-foundation.org, Jiri Slaby <jslaby@suse.cz>,
stable@vger.kernel.org, lwn@lwn.net
Subject: Re: Linux 3.16.72
Date: Tue, 13 Aug 2019 20:19:49 +0530
Message-ID: <20190813144944.GA5049@Gentoo>
In-Reply-To: <41c24fa324ac0b4ea1077a79458bb488c86f6d49.camel@decadent.org.uk>
Thanks a bunch, Ben :)
On 14:35 Tue 13 Aug 2019, Ben Hutchings wrote:
>I'm announcing the release of the 3.16.72 kernel.
>
>All users of the 3.16 kernel series should upgrade.
>
>The updated 3.16.y git tree can be found at:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.16.y
>and can be browsed at the normal kernel.org git web browser:
> https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git
>
>The diff from 3.16.71 is attached to this message.
>
>Ben.
>
>------------
>
> Documentation/kernel-parameters.txt | 5 +
> Documentation/siphash.txt | 100 ++++++++++
> Documentation/usb/power-management.txt | 14 +-
> Documentation/virtual/kvm/api.txt | 16 +-
> MAINTAINERS | 7 +
> Makefile | 2 +-
> arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 +
> arch/arm/mach-imx/cpuidle-imx6q.c | 27 +--
> arch/mips/kernel/scall64-o32.S | 2 +-
> arch/powerpc/include/asm/vdso_datapage.h | 8 +-
> arch/powerpc/kernel/signal_32.c | 3 +
> arch/powerpc/kernel/signal_64.c | 5 +
> arch/powerpc/kernel/vdso32/gettimeofday.S | 2 +-
> arch/powerpc/kernel/vdso64/gettimeofday.S | 2 +-
> arch/x86/include/asm/calling.h | 18 ++
> arch/x86/include/asm/cpufeatures.h | 41 ++--
> arch/x86/include/asm/kvm_host.h | 13 +-
> arch/x86/include/asm/xen/hypercall.h | 3 +
> arch/x86/kernel/cpu/bugs.c | 105 +++++++++-
> arch/x86/kernel/cpu/common.c | 42 ++--
> arch/x86/kernel/entry_64.S | 73 +++++--
> arch/x86/kernel/kprobes/core.c | 48 ++++-
> arch/x86/kernel/process.c | 8 +-
> arch/x86/kvm/cpuid.c | 5 +
> arch/x86/kvm/mmu.c | 13 +-
> arch/x86/kvm/mmu.h | 2 +-
> arch/x86/kvm/vmx.c | 15 --
> arch/x86/kvm/x86.c | 18 +-
> arch/xtensa/kernel/stacktrace.c | 6 +-
> block/bio.c | 5 +-
> drivers/acpi/acpica/nsobject.c | 4 +
> drivers/block/floppy.c | 32 +++-
> drivers/block/xsysace.c | 2 +
> drivers/bluetooth/hci_ath.c | 3 +
> drivers/bluetooth/hci_ldisc.c | 9 +
> drivers/bluetooth/hci_uart.h | 1 +
> drivers/gpio/gpio-adnp.c | 6 +-
> drivers/iio/adc/ad_sigma_delta.c | 1 +
> drivers/iio/adc/at91_adc.c | 28 +--
> drivers/iio/dac/mcp4725.c | 1 +
> drivers/iio/industrialio-buffer.c | 6 +-
> drivers/iio/industrialio-core.c | 4 +-
> drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +-
> drivers/input/tablet/gtco.c | 20 +-
> drivers/iommu/amd_iommu_init.c | 2 +-
> drivers/iommu/intel-iommu.c | 3 +
> drivers/md/dm-table.c | 39 ++++
> drivers/md/dm.c | 31 ++-
> drivers/media/usb/tlg2300/pd-common.h | 2 +-
> drivers/mtd/chips/cfi_cmdset_0002.c | 6 +-
> drivers/net/ethernet/3com/3c515.c | 2 +-
> drivers/net/ethernet/8390/mac8390.c | 37 ++--
> drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 +
> drivers/net/macvtap.c | 3 -
> drivers/net/phy/phy_device.c | 5 +-
> drivers/net/ppp/pptp.c | 2 +-
> drivers/net/slip/slhc.c | 2 +-
> drivers/net/team/team.c | 6 +
> drivers/net/tun.c | 6 +-
> drivers/net/wireless/rt2x00/rt2x00.h | 1 -
> drivers/net/wireless/rt2x00/rt2x00mac.c | 10 -
> drivers/net/wireless/rt2x00/rt2x00queue.c | 15 +-
> drivers/pci/quirks.c | 2 +
> drivers/s390/scsi/zfcp_erp.c | 17 ++
> drivers/s390/scsi/zfcp_ext.h | 2 +
> drivers/s390/scsi/zfcp_scsi.c | 4 +
> drivers/scsi/libsas/sas_expander.c | 9 +-
> drivers/staging/comedi/drivers/vmk80xx.c | 8 +-
> drivers/staging/iio/meter/ade7854.c | 2 +-
> drivers/staging/rtl8712/rtl8712_cmd.c | 10 +-
> drivers/staging/rtl8712/rtl8712_cmd.h | 2 +-
> drivers/staging/speakup/speakup_soft.c | 12 +-
> drivers/staging/speakup/spk_priv.h | 1 +
> drivers/staging/speakup/synth.c | 6 +
> drivers/staging/usbip/stub_rx.c | 12 +-
> drivers/staging/usbip/usbip_common.h | 7 +
> drivers/tty/serial/atmel_serial.c | 4 +
> drivers/tty/serial/max310x.c | 2 +
> drivers/tty/serial/mxs-auart.c | 4 +
> drivers/tty/serial/sh-sci.c | 12 +-
> drivers/usb/core/driver.c | 13 --
> drivers/usb/core/message.c | 4 +-
> drivers/usb/host/xhci-hub.c | 19 +-
> drivers/usb/host/xhci.h | 8 +
> drivers/usb/misc/yurex.c | 1 +
> drivers/usb/serial/cp210x.c | 1 +
> drivers/usb/serial/ftdi_sio.c | 2 +
> drivers/usb/serial/ftdi_sio_ids.h | 4 +-
> drivers/usb/serial/mos7720.c | 4 +-
> drivers/usb/storage/realtek_cr.c | 13 +-
> drivers/vhost/net.c | 31 +--
> drivers/vhost/scsi.c | 15 +-
> drivers/vhost/vhost.c | 20 +-
> drivers/vhost/vhost.h | 6 +-
> drivers/w1/masters/ds2490.c | 6 +-
> drivers/xen/balloon.c | 16 +-
> fs/afs/fsclient.c | 6 +-
> fs/btrfs/compression.c | 18 ++
> fs/btrfs/compression.h | 1 +
> fs/btrfs/props.c | 5 +-
> fs/ceph/dir.c | 6 +-
> fs/cifs/cifsglob.h | 2 +
> fs/cifs/file.c | 30 ++-
> fs/cifs/inode.c | 4 +
> fs/cifs/misc.c | 25 ++-
> fs/cifs/smb2misc.c | 6 +-
> fs/cifs/smb2ops.c | 2 +
> fs/ext4/file.c | 2 +-
> fs/ext4/resize.c | 11 +-
> fs/lockd/host.c | 3 +-
> fs/proc/meminfo.c | 34 +---
> fs/proc/proc_sysctl.c | 7 +-
> fs/udf/truncate.c | 3 +
> fs/ufs/util.h | 2 +-
> include/linux/kprobes.h | 1 +
> include/linux/lockdep.h | 15 ++
> include/linux/mm.h | 1 +
> include/linux/siphash.h | 90 +++++++++
> include/linux/string.h | 3 +
> include/linux/usb.h | 2 -
> include/net/ip.h | 12 +-
> include/net/ipv6.h | 4 +-
> include/net/netfilter/nf_conntrack.h | 2 +
> include/net/netns/ipv4.h | 2 +
> include/net/sctp/checksum.h | 2 +-
> kernel/events/core.c | 2 +
> kernel/futex.c | 4 +
> kernel/sched/fair.c | 35 +++-
> kernel/trace/ftrace.c | 5 +-
> kernel/trace/ring_buffer.c | 2 +-
> lib/Kconfig.debug | 10 +
> lib/Makefile | 3 +-
> lib/siphash.c | 232 +++++++++++++++++++++++
> lib/string.c | 20 ++
> lib/test_siphash.c | 131 +++++++++++++
> mm/page_alloc.c | 43 +++++
> mm/vmstat.c | 5 -
> net/batman-adv/bridge_loop_avoidance.c | 16 +-
> net/batman-adv/translation-table.c | 32 +++-
> net/bridge/br_multicast.c | 4 +-
> net/bridge/br_netfilter.c | 3 +
> net/bridge/netfilter/ebtables.c | 3 +-
> net/core/net-sysfs.c | 6 +-
> net/dccp/feat.c | 7 +-
> net/dccp/ipv6.c | 4 +-
> net/ipv4/igmp.c | 4 +-
> net/ipv4/ip_output.c | 7 +-
> net/ipv4/ip_tunnel_core.c | 3 +-
> net/ipv4/ipmr.c | 7 +-
> net/ipv4/raw.c | 2 +-
> net/ipv4/route.c | 16 +-
> net/ipv4/xfrm4_mode_tunnel.c | 2 +-
> net/ipv4/xfrm4_policy.c | 60 ++++--
> net/ipv6/ip6_flowlabel.c | 24 ++-
> net/ipv6/ip6_output.c | 23 +--
> net/ipv6/ip6mr.c | 11 +-
> net/ipv6/output_core.c | 53 +++++-
> net/ipv6/tcp_ipv6.c | 8 +-
> net/ipv6/udp_offload.c | 6 +
> net/ipv6/xfrm6_tunnel.c | 4 +
> net/l2tp/l2tp_core.c | 10 +-
> net/mac80211/debugfs_netdev.c | 2 +-
> net/netfilter/ipvs/ip_vs_xmit.c | 5 +-
> net/netfilter/nf_conntrack_core.c | 36 ++++
> net/netfilter/nf_conntrack_netlink.c | 34 +++-
> net/packet/af_packet.c | 37 ++--
> net/rose/rose_loopback.c | 34 ++--
> net/sunrpc/cache.c | 3 +
> net/tipc/sysctl.c | 4 +-
> net/xfrm/xfrm_user.c | 2 +-
> security/device_cgroup.c | 2 +-
> sound/core/init.c | 18 +-
> sound/core/oss/pcm_oss.c | 43 +++--
> sound/core/pcm_native.c | 9 +-
> sound/core/rawmidi.c | 2 +
> sound/core/seq/oss/seq_oss_synth.c | 7 +-
> sound/core/seq/seq_clientmgr.c | 6 +-
> tools/lib/traceevent/event-parse.c | 2 +-
> tools/perf/tests/evsel-tp-sched.c | 1 +
> virt/kvm/kvm_main.c | 3 +
> 180 files changed, 1973 insertions(+), 565 deletions(-)
>
>Aditya Pakki (1):
> serial: max310x: Fix to avoid potential NULL pointer dereference
>
>Al Viro (1):
> ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
>
>Alan Stern (4):
> USB: core: Fix unterminated string returned by usb_string()
> USB: core: Fix bug caused by duplicate interface PM usage counter
> USB: yurex: Fix protection fault after device removal
> USB: w1 ds2490: Fix bug caused by improper use of altsetting array
>
>Anand Jain (1):
> btrfs: prop: fix vanished compression property after failed set
>
>Andre Przywara (1):
> PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
>
>Andy Lutomirski (2):
> x86/asm/entry/64: Disentangle error_entry/exit gsbase/ebx/usermode code
> x86/entry/64: Really create an error-entry-from-usermode code path
>
>Arnd Bergmann (1):
> 3c515: fix integer overflow warning
>
>Aurelien Aptel (1):
> CIFS: keep FileInfo handle live during oplock break
>
>Aurelien Jarno (1):
> MIPS: scall64-o32: Fix indirect syscall number load
>
>Axel Lin (1):
> gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
>
>Ben Gardon (1):
> kvm: mmu: Fix overflow on kvm mmu page limit calculation
>
>Ben Hutchings (3):
> x86: cpufeatures: Renumber feature word 7
> Revert "inet: update the IP ID generation algorithm to higher standards."
> Linux 3.16.72
>
>Changbin Du (1):
> perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
>
>Chen Jie (1):
> futex: Ensure that futex address is aligned in handle_futex_death()
>
>Christophe Leroy (1):
> powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64
>
>Colin Ian King (1):
> vxge: fix return of a free'd memblock on a failed dma mapping
>
>Dan Carpenter (2):
> staging: rtl8712: uninitialized memory in read_bbreg_hdl()
> xen: Prevent buffer overflow in privcmd ioctl
>
>David Howells (1):
> afs: Fix StoreData op marshalling
>
>Denis Efremov (4):
> floppy: fix div-by-zero in setup_format_params
> floppy: fix out-of-bounds read in next_valid_format
> floppy: fix invalid pointer dereference in drive_name
> floppy: fix out-of-bounds read in copy_buffer
>
>Dragos Bogdan (1):
> iio: ad_sigma_delta: select channel when reading register
>
>Eric Dumazet (7):
> tcp: do not use ipv6 header for ipv4 flow
> dccp: do not use ipv6 header for ipv4 flow
> net/rose: fix unbound loop in rose_loopback_timer()
> l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv()
> ipv6/flowlabel: wait rcu grace period before put_pid()
> l2ip: fix possible use-after-free
> inet: switch IP ID generator to siphash
>
>Erik Schmauss (1):
> ACPICA: Namespace: remove address node from global list after method termination
>
>Fabrice Gasnier (1):
> iio: core: fix a possible circular locking dependency
>
>Finn Thain (1):
> mac8390: Fix mmio access size probe
>
>Florian Westphal (2):
> netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
> netfilter: ctnetlink: don't use conntrack/expect object addresses as id
>
>Frank Sorenson (1):
> cifs: do not attempt cifs operation on smb2+ rename error
>
>Frederic Weisbecker (1):
> locking/lockdep: Add IRQs disabled/enabled assertion APIs: lockdep_assert_irqs_enabled()/disabled()
>
>Geert Uytterhoeven (1):
> net: mac8390: Use standard memcpy_{from,to}io()
>
>Georg Ottinger (1):
> iio: adc: at91: disable adc channel interrupt in timeout case
>
>George McCollister (1):
> USB: serial: ftdi_sio: add additional NovaTech products
>
>Grant Hernandez (1):
> Input: gtco - bounds check collection indent level
>
>Greg Kroah-Hartman (1):
> USB: serial: cp210x: add new device id
>
>Guenter Roeck (1):
> xsysace: Fix error handling in ace_setup
>
>Gustavo A. R. Silva (2):
> ALSA: rawmidi: Fix potential Spectre v1 vulnerability
> ALSA: seq: oss: Fix Spectre v1 vulnerability
>
>Hangbin Liu (1):
> team: fix possible recursive locking when add slaves
>
>Hannes Frederic Sowa (3):
> ipv4: hash net ptr into fragmentation bucket selection
> ipv4: ip_tunnel: use net namespace from rtable not socket
> ipv6: hash net ptr into fragmentation bucket selection
>
>Heiner Kallweit (1):
> net: phy: don't clear BMCR in genphy_soft_reset
>
>Hoan Nguyen An (1):
> serial: sh-sci: Fix setting SCSCR_TIE while transferring data
>
>Ian Abbott (2):
> staging: comedi: vmk80xx: Fix use of uninitialized semaphore
> staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf
>
>Igor Redko (1):
> mm/page_alloc.c: calculate 'available' memory in a separate function
>
>Ilya Dryomov (1):
> dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors
>
>Jack Morgenstein (1):
> IB/mlx4: Fix race condition between catas error reset and aliasguid flows
>
>Jan Kara (1):
> udf: Fix crash on IO error during truncate
>
>Jann Horn (1):
> device_cgroup: fix RCU imbalance in error case
>
>Jason A. Donenfeld (1):
> siphash: add cryptographically secure PRF
>
>Jason Wang (4):
> vhost_net: introduce vhost_exceeds_weight()
> vhost: introduce vhost_exceeds_weight()
> vhost_net: fix possible infinite loop
> vhost: scsi: add weight support
>
>Jason Yan (1):
> scsi: libsas: fix a race condition when smp task timeout
>
>Jean-Francois Dagenais (1):
> iio: dac: mcp4725: add missing powerdown bits in store eeprom
>
>Jeff Layton (1):
> ceph: ensure d_name stability in ceph_dentry_hash()
>
>Jie Liu (1):
> tipc: set sysctl_tipc_rmem and named_timeout right range
>
>Jim Mattson (1):
> kvm: x86: IA32_ARCH_CAPABILITIES is always supported
>
>Joerg Roedel (1):
> iommu/amd: Set exclusion range correctly
>
>Johannes Berg (1):
> mac80211: don't attempt to rename ERR_PTR() debugfs dirs
>
>Johannes Thumshirn (1):
> btrfs: correctly validate compression type
>
>Johannes Weiner (1):
> proc: meminfo: estimate available memory more conservatively
>
>Josh Poimboeuf (3):
> x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
> x86/speculation: Enable Spectre v1 swapgs mitigations
> x86/entry/64: Use JMP instead of JMPQ
>
>Juergen Gross (1):
> xen: let alloc_xenballooned_pages() fail if not enough memory free
>
>Jérôme Glisse (1):
> block: do not leak memory in bio_copy_user_iov()
>
>Kangjie Lu (2):
> tty: atmel_serial: fix a potential NULL pointer dereference
> tty: mxs-auart: fix a potential NULL pointer dereference
>
>Kohji Okuno (1):
> ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
>
>Konstantin Khlebnikov (1):
> mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
>
>Lars-Peter Clausen (1):
> iio: Fix scan mask selection
>
>Leonard Pollak (1):
> Staging: iio: meter: fixed typo
>
>Lin Yi (1):
> USB: serial: mos7720: fix mos_parport refcount imbalance on error path
>
>Linus Torvalds (1):
> slip: make slhc_free() silently accept an error pointer
>
>Liu Jian (1):
> mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
>
>Lu Baolu (1):
> iommu/vt-d: Check capability before disabling protected memory
>
>Lukas Czerner (2):
> ext4: fix data corruption caused by unaligned direct AIO
> ext4: add missing brelse() in add_new_gdb_meta_bg()
>
>Malte Leip (1):
> usb: usbip: fix isoc packet num validation in get_pipe
>
>Marco Felsch (1):
> ARM: dts: pfla02: increase phy reset duration
>
>Markus Elfring (1):
> iio: Use kmalloc_array() in iio_scan_mask_set()
>
>Masami Hiramatsu (3):
> x86/kprobes: Verify stack frame on kretprobe
> kprobes: Mark ftrace mcount handler functions nokprobe
> x86/kprobes: Avoid kretprobe recursion bug
>
>Mathias Nyman (1):
> xhci: Don't let USB3 ports stuck in polling state prevent suspend
>
>Max Filippov (1):
> xtensa: fix return_address
>
>Mel Gorman (1):
> sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
>
>Michael Ellerman (1):
> powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038
>
>Michael Neuling (1):
> powerpc/tm: Fix oops on sigreturn on systems without TM
>
>Mike Snitzer (1):
> dm: disable DISCARD if the underlying storage no longer supports it
>
>NeilBrown (2):
> NFS: fix mount/umount race in nlmclnt.
> sunrpc: don't mark uninitialised items as VALID.
>
>Nick Desaulniers (1):
> lib/string.c: implement a basic bcmp
>
>Nikolay Aleksandrov (1):
> net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
>
>Paolo Abeni (1):
> vhost_net: use packet weight for rx handler, too
>
>Peter Zijlstra (1):
> trace: Fix preempt_enable_no_resched() abuse
>
>Phil Auld (1):
> sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup
>
>Rikard Falkeborn (1):
> tools lib traceevent: Fix missing equality check for strcmp
>
>Ronnie Sahlberg (1):
> cifs: fix handle leak in smb2_query_symlink()
>
>Sabrina Dubroca (1):
> ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
>
>Samuel Thibault (1):
> staging: speakup_soft: Fix alternate speech with other synths
>
>Sean Christopherson (2):
> KVM: Reject device ioctls from processes other than the VM's creator
> KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
>
>Steffen Klassert (3):
> xfrm4: Fix header checks in _decode_session4.
> xfrm4: Reload skb header pointers after calling pskb_may_pull.
> xfrm4: Fix uninitialized memory read in _decode_session4
>
>Steffen Maier (2):
> scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
> scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
>
>Stephane Eranian (1):
> perf/core: Restore mmap record type correctly
>
>Su Yanjun (1):
> xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
>
>Sven Eckelmann (3):
> batman-adv: Reduce claim hash refcnt only for removed entry
> batman-adv: Reduce tt_local hash refcnt only for removed entry
> batman-adv: Reduce tt_global hash refcnt only for removed entry
>
>Takashi Iwai (3):
> ALSA: pcm: Fix possible OOB access in PCM oss plugins
> ALSA: pcm: Don't suspend stream in unrecoverable PCM state
> ALSA: core: Fix card races between register and disconnect
>
>Thomas Gleixner (2):
> x86/speculation: Prevent deadlock on ssb_state::lock
> x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
>
>Vijayakumar Durai (1):
> rt2x00: do not increment sequence number while re-transmitting
>
>Vlad Yasevich (4):
> ipv6: Select fragment id during UFO segmentation if not set.
> Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets"
> ipv6: Fix fragment id assignment on LE arches.
> ipv6: Make __ipv6_select_ident static
>
>Vladis Dronov (1):
> Bluetooth: hci_uart: check for missing tty operations
>
>Wanpeng Li (1):
> x86/entry/64: Fix context tracking state warning when load_gs_index fails
>
>Willem de Bruijn (3):
> ipv6: invert flowlabel sharing check in process and user mode
> packet: in recvmsg msg_name return at least sizeof sockaddr_ll
> packet: validate msg_namelen in send directly
>
>Xie XiuQi (1):
> sched/numa: Fix a possible divide-by-zero
>
>Xin Long (3):
> ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
> netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
> sctp: get sctphdr by offset in sctp_compute_cksum
>
>YueHaibing (5):
> xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
> net-sysfs: call dev_hold if kobject_init_and_add success
> fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
> dccp: Fix memleak in __feat_register_sp
> fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
>
>Zubin Mithra (1):
> ALSA: seq: Fix OOB-reads from strlcpy
>
>haibinzhang(张海斌) (1):
> vhost-net: set packet weight of tx polling to 2 * vq size
>
>--
>Ben Hutchings
>When in doubt, use brute force. - Ken Thompson
>
>
>diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>index 67a21b2ef3e4..2fe0b85b693d 100644
>--- a/Documentation/kernel-parameters.txt
>+++ b/Documentation/kernel-parameters.txt
>@@ -1917,6 +1917,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> improves system performance, but it may also
> expose users to several CPU vulnerabilities.
> Equivalent to: nopti [X86]
>+ nospectre_v1 [X86]
> nospectre_v2 [X86]
> spectre_v2_user=off [X86]
> spec_store_bypass_disable=off [X86]
>@@ -2215,6 +2216,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> register save and restore. The kernel will only save
> legacy floating-point registers on task switch.
>
>+ nospectre_v1 [X86] Disable mitigations for Spectre Variant 1
>+ (bounds check bypass). With this option data leaks are
>+ possible in the system.
>+
> nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2
> (indirect branch prediction) vulnerability. System may
> allow data leaks with this option, which is equivalent
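Review bot: The new nospectre_v1 entry says only "Disable mitigations for Spectre Variant 1" and "data leaks are possible in the system", which is vaguer than the nospectre_v2 entry directly below it. Suggest naming the mitigations the switch controls and matching the neighbouring entry's wording ("variant 1", "Disable all mitigations for ..."), so an administrator can tell what exposure they accept by setting it.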
>diff --git a/Documentation/siphash.txt b/Documentation/siphash.txt
>new file mode 100644
>index 000000000000..e8e6ddbbaab4
>--- /dev/null
>+++ b/Documentation/siphash.txt
>@@ -0,0 +1,100 @@
>+ SipHash - a short input PRF
>+-----------------------------------------------
>+Written by Jason A. Donenfeld <jason@zx2c4.com>
>+
>+SipHash is a cryptographically secure PRF -- a keyed hash function -- that
>+performs very well for short inputs, hence the name. It was designed by
>+cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended
>+as a replacement for some uses of: `jhash`, `md5_transform`, `sha_transform`,
>+and so forth.
>+
>+SipHash takes a secret key filled with randomly generated numbers and either
>+an input buffer or several input integers. It spits out an integer that is
>+indistinguishable from random. You may then use that integer as part of secure
>+sequence numbers, secure cookies, or mask it off for use in a hash table.
>+
>+1. Generating a key
>+
>+Keys should always be generated from a cryptographically secure source of
>+random numbers, either using get_random_bytes or get_random_once:
>+
>+siphash_key_t key;
>+get_random_bytes(&key, sizeof(key));
>+
>+If you're not deriving your key from here, you're doing it wrong.
>+
>+2. Using the functions
>+
>+There are two variants of the function, one that takes a list of integers, and
>+one that takes a buffer:
>+
>+u64 siphash(const void *data, size_t len, const siphash_key_t *key);
>+
>+And:
>+
>+u64 siphash_1u64(u64, const siphash_key_t *key);
>+u64 siphash_2u64(u64, u64, const siphash_key_t *key);
>+u64 siphash_3u64(u64, u64, u64, const siphash_key_t *key);
>+u64 siphash_4u64(u64, u64, u64, u64, const siphash_key_t *key);
>+u64 siphash_1u32(u32, const siphash_key_t *key);
>+u64 siphash_2u32(u32, u32, const siphash_key_t *key);
>+u64 siphash_3u32(u32, u32, u32, const siphash_key_t *key);
>+u64 siphash_4u32(u32, u32, u32, u32, const siphash_key_t *key);
>+
>+If you pass the generic siphash function something of a constant length, it
>+will constant fold at compile-time and automatically choose one of the
>+optimized functions.
>+
>+3. Hashtable key function usage:
>+
>+struct some_hashtable {
>+ DECLARE_HASHTABLE(hashtable, 8);
>+ siphash_key_t key;
>+};
>+
>+void init_hashtable(struct some_hashtable *table)
>+{
>+ get_random_bytes(&table->key, sizeof(table->key));
>+}
>+
>+static inline hlist_head *some_hashtable_bucket(struct some_hashtable *table, struct interesting_input *input)
>+{
>+ return &table->hashtable[siphash(input, sizeof(*input), &table->key) & (HASH_SIZE(table->hashtable) - 1)];
>+}
>+
>+You may then iterate like usual over the returned hash bucket.
>+
>+4. Security
>+
>+SipHash has a very high security margin, with its 128-bit key. So long as the
>+key is kept secret, it is impossible for an attacker to guess the outputs of
>+the function, even if being able to observe many outputs, since 2^128 outputs
>+is significant.
>+
>+Linux implements the "2-4" variant of SipHash.
>+
>+5. Struct-passing Pitfalls
>+
>+Often times the XuY functions will not be large enough, and instead you'll
>+want to pass a pre-filled struct to siphash. When doing this, it's important
>+to always ensure the struct has no padding holes. The easiest way to do this
>+is to simply arrange the members of the struct in descending order of size,
>+and to use offsetendof() instead of sizeof() for getting the size. For
>+performance reasons, if possible, it's probably a good thing to align the
>+struct to the right boundary. Here's an example:
>+
>+const struct {
>+ struct in6_addr saddr;
>+ u32 counter;
>+ u16 dport;
>+} __aligned(SIPHASH_ALIGNMENT) combined = {
>+ .saddr = *(struct in6_addr *)saddr,
>+ .counter = counter,
>+ .dport = dport
>+};
>+u64 h = siphash(&combined, offsetofend(typeof(combined), dport), &secret);
>+
>+6. Resources
>+
>+Read the SipHash paper if you're interested in learning more:
>+https://131002.net/siphash/siphash.pdf
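Review bot: Section 5 tells readers to use offsetendof(), but the example a few lines later calls offsetofend(typeof(combined), dport); the name in the prose should be corrected to match, since that advice is what keeps padding bytes out of the hashed input. In section 3, some_hashtable_bucket() is declared as returning "hlist_head *" without the struct keyword, so the sample would not compile as written.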
>diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt
>index 1392b61d6ebe..3073ea800389 100644
>--- a/Documentation/usb/power-management.txt
>+++ b/Documentation/usb/power-management.txt
>@@ -345,11 +345,15 @@ autosuspend the interface's device. When the usage counter is = 0
> then the interface is considered to be idle, and the kernel may
> autosuspend the device.
>
>-Drivers need not be concerned about balancing changes to the usage
>-counter; the USB core will undo any remaining "get"s when a driver
>-is unbound from its interface. As a corollary, drivers must not call
>-any of the usb_autopm_* functions after their disconnect() routine has
>-returned.
>+Drivers must be careful to balance their overall changes to the usage
>+counter. Unbalanced "get"s will remain in effect when a driver is
>+unbound from its interface, preventing the device from going into
>+runtime suspend should the interface be bound to a driver again. On
>+the other hand, drivers are allowed to achieve this balance by calling
>+the usb_autopm_* functions even after their disconnect routine
>+has returned -- say from within a work-queue routine -- provided they
>+retain an active reference to the interface (via usb_get_intf and
>+usb_put_intf).
>
> Drivers using the async routines are responsible for their own
> synchronization and mutual exclusion.
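Review bot: The rewritten paragraph permits usb_autopm_* calls after disconnect has returned, but it does not say at which point the driver is expected to have dropped its outstanding "get"s now that the core no longer undoes them. Suggest one sentence stating that every "get" needs a matching "put" issued by the driver, either in its disconnect routine or in the deferred work that holds the interface reference, and writing usb_get_intf() and usb_put_intf() with parentheses as the removed text did for disconnect().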
>diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
>index e86da4377402..fcafeed97244 100644
>--- a/Documentation/virtual/kvm/api.txt
>+++ b/Documentation/virtual/kvm/api.txt
>@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong to three classes
>
> - VM ioctls: These query and set attributes that affect an entire virtual
> machine, for example memory layout. In addition a VM ioctl is used to
>- create virtual cpus (vcpus).
>+ create virtual cpus (vcpus) and devices.
>
> Only run VM ioctls from the same process (address space) that was used
> to create the VM.
>@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong to three classes
> Only run vcpu ioctls from the same thread that was used to create the
> vcpu.
>
>+ - device ioctls: These query and set attributes that control the operation
>+ of a single device.
>+
>+ device ioctls must be issued from the same process (address space) that
>+ was used to create the VM.
>
> 2. File descriptors
> -------------------
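Review bot: The sentence introducing this list still reads "The ioctls belong to three classes" (visible in the first hunk header), yet the new device ioctls bullet makes four; the count should be updated in the same patch. The added rule also begins with a lowercase "device ioctls must be issued ...", unlike the "Only run ..." wording of the VM and vcpu bullets, and it does not say what a caller in a different process gets back.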
>@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors. An initial
> open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
> can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this
> handle will create a VM file descriptor which can be used to issue VM
>-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
>-and return a file descriptor pointing to it. Finally, ioctls on a vcpu
>-fd can be used to control the vcpu, including the important task of
>-actually running guest code.
>+ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
>+create a virtual cpu or device and return a file descriptor pointing to
>+the new resource. Finally, ioctls on a vcpu or device fd can be used
>+to control the vcpu or device. For vcpus, this includes the important
>+task of actually running guest code.
>
> In general file descriptors can be migrated among processes by means
> of fork() and the SCM_RIGHTS facility of unix domain socket. These
>diff --git a/MAINTAINERS b/MAINTAINERS
>index b2a5243e9d0b..61dbb398b540 100644
>--- a/MAINTAINERS
>+++ b/MAINTAINERS
>@@ -8188,6 +8188,13 @@ F: arch/arm/mach-s3c24xx/mach-bast.c
> F: arch/arm/mach-s3c24xx/bast-ide.c
> F: arch/arm/mach-s3c24xx/bast-irq.c
>
>+SIPHASH PRF ROUTINES
>+M: Jason A. Donenfeld <Jason@zx2c4.com>
>+S: Maintained
>+F: lib/siphash.c
>+F: lib/test_siphash.c
>+F: include/linux/siphash.h
>+
> TI DAVINCI MACHINE SUPPORT
> M: Sekhar Nori <nsekhar@ti.com>
> M: Kevin Hilman <khilman@deeprootsystems.com>
>diff --git a/Makefile b/Makefile
>index c2c6a3580e8a..e2d6e0b9f22d 100644
>--- a/Makefile
>+++ b/Makefile
>@@ -1,6 +1,6 @@
> VERSION = 3
> PATCHLEVEL = 16
>-SUBLEVEL = 71
>+SUBLEVEL = 72
> EXTRAVERSION =
> NAME = Museum of Fishiegoodies
>
>diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>index 50c7718cb84e..0214e1199a06 100644
>--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>+++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>@@ -302,6 +302,7 @@
> pinctrl-names = "default";
> pinctrl-0 = <&pinctrl_enet>;
> phy-mode = "rgmii";
>+ phy-reset-duration = <10>; /* in msecs */
> phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
> status = "disabled";
> };
>diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
>index 6bcae0479049..e338a6d23b77 100644
>--- a/arch/arm/mach-imx/cpuidle-imx6q.c
>+++ b/arch/arm/mach-imx/cpuidle-imx6q.c
>@@ -14,30 +14,23 @@
> #include "common.h"
> #include "cpuidle.h"
>
>-static atomic_t master = ATOMIC_INIT(0);
>-static DEFINE_SPINLOCK(master_lock);
>+static int num_idle_cpus = 0;
>+static DEFINE_SPINLOCK(cpuidle_lock);
>
> static int imx6q_enter_wait(struct cpuidle_device *dev,
> struct cpuidle_driver *drv, int index)
> {
>- if (atomic_inc_return(&master) == num_online_cpus()) {
>- /*
>- * With this lock, we prevent other cpu to exit and enter
>- * this function again and become the master.
>- */
>- if (!spin_trylock(&master_lock))
>- goto idle;
>+ spin_lock(&cpuidle_lock);
>+ if (++num_idle_cpus == num_online_cpus())
> imx6q_set_lpm(WAIT_UNCLOCKED);
>- cpu_do_idle();
>- imx6q_set_lpm(WAIT_CLOCKED);
>- spin_unlock(&master_lock);
>- goto done;
>- }
>+ spin_unlock(&cpuidle_lock);
>
>-idle:
> cpu_do_idle();
>-done:
>- atomic_dec(&master);
>+
>+ spin_lock(&cpuidle_lock);
>+ if (num_idle_cpus-- == num_online_cpus())
>+ imx6q_set_lpm(WAIT_CLOCKED);
>+ spin_unlock(&cpuidle_lock);
>
> return index;
> }
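Review bot: Both comparisons against num_online_cpus() are made under cpuidle_lock, but the online count itself is not protected by that lock; if it changes between the ++num_idle_cpus check and the num_idle_cpus-- check, the exit path can skip imx6q_set_lpm(WAIT_CLOCKED) or call it without a matching WAIT_UNCLOCKED. A short comment on why that cannot happen here, or a flag recording that WAIT_UNCLOCKED was set, would make the pairing explicit. Minor: "static int num_idle_cpus = 0;" does not need the explicit initialiser.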
>diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
>index 37361502d63b..ff9987fd5fd0 100644
>--- a/arch/mips/kernel/scall64-o32.S
>+++ b/arch/mips/kernel/scall64-o32.S
>@@ -124,7 +124,7 @@ NESTED(handle_sys, PT_SIZE, sp)
> subu t1, v0, __NR_O32_Linux
> move a1, v0
> bnez t1, 1f /* __NR_syscall at offset 0 */
>- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
>+ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
> .set pop
>
> 1: jal syscall_trace_enter
>diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
>index b73a8199f161..1e0ee59c8276 100644
>--- a/arch/powerpc/include/asm/vdso_datapage.h
>+++ b/arch/powerpc/include/asm/vdso_datapage.h
>@@ -82,10 +82,10 @@ struct vdso_data {
> __u32 icache_block_size; /* L1 i-cache block size */
> __u32 dcache_log_block_size; /* L1 d-cache log block size */
> __u32 icache_log_block_size; /* L1 i-cache log block size */
>- __s32 wtom_clock_sec; /* Wall to monotonic clock */
>- __s32 wtom_clock_nsec;
>- struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */
>- __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */
>+ __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */
>+ __s32 wtom_clock_nsec; /* Wall to monotonic clock nsec */
>+ __s64 wtom_clock_sec; /* Wall to monotonic clock sec */
>+ struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */
> __u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls */
> __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
> };
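Review bot: wtom_clock_sec becomes a __s64 that now sits after a run of 32-bit members, and the hunk carries no comment explaining why stamp_sec_fraction and wtom_clock_nsec were moved in front of it. If the reordering is meant to keep the 64-bit field naturally aligned without a padding hole, say so in a comment above the field so that later additions to struct vdso_data preserve it.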
>diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
>index e7e8c4db2651..90d1d10eff05 100644
>--- a/arch/powerpc/kernel/signal_32.c
>+++ b/arch/powerpc/kernel/signal_32.c
>@@ -1274,6 +1274,9 @@ long sys_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
> goto bad;
>
> if (MSR_TM_ACTIVE(msr_hi<<32)) {
>+ /* Trying to start TM on non TM system */
>+ if (!cpu_has_feature(CPU_FTR_TM))
>+ goto bad;
> /* We only recheckpoint on return if we're
> * transaction.
> */
>diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
>index 0bcae29336c0..5437dae4f12f 100644
>--- a/arch/powerpc/kernel/signal_64.c
>+++ b/arch/powerpc/kernel/signal_64.c
>@@ -702,6 +702,11 @@ int sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
> if (MSR_TM_ACTIVE(msr)) {
> /* We recheckpoint on return. */
> struct ucontext __user *uc_transact;
>+
>+ /* Trying to start TM on non TM system */
>+ if (!cpu_has_feature(CPU_FTR_TM))
>+ goto badframe;
>+
> if (__get_user(uc_transact, &uc->uc_link))
> goto badframe;
> if (restore_tm_sigcontexts(regs, &uc->uc_mcontext,
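
Review bot: The `!cpu_has_feature(CPU_FTR_TM)` check and its comment in sys_rt_sigreturn() are duplicated word for word from the signal_32.c hunk, and "Trying to start TM on non TM system" does not say where the MSR value comes from. In a sigreturn path the MSR bits are taken from the signal frame, so a comment stating that would make clear why this is treated as a bad frame (`goto badframe`) and not as a kernel bug.
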
>diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
>index 6b2b69616e77..8bacb8721961 100644
>--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
>+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
>@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
> * can be used, r7 contains NSEC_PER_SEC.
> */
>
>- lwz r5,WTOM_CLOCK_SEC(r9)
>+ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9)
> lwz r6,WTOM_CLOCK_NSEC(r9)
>
> /* We now have our offset in r5,r6. We create a fake dependency
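
Review bot: `lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9)` loads only the low word of a field that the vdso_datapage.h change in this patch widens to `__s64`, and the hunk has no comment saying the high word is deliberately ignored. A one-line comment that the 32-bit vDSO uses just the low 32 bits of wtom_clock_sec would document the truncation.
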
>diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S
>index 382021324883..6a6a8495bd55 100644
>--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
>+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
>@@ -85,7 +85,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
> * At this point, r4,r5 contain our sec/nsec values.
> */
>
>- lwa r6,WTOM_CLOCK_SEC(r3)
>+ ld r6,WTOM_CLOCK_SEC(r3)
> lwa r9,WTOM_CLOCK_NSEC(r3)
>
> /* We now have our result in r6,r9. We create a fake dependency
>diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
>index cb4c73bfeb48..129e29721835 100644
>--- a/arch/x86/include/asm/calling.h
>+++ b/arch/x86/include/asm/calling.h
>@@ -47,6 +47,7 @@ For 32-bit we have the following conventions - kernel is built with
> */
>
> #include <asm/dwarf2.h>
>+#include <asm/cpufeatures.h>
>
> #ifdef CONFIG_X86_64
>
>@@ -195,6 +196,23 @@ For 32-bit we have the following conventions - kernel is built with
> .byte 0xf1
> .endm
>
>+/*
>+ * Mitigate Spectre v1 for conditional swapgs code paths.
>+ *
>+ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
>+ * prevent a speculative swapgs when coming from kernel space.
>+ *
>+ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
>+ * to prevent the swapgs from getting speculatively skipped when coming from
>+ * user space.
>+ */
>+.macro FENCE_SWAPGS_USER_ENTRY
>+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
>+.endm
>+.macro FENCE_SWAPGS_KERNEL_ENTRY
>+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
>+.endm
>+
> #else /* CONFIG_X86_64 */
>
> /*
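
Review bot: Both macros use `ALTERNATIVE "", "lfence", ...` with an empty default, so an entry path carries no fence at all until alternatives are patched and the matching X86_FEATURE_FENCE_SWAPGS_* bit has been forced. The block comment explains what each fence prevents but not that dependency; a sentence noting that the bits are set by spectre_v1_select_mitigation() in bugs.c (elsewhere in this patch) would help readers of entry_64.S.
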
>diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
>index 99137cbe34b8..ba48ab887acf 100644
>--- a/arch/x86/include/asm/cpufeatures.h
>+++ b/arch/x86/include/asm/cpufeatures.h
>@@ -177,29 +177,33 @@
> #define X86_FEATURE_ARAT ( 7*32+ 1) /* Always Running APIC Timer */
> #define X86_FEATURE_CPB ( 7*32+ 2) /* AMD Core Performance Boost */
> #define X86_FEATURE_EPB ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
>-#define X86_FEATURE_XSAVEOPT ( 7*32+ 4) /* Optimized Xsave */
>+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+4) /* Effectively INVPCID && CR4.PCIDE=1 */
> #define X86_FEATURE_PLN ( 7*32+ 5) /* Intel Power Limit Notification */
> #define X86_FEATURE_PTS ( 7*32+ 6) /* Intel Package Thermal Status */
> #define X86_FEATURE_DTHERM ( 7*32+ 7) /* Digital Thermal Sensor */
> #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
> #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
>-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
>-#define X86_FEATURE_RSB_CTXSW ( 7*32+11) /* "" Fill RSB on context switches */
>-#define X86_FEATURE_USE_IBPB ( 7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
>-#define X86_FEATURE_USE_IBRS_FW ( 7*32+13) /* "" Use IBRS during runtime firmware calls */
>-#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+14) /* "" Disable Speculative Store Bypass. */
>-#define X86_FEATURE_LS_CFG_SSBD ( 7*32+15) /* "" AMD SSBD implementation */
>-#define X86_FEATURE_IBRS ( 7*32+16) /* Indirect Branch Restricted Speculation */
>-#define X86_FEATURE_IBPB ( 7*32+17) /* Indirect Branch Prediction Barrier */
>-#define X86_FEATURE_STIBP ( 7*32+18) /* Single Thread Indirect Branch Predictors */
>-#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+19) /* "" MSR SPEC_CTRL is implemented */
>-#define X86_FEATURE_SSBD ( 7*32+20) /* Speculative Store Bypass Disable */
>-#define X86_FEATURE_ZEN ( 7*32+21) /* "" CPU is AMD family 0x17 (Zen) */
>-#define X86_FEATURE_L1TF_PTEINV ( 7*32+22) /* "" L1TF workaround PTE inversion */
>-#define X86_FEATURE_IBRS_ENHANCED ( 7*32+23) /* Enhanced IBRS */
>-#define X86_FEATURE_RETPOLINE ( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
>-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
>-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
>+#define X86_FEATURE_FENCE_SWAPGS_USER ( 7*32+10) /* "" LFENCE in user entry SWAPGS path */
>+#define X86_FEATURE_FENCE_SWAPGS_KERNEL ( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */
>+#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
>+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
>+
>+#define X86_FEATURE_XSAVEOPT ( 7*32+15) /* Optimized Xsave */
>+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
>+#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */
>+
>+#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
>+
>+#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
>+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
>+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
>+#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
>+#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
>+#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
>+#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
>+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
>+#define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
>+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
> #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
>
> /* Virtualization flags: Linux defined, word 8 */
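
Review bot: The renumbered word 7 block leaves bits 14, 18 and 20 unused, marked only by blank lines, and drops the "Because the ALTERNATIVE scheme is for members of the X86_FEATURE club..." comment without a replacement. A short comment on why those positions are skipped would help, and `( 7*32+4)` on the X86_FEATURE_INVPCID_SINGLE line lacks the padding space that the neighbouring single-digit entries use (`( 7*32+ 5)`).
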
>@@ -274,5 +278,6 @@
> #define X86_BUG_L1TF X86_BUG(9) /* CPU is affected by L1 Terminal Fault */
> #define X86_BUG_MDS X86_BUG(10) /* CPU is affected by Microarchitectural data sampling */
> #define X86_BUG_MSBDS_ONLY X86_BUG(11) /* CPU is only affected by the MSDBS variant of BUG_MDS */
>+#define X86_BUG_SWAPGS X86_BUG(12) /* CPU is affected by speculation through SWAPGS */
>
> #endif /* _ASM_X86_CPUFEATURES_H */
>diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
>index e9eae4fbdde2..92a9ba2595b3 100644
>--- a/arch/x86/include/asm/kvm_host.h
>+++ b/arch/x86/include/asm/kvm_host.h
>@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
> #define IOPL_SHIFT 12
>
> #define KVM_PERMILLE_MMU_PAGES 20
>-#define KVM_MIN_ALLOC_MMU_PAGES 64
>+#define KVM_MIN_ALLOC_MMU_PAGES 64UL
> #define KVM_MMU_HASH_SHIFT 10
> #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT)
> #define KVM_MIN_FREE_MMU_PAGES 5
>@@ -363,6 +363,7 @@ struct kvm_vcpu_arch {
> int mp_state;
> u64 ia32_misc_enable_msr;
> bool tpr_access_reporting;
>+ u64 arch_capabilities;
>
> /*
> * Paging state of the vcpu
>@@ -551,9 +552,9 @@ struct kvm_apic_map {
> };
>
> struct kvm_arch {
>- unsigned int n_used_mmu_pages;
>- unsigned int n_requested_mmu_pages;
>- unsigned int n_max_mmu_pages;
>+ unsigned long n_used_mmu_pages;
>+ unsigned long n_requested_mmu_pages;
>+ unsigned long n_max_mmu_pages;
> unsigned int indirect_shadow_pages;
> unsigned long mmu_valid_gen;
> struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
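
Review bot: In struct kvm_arch the three n_*_mmu_pages counters become `unsigned long`, but `indirect_shadow_pages` on the next line stays `unsigned int`. If it counts the same kind of object, widen it as well; if it is bounded differently, a comment saying so would settle the question.
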
>@@ -809,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
> gfn_t gfn_offset, unsigned long mask);
> void kvm_mmu_zap_all(struct kvm *kvm);
> void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm);
>-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
>-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
>+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
>+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages);
>
> int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3);
>
>diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
>index da45f9fc1913..5876b28f9331 100644
>--- a/arch/x86/include/asm/xen/hypercall.h
>+++ b/arch/x86/include/asm/xen/hypercall.h
>@@ -215,6 +215,9 @@ privcmd_call(unsigned call,
> __HYPERCALL_DECLS;
> __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
>
>+ if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
>+ return -EINVAL;
>+
> stac();
> asm volatile(CALL_NOSPEC
> : __HYPERCALL_5PARAM
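
Review bot: The new `call >= PAGE_SIZE / sizeof(hypercall_page[0])` test in privcmd_call() rejects an out-of-range index architecturally, but it sits directly ahead of an indirect `CALL_NOSPEC`, and a conditional branch alone does not constrain the index under misprediction. Consider clamping `call` with array_index_nospec() after the check, and add a comment naming where `call` originates so the reason for the bound is clear.
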
>diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
>index e325029ff01a..f9e23ee19bcb 100644
>--- a/arch/x86/kernel/cpu/bugs.c
>+++ b/arch/x86/kernel/cpu/bugs.c
>@@ -30,6 +30,7 @@
> #include <asm/intel-family.h>
> #include <asm/e820.h>
>
>+static void __init spectre_v1_select_mitigation(void);
> static void __init spectre_v2_select_mitigation(void);
> static void __init ssb_select_mitigation(void);
> static void __init l1tf_select_mitigation(void);
>@@ -148,17 +149,11 @@ void __init check_bugs(void)
> if (boot_cpu_has(X86_FEATURE_STIBP))
> x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
>
>- /* Select the proper spectre mitigation before patching alternatives */
>+ /* Select the proper CPU mitigations before patching alternatives: */
>+ spectre_v1_select_mitigation();
> spectre_v2_select_mitigation();
>-
>- /*
>- * Select proper mitigation for any exposure to the Speculative Store
>- * Bypass vulnerability.
>- */
> ssb_select_mitigation();
>-
> l1tf_select_mitigation();
>-
> mds_select_mitigation();
>
> arch_smt_update();
>@@ -317,6 +312,98 @@ static int __init mds_cmdline(char *str)
> }
> early_param("mds", mds_cmdline);
>
>+#undef pr_fmt
>+#define pr_fmt(fmt) "Spectre V1 : " fmt
>+
>+enum spectre_v1_mitigation {
>+ SPECTRE_V1_MITIGATION_NONE,
>+ SPECTRE_V1_MITIGATION_AUTO,
>+};
>+
>+static enum spectre_v1_mitigation spectre_v1_mitigation =
>+ SPECTRE_V1_MITIGATION_AUTO;
>+
>+static const char * const spectre_v1_strings[] = {
>+ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
>+ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
>+};
>+
>+/*
>+ * Does SMAP provide full mitigation against speculative kernel access to
>+ * userspace?
>+ */
>+static bool smap_works_speculatively(void)
>+{
>+ if (!boot_cpu_has(X86_FEATURE_SMAP))
>+ return false;
>+
>+ /*
>+ * On CPUs which are vulnerable to Meltdown, SMAP does not
>+ * prevent speculative access to user data in the L1 cache.
>+ * Consider SMAP to be non-functional as a mitigation on these
>+ * CPUs.
>+ */
>+ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
>+ return false;
>+
>+ return true;
>+}
>+
>+static void __init spectre_v1_select_mitigation(void)
>+{
>+ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
>+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
>+ return;
>+ }
>+
>+ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
>+ /*
>+ * With Spectre v1, a user can speculatively control either
>+ * path of a conditional swapgs with a user-controlled GS
>+ * value. The mitigation is to add lfences to both code paths.
>+ *
>+ * If FSGSBASE is enabled, the user can put a kernel address in
>+ * GS, in which case SMAP provides no protection.
>+ *
>+ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
>+ * FSGSBASE enablement patches have been merged. ]
>+ *
>+ * If FSGSBASE is disabled, the user can only put a user space
>+ * address in GS. That makes an attack harder, but still
>+ * possible if there's no SMAP protection.
>+ */
>+ if (!smap_works_speculatively()) {
>+ /*
>+ * Mitigation can be provided from SWAPGS itself or
>+ * PTI as the CR3 write in the Meltdown mitigation
>+ * is serializing.
>+ *
>+ * If neither is there, mitigate with an LFENCE to
>+ * stop speculation through swapgs.
>+ */
>+ if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
>+ !boot_cpu_has(X86_FEATURE_KAISER))
>+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
>+
>+ /*
>+ * Enable lfences in the kernel entry (non-swapgs)
>+ * paths, to prevent user entry from speculatively
>+ * skipping swapgs.
>+ */
>+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
>+ }
>+ }
>+
>+ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
>+}
>+
>+static int __init nospectre_v1_cmdline(char *str)
>+{
>+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
>+ return 0;
>+}
>+early_param("nospectre_v1", nospectre_v1_cmdline);
>+
> #undef pr_fmt
> #define pr_fmt(fmt) "Spectre V2 : " fmt
>
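
Review bot: The string for SPECTRE_V1_MITIGATION_AUTO says "usercopy/swapgs barriers" even when spectre_v1_select_mitigation() forces neither fence bit, which is the case whenever smap_works_speculatively() returns true. Either state in a comment that the string describes the policy and not the set of LFENCEs actually patched in, or report the two cases separately so the sysfs and boot-log output matches what the entry code does.
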
>@@ -1210,7 +1297,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
> break;
>
> case X86_BUG_SPECTRE_V1:
>- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
>+ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
>
> case X86_BUG_SPECTRE_V2:
> return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
>diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
>index 9d4638d437de..337fcac8c8a0 100644
>--- a/arch/x86/kernel/cpu/common.c
>+++ b/arch/x86/kernel/cpu/common.c
>@@ -813,6 +813,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
> #define NO_L1TF BIT(3)
> #define NO_MDS BIT(4)
> #define MSBDS_ONLY BIT(5)
>+#define NO_SWAPGS BIT(6)
>
> #define VULNWL(_vendor, _family, _model, _whitelist) \
> { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
>@@ -836,29 +837,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
> VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION),
> VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION),
>
>- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
>- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY),
>- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY),
>- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
>- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY),
>- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY),
>+ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>
> VULNWL_INTEL(CORE_YONAH, NO_SSB),
>
>- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY),
>+ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>
>- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF),
>- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF),
>- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF),
>+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS),
>+ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS),
>+ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS),
>+
>+ /*
>+ * Technically, swapgs isn't serializing on AMD (despite it previously
>+ * being documented as such in the APM). But according to AMD, %gs is
>+ * updated non-speculatively, and the issuing of %gs-relative memory
>+ * operands will be blocked until the %gs update completes, which is
>+ * good enough for our purposes.
>+ */
>
> /* AMD Family 0xf - 0x12 */
>- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>
> /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
>- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS),
>+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
> {}
> };
>
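
Review bot: NO_SWAPGS is added to every Atom, Xeon Phi and AMD entry touched in cpu_vuln_whitelist[], yet only the AMD block gets a comment explaining why those CPUs qualify. The Intel entries deserve the same one-line justification, and it is worth stating that `VULNWL_INTEL(CORE_YONAH, NO_SSB)` is left without the flag on purpose.
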
>@@ -895,6 +904,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
> setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
> }
>
>+ if (!cpu_matches(NO_SWAPGS))
>+ setup_force_cpu_bug(X86_BUG_SWAPGS);
>+
> if (cpu_matches(NO_MELTDOWN))
> return;
>
>diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
>index 6e5feb342ee4..467069f38f21 100644
>--- a/arch/x86/kernel/entry_64.S
>+++ b/arch/x86/kernel/entry_64.S
>@@ -265,14 +265,19 @@ ENDPROC(native_usergs_sysret64)
> testl $3, CS-RBP(%rsi)
> je 1f
> SWAPGS
>+ FENCE_SWAPGS_USER_ENTRY
> SWITCH_KERNEL_CR3
>+ jmp 2f
>+1:
>+ FENCE_SWAPGS_KERNEL_ENTRY
>+2:
> /*
> * irq_count is used to check if a CPU is already on an interrupt stack
> * or not. While this is essentially redundant with preempt_count it is
> * a little cheaper to use a separate counter in the PDA (short of
> * moving irq_enter into assembly, which would be too much work)
> */
>-1: incl PER_CPU_VAR(irq_count)
>+ incl PER_CPU_VAR(irq_count)
> cmovzq PER_CPU_VAR(irq_stack_ptr),%rsp
> CFI_DEF_CFA_REGISTER rsi
>
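
Review bot: The relocated `1:` label now marks the kernel-entry path and `2:` the common continuation, but neither label has a comment, and the user-entry path gains an unconditional `jmp 2f` only to step over one macro. A comment at `1:` saying that this is the entry from kernel mode with no SWAPGS would make the two-fence structure readable, and the cost of the extra jump on every user-mode entry should be confirmed as acceptable.
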
>@@ -337,6 +342,13 @@ ENTRY(save_paranoid)
> movq %rax, %cr3
> 2:
> #endif
>+ /*
>+ * The above doesn't do an unconditional CR3 write, even in the PTI
>+ * case. So do an lfence to prevent GS speculation, regardless of
>+ * whether PTI is enabled.
>+ */
>+ FENCE_SWAPGS_KERNEL_ENTRY
>+
> ret
> CFI_ENDPROC
> END(save_paranoid)
>@@ -1445,10 +1457,27 @@ ENTRY(error_entry)
> */
> SWITCH_KERNEL_CR3
> testl $3,CS+8(%rsp)
>- je error_kernelspace
>-error_swapgs:
>+ jz .Lerror_kernelspace
>+
>+ /*
>+ * We entered from user mode or we're pretending to have entered
>+ * from user mode due to an IRET fault.
>+ */
> SWAPGS
>-error_sti:
>+ FENCE_SWAPGS_USER_ENTRY
>+
>+.Lerror_entry_from_usermode_after_swapgs:
>+ /*
>+ * We need to tell lockdep that IRQs are off. We can't do this until
>+ * we fix gsbase, and we should do it before enter_from_user_mode
>+ * (which can take locks).
>+ */
>+ TRACE_IRQS_OFF
>+ ret
>+
>+.Lerror_entry_done_lfence:
>+ FENCE_SWAPGS_KERNEL_ENTRY
>+.Lerror_entry_done:
> TRACE_IRQS_OFF
> ret
>
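
Review bot: `.Lerror_entry_from_usermode_after_swapgs` and `.Lerror_entry_done` end up with identical bodies (`TRACE_IRQS_OFF` then `ret`), and the comment above the first refers to enter_from_user_mode, which is not called anywhere in the lines shown. If that function does not exist in this tree, trim the comment to what applies here and consider sharing a single exit label.
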
>@@ -1458,28 +1487,46 @@ ENTRY(error_entry)
> * truncated RIP for IRET exceptions returning to compat mode. Check
> * for these here too.
> */
>-error_kernelspace:
>+.Lerror_kernelspace:
> leaq native_irq_return_iret(%rip),%rcx
> cmpq %rcx,RIP+8(%rsp)
>- je error_bad_iret
>+ je .Lerror_bad_iret
> movl %ecx,%eax /* zero extend */
> cmpq %rax,RIP+8(%rsp)
>- je bstep_iret
>+ je .Lbstep_iret
> cmpq $gs_change,RIP+8(%rsp)
>- je error_swapgs
>- jmp error_sti
>+ jne .Lerror_entry_done_lfence
>+
>+ /*
>+ * hack: gs_change can fail with user gsbase. If this happens, fix up
>+ * gsbase and proceed. We'll fix up the exception and land in
>+ * gs_change's error handler with kernel gsbase.
>+ */
>+ SWAPGS
>+ FENCE_SWAPGS_USER_ENTRY
>+ jmp .Lerror_entry_done
>
>-bstep_iret:
>+.Lbstep_iret:
> /* Fix truncated RIP */
> movq %rcx,RIP+8(%rsp)
> /* fall through */
>
>-error_bad_iret:
>+.Lerror_bad_iret:
>+ /*
>+ * We came from an IRET to user mode, so we have user gsbase.
>+ * Switch to kernel gsbase:
>+ */
> SWAPGS
>+ FENCE_SWAPGS_USER_ENTRY
>+
>+ /*
>+ * Pretend that the exception came from user mode: set up pt_regs
>+ * as if we faulted immediately after IRET.
>+ */
> mov %rsp,%rdi
> call fixup_bad_iret
> mov %rax,%rsp
>- jmp error_sti
>+ jmp .Lerror_entry_from_usermode_after_swapgs
> CFI_ENDPROC
> END(error_entry)
>
>@@ -1579,6 +1626,7 @@ ENTRY(nmi)
> * to switch CR3 here.
> */
> cld
>+ FENCE_SWAPGS_USER_ENTRY
> movq %rsp, %rdx
> movq PER_CPU_VAR(kernel_stack), %rsp
> addq $KERNEL_STACK_OFFSET, %rsp
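
Review bot: `FENCE_SWAPGS_USER_ENTRY` is inserted after `cld` in the nmi path with no comment, and the SWAPGS it guards is not in the surrounding lines, unlike the other entry_64.S call sites in this patch where the macro directly follows `SWAPGS`. A one-line comment naming the swapgs this fence pairs with would make the placement reviewable.
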
>@@ -1624,6 +1672,7 @@ ENTRY(nmi)
> movq %rax, %cr3
> 2:
> #endif
>+ FENCE_SWAPGS_KERNEL_ENTRY
> call do_nmi
>
> #ifdef CONFIG_PAGE_TABLE_ISOLATION
>diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
>index 608f18c62412..cb6657f35f41 100644
>--- a/arch/x86/kernel/kprobes/core.c
>+++ b/arch/x86/kernel/kprobes/core.c
>@@ -494,6 +494,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
> unsigned long *sara = stack_addr(regs);
>
> ri->ret_addr = (kprobe_opcode_t *) *sara;
>+ ri->fp = sara;
>
> /* Replace the return addr with trampoline addr */
> *sara = (unsigned long) &kretprobe_trampoline;
>@@ -685,26 +686,48 @@ static void __used kretprobe_trampoline_holder(void)
> NOKPROBE_SYMBOL(kretprobe_trampoline_holder);
> NOKPROBE_SYMBOL(kretprobe_trampoline);
>
>+static struct kprobe kretprobe_kprobe = {
>+ .addr = (void *)kretprobe_trampoline,
>+};
>+
> /*
> * Called from kretprobe_trampoline
> */
> __visible __used void *trampoline_handler(struct pt_regs *regs)
> {
>+ struct kprobe_ctlblk *kcb;
> struct kretprobe_instance *ri = NULL;
> struct hlist_head *head, empty_rp;
> struct hlist_node *tmp;
> unsigned long flags, orig_ret_address = 0;
> unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
> kprobe_opcode_t *correct_ret_addr = NULL;
>+ void *frame_pointer;
>+ bool skipped = false;
>+
>+ preempt_disable();
>+
>+ /*
>+ * Set a dummy kprobe for avoiding kretprobe recursion.
>+ * Since kretprobe never run in kprobe handler, kprobe must not
>+ * be running at this point.
>+ */
>+ kcb = get_kprobe_ctlblk();
>+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
>+ kcb->kprobe_status = KPROBE_HIT_ACTIVE;
>
> INIT_HLIST_HEAD(&empty_rp);
> kretprobe_hash_lock(current, &head, &flags);
> /* fixup registers */
> #ifdef CONFIG_X86_64
> regs->cs = __KERNEL_CS;
>+ /* On x86-64, we use pt_regs->sp for return address holder. */
>+ frame_pointer = ®s->sp;
> #else
> regs->cs = __KERNEL_CS | get_kernel_rpl();
> regs->gs = 0;
>+ /* On x86-32, we use pt_regs->flags for return address holder. */
>+ frame_pointer = ®s->flags;
> #endif
> regs->ip = trampoline_address;
> regs->orig_ax = ~0UL;
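
Review bot: trampoline_handler() now calls preempt_disable() and installs `kretprobe_kprobe` as current_kprobe at the top, so every exit path has to undo both, while the matching `__this_cpu_write(current_kprobe, NULL)` and preempt_enable() appear only once, in a later hunk after kretprobe_hash_unlock(). Please confirm there is no early return between the two points, and fix the grammar of the new comment ("Since kretprobe never run in kprobe handler").
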
>@@ -726,8 +749,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
> if (ri->task != current)
> /* another task is sharing our hash bucket */
> continue;
>+ /*
>+ * Return probes must be pushed on this hash list correct
>+ * order (same as return order) so that it can be poped
>+ * correctly. However, if we find it is pushed it incorrect
>+ * order, this means we find a function which should not be
>+ * probed, because the wrong order entry is pushed on the
>+ * path of processing other kretprobe itself.
>+ */
>+ if (ri->fp != frame_pointer) {
>+ if (!skipped)
>+ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
>+ skipped = true;
>+ continue;
>+ }
>
> orig_ret_address = (unsigned long)ri->ret_addr;
>+ if (skipped)
>+ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
>+ ri->rp->kp.addr);
>
> if (orig_ret_address != trampoline_address)
> /*
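
Review bot: Both new pr_warn() calls run inside the hlist walk, after kretprobe_hash_lock() and before kretprobe_hash_unlock(), so console output is produced with that lock held. Recording the condition in a local and warning after the unlock would be safer; the new comment block also has typos ("poped", "pushed it incorrect order").
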
>@@ -745,14 +785,15 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
> if (ri->task != current)
> /* another task is sharing our hash bucket */
> continue;
>+ if (ri->fp != frame_pointer)
>+ continue;
>
> orig_ret_address = (unsigned long)ri->ret_addr;
> if (ri->rp && ri->rp->handler) {
> __this_cpu_write(current_kprobe, &ri->rp->kp);
>- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
> ri->ret_addr = correct_ret_addr;
> ri->rp->handler(ri, regs);
>- __this_cpu_write(current_kprobe, NULL);
>+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
> }
>
> recycle_rp_inst(ri, &empty_rp);
>@@ -768,6 +809,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
>
> kretprobe_hash_unlock(current, &flags);
>
>+ __this_cpu_write(current_kprobe, NULL);
>+ preempt_enable();
>+
> hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
> hlist_del(&ri->hlist);
> kfree(ri);
>diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
>index 074510b5ea77..feca78bf2a6b 100644
>--- a/arch/x86/kernel/process.c
>+++ b/arch/x86/kernel/process.c
>@@ -351,6 +351,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
> u64 msr = x86_spec_ctrl_base;
> bool updmsr = false;
>
>+ lockdep_assert_irqs_disabled();
>+
> /*
> * If TIF_SSBD is different, select the proper mitigation
> * method. Note that if SSBD mitigation is disabled or permanentely
>@@ -402,10 +404,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
>
> void speculation_ctrl_update(unsigned long tif)
> {
>+ unsigned long flags;
>+
> /* Forced update. Make sure all relevant TIF flags are different */
>- preempt_disable();
>+ local_irq_save(flags);
> __speculation_ctrl_update(~tif, tif);
>- preempt_enable();
>+ local_irq_restore(flags);
> }
>
> /* Called from seccomp/prctl update */
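
Review bot: speculation_ctrl_update() swaps preempt_disable()/preempt_enable() for local_irq_save()/local_irq_restore(), but the comment above still says only "Forced update" and gives no reason why disabling preemption was insufficient. Put that reason next to the local_irq_save(), since the lockdep_assert_irqs_disabled() added to __speculation_ctrl_update() in the previous hunk makes it a requirement for every caller.
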
>diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
>index 95cd58cdee99..6531ffcb174b 100644
>--- a/arch/x86/kvm/cpuid.c
>+++ b/arch/x86/kvm/cpuid.c
>@@ -395,6 +395,11 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
> entry->ebx |= F(TSC_ADJUST);
> entry->edx &= kvm_cpuid_7_0_edx_x86_features;
> cpuid_mask(&entry->edx, 10);
>+ /*
>+ * We emulate ARCH_CAPABILITIES in software even
>+ * if the host doesn't support it.
>+ */
>+ entry->edx |= F(ARCH_CAPABILITIES);
> } else {
> entry->ebx = 0;
> entry->edx = 0;
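
Review bot: `entry->edx |= F(ARCH_CAPABILITIES)` is placed after `cpuid_mask(&entry->edx, 10)`, which is what lets the bit survive on hosts that lack it, but the comment does not say that the ordering is deliberate. Note it there, because moving the line above the mask would silently undo the emulation.
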
>diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
>index c81ccc0d8da0..886fb53b4604 100644
>--- a/arch/x86/kvm/mmu.c
>+++ b/arch/x86/kvm/mmu.c
>@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt)
> * aggregate version in order to make the slab shrinker
> * faster
> */
>-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr)
>+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
> {
> kvm->arch.n_used_mmu_pages += nr;
> percpu_counter_add(&kvm_total_used_mmu_pages, nr);
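
Review bot: Changing `nr` in kvm_mod_used_mmu_pages() from `int` to `unsigned long` is a problem if any caller passes a negative delta. `n_used_mmu_pages += nr` still wraps to the right result, but percpu_counter_add() takes an s64 amount, so on a 32-bit build a -1 converted through `unsigned long` becomes a large positive value. A signed `long` parameter would keep both uses correct.
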
>@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
> * Changing the number of mmu pages allocated to the vm
> * Note: if goal_nr_mmu_pages is too small, you will get dead lock
> */
>-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
>+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
> {
> LIST_HEAD(invalid_list);
>
>@@ -4505,10 +4505,10 @@ int kvm_mmu_module_init(void)
> /*
> * Caculate mmu pages needed for kvm.
> */
>-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
>+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
> {
>- unsigned int nr_mmu_pages;
>- unsigned int nr_pages = 0;
>+ unsigned long nr_mmu_pages;
>+ unsigned long nr_pages = 0;
> struct kvm_memslots *slots;
> struct kvm_memory_slot *memslot;
>
>@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
> nr_pages += memslot->npages;
>
> nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
>- nr_mmu_pages = max(nr_mmu_pages,
>- (unsigned int) KVM_MIN_ALLOC_MMU_PAGES);
>+ nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES);
>
> return nr_mmu_pages;
> }
>diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
>index 58b2f51fdfdc..f3dc8f614512 100644
>--- a/arch/x86/kvm/mmu.h
>+++ b/arch/x86/kvm/mmu.h
>@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
> bool execonly);
> bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
>
>-static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
>+static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
> {
> if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
> return kvm->arch.n_max_mmu_pages -
>diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>index bd6b883f3075..00dd9ea13c22 100644
>--- a/arch/x86/kvm/vmx.c
>+++ b/arch/x86/kvm/vmx.c
>@@ -433,7 +433,6 @@ struct vcpu_vmx {
> u64 msr_guest_kernel_gs_base;
> #endif
>
>- u64 arch_capabilities;
> u64 spec_ctrl;
>
> u32 vm_entry_controls_shadow;
>@@ -2481,12 +2480,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>
> msr_info->data = to_vmx(vcpu)->spec_ctrl;
> break;
>- case MSR_IA32_ARCH_CAPABILITIES:
>- if (!msr_info->host_initiated &&
>- !guest_cpuid_has_arch_capabilities(vcpu))
>- return 1;
>- msr_info->data = to_vmx(vcpu)->arch_capabilities;
>- break;
> case MSR_IA32_SYSENTER_CS:
> msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
> break;
>@@ -2636,11 +2629,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
> MSR_TYPE_W);
> break;
>- case MSR_IA32_ARCH_CAPABILITIES:
>- if (!msr_info->host_initiated)
>- return 1;
>- vmx->arch_capabilities = data;
>- break;
> case MSR_IA32_CR_PAT:
> if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
> if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
>@@ -4583,9 +4571,6 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
> ++vmx->nmsrs;
> }
>
>- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
>- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities);
>-
> vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
>
> /* 22.2.1, 20.8.1 */
>diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>index cab3ca9d3f03..2c0f1ea119d6 100644
>--- a/arch/x86/kvm/x86.c
>+++ b/arch/x86/kvm/x86.c
>@@ -2089,6 +2089,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> case MSR_F15H_EX_CFG:
> break;
>
>+ case MSR_IA32_ARCH_CAPABILITIES:
>+ if (!msr_info->host_initiated)
>+ return 1;
>+ vcpu->arch.arch_capabilities = data;
>+ break;
> case MSR_EFER:
> return set_efer(vcpu, data);
> case MSR_K7_HWCR:
>@@ -2479,6 +2484,12 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> case MSR_IA32_UCODE_REV:
> msr_info->data = 0x100000000ULL;
> break;
>+ case MSR_IA32_ARCH_CAPABILITIES:
>+ if (!msr_info->host_initiated &&
>+ !guest_cpuid_has_arch_capabilities(vcpu))
>+ return 1;
>+ msr_info->data = vcpu->arch.arch_capabilities;
>+ break;
> case MSR_MTRRcap:
> msr_info->data = 0x500 | KVM_NR_VAR_MTRR;
> break;
>@@ -3518,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map_addr(struct kvm *kvm,
> }
>
> static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
>- u32 kvm_nr_mmu_pages)
>+ unsigned long kvm_nr_mmu_pages)
> {
> if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES)
> return -EINVAL;
>@@ -3532,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
> return 0;
> }
>
>-static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
>+static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
> {
> return kvm->arch.n_max_mmu_pages;
> }
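
Review bot: kvm_vm_ioctl_get_nr_mmu_pages() now returns `unsigned long`, so the result is only as wide as the variable the ioctl dispatcher stores it in. If the caller assigns it to an `int`, the widening stops at this function; please check the call site, which is not part of this hunk.
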
>@@ -6957,6 +6968,9 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
> {
> int r;
>
>+ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
>+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES,
>+ vcpu->arch.arch_capabilities);
> vcpu->arch.mtrr_state.have_fixed = 1;
> r = vcpu_load(vcpu);
> if (r)
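
Review bot: kvm_arch_vcpu_setup() copies the host's MSR_IA32_ARCH_CAPABILITIES into `vcpu->arch.arch_capabilities` unfiltered, and on hosts without X86_FEATURE_ARCH_CAPABILITIES the field is not written here at all. Since the cpuid.c change in this patch advertises the MSR to guests regardless of host support, add a comment stating which value the guest reads in that case and that userspace can override it through the host-initiated write path in kvm_set_msr_common().
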
>diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c
>index 7d2c317bd98b..922525c0d25c 100644
>--- a/arch/xtensa/kernel/stacktrace.c
>+++ b/arch/xtensa/kernel/stacktrace.c
>@@ -107,10 +107,14 @@ static int return_address_cb(struct stackframe *frame, void *data)
> return 1;
> }
>
>+/*
>+ * level == 0 is for the return address from the caller of this function,
>+ * not from this function itself.
>+ */
> unsigned long return_address(unsigned level)
> {
> struct return_addr_data r = {
>- .skip = level + 1,
>+ .skip = level,
> };
> walk_stackframe(stack_pointer(NULL), return_address_cb, &r);
> return r.addr;
>diff --git a/block/bio.c b/block/bio.c
>index 4218dab2bb47..3163dac6735d 100644
>--- a/block/bio.c
>+++ b/block/bio.c
>@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
> }
> }
>
>- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
>+ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
>+ if (!map_data)
>+ __free_page(page);
> break;
>+ }
>
> len -= bytes;
> offset = 0;
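Review bot: The added __free_page(page) in the bio_add_pc_page() failure branch is guarded by !map_data with no explanation. If the reason is that pages taken from map_data belong to the caller and only pages allocated in this loop may be freed here, say so in a short comment so the ownership rule is not lost in later edits.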
>diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
>index f1ea8e56cd87..7abcfa6b055c 100644
>--- a/drivers/acpi/acpica/nsobject.c
>+++ b/drivers/acpi/acpica/nsobject.c
>@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
> }
> }
>
>+ if (obj_desc->common.type == ACPI_TYPE_REGION) {
>+ acpi_ut_remove_address_range(obj_desc->region.space_id, node);
>+ }
>+
> /* Clear the Node entry in all cases */
>
> node->object = NULL;
>diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
>index df51673d6591..3999b8c6a09d 100644
>--- a/drivers/block/floppy.c
>+++ b/drivers/block/floppy.c
>@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
> raw_cmd->kernel_data = floppy_track_buffer;
> raw_cmd->length = 4 * F_SECT_PER_TRACK;
>
>+ if (!F_SECT_PER_TRACK)
>+ return;
>+
> /* allow for about 30ms for data transport per track */
> head_shift = (F_SECT_PER_TRACK + 5) / 6;
>
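Review bot: The new zero check in setup_format_params() sits after raw_cmd->length has already been set to 4 * F_SECT_PER_TRACK, so on the early return the function leaves a zero-length raw_cmd behind and, being void, gives its caller no signal that the format parameters were not set up. Consider testing F_SECT_PER_TRACK at the top of the function, or add a comment naming the later check that stops the format request.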
>@@ -3233,8 +3236,12 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> int cnt;
>
> /* sanity checking for parameters. */
>- if (g->sect <= 0 ||
>- g->head <= 0 ||
>+ if ((int)g->sect <= 0 ||
>+ (int)g->head <= 0 ||
>+ /* check for overflow in max_sector */
>+ (int)(g->sect * g->head) <= 0 ||
>+ /* check for zero in F_SECT_PER_TRACK */
>+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> /* check if reserved bits are set */
> (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
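Review bot: The overflow test (int)(g->sect * g->head) <= 0 in set_geometry() only rejects products that wrap to zero or to a value with the top bit set. If sect and head are unsigned int, as the added (int) casts suggest, a product can wrap past 2^32 and land on a small positive value that passes this test. Bounding each factor first, or doing the multiplication in a wider type and comparing against INT_MAX, would close that gap.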
>@@ -3378,6 +3385,24 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
> return 0;
> }
>
>+static bool valid_floppy_drive_params(const short autodetect[8],
>+ int native_format)
>+{
>+ size_t floppy_type_size = ARRAY_SIZE(floppy_type);
>+ size_t i = 0;
>+
>+ for (i = 0; i < 8; ++i) {
>+ if (autodetect[i] < 0 ||
>+ autodetect[i] >= floppy_type_size)
>+ return false;
>+ }
>+
>+ if (native_format < 0 || native_format >= floppy_type_size)
>+ return false;
>+
>+ return true;
>+}
>+
> static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
> unsigned long param)
> {
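Review bot: valid_floppy_drive_params() hard-codes 8 both in the parameter type and in the loop bound, and initialises i twice (size_t i = 0 and again in the for statement). Taking the bound from the size of the autodetect array, or from a named constant, keeps the check correct if the array size ever changes; the redundant initialiser can go.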
>@@ -3504,6 +3529,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
> SUPBOUND(size, strlen((const char *)outparam) + 1);
> break;
> case FDSETDRVPRM:
>+ if (!valid_floppy_drive_params(inparam.dp.autodetect,
>+ inparam.dp.native_format))
>+ return -EINVAL;
> *UDP = inparam.dp;
> break;
> case FDGETDRVPRM:
>diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c
>index ab3ea62e5dfc..f98a9207ec7e 100644
>--- a/drivers/block/xsysace.c
>+++ b/drivers/block/xsysace.c
>@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace)
> return 0;
>
> err_read:
>+ /* prevent double queue cleanup */
>+ ace->gd->queue = NULL;
> put_disk(ace->gd);
> err_alloc_disk:
> blk_cleanup_queue(ace->queue);
>diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
>index 0bc8a6a6a148..353ed68db711 100644
>--- a/drivers/bluetooth/hci_ath.c
>+++ b/drivers/bluetooth/hci_ath.c
>@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu)
>
> BT_DBG("hu %p", hu);
>
>+ if (!hci_uart_has_flow_control(hu))
>+ return -EOPNOTSUPP;
>+
> ath = kzalloc(sizeof(*ath), GFP_KERNEL);
> if (!ath)
> return -ENOMEM;
>diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
>index e00f8f5b5c8e..9ad437053e22 100644
>--- a/drivers/bluetooth/hci_ldisc.c
>+++ b/drivers/bluetooth/hci_ldisc.c
>@@ -261,6 +261,15 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
> return 0;
> }
>
>+/* Check the underlying device or tty has flow control support */
>+bool hci_uart_has_flow_control(struct hci_uart *hu)
>+{
>+ if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
>+ return true;
>+
>+ return false;
>+}
>+
> /* ------ LDISC part ------ */
> /* hci_uart_tty_open
> *
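Review bot: hci_uart_has_flow_control() dereferences hu->tty->driver->ops without checking any link in the chain, so it is only safe for callers that run once hu->tty is set; the comment above the function should say so. The if / return true / return false body can also be a single return of the && expression.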
>diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
>index 12df101ca942..58e0bb8c041b 100644
>--- a/drivers/bluetooth/hci_uart.h
>+++ b/drivers/bluetooth/hci_uart.h
>@@ -90,6 +90,7 @@ int hci_uart_register_proto(struct hci_uart_proto *p);
> int hci_uart_unregister_proto(struct hci_uart_proto *p);
> int hci_uart_tx_wakeup(struct hci_uart *hu);
> int hci_uart_init_ready(struct hci_uart *hu);
>+bool hci_uart_has_flow_control(struct hci_uart *hu);
>
> #ifdef CONFIG_BT_HCIUART_H4
> int h4_init(void);
>diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c
>index b2239d678d01..f2c092676e01 100644
>--- a/drivers/gpio/gpio-adnp.c
>+++ b/drivers/gpio/gpio-adnp.c
>@@ -140,8 +140,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
> if (err < 0)
> goto out;
>
>- if (err & BIT(pos))
>- err = -EACCES;
>+ if (value & BIT(pos)) {
>+ err = -EPERM;
>+ goto out;
>+ }
>
> err = 0;
>
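Review bot: The errno returned by adnp_gpio_direction_input() when the pin's bit is set changes from -EACCES to -EPERM in this hunk, alongside the switch from testing err to testing value. That is a caller-visible change and should be called out in the commit message or a comment, since any caller comparing against -EACCES will no longer match.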
>diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
>index dbcea7941059..3837cbdaf100 100644
>--- a/drivers/iio/adc/ad_sigma_delta.c
>+++ b/drivers/iio/adc/ad_sigma_delta.c
>@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta,
> if (sigma_delta->info->has_registers) {
> data[0] = reg << sigma_delta->info->addr_shift;
> data[0] |= sigma_delta->info->read_mask;
>+ data[0] |= sigma_delta->comm;
> spi_message_add_tail(&t[0], &m);
> }
> spi_message_add_tail(&t[1], &m);
>diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c
>index 10d5ec213091..2f7ad2538cec 100644
>--- a/drivers/iio/adc/at91_adc.c
>+++ b/drivers/iio/adc/at91_adc.c
>@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_dev *idev,
> ret = wait_event_interruptible_timeout(st->wq_data_avail,
> st->done,
> msecs_to_jiffies(1000));
>- if (ret == 0)
>- ret = -ETIMEDOUT;
>- if (ret < 0) {
>- mutex_unlock(&st->lock);
>- return ret;
>- }
>-
>- *val = st->last_value;
>
>+ /* Disable interrupts, regardless if adc conversion was
>+ * successful or not
>+ */
> at91_adc_writel(st, AT91_ADC_CHDR,
> AT91_ADC_CH(chan->channel));
> at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
>
>- st->last_value = 0;
>- st->done = false;
>+ if (ret > 0) {
>+ /* a valid conversion took place */
>+ *val = st->last_value;
>+ st->last_value = 0;
>+ st->done = false;
>+ ret = IIO_VAL_INT;
>+ } else if (ret == 0) {
>+ /* conversion timeout */
>+ dev_err(&idev->dev, "ADC Channel %d timeout.\n",
>+ chan->channel);
>+ ret = -ETIMEDOUT;
>+ }
>+
> mutex_unlock(&st->lock);
>- return IIO_VAL_INT;
>+ return ret;
>
> case IIO_CHAN_INFO_SCALE:
> *val = st->vref_mv;
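Review bot: In the new if / else if chain at the end of this at91_adc_read_raw() case, the ret < 0 outcome (wait interrupted) has no branch and no comment; it falls through to the unlock with st->done and st->last_value untouched. Add an explicit else branch or a comment saying that this is intended, so a reader does not have to infer it from the return values of wait_event_interruptible_timeout().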
>diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c
>index b4dde8315210..89f695a958e9 100644
>--- a/drivers/iio/dac/mcp4725.c
>+++ b/drivers/iio/dac/mcp4725.c
>@@ -86,6 +86,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev,
> return 0;
>
> inoutbuf[0] = 0x60; /* write EEPROM */
>+ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0;
> inoutbuf[1] = data->dac_value >> 4;
> inoutbuf[2] = (data->dac_value & 0xf) << 4;
>
>diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
>index 7562531ebf0e..77b19ca8b763 100644
>--- a/drivers/iio/industrialio-buffer.c
>+++ b/drivers/iio/industrialio-buffer.c
>@@ -836,10 +836,8 @@ int iio_scan_mask_set(struct iio_dev *indio_dev,
> const unsigned long *mask;
> unsigned long *trialmask;
>
>- trialmask = kmalloc(sizeof(*trialmask)*
>- BITS_TO_LONGS(indio_dev->masklength),
>- GFP_KERNEL);
>-
>+ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength),
>+ sizeof(*trialmask), GFP_KERNEL);
> if (trialmask == NULL)
> return -ENOMEM;
> if (!indio_dev->masklength) {
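Review bot: In iio_scan_mask_set() the !indio_dev->masklength test still comes after the kcalloc(), so a zero masklength requests a zero-sized allocation before it is handled. Moving that test ahead of the allocation would be simpler.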
>diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
>index 4d1b400ed260..5ea56edcdf42 100644
>--- a/drivers/iio/industrialio-core.c
>+++ b/drivers/iio/industrialio-core.c
>@@ -1195,12 +1195,12 @@ EXPORT_SYMBOL(iio_device_register);
> **/
> void iio_device_unregister(struct iio_dev *indio_dev)
> {
>- mutex_lock(&indio_dev->info_exist_lock);
>-
> device_del(&indio_dev->dev);
>
> if (indio_dev->chrdev.dev)
> cdev_del(&indio_dev->chrdev);
>+
>+ mutex_lock(&indio_dev->info_exist_lock);
> iio_device_unregister_debugfs(indio_dev);
>
> iio_disable_all_buffers(indio_dev);
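Review bot: iio_device_unregister() now calls device_del() and cdev_del() before taking info_exist_lock, but nothing in the code says why the lock must not be held across them. Add a comment at the mutex_lock() explaining the ordering, otherwise a later cleanup is likely to move the lock back to the top of the function.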
>diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c
>index 0eb141c41416..fb60229bf191 100644
>--- a/drivers/infiniband/hw/mlx4/alias_GUID.c
>+++ b/drivers/infiniband/hw/mlx4/alias_GUID.c
>@@ -579,8 +579,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev)
> unsigned long flags;
>
> for (i = 0 ; i < dev->num_ports; i++) {
>- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work);
> det = &sriov->alias_guid.ports_guid[i];
>+ cancel_delayed_work_sync(&det->alias_guid_work);
> spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags);
> while (!list_empty(&det->cb_list)) {
> cb_ctx = list_entry(det->cb_list.next,
>diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
>index fe1ab5067b5d..cf3af3a3297a 100644
>--- a/drivers/input/tablet/gtco.c
>+++ b/drivers/input/tablet/gtco.c
>@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
>
> /* Max size of a single report */
> #define REPORT_MAX_SIZE 10
>+#define MAX_COLLECTION_LEVELS 10
>
>
> /* Bitmask whether pen is in range */
>@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> char maintype = 'x';
> char globtype[12];
> int indent = 0;
>- char indentstr[10] = "";
>-
>+ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
>
> dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
>
>@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> case TAG_MAIN_COL_START:
> maintype = 'S';
>
>+ if (indent == MAX_COLLECTION_LEVELS) {
>+ dev_err(ddev, "Collection level %d would exceed limit of %d\n",
>+ indent + 1,
>+ MAX_COLLECTION_LEVELS);
>+ break;
>+ }
>+
> if (data == 0) {
> dev_dbg(ddev, "======>>>>>> Physical\n");
> strcpy(globtype, "Physical");
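Review bot: When indent == MAX_COLLECTION_LEVELS the TAG_MAIN_COL_START case breaks out without entering the new level, but the TAG_MAIN_COL_END that closes that skipped collection will still run indent--, so from that point the tracked depth is one lower than the descriptor's real nesting. Either stop parsing the descriptor once the limit is hit or count the skipped levels so that start and end tags stay paired.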
>@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> break;
>
> case TAG_MAIN_COL_END:
>- dev_dbg(ddev, "<<<<<<======\n");
> maintype = 'E';
>+
>+ if (indent == 0) {
>+ dev_err(ddev, "Collection level already at zero\n");
>+ break;
>+ }
>+
>+ dev_dbg(ddev, "<<<<<<======\n");
>+
> indent--;
> for (x = 0; x < indent; x++)
> indentstr[x] = '-';
>diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
>index 48b726f4ad48..006f4f9a3170 100644
>--- a/drivers/iommu/amd_iommu_init.c
>+++ b/drivers/iommu/amd_iommu_init.c
>@@ -293,7 +293,7 @@ static void iommu_write_l2(struct amd_iommu *iommu, u8 address, u32 val)
> static void iommu_set_exclusion_range(struct amd_iommu *iommu)
> {
> u64 start = iommu->exclusion_start & PAGE_MASK;
>- u64 limit = (start + iommu->exclusion_length) & PAGE_MASK;
>+ u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK;
> u64 entry;
>
> if (!iommu->exclusion_start)
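Review bot: With limit computed as (start + iommu->exclusion_length - 1) & PAGE_MASK, an exclusion_length of 0 puts limit one page below start. The only guard visible in iommu_set_exclusion_range() is the !iommu->exclusion_start test, so either check exclusion_length as well or note in a comment where a zero length is ruled out.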
>diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
>index b60eb1cca150..c2a44d2ca5b6 100644
>--- a/drivers/iommu/intel-iommu.c
>+++ b/drivers/iommu/intel-iommu.c
>@@ -1394,6 +1394,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
> u32 pmen;
> unsigned long flags;
>
>+ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
>+ return;
>+
> raw_spin_lock_irqsave(&iommu->register_lock, flags);
> pmen = readl(iommu->reg + DMAR_PMEN_REG);
> pmen &= ~DMA_PMEN_EPM;
>diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
>index f5f1837dfa5b..b010f9600d87 100644
>--- a/drivers/md/dm-table.c
>+++ b/drivers/md/dm-table.c
>@@ -1432,6 +1432,36 @@ static bool dm_table_supports_write_same(struct dm_table *t)
> return true;
> }
>
>+static int device_requires_stable_pages(struct dm_target *ti,
>+ struct dm_dev *dev, sector_t start,
>+ sector_t len, void *data)
>+{
>+ struct request_queue *q = bdev_get_queue(dev->bdev);
>+
>+ return q && bdi_cap_stable_pages_required(&q->backing_dev_info);
>+}
>+
>+/*
>+ * If any underlying device requires stable pages, a table must require
>+ * them as well. Only targets that support iterate_devices are considered:
>+ * don't want error, zero, etc to require stable pages.
>+ */
>+static bool dm_table_requires_stable_pages(struct dm_table *t)
>+{
>+ struct dm_target *ti;
>+ unsigned i;
>+
>+ for (i = 0; i < dm_table_get_num_targets(t); i++) {
>+ ti = dm_table_get_target(t, i);
>+
>+ if (ti->type->iterate_devices &&
>+ ti->type->iterate_devices(ti, device_requires_stable_pages, NULL))
>+ return true;
>+ }
>+
>+ return false;
>+}
>+
> void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
> struct queue_limits *limits)
> {
>@@ -1473,6 +1503,15 @@ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
>
> dm_table_set_integrity(t);
>
>+ /*
>+ * Some devices don't use blk_integrity but still want stable pages
>+ * because they do their own checksumming.
>+ */
>+ if (dm_table_requires_stable_pages(t))
>+ q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES;
>+ else
>+ q->backing_dev_info.capabilities &= ~BDI_CAP_STABLE_WRITES;
>+
> /*
> * Determine whether or not this queue's I/O timings contribute
> * to the entropy pool, Only request-based targets use this.
>diff --git a/drivers/md/dm.c b/drivers/md/dm.c
>index 043ad8d8d700..30ae713aecf8 100644
>--- a/drivers/md/dm.c
>+++ b/drivers/md/dm.c
>@@ -756,6 +756,15 @@ static void dec_pending(struct dm_io *io, int error)
> }
> }
>
>+static void disable_discard(struct mapped_device *md)
>+{
>+ struct queue_limits *limits = dm_get_queue_limits(md);
>+
>+ /* device doesn't really support DISCARD, disable it */
>+ limits->max_discard_sectors = 0;
>+ queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue);
>+}
>+
> static void disable_write_same(struct mapped_device *md)
> {
> struct queue_limits *limits = dm_get_queue_limits(md);
>@@ -792,9 +801,14 @@ static void clone_endio(struct bio *bio, int error)
> }
> }
>
>- if (unlikely(r == -EREMOTEIO && (bio->bi_rw & REQ_WRITE_SAME) &&
>- !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors))
>- disable_write_same(md);
>+ if (unlikely(r == -EREMOTEIO)) {
>+ if (bio->bi_rw & REQ_DISCARD &&
>+ !bdev_get_queue(bio->bi_bdev)->limits.max_discard_sectors)
>+ disable_discard(md);
>+ else if (bio->bi_rw & REQ_WRITE_SAME &&
>+ !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors)
>+ disable_write_same(md);
>+ }
>
> free_tio(md, tio);
> dec_pending(io, error);
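Review bot: The rewritten condition in clone_endio() drops the parentheses the old code had around the flag test, leaving "bio->bi_rw & REQ_DISCARD && !..." to rely on & binding tighter than &&. It is correct, but please keep the explicit parentheses around each flag test for readability; the same applies to the matching block added to dm_done().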
>@@ -996,9 +1010,14 @@ static void dm_done(struct request *clone, int error, bool mapped)
> r = rq_end_io(tio->ti, clone, error, &tio->info);
> }
>
>- if (unlikely(r == -EREMOTEIO && (clone->cmd_flags & REQ_WRITE_SAME) &&
>- !clone->q->limits.max_write_same_sectors))
>- disable_write_same(tio->md);
>+ if (unlikely(r == -EREMOTEIO)) {
>+ if (clone->cmd_flags & REQ_DISCARD &&
>+ !clone->q->limits.max_discard_sectors)
>+ disable_discard(tio->md);
>+ else if (clone->cmd_flags & REQ_WRITE_SAME &&
>+ !clone->q->limits.max_write_same_sectors)
>+ disable_write_same(tio->md);
>+ }
>
> if (r <= 0)
> /* The target wants to complete the I/O */
>diff --git a/drivers/media/usb/tlg2300/pd-common.h b/drivers/media/usb/tlg2300/pd-common.h
>index 9e23ad32d2fe..562a58886ca2 100644
>--- a/drivers/media/usb/tlg2300/pd-common.h
>+++ b/drivers/media/usb/tlg2300/pd-common.h
>@@ -257,7 +257,7 @@ void set_debug_mode(struct video_device *vfd, int debug_mode);
> #else
> #define in_hibernation(pd) (0)
> #endif
>-#define get_pm_count(p) (atomic_read(&(p)->interface->pm_usage_cnt))
>+#define get_pm_count(p) (atomic_read(&(p)->interface->dev.power.usage_count))
>
> #define log(a, ...) printk(KERN_DEBUG "\t[ %s : %.3d ] "a"\n", \
> __func__, __LINE__, ## __VA_ARGS__)
>diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
>index 92303daf44dc..40047a2f4696 100644
>--- a/drivers/mtd/chips/cfi_cmdset_0002.c
>+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
>@@ -1538,7 +1538,11 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
> continue;
> }
>
>- if (time_after(jiffies, timeo) && !chip_ready(map, adr))
>+ /*
>+ * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
>+ * the failure due to scheduling.
>+ */
>+ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
> break;
>
> if (chip_good(map, adr, datum)) {
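Review bot: The comment added in do_write_buffer() is hard to follow: it says "time_after" and "!chip_good" are checked before "chip_good", which restates the order of the code without saying what goes wrong otherwise. Spell out the scheduling case being guarded against, and why the timeout test now uses chip_good() with datum rather than chip_ready().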
>diff --git a/drivers/net/ethernet/3com/3c515.c b/drivers/net/ethernet/3com/3c515.c
>index 94c656f5a05d..d4552e2c7189 100644
>--- a/drivers/net/ethernet/3com/3c515.c
>+++ b/drivers/net/ethernet/3com/3c515.c
>@@ -1524,7 +1524,7 @@ static void update_stats(int ioaddr, struct net_device *dev)
> static void set_rx_mode(struct net_device *dev)
> {
> int ioaddr = dev->base_addr;
>- short new_mode;
>+ unsigned short new_mode;
>
> if (dev->flags & IFF_PROMISC) {
> if (corkscrew_debug > 3)
>diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c
>index 90e825e8abfe..02beb18942d2 100644
>--- a/drivers/net/ethernet/8390/mac8390.c
>+++ b/drivers/net/ethernet/8390/mac8390.c
>@@ -153,11 +153,6 @@ static void dayna_block_input(struct net_device *dev, int count,
> static void dayna_block_output(struct net_device *dev, int count,
> const unsigned char *buf, int start_page);
>
>-#define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c))
>-#define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c))
>-
>-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c))
>-
> /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
> static void slow_sane_get_8390_hdr(struct net_device *dev,
> struct e8390_pkt_hdr *hdr, int ring_page);
>@@ -244,19 +239,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev)
>
> static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
> {
>- unsigned long outdata = 0xA5A0B5B0;
>- unsigned long indata = 0x00000000;
>+ u32 outdata = 0xA5A0B5B0;
>+ u32 indata = 0;
>+
> /* Try writing 32 bits */
>- memcpy_toio(membase, &outdata, 4);
>- /* Now compare them */
>- if (memcmp_withio(&outdata, membase, 4) == 0)
>+ nubus_writel(outdata, membase);
>+ /* Now read it back */
>+ indata = nubus_readl(membase);
>+ if (outdata == indata)
> return ACCESS_32;
>+
>+ outdata = 0xC5C0D5D0;
>+ indata = 0;
>+
> /* Write 16 bit output */
> word_memcpy_tocard(membase, &outdata, 4);
> /* Now read it back */
> word_memcpy_fromcard(&indata, membase, 4);
> if (outdata == indata)
> return ACCESS_16;
>+
> return ACCESS_UNKNOWN;
> }
>
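Review bot: mac8390_testio() switches outdata to 0xC5C0D5D0 and clears indata before the 16-bit probe, with no comment on why a second pattern is needed. If the aim is to keep the value left in card memory by the 32-bit write from satisfying the 16-bit comparison, one line saying so would document the intent.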
>@@ -742,7 +744,7 @@ static void sane_get_8390_hdr(struct net_device *dev,
> struct e8390_pkt_hdr *hdr, int ring_page)
> {
> unsigned long hdr_start = (ring_page - WD_START_PG)<<8;
>- memcpy_fromio(hdr, dev->mem_start + hdr_start, 4);
>+ memcpy_fromio(hdr, (void __iomem *)dev->mem_start + hdr_start, 4);
> /* Fix endianness */
> hdr->count = swab16(hdr->count);
> }
>@@ -756,13 +758,16 @@ static void sane_block_input(struct net_device *dev, int count,
> if (xfer_start + count > ei_status.rmem_end) {
> /* We must wrap the input move. */
> int semi_count = ei_status.rmem_end - xfer_start;
>- memcpy_fromio(skb->data, dev->mem_start + xfer_base,
>+ memcpy_fromio(skb->data,
>+ (void __iomem *)dev->mem_start + xfer_base,
> semi_count);
> count -= semi_count;
>- memcpy_fromio(skb->data + semi_count, ei_status.rmem_start,
>- count);
>+ memcpy_fromio(skb->data + semi_count,
>+ (void __iomem *)ei_status.rmem_start, count);
> } else {
>- memcpy_fromio(skb->data, dev->mem_start + xfer_base, count);
>+ memcpy_fromio(skb->data,
>+ (void __iomem *)dev->mem_start + xfer_base,
>+ count);
> }
> }
>
>@@ -771,7 +776,7 @@ static void sane_block_output(struct net_device *dev, int count,
> {
> long shmem = (start_page - WD_START_PG)<<8;
>
>- memcpy_toio(dev->mem_start + shmem, buf, count);
>+ memcpy_toio((void __iomem *)dev->mem_start + shmem, buf, count);
> }
>
> /* dayna block input/output */
>diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
>index 4332ebbd7162..39f4b38fd068 100644
>--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
>+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
>@@ -2381,6 +2381,7 @@ static void *__vxge_hw_blockpool_malloc(struct __vxge_hw_device *devh, u32 size,
> vxge_os_dma_free(devh->pdev, memblock,
> &dma_object->acc_handle);
> status = VXGE_HW_ERR_OUT_OF_MEMORY;
>+ memblock = NULL;
> goto exit;
> }
>
>diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
>index 47eba38ae526..75cc676a3239 100644
>--- a/drivers/net/macvtap.c
>+++ b/drivers/net/macvtap.c
>@@ -16,7 +16,6 @@
> #include <linux/idr.h>
> #include <linux/fs.h>
>
>-#include <net/ipv6.h>
> #include <net/net_namespace.h>
> #include <net/rtnetlink.h>
> #include <net/sock.h>
>@@ -571,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
> break;
> case VIRTIO_NET_HDR_GSO_UDP:
> gso_type = SKB_GSO_UDP;
>- if (skb->protocol == htons(ETH_P_IPV6))
>- ipv6_proxy_select_ident(skb);
> break;
> default:
> return -EINVAL;
>diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
>index 7a6d2f8c5201..77fcb1bd81bc 100644
>--- a/drivers/net/phy/phy_device.c
>+++ b/drivers/net/phy/phy_device.c
>@@ -1072,7 +1072,10 @@ int genphy_soft_reset(struct phy_device *phydev)
> {
> int ret;
>
>- ret = phy_write(phydev, MII_BMCR, BMCR_RESET);
>+ ret = phy_read(phydev, MII_BMCR);
>+ if (ret < 0)
>+ return ret;
>+ ret = phy_write(phydev, MII_BMCR, ret | BMCR_RESET);
> if (ret < 0)
> return ret;
>
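Review bot: genphy_soft_reset() now reuses ret as the BMCR contents in phy_write(phydev, MII_BMCR, ret | BMCR_RESET), mixing an error code and a register value in one variable. A separate local for the register value would read more clearly, and a short comment on why the existing BMCR bits have to be preserved across the reset would help.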
>diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
>index 5dd0fe1635b9..a97b20773508 100644
>--- a/drivers/net/ppp/pptp.c
>+++ b/drivers/net/ppp/pptp.c
>@@ -284,7 +284,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
> nf_reset(skb);
>
> skb->ip_summed = CHECKSUM_NONE;
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(sock_net(sk), skb, NULL);
> ip_send_check(iph);
>
> ip_local_out(skb);
>diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
>index b52eabc168a0..f8234b5439f5 100644
>--- a/drivers/net/slip/slhc.c
>+++ b/drivers/net/slip/slhc.c
>@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
> void
> slhc_free(struct slcompress *comp)
> {
>- if ( comp == NULLSLCOMPR )
>+ if ( IS_ERR_OR_NULL(comp) )
> return;
>
> if ( comp->tstate != NULLSLSTATE )
>diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
>index d6511041c766..8d408cd7c170 100644
>--- a/drivers/net/team/team.c
>+++ b/drivers/net/team/team.c
>@@ -1116,6 +1116,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
> return -EINVAL;
> }
>
>+ if (netdev_has_upper_dev(dev, port_dev)) {
>+ netdev_err(dev, "Device %s is already an upper device of the team interface\n",
>+ portname);
>+ return -EBUSY;
>+ }
>+
> if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
> vlan_uses_dev(dev)) {
> netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
>diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>index 48ac45f26fa3..1bbcb278e6df 100644
>--- a/drivers/net/tun.c
>+++ b/drivers/net/tun.c
>@@ -65,7 +65,6 @@
> #include <linux/nsproxy.h>
> #include <linux/virtio_net.h>
> #include <linux/rcupdate.h>
>-#include <net/ipv6.h>
> #include <net/net_namespace.h>
> #include <net/netns/generic.h>
> #include <net/rtnetlink.h>
>@@ -1143,8 +1142,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> break;
> }
>
>- skb_reset_network_header(skb);
>-
> if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
> pr_debug("GSO!\n");
> switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
>@@ -1156,8 +1153,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> break;
> case VIRTIO_NET_HDR_GSO_UDP:
> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>- if (skb->protocol == htons(ETH_P_IPV6))
>- ipv6_proxy_select_ident(skb);
> break;
> default:
> tun->dev->stats.rx_frame_errors++;
>@@ -1187,6 +1182,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
> }
>
>+ skb_reset_network_header(skb);
> skb_probe_transport_header(skb, 0);
>
> rxhash = skb_get_hash(skb);
>diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
>index d13f25cd70d5..91aebb03841e 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00.h
>+++ b/drivers/net/wireless/rt2x00/rt2x00.h
>@@ -666,7 +666,6 @@ enum rt2x00_state_flags {
> CONFIG_CHANNEL_HT40,
> CONFIG_POWERSAVING,
> CONFIG_HT_DISABLED,
>- CONFIG_QOS_DISABLED,
>
> /*
> * Mark we currently are sequentially reading TX_STA_FIFO register
>diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
>index 004dff9b962d..e7c152dd0bef 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
>+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
>@@ -682,18 +682,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
> rt2x00dev->intf_associated--;
>
> rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
>-
>- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
> }
>
>- /*
>- * Check for access point which do not support 802.11e . We have to
>- * generate data frames sequence number in S/W for such AP, because
>- * of H/W bug.
>- */
>- if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
>- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
>-
> /*
> * When the erp information has changed, we should perform
> * additional configuration steps. For all other changes we are done.
>diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
>index 22d49d575d3f..8705092a052e 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
>+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
>@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
> if (!test_bit(REQUIRE_SW_SEQNO, &rt2x00dev->cap_flags)) {
> /*
> * rt2800 has a H/W (or F/W) bug, device incorrectly increase
>- * seqno on retransmited data (non-QOS) frames. To workaround
>- * the problem let's generate seqno in software if QOS is
>- * disabled.
>+ * seqno on retransmitted data (non-QOS) and management frames.
>+ * To workaround the problem let's generate seqno in software.
>+ * Except for beacons which are transmitted periodically by H/W
>+ * hence hardware has to assign seqno for them.
> */
>- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
>- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
>- else
>+ if (ieee80211_is_beacon(hdr->frame_control)) {
>+ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
> /* H/W will generate sequence number */
> return;
>+ }
>+
>+ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
> }
>
> /*
>diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
>index f5d1f51101cf..57cc4e7d2bbc 100644
>--- a/drivers/pci/quirks.c
>+++ b/drivers/pci/quirks.c
>@@ -3514,6 +3514,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
> /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
> DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
> quirk_dma_func1_alias);
>+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170,
>+ quirk_dma_func1_alias);
> /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */
> DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172,
> quirk_dma_func1_alias);
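Review bot: The new 0x9170 entry is inserted directly under the comment that cites bugzilla 42679#c14 for 0x9130, so it reads as if that report covers it. Add the bug or report reference for 0x9170 above the new DECLARE_PCI_FIXUP_HEADER line, as the neighbouring entries do.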
>diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
>index 21a6f6d76bbb..3a62c049696e 100644
>--- a/drivers/s390/scsi/zfcp_erp.c
>+++ b/drivers/s390/scsi/zfcp_erp.c
>@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action)
> add_timer(&erp_action->timer);
> }
>
>+void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
>+ int clear, char *dbftag)
>+{
>+ unsigned long flags;
>+ struct zfcp_port *port;
>+
>+ write_lock_irqsave(&adapter->erp_lock, flags);
>+ read_lock(&adapter->port_list_lock);
>+ list_for_each_entry(port, &adapter->port_list, list)
>+ _zfcp_erp_port_forced_reopen(port, clear, dbftag);
>+ read_unlock(&adapter->port_list_lock);
>+ write_unlock_irqrestore(&adapter->erp_lock, flags);
>+}
>+
> static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
> int clear, char *id)
> {
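Review bot: zfcp_erp_port_forced_reopen_all() takes adapter->erp_lock for writing with interrupts off and then port_list_lock for reading inside it, but the lock order is not documented anywhere in the hunk. Add a comment stating the required order, and a kernel-doc header describing clear and dbftag, since the function is declared in zfcp_ext.h for use from other files.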
>@@ -1313,6 +1327,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
> struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
> int lun_status;
>
>+ if (sdev->sdev_state == SDEV_DEL ||
>+ sdev->sdev_state == SDEV_CANCEL)
>+ continue;
> if (zsdev->port != port)
> continue;
> /* LUN under port of interest */
>diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
>index c5023d6811a8..cfe2a3b2d3b2 100644
>--- a/drivers/s390/scsi/zfcp_ext.h
>+++ b/drivers/s390/scsi/zfcp_ext.h
>@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32);
> extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *);
> extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
> extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
>+extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
>+ int clear, char *dbftag);
> extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
> extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
> extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
>diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
>index f213786fe96c..9e9f0ad00bef 100644
>--- a/drivers/s390/scsi/zfcp_scsi.c
>+++ b/drivers/s390/scsi/zfcp_scsi.c
>@@ -347,6 +347,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
> struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
> int ret = SUCCESS, fc_ret;
>
>+ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
>+ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
>+ zfcp_erp_wait(adapter);
>+ }
> zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
> zfcp_erp_wait(adapter);
> fc_ret = fc_block_scsi_eh(scpnt);
>diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
>index 7d5d66edae87..65826111d996 100644
>--- a/drivers/scsi/libsas/sas_expander.c
>+++ b/drivers/scsi/libsas/sas_expander.c
>@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task)
> unsigned long flags;
>
> spin_lock_irqsave(&task->task_state_lock, flags);
>- if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
>+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
> task->task_state_flags |= SAS_TASK_STATE_ABORTED;
>+ complete(&task->slow_task->completion);
>+ }
> spin_unlock_irqrestore(&task->task_state_lock, flags);
>-
>- complete(&task->slow_task->completion);
> }
>
> static void smp_task_done(struct sas_task *task)
> {
>- if (!del_timer(&task->slow_task->timer))
>- return;
>+ del_timer(&task->slow_task->timer);
> complete(&task->slow_task->completion);
> }
>
>diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
>index 0adf3cffddb0..87b6e1aa107a 100644
>--- a/drivers/staging/comedi/drivers/vmk80xx.c
>+++ b/drivers/staging/comedi/drivers/vmk80xx.c
>@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)
>
> size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
> devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
>- if (!devpriv->usb_tx_buf) {
>- kfree(devpriv->usb_rx_buf);
>+ if (!devpriv->usb_tx_buf)
> return -ENOMEM;
>- }
>
> return 0;
> }
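
Review bot: in the usb_tx_buf failure path of vmk80xx_alloc_usb_buffers() the kfree(devpriv->usb_rx_buf) is dropped, so the function returns -ENOMEM with usb_rx_buf still allocated. Nothing in this hunk shows who frees it afterwards; a short comment naming the teardown path that releases both buffers would make clear this is not a leak.
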
>@@ -872,6 +870,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
>
> devpriv->model = boardinfo->model;
>
>+ sema_init(&devpriv->limit_sem, 8);
>+
> ret = vmk80xx_find_usb_endpoints(dev);
> if (ret)
> return ret;
>@@ -880,8 +880,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
> if (ret)
> return ret;
>
>- sema_init(&devpriv->limit_sem, 8);
>-
> usb_set_intfdata(intf, devpriv);
>
> if (devpriv->model == VMK8061_MODEL) {
>diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c
>index bcfdb650c2c5..c318e263c1bb 100644
>--- a/drivers/staging/iio/meter/ade7854.c
>+++ b/drivers/staging/iio/meter/ade7854.c
>@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(S_IWUSR | S_IRUGO,
> static IIO_DEV_ATTR_IPEAK(S_IWUSR | S_IRUGO,
> ade7854_read_32bit,
> ade7854_write_32bit,
>- ADE7854_VPEAK);
>+ ADE7854_IPEAK);
> static IIO_DEV_ATTR_APHCAL(S_IWUSR | S_IRUGO,
> ade7854_read_16bit,
> ade7854_write_16bit,
>diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
>index 8ca7d7e68dca..2a0225900d89 100644
>--- a/drivers/staging/rtl8712/rtl8712_cmd.c
>+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
>@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
>
> static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
> {
>- u32 val;
>- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
> struct readBB_parm *prdbbparm;
> struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
>
> prdbbparm = (struct readBB_parm *)pcmd->parmbuf;
>- if (pcmd->rsp && pcmd->rspsz > 0)
>- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
>- pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
>- if (pcmd_callback == NULL)
>- r8712_free_cmd_obj(pcmd);
>- else
>- pcmd_callback(padapter, pcmd);
>+ r8712_free_cmd_obj(pcmd);
> return H2C_SUCCESS;
> }
>
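
Review bot: read_bbreg_hdl() still declares prdbbparm and assigns it from pcmd->parmbuf, but after this change nothing reads it. Drop the variable and the assignment together with `val` and `pcmd_callback`. The removed memcpy() copied the never-initialised local `val` into pcmd->rsp, so taking it out is the right direction; the leftover assignment is just dead code.
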
>diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
>index 039ab3e97172..efa2fc98907f 100644
>--- a/drivers/staging/rtl8712/rtl8712_cmd.h
>+++ b/drivers/staging/rtl8712/rtl8712_cmd.h
>@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
> static struct _cmd_callback cmd_callback[] = {
> {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
> {GEN_CMD_CODE(_Write_MACREG), NULL},
>- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
>+ {GEN_CMD_CODE(_Read_BBREG), NULL},
> {GEN_CMD_CODE(_Write_BBREG), NULL},
> {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
> {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
>diff --git a/drivers/staging/speakup/speakup_soft.c b/drivers/staging/speakup/speakup_soft.c
>index 9ed726509261..c5bf6b1aa80e 100644
>--- a/drivers/staging/speakup/speakup_soft.c
>+++ b/drivers/staging/speakup/speakup_soft.c
>@@ -213,10 +213,13 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
> DEFINE_WAIT(wait);
>
> spin_lock_irqsave(&speakup_info.spinlock, flags);
>+ synth_soft.alive = 1;
> while (1) {
> prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE);
>- if (!synth_buffer_empty() || speakup_info.flushing)
>- break;
>+ if (synth_current() == &synth_soft) {
>+ if (!synth_buffer_empty() || speakup_info.flushing)
>+ break;
>+ }
> spin_unlock_irqrestore(&speakup_info.spinlock, flags);
> if (fp->f_flags & O_NONBLOCK) {
> finish_wait(&speakup_event, &wait);
>@@ -234,6 +237,8 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
> cp = buf;
> init = get_initstring();
> while (chars_sent < count) {
>+ if (synth_current() != &synth_soft)
>+ break;
> if (speakup_info.flushing) {
> speakup_info.flushing = 0;
> ch = '\x18';
>@@ -286,7 +291,8 @@ static unsigned int softsynth_poll(struct file *fp,
> poll_wait(fp, &speakup_event, wait);
>
> spin_lock_irqsave(&speakup_info.spinlock, flags);
>- if (!synth_buffer_empty() || speakup_info.flushing)
>+ if (synth_current() == &synth_soft &&
>+ (!synth_buffer_empty() || speakup_info.flushing))
> ret = POLLIN | POLLRDNORM;
> spin_unlock_irqrestore(&speakup_info.spinlock, flags);
> return ret;
>diff --git a/drivers/staging/speakup/spk_priv.h b/drivers/staging/speakup/spk_priv.h
>index 637ba6760ec0..b669021455dd 100644
>--- a/drivers/staging/speakup/spk_priv.h
>+++ b/drivers/staging/speakup/spk_priv.h
>@@ -72,6 +72,7 @@ extern int synth_request_region(u_long, u_long);
> extern int synth_release_region(u_long, u_long);
> extern int synth_add(struct spk_synth *in_synth);
> extern void synth_remove(struct spk_synth *in_synth);
>+struct spk_synth *synth_current(void);
>
> extern struct speakup_info_t speakup_info;
>
>diff --git a/drivers/staging/speakup/synth.c b/drivers/staging/speakup/synth.c
>index 172cf62b1aaf..1219089af4b5 100644
>--- a/drivers/staging/speakup/synth.c
>+++ b/drivers/staging/speakup/synth.c
>@@ -475,4 +475,10 @@ void synth_remove(struct spk_synth *in_synth)
> }
> EXPORT_SYMBOL_GPL(synth_remove);
>
>+struct spk_synth *synth_current(void)
>+{
>+ return synth;
>+}
>+EXPORT_SYMBOL_GPL(synth_current);
>+
> short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC|B_SYM };
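
Review bot: synth_current() returns the global `synth` pointer with no locking and no comment on what callers must hold. The wait loop in softsynth_read() and the test in softsynth_poll() compare it under speakup_info.spinlock; a comment above the function should say whether that lock is required or whether a stale value is acceptable.
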
>diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c
>index 2ed1118d3d8b..7f10bc79a719 100644
>--- a/drivers/staging/usbip/stub_rx.c
>+++ b/drivers/staging/usbip/stub_rx.c
>@@ -375,16 +375,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
> }
>
> if (usb_endpoint_xfer_isoc(epd)) {
>- /* validate packet size and number of packets */
>- unsigned int maxp, packets, bytes;
>-
>- maxp = usb_endpoint_maxp(epd);
>- maxp *= usb_endpoint_maxp_mult(epd);
>- bytes = pdu->u.cmd_submit.transfer_buffer_length;
>- packets = DIV_ROUND_UP(bytes, maxp);
>-
>+ /* validate number of packets */
> if (pdu->u.cmd_submit.number_of_packets < 0 ||
>- pdu->u.cmd_submit.number_of_packets > packets) {
>+ pdu->u.cmd_submit.number_of_packets >
>+ USBIP_MAX_ISO_PACKETS) {
> dev_err(&sdev->udev->dev,
> "CMD_SUBMIT: isoc invalid num packets %d\n",
> pdu->u.cmd_submit.number_of_packets);
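
Review bot: the isochronous check in get_pipe() no longer ties number_of_packets to transfer_buffer_length and the endpoint's maximum packet size; it only caps the count at USBIP_MAX_ISO_PACKETS. Both fields come from the received PDU, so the commit should state where the per-packet offsets and lengths are checked against the transfer buffer, or keep a consistency check here alongside the fixed cap.
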
>diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h
>index 58787c49fb68..8b358911563b 100644
>--- a/drivers/staging/usbip/usbip_common.h
>+++ b/drivers/staging/usbip/usbip_common.h
>@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug;
> #define USBIP_DIR_OUT 0x00
> #define USBIP_DIR_IN 0x01
>
>+/*
>+ * Arbitrary limit for the maximum number of isochronous packets in an URB,
>+ * compare for example the uhci_submit_isochronous function in
>+ * drivers/usb/host/uhci-q.c
>+ */
>+#define USBIP_MAX_ISO_PACKETS 1024
>+
> /**
> * struct usbip_header_basic - data pertinent to every request
> * @command: the usbip request type
>diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
>index bc1c68c926bd..d8676716467b 100644
>--- a/drivers/tty/serial/atmel_serial.c
>+++ b/drivers/tty/serial/atmel_serial.c
>@@ -1045,6 +1045,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
> sg_dma_len(&atmel_port->sg_rx)/2,
> DMA_DEV_TO_MEM,
> DMA_PREP_INTERRUPT);
>+ if (!desc) {
>+ dev_err(port->dev, "Preparing DMA cyclic failed\n");
>+ goto chan_err;
>+ }
> desc->callback = atmel_complete_rx_dma;
> desc->callback_param = port;
> atmel_port->desc_rx = desc;
>diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
>index ba285cd45b59..8ccab7cf437c 100644
>--- a/drivers/tty/serial/max310x.c
>+++ b/drivers/tty/serial/max310x.c
>@@ -1324,6 +1324,8 @@ static int max310x_spi_probe(struct spi_device *spi)
> if (spi->dev.of_node) {
> const struct of_device_id *of_id =
> of_match_device(max310x_dt_ids, &spi->dev);
>+ if (!of_id)
>+ return -ENODEV;
>
> devtype = (struct max310x_devtype *)of_id->data;
> } else {
>diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
>index 8f6d6b5a2eeb..acacce37ec66 100644
>--- a/drivers/tty/serial/mxs-auart.c
>+++ b/drivers/tty/serial/mxs-auart.c
>@@ -1075,6 +1075,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
>
> s->port.mapbase = r->start;
> s->port.membase = ioremap(r->start, resource_size(r));
>+ if (!s->port.membase) {
>+ ret = -ENOMEM;
>+ goto out_free_clk;
>+ }
> s->port.ops = &mxs_auart_ops;
> s->port.iotype = UPIO_MEM;
> s->port.fifosize = MXS_AUART_FIFO_SIZE;
>diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
>index e2224213111c..0dc1d1ac4a9a 100644
>--- a/drivers/tty/serial/sh-sci.c
>+++ b/drivers/tty/serial/sh-sci.c
>@@ -633,19 +633,9 @@ static void sci_transmit_chars(struct uart_port *port)
>
> if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
> uart_write_wakeup(port);
>- if (uart_circ_empty(xmit)) {
>+ if (uart_circ_empty(xmit))
> sci_stop_tx(port);
>- } else {
>- ctrl = serial_port_in(port, SCSCR);
>-
>- if (port->type != PORT_SCI) {
>- serial_port_in(port, SCxSR); /* Dummy read */
>- serial_port_out(port, SCxSR, SCxSR_TDxE_CLEAR(port));
>- }
>
>- ctrl |= SCSCR_TIE;
>- serial_port_out(port, SCSCR, ctrl);
>- }
> }
>
> /* On SH3, SCIF may read end-of-break as a space->mark char */
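
Review bot: removing the else branch leaves a blank line directly before the closing brace of sci_transmit_chars(), and `ctrl` is no longer used by anything visible in this hunk. Delete the stray blank line, and drop the `ctrl` declaration if no other code in the function reads it.
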
>diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
>index d002c23af6f4..71dfbff5839d 100644
>--- a/drivers/usb/core/driver.c
>+++ b/drivers/usb/core/driver.c
>@@ -483,11 +483,6 @@ static int usb_unbind_interface(struct device *dev)
> pm_runtime_disable(dev);
> pm_runtime_set_suspended(dev);
>
>- /* Undo any residual pm_autopm_get_interface_* calls */
>- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r)
>- usb_autopm_put_interface_no_suspend(intf);
>- atomic_set(&intf->pm_usage_cnt, 0);
>-
> if (!error)
> usb_autosuspend_device(udev);
>
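
Review bot: dropping the "Undo any residual ..." loop in usb_unbind_interface() means an interface driver that unbinds with outstanding usb_autopm_get_interface*() references no longer has them released here. The commit message should say whether any driver relied on that cleanup. The loop variable `r` also has no remaining user in this hunk and should go if nothing else in the function needs it.
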
>@@ -1638,7 +1633,6 @@ void usb_autopm_put_interface(struct usb_interface *intf)
> int status;
>
> usb_mark_last_busy(udev);
>- atomic_dec(&intf->pm_usage_cnt);
> status = pm_runtime_put_sync(&intf->dev);
> dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> __func__, atomic_read(&intf->dev.power.usage_count),
>@@ -1667,7 +1661,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf)
> int status;
>
> usb_mark_last_busy(udev);
>- atomic_dec(&intf->pm_usage_cnt);
> status = pm_runtime_put(&intf->dev);
> dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> __func__, atomic_read(&intf->dev.power.usage_count),
>@@ -1689,7 +1682,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf)
> struct usb_device *udev = interface_to_usbdev(intf);
>
> usb_mark_last_busy(udev);
>- atomic_dec(&intf->pm_usage_cnt);
> pm_runtime_put_noidle(&intf->dev);
> }
> EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend);
>@@ -1720,8 +1712,6 @@ int usb_autopm_get_interface(struct usb_interface *intf)
> status = pm_runtime_get_sync(&intf->dev);
> if (status < 0)
> pm_runtime_put_sync(&intf->dev);
>- else
>- atomic_inc(&intf->pm_usage_cnt);
> dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> __func__, atomic_read(&intf->dev.power.usage_count),
> status);
>@@ -1755,8 +1745,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf)
> status = pm_runtime_get(&intf->dev);
> if (status < 0 && status != -EINPROGRESS)
> pm_runtime_put_noidle(&intf->dev);
>- else
>- atomic_inc(&intf->pm_usage_cnt);
> dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> __func__, atomic_read(&intf->dev.power.usage_count),
> status);
>@@ -1780,7 +1768,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf)
> struct usb_device *udev = interface_to_usbdev(intf);
>
> usb_mark_last_busy(udev);
>- atomic_inc(&intf->pm_usage_cnt);
> pm_runtime_get_noresume(&intf->dev);
> }
> EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume);
>diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
>index 6af648c307b7..f7019c7e9bc5 100644
>--- a/drivers/usb/core/message.c
>+++ b/drivers/usb/core/message.c
>@@ -822,9 +822,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
>
> if (dev->state == USB_STATE_SUSPENDED)
> return -EHOSTUNREACH;
>- if (size <= 0 || !buf || !index)
>+ if (size <= 0 || !buf)
> return -EINVAL;
> buf[0] = 0;
>+ if (index <= 0 || index >= 256)
>+ return -EINVAL;
> tbuf = kmalloc(256, GFP_NOIO);
> if (!tbuf)
> return -ENOMEM;
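
Review bot: the new bound `index >= 256` in usb_string() is a bare number. A comment or a named constant saying that a string descriptor index is a single byte would explain why 256 and above can never be valid, and would stop it being read as related to the kmalloc(256, ...) two lines below.
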
>diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
>index fd697bba07ff..dc3270e48dfb 100644
>--- a/drivers/usb/host/xhci-hub.c
>+++ b/drivers/usb/host/xhci-hub.c
>@@ -1199,20 +1199,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
> port_index = max_ports;
> while (port_index--) {
> u32 t1, t2;
>-
>+ int retries = 10;
>+retry:
> t1 = readl(port_array[port_index]);
> t2 = xhci_port_state_to_neutral(t1);
> portsc_buf[port_index] = 0;
>
>- /* Bail out if a USB3 port has a new device in link training */
>- if ((hcd->speed >= HCD_USB3) &&
>+ /*
>+ * Give a USB3 port in link training time to finish, but don't
>+ * prevent suspend as port might be stuck
>+ */
>+ if ((hcd->speed >= HCD_USB3) && retries-- &&
> (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
>- bus_state->bus_suspended = 0;
> spin_unlock_irqrestore(&xhci->lock, flags);
>- xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
>- return -EBUSY;
>+ msleep(XHCI_PORT_POLLING_LFPS_TIME);
>+ spin_lock_irqsave(&xhci->lock, flags);
>+ xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n",
>+ port_index);
>+ goto retry;
> }
>-
> /* suspend ports in U0, or bail out for new connect changes */
> if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
> if ((t1 & PORT_CSC) && wake_enabled) {
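
Review bot: the retry path in xhci_bus_suspend() drops xhci->lock, sleeps, retakes it and jumps back to `retry:` inside the port loop, so anything recorded for ports handled in earlier iterations was sampled before the lock was released. The comment should say why it is safe for those ports to change while unlocked. `retries` is also declared inside the loop body and so is reset for every port, which makes the worst case 10 sleeps of XHCI_PORT_POLLING_LFPS_TIME per polling port rather than per suspend.
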
>diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
>index feb702516470..bd191fbfdf40 100644
>--- a/drivers/usb/host/xhci.h
>+++ b/drivers/usb/host/xhci.h
>@@ -413,6 +413,14 @@ struct xhci_op_regs {
> */
> #define XHCI_DEFAULT_BESL 4
>
>+/*
>+ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
>+ * to complete link training. usually link trainig completes much faster
>+ * so check status 10 times with 36ms sleep in places we need to wait for
>+ * polling to complete.
>+ */
>+#define XHCI_PORT_POLLING_LFPS_TIME 36
>+
> /**
> * struct xhci_intr_reg - Interrupt Register Set
> * @irq_pending: IMAN - Interrupt Management Register. Used to enable
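
Review bot: the new comment above XHCI_PORT_POLLING_LFPS_TIME has typos ("tPollingLFPSTiemout", "trainig", "specification define") and a sentence that starts in lower case. It should also state the unit next to the define; the text implies milliseconds (10 checks of 36 ms for the 360 ms timeout), but the value itself is unlabelled.
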
>diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
>index 3114c8d061e9..1c9d08157708 100644
>--- a/drivers/usb/misc/yurex.c
>+++ b/drivers/usb/misc/yurex.c
>@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_interface *interface)
> usb_deregister_dev(interface, &yurex_class);
>
> /* prevent more I/O from starting */
>+ usb_poison_urb(dev->urb);
> mutex_lock(&dev->io_mutex);
> dev->interface = NULL;
> mutex_unlock(&dev->io_mutex);
>diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
>index b60dac48587c..3e22dd294879 100644
>--- a/drivers/usb/serial/cp210x.c
>+++ b/drivers/usb/serial/cp210x.c
>@@ -76,6 +76,7 @@ static const struct usb_device_id id_table[] = {
> { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
> { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
> { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
>+ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
> { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
> { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
> { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */
>diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
>index aa2bec8687fd..3f89153bc122 100644
>--- a/drivers/usb/serial/ftdi_sio.c
>+++ b/drivers/usb/serial/ftdi_sio.c
>@@ -617,6 +617,8 @@ static const struct usb_device_id id_table_combined[] = {
> .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
> { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
> .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
>+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
>+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
> { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
> { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
> { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
>diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
>index ecc2424eb8e0..5258cec99219 100644
>--- a/drivers/usb/serial/ftdi_sio_ids.h
>+++ b/drivers/usb/serial/ftdi_sio_ids.h
>@@ -566,7 +566,9 @@
> /*
> * NovaTech product ids (FTDI_VID)
> */
>-#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
>+#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
>+#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */
>+#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */
>
> /*
> * Synapse Wireless product ids (FTDI_VID)
>diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
>index 56c4f6d074ca..454898c4a137 100644
>--- a/drivers/usb/serial/mos7720.c
>+++ b/drivers/usb/serial/mos7720.c
>@@ -362,8 +362,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
> if (!urbtrack)
> return -ENOMEM;
>
>- kref_get(&mos_parport->ref_count);
>- urbtrack->mos_parport = mos_parport;
> urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
> if (!urbtrack->urb) {
> kfree(urbtrack);
>@@ -384,6 +382,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
> usb_sndctrlpipe(usbdev, 0),
> (unsigned char *)urbtrack->setup,
> NULL, 0, async_complete, urbtrack);
>+ kref_get(&mos_parport->ref_count);
>+ urbtrack->mos_parport = mos_parport;
> kref_init(&urbtrack->ref_count);
> INIT_LIST_HEAD(&urbtrack->urblist_entry);
>
>diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
>index 281be56d5648..56bfef517f68 100644
>--- a/drivers/usb/storage/realtek_cr.c
>+++ b/drivers/usb/storage/realtek_cr.c
>@@ -767,18 +767,16 @@ static void rts51x_suspend_timer_fn(unsigned long data)
> break;
> case RTS51X_STAT_IDLE:
> case RTS51X_STAT_SS:
>- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n",
>- atomic_read(&us->pusb_intf->pm_usage_cnt),
>+ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n",
> atomic_read(&us->pusb_intf->dev.power.usage_count));
>
>- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) {
>+ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) {
> usb_stor_dbg(us, "Ready to enter SS state\n");
> rts51x_set_stat(chip, RTS51X_STAT_SS);
> /* ignore mass storage interface's children */
> pm_suspend_ignore_children(&us->pusb_intf->dev, true);
> usb_autopm_put_interface_async(us->pusb_intf);
>- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n",
>- atomic_read(&us->pusb_intf->pm_usage_cnt),
>+ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n",
> atomic_read(&us->pusb_intf->dev.power.usage_count));
> }
> break;
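
Review bot: the `> 0` test in rts51x_suspend_timer_fn() now reads dev.power.usage_count instead of the interface's own pm_usage_cnt. That counter is raised by any pm_runtime_get*() on the interface device, not only by usb_autopm_get_interface*(), so the condition can be true in cases where the old one was not. Please confirm that "Ready to enter SS state" and the usb_autopm_put_interface_async() that follows are still correct under the wider condition.
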
>@@ -811,11 +809,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
> int ret;
>
> if (working_scsi(srb)) {
>- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n",
>- atomic_read(&us->pusb_intf->pm_usage_cnt),
>+ usb_stor_dbg(us, "working scsi, power.usage:%d\n",
> atomic_read(&us->pusb_intf->dev.power.usage_count));
>
>- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) {
>+ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) {
> ret = usb_autopm_get_interface(us->pusb_intf);
> usb_stor_dbg(us, "working scsi, ret=%d\n", ret);
> }
>diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
>index f544cfaa0a10..3f16c299263f 100644
>--- a/drivers/vhost/net.c
>+++ b/drivers/vhost/net.c
>@@ -39,6 +39,12 @@ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
> * Using this limit prevents one virtqueue from starving others. */
> #define VHOST_NET_WEIGHT 0x80000
>
>+/* Max number of packets transferred before requeueing the job.
>+ * Using this limit prevents one virtqueue from starving others with small
>+ * pkts.
>+ */
>+#define VHOST_NET_PKT_WEIGHT 256
>+
> /* MAX number of TX used buffers for outstanding zerocopy */
> #define VHOST_MAX_PEND 128
> #define VHOST_GOODCOPY_LEN 256
>@@ -351,6 +357,7 @@ static void handle_tx(struct vhost_net *net)
> struct socket *sock;
> struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
> bool zcopy, zcopy_used;
>+ int sent_pkts = 0;
>
> mutex_lock(&vq->mutex);
> sock = vq->private_data;
>@@ -362,7 +369,7 @@ static void handle_tx(struct vhost_net *net)
> hdr_size = nvq->vhost_hlen;
> zcopy = nvq->ubufs;
>
>- for (;;) {
>+ do {
> /* Release DMAs done buffers first */
> if (zcopy)
> vhost_zerocopy_signal_used(net, vq);
>@@ -450,11 +457,7 @@ static void handle_tx(struct vhost_net *net)
> vhost_zerocopy_signal_used(net, vq);
> total_len += len;
> vhost_net_tx_packet(net);
>- if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
>- vhost_poll_queue(&vq->poll);
>- break;
>- }
>- }
>+ } while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
> out:
> mutex_unlock(&vq->mutex);
> }
>@@ -575,6 +578,7 @@ static void handle_rx(struct vhost_net *net)
> size_t vhost_hlen, sock_hlen;
> size_t vhost_len, sock_len;
> struct socket *sock;
>+ int recv_pkts = 0;
>
> mutex_lock(&vq->mutex);
> sock = vq->private_data;
>@@ -589,7 +593,10 @@ static void handle_rx(struct vhost_net *net)
> vq->log : NULL;
> mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
>
>- while ((sock_len = peek_head_len(sock->sk))) {
>+ do {
>+ sock_len = peek_head_len(sock->sk);
>+ if (!sock_len)
>+ break;
> sock_len += sock_hlen;
> vhost_len = sock_len + vhost_hlen;
> headcount = get_rx_bufs(vq, vq->heads, vhost_len,
>@@ -659,11 +666,8 @@ static void handle_rx(struct vhost_net *net)
> if (unlikely(vq_log))
> vhost_log_write(vq, vq_log, log, vhost_len);
> total_len += vhost_len;
>- if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
>- vhost_poll_queue(&vq->poll);
>- break;
>- }
>- }
>+ } while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
>+
> out:
> mutex_unlock(&vq->mutex);
> }
>@@ -732,7 +736,8 @@ static int vhost_net_open(struct inode *inode, struct file *f)
> n->vqs[i].vhost_hlen = 0;
> n->vqs[i].sock_hlen = 0;
> }
>- vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
>+ vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
>+ VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT);
>
> vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
> vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);
>diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
>index 0dfb3fd6e836..498de4bfcd60 100644
>--- a/drivers/vhost/scsi.c
>+++ b/drivers/vhost/scsi.c
>@@ -60,6 +60,12 @@
> #define TCM_VHOST_PREALLOC_UPAGES 2048
> #define TCM_VHOST_PREALLOC_PROT_SGLS 512
>
>+/* Max number of requests before requeueing the job.
>+ * Using this limit prevents one virtqueue from starving others with
>+ * request.
>+ */
>+#define VHOST_SCSI_WEIGHT 256
>+
> struct vhost_scsi_inflight {
> /* Wait for the flush operation to finish */
> struct completion comp;
>@@ -992,7 +998,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
> u64 tag;
> u32 exp_data_len, data_first, data_num, data_direction, prot_first;
> unsigned out, in, i;
>- int head, ret, data_niov, prot_niov, prot_bytes;
>+ int head, ret, data_niov, prot_niov, prot_bytes, c = 0;
> size_t req_size;
> u16 lun;
> u8 *target, *lunp, task_attr;
>@@ -1010,7 +1016,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
>
> vhost_disable_notify(&vs->dev, vq);
>
>- for (;;) {
>+ do {
> head = vhost_get_vq_desc(vq, vq->iov,
> ARRAY_SIZE(vq->iov), &out, &in,
> NULL, NULL);
>@@ -1213,7 +1219,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
> */
> INIT_WORK(&cmd->work, tcm_vhost_submission_work);
> queue_work(tcm_vhost_workqueue, &cmd->work);
>- }
>+ } while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
>
> mutex_unlock(&vq->mutex);
> return;
>@@ -1576,7 +1582,8 @@ static int vhost_scsi_open(struct inode *inode, struct file *f)
> vqs[i] = &vs->vqs[i].vq;
> vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick;
> }
>- vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ);
>+ vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ,
>+ VHOST_SCSI_WEIGHT, 0);
>
> tcm_vhost_init_inflight(vs, NULL);
>
>diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
>index 337e1d04871f..48507ef0542a 100644
>--- a/drivers/vhost/vhost.c
>+++ b/drivers/vhost/vhost.c
>@@ -292,8 +292,24 @@ static void vhost_dev_free_iovecs(struct vhost_dev *dev)
> vhost_vq_free_iovecs(dev->vqs[i]);
> }
>
>+bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
>+ int pkts, int total_len)
>+{
>+ struct vhost_dev *dev = vq->dev;
>+
>+ if ((dev->byte_weight && total_len >= dev->byte_weight) ||
>+ pkts >= dev->weight) {
>+ vhost_poll_queue(&vq->poll);
>+ return true;
>+ }
>+
>+ return false;
>+}
>+EXPORT_SYMBOL_GPL(vhost_exceeds_weight);
>+
> void vhost_dev_init(struct vhost_dev *dev,
>- struct vhost_virtqueue **vqs, int nvqs)
>+ struct vhost_virtqueue **vqs, int nvqs,
>+ int weight, int byte_weight)
> {
> struct vhost_virtqueue *vq;
> int i;
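
Review bot: vhost_exceeds_weight() reads as a pure predicate but also calls vhost_poll_queue() when it returns true, and nothing documents that. Add a kerneldoc comment covering the requeue side effect and the fact that a byte_weight of 0 disables the byte check. Also, `pkts >= dev->weight` is always true when a caller passes weight 0 to vhost_dev_init(), so either reject that value or document it.
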
>@@ -308,6 +324,8 @@ void vhost_dev_init(struct vhost_dev *dev,
> spin_lock_init(&dev->work_lock);
> INIT_LIST_HEAD(&dev->work_list);
> dev->worker = NULL;
>+ dev->weight = weight;
>+ dev->byte_weight = byte_weight;
>
> for (i = 0; i < dev->nvqs; ++i) {
> vq = dev->vqs[i];
>diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
>index 3eda654b8f5a..6c4c8aade233 100644
>--- a/drivers/vhost/vhost.h
>+++ b/drivers/vhost/vhost.h
>@@ -123,9 +123,13 @@ struct vhost_dev {
> spinlock_t work_lock;
> struct list_head work_list;
> struct task_struct *worker;
>+ int weight;
>+ int byte_weight;
> };
>
>-void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs);
>+bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len);
>+void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
>+ int nvqs, int weight, int byte_weight);
> long vhost_dev_set_owner(struct vhost_dev *dev);
> bool vhost_dev_has_owner(struct vhost_dev *dev);
> long vhost_dev_check_owner(struct vhost_dev *);
>diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c
>index 176b88fa694c..ed420aa9216b 100644
>--- a/drivers/w1/masters/ds2490.c
>+++ b/drivers/w1/masters/ds2490.c
>@@ -1041,15 +1041,15 @@ static int ds_probe(struct usb_interface *intf,
> /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */
> alt = 3;
> err = usb_set_interface(dev->udev,
>- intf->altsetting[alt].desc.bInterfaceNumber, alt);
>+ intf->cur_altsetting->desc.bInterfaceNumber, alt);
> if (err) {
> dev_err(&dev->udev->dev, "Failed to set alternative setting %d "
> "for %d interface: err=%d.\n", alt,
>- intf->altsetting[alt].desc.bInterfaceNumber, err);
>+ intf->cur_altsetting->desc.bInterfaceNumber, err);
> goto err_out_clear;
> }
>
>- iface_desc = &intf->altsetting[alt];
>+ iface_desc = intf->cur_altsetting;
> if (iface_desc->desc.bNumEndpoints != NUM_EP-1) {
> printk(KERN_INFO "Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints);
> err = -EINVAL;
>diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
>index 8db7abb6ef5a..cdb055207753 100644
>--- a/drivers/xen/balloon.c
>+++ b/drivers/xen/balloon.c
>@@ -502,8 +502,15 @@ static void balloon_process(struct work_struct *work)
> state = reserve_additional_memory(credit);
> }
>
>- if (credit < 0)
>- state = decrease_reservation(-credit, GFP_BALLOON);
>+ if (credit < 0) {
>+ long n_pages;
>+
>+ n_pages = min(-credit, si_mem_available());
>+ state = decrease_reservation(n_pages, GFP_BALLOON);
>+ if (state == BP_DONE && n_pages != -credit &&
>+ n_pages < totalreserve_pages)
>+ state = BP_EAGAIN;
>+ }
>
> state = update_schedule(state);
>
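
Review bot: in balloon_process() the BP_EAGAIN override depends on `n_pages < totalreserve_pages`, and nothing explains why the reserve size is the threshold for retrying. A comment on that condition would help. Since n_pages is declared long, also check that both operands of min(-credit, si_mem_available()) have the same type, because the kernel's min() rejects mixed types.
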
>@@ -561,6 +568,9 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages, bool highmem)
> enum bp_state st;
> if (page)
> balloon_append(page);
>+ if (si_mem_available() < nr_pages)
>+ return -ENOMEM;
>+
> st = decrease_reservation(nr_pages - pgno,
> highmem ? GFP_HIGHUSER : GFP_USER);
> if (st != BP_DONE)
>@@ -692,7 +702,7 @@ static int __init balloon_init(void)
> balloon_stats.schedule_delay = 1;
> balloon_stats.max_schedule_delay = 32;
> balloon_stats.retry_count = 1;
>- balloon_stats.max_retry_count = RETRY_UNLIMITED;
>+ balloon_stats.max_retry_count = 4;
>
> #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
> balloon_stats.hotplug_pages = 0;
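
Review bot: `max_retry_count = 4` in balloon_init() replaces RETRY_UNLIMITED with a bare number, changing the default from retrying forever to giving up after four attempts. Add a comment explaining why 4 was chosen, or a named constant beside RETRY_UNLIMITED, so the change in default behaviour is visible to whoever tunes it later.
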
>diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
>index c2e930ec2888..696db173e26f 100644
>--- a/fs/afs/fsclient.c
>+++ b/fs/afs/fsclient.c
>@@ -1382,8 +1382,8 @@ static int afs_fs_setattr_size64(struct afs_server *server, struct key *key,
>
> xdr_encode_AFS_StoreStatus(&bp, attr);
>
>- *bp++ = 0; /* position of start of write */
>- *bp++ = 0;
>+ *bp++ = htonl(attr->ia_size >> 32); /* position of start of write */
>+ *bp++ = htonl((u32) attr->ia_size);
> *bp++ = 0; /* size of write */
> *bp++ = 0;
> *bp++ = htonl(attr->ia_size >> 32); /* new file length */
>@@ -1433,7 +1433,7 @@ static int afs_fs_setattr_size(struct afs_server *server, struct key *key,
>
> xdr_encode_AFS_StoreStatus(&bp, attr);
>
>- *bp++ = 0; /* position of start of write */
>+ *bp++ = htonl(attr->ia_size); /* position of start of write */
> *bp++ = 0; /* size of write */
> *bp++ = htonl(attr->ia_size); /* new file length */
>
>diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
>index 6db91cdbd92d..6a02cb3e5650 100644
>--- a/fs/btrfs/compression.c
>+++ b/fs/btrfs/compression.c
>@@ -42,6 +42,8 @@
> #include "extent_io.h"
> #include "extent_map.h"
>
>+static const char* const btrfs_compress_types[] = { "", "zlib", "lzo" };
>+
> struct compressed_bio {
> /* number of bios pending for this compressed extent */
> atomic_t pending_bios;
>@@ -81,6 +83,22 @@ struct compressed_bio {
> u32 sums;
> };
>
>+bool btrfs_compress_is_valid_type(const char *str, size_t len)
>+{
>+ int i;
>+
>+ for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
>+ size_t comp_len = strlen(btrfs_compress_types[i]);
>+
>+ if (len < comp_len)
>+ continue;
>+
>+ if (!strncmp(btrfs_compress_types[i], str, comp_len))
>+ return true;
>+ }
>+ return false;
>+}
>+
> static int btrfs_decompress_biovec(int type, struct page **pages_in,
> u64 disk_start, struct bio_vec *bvec,
> int vcnt, size_t srclen);
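
Review bot: btrfs_compress_is_valid_type() compares only the first comp_len bytes, so any value that merely starts with "zlib" or "lzo" (for example "zlibX") is accepted once len >= comp_len. If the property value must be exactly a type name, require `len == comp_len`; if trailing text is allowed on purpose, say so in a comment. `i` should also be unsigned to match ARRAY_SIZE().
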
>diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
>index d181f70caae0..5f15b34d88f7 100644
>--- a/fs/btrfs/compression.h
>+++ b/fs/btrfs/compression.h
>@@ -80,4 +80,5 @@ struct btrfs_compress_op {
> extern struct btrfs_compress_op btrfs_zlib_compress;
> extern struct btrfs_compress_op btrfs_lzo_compress;
>
>+bool btrfs_compress_is_valid_type(const char *str, size_t len);
> #endif
>diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
>index 129b1dd28527..8b041d83533a 100644
>--- a/fs/btrfs/props.c
>+++ b/fs/btrfs/props.c
>@@ -22,6 +22,7 @@
> #include "hash.h"
> #include "transaction.h"
> #include "xattr.h"
>+#include "compression.h"
>
> #define BTRFS_PROP_HANDLERS_HT_BITS 8
> static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS);
>@@ -378,9 +379,7 @@ int btrfs_subvol_inherit_props(struct btrfs_trans_handle *trans,
>
> static int prop_compression_validate(const char *value, size_t len)
> {
>- if (!strncmp("lzo", value, len))
>- return 0;
>- else if (!strncmp("zlib", value, len))
>+ if (btrfs_compress_is_valid_type(value, len))
> return 0;
>
> return -EINVAL;
>diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
>index 5e2005030f54..bdda508cc85d 100644
>--- a/fs/ceph/dir.c
>+++ b/fs/ceph/dir.c
>@@ -1327,6 +1327,7 @@ void ceph_dentry_lru_del(struct dentry *dn)
> unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
> {
> struct ceph_inode_info *dci = ceph_inode(dir);
>+ unsigned hash;
>
> switch (dci->i_dir_layout.dl_dir_hash) {
> case 0: /* for backward compat */
>@@ -1334,8 +1335,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
> return dn->d_name.hash;
>
> default:
>- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
>+ spin_lock(&dn->d_lock);
>+ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
> dn->d_name.name, dn->d_name.len);
>+ spin_unlock(&dn->d_lock);
>+ return hash;
> }
> }
>
>diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>index 23f5cb1ee904..ff85c3129e9d 100644
>--- a/fs/cifs/cifsglob.h
>+++ b/fs/cifs/cifsglob.h
>@@ -1092,6 +1092,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file)
> }
>
> struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
>+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
> void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
>
> #define CIFS_CACHE_READ_FLG 1
>@@ -1579,6 +1580,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
> #endif /* CONFIG_CIFS_ACL */
>
> void cifs_oplock_break(struct work_struct *work);
>+void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
>
> extern const struct slow_work_ops cifs_oplock_break_ops;
> extern struct workqueue_struct *cifsiod_wq;
>diff --git a/fs/cifs/file.c b/fs/cifs/file.c
>index 4b8870f889e3..9b3d28b79329 100644
>--- a/fs/cifs/file.c
>+++ b/fs/cifs/file.c
>@@ -359,12 +359,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file)
> return cifs_file;
> }
>
>-/*
>- * Release a reference on the file private data. This may involve closing
>- * the filehandle out on the server. Must be called without holding
>- * tcon->open_file_lock and cifs_file->file_info_lock.
>+/**
>+ * cifsFileInfo_put - release a reference of file priv data
>+ *
>+ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
> */
> void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
>+{
>+ _cifsFileInfo_put(cifs_file, true);
>+}
>+
>+/**
>+ * _cifsFileInfo_put - release a reference of file priv data
>+ *
>+ * This may involve closing the filehandle @cifs_file out on the
>+ * server. Must be called without holding tcon->open_file_lock and
>+ * cifs_file->file_info_lock.
>+ *
>+ * If @wait_for_oplock_handler is true and we are releasing the last
>+ * reference, wait for any running oplock break handler of the file
>+ * and cancel any pending one. If calling this function from the
>+ * oplock break handler, you need to pass false.
>+ *
>+ */
>+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
> {
> struct inode *inode = cifs_file->dentry->d_inode;
> struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
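
Review bot: the kernel-doc for _cifsFileInfo_put() describes @wait_for_oplock_handler, but the parameter is named wait_oplock_handler in this definition and wait_oplock_hdlr in the prototype added to cifsglob.h. Use one name in all three places so the documentation matches the signature. Both new comment blocks also lack a @cifs_file line, which kernel-doc expects after the summary.
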
>@@ -412,7 +430,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
>
> spin_unlock(&tcon->open_file_lock);
>
>- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
>+ oplock_break_cancelled = wait_oplock_handler ?
>+ cancel_work_sync(&cifs_file->oplock_break) : false;
>
> if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
> struct TCP_Server_Info *server = tcon->ses->server;
>@@ -3701,6 +3720,7 @@ void cifs_oplock_break(struct work_struct *work)
> cinode);
> cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
> }
>+ _cifsFileInfo_put(cfile, false /* do not wait for ourself */);
> cifs_done_oplock_break(cinode);
> }
>
>diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
>index 09ca7c978700..f681091ec3db 100644
>--- a/fs/cifs/inode.c
>+++ b/fs/cifs/inode.c
>@@ -1627,6 +1627,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry,
> if (rc == 0 || rc != -EBUSY)
> goto do_rename_exit;
>
>+ /* Don't fall back to using SMB on SMB 2+ mount */
>+ if (server->vals->protocol_id != 0)
>+ goto do_rename_exit;
>+
> /* open-file renames don't work across directories */
> if (to_dentry->d_parent != from_dentry->d_parent)
> goto do_rename_exit;
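
Review bot: the new check server->vals->protocol_id != 0 in cifs_do_rename() relies on the reader knowing that 0 means a pre-SMB2 mount. Compare against a named constant, or state in the comment that 0 is the only value for which the fallback applies.
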
>diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
>index f03fecafc5d5..debc26b95cd7 100644
>--- a/fs/cifs/misc.c
>+++ b/fs/cifs/misc.c
>@@ -477,8 +477,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
> CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> &pCifsInode->flags);
>
>- queue_work(cifsoplockd_wq,
>- &netfile->oplock_break);
>+ cifs_queue_oplock_break(netfile);
> netfile->oplock_break_cancelled = false;
>
> spin_unlock(&tcon->open_file_lock);
>@@ -610,6 +609,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode)
> spin_unlock(&cinode->writers_lock);
> }
>
>+/**
>+ * cifs_queue_oplock_break - queue the oplock break handler for cfile
>+ *
>+ * This function is called from the demultiplex thread when it
>+ * receives an oplock break for @cfile.
>+ *
>+ * Assumes the tcon->open_file_lock is held.
>+ * Assumes cfile->file_info_lock is NOT held.
>+ */
>+void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
>+{
>+ /*
>+ * Bump the handle refcount now while we hold the
>+ * open_file_lock to enforce the validity of it for the oplock
>+ * break handler. The matching put is done at the end of the
>+ * handler.
>+ */
>+ cifsFileInfo_get(cfile);
>+
>+ queue_work(cifsoplockd_wq, &cfile->oplock_break);
>+}
>+
> void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
> {
> clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
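
Review bot: cifs_queue_oplock_break() takes a reference with cifsFileInfo_get() unconditionally and ignores the return value of queue_work(). If the work item is already pending, queue_work() returns false and the handler runs only once, so only one of the two references is released by the matching _cifsFileInfo_put() at the end of cifs_oplock_break(). Either drop the extra reference when queue_work() returns false, or document why a second break cannot arrive while one is still queued.
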
>diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
>index 1485ab8c2d65..f80fcc6921ee 100644
>--- a/fs/cifs/smb2misc.c
>+++ b/fs/cifs/smb2misc.c
>@@ -458,7 +458,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
> clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> &cinode->flags);
>
>- queue_work(cifsoplockd_wq, &cfile->oplock_break);
>+ cifs_queue_oplock_break(cfile);
> kfree(lw);
> return true;
> }
>@@ -602,8 +602,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
> CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> &cinode->flags);
> spin_unlock(&cfile->file_info_lock);
>- queue_work(cifsoplockd_wq,
>- &cfile->oplock_break);
>+
>+ cifs_queue_oplock_break(cfile);
>
> spin_unlock(&tcon->open_file_lock);
> spin_unlock(&cifs_tcp_ses_lock);
>diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
>index 376ccd96127f..d95a547cf94e 100644
>--- a/fs/cifs/smb2ops.c
>+++ b/fs/cifs/smb2ops.c
>@@ -906,6 +906,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
>
> rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_buf);
>
>+ if (!rc)
>+ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
> if (!rc || !err_buf) {
> kfree(utf16_path);
> return -ENOENT;
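
Review bot: in smb2_query_symlink() the return value of SMB2_close() is discarded, and the new if (!rc) is followed immediately by if (!rc || !err_buf), so the success case is tested twice in a row. A short comment saying that a successful open is treated as "not a symlink" and that the handle must be closed before returning -ENOENT would explain both lines.
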
>diff --git a/fs/ext4/file.c b/fs/ext4/file.c
>index 40c86790109e..201f683bea89 100644
>--- a/fs/ext4/file.c
>+++ b/fs/ext4/file.c
>@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos)
> struct super_block *sb = inode->i_sb;
> int blockmask = sb->s_blocksize - 1;
>
>- if (pos >= i_size_read(inode))
>+ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
> return 0;
>
> if ((pos | iov_iter_alignment(from)) & blockmask)
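
Review bot: the changed comparison in ext4_unaligned_aio() rounds i_size up to a block boundary, but there is no comment explaining why a write that starts between i_size and the end of the last block must still go through the alignment check below. Add one above the if so the ALIGN() is not later simplified back to a plain i_size_read().
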
>diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
>index 80c3f1ed1afa..63597cd0265c 100644
>--- a/fs/ext4/resize.c
>+++ b/fs/ext4/resize.c
>@@ -908,11 +908,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
> memcpy(n_group_desc, o_group_desc,
> EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
> n_group_desc[gdb_num] = gdb_bh;
>+
>+ BUFFER_TRACE(gdb_bh, "get_write_access");
>+ err = ext4_journal_get_write_access(handle, gdb_bh);
>+ if (err) {
>+ kvfree(n_group_desc);
>+ brelse(gdb_bh);
>+ return err;
>+ }
>+
> EXT4_SB(sb)->s_group_desc = n_group_desc;
> EXT4_SB(sb)->s_gdb_count++;
> ext4_kvfree(o_group_desc);
>- BUFFER_TRACE(gdb_bh, "get_write_access");
>- err = ext4_journal_get_write_access(handle, gdb_bh);
> return err;
> }
>
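
Review bot: the new error path in add_new_gdb_meta_bg() frees n_group_desc with kvfree(), while the success path further down frees o_group_desc with ext4_kvfree(). Use the same helper for both unless the difference is deliberate. It is also worth a comment that ext4_journal_get_write_access() was moved ahead of the s_group_desc assignment precisely so that this early return leaves the superblock state untouched.
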
>diff --git a/fs/lockd/host.c b/fs/lockd/host.c
>index b31117c12102..6f12147a2fea 100644
>--- a/fs/lockd/host.c
>+++ b/fs/lockd/host.c
>@@ -288,12 +288,11 @@ void nlmclnt_release_host(struct nlm_host *host)
>
> WARN_ON_ONCE(host->h_server);
>
>- if (atomic_dec_and_test(&host->h_count)) {
>+ if (atomic_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
> WARN_ON_ONCE(!list_empty(&host->h_lockowners));
> WARN_ON_ONCE(!list_empty(&host->h_granted));
> WARN_ON_ONCE(!list_empty(&host->h_reclaim));
>
>- mutex_lock(&nlm_host_mutex);
> nlm_destroy_host_locked(host);
> mutex_unlock(&nlm_host_mutex);
> }
>diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
>index 7445af0b1aa3..a0bc66039269 100644
>--- a/fs/proc/meminfo.c
>+++ b/fs/proc/meminfo.c
>@@ -27,10 +27,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
> struct vmalloc_info vmi;
> long cached;
> long available;
>- unsigned long pagecache;
>- unsigned long wmark_low = 0;
> unsigned long pages[NR_LRU_LISTS];
>- struct zone *zone;
> int lru;
>
> /*
>@@ -51,36 +48,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
> for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
> pages[lru] = global_page_state(NR_LRU_BASE + lru);
>
>- for_each_zone(zone)
>- wmark_low += zone->watermark[WMARK_LOW];
>-
>- /*
>- * Estimate the amount of memory available for userspace allocations,
>- * without causing swapping.
>- *
>- * Free memory cannot be taken below the low watermark, before the
>- * system starts swapping.
>- */
>- available = i.freeram - wmark_low;
>-
>- /*
>- * Not all the page cache can be freed, otherwise the system will
>- * start swapping. Assume at least half of the page cache, or the
>- * low watermark worth of cache, needs to stay.
>- */
>- pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
>- pagecache -= min(pagecache / 2, wmark_low);
>- available += pagecache;
>-
>- /*
>- * Part of the reclaimable slab consists of items that are in use,
>- * and cannot be freed. Cap this estimate at the low watermark.
>- */
>- available += global_page_state(NR_SLAB_RECLAIMABLE) -
>- min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
>-
>- if (available < 0)
>- available = 0;
>+ available = si_mem_available();
>
> /*
> * Tagged format, for easy grepping and expansion.
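
Review bot: the removed block ended with if (available < 0) available = 0, and available remains a signed long in meminfo_proc_show(). The replacement si_mem_available() also returns long (see the mm.h hunk), and its body is not part of this hunk, so confirm that it clamps at zero itself; otherwise a negative value can now be reported.
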
>diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
>index bfb8e8d588b8..eb7067de78db 100644
>--- a/fs/proc/proc_sysctl.c
>+++ b/fs/proc/proc_sysctl.c
>@@ -1550,8 +1550,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
> if (--header->nreg)
> return;
>
>- put_links(header);
>- start_unregistering(header);
>+ if (parent) {
>+ put_links(header);
>+ start_unregistering(header);
>+ }
>+
> if (!--header->count)
> kfree_rcu(header, rcu);
>
>diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
>index 8a9657d7f7c6..8df2632a2966 100644
>--- a/fs/udf/truncate.c
>+++ b/fs/udf/truncate.c
>@@ -261,6 +261,9 @@ void udf_truncate_extents(struct inode *inode)
> epos.block = eloc;
> epos.bh = udf_tread(sb,
> udf_get_lb_pblock(sb, &eloc, 0));
>+ /* Error reading indirect block? */
>+ if (!epos.bh)
>+ return;
> if (elen)
> indirect_ext_len =
> (elen + sb->s_blocksize - 1) >>
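
Review bot: when udf_tread() fails, the new if (!epos.bh) return; exits udf_truncate_extents() silently, and because the function returns void the caller cannot tell that truncation stopped part-way. At minimum log the failure at that point. Also check that nothing acquired earlier in the function needs releasing before this return, which the hunk does not show.
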
>diff --git a/fs/ufs/util.h b/fs/ufs/util.h
>index 3f9463f8cf2f..f877d5cadd98 100644
>--- a/fs/ufs/util.h
>+++ b/fs/ufs/util.h
>@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
> case UFS_UID_44BSD:
> return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
> case UFS_UID_EFT:
>- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
>+ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
> return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
> /* Fall through */
> default:
>diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
>index 8c0ff78ff45a..83fac3e091c2 100644
>--- a/include/linux/kprobes.h
>+++ b/include/linux/kprobes.h
>@@ -197,6 +197,7 @@ struct kretprobe_instance {
> struct kretprobe *rp;
> kprobe_opcode_t *ret_addr;
> struct task_struct *task;
>+ void *fp;
> char data[0];
> };
>
>diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
>index 64c7425afbce..f2bca5a77851 100644
>--- a/include/linux/lockdep.h
>+++ b/include/linux/lockdep.h
>@@ -525,9 +525,24 @@ do { \
> lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_); \
> lock_release(&(lock)->dep_map, 0, _THIS_IP_); \
> } while (0)
>+
>+#define lockdep_assert_irqs_enabled() do { \
>+ WARN_ONCE(debug_locks && !current->lockdep_recursion && \
>+ !current->hardirqs_enabled, \
>+ "IRQs not enabled as expected\n"); \
>+ } while (0)
>+
>+#define lockdep_assert_irqs_disabled() do { \
>+ WARN_ONCE(debug_locks && !current->lockdep_recursion && \
>+ current->hardirqs_enabled, \
>+ "IRQs not disabled as expected\n"); \
>+ } while (0)
>+
> #else
> # define might_lock(lock) do { } while (0)
> # define might_lock_read(lock) do { } while (0)
>+# define lockdep_assert_irqs_enabled() do { } while (0)
>+# define lockdep_assert_irqs_disabled() do { } while (0)
> #endif
>
> #ifdef CONFIG_PROVE_RCU
>diff --git a/include/linux/mm.h b/include/linux/mm.h
>index a576467cd4a5..e67e12641b63 100644
>--- a/include/linux/mm.h
>+++ b/include/linux/mm.h
>@@ -1699,6 +1699,7 @@ extern int __meminit init_per_zone_wmark_min(void);
> extern void mem_init(void);
> extern void __init mmap_init(void);
> extern void show_mem(unsigned int flags);
>+extern long si_mem_available(void);
> extern void si_meminfo(struct sysinfo * val);
> extern void si_meminfo_node(struct sysinfo *val, int nid);
>
>diff --git a/include/linux/siphash.h b/include/linux/siphash.h
>new file mode 100644
>index 000000000000..c8c7ae2e687b
>--- /dev/null
>+++ b/include/linux/siphash.h
>@@ -0,0 +1,90 @@
>+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#ifndef _LINUX_SIPHASH_H
>+#define _LINUX_SIPHASH_H
>+
>+#include <linux/types.h>
>+#include <linux/kernel.h>
>+
>+#define SIPHASH_ALIGNMENT __alignof__(u64)
>+typedef struct {
>+ u64 key[2];
>+} siphash_key_t;
>+
>+static inline bool siphash_key_is_zero(const siphash_key_t *key)
>+{
>+ return !(key->key[0] | key->key[1]);
>+}
>+
>+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
>+#endif
>+
>+u64 siphash_1u64(const u64 a, const siphash_key_t *key);
>+u64 siphash_2u64(const u64 a, const u64 b, const siphash_key_t *key);
>+u64 siphash_3u64(const u64 a, const u64 b, const u64 c,
>+ const siphash_key_t *key);
>+u64 siphash_4u64(const u64 a, const u64 b, const u64 c, const u64 d,
>+ const siphash_key_t *key);
>+u64 siphash_1u32(const u32 a, const siphash_key_t *key);
>+u64 siphash_3u32(const u32 a, const u32 b, const u32 c,
>+ const siphash_key_t *key);
>+
>+static inline u64 siphash_2u32(const u32 a, const u32 b,
>+ const siphash_key_t *key)
>+{
>+ return siphash_1u64((u64)b << 32 | a, key);
>+}
>+static inline u64 siphash_4u32(const u32 a, const u32 b, const u32 c,
>+ const u32 d, const siphash_key_t *key)
>+{
>+ return siphash_2u64((u64)b << 32 | a, (u64)d << 32 | c, key);
>+}
>+
>+
>+static inline u64 ___siphash_aligned(const __le64 *data, size_t len,
>+ const siphash_key_t *key)
>+{
>+ if (__builtin_constant_p(len) && len == 4)
>+ return siphash_1u32(le32_to_cpup((const __le32 *)data), key);
>+ if (__builtin_constant_p(len) && len == 8)
>+ return siphash_1u64(le64_to_cpu(data[0]), key);
>+ if (__builtin_constant_p(len) && len == 16)
>+ return siphash_2u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+ key);
>+ if (__builtin_constant_p(len) && len == 24)
>+ return siphash_3u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+ le64_to_cpu(data[2]), key);
>+ if (__builtin_constant_p(len) && len == 32)
>+ return siphash_4u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+ le64_to_cpu(data[2]), le64_to_cpu(data[3]),
>+ key);
>+ return __siphash_aligned(data, len, key);
>+}
>+
>+/**
>+ * siphash - compute 64-bit siphash PRF value
>+ * @data: buffer to hash
>+ * @size: size of @data
>+ * @key: the siphash key
>+ */
>+static inline u64 siphash(const void *data, size_t len,
>+ const siphash_key_t *key)
>+{
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+ if (!IS_ALIGNED((unsigned long)data, SIPHASH_ALIGNMENT))
>+ return __siphash_unaligned(data, len, key);
>+#endif
>+ return ___siphash_aligned(data, len, key);
>+}
>+
>+#endif /* _LINUX_SIPHASH_H */
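
Review bot: the kernel-doc for siphash() documents @size, but the parameter is named len, so the generated documentation will not match the signature; rename it to @len. The fixed-width helpers also have no comment on argument order, which matters because siphash_2u32() and siphash_4u32() pack their inputs as (u64)b << 32 | a and (u64)d << 32 | c, and a caller who swaps arguments gets a different PRF input with no warning.
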
>diff --git a/include/linux/string.h b/include/linux/string.h
>index dd71dd08a840..85491dd76903 100644
>--- a/include/linux/string.h
>+++ b/include/linux/string.h
>@@ -113,6 +113,9 @@ extern void * memscan(void *,int,__kernel_size_t);
> #ifndef __HAVE_ARCH_MEMCMP
> extern int memcmp(const void *,const void *,__kernel_size_t);
> #endif
>+#ifndef __HAVE_ARCH_BCMP
>+extern int bcmp(const void *,const void *,__kernel_size_t);
>+#endif
> #ifndef __HAVE_ARCH_MEMCHR
> extern void * memchr(const void *,int,__kernel_size_t);
> #endif
>diff --git a/include/linux/usb.h b/include/linux/usb.h
>index a53e036b2252..64a39f02a5f6 100644
>--- a/include/linux/usb.h
>+++ b/include/linux/usb.h
>@@ -125,7 +125,6 @@ enum usb_interface_condition {
> * @dev: driver model's view of this device
> * @usb_dev: if an interface is bound to the USB major, this will point
> * to the sysfs representation for that device.
>- * @pm_usage_cnt: PM usage counter for this interface
> * @reset_ws: Used for scheduling resets from atomic context.
> * @reset_running: set to 1 if the interface is currently running a
> * queued reset so that usb_cancel_queued_reset() doesn't try to
>@@ -186,7 +185,6 @@ struct usb_interface {
>
> struct device dev; /* interface specific device info */
> struct device *usb_dev;
>- atomic_t pm_usage_cnt; /* usage counter for autosuspend */
> struct work_struct reset_ws; /* for resets in atomic context */
> };
> #define to_usb_interface(d) container_of(d, struct usb_interface, dev)
>diff --git a/include/net/ip.h b/include/net/ip.h
>index 27dd9826e05d..8ec53320c902 100644
>--- a/include/net/ip.h
>+++ b/include/net/ip.h
>@@ -319,9 +319,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
> }
>
> u32 ip_idents_reserve(u32 hash, int segs);
>-void __ip_select_ident(struct iphdr *iph, int segs);
>+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
>
>-static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs)
>+static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
>+ struct sock *sk, int segs)
> {
> struct iphdr *iph = ip_hdr(skb);
>
>@@ -338,13 +339,14 @@ static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, in
> iph->id = 0;
> }
> } else {
>- __ip_select_ident(iph, segs);
>+ __ip_select_ident(net, iph, segs);
> }
> }
>
>-static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk)
>+static inline void ip_select_ident(struct net *net, struct sk_buff *skb,
>+ struct sock *sk)
> {
>- ip_select_ident_segs(skb, sk, 1);
>+ ip_select_ident_segs(net, skb, sk, 1);
> }
>
> static inline __wsum inet_compute_pseudo(struct sk_buff *skb, int proto)
>diff --git a/include/net/ipv6.h b/include/net/ipv6.h
>index c30ba46ef2f0..c4e455f4bfe6 100644
>--- a/include/net/ipv6.h
>+++ b/include/net/ipv6.h
>@@ -688,7 +688,9 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
> return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
> }
>
>-void ipv6_proxy_select_ident(struct sk_buff *skb);
>+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
>+ struct rt6_info *rt);
>+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb);
>
> int ip6_dst_hoplimit(struct dst_entry *dst);
>
>diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
>index 5c53572b5f0d..3b66e31a7819 100644
>--- a/include/net/netfilter/nf_conntrack.h
>+++ b/include/net/netfilter/nf_conntrack.h
>@@ -289,6 +289,8 @@ void init_nf_conntrack_hash_rnd(void);
>
> void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);
>
>+u32 nf_ct_get_id(const struct nf_conn *ct);
>+
> #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
> #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
>
>diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
>index 80a1c572b9a0..213f53d4f6b2 100644
>--- a/include/net/netns/ipv4.h
>+++ b/include/net/netns/ipv4.h
>@@ -7,6 +7,7 @@
>
> #include <linux/uidgid.h>
> #include <net/inet_frag.h>
>+#include <linux/siphash.h>
>
> struct tcpm_hash_bucket;
> struct ctl_table_header;
>@@ -98,5 +99,6 @@ struct netns_ipv4 {
> #endif
> #endif
> atomic_t rt_genid;
>+ siphash_key_t ip_id_key;
> };
> #endif
>diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
>index 32ee65a30aff..1c6e6c0766ca 100644
>--- a/include/net/sctp/checksum.h
>+++ b/include/net/sctp/checksum.h
>@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2,
> static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
> unsigned int offset)
> {
>- struct sctphdr *sh = sctp_hdr(skb);
>+ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
> const struct skb_checksum_ops ops = {
> .update = sctp_csum_update,
> .combine = sctp_csum_combine,
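
Review bot: sh is now computed as skb->data + offset and cast to struct sctphdr *, with no check in sctp_compute_cksum() that offset plus sizeof(struct sctphdr) lies within the linear data of the skb. If every caller guarantees that, say so in a comment above the function; otherwise validate the range before sh is used.
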
>diff --git a/kernel/events/core.c b/kernel/events/core.c
>index e8be52939ed1..3beed0ea98d9 100644
>--- a/kernel/events/core.c
>+++ b/kernel/events/core.c
>@@ -5445,6 +5445,7 @@ static void perf_event_mmap_output(struct perf_event *event,
> struct perf_output_handle handle;
> struct perf_sample_data sample;
> int size = mmap_event->event_id.header.size;
>+ u32 type = mmap_event->event_id.header.type;
> int ret;
>
> if (!perf_event_mmap_match(event, data))
>@@ -5488,6 +5489,7 @@ static void perf_event_mmap_output(struct perf_event *event,
> perf_output_end(&handle);
> out:
> mmap_event->event_id.header.size = size;
>+ mmap_event->event_id.header.type = type;
> }
>
> static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
>diff --git a/kernel/futex.c b/kernel/futex.c
>index 0ee2f54d74fb..99679c0040cc 100644
>--- a/kernel/futex.c
>+++ b/kernel/futex.c
>@@ -2909,6 +2909,10 @@ int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
> {
> u32 uval, uninitialized_var(nval), mval;
>
>+ /* Futex address must be 32bit aligned */
>+ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
>+ return -1;
>+
> retry:
> if (get_user(uval, uaddr))
> return -1;
>diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
>index 328410652be6..f967ff776e5b 100644
>--- a/kernel/sched/fair.c
>+++ b/kernel/sched/fair.c
>@@ -1503,6 +1503,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period)
> if (p->last_task_numa_placement) {
> delta = runtime - p->last_sum_exec_runtime;
> *period = now - p->last_task_numa_placement;
>+
>+ /* Avoid time going backwards, prevent potential divide error: */
>+ if (unlikely((s64)*period < 0))
>+ *period = 0;
> } else {
> delta = p->se.avg.runnable_avg_sum;
> *period = p->se.avg.runnable_avg_period;
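
Review bot: the new comment in numa_get_avg_runtime() says the clamp prevents a divide error, yet the fix sets *period to 0, which reads as the opposite unless one already knows how the caller uses the value. State in the comment what the caller divides by (it is not visible in this hunk) so the reasoning can be checked at this site.
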
>@@ -3704,6 +3708,8 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer)
> return HRTIMER_NORESTART;
> }
>
>+extern const u64 max_cfs_quota_period;
>+
> static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> {
> struct cfs_bandwidth *cfs_b =
>@@ -3711,6 +3717,7 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> ktime_t now;
> int overrun;
> int idle = 0;
>+ int count = 0;
>
> raw_spin_lock(&cfs_b->lock);
> for (;;) {
>@@ -3720,6 +3727,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> if (!overrun)
> break;
>
>+ if (++count > 3) {
>+ u64 new, old = ktime_to_ns(cfs_b->period);
>+
>+ new = (old * 147) / 128; /* ~115% */
>+ new = min(new, max_cfs_quota_period);
>+
>+ cfs_b->period = ns_to_ktime(new);
>+
>+ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */
>+ cfs_b->quota *= new;
>+ cfs_b->quota = div64_u64(cfs_b->quota, old);
>+
>+ pr_warn_ratelimited(
>+ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
>+ smp_processor_id(),
>+ div_u64(new, NSEC_PER_USEC),
>+ div_u64(cfs_b->quota, NSEC_PER_USEC));
>+
>+ /* reset count so we don't come right back in here */
>+ count = 0;
>+ }
>+
> idle = do_sched_cfs_period_timer(cfs_b, overrun);
> }
> raw_spin_unlock(&cfs_b->lock);
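
Review bot: the overflow comment above cfs_b->quota *= new bounds only new, which is capped by max_cfs_quota_period. The product fits in u64 only if cfs_b->quota is bounded as well, and nothing in this hunk establishes that, for instance when quota holds a sentinel for "unlimited". Skip the scaling or check the bound explicitly in that case. Separately, the pr_warn_ratelimited() format uses %lld for the u64 results of div_u64(); %llu matches the type.
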
>@@ -5487,10 +5516,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
> if (cfs_rq->last_h_load_update == now)
> return;
>
>- cfs_rq->h_load_next = NULL;
>+ ACCESS_ONCE(cfs_rq->h_load_next) = NULL;
> for_each_sched_entity(se) {
> cfs_rq = cfs_rq_of(se);
>- cfs_rq->h_load_next = se;
>+ ACCESS_ONCE(cfs_rq->h_load_next) = se;
> if (cfs_rq->last_h_load_update == now)
> break;
> }
>@@ -5500,7 +5529,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
> cfs_rq->last_h_load_update = now;
> }
>
>- while ((se = cfs_rq->h_load_next) != NULL) {
>+ while ((se = ACCESS_ONCE(cfs_rq->h_load_next)) != NULL) {
> load = cfs_rq->h_load;
> load = div64_ul(load * se->avg.load_avg_contrib,
> cfs_rq->runnable_load_avg + 1);
>diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
>index 8ee705e1d472..c59d43d54d32 100644
>--- a/kernel/trace/ftrace.c
>+++ b/kernel/trace/ftrace.c
>@@ -32,6 +32,7 @@
> #include <linux/list.h>
> #include <linux/hash.h>
> #include <linux/rcupdate.h>
>+#include <linux/kprobes.h>
>
> #include <trace/events/sched.h>
>
>@@ -4508,7 +4509,7 @@ static struct ftrace_ops control_ops = {
> INIT_OPS_HASH(control_ops)
> };
>
>-static inline void
>+static nokprobe_inline void
> __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
> struct ftrace_ops *ignored, struct pt_regs *regs)
> {
>@@ -4561,11 +4562,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
> {
> __ftrace_ops_list_func(ip, parent_ip, NULL, regs);
> }
>+NOKPROBE_SYMBOL(ftrace_ops_list_func);
> #else
> static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
> {
> __ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
> }
>+NOKPROBE_SYMBOL(ftrace_ops_no_ops);
> #endif
>
> static void clear_ftrace_swapper(void)
>diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
>index 107e8ce1a87e..89d99ccb1617 100644
>--- a/kernel/trace/ring_buffer.c
>+++ b/kernel/trace/ring_buffer.c
>@@ -729,7 +729,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu)
>
> preempt_disable_notrace();
> time = rb_time_stamp(buffer);
>- preempt_enable_no_resched_notrace();
>+ preempt_enable_notrace();
>
> return time;
> }
>diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
>index 7a638aa3545b..3678fc124dc1 100644
>--- a/lib/Kconfig.debug
>+++ b/lib/Kconfig.debug
>@@ -1550,6 +1550,16 @@ config TEST_STRING_HELPERS
> config TEST_KSTRTOX
> tristate "Test kstrto*() family of functions at runtime"
>
>+config TEST_HASH
>+ tristate "Perform selftest on hash functions"
>+ default n
>+ help
>+ Enable this option to test the kernel's siphash (<linux/siphash.h>)
>+ hash functions on boot (or module load).
>+
>+ This is intended to help people writing architecture-specific
>+ optimized versions. If unsure, say N.
>+
> endmenu # runtime tests
>
> config PROVIDE_OHCI1394_DMA_INIT
>diff --git a/lib/Makefile b/lib/Makefile
>index ba967a19edba..31a4389ff179 100644
>--- a/lib/Makefile
>+++ b/lib/Makefile
>@@ -26,10 +26,11 @@ obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \
> bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \
> gcd.o lcm.o list_sort.o uuid.o flex_array.o iovec.o clz_ctz.o \
> bsearch.o find_last_bit.o find_next_bit.o llist.o memweight.o kfifo.o \
>- percpu-refcount.o percpu_ida.o hash.o
>+ percpu-refcount.o percpu_ida.o hash.o siphash.o
> obj-y += string_helpers.o
> obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o
> obj-y += kstrtox.o
>+obj-$(CONFIG_TEST_HASH) += test_siphash.o
> obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
> obj-$(CONFIG_TEST_MODULE) += test_module.o
> obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
>diff --git a/lib/siphash.c b/lib/siphash.c
>new file mode 100644
>index 000000000000..c43cf406e71b
>--- /dev/null
>+++ b/lib/siphash.c
>@@ -0,0 +1,232 @@
>+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#include <linux/siphash.h>
>+#include <asm/unaligned.h>
>+
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+#include <linux/dcache.h>
>+#include <asm/word-at-a-time.h>
>+#endif
>+
>+#define SIPROUND \
>+ do { \
>+ v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \
>+ v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \
>+ v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \
>+ v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \
>+ } while (0)
>+
>+#define PREAMBLE(len) \
>+ u64 v0 = 0x736f6d6570736575ULL; \
>+ u64 v1 = 0x646f72616e646f6dULL; \
>+ u64 v2 = 0x6c7967656e657261ULL; \
>+ u64 v3 = 0x7465646279746573ULL; \
>+ u64 b = ((u64)(len)) << 56; \
>+ v3 ^= key->key[1]; \
>+ v2 ^= key->key[0]; \
>+ v1 ^= key->key[1]; \
>+ v0 ^= key->key[0];
>+
>+#define POSTAMBLE \
>+ v3 ^= b; \
>+ SIPROUND; \
>+ SIPROUND; \
>+ v0 ^= b; \
>+ v2 ^= 0xff; \
>+ SIPROUND; \
>+ SIPROUND; \
>+ SIPROUND; \
>+ SIPROUND; \
>+ return (v0 ^ v1) ^ (v2 ^ v3);
>+
>+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key)
>+{
>+ const u8 *end = data + len - (len % sizeof(u64));
>+ const u8 left = len & (sizeof(u64) - 1);
>+ u64 m;
>+ PREAMBLE(len)
>+ for (; data != end; data += sizeof(u64)) {
>+ m = le64_to_cpup(data);
>+ v3 ^= m;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= m;
>+ }
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+ if (left)
>+ b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
>+ bytemask_from_count(left)));
>+#else
>+ switch (left) {
>+ case 7: b |= ((u64)end[6]) << 48;
>+ case 6: b |= ((u64)end[5]) << 40;
>+ case 5: b |= ((u64)end[4]) << 32;
>+ case 4: b |= le32_to_cpup(data); break;
>+ case 3: b |= ((u64)end[2]) << 16;
>+ case 2: b |= le16_to_cpup(data); break;
>+ case 1: b |= end[0];
>+ }
>+#endif
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(__siphash_aligned);
>+
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key)
>+{
>+ const u8 *end = data + len - (len % sizeof(u64));
>+ const u8 left = len & (sizeof(u64) - 1);
>+ u64 m;
>+ PREAMBLE(len)
>+ for (; data != end; data += sizeof(u64)) {
>+ m = get_unaligned_le64(data);
>+ v3 ^= m;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= m;
>+ }
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+ if (left)
>+ b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
>+ bytemask_from_count(left)));
>+#else
>+ switch (left) {
>+ case 7: b |= ((u64)end[6]) << 48;
>+ case 6: b |= ((u64)end[5]) << 40;
>+ case 5: b |= ((u64)end[4]) << 32;
>+ case 4: b |= get_unaligned_le32(end); break;
>+ case 3: b |= ((u64)end[2]) << 16;
>+ case 2: b |= get_unaligned_le16(end); break;
>+ case 1: b |= end[0];
>+ }
>+#endif
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(__siphash_unaligned);
>+#endif
>+
>+/**
>+ * siphash_1u64 - compute 64-bit siphash PRF value of a u64
>+ * @first: first u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_1u64(const u64 first, const siphash_key_t *key)
>+{
>+ PREAMBLE(8)
>+ v3 ^= first;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= first;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_1u64);
>+
>+/**
>+ * siphash_2u64 - compute 64-bit siphash PRF value of 2 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_2u64(const u64 first, const u64 second, const siphash_key_t *key)
>+{
>+ PREAMBLE(16)
>+ v3 ^= first;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= first;
>+ v3 ^= second;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= second;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_2u64);
>+
>+/**
>+ * siphash_3u64 - compute 64-bit siphash PRF value of 3 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @third: third u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_3u64(const u64 first, const u64 second, const u64 third,
>+ const siphash_key_t *key)
>+{
>+ PREAMBLE(24)
>+ v3 ^= first;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= first;
>+ v3 ^= second;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= second;
>+ v3 ^= third;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= third;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_3u64);
>+
>+/**
>+ * siphash_4u64 - compute 64-bit siphash PRF value of 4 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @third: third u64
>+ * @forth: forth u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_4u64(const u64 first, const u64 second, const u64 third,
>+ const u64 forth, const siphash_key_t *key)
>+{
>+ PREAMBLE(32)
>+ v3 ^= first;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= first;
>+ v3 ^= second;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= second;
>+ v3 ^= third;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= third;
>+ v3 ^= forth;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= forth;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_4u64);
>+
>+u64 siphash_1u32(const u32 first, const siphash_key_t *key)
>+{
>+ PREAMBLE(4)
>+ b |= first;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_1u32);
>+
>+u64 siphash_3u32(const u32 first, const u32 second, const u32 third,
>+ const siphash_key_t *key)
>+{
>+ u64 combined = (u64)second << 32 | first;
>+ PREAMBLE(12)
>+ v3 ^= combined;
>+ SIPROUND;
>+ SIPROUND;
>+ v0 ^= combined;
>+ b |= third;
>+ POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_3u32);
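
Review bot: siphash_1u32() and siphash_3u32() at the end of this hunk have no kernel-doc block, while siphash_1u64() through siphash_4u64() above each document their arguments and the key; add matching comments so the exported helpers are documented uniformly. In the siphash_4u64() comment, "@forth: forth u64" should read "fourth". The fall-through cases in the `switch (left)` tail handling look intentional but are unmarked; a fall-through comment on each would make that explicit.
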
>diff --git a/lib/string.c b/lib/string.c
>index 80e8bdb60538..94928426f511 100644
>--- a/lib/string.c
>+++ b/lib/string.c
>@@ -776,6 +776,26 @@ __visible int memcmp(const void *cs, const void *ct, size_t count)
> EXPORT_SYMBOL(memcmp);
> #endif
>
>+#ifndef __HAVE_ARCH_BCMP
>+/**
>+ * bcmp - returns 0 if and only if the buffers have identical contents.
>+ * @a: pointer to first buffer.
>+ * @b: pointer to second buffer.
>+ * @len: size of buffers.
>+ *
>+ * The sign or magnitude of a non-zero return value has no particular
>+ * meaning, and architectures may implement their own more efficient bcmp(). So
>+ * while this particular implementation is a simple (tail) call to memcmp, do
>+ * not rely on anything but whether the return value is zero or non-zero.
>+ */
>+#undef bcmp
>+int bcmp(const void *a, const void *b, size_t len)
>+{
>+ return memcmp(a, b, len);
>+}
>+EXPORT_SYMBOL(bcmp);
>+#endif
>+
> #ifndef __HAVE_ARCH_MEMSCAN
> /**
> * memscan - Find a character in an area of memory.
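
Review bot: the `#undef bcmp` ahead of the definition has no comment saying which macro definition it guards against; one line naming the case would save the next reader a search. Since the body is a plain call to memcmp(), the kernel-doc could also state that bcmp() gives no constant-time guarantee, so that the "zero or non-zero only" contract is not read as making it suitable for comparing secrets.
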
>diff --git a/lib/test_siphash.c b/lib/test_siphash.c
>new file mode 100644
>index 000000000000..d972acfc15e4
>--- /dev/null
>+++ b/lib/test_siphash.c
>@@ -0,0 +1,131 @@
>+/* Test cases for siphash.c
>+ *
>+ * Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>+
>+#include <linux/siphash.h>
>+#include <linux/kernel.h>
>+#include <linux/string.h>
>+#include <linux/errno.h>
>+#include <linux/module.h>
>+
>+/* Test vectors taken from official reference source available at:
>+ * https://131002.net/siphash/siphash24.c
>+ */
>+
>+static const siphash_key_t test_key_siphash =
>+ {{ 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }};
>+
>+static const u64 test_vectors_siphash[64] = {
>+ 0x726fdb47dd0e0e31ULL, 0x74f839c593dc67fdULL, 0x0d6c8009d9a94f5aULL,
>+ 0x85676696d7fb7e2dULL, 0xcf2794e0277187b7ULL, 0x18765564cd99a68dULL,
>+ 0xcbc9466e58fee3ceULL, 0xab0200f58b01d137ULL, 0x93f5f5799a932462ULL,
>+ 0x9e0082df0ba9e4b0ULL, 0x7a5dbbc594ddb9f3ULL, 0xf4b32f46226bada7ULL,
>+ 0x751e8fbc860ee5fbULL, 0x14ea5627c0843d90ULL, 0xf723ca908e7af2eeULL,
>+ 0xa129ca6149be45e5ULL, 0x3f2acc7f57c29bdbULL, 0x699ae9f52cbe4794ULL,
>+ 0x4bc1b3f0968dd39cULL, 0xbb6dc91da77961bdULL, 0xbed65cf21aa2ee98ULL,
>+ 0xd0f2cbb02e3b67c7ULL, 0x93536795e3a33e88ULL, 0xa80c038ccd5ccec8ULL,
>+ 0xb8ad50c6f649af94ULL, 0xbce192de8a85b8eaULL, 0x17d835b85bbb15f3ULL,
>+ 0x2f2e6163076bcfadULL, 0xde4daaaca71dc9a5ULL, 0xa6a2506687956571ULL,
>+ 0xad87a3535c49ef28ULL, 0x32d892fad841c342ULL, 0x7127512f72f27cceULL,
>+ 0xa7f32346f95978e3ULL, 0x12e0b01abb051238ULL, 0x15e034d40fa197aeULL,
>+ 0x314dffbe0815a3b4ULL, 0x027990f029623981ULL, 0xcadcd4e59ef40c4dULL,
>+ 0x9abfd8766a33735cULL, 0x0e3ea96b5304a7d0ULL, 0xad0c42d6fc585992ULL,
>+ 0x187306c89bc215a9ULL, 0xd4a60abcf3792b95ULL, 0xf935451de4f21df2ULL,
>+ 0xa9538f0419755787ULL, 0xdb9acddff56ca510ULL, 0xd06c98cd5c0975ebULL,
>+ 0xe612a3cb9ecba951ULL, 0xc766e62cfcadaf96ULL, 0xee64435a9752fe72ULL,
>+ 0xa192d576b245165aULL, 0x0a8787bf8ecb74b2ULL, 0x81b3e73d20b49b6fULL,
>+ 0x7fa8220ba3b2eceaULL, 0x245731c13ca42499ULL, 0xb78dbfaf3a8d83bdULL,
>+ 0xea1ad565322a1a0bULL, 0x60e61c23a3795013ULL, 0x6606d7e446282b93ULL,
>+ 0x6ca4ecb15c5f91e1ULL, 0x9f626da15c9625f3ULL, 0xe51b38608ef25f57ULL,
>+ 0x958a324ceb064572ULL
>+};
>+
>+static int __init siphash_test_init(void)
>+{
>+ u8 in[64] __aligned(SIPHASH_ALIGNMENT);
>+ u8 in_unaligned[65] __aligned(SIPHASH_ALIGNMENT);
>+ u8 i;
>+ int ret = 0;
>+
>+ for (i = 0; i < 64; ++i) {
>+ in[i] = i;
>+ in_unaligned[i + 1] = i;
>+ if (siphash(in, i, &test_key_siphash) !=
>+ test_vectors_siphash[i]) {
>+ pr_info("siphash self-test aligned %u: FAIL\n", i + 1);
>+ ret = -EINVAL;
>+ }
>+ if (siphash(in_unaligned + 1, i, &test_key_siphash) !=
>+ test_vectors_siphash[i]) {
>+ pr_info("siphash self-test unaligned %u: FAIL\n", i + 1);
>+ ret = -EINVAL;
>+ }
>+ }
>+ if (siphash_1u64(0x0706050403020100ULL, &test_key_siphash) !=
>+ test_vectors_siphash[8]) {
>+ pr_info("siphash self-test 1u64: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_2u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+ &test_key_siphash) != test_vectors_siphash[16]) {
>+ pr_info("siphash self-test 2u64: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_3u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+ 0x1716151413121110ULL, &test_key_siphash) !=
>+ test_vectors_siphash[24]) {
>+ pr_info("siphash self-test 3u64: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_4u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+ 0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL,
>+ &test_key_siphash) != test_vectors_siphash[32]) {
>+ pr_info("siphash self-test 4u64: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_1u32(0x03020100U, &test_key_siphash) !=
>+ test_vectors_siphash[4]) {
>+ pr_info("siphash self-test 1u32: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_2u32(0x03020100U, 0x07060504U, &test_key_siphash) !=
>+ test_vectors_siphash[8]) {
>+ pr_info("siphash self-test 2u32: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_3u32(0x03020100U, 0x07060504U,
>+ 0x0b0a0908U, &test_key_siphash) !=
>+ test_vectors_siphash[12]) {
>+ pr_info("siphash self-test 3u32: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (siphash_4u32(0x03020100U, 0x07060504U,
>+ 0x0b0a0908U, 0x0f0e0d0cU, &test_key_siphash) !=
>+ test_vectors_siphash[16]) {
>+ pr_info("siphash self-test 4u32: FAIL\n");
>+ ret = -EINVAL;
>+ }
>+ if (!ret)
>+ pr_info("self-tests: pass\n");
>+ return ret;
>+}
>+
>+static void __exit siphash_test_exit(void)
>+{
>+}
>+
>+module_init(siphash_test_init);
>+module_exit(siphash_test_exit);
>+
>+MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
>+MODULE_LICENSE("Dual BSD/GPL");
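
Review bot: in the loop in siphash_test_init() the FAIL messages print `i + 1`, but the call hashes `i` bytes and compares against test_vectors_siphash[i], so the number in the log is one higher than the failing input length; print `i`, or word the message so it is clearly a 1-based test number. Failures are reported with pr_info(), which is easy to lose at a reduced log level; pr_err() fits a self-test failure better. in_unaligned[0] is never written, which is harmless because hashing starts at in_unaligned + 1, but a comment should say so.
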
>diff --git a/mm/page_alloc.c b/mm/page_alloc.c
>index 7a783dc67305..b491f75f7491 100644
>--- a/mm/page_alloc.c
>+++ b/mm/page_alloc.c
>@@ -3072,6 +3072,49 @@ static inline void show_node(struct zone *zone)
> printk("Node %d ", zone_to_nid(zone));
> }
>
>+long si_mem_available(void)
>+{
>+ long available;
>+ unsigned long pagecache;
>+ unsigned long wmark_low = 0;
>+ unsigned long pages[NR_LRU_LISTS];
>+ struct zone *zone;
>+ int lru;
>+
>+ for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
>+ pages[lru] = global_page_state(NR_LRU_BASE + lru);
>+
>+ for_each_zone(zone)
>+ wmark_low += zone->watermark[WMARK_LOW];
>+
>+ /*
>+ * Estimate the amount of memory available for userspace allocations,
>+ * without causing swapping.
>+ */
>+ available = global_page_state(NR_FREE_PAGES) - totalreserve_pages;
>+
>+ /*
>+ * Not all the page cache can be freed, otherwise the system will
>+ * start swapping. Assume at least half of the page cache, or the
>+ * low watermark worth of cache, needs to stay.
>+ */
>+ pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
>+ pagecache -= min(pagecache / 2, wmark_low);
>+ available += pagecache;
>+
>+ /*
>+ * Part of the reclaimable slab consists of items that are in use,
>+ * and cannot be freed. Cap this estimate at the low watermark.
>+ */
>+ available += global_page_state(NR_SLAB_RECLAIMABLE) -
>+ min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
>+
>+ if (available < 0)
>+ available = 0;
>+ return available;
>+}
>+EXPORT_SYMBOL_GPL(si_mem_available);
>+
> void si_meminfo(struct sysinfo *val)
> {
> val->totalram = totalram_pages;
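
Review bot: the slab estimate in si_mem_available() reads global_page_state(NR_SLAB_RECLAIMABLE) twice in one expression, so the two reads can disagree if the counter changes in between; read it once into a local, as is done for pagecache. The comment above it says the estimate is capped at the low watermark, while the code subtracts min(half, wmark_low); reword the comment to match. The function is exported with EXPORT_SYMBOL_GPL() but has no kernel-doc stating that the return value is in pages.
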
>diff --git a/mm/vmstat.c b/mm/vmstat.c
>index ae3c911843fa..8272a99dce41 100644
>--- a/mm/vmstat.c
>+++ b/mm/vmstat.c
>@@ -861,13 +861,8 @@ const char * const vmstat_text[] = {
> "thp_zero_page_alloc_failed",
> #endif
> #ifdef CONFIG_DEBUG_TLBFLUSH
>-#ifdef CONFIG_SMP
> "nr_tlb_remote_flush",
> "nr_tlb_remote_flush_received",
>-#else
>- "", /* nr_tlb_remote_flush */
>- "", /* nr_tlb_remote_flush_received */
>-#endif /* CONFIG_SMP */
> "nr_tlb_local_flush_all",
> "nr_tlb_local_flush_one",
> #endif /* CONFIG_DEBUG_TLBFLUSH */
>diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
>index 335401d6351c..2a1611e65904 100644
>--- a/net/batman-adv/bridge_loop_avoidance.c
>+++ b/net/batman-adv/bridge_loop_avoidance.c
>@@ -677,6 +677,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
> const uint8_t *mac, const unsigned short vid)
> {
> struct batadv_bla_claim search_claim, *claim;
>+ struct batadv_bla_claim *claim_removed_entry;
>+ struct hlist_node *claim_removed_node;
>
> ether_addr_copy(search_claim.addr, mac);
> search_claim.vid = vid;
>@@ -687,10 +689,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
> batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n",
> mac, BATADV_PRINT_VID(vid));
>
>- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim,
>- batadv_choose_claim, claim);
>- batadv_claim_free_ref(claim); /* reference from the hash is gone */
>+ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash,
>+ batadv_compare_claim,
>+ batadv_choose_claim, claim);
>+ if (!claim_removed_node)
>+ goto free_claim;
>
>+ /* reference from the hash is gone */
>+ claim_removed_entry = hlist_entry(claim_removed_node,
>+ struct batadv_bla_claim, hash_entry);
>+ batadv_claim_free_ref(claim_removed_entry);
>+
>+free_claim:
> /* don't need the reference from hash_find() anymore */
> batadv_claim_free_ref(claim);
> }
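
Review bot: the hash reference is now dropped on claim_removed_entry instead of claim, but nothing in batadv_bla_del_claim() says when the node returned by batadv_hash_remove() can belong to a different object than the one the lookup returned; add a short comment on that, since it is the reason the two free_ref calls may act on different entries. The label free_claim only drops the lookup reference, so a neutral name such as out would be less misleading.
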
>diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
>index c9ac7d948a21..422d54f6a243 100644
>--- a/net/batman-adv/translation-table.c
>+++ b/net/batman-adv/translation-table.c
>@@ -483,14 +483,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
> struct batadv_tt_global_entry *tt_global,
> const char *message)
> {
>+ struct batadv_tt_global_entry *tt_removed_entry;
>+ struct hlist_node *tt_removed_node;
>+
> batadv_dbg(BATADV_DBG_TT, bat_priv,
> "Deleting global tt entry %pM (vid: %d): %s\n",
> tt_global->common.addr,
> BATADV_PRINT_VID(tt_global->common.vid), message);
>
>- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
>- batadv_choose_tt, &tt_global->common);
>- batadv_tt_global_entry_free_ref(tt_global);
>+ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
>+ batadv_compare_tt,
>+ batadv_choose_tt,
>+ &tt_global->common);
>+ if (!tt_removed_node)
>+ return;
>+
>+ /* drop reference of remove hash entry */
>+ tt_removed_entry = hlist_entry(tt_removed_node,
>+ struct batadv_tt_global_entry,
>+ common.hash_entry);
>+ batadv_tt_global_entry_free_ref(tt_removed_entry);
> }
>
> /**
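
Review bot: the new comment "drop reference of remove hash entry" in batadv_tt_global_free() should read "removed hash entry"; the same wording recurs in batadv_tt_local_remove() further down. The batadv_dbg() "Deleting global tt entry" line is emitted before batadv_hash_remove(), so it is also logged when the remove finds nothing and the function returns early; consider moving it after the NULL check.
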
>@@ -1021,9 +1033,10 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
> const uint8_t *addr, unsigned short vid,
> const char *message, bool roaming)
> {
>+ struct batadv_tt_local_entry *tt_removed_entry;
> struct batadv_tt_local_entry *tt_local_entry;
> uint16_t flags, curr_flags = BATADV_NO_FLAGS;
>- void *tt_entry_exists;
>+ struct hlist_node *tt_removed_node;
>
> tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
> if (!tt_local_entry)
>@@ -1052,15 +1065,18 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
> */
> batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
>
>- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
>+ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
> batadv_compare_tt,
> batadv_choose_tt,
> &tt_local_entry->common);
>- if (!tt_entry_exists)
>+ if (!tt_removed_node)
> goto out;
>
>- /* extra call to free the local tt entry */
>- batadv_tt_local_entry_free_ref(tt_local_entry);
>+ /* drop reference of remove hash entry */
>+ tt_removed_entry = hlist_entry(tt_removed_node,
>+ struct batadv_tt_local_entry,
>+ common.hash_entry);
>+ batadv_tt_local_entry_free_ref(tt_removed_entry);
>
> out:
> if (tt_local_entry)
>diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
>index 3c594185de36..7725dd99fdc6 100644
>--- a/net/bridge/br_multicast.c
>+++ b/net/bridge/br_multicast.c
>@@ -2036,7 +2036,8 @@ static void br_multicast_start_querier(struct net_bridge *br,
>
> __br_multicast_open(br, query);
>
>- list_for_each_entry(port, &br->port_list, list) {
>+ rcu_read_lock();
>+ list_for_each_entry_rcu(port, &br->port_list, list) {
> if (port->state == BR_STATE_DISABLED ||
> port->state == BR_STATE_BLOCKING)
> continue;
>@@ -2048,6 +2049,7 @@ static void br_multicast_start_querier(struct net_bridge *br,
> br_multicast_enable(&port->ip6_own_query);
> #endif
> }
>+ rcu_read_unlock();
> }
>
> int br_multicast_toggle(struct net_bridge *br, unsigned long val)
>diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
>index 2cf4e30ac41a..7ddb8b322556 100644
>--- a/net/bridge/br_netfilter.c
>+++ b/net/bridge/br_netfilter.c
>@@ -659,6 +659,8 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
> return NF_DROP;
>
> skb->protocol = htons(ETH_P_IPV6);
>+ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
>+
> NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
> br_nf_pre_routing_finish_ipv6);
>
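
Review bot: in br_nf_pre_routing_ipv6() the transport header is set to network_header + sizeof(struct ipv6hdr), which is the first byte after the fixed header; when the packet carries extension headers this points at the first extension header, not at the upper-layer header. If that is intended, say so in a comment next to the assignment. The IPv4 hunk that follows uses the actual header length (ihl * 4), so the asymmetry deserves a note.
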
>@@ -715,6 +717,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
> return NF_DROP;
> store_orig_dstaddr(skb);
> skb->protocol = htons(ETH_P_IP);
>+ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
>
> NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
> br_nf_pre_routing_finish);
>diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
>index 2df71bc7959d..75929f9bd4e6 100644
>--- a/net/bridge/netfilter/ebtables.c
>+++ b/net/bridge/netfilter/ebtables.c
>@@ -2011,7 +2011,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
> if (match_kern)
> match_kern->match_size = ret;
>
>- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
>+ /* rule should have no remaining data after target */
>+ if (type == EBT_COMPAT_TARGET && size_left)
> return -EINVAL;
>
> match32 = (struct compat_ebt_entry_mwt *) buf;
>diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>index cd332d0fa930..7550d098e3b7 100644
>--- a/net/core/net-sysfs.c
>+++ b/net/core/net-sysfs.c
>@@ -788,6 +788,8 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
> if (error)
> return error;
>
>+ dev_hold(queue->dev);
>+
> if (net->sysfs_rx_queue_group) {
> error = sysfs_create_group(kobj, net->sysfs_rx_queue_group);
> if (error) {
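
Review bot: dev_hold(queue->dev) now runs before sysfs_create_group() in rx_queue_add_kobject(), so the reference is already held on the error path that follows; add a comment at the dev_hold() saying where the matching dev_put() happens and that it also covers that error path, because the pairing is not visible in this function. The same applies to netdev_queue_add_kobject() below.
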
>@@ -797,7 +799,6 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
> }
>
> kobject_uevent(kobj, KOBJ_ADD);
>- dev_hold(queue->dev);
>
> return error;
> }
>@@ -1146,6 +1147,8 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
> if (error)
> return error;
>
>+ dev_hold(queue->dev);
>+
> #ifdef CONFIG_BQL
> error = sysfs_create_group(kobj, &dql_group);
> if (error) {
>@@ -1155,7 +1158,6 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
> #endif
>
> kobject_uevent(kobj, KOBJ_ADD);
>- dev_hold(queue->dev);
>
> return 0;
> }
>diff --git a/net/dccp/feat.c b/net/dccp/feat.c
>index 9733ddbc96cb..fa99d53f29e5 100644
>--- a/net/dccp/feat.c
>+++ b/net/dccp/feat.c
>@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
> if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
> return -ENOMEM;
>
>- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
>+ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
>+ kfree(fval.sp.vec);
>+ return -ENOMEM;
>+ }
>+
>+ return 0;
> }
>
> /**
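
Review bot: in __feat_register_sp() the return value of dccp_feat_push_change() is discarded and replaced with a hard-coded -ENOMEM; keep the callee's value in a local and return it after the kfree(fval.sp.vec), so a different failure reason is not misreported to the caller.
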
>diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
>index 30455bf91b18..c3ed865d262f 100644
>--- a/net/dccp/ipv6.c
>+++ b/net/dccp/ipv6.c
>@@ -491,8 +491,8 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
> newnp->ipv6_mc_list = NULL;
> newnp->ipv6_ac_list = NULL;
> newnp->ipv6_fl_list = NULL;
>- newnp->mcast_oif = inet6_iif(skb);
>- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
>+ newnp->mcast_oif = inet_iif(skb);
>+ newnp->mcast_hops = ip_hdr(skb)->ttl;
>
> /*
> * No need to charge this sock to the relevant IPv6 refcnt debug socks count
>diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
>index 48444c4c3c51..680ce5f4fb65 100644
>--- a/net/ipv4/igmp.c
>+++ b/net/ipv4/igmp.c
>@@ -395,7 +395,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
>
> pip->protocol = IPPROTO_IGMP;
> pip->tot_len = 0; /* filled in later */
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(net, skb, NULL);
> ((u8 *)&pip[1])[0] = IPOPT_RA;
> ((u8 *)&pip[1])[1] = 4;
> ((u8 *)&pip[1])[2] = 0;
>@@ -739,7 +739,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
> iph->daddr = dst;
> iph->saddr = fl4.saddr;
> iph->protocol = IPPROTO_IGMP;
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(net, skb, NULL);
> ((u8 *)&iph[1])[0] = IPOPT_RA;
> ((u8 *)&iph[1])[1] = 4;
> ((u8 *)&iph[1])[2] = 0;
>diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>index 109eddf0248a..2a05dfc9a35e 100644
>--- a/net/ipv4/ip_output.c
>+++ b/net/ipv4/ip_output.c
>@@ -150,7 +150,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
> iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
> iph->saddr = saddr;
> iph->protocol = sk->sk_protocol;
>- ip_select_ident(skb, sk);
>+ ip_select_ident(sock_net(sk), skb, sk);
>
> if (opt && opt->opt.optlen) {
> iph->ihl += opt->opt.optlen>>2;
>@@ -432,7 +432,8 @@ int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
> ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
> }
>
>- ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1);
>+ ip_select_ident_segs(sock_net(sk), skb, sk,
>+ skb_shinfo(skb)->gso_segs ?: 1);
>
> /* TODO : should we use skb->sk here instead of sk ? */
> skb->priority = sk->sk_priority;
>@@ -1385,7 +1386,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
> iph->ttl = ttl;
> iph->protocol = sk->sk_protocol;
> ip_copy_addrs(iph, fl4);
>- ip_select_ident(skb, sk);
>+ ip_select_ident(net, skb, sk);
>
> if (opt) {
> iph->ihl += opt->optlen>>2;
>diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
>index 88c386cf7d85..ce63ab21b6cd 100644
>--- a/net/ipv4/ip_tunnel_core.c
>+++ b/net/ipv4/ip_tunnel_core.c
>@@ -74,7 +74,8 @@ int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
> iph->daddr = dst;
> iph->saddr = src;
> iph->ttl = ttl;
>- __ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1);
>+ __ip_select_ident(dev_net(rt->dst.dev), iph,
>+ skb_shinfo(skb)->gso_segs ?: 1);
>
> err = ip_local_out_sk(sk, skb);
> if (unlikely(net_xmit_eval(err)))
>diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
>index 643ec0bb80a5..5859c0f5bd41 100644
>--- a/net/ipv4/ipmr.c
>+++ b/net/ipv4/ipmr.c
>@@ -1647,7 +1647,8 @@ static struct notifier_block ip_mr_notifier = {
> * important for multicast video.
> */
>
>-static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
>+static void ip_encap(struct net *net, struct sk_buff *skb,
>+ __be32 saddr, __be32 daddr)
> {
> struct iphdr *iph;
> const struct iphdr *old_iph = ip_hdr(skb);
>@@ -1666,7 +1667,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
> iph->protocol = IPPROTO_IPIP;
> iph->ihl = 5;
> iph->tot_len = htons(skb->len);
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(net, skb, NULL);
> ip_send_check(iph);
>
> memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
>@@ -1763,7 +1764,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
> * What do we do with netfilter? -- RR
> */
> if (vif->flags & VIFF_TUNNEL) {
>- ip_encap(skb, vif->local, vif->remote);
>+ ip_encap(net, skb, vif->local, vif->remote);
> /* FIXME: extra output firewall step used to be here. --RR */
> vif->dev->stats.tx_packets++;
> vif->dev->stats.tx_bytes += skb->len;
>diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
>index e43a585abb35..04700c745ca0 100644
>--- a/net/ipv4/raw.c
>+++ b/net/ipv4/raw.c
>@@ -399,7 +399,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
> iph->check = 0;
> iph->tot_len = htons(length);
> if (!iph->id)
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(net, skb, NULL);
>
> iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
> }
>diff --git a/net/ipv4/route.c b/net/ipv4/route.c
>index 660848116761..858596c80e0e 100644
>--- a/net/ipv4/route.c
>+++ b/net/ipv4/route.c
>@@ -484,19 +484,19 @@ u32 ip_idents_reserve(u32 hash, int segs)
> }
> EXPORT_SYMBOL(ip_idents_reserve);
>
>-void __ip_select_ident(struct iphdr *iph, int segs)
>+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
> {
>- static u32 ip_idents_hashrnd __read_mostly;
>- static u32 ip_idents_hashrnd_extra __read_mostly;
> u32 hash, id;
>
>- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
>- net_get_random_once(&ip_idents_hashrnd_extra, sizeof(ip_idents_hashrnd_extra));
>+ /* Note the following code is not safe, but this is okay. */
>+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
>+ get_random_bytes(&net->ipv4.ip_id_key,
>+ sizeof(net->ipv4.ip_id_key));
>
>- hash = jhash_3words((__force u32)iph->daddr,
>+ hash = siphash_3u32((__force u32)iph->daddr,
> (__force u32)iph->saddr,
>- iph->protocol ^ ip_idents_hashrnd_extra,
>- ip_idents_hashrnd);
>+ iph->protocol,
>+ &net->ipv4.ip_id_key);
> id = ip_idents_reserve(hash, segs);
> iph->id = htons(id);
> }
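
Review bot: the comment "Note the following code is not safe, but this is okay." in __ip_select_ident() does not say what is unsafe or why that is acceptable. As written, the siphash_key_is_zero() check and the get_random_bytes() fill are not serialised, so two callers can both see a zero key and both write it, and a hash computed in between can use a partly written key; spell that out and state the consequence (a few early IDs derived from a different key), so the pattern is not copied to a place where it matters.
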
>diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
>index 91771a7c802f..35feda676464 100644
>--- a/net/ipv4/xfrm4_mode_tunnel.c
>+++ b/net/ipv4/xfrm4_mode_tunnel.c
>@@ -63,7 +63,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
>
> top_iph->saddr = x->props.saddr.a4;
> top_iph->daddr = x->id.daddr.a4;
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(dev_net(dst->dev), skb, NULL);
>
> return 0;
> }
>diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
>index 3a4c1f93023a..1b99e1406186 100644
>--- a/net/ipv4/xfrm4_policy.c
>+++ b/net/ipv4/xfrm4_policy.c
>@@ -103,7 +103,8 @@ static void
> _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> {
> const struct iphdr *iph = ip_hdr(skb);
>- u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
>+ int ihl = iph->ihl;
>+ u8 *xprth = skb_network_header(skb) + ihl * 4;
> struct flowi4 *fl4 = &fl->u.ip4;
> int oif = 0;
>
>@@ -114,6 +115,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> fl4->flowi4_mark = skb->mark;
> fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
>
>+ fl4->flowi4_proto = iph->protocol;
>+ fl4->daddr = reverse ? iph->saddr : iph->daddr;
>+ fl4->saddr = reverse ? iph->daddr : iph->saddr;
>+ fl4->flowi4_tos = iph->tos;
>+
> if (!ip_is_fragment(iph)) {
> switch (iph->protocol) {
> case IPPROTO_UDP:
>@@ -123,7 +129,10 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> case IPPROTO_DCCP:
> if (xprth + 4 < skb->data ||
> pskb_may_pull(skb, xprth + 4 - skb->data)) {
>- __be16 *ports = (__be16 *)xprth;
>+ __be16 *ports;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ ports = (__be16 *)xprth;
>
> fl4->fl4_sport = ports[!!reverse];
> fl4->fl4_dport = ports[!reverse];
>@@ -131,8 +140,12 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> break;
>
> case IPPROTO_ICMP:
>- if (pskb_may_pull(skb, xprth + 2 - skb->data)) {
>- u8 *icmp = xprth;
>+ if (xprth + 2 < skb->data ||
>+ pskb_may_pull(skb, xprth + 2 - skb->data)) {
>+ u8 *icmp;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ icmp = xprth;
>
> fl4->fl4_icmp_type = icmp[0];
> fl4->fl4_icmp_code = icmp[1];
>@@ -140,33 +153,50 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> break;
>
> case IPPROTO_ESP:
>- if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
>- __be32 *ehdr = (__be32 *)xprth;
>+ if (xprth + 4 < skb->data ||
>+ pskb_may_pull(skb, xprth + 4 - skb->data)) {
>+ __be32 *ehdr;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ ehdr = (__be32 *)xprth;
>
> fl4->fl4_ipsec_spi = ehdr[0];
> }
> break;
>
> case IPPROTO_AH:
>- if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
>- __be32 *ah_hdr = (__be32 *)xprth;
>+ if (xprth + 8 < skb->data ||
>+ pskb_may_pull(skb, xprth + 8 - skb->data)) {
>+ __be32 *ah_hdr;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ ah_hdr = (__be32 *)xprth;
>
> fl4->fl4_ipsec_spi = ah_hdr[1];
> }
> break;
>
> case IPPROTO_COMP:
>- if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
>- __be16 *ipcomp_hdr = (__be16 *)xprth;
>+ if (xprth + 4 < skb->data ||
>+ pskb_may_pull(skb, xprth + 4 - skb->data)) {
>+ __be16 *ipcomp_hdr;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ ipcomp_hdr = (__be16 *)xprth;
>
> fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
> }
> break;
>
> case IPPROTO_GRE:
>- if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
>- __be16 *greflags = (__be16 *)xprth;
>- __be32 *gre_hdr = (__be32 *)xprth;
>+ if (xprth + 12 < skb->data ||
>+ pskb_may_pull(skb, xprth + 12 - skb->data)) {
>+ __be16 *greflags;
>+ __be32 *gre_hdr;
>+
>+ xprth = skb_network_header(skb) + ihl * 4;
>+ greflags = (__be16 *)xprth;
>+ gre_hdr = (__be32 *)xprth;
>
> if (greflags[0] & GRE_KEY) {
> if (greflags[0] & GRE_CSUM)
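
Review bot: each case in _decode_session4() now repeats the same three steps (the `xprth + N < skb->data ||` test, pskb_may_pull(), then reloading xprth from skb_network_header(skb) + ihl * 4) with no comment on why the reload is needed; add a line saying the pull may move the header data, which is also why ihl is cached up front instead of re-reading iph. With the copies differing only in N, a small helper that takes the length and returns the reloaded pointer or NULL would remove the duplication and the risk of one case missing the reload.
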
>@@ -181,10 +211,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> break;
> }
> }
>- fl4->flowi4_proto = iph->protocol;
>- fl4->daddr = reverse ? iph->saddr : iph->daddr;
>- fl4->saddr = reverse ? iph->daddr : iph->saddr;
>- fl4->flowi4_tos = iph->tos;
> }
>
> static inline int xfrm4_garbage_collect(struct dst_ops *ops)
>diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
>index f40ba684d69b..d8e8008aa7a4 100644
>--- a/net/ipv6/ip6_flowlabel.c
>+++ b/net/ipv6/ip6_flowlabel.c
>@@ -94,16 +94,22 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
> return fl;
> }
>
>+static void fl_free_rcu(struct rcu_head *head)
>+{
>+ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu);
>+
>+ if (fl->share == IPV6_FL_S_PROCESS)
>+ put_pid(fl->owner.pid);
>+ release_net(fl->fl_net);
>+ kfree(fl->opt);
>+ kfree(fl);
>+}
>+
>
> static void fl_free(struct ip6_flowlabel *fl)
> {
>- if (fl) {
>- if (fl->share == IPV6_FL_S_PROCESS)
>- put_pid(fl->owner.pid);
>- release_net(fl->fl_net);
>- kfree(fl->opt);
>- kfree_rcu(fl, rcu);
>- }
>+ if (fl)
>+ call_rcu(&fl->rcu, fl_free_rcu);
> }
>
> static void fl_release(struct ip6_flowlabel *fl)
>@@ -630,9 +636,9 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
> if (fl1->share == IPV6_FL_S_EXCL ||
> fl1->share != fl->share ||
> ((fl1->share == IPV6_FL_S_PROCESS) &&
>- (fl1->owner.pid == fl->owner.pid)) ||
>+ (fl1->owner.pid != fl->owner.pid)) ||
> ((fl1->share == IPV6_FL_S_USER) &&
>- uid_eq(fl1->owner.uid, fl->owner.uid)))
>+ !uid_eq(fl1->owner.uid, fl->owner.uid)))
> goto release;
>
> err = -ENOMEM;
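
Review bot: this hunk flips two comparisons inside a four-way condition in ipv6_flowlabel_opt() that carries no comment; add one above the `if` stating the rule as the code now implements it: refuse when the existing label (fl1) is exclusive, when the share modes differ, when a process-shared label belongs to a different pid, or when a user-shared label belongs to a different uid.
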
>diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>index bb98cde51476..1e68db035daf 100644
>--- a/net/ipv6/ip6_output.c
>+++ b/net/ipv6/ip6_output.c
>@@ -538,23 +538,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
> skb_copy_secmark(to, from);
> }
>
>-static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
>-{
>- static u32 ip6_idents_hashrnd __read_mostly;
>- static u32 ip6_idents_hashrnd_extra __read_mostly;
>- u32 hash, id;
>-
>- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
>- net_get_random_once(&ip6_idents_hashrnd_extra, sizeof(ip6_idents_hashrnd_extra));
>-
>- hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
>- hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
>- hash = jhash_1word(hash, ip6_idents_hashrnd_extra);
>-
>- id = ip_idents_reserve(hash, 1);
>- fhdr->identification = htonl(id);
>-}
>-
> int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> {
> struct sk_buff *frag;
>@@ -649,7 +632,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> skb_reset_network_header(skb);
> memcpy(skb_network_header(skb), tmp_hdr, hlen);
>
>- ipv6_select_ident(fh, rt);
>+ ipv6_select_ident(net, fh, rt);
> fh->nexthdr = nexthdr;
> fh->reserved = 0;
> fh->frag_off = htons(IP6_MF);
>@@ -802,7 +785,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> fh->nexthdr = nexthdr;
> fh->reserved = 0;
> if (!frag_id) {
>- ipv6_select_ident(fh, rt);
>+ ipv6_select_ident(net, fh, rt);
> frag_id = fh->identification;
> } else
> fh->identification = frag_id;
>@@ -1096,7 +1079,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
> sizeof(struct frag_hdr)) & ~7;
> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>- ipv6_select_ident(&fhdr, rt);
>+ ipv6_select_ident(sock_net(sk), &fhdr, rt);
> skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
>
> append:
>diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
>index 42978998534c..5733b05558a5 100644
>--- a/net/ipv6/ip6mr.c
>+++ b/net/ipv6/ip6mr.c
>@@ -1662,6 +1662,10 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
> struct net *net = sock_net(sk);
> struct mr6_table *mrt;
>
>+ if (sk->sk_type != SOCK_RAW ||
>+ inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>+ return -EOPNOTSUPP;
>+
> mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
> if (mrt == NULL)
> return -ENOENT;
>@@ -1673,9 +1677,6 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
>
> switch (optname) {
> case MRT6_INIT:
>- if (sk->sk_type != SOCK_RAW ||
>- inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>- return -EOPNOTSUPP;
> if (optlen < sizeof(int))
> return -EINVAL;
>
>@@ -1812,6 +1813,10 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
> struct net *net = sock_net(sk);
> struct mr6_table *mrt;
>
>+ if (sk->sk_type != SOCK_RAW ||
>+ inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>+ return -EOPNOTSUPP;
>+
> mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
> if (mrt == NULL)
> return -ENOENT;
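
Review bot: the SOCK_RAW / IPPROTO_ICMPV6 check is now open-coded at the top of both ip6_mroute_setsockopt() and ip6_mroute_getsockopt(), directly ahead of the raw6_sk(sk) use; add a comment that the check must stay before raw6_sk(sk), since that accessor is only meaningful for a raw socket, and consider a small helper so the two copies cannot drift apart.
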
>diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
>index e32c1ff35f78..a8274abad231 100644
>--- a/net/ipv6/output_core.c
>+++ b/net/ipv6/output_core.c
>@@ -9,6 +9,36 @@
> #include <net/addrconf.h>
> #include <net/secure_seq.h>
>
>+static u32 __ipv6_select_ident(struct net *net,
>+ struct in6_addr *dst, struct in6_addr *src)
>+{
>+ const struct {
>+ struct in6_addr dst;
>+ struct in6_addr src;
>+ } __aligned(SIPHASH_ALIGNMENT) combined = {
>+ .dst = *dst,
>+ .src = *src,
>+ };
>+ u32 hash, id;
>+
>+ /* Note the following code is not safe, but this is okay. */
>+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
>+ get_random_bytes(&net->ipv4.ip_id_key,
>+ sizeof(net->ipv4.ip_id_key));
>+
>+ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
>+
>+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
>+ * set the hight order instead thus minimizing possible future
>+ * collisions.
>+ */
>+ id = ip_idents_reserve(hash, 1);
>+ if (unlikely(!id))
>+ id = 1 << 31;
>+
>+ return id;
>+}
>+
> /* This function exists only for tap drivers that must support broken
> * clients requesting UFO without specifying an IPv6 fragment ID.
> *
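
Review bot: `id = 1 << 31;` in __ipv6_select_ident() shifts a signed int into its sign bit; write `1U << 31`, as id is a u32. The comment above it has a typo, "hight order", and should say "high-order bit". The IPv6 path keys the hash with net->ipv4.ip_id_key; a brief note that sharing the key with IPv4 is deliberate would help, and the "not safe, but this is okay" comment needs the same explanation as the one in __ip_select_ident().
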
>@@ -17,12 +47,11 @@
> *
> * The network header must be set before calling this.
> */
>-void ipv6_proxy_select_ident(struct sk_buff *skb)
>+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
> {
>- static u32 ip6_proxy_idents_hashrnd __read_mostly;
> struct in6_addr buf[2];
> struct in6_addr *addrs;
>- u32 hash, id;
>+ u32 id;
>
> addrs = skb_header_pointer(skb,
> skb_network_offset(skb) +
>@@ -31,17 +60,21 @@ void ipv6_proxy_select_ident(struct sk_buff *skb)
> if (!addrs)
> return;
>
>- net_get_random_once(&ip6_proxy_idents_hashrnd,
>- sizeof(ip6_proxy_idents_hashrnd));
>-
>- hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd);
>- hash = __ipv6_addr_jhash(&addrs[0], hash);
>-
>- id = ip_idents_reserve(hash, 1);
>+ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
> skb_shinfo(skb)->ip6_frag_id = htonl(id);
> }
> EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
>
>+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
>+ struct rt6_info *rt)
>+{
>+ u32 id;
>+
>+ id = __ipv6_select_ident(net, &rt->rt6i_dst.addr, &rt->rt6i_src.addr);
>+ fhdr->identification = htonl(id);
>+}
>+EXPORT_SYMBOL(ipv6_select_ident);
>+
> int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
> {
> unsigned int offset = sizeof(struct ipv6hdr);
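
Review bot: The new ipv6_select_ident() is exported with EXPORT_SYMBOL while ipv6_proxy_select_ident() just above it uses EXPORT_SYMBOL_GPL; unless that difference is deliberate it should be stated in the changelog or made consistent. The call "__ipv6_select_ident(net, &addrs[1], &addrs[0])" also depends on addrs[1] being the destination and addrs[0] the source, which is only implied by the helper's (net, dst, src) parameter order; a short comment at the call site would make the ordering checkable.
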
>diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
>index 70a0f92cbbc0..4370371e0aa6 100644
>--- a/net/ipv6/tcp_ipv6.c
>+++ b/net/ipv6/tcp_ipv6.c
>@@ -1183,11 +1183,11 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
> newnp->ipv6_fl_list = NULL;
> newnp->pktoptions = NULL;
> newnp->opt = NULL;
>- newnp->mcast_oif = inet6_iif(skb);
>- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
>- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
>+ newnp->mcast_oif = inet_iif(skb);
>+ newnp->mcast_hops = ip_hdr(skb)->ttl;
>+ newnp->rcv_flowinfo = 0;
> if (np->repflow)
>- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
>+ newnp->flow_label = 0;
>
> /*
> * No need to charge this sock to the relevant IPv6 refcnt debug socks count
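
Review bot: Nothing in this hunk says that skb carries an IPv4 header at this point, so the switch from ipv6_hdr()/inet6_iif() to ip_hdr()/inet_iif() in an IPv6 file reads like a mistake without context. A one-line comment above the three assignments should name the case being handled. The "if (np->repflow)" guard now only decides whether a constant 0 is stored in newnp->flow_label; either make the assignment unconditional or say why the field is left untouched when repflow is clear.
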
>diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
>index fa9ea1a72f99..28d02353743f 100644
>--- a/net/ipv6/udp_offload.c
>+++ b/net/ipv6/udp_offload.c
>@@ -75,6 +75,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
>
> skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
>
>+ /* Set the IPv6 fragment id if not set yet */
>+ if (!skb_shinfo(skb)->ip6_frag_id)
>+ ipv6_proxy_select_ident(dev_net(skb->dev), skb);
>+
> segs = NULL;
> goto out;
> }
>@@ -120,6 +124,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
> fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
> fptr->nexthdr = nexthdr;
> fptr->reserved = 0;
>+ if (!skb_shinfo(skb)->ip6_frag_id)
>+ ipv6_proxy_select_ident(dev_net(skb->dev), skb);
> fptr->identification = skb_shinfo(skb)->ip6_frag_id;
>
> /* Fragment the skb. ipv6 header and the remaining fields of the
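
Review bot: The fallback added before "fptr->identification = ..." can still leave the ID at zero, because ipv6_proxy_select_ident() returns without writing ip6_frag_id when skb_header_pointer() fails (the "if (!addrs) return;" path in output_core.c). If a zero identification is not acceptable here, the result needs to be checked; if it is acceptable, say so in a comment. This copy of the check also lacks the "Set the IPv6 fragment id if not set yet" comment that the first hunk has, and both copies dereference skb->dev through dev_net() without stating why it cannot be NULL on this path.
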
>diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
>index 1c66465a42dd..f1491b0004cd 100644
>--- a/net/ipv6/xfrm6_tunnel.c
>+++ b/net/ipv6/xfrm6_tunnel.c
>@@ -390,6 +390,10 @@ static void __exit xfrm6_tunnel_fini(void)
> xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
> xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
> unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
>+ /* Someone maybe has gotten the xfrm6_tunnel_spi.
>+ * So need to wait it.
>+ */
>+ rcu_barrier();
> kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
> }
>
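
Review bot: The comment above rcu_barrier() ("Someone maybe has gotten the xfrm6_tunnel_spi. So need to wait it.") does not explain the ordering requirement. It should say that RCU callbacks which free xfrm6_tunnel_spi objects may still be pending and must complete before kmem_cache_destroy(xfrm6_tunnel_spi_kmem) runs, so a later reader does not move or drop the barrier.
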
>diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
>index 661252aeb7e0..c8b5c8c355b4 100644
>--- a/net/l2tp/l2tp_core.c
>+++ b/net/l2tp/l2tp_core.c
>@@ -217,8 +217,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
>
> rcu_read_lock_bh();
> list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
>- if (tunnel->tunnel_id == tunnel_id) {
>- l2tp_tunnel_inc_refcount(tunnel);
>+ if (tunnel->tunnel_id == tunnel_id &&
>+ atomic_inc_not_zero(&tunnel->ref_count)) {
> rcu_read_unlock_bh();
>
> return tunnel;
>@@ -238,8 +238,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
>
> rcu_read_lock_bh();
> list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
>- if (++count > nth) {
>- l2tp_tunnel_inc_refcount(tunnel);
>+ if (++count > nth &&
>+ atomic_inc_not_zero(&tunnel->ref_count)) {
> rcu_read_unlock_bh();
> return tunnel;
> }
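
Review bot: In l2tp_tunnel_get_nth(), when atomic_inc_not_zero() fails the counter has already passed nth, so the loop goes on and returns the next tunnel with a live reference instead of NULL. That is probably the intended behaviour for a dump iterator, but it changes what "nth" means and should be documented in a comment. Both lookup functions now open-code atomic_inc_not_zero(&tunnel->ref_count) where l2tp_tunnel_inc_refcount() was used before; a matching helper would keep refcount handling in one place.
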
>@@ -997,7 +997,7 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
> {
> struct l2tp_tunnel *tunnel;
>
>- tunnel = l2tp_tunnel(sk);
>+ tunnel = rcu_dereference_sk_user_data(sk);
> if (tunnel == NULL)
> goto pass_up;
>
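
Review bot: rcu_dereference_sk_user_data(sk) in l2tp_udp_encap_recv() is only valid inside an RCU read-side critical section, and the hunk shows no rcu_read_lock() in this function. Add a comment naming the caller that provides it, so the requirement is visible to anyone who later calls this function from another context.
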
>diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
>index 1ab5e1a51c98..607d8fdd5e68 100644
>--- a/net/mac80211/debugfs_netdev.c
>+++ b/net/mac80211/debugfs_netdev.c
>@@ -735,7 +735,7 @@ void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
>
> dir = sdata->vif.debugfs_dir;
>
>- if (!dir)
>+ if (IS_ERR_OR_NULL(dir))
> return;
>
> sprintf(buf, "netdev:%s", sdata->name);
>diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
>index 7abd786d9d89..44fa945ed6b4 100644
>--- a/net/netfilter/ipvs/ip_vs_xmit.c
>+++ b/net/netfilter/ipvs/ip_vs_xmit.c
>@@ -813,7 +813,8 @@ int
> ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
> struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
> {
>- struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
>+ struct net *net = skb_net(skb);
>+ struct netns_ipvs *ipvs = net_ipvs(net);
> struct rtable *rt; /* Route to the other host */
> __be32 saddr; /* Source for tunnel */
> struct net_device *tdev; /* Device to other host */
>@@ -882,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
> iph->daddr = cp->daddr.ip;
> iph->saddr = saddr;
> iph->ttl = old_iph->ttl;
>- ip_select_ident(skb, NULL);
>+ ip_select_ident(net, skb, NULL);
>
> /* Another hack: avoid icmp_send in ip_fragment */
> skb->ignore_df = 1;
>diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>index cdd47388723b..170681b21d25 100644
>--- a/net/netfilter/nf_conntrack_core.c
>+++ b/net/netfilter/nf_conntrack_core.c
>@@ -23,6 +23,7 @@
> #include <linux/slab.h>
> #include <linux/random.h>
> #include <linux/jhash.h>
>+#include <linux/siphash.h>
> #include <linux/err.h>
> #include <linux/percpu.h>
> #include <linux/moduleparam.h>
>@@ -52,6 +53,7 @@
> #include <net/netfilter/nf_nat.h>
> #include <net/netfilter/nf_nat_core.h>
> #include <net/netfilter/nf_nat_helper.h>
>+#include <net/netns/hash.h>
>
> #define NF_CONNTRACK_VERSION "0.5.0"
>
>@@ -232,6 +234,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
> }
> EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
>
>+/* Generate a almost-unique pseudo-id for a given conntrack.
>+ *
>+ * intentionally doesn't re-use any of the seeds used for hash
>+ * table location, we assume id gets exposed to userspace.
>+ *
>+ * Following nf_conn items do not change throughout lifetime
>+ * of the nf_conn after it has been committed to main hash table:
>+ *
>+ * 1. nf_conn address
>+ * 2. nf_conn->ext address
>+ * 3. nf_conn->master address (normally NULL)
>+ * 4. tuple
>+ * 5. the associated net namespace
>+ */
>+u32 nf_ct_get_id(const struct nf_conn *ct)
>+{
>+ static __read_mostly siphash_key_t ct_id_seed;
>+ unsigned long a, b, c, d;
>+
>+ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
>+
>+ a = (unsigned long)ct;
>+ b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
>+ c = (unsigned long)ct->ext;
>+ d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
>+ &ct_id_seed);
>+#ifdef CONFIG_64BIT
>+ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
>+#else
>+ return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);
>+#endif
>+}
>+EXPORT_SYMBOL_GPL(nf_ct_get_id);
>+
> static void
> clean_from_lists(struct nf_conn *ct)
> {
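
Review bot: nf_ct_get_id() returns u32 but its return statements pass through the 64-bit result of siphash_4u64() (and d is likewise narrowed to unsigned long on 32-bit), so the truncation is implicit; an explicit (u32) cast would show it is intended. The header comment says the inputs are stable only "after it has been committed to main hash table", yet nothing enforces or documents that callers must not use the ID for an unconfirmed entry; state that requirement in the comment or check it. Minor: "Generate a almost-unique" should read "an almost-unique".
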
>diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>index faa736bae869..b9bf8b0f4ec1 100644
>--- a/net/netfilter/nf_conntrack_netlink.c
>+++ b/net/netfilter/nf_conntrack_netlink.c
>@@ -29,6 +29,7 @@
> #include <linux/spinlock.h>
> #include <linux/interrupt.h>
> #include <linux/slab.h>
>+#include <linux/siphash.h>
>
> #include <linux/netfilter.h>
> #include <net/netlink.h>
>@@ -435,7 +436,9 @@ ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
> static inline int
> ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
> {
>- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
>+ __be32 id = (__force __be32)nf_ct_get_id(ct);
>+
>+ if (nla_put_be32(skb, CTA_ID, id))
> goto nla_put_failure;
> return 0;
>
>@@ -1047,8 +1050,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
> ct = nf_ct_tuplehash_to_ctrack(h);
>
> if (cda[CTA_ID]) {
>- u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
>- if (id != (u32)(unsigned long)ct) {
>+ __be32 id = nla_get_be32(cda[CTA_ID]);
>+
>+ if (id != (__force __be32)nf_ct_get_id(ct)) {
> nf_ct_put(ct);
> return -ENOENT;
> }
>@@ -2321,6 +2325,25 @@ ctnetlink_exp_dump_mask(struct sk_buff *skb,
>
> static const union nf_inet_addr any_addr;
>
>+static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
>+{
>+ static __read_mostly siphash_key_t exp_id_seed;
>+ unsigned long a, b, c, d;
>+
>+ net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
>+
>+ a = (unsigned long)exp;
>+ b = (unsigned long)exp->helper;
>+ c = (unsigned long)exp->master;
>+ d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
>+
>+#ifdef CONFIG_64BIT
>+ return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
>+#else
>+ return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
>+#endif
>+}
>+
> static int
> ctnetlink_exp_dump_expect(struct sk_buff *skb,
> const struct nf_conntrack_expect *exp)
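
Review bot: nf_expect_get_id() returns __be32 directly, while nf_ct_get_id() returns u32 and leaves the (__force __be32) cast to each caller; pick one convention for both helpers. This helper also lacks the comment that nf_ct_get_id() carries about which inputs stay constant over the object's lifetime. Since the expectation ID is compared against a user-supplied value in ctnetlink_get_expect(), it should say that exp, exp->helper, exp->master and exp->tuple do not change between dump and lookup.
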
>@@ -2368,7 +2391,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
> }
> #endif
> if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
>- nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
>+ nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
> nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
> nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
> goto nla_put_failure;
>@@ -2664,7 +2687,8 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
>
> if (cda[CTA_EXPECT_ID]) {
> __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
>- if (ntohl(id) != (u32)(unsigned long)exp) {
>+
>+ if (id != nf_expect_get_id(exp)) {
> nf_ct_expect_put(exp);
> return -ENOENT;
> }
>diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>index 20a844788443..0777d98d3dec 100644
>--- a/net/packet/af_packet.c
>+++ b/net/packet/af_packet.c
>@@ -2278,8 +2278,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> void *ph;
> DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);
> bool need_wait = !(msg->msg_flags & MSG_DONTWAIT);
>+ unsigned char *addr = NULL;
> int tp_len, size_max;
>- unsigned char *addr;
> int len_sum = 0;
> int status = TP_STATUS_AVAILABLE;
> int hlen, tlen;
>@@ -2289,7 +2289,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> if (likely(saddr == NULL)) {
> dev = packet_cached_dev_get(po);
> proto = po->num;
>- addr = NULL;
> } else {
> err = -EINVAL;
> if (msg->msg_namelen < sizeof(struct sockaddr_ll))
>@@ -2299,10 +2298,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> sll_addr)))
> goto out;
> proto = saddr->sll_protocol;
>- addr = saddr->sll_halen ? saddr->sll_addr : NULL;
> dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
>- if (addr && dev && saddr->sll_halen < dev->addr_len)
>- goto out_put;
>+ if (po->sk.sk_socket->type == SOCK_DGRAM) {
>+ if (dev && msg->msg_namelen < dev->addr_len +
>+ offsetof(struct sockaddr_ll, sll_addr))
>+ goto out_put;
>+ addr = saddr->sll_addr;
>+ }
> }
>
> err = -ENXIO;
>@@ -2435,7 +2437,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> struct sk_buff *skb;
> struct net_device *dev;
> __be16 proto;
>- unsigned char *addr;
>+ unsigned char *addr = NULL;
> int err, reserve = 0;
> struct virtio_net_hdr vnet_hdr = { 0 };
> int offset = 0;
>@@ -2453,7 +2455,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> if (likely(saddr == NULL)) {
> dev = packet_cached_dev_get(po);
> proto = po->num;
>- addr = NULL;
> } else {
> err = -EINVAL;
> if (msg->msg_namelen < sizeof(struct sockaddr_ll))
>@@ -2461,10 +2462,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
> goto out;
> proto = saddr->sll_protocol;
>- addr = saddr->sll_halen ? saddr->sll_addr : NULL;
> dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
>- if (addr && dev && saddr->sll_halen < dev->addr_len)
>- goto out_unlock;
>+ if (sock->type == SOCK_DGRAM) {
>+ if (dev && msg->msg_namelen < dev->addr_len +
>+ offsetof(struct sockaddr_ll, sll_addr))
>+ goto out_unlock;
>+ addr = saddr->sll_addr;
>+ }
> }
>
> err = -ENXIO;
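
Review bot: The SOCK_DGRAM block added to packet_snd() is the same validation as the one added to tpacket_snd() in the earlier hunk, differing only in the goto label and in how the socket type is reached. A shared helper that takes msg, saddr and dev and returns the address pointer or an error would avoid maintaining the length arithmetic (dev->addr_len + offsetof(struct sockaddr_ll, sll_addr)) in two places. The change also stops consulting saddr->sll_halen when choosing addr; a comment should say that the device's addr_len is now the authority for how many bytes of sll_addr are read.
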
>@@ -3027,19 +3031,28 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
> sock_recv_ts_and_drops(msg, sk, skb);
>
> if (msg->msg_name) {
>+ int copy_len;
>+
> /* If the address length field is there to be filled
> * in, we fill it in now.
> */
> if (sock->type == SOCK_PACKET) {
> __sockaddr_check_size(sizeof(struct sockaddr_pkt));
> msg->msg_namelen = sizeof(struct sockaddr_pkt);
>+ copy_len = msg->msg_namelen;
> } else {
> struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
> msg->msg_namelen = sll->sll_halen +
> offsetof(struct sockaddr_ll, sll_addr);
>+ copy_len = msg->msg_namelen;
>+ if (msg->msg_namelen < sizeof(struct sockaddr_ll)) {
>+ memset(msg->msg_name +
>+ offsetof(struct sockaddr_ll, sll_addr),
>+ 0, sizeof(sll->sll_addr));
>+ msg->msg_namelen = sizeof(struct sockaddr_ll);
>+ }
> }
>- memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
>- msg->msg_namelen);
>+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
> }
>
> if (pkt_sk(sk)->auxdata) {
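
Review bot: The new memset()/copy_len logic in packet_recvmsg() has no comment explaining why msg_namelen is raised to sizeof(struct sockaddr_ll) while only copy_len bytes are copied. It should state that the bytes of sll_addr beyond sll_halen are zero-filled so the caller never sees stale data in the reported length, and that the memset() must stay before the memcpy() because the copy overwrites the start of the zeroed region.
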
>diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
>index 344456206b70..d5199b25b821 100644
>--- a/net/rose/rose_loopback.c
>+++ b/net/rose/rose_loopback.c
>@@ -16,15 +16,19 @@
> #include <linux/init.h>
>
> static struct sk_buff_head loopback_queue;
>+#define ROSE_LOOPBACK_LIMIT 1000
> static struct timer_list loopback_timer;
>
> static void rose_set_loopback_timer(void);
>+static void rose_loopback_timer(unsigned long);
>
> void rose_loopback_init(void)
> {
> skb_queue_head_init(&loopback_queue);
>
> init_timer(&loopback_timer);
>+ loopback_timer.data = 0;
>+ loopback_timer.function = &rose_loopback_timer;
> }
>
> static int rose_loopback_running(void)
>@@ -34,33 +38,27 @@ static int rose_loopback_running(void)
>
> int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
> {
>- struct sk_buff *skbn;
>-
>- skbn = skb_clone(skb, GFP_ATOMIC);
>+ struct sk_buff *skbn = NULL;
>
>- kfree_skb(skb);
>+ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
>+ skbn = skb_clone(skb, GFP_ATOMIC);
>
>- if (skbn != NULL) {
>+ if (skbn) {
>+ consume_skb(skb);
> skb_queue_tail(&loopback_queue, skbn);
>
> if (!rose_loopback_running())
> rose_set_loopback_timer();
>+ } else {
>+ kfree_skb(skb);
> }
>
> return 1;
> }
>
>-static void rose_loopback_timer(unsigned long);
>-
> static void rose_set_loopback_timer(void)
> {
>- del_timer(&loopback_timer);
>-
>- loopback_timer.data = 0;
>- loopback_timer.function = &rose_loopback_timer;
>- loopback_timer.expires = jiffies + 10;
>-
>- add_timer(&loopback_timer);
>+ mod_timer(&loopback_timer, jiffies + 10);
> }
>
> static void rose_loopback_timer(unsigned long param)
>@@ -71,8 +69,12 @@ static void rose_loopback_timer(unsigned long param)
> struct sock *sk;
> unsigned short frametype;
> unsigned int lci_i, lci_o;
>+ int count;
>
>- while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
>+ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
>+ skb = skb_dequeue(&loopback_queue);
>+ if (!skb)
>+ return;
> if (skb->len < ROSE_MIN_LEN) {
> kfree_skb(skb);
> continue;
>@@ -109,6 +111,8 @@ static void rose_loopback_timer(unsigned long param)
> kfree_skb(skb);
> }
> }
>+ if (!skb_queue_empty(&loopback_queue))
>+ mod_timer(&loopback_timer, jiffies + 1);
> }
>
> void __exit rose_loopback_clear(void)
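
Review bot: ROSE_LOOPBACK_LIMIT is used both as the maximum queue length in rose_loopback_queue() and as the per-run budget of the loop in rose_loopback_timer(); these are separate limits and should either have separate names or a comment at the #define saying that one value serves both. The re-arm here uses jiffies + 1 while rose_set_loopback_timer() uses jiffies + 10, with no explanation of the difference. Frames dropped because the queue is full are freed silently; a counter or rate-limited message would make the condition observable.
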
>diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
>index cdfa7f4c0a59..4a5598a42cd6 100644
>--- a/net/sunrpc/cache.c
>+++ b/net/sunrpc/cache.c
>@@ -50,6 +50,7 @@ static void cache_init(struct cache_head *h)
> h->last_refresh = now;
> }
>
>+static inline int cache_is_valid(struct cache_head *h);
> static void cache_fresh_locked(struct cache_head *head, time_t expiry);
> static void cache_fresh_unlocked(struct cache_head *head,
> struct cache_detail *detail);
>@@ -98,6 +99,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
> *hp = tmp->next;
> tmp->next = NULL;
> detail->entries --;
>+ if (cache_is_valid(tmp) == -EAGAIN)
>+ set_bit(CACHE_NEGATIVE, &tmp->flags);
> cache_fresh_locked(tmp, 0);
> freeme = tmp;
> break;
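
Review bot: The two added lines in sunrpc_cache_lookup() set CACHE_NEGATIVE when cache_is_valid(tmp) returns -EAGAIN, but there is no comment saying what that return value means for an entry that is being unhashed or why it has to be marked negative before cache_fresh_locked() is called. Add a short comment, since the dependency on the call order is not obvious from the code.
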
>diff --git a/net/tipc/sysctl.c b/net/tipc/sysctl.c
>index f3fef93325a8..a4125b069833 100644
>--- a/net/tipc/sysctl.c
>+++ b/net/tipc/sysctl.c
>@@ -37,6 +37,7 @@
>
> #include <linux/sysctl.h>
>
>+static int one = 1;
> static struct ctl_table_header *tipc_ctl_hdr;
>
> static struct ctl_table tipc_table[] = {
>@@ -45,7 +46,8 @@ static struct ctl_table tipc_table[] = {
> .data = &sysctl_tipc_rmem,
> .maxlen = sizeof(sysctl_tipc_rmem),
> .mode = 0644,
>- .proc_handler = proc_dointvec,
>+ .proc_handler = proc_dointvec_minmax,
>+ .extra1 = &one,
> },
> {}
> };
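
Review bot: Switching to proc_dointvec_minmax with only .extra1 set bounds sysctl_tipc_rmem from below and leaves the upper end at whatever an int can hold. If there is a sensible maximum it should be supplied through .extra2; if not, a comment should say the value is intentionally unbounded above. The file-scope name "one" is generic; something tied to its purpose would read better next to tipc_table[].
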
>diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
>index 62fbbdc58566..b0f84a040f32 100644
>--- a/net/xfrm/xfrm_user.c
>+++ b/net/xfrm/xfrm_user.c
>@@ -1255,7 +1255,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
> ret = verify_policy_dir(p->dir);
> if (ret)
> return ret;
>- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
>+ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
> return -EINVAL;
>
> return 0;
>diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>index d9d69e6930ed..8fee5f7be4f1 100644
>--- a/security/device_cgroup.c
>+++ b/security/device_cgroup.c
>@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
> devcg->behavior == DEVCG_DEFAULT_ALLOW) {
> rc = dev_exception_add(devcg, ex);
> if (rc)
>- break;
>+ return rc;
> } else {
> /*
> * in the other possible cases:
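
Review bot: Replacing "break" with "return rc" in propagate_exception() skips whatever code follows the loop, and the hunk gives no indication of why that code must not run on this error path. A comment at the return stating the lock state expected at this point would make the reason for not using break clear and keep a later cleanup from turning it back.
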
>diff --git a/sound/core/init.c b/sound/core/init.c
>index 7bdfd19e24a8..e0d04b91d561 100644
>--- a/sound/core/init.c
>+++ b/sound/core/init.c
>@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card *card)
> card->shutdown = 1;
> spin_unlock(&card->files_lock);
>
>- /* phase 1: disable fops (user space) operations for ALSA API */
>- mutex_lock(&snd_card_mutex);
>- snd_cards[card->number] = NULL;
>- clear_bit(card->number, snd_cards_lock);
>- mutex_unlock(&snd_card_mutex);
>-
>- /* phase 2: replace file->f_op with special dummy operations */
>-
>+ /* replace file->f_op with special dummy operations */
> spin_lock(&card->files_lock);
> list_for_each_entry(mfile, &card->files_list, list) {
> /* it's critical part, use endless loop */
>@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card *card)
> }
> spin_unlock(&card->files_lock);
>
>- /* phase 3: notify all connected devices about disconnection */
>+ /* notify all connected devices about disconnection */
> /* at this point, they cannot respond to any calls except release() */
>
> #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
>@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card *card)
> device_del(&card->card_dev);
> card->registered = false;
> }
>+
>+ /* disable fops (user space) operations for ALSA API */
>+ mutex_lock(&snd_card_mutex);
>+ snd_cards[card->number] = NULL;
>+ clear_bit(card->number, snd_cards_lock);
>+ mutex_unlock(&snd_card_mutex);
>+
> #ifdef CONFIG_PM
> wake_up(&card->power_sleep);
> #endif
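
Review bot: The block that clears snd_cards[card->number] and the snd_cards_lock bit now runs after device_del() instead of first, and the "phase 1/2/3" numbering was dropped from the comments, so the ordering is no longer documented anywhere in snd_card_disconnect(). The moved comment should say why the card slot must stay reserved until the devices have been notified and removed, otherwise the block looks free to move back.
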
>diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
>index 41bae2baea71..f853b62befa1 100644
>--- a/sound/core/oss/pcm_oss.c
>+++ b/sound/core/oss/pcm_oss.c
>@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
> oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
> params_channels(params) / 8;
>
>+ err = snd_pcm_oss_period_size(substream, params, sparams);
>+ if (err < 0)
>+ goto failure;
>+
>+ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
>+ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
>+ if (err < 0)
>+ goto failure;
>+
>+ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
>+ runtime->oss.periods, NULL);
>+ if (err < 0)
>+ goto failure;
>+
>+ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
>+
>+ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
>+ if (err < 0) {
>+ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
>+ goto failure;
>+ }
>+
> #ifdef CONFIG_SND_PCM_OSS_PLUGINS
> snd_pcm_oss_plugin_clear(substream);
> if (!direct) {
>@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
> }
> #endif
>
>- err = snd_pcm_oss_period_size(substream, params, sparams);
>- if (err < 0)
>- goto failure;
>-
>- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
>- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
>- if (err < 0)
>- goto failure;
>-
>- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
>- runtime->oss.periods, NULL);
>- if (err < 0)
>- goto failure;
>-
>- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
>-
>- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
>- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
>- goto failure;
>- }
>-
> memset(sw_params, 0, sizeof(*sw_params));
> if (runtime->oss.trigger) {
> sw_params->start_threshold = 1;
>diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
>index 7c407ab2d82a..a0ee065a9f8c 100644
>--- a/sound/core/pcm_native.c
>+++ b/sound/core/pcm_native.c
>@@ -1063,8 +1063,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push)
> static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
> {
> struct snd_pcm_runtime *runtime = substream->runtime;
>- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
>+ switch (runtime->status->state) {
>+ case SNDRV_PCM_STATE_SUSPENDED:
> return -EBUSY;
>+ /* unresumable PCM state; return -EBUSY for skipping suspend */
>+ case SNDRV_PCM_STATE_OPEN:
>+ case SNDRV_PCM_STATE_SETUP:
>+ case SNDRV_PCM_STATE_DISCONNECTED:
>+ return -EBUSY;
>+ }
> runtime->trigger_master = substream;
> return 0;
> }
>diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
>index 2bd5b8524181..09e05c0b59a1 100644
>--- a/sound/core/rawmidi.c
>+++ b/sound/core/rawmidi.c
>@@ -29,6 +29,7 @@
> #include <linux/mutex.h>
> #include <linux/module.h>
> #include <linux/delay.h>
>+#include <linux/nospec.h>
> #include <sound/rawmidi.h>
> #include <sound/info.h>
> #include <sound/control.h>
>@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card,
> return -ENXIO;
> if (info->stream < 0 || info->stream > 1)
> return -EINVAL;
>+ info->stream = array_index_nospec(info->stream, 2);
> pstr = &rmidi->streams[info->stream];
> if (pstr->substream_count == 0)
> return -ENOENT;
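
Review bot: The bound passed to array_index_nospec() is the literal 2, and the range check above it uses the literal 1; both describe the size of rmidi->streams[]. Deriving them from the array (ARRAY_SIZE(rmidi->streams)) would keep the architectural check and the speculation barrier in step if the array ever changes.
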
>diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
>index 8bf5335d953b..6ab2de7695d8 100644
>--- a/sound/core/seq/oss/seq_oss_synth.c
>+++ b/sound/core/seq/oss/seq_oss_synth.c
>@@ -617,13 +617,14 @@ int
> snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
> {
> struct seq_oss_synth *rec;
>+ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
>
>- if (dev < 0 || dev >= dp->max_synthdev)
>+ if (!info)
> return -ENXIO;
>
>- if (dp->synths[dev].is_midi) {
>+ if (info->is_midi) {
> struct midi_info minf;
>- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
>+ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
> inf->synth_type = SYNTH_TYPE_MIDI;
> inf->synth_subtype = 0;
> inf->nr_voices = 16;
>diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
>index 60fb2c708d75..f6396e012a0f 100644
>--- a/sound/core/seq/seq_clientmgr.c
>+++ b/sound/core/seq/seq_clientmgr.c
>@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,
>
> /* fill the info fields */
> if (client_info.name[0])
>- strlcpy(client->name, client_info.name, sizeof(client->name));
>+ strscpy(client->name, client_info.name, sizeof(client->name));
>
> client->filter = client_info.filter;
> client->event_lost = client_info.event_lost;
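
Review bot: The strscpy() call in snd_seq_ioctl_set_client_info() discards the return value, so a name that does not fit in client->name is truncated without the caller being told; strscpy() reports that case as -E2BIG. Either return an error to user space or note in a comment that silent truncation is the intended behaviour here and in the two queue-name call sites below.
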
>@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client,
> /* set queue name */
> if (! info.name[0])
> snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
>- strlcpy(q->name, info.name, sizeof(q->name));
>+ strscpy(q->name, info.name, sizeof(q->name));
> queuefree(q);
>
> if (copy_to_user(arg, &info, sizeof(info)))
>@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
> queuefree(q);
> return -EPERM;
> }
>- strlcpy(q->name, info.name, sizeof(q->name));
>+ strscpy(q->name, info.name, sizeof(q->name));
> queuefree(q);
>
> return 0;
>diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
>index 95b2df232d71..383aaaebad6c 100644
>--- a/tools/lib/traceevent/event-parse.c
>+++ b/tools/lib/traceevent/event-parse.c
>@@ -2065,7 +2065,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
> return val & 0xffffffff;
>
> if (strcmp(type, "u64") == 0 ||
>- strcmp(type, "s64"))
>+ strcmp(type, "s64") == 0)
> return val;
>
> if (strcmp(type, "s8") == 0)
>diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
>index c81bd9a31db7..fd3a453a21cf 100644
>--- a/tools/perf/tests/evsel-tp-sched.c
>+++ b/tools/perf/tests/evsel-tp-sched.c
>@@ -77,5 +77,6 @@ int test__perf_evsel__tp_sched_test(void)
> if (perf_evsel__test_field(evsel, "target_cpu", 4, true))
> ret = -1;
>
>+ perf_evsel__delete(evsel);
> return ret;
> }
>diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>index ad0c85a63c80..cc0b4c5f5c72 100644
>--- a/virt/kvm/kvm_main.c
>+++ b/virt/kvm/kvm_main.c
>@@ -2240,6 +2240,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl,
> {
> struct kvm_device *dev = filp->private_data;
>
>+ if (dev->kvm->mm != current->mm)
>+ return -EIO;
>+
> switch (ioctl) {
> case KVM_SET_DEVICE_ATTR:
> return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);
>
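
Review bot: The new "dev->kvm->mm != current->mm" test at the top of kvm_device_ioctl() has no comment. It should say that device ioctls are only accepted from the process that owns the VM, and the choice of -EIO as the error should be mentioned in Documentation/virtual/kvm/api.txt so user space can tell it apart from a device error.
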
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]