diff options
author | Mike Pagano <mpagano@gentoo.org> | 2019-01-23 06:30:09 -0500 |
---|---|---|
committer | Mike Pagano <mpagano@gentoo.org> | 2019-01-23 06:30:09 -0500 |
commit | 45b8c6fc82cd3910d7ebdc1532a9001f27b5ed55 (patch) | |
tree | fbc8cc9d618eca96046ffd3d9ce140b572e2767a | |
parent | proj/linux-patches: Linux patch 4.14.94 (diff) | |
download | linux-patches-45b8c6fc.tar.gz linux-patches-45b8c6fc.tar.bz2 linux-patches-45b8c6fc.zip |
proj/linux-patches: Linux patch 4.14.954.14-102
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
-rw-r--r-- | 0000_README | 4 | ||||
-rw-r--r-- | 1094_linux-4.14.95.patch | 2077 |
2 files changed, 2081 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 41aba45d..e1a1f755 100644 --- a/0000_README +++ b/0000_README @@ -419,6 +419,10 @@ Patch: 1093_4.14.94.patch From: http://www.kernel.org Desc: Linux 4.14.94 +Patch: 1094_4.14.95.patch +From: http://www.kernel.org +Desc: Linux 4.14.95 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1094_linux-4.14.95.patch b/1094_linux-4.14.95.patch new file mode 100644 index 00000000..efaf68a6 --- /dev/null +++ b/1094_linux-4.14.95.patch @@ -0,0 +1,2077 @@ +diff --git a/Makefile b/Makefile +index e9a138dd964a..70cc37cb3e99 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 94 ++SUBLEVEL = 95 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h +index 73cc4309fe01..1d6d980f80ac 100644 +--- a/arch/arm64/include/asm/kvm_arm.h ++++ b/arch/arm64/include/asm/kvm_arm.h +@@ -23,6 +23,8 @@ + #include <asm/types.h> + + /* Hyp Configuration Register (HCR) bits */ ++#define HCR_API (UL(1) << 41) ++#define HCR_APK (UL(1) << 40) + #define HCR_E2H (UL(1) << 34) + #define HCR_ID (UL(1) << 33) + #define HCR_CD (UL(1) << 32) +@@ -82,6 +84,7 @@ + HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW) + #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF) + #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO) ++#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK) + #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) + + /* TCR_EL2 Registers bits */ +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 261f3f88364c..ec393275ba04 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -414,10 +414,9 @@ CPU_LE( bic x0, x0, #(1 << 25) ) // Clear the EE bit for EL2 + #endif + + /* Hyp configuration. */ +- mov x0, #HCR_RW // 64-bit EL1 ++ mov_q x0, HCR_HOST_NVHE_FLAGS + cbz x2, set_hcr +- orr x0, x0, #HCR_TGE // Enable Host Extensions +- orr x0, x0, #HCR_E2H ++ mov_q x0, HCR_HOST_VHE_FLAGS + set_hcr: + msr hcr_el2, x0 + isb +diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c +index 47080c49cc7e..2bda224e8e71 100644 +--- a/arch/arm64/kernel/kaslr.c ++++ b/arch/arm64/kernel/kaslr.c +@@ -14,6 +14,7 @@ + #include <linux/sched.h> + #include <linux/types.h> + ++#include <asm/cacheflush.h> + #include <asm/fixmap.h> + #include <asm/kernel-pgtable.h> + #include <asm/memory.h> +@@ -43,7 +44,7 @@ static __init u64 get_kaslr_seed(void *fdt) + return ret; + } + +-static __init const u8 *get_cmdline(void *fdt) ++static __init const u8 *kaslr_get_cmdline(void *fdt) + { + static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE; + +@@ -109,7 +110,7 @@ u64 __init kaslr_early_init(u64 dt_phys) + * Check if 'nokaslr' appears on the command line, and + * return 0 if that is the case. + */ +- cmdline = get_cmdline(fdt); ++ cmdline = kaslr_get_cmdline(fdt); + str = strstr(cmdline, "nokaslr"); + if (str == cmdline || (str > cmdline && *(str - 1) == ' ')) + return 0; +@@ -180,5 +181,8 @@ u64 __init kaslr_early_init(u64 dt_phys) + module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21; + module_alloc_base &= PAGE_MASK; + ++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base)); ++ __flush_dcache_area(&memstart_offset_seed, sizeof(memstart_offset_seed)); ++ + return offset; + } +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index b2f1992c6234..44845996b554 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -127,7 +127,7 @@ static void __hyp_text __deactivate_traps_nvhe(void) + mdcr_el2 |= MDCR_EL2_E2PB_MASK << MDCR_EL2_E2PB_SHIFT; + + write_sysreg(mdcr_el2, mdcr_el2); +- write_sysreg(HCR_RW, hcr_el2); ++ write_sysreg(HCR_HOST_NVHE_FLAGS, hcr_el2); + write_sysreg(CPTR_EL2_DEFAULT, cptr_el2); + } + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 23e3d3e0ee5b..ae4450e891ab 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -3153,6 +3153,7 @@ config MIPS32_O32 + config MIPS32_N32 + bool "Kernel support for n32 binaries" + depends on 64BIT ++ select ARCH_WANT_COMPAT_IPC_PARSE_VERSION + select COMPAT + select MIPS32_COMPAT + select SYSVIPC_COMPAT if SYSVIPC +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index f0bc3312ed11..c4ef1c31e0c4 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -224,9 +224,11 @@ static struct irq_chip ltq_eiu_type = { + .irq_set_type = ltq_eiu_settype, + }; + +-static void ltq_hw_irqdispatch(int module) ++static void ltq_hw_irq_handler(struct irq_desc *desc) + { ++ int module = irq_desc_get_irq(desc) - 2; + u32 irq; ++ int hwirq; + + irq = ltq_icu_r32(module, LTQ_ICU_IM0_IOSR); + if (irq == 0) +@@ -237,7 +239,8 @@ static void ltq_hw_irqdispatch(int module) + * other bits might be bogus + */ + irq = __fls(irq); +- do_IRQ((int)irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module)); ++ hwirq = irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module); ++ generic_handle_irq(irq_linear_revmap(ltq_domain, hwirq)); + + /* if this is a EBU irq, we need to ack it or get a deadlock */ + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) +@@ -245,49 +248,6 @@ static void ltq_hw_irqdispatch(int module) + LTQ_EBU_PCC_ISTAT); + } + +-#define DEFINE_HWx_IRQDISPATCH(x) \ +- static void ltq_hw ## x ## _irqdispatch(void) \ +- { \ +- ltq_hw_irqdispatch(x); \ +- } +-DEFINE_HWx_IRQDISPATCH(0) +-DEFINE_HWx_IRQDISPATCH(1) +-DEFINE_HWx_IRQDISPATCH(2) +-DEFINE_HWx_IRQDISPATCH(3) +-DEFINE_HWx_IRQDISPATCH(4) +- +-#if MIPS_CPU_TIMER_IRQ == 7 +-static void ltq_hw5_irqdispatch(void) +-{ +- do_IRQ(MIPS_CPU_TIMER_IRQ); +-} +-#else +-DEFINE_HWx_IRQDISPATCH(5) +-#endif +- +-static void ltq_hw_irq_handler(struct irq_desc *desc) +-{ +- ltq_hw_irqdispatch(irq_desc_get_irq(desc) - 2); +-} +- +-asmlinkage void plat_irq_dispatch(void) +-{ +- unsigned int pending = read_c0_status() & read_c0_cause() & ST0_IM; +- int irq; +- +- if (!pending) { +- spurious_interrupt(); +- return; +- } +- +- pending >>= CAUSEB_IP; +- while (pending) { +- irq = fls(pending) - 1; +- do_IRQ(MIPS_CPU_IRQ_BASE + irq); +- pending &= ~BIT(irq); +- } +-} +- + static int icu_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw) + { + struct irq_chip *chip = <q_irq_type; +@@ -343,28 +303,10 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent) + for (i = 0; i < MAX_IM; i++) + irq_set_chained_handler(i + 2, ltq_hw_irq_handler); + +- if (cpu_has_vint) { +- pr_info("Setting up vectored interrupts\n"); +- set_vi_handler(2, ltq_hw0_irqdispatch); +- set_vi_handler(3, ltq_hw1_irqdispatch); +- set_vi_handler(4, ltq_hw2_irqdispatch); +- set_vi_handler(5, ltq_hw3_irqdispatch); +- set_vi_handler(6, ltq_hw4_irqdispatch); +- set_vi_handler(7, ltq_hw5_irqdispatch); +- } +- + ltq_domain = irq_domain_add_linear(node, + (MAX_IM * INT_NUM_IM_OFFSET) + MIPS_CPU_IRQ_CASCADE, + &irq_domain_ops, 0); + +-#ifndef CONFIG_MIPS_MT_SMP +- set_c0_status(IE_IRQ0 | IE_IRQ1 | IE_IRQ2 | +- IE_IRQ3 | IE_IRQ4 | IE_IRQ5); +-#else +- set_c0_status(IE_SW0 | IE_SW1 | IE_IRQ0 | IE_IRQ1 | +- IE_IRQ2 | IE_IRQ3 | IE_IRQ4 | IE_IRQ5); +-#endif +- + /* tell oprofile which irq to use */ + ltq_perfcount_irq = irq_create_mapping(ltq_domain, LTQ_PERF_IRQ); + +diff --git a/arch/mips/pci/msi-octeon.c b/arch/mips/pci/msi-octeon.c +index 2a5bb849b10e..288b58b00dc8 100644 +--- a/arch/mips/pci/msi-octeon.c ++++ b/arch/mips/pci/msi-octeon.c +@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void) + int irq; + struct irq_chip *msi; + +- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { ++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) { ++ return 0; ++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { + msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0; + msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1; + msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2; +diff --git a/crypto/authenc.c b/crypto/authenc.c +index 0db344d5a01a..053287dfad65 100644 +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key, + return -EINVAL; + if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) + return -EINVAL; +- if (RTA_PAYLOAD(rta) < sizeof(*param)) ++ ++ /* ++ * RTA_OK() didn't align the rtattr's payload when validating that it ++ * fits in the buffer. Yet, the keys should start on the next 4-byte ++ * aligned boundary. To avoid confusion, require that the rtattr ++ * payload be exactly the param struct, which has a 4-byte aligned size. ++ */ ++ if (RTA_PAYLOAD(rta) != sizeof(*param)) + return -EINVAL; ++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO); + + param = RTA_DATA(rta); + keys->enckeylen = be32_to_cpu(param->enckeylen); + +- key += RTA_ALIGN(rta->rta_len); +- keylen -= RTA_ALIGN(rta->rta_len); ++ key += rta->rta_len; ++ keylen -= rta->rta_len; + + if (keylen < keys->enckeylen) + return -EINVAL; +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index 6de852ce4cf8..4ba4470deee1 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq, + struct aead_request *req = areq->data; + + err = err ?: crypto_authenc_esn_decrypt_tail(req, 0); +- aead_request_complete(req, err); ++ authenc_esn_request_complete(req, err); + } + + static int crypto_authenc_esn_decrypt(struct aead_request *req) +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 6d61633a7f89..7910dd8b1d3a 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -81,7 +81,7 @@ + #include <linux/uaccess.h> + + static DEFINE_IDR(loop_index_idr); +-static DEFINE_MUTEX(loop_index_mutex); ++static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; + static int part_shift; +@@ -1018,7 +1018,7 @@ static int loop_clr_fd(struct loop_device *lo) + */ + if (atomic_read(&lo->lo_refcnt) > 1) { + lo->lo_flags |= LO_FLAGS_AUTOCLEAR; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1070,12 +1070,12 @@ static int loop_clr_fd(struct loop_device *lo) + if (!part_shift) + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; + loop_unprepare_queue(lo); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + /* +- * Need not hold lo_ctl_mutex to fput backing file. +- * Calling fput holding lo_ctl_mutex triggers a circular ++ * Need not hold loop_ctl_mutex to fput backing file. ++ * Calling fput holding loop_ctl_mutex triggers a circular + * lock dependency possibility warning as fput can take +- * bd_mutex which is usually taken before lo_ctl_mutex. ++ * bd_mutex which is usually taken before loop_ctl_mutex. + */ + fput(filp); + return 0; +@@ -1097,6 +1097,12 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) + if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE) + return -EINVAL; + ++ if (lo->lo_offset != info->lo_offset || ++ lo->lo_sizelimit != info->lo_sizelimit) { ++ sync_blockdev(lo->lo_device); ++ kill_bdev(lo->lo_device); ++ } ++ + /* I/O need to be drained during transfer transition */ + blk_mq_freeze_queue(lo->lo_queue); + +@@ -1125,6 +1131,14 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) + + if (lo->lo_offset != info->lo_offset || + lo->lo_sizelimit != info->lo_sizelimit) { ++ /* kill_bdev should have truncated all the pages */ ++ if (lo->lo_device->bd_inode->i_mapping->nrpages) { ++ err = -EAGAIN; ++ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n", ++ __func__, lo->lo_number, lo->lo_file_name, ++ lo->lo_device->bd_inode->i_mapping->nrpages); ++ goto exit; ++ } + if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) { + err = -EFBIG; + goto exit; +@@ -1175,12 +1189,12 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) + static int + loop_get_status(struct loop_device *lo, struct loop_info64 *info) + { +- struct file *file; ++ struct path path; + struct kstat stat; + int ret; + + if (lo->lo_state != Lo_bound) { +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return -ENXIO; + } + +@@ -1199,17 +1213,17 @@ loop_get_status(struct loop_device *lo, struct loop_info64 *info) + lo->lo_encrypt_key_size); + } + +- /* Drop lo_ctl_mutex while we call into the filesystem. */ +- file = get_file(lo->lo_backing_file); +- mutex_unlock(&lo->lo_ctl_mutex); +- ret = vfs_getattr(&file->f_path, &stat, STATX_INO, +- AT_STATX_SYNC_AS_STAT); ++ /* Drop loop_ctl_mutex while we call into the filesystem. */ ++ path = lo->lo_backing_file->f_path; ++ path_get(&path); ++ mutex_unlock(&loop_ctl_mutex); ++ ret = vfs_getattr(&path, &stat, STATX_INO, AT_STATX_SYNC_AS_STAT); + if (!ret) { + info->lo_device = huge_encode_dev(stat.dev); + info->lo_inode = stat.ino; + info->lo_rdevice = huge_encode_dev(stat.rdev); + } +- fput(file); ++ path_put(&path); + return ret; + } + +@@ -1294,7 +1308,7 @@ loop_get_status_old(struct loop_device *lo, struct loop_info __user *arg) { + int err; + + if (!arg) { +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return -EINVAL; + } + err = loop_get_status(lo, &info64); +@@ -1312,7 +1326,7 @@ loop_get_status64(struct loop_device *lo, struct loop_info64 __user *arg) { + int err; + + if (!arg) { +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return -EINVAL; + } + err = loop_get_status(lo, &info64); +@@ -1346,22 +1360,39 @@ static int loop_set_dio(struct loop_device *lo, unsigned long arg) + + static int loop_set_block_size(struct loop_device *lo, unsigned long arg) + { ++ int err = 0; ++ + if (lo->lo_state != Lo_bound) + return -ENXIO; + + if (arg < 512 || arg > PAGE_SIZE || !is_power_of_2(arg)) + return -EINVAL; + ++ if (lo->lo_queue->limits.logical_block_size != arg) { ++ sync_blockdev(lo->lo_device); ++ kill_bdev(lo->lo_device); ++ } ++ + blk_mq_freeze_queue(lo->lo_queue); + ++ /* kill_bdev should have truncated all the pages */ ++ if (lo->lo_queue->limits.logical_block_size != arg && ++ lo->lo_device->bd_inode->i_mapping->nrpages) { ++ err = -EAGAIN; ++ pr_warn("%s: loop%d (%s) has still dirty pages (nrpages=%lu)\n", ++ __func__, lo->lo_number, lo->lo_file_name, ++ lo->lo_device->bd_inode->i_mapping->nrpages); ++ goto out_unfreeze; ++ } ++ + blk_queue_logical_block_size(lo->lo_queue, arg); + blk_queue_physical_block_size(lo->lo_queue, arg); + blk_queue_io_min(lo->lo_queue, arg); + loop_update_dio(lo); +- ++out_unfreeze: + blk_mq_unfreeze_queue(lo->lo_queue); + +- return 0; ++ return err; + } + + static int lo_ioctl(struct block_device *bdev, fmode_t mode, +@@ -1370,7 +1401,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + struct loop_device *lo = bdev->bd_disk->private_data; + int err; + +- mutex_lock_nested(&lo->lo_ctl_mutex, 1); ++ mutex_lock_nested(&loop_ctl_mutex, 1); + switch (cmd) { + case LOOP_SET_FD: + err = loop_set_fd(lo, mode, bdev, arg); +@@ -1379,7 +1410,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + err = loop_change_fd(lo, bdev, arg); + break; + case LOOP_CLR_FD: +- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ ++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ + err = loop_clr_fd(lo); + if (!err) + goto out_unlocked; +@@ -1392,7 +1423,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + break; + case LOOP_GET_STATUS: + err = loop_get_status_old(lo, (struct loop_info __user *) arg); +- /* loop_get_status() unlocks lo_ctl_mutex */ ++ /* loop_get_status() unlocks loop_ctl_mutex */ + goto out_unlocked; + case LOOP_SET_STATUS64: + err = -EPERM; +@@ -1402,7 +1433,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + break; + case LOOP_GET_STATUS64: + err = loop_get_status64(lo, (struct loop_info64 __user *) arg); +- /* loop_get_status() unlocks lo_ctl_mutex */ ++ /* loop_get_status() unlocks loop_ctl_mutex */ + goto out_unlocked; + case LOOP_SET_CAPACITY: + err = -EPERM; +@@ -1422,7 +1453,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + default: + err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL; + } +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + out_unlocked: + return err; +@@ -1539,7 +1570,7 @@ loop_get_status_compat(struct loop_device *lo, + int err; + + if (!arg) { +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return -EINVAL; + } + err = loop_get_status(lo, &info64); +@@ -1556,16 +1587,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, + + switch(cmd) { + case LOOP_SET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_set_status_compat( + lo, (const struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + case LOOP_GET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- /* loop_get_status() unlocks lo_ctl_mutex */ ++ /* loop_get_status() unlocks loop_ctl_mutex */ + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: +@@ -1587,9 +1618,11 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, + static int lo_open(struct block_device *bdev, fmode_t mode) + { + struct loop_device *lo; +- int err = 0; ++ int err; + +- mutex_lock(&loop_index_mutex); ++ err = mutex_lock_killable(&loop_ctl_mutex); ++ if (err) ++ return err; + lo = bdev->bd_disk->private_data; + if (!lo) { + err = -ENXIO; +@@ -1598,18 +1631,20 @@ static int lo_open(struct block_device *bdev, fmode_t mode) + + atomic_inc(&lo->lo_refcnt); + out: +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return err; + } + +-static void __lo_release(struct loop_device *lo) ++static void lo_release(struct gendisk *disk, fmode_t mode) + { ++ struct loop_device *lo; + int err; + ++ mutex_lock(&loop_ctl_mutex); ++ lo = disk->private_data; + if (atomic_dec_return(&lo->lo_refcnt)) +- return; ++ goto out_unlock; + +- mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { + /* + * In autoclear mode, stop the loop thread +@@ -1627,14 +1662,8 @@ static void __lo_release(struct loop_device *lo) + blk_mq_unfreeze_queue(lo->lo_queue); + } + +- mutex_unlock(&lo->lo_ctl_mutex); +-} +- +-static void lo_release(struct gendisk *disk, fmode_t mode) +-{ +- mutex_lock(&loop_index_mutex); +- __lo_release(disk->private_data); +- mutex_unlock(&loop_index_mutex); ++out_unlock: ++ mutex_unlock(&loop_ctl_mutex); + } + + static const struct block_device_operations lo_fops = { +@@ -1673,10 +1702,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data) + struct loop_device *lo = ptr; + struct loop_func_table *xfer = data; + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_encryption == xfer) + loop_release_xfer(lo); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1849,7 +1878,6 @@ static int loop_add(struct loop_device **l, int i) + if (!part_shift) + disk->flags |= GENHD_FL_NO_PART_SCAN; + disk->flags |= GENHD_FL_EXT_DEVT; +- mutex_init(&lo->lo_ctl_mutex); + atomic_set(&lo->lo_refcnt, 0); + lo->lo_number = i; + spin_lock_init(&lo->lo_lock); +@@ -1928,7 +1956,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) + struct kobject *kobj; + int err; + +- mutex_lock(&loop_index_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_lookup(&lo, MINOR(dev) >> part_shift); + if (err < 0) + err = loop_add(&lo, MINOR(dev) >> part_shift); +@@ -1936,7 +1964,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data) + kobj = NULL; + else + kobj = get_disk(lo->lo_disk); +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + *part = 0; + return kobj; +@@ -1946,9 +1974,13 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, + unsigned long parm) + { + struct loop_device *lo; +- int ret = -ENOSYS; ++ int ret; ++ ++ ret = mutex_lock_killable(&loop_ctl_mutex); ++ if (ret) ++ return ret; + +- mutex_lock(&loop_index_mutex); ++ ret = -ENOSYS; + switch (cmd) { + case LOOP_CTL_ADD: + ret = loop_lookup(&lo, parm); +@@ -1962,19 +1994,15 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, + ret = loop_lookup(&lo, parm); + if (ret < 0) + break; +- mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); + break; + } + if (atomic_read(&lo->lo_refcnt) > 0) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&lo->lo_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +@@ -1984,7 +2012,7 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, + break; + ret = loop_add(&lo, -1); + } +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + return ret; + } +@@ -2068,10 +2096,10 @@ static int __init loop_init(void) + THIS_MODULE, loop_probe, NULL, NULL); + + /* pre-create number of devices given by config or max_loop */ +- mutex_lock(&loop_index_mutex); ++ mutex_lock(&loop_ctl_mutex); + for (i = 0; i < nr; i++) + loop_add(&lo, i); +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + printk(KERN_INFO "loop: module loaded\n"); + return 0; +diff --git a/drivers/block/loop.h b/drivers/block/loop.h +index dfc54ceba410..b2251752452b 100644 +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -54,7 +54,6 @@ struct loop_device { + + spinlock_t lo_lock; + int lo_state; +- struct mutex lo_ctl_mutex; + struct kthread_worker worker; + struct task_struct *worker_task; + bool use_dio; +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index fe1414df0f33..d32cd943dff2 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -275,9 +275,10 @@ static void nbd_size_update(struct nbd_device *nbd) + blk_queue_physical_block_size(nbd->disk->queue, config->blksize); + set_capacity(nbd->disk, config->bytesize >> 9); + if (bdev) { +- if (bdev->bd_disk) ++ if (bdev->bd_disk) { + bd_set_size(bdev, config->bytesize); +- else ++ set_blocksize(bdev, config->blksize); ++ } else + bdev->bd_invalidated = 1; + bdput(bdev); + } +diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig +index 143f8bc403b9..342bc777841c 100644 +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -679,6 +679,7 @@ config CRYPTO_DEV_BCM_SPU + depends on ARCH_BCM_IPROC + depends on MAILBOX + default m ++ select CRYPTO_AUTHENC + select CRYPTO_DES + select CRYPTO_MD5 + select CRYPTO_SHA1 +diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c +index ee52c355bee0..b6be383a51a6 100644 +--- a/drivers/crypto/bcm/cipher.c ++++ b/drivers/crypto/bcm/cipher.c +@@ -2846,44 +2846,28 @@ static int aead_authenc_setkey(struct crypto_aead *cipher, + struct spu_hw *spu = &iproc_priv.spu; + struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher); + struct crypto_tfm *tfm = crypto_aead_tfm(cipher); +- struct rtattr *rta = (void *)key; +- struct crypto_authenc_key_param *param; +- const u8 *origkey = key; +- const unsigned int origkeylen = keylen; +- +- int ret = 0; ++ struct crypto_authenc_keys keys; ++ int ret; + + flow_log("%s() aead:%p key:%p keylen:%u\n", __func__, cipher, key, + keylen); + flow_dump(" key: ", key, keylen); + +- if (!RTA_OK(rta, keylen)) +- goto badkey; +- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) +- goto badkey; +- if (RTA_PAYLOAD(rta) < sizeof(*param)) ++ ret = crypto_authenc_extractkeys(&keys, key, keylen); ++ if (ret) + goto badkey; + +- param = RTA_DATA(rta); +- ctx->enckeylen = be32_to_cpu(param->enckeylen); +- +- key += RTA_ALIGN(rta->rta_len); +- keylen -= RTA_ALIGN(rta->rta_len); +- +- if (keylen < ctx->enckeylen) +- goto badkey; +- if (ctx->enckeylen > MAX_KEY_SIZE) ++ if (keys.enckeylen > MAX_KEY_SIZE || ++ keys.authkeylen > MAX_KEY_SIZE) + goto badkey; + +- ctx->authkeylen = keylen - ctx->enckeylen; +- +- if (ctx->authkeylen > MAX_KEY_SIZE) +- goto badkey; ++ ctx->enckeylen = keys.enckeylen; ++ ctx->authkeylen = keys.authkeylen; + +- memcpy(ctx->enckey, key + ctx->authkeylen, ctx->enckeylen); ++ memcpy(ctx->enckey, keys.enckey, keys.enckeylen); + /* May end up padding auth key. So make sure it's zeroed. */ + memset(ctx->authkey, 0, sizeof(ctx->authkey)); +- memcpy(ctx->authkey, key, ctx->authkeylen); ++ memcpy(ctx->authkey, keys.authkey, keys.authkeylen); + + switch (ctx->alg->cipher_info.alg) { + case CIPHER_ALG_DES: +@@ -2891,7 +2875,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher, + u32 tmp[DES_EXPKEY_WORDS]; + u32 flags = CRYPTO_TFM_RES_WEAK_KEY; + +- if (des_ekey(tmp, key) == 0) { ++ if (des_ekey(tmp, keys.enckey) == 0) { + if (crypto_aead_get_flags(cipher) & + CRYPTO_TFM_REQ_WEAK_KEY) { + crypto_aead_set_flags(cipher, flags); +@@ -2906,7 +2890,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher, + break; + case CIPHER_ALG_3DES: + if (ctx->enckeylen == (DES_KEY_SIZE * 3)) { +- const u32 *K = (const u32 *)key; ++ const u32 *K = (const u32 *)keys.enckey; + u32 flags = CRYPTO_TFM_RES_BAD_KEY_SCHED; + + if (!((K[0] ^ K[2]) | (K[1] ^ K[3])) || +@@ -2957,9 +2941,7 @@ static int aead_authenc_setkey(struct crypto_aead *cipher, + ctx->fallback_cipher->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK; + ctx->fallback_cipher->base.crt_flags |= + tfm->crt_flags & CRYPTO_TFM_REQ_MASK; +- ret = +- crypto_aead_setkey(ctx->fallback_cipher, origkey, +- origkeylen); ++ ret = crypto_aead_setkey(ctx->fallback_cipher, key, keylen); + if (ret) { + flow_log(" fallback setkey() returned:%d\n", ret); + tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK; +diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c +index 698580b60b2f..8fa35bc75870 100644 +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -1109,13 +1109,16 @@ static int ahash_final_no_ctx(struct ahash_request *req) + + desc = edesc->hw_desc; + +- state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE); +- if (dma_mapping_error(jrdev, state->buf_dma)) { +- dev_err(jrdev, "unable to map src\n"); +- goto unmap; +- } ++ if (buflen) { ++ state->buf_dma = dma_map_single(jrdev, buf, buflen, ++ DMA_TO_DEVICE); ++ if (dma_mapping_error(jrdev, state->buf_dma)) { ++ dev_err(jrdev, "unable to map src\n"); ++ goto unmap; ++ } + +- append_seq_in_ptr(desc, state->buf_dma, buflen, 0); ++ append_seq_in_ptr(desc, state->buf_dma, buflen, 0); ++ } + + edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, + digestsize); +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 57e1b203cf36..4388f4e3840c 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1347,23 +1347,18 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); + int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN; +- void *err; + + if (cryptlen + authsize > max_len) { + dev_err(dev, "length exceeds h/w max limit\n"); + return ERR_PTR(-EINVAL); + } + +- if (ivsize) +- iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); +- + if (!dst || dst == src) { + src_len = assoclen + cryptlen + authsize; + src_nents = sg_nents_for_len(src, src_len); + if (src_nents < 0) { + dev_err(dev, "Invalid number of src SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + src_nents = (src_nents == 1) ? 0 : src_nents; + dst_nents = dst ? src_nents : 0; +@@ -1373,16 +1368,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, + src_nents = sg_nents_for_len(src, src_len); + if (src_nents < 0) { + dev_err(dev, "Invalid number of src SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + src_nents = (src_nents == 1) ? 0 : src_nents; + dst_len = assoclen + cryptlen + (encrypt ? authsize : 0); + dst_nents = sg_nents_for_len(dst, dst_len); + if (dst_nents < 0) { + dev_err(dev, "Invalid number of dst SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + dst_nents = (dst_nents == 1) ? 0 : dst_nents; + } +@@ -1405,12 +1398,14 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, + dma_len = 0; + alloc_len += icv_stashing ? authsize : 0; + } ++ alloc_len += ivsize; + + edesc = kmalloc(alloc_len, GFP_DMA | flags); +- if (!edesc) { +- dev_err(dev, "could not allocate edescriptor\n"); +- err = ERR_PTR(-ENOMEM); +- goto error_sg; ++ if (!edesc) ++ return ERR_PTR(-ENOMEM); ++ if (ivsize) { ++ iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize); ++ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); + } + + edesc->src_nents = src_nents; +@@ -1423,10 +1418,6 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, + DMA_BIDIRECTIONAL); + + return edesc; +-error_sg: +- if (iv_dma) +- dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE); +- return err; + } + + static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index ad6812baa611..f1259a0c2883 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1578,9 +1578,14 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var, + struct drm_fb_helper *fb_helper = info->par; + struct drm_framebuffer *fb = fb_helper->fb; + +- if (var->pixclock != 0 || in_dbg_master()) ++ if (in_dbg_master()) + return -EINVAL; + ++ if (var->pixclock != 0) { ++ DRM_DEBUG("fbdev emulation doesn't support changing the pixel clock, value of pixclock is ignored\n"); ++ var->pixclock = 0; ++ } ++ + /* + * Changes struct fb_var_screeninfo are currently not pushed back + * to KMS, hence fail if different settings are requested. +diff --git a/drivers/media/platform/vivid/vivid-kthread-cap.c b/drivers/media/platform/vivid/vivid-kthread-cap.c +index 6ca71aabb576..d300e5e7eadc 100644 +--- a/drivers/media/platform/vivid/vivid-kthread-cap.c ++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c +@@ -877,8 +877,11 @@ int vivid_start_generating_vid_cap(struct vivid_dev *dev, bool *pstreaming) + "%s-vid-cap", dev->v4l2_dev.name); + + if (IS_ERR(dev->kthread_vid_cap)) { ++ int err = PTR_ERR(dev->kthread_vid_cap); ++ ++ dev->kthread_vid_cap = NULL; + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); +- return PTR_ERR(dev->kthread_vid_cap); ++ return err; + } + *pstreaming = true; + vivid_grab_controls(dev, true); +diff --git a/drivers/media/platform/vivid/vivid-kthread-out.c b/drivers/media/platform/vivid/vivid-kthread-out.c +index 98eed5889bc1..7c8d75852816 100644 +--- a/drivers/media/platform/vivid/vivid-kthread-out.c ++++ b/drivers/media/platform/vivid/vivid-kthread-out.c +@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struct vivid_dev *dev, bool *pstreaming) + "%s-vid-out", dev->v4l2_dev.name); + + if (IS_ERR(dev->kthread_vid_out)) { ++ int err = PTR_ERR(dev->kthread_vid_out); ++ ++ dev->kthread_vid_out = NULL; + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); +- return PTR_ERR(dev->kthread_vid_out); ++ return err; + } + *pstreaming = true; + vivid_grab_controls(dev, true); +diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c +index 6f6d4df1e8a8..11b014bbacd8 100644 +--- a/drivers/media/platform/vivid/vivid-vid-common.c ++++ b/drivers/media/platform/vivid/vivid-vid-common.c +@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_dv_timings_cap = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 14000000, 775000000, ++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 14000000, 775000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_CVT | V4L2_DV_BT_STD_GTF, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED) +diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c +index 92a74bc34527..bd8de78e0ffd 100644 +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -900,8 +900,6 @@ static int em28xx_enable_analog_tuner(struct em28xx *dev) + if (!mdev || !v4l2->decoder) + return 0; + +- dev->v4l2->field_count = 0; +- + /* + * This will find the tuner that is connected into the decoder. + * Technically, this is not 100% correct, as the device may be +@@ -1074,6 +1072,8 @@ int em28xx_start_analog_streaming(struct vb2_queue *vq, unsigned int count) + + em28xx_videodbg("%s\n", __func__); + ++ dev->v4l2->field_count = 0; ++ + /* Make sure streaming is not already in progress for this type + of filehandle (e.g. video, vbi) */ + rc = res_get(dev, vq->type); +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index d06941cc6a55..f1ef4e97238e 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -249,6 +249,7 @@ static void v4l_print_format(const void *arg, bool write_only) + const struct v4l2_window *win; + const struct v4l2_sdr_format *sdr; + const struct v4l2_meta_format *meta; ++ u32 planes; + unsigned i; + + pr_cont("type=%s", prt_names(p->type, v4l2_type_names)); +@@ -279,7 +280,8 @@ static void v4l_print_format(const void *arg, bool write_only) + prt_names(mp->field, v4l2_field_names), + mp->colorspace, mp->num_planes, mp->flags, + mp->ycbcr_enc, mp->quantization, mp->xfer_func); +- for (i = 0; i < mp->num_planes; i++) ++ planes = min_t(u32, mp->num_planes, VIDEO_MAX_PLANES); ++ for (i = 0; i < planes; i++) + printk(KERN_DEBUG "plane %u: bytesperline=%u sizeimage=%u\n", i, + mp->plane_fmt[i].bytesperline, + mp->plane_fmt[i].sizeimage); +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c +index 43522a09b11d..f1725da2a90d 100644 +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -1925,9 +1925,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) + return -EINVAL; + } + } ++ ++ mutex_lock(&q->mmap_lock); ++ + if (vb2_fileio_is_active(q)) { + dprintk(1, "mmap: file io in progress\n"); +- return -EBUSY; ++ ret = -EBUSY; ++ goto unlock; + } + + /* +@@ -1935,7 +1939,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) + */ + ret = __find_plane_by_offset(q, off, &buffer, &plane); + if (ret) +- return ret; ++ goto unlock; + + vb = q->bufs[buffer]; + +@@ -1948,11 +1952,13 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) + if (length < (vma->vm_end - vma->vm_start)) { + dprintk(1, + "MMAP invalid, as it would overflow buffer length\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto unlock; + } + +- mutex_lock(&q->mmap_lock); + ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma); ++ ++unlock: + mutex_unlock(&q->mmap_lock); + if (ret) + return ret; +diff --git a/drivers/mfd/tps6586x.c b/drivers/mfd/tps6586x.c +index 5628a6b5b19b..c5c320efc7b4 100644 +--- a/drivers/mfd/tps6586x.c ++++ b/drivers/mfd/tps6586x.c +@@ -594,6 +594,29 @@ static int tps6586x_i2c_remove(struct i2c_client *client) + return 0; + } + ++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev) ++{ ++ struct tps6586x *tps6586x = dev_get_drvdata(dev); ++ ++ if (tps6586x->client->irq) ++ disable_irq(tps6586x->client->irq); ++ ++ return 0; ++} ++ ++static int __maybe_unused tps6586x_i2c_resume(struct device *dev) ++{ ++ struct tps6586x *tps6586x = dev_get_drvdata(dev); ++ ++ if (tps6586x->client->irq) ++ enable_irq(tps6586x->client->irq); ++ ++ return 0; ++} ++ ++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend, ++ tps6586x_i2c_resume); ++ + static const struct i2c_device_id tps6586x_id_table[] = { + { "tps6586x", 0 }, + { }, +@@ -604,6 +627,7 @@ static struct i2c_driver tps6586x_driver = { + .driver = { + .name = "tps6586x", + .of_match_table = of_match_ptr(tps6586x_of_match), ++ .pm = &tps6586x_pm_ops, + }, + .probe = tps6586x_i2c_probe, + .remove = tps6586x_i2c_remove, +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index 92c483ec6cb2..192844b50c69 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -138,6 +138,8 @@ struct sdhci_msm_host { + bool calibration_done; + u8 saved_tuning_phase; + bool use_cdclp533; ++ bool use_cdr; ++ u32 transfer_mode; + }; + + static unsigned int msm_get_clock_rate_for_bus_mode(struct sdhci_host *host, +@@ -815,6 +817,23 @@ out: + return ret; + } + ++static void sdhci_msm_set_cdr(struct sdhci_host *host, bool enable) ++{ ++ u32 config, oldconfig = readl_relaxed(host->ioaddr + CORE_DLL_CONFIG); ++ ++ config = oldconfig; ++ if (enable) { ++ config |= CORE_CDR_EN; ++ config &= ~CORE_CDR_EXT_EN; ++ } else { ++ config &= ~CORE_CDR_EN; ++ config |= CORE_CDR_EXT_EN; ++ } ++ ++ if (config != oldconfig) ++ writel_relaxed(config, host->ioaddr + CORE_DLL_CONFIG); ++} ++ + static int sdhci_msm_execute_tuning(struct mmc_host *mmc, u32 opcode) + { + struct sdhci_host *host = mmc_priv(mmc); +@@ -832,8 +851,14 @@ static int sdhci_msm_execute_tuning(struct mmc_host *mmc, u32 opcode) + if (host->clock <= CORE_FREQ_100MHZ || + !(ios.timing == MMC_TIMING_MMC_HS400 || + ios.timing == MMC_TIMING_MMC_HS200 || +- ios.timing == MMC_TIMING_UHS_SDR104)) ++ ios.timing == MMC_TIMING_UHS_SDR104)) { ++ msm_host->use_cdr = false; ++ sdhci_msm_set_cdr(host, false); + return 0; ++ } ++ ++ /* Clock-Data-Recovery used to dynamically adjust RX sampling point */ ++ msm_host->use_cdr = true; + + /* + * For HS400 tuning in HS200 timing requires: +@@ -1092,6 +1117,29 @@ out: + __sdhci_msm_set_clock(host, clock); + } + ++static void sdhci_msm_write_w(struct sdhci_host *host, u16 val, int reg) ++{ ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ ++ switch (reg) { ++ case SDHCI_TRANSFER_MODE: ++ msm_host->transfer_mode = val; ++ break; ++ case SDHCI_COMMAND: ++ if (!msm_host->use_cdr) ++ break; ++ if ((msm_host->transfer_mode & SDHCI_TRNS_READ) && ++ (SDHCI_GET_CMD(val) != MMC_SEND_TUNING_BLOCK_HS200) && ++ (SDHCI_GET_CMD(val) != MMC_SEND_TUNING_BLOCK)) ++ sdhci_msm_set_cdr(host, true); ++ else ++ sdhci_msm_set_cdr(host, false); ++ break; ++ } ++ writew(val, host->ioaddr + reg); ++} ++ + static const struct of_device_id sdhci_msm_dt_match[] = { + { .compatible = "qcom,sdhci-msm-v4" }, + {}, +@@ -1107,6 +1155,7 @@ static const struct sdhci_ops sdhci_msm_ops = { + .set_bus_width = sdhci_set_bus_width, + .set_uhs_signaling = sdhci_msm_set_uhs_signaling, + .voltage_switch = sdhci_msm_voltage_switch, ++ .write_w = sdhci_msm_write_w, + }; + + static const struct sdhci_pltfm_data sdhci_msm_pdata = { +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index cf64a365362b..65c5a65af0ba 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1928,6 +1928,9 @@ static int __bond_release_one(struct net_device *bond_dev, + if (!bond_has_slaves(bond)) { + bond_set_carrier(bond); + eth_hw_addr_random(bond_dev); ++ bond->nest_level = SINGLE_DEPTH_NESTING; ++ } else { ++ bond->nest_level = dev_get_nest_level(bond_dev) + 1; + } + + unblock_netpoll_tx(); +diff --git a/drivers/of/property.c b/drivers/of/property.c +index 264c355ba1ff..fd9b734fff33 100644 +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -810,6 +810,7 @@ struct device_node *of_graph_get_remote_node(const struct device_node *node, + + if (!of_device_is_available(remote)) { + pr_debug("not available for remote node\n"); ++ of_node_put(remote); + return NULL; + } + +diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c +index b44c1bb687a2..ebc193f7f7dd 100644 +--- a/drivers/scsi/scsi_pm.c ++++ b/drivers/scsi/scsi_pm.c +@@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct device *dev, + + if (err == 0) { + pm_runtime_disable(dev); +- pm_runtime_set_active(dev); ++ err = pm_runtime_set_active(dev); + pm_runtime_enable(dev); ++ ++ /* ++ * Forcibly set runtime PM status of request queue to "active" ++ * to make sure we can again get requests from the queue ++ * (see also blk_pm_peek_request()). ++ * ++ * The resume hook will correct runtime PM status of the disk. ++ */ ++ if (!err && scsi_is_sdev_device(dev)) { ++ struct scsi_device *sdev = to_scsi_device(dev); ++ ++ if (sdev->request_queue->dev) ++ blk_set_runtime_active(sdev->request_queue); ++ } + } + + return err; +@@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct device *dev, + else + fn = NULL; + +- /* +- * Forcibly set runtime PM status of request queue to "active" to +- * make sure we can again get requests from the queue (see also +- * blk_pm_peek_request()). +- * +- * The resume hook will correct runtime PM status of the disk. +- */ +- if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev)) +- blk_set_runtime_active(to_scsi_device(dev)->request_queue); +- + if (fn) { + async_schedule_domain(fn, dev, &scsi_sd_pm_domain); + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 39754cc90043..048fccc72e03 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -206,6 +206,12 @@ cache_type_store(struct device *dev, struct device_attribute *attr, + sp = buffer_data[0] & 0x80 ? 1 : 0; + buffer_data[0] &= ~0x80; + ++ /* ++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in ++ * received mode parameter buffer before doing MODE SELECT. ++ */ ++ data.device_specific = 0; ++ + if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT, + SD_MAX_RETRIES, &data, &sshdr)) { + if (scsi_sense_valid(&sshdr)) +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 83376caa571b..417b81c67fe9 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1254,7 +1254,8 @@ static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct * + static int tty_reopen(struct tty_struct *tty) + { + struct tty_driver *driver = tty->driver; +- int retval; ++ struct tty_ldisc *ld; ++ int retval = 0; + + if (driver->type == TTY_DRIVER_TYPE_PTY && + driver->subtype == PTY_TYPE_MASTER) +@@ -1266,14 +1267,21 @@ static int tty_reopen(struct tty_struct *tty) + if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN)) + return -EBUSY; + +- tty->count++; ++ ld = tty_ldisc_ref_wait(tty); ++ if (ld) { ++ tty_ldisc_deref(ld); ++ } else { ++ retval = tty_ldisc_lock(tty, 5 * HZ); ++ if (retval) ++ return retval; + +- if (tty->ldisc) +- return 0; ++ if (!tty->ldisc) ++ retval = tty_ldisc_reinit(tty, tty->termios.c_line); ++ tty_ldisc_unlock(tty); ++ } + +- retval = tty_ldisc_reinit(tty, tty->termios.c_line); +- if (retval) +- tty->count--; ++ if (retval == 0) ++ tty->count++; + + return retval; + } +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c +index 52b7baef4f7a..5c2cec298816 100644 +--- a/drivers/tty/tty_ldsem.c ++++ b/drivers/tty/tty_ldsem.c +@@ -307,6 +307,16 @@ down_write_failed(struct ld_semaphore *sem, long count, long timeout) + if (!locked) + ldsem_atomic_update(-LDSEM_WAIT_BIAS, sem); + list_del(&waiter.list); ++ ++ /* ++ * In case of timeout, wake up every reader who gave the right of way ++ * to writer. Prevent separation readers into two groups: ++ * one that helds semaphore and another that sleeps. ++ * (in case of no contention with a writer) ++ */ ++ if (!locked && list_empty(&sem->write_wait)) ++ __ldsem_wake_readers(sem); ++ + raw_spin_unlock_irq(&sem->wait_lock); + + __set_current_state(TASK_RUNNING); +diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +index a3edb20ea4c3..a846d32ee653 100644 +--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c ++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg) + + int r = 0; + ++ memset(&p, 0, sizeof(p)); ++ + switch (cmd) { + case OMAPFB_SYNC_GFX: + DBG("ioctl SYNC_GFX\n"); +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 3323eec5c164..3911c1a80219 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -116,6 +116,20 @@ void invalidate_bdev(struct block_device *bdev) + } + EXPORT_SYMBOL(invalidate_bdev); + ++static void set_init_blocksize(struct block_device *bdev) ++{ ++ unsigned bsize = bdev_logical_block_size(bdev); ++ loff_t size = i_size_read(bdev->bd_inode); ++ ++ while (bsize < PAGE_SIZE) { ++ if (size & bsize) ++ break; ++ bsize <<= 1; ++ } ++ bdev->bd_block_size = bsize; ++ bdev->bd_inode->i_blkbits = blksize_bits(bsize); ++} ++ + int set_blocksize(struct block_device *bdev, int size) + { + /* Size must be a power of two, and between 512 and PAGE_SIZE */ +@@ -1393,18 +1407,9 @@ EXPORT_SYMBOL(check_disk_change); + + void bd_set_size(struct block_device *bdev, loff_t size) + { +- unsigned bsize = bdev_logical_block_size(bdev); +- + inode_lock(bdev->bd_inode); + i_size_write(bdev->bd_inode, size); + inode_unlock(bdev->bd_inode); +- while (bsize < PAGE_SIZE) { +- if (size & bsize) +- break; +- bsize <<= 1; +- } +- bdev->bd_block_size = bsize; +- bdev->bd_inode->i_blkbits = blksize_bits(bsize); + } + EXPORT_SYMBOL(bd_set_size); + +@@ -1482,8 +1487,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + } + } + +- if (!ret) ++ if (!ret) { + bd_set_size(bdev,(loff_t)get_capacity(disk)<<9); ++ set_init_blocksize(bdev); ++ } + + /* + * If the device is invalidated, rescan partition +@@ -1518,6 +1525,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + goto out_clear; + } + bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9); ++ set_init_blocksize(bdev); + } + + if (bdev->bd_bdi == &noop_backing_dev_info) +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 858d5812eb8f..e0bdc0c902e4 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4115,6 +4115,14 @@ static void btrfs_destroy_all_ordered_extents(struct btrfs_fs_info *fs_info) + spin_lock(&fs_info->ordered_root_lock); + } + spin_unlock(&fs_info->ordered_root_lock); ++ ++ /* ++ * We need this here because if we've been flipped read-only we won't ++ * get sync() from the umount, so we need to make sure any ordered ++ * extents that haven't had their dirty pages IO start writeout yet ++ * actually get run and error out properly. ++ */ ++ btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); + } + + static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 09829e8d759e..909f7ea92e0b 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3170,9 +3170,6 @@ out: + /* once for the tree */ + btrfs_put_ordered_extent(ordered_extent); + +- /* Try to release some metadata so we don't get an OOM but don't wait */ +- btrfs_btree_balance_dirty_nodelay(fs_info); +- + return ret; + } + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 9f7e546d7050..f371e03cf3bf 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -711,18 +711,15 @@ static int ramoops_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct ramoops_platform_data *pdata = dev->platform_data; ++ struct ramoops_platform_data pdata_local; + struct ramoops_context *cxt = &oops_cxt; + size_t dump_mem_sz; + phys_addr_t paddr; + int err = -EINVAL; + + if (dev_of_node(dev) && !pdata) { +- pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL); +- if (!pdata) { +- pr_err("cannot allocate platform data buffer\n"); +- err = -ENOMEM; +- goto fail_out; +- } ++ pdata = &pdata_local; ++ memset(pdata, 0, sizeof(*pdata)); + + err = ramoops_parse_dt(pdev, pdata); + if (err < 0) +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 6e108af21481..f33b24080b1c 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4087,6 +4087,7 @@ void __refill_cfs_bandwidth_runtime(struct cfs_bandwidth *cfs_b) + now = sched_clock_cpu(smp_processor_id()); + cfs_b->runtime = cfs_b->quota; + cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period); ++ cfs_b->expires_seq++; + } + + static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg) +@@ -4109,6 +4110,7 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) + struct task_group *tg = cfs_rq->tg; + struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg); + u64 amount = 0, min_amount, expires; ++ int expires_seq; + + /* note: this is a positive sum as runtime_remaining <= 0 */ + min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining; +@@ -4125,6 +4127,7 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) + cfs_b->idle = 0; + } + } ++ expires_seq = cfs_b->expires_seq; + expires = cfs_b->runtime_expires; + raw_spin_unlock(&cfs_b->lock); + +@@ -4134,8 +4137,10 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) + * spread between our sched_clock and the one on which runtime was + * issued. + */ +- if ((s64)(expires - cfs_rq->runtime_expires) > 0) ++ if (cfs_rq->expires_seq != expires_seq) { ++ cfs_rq->expires_seq = expires_seq; + cfs_rq->runtime_expires = expires; ++ } + + return cfs_rq->runtime_remaining > 0; + } +@@ -4161,12 +4166,9 @@ static void expire_cfs_rq_runtime(struct cfs_rq *cfs_rq) + * has not truly expired. + * + * Fortunately we can check determine whether this the case by checking +- * whether the global deadline has advanced. It is valid to compare +- * cfs_b->runtime_expires without any locks since we only care about +- * exact equality, so a partial write will still work. ++ * whether the global deadline(cfs_b->expires_seq) has advanced. + */ +- +- if (cfs_rq->runtime_expires != cfs_b->runtime_expires) { ++ if (cfs_rq->expires_seq == cfs_b->expires_seq) { + /* extend local deadline, drift is bounded above by 2 ticks */ + cfs_rq->runtime_expires += TICK_NSEC; + } else { +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index b3ba6e5e99f2..452b56923c6d 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -281,8 +281,9 @@ struct cfs_bandwidth { + u64 quota, runtime; + s64 hierarchical_quota; + u64 runtime_expires; ++ int expires_seq; + +- int idle, period_active; ++ short idle, period_active; + struct hrtimer period_timer, slack_timer; + struct list_head throttled_cfs_rq; + +@@ -488,6 +489,7 @@ struct cfs_rq { + + #ifdef CONFIG_CFS_BANDWIDTH + int runtime_enabled; ++ int expires_seq; + u64 runtime_expires; + s64 runtime_remaining; + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 7582f28ab306..3f3859b8d49f 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -275,7 +275,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_ + struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); + int ret; + +- if (neigh->hh.hh_len) { ++ if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) { + neigh_hh_bridge(&neigh->hh, skb); + skb->dev = nf_bridge->physindev; + ret = br_handle_frame_finish(net, sk, skb); +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 54c7fe68040f..22e4c15a1fc3 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1134,14 +1134,16 @@ static int do_replace(struct net *net, const void __user *user, + tmp.name[sizeof(tmp.name) - 1] = 0; + + countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; +- newinfo = vmalloc(sizeof(*newinfo) + countersize); ++ newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT, ++ PAGE_KERNEL); + if (!newinfo) + return -ENOMEM; + + if (countersize) + memset(newinfo->counters, 0, countersize); + +- newinfo->entries = vmalloc(tmp.entries_size); ++ newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT, ++ PAGE_KERNEL); + if (!newinfo->entries) { + ret = -ENOMEM; + goto free_newinfo; +diff --git a/net/can/gw.c b/net/can/gw.c +index 73a02af4b5d7..5114b8f07fd4 100644 +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -416,13 +416,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) + while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx]) + (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod); + +- /* check for checksum updates when the CAN frame has been modified */ ++ /* Has the CAN frame been modified? */ + if (modidx) { +- if (gwj->mod.csumfunc.crc8) ++ /* get available space for the processed CAN frame type */ ++ int max_len = nskb->len - offsetof(struct can_frame, data); ++ ++ /* dlc may have changed, make sure it fits to the CAN frame */ ++ if (cf->can_dlc > max_len) ++ goto out_delete; ++ ++ /* check for checksum updates in classic CAN length only */ ++ if (gwj->mod.csumfunc.crc8) { ++ if (cf->can_dlc > 8) ++ goto out_delete; ++ + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); ++ } ++ ++ if (gwj->mod.csumfunc.xor) { ++ if (cf->can_dlc > 8) ++ goto out_delete; + +- if (gwj->mod.csumfunc.xor) + (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor); ++ } + } + + /* clear the skb timestamp if not configured the other way */ +@@ -434,6 +450,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) + gwj->dropped_frames++; + else + gwj->handled_frames++; ++ ++ return; ++ ++ out_delete: ++ /* delete frame due to misconfiguration */ ++ gwj->deleted_frames++; ++ kfree_skb(nskb); ++ return; + } + + static inline int cgw_register_filter(struct net *net, struct cgw_job *gwj) +diff --git a/net/core/filter.c b/net/core/filter.c +index d5158a10ac8f..542fd04bc44d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1714,18 +1714,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb) + static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, + u32 flags) + { +- /* skb->mac_len is not set on normal egress */ +- unsigned int mlen = skb->network_header - skb->mac_header; ++ unsigned int mlen = skb_network_offset(skb); + +- __skb_pull(skb, mlen); ++ if (mlen) { ++ __skb_pull(skb, mlen); + +- /* At ingress, the mac header has already been pulled once. +- * At egress, skb_pospull_rcsum has to be done in case that +- * the skb is originated from ingress (i.e. a forwarded skb) +- * to ensure that rcsum starts at net header. +- */ +- if (!skb_at_tc_ingress(skb)) +- skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); ++ /* At ingress, the mac header has already been pulled once. ++ * At egress, skb_pospull_rcsum has to be done in case that ++ * the skb is originated from ingress (i.e. a forwarded skb) ++ * to ensure that rcsum starts at net header. ++ */ ++ if (!skb_at_tc_ingress(skb)) ++ skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); ++ } + skb_pop_mac_header(skb); + skb_reset_mac_len(skb); + return flags & BPF_F_INGRESS ? +diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c +index 832d69649cb6..65313c766ab3 100644 +--- a/net/core/lwt_bpf.c ++++ b/net/core/lwt_bpf.c +@@ -65,6 +65,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt, + lwt->name ? : "<unknown>"); + ret = BPF_OK; + } else { ++ skb_reset_mac_header(skb); + ret = skb_do_redirect(skb); + if (ret == 0) + ret = BPF_REDIRECT; +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 4ef92ebc4f6d..d1081eac3b49 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -146,19 +146,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) + + static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) + { ++ __be16 _ports[2], *ports; + struct sockaddr_in sin; +- __be16 *ports; +- int end; +- +- end = skb_transport_offset(skb) + 4; +- if (end > 0 && !pskb_may_pull(skb, end)) +- return; + + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ +- ports = (__be16 *)skb_transport_header(skb); ++ ports = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_ports), &_ports); ++ if (!ports) ++ return; + + sin.sin_family = AF_INET; + sin.sin_addr.s_addr = ip_hdr(skb)->daddr; +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index 461825e0680f..1ee3e0d2b587 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -349,6 +349,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info) + skb_reset_network_header(skb); + iph = ipv6_hdr(skb); + iph->daddr = fl6->daddr; ++ ip6_flow_hdr(iph, 0, 0); + + serr = SKB_EXT_ERR(skb); + serr->ee.ee_errno = err; +@@ -708,17 +709,15 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, + } + if (np->rxopt.bits.rxorigdstaddr) { + struct sockaddr_in6 sin6; +- __be16 *ports; +- int end; ++ __be16 _ports[2], *ports; + +- end = skb_transport_offset(skb) + 4; +- if (end <= 0 || pskb_may_pull(skb, end)) { ++ ports = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_ports), &_ports); ++ if (ports) { + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ +- ports = (__be16 *)skb_transport_header(skb); +- + sin6.sin6_family = AF_INET6; + sin6.sin6_addr = ipv6_hdr(skb)->daddr; + sin6.sin6_port = ports[1]; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 91a323f99d47..44a093c75567 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2666,7 +2666,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out; ++ goto out_put; + } + + err = -ENXIO; +@@ -2866,7 +2866,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out; ++ goto out_unlock; + } + + err = -ENXIO; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 8002a72aae1a..7eb06fa75730 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev, + + switch (ev) { + case NETDEV_UP: +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v6.sin6_family = AF_INET6; +- addr->a.v6.sin6_port = 0; +- addr->a.v6.sin6_flowinfo = 0; + addr->a.v6.sin6_addr = ifa->addr; + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; + addr->valid = 1; +@@ -415,7 +413,6 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist, + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v6.sin6_family = AF_INET6; +- addr->a.v6.sin6_port = 0; + addr->a.v6.sin6_addr = ifp->addr; + addr->a.v6.sin6_scope_id = dev->ifindex; + addr->valid = 1; +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index df22a9c352ad..cbb04d66f564 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -151,7 +151,6 @@ static void sctp_v4_copy_addrlist(struct list_head *addrlist, + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v4.sin_family = AF_INET; +- addr->a.v4.sin_port = 0; + addr->a.v4.sin_addr.s_addr = ifa->ifa_local; + addr->valid = 1; + INIT_LIST_HEAD(&addr->list); +@@ -782,10 +781,9 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev, + + switch (ev) { + case NETDEV_UP: +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v4.sin_family = AF_INET; +- addr->a.v4.sin_port = 0; + addr->a.v4.sin_addr.s_addr = ifa->ifa_local; + addr->valid = 1; + spin_lock_bh(&net->sctp.local_addr_lock); +diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c +index ea0676f199c8..da21efac80f4 100644 +--- a/net/sunrpc/rpcb_clnt.c ++++ b/net/sunrpc/rpcb_clnt.c +@@ -771,6 +771,12 @@ void rpcb_getport_async(struct rpc_task *task) + case RPCBVERS_3: + map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID]; + map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC); ++ if (!map->r_addr) { ++ status = -ENOMEM; ++ dprintk("RPC: %5u %s: no memory available\n", ++ task->tk_pid, __func__); ++ goto bailout_free_args; ++ } + map->r_owner = ""; + break; + case RPCBVERS_2: +@@ -793,6 +799,8 @@ void rpcb_getport_async(struct rpc_task *task) + rpc_put_task(child); + return; + ++bailout_free_args: ++ kfree(map); + bailout_release_client: + rpc_release_client(rpcb_clnt); + bailout_nofree: +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index e48f0b2c01b9..73895daf8943 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_buff *skb) + return limit; + } + ++static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv) ++{ ++ return TLV_GET_LEN(tlv) - TLV_SPACE(0); ++} ++ + static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len) + { + struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb); +@@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(char *str) + return buf; + } + ++static inline bool string_is_valid(char *s, int len) ++{ ++ return memchr(s, '\0', len) ? true : false; ++} ++ + static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + struct tipc_nl_compat_msg *msg, + struct sk_buff *arg) +@@ -370,6 +380,7 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, + struct nlattr *prop; + struct nlattr *bearer; + struct tipc_bearer_config *b; ++ int len; + + b = (struct tipc_bearer_config *)TLV_DATA(msg->req); + +@@ -377,6 +388,10 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ if (!string_is_valid(b->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name)) + return -EMSGSIZE; + +@@ -402,6 +417,7 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd, + { + char *name; + struct nlattr *bearer; ++ int len; + + name = (char *)TLV_DATA(msg->req); + +@@ -409,6 +425,10 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd, + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ if (!string_is_valid(name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name)) + return -EMSGSIZE; + +@@ -469,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, + struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; + struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; + int err; ++ int len; + + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; +@@ -495,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg, + return err; + + name = (char *)TLV_DATA(msg->req); ++ ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ if (!string_is_valid(name, len)) ++ return -EINVAL; ++ + if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) + return 0; + +@@ -635,6 +661,7 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb, + struct nlattr *prop; + struct nlattr *media; + struct tipc_link_config *lc; ++ int len; + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +@@ -642,6 +669,10 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb, + if (!media) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); ++ if (!string_is_valid(lc->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name)) + return -EMSGSIZE; + +@@ -662,6 +693,7 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb, + struct nlattr *prop; + struct nlattr *bearer; + struct tipc_link_config *lc; ++ int len; + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +@@ -669,6 +701,10 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb, + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); ++ if (!string_is_valid(lc->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name)) + return -EMSGSIZE; + +@@ -717,9 +753,14 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, + struct tipc_link_config *lc; + struct tipc_bearer *bearer; + struct tipc_media *media; ++ int len; + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ if (!string_is_valid(lc->name, len)) ++ return -EINVAL; ++ + media = tipc_media_find(lc->name); + if (media) { + cmd->doit = &tipc_nl_media_set; +@@ -741,6 +782,7 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd, + { + char *name; + struct nlattr *link; ++ int len; + + name = (char *)TLV_DATA(msg->req); + +@@ -748,6 +790,10 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd, + if (!link) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ if (!string_is_valid(name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name)) + return -EMSGSIZE; + +@@ -769,6 +815,8 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg) + }; + + ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req); ++ if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query)) ++ return -EINVAL; + + depth = ntohl(ntq->depth); + +@@ -1192,7 +1240,7 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info) + } + + len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN); +- if (len && !TLV_OK(msg.req, len)) { ++ if (!len || !TLV_OK(msg.req, len)) { + msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED); + err = -EOPNOTSUPP; + goto send; +diff --git a/security/security.c b/security/security.c +index 95a1a0f52880..4fbe4e495c02 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -993,6 +993,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) + + void security_cred_free(struct cred *cred) + { ++ /* ++ * There is a failure case in prepare_creds() that ++ * may result in a call here with ->security being NULL. ++ */ ++ if (unlikely(cred->security == NULL)) ++ return; ++ + call_void_hook(cred_free, cred); + } + +diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c +index ffeb644bfecd..524068d71bc1 100644 +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -730,7 +730,8 @@ static int sens_destroy(void *key, void *datum, void *p) + kfree(key); + if (datum) { + levdatum = datum; +- ebitmap_destroy(&levdatum->level->cat); ++ if (levdatum->level) ++ ebitmap_destroy(&levdatum->level->cat); + kfree(levdatum->level); + } + kfree(datum); +diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c +index 8298e094f4f7..7d5541c6a225 100644 +--- a/security/yama/yama_lsm.c ++++ b/security/yama/yama_lsm.c +@@ -373,7 +373,9 @@ static int yama_ptrace_access_check(struct task_struct *child, + break; + case YAMA_SCOPE_RELATIONAL: + rcu_read_lock(); +- if (!task_is_descendant(current, child) && ++ if (!pid_alive(child)) ++ rc = -EPERM; ++ if (!rc && !task_is_descendant(current, child) && + !ptracer_exception_found(current, child) && + !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) + rc = -EPERM; |