authorMike Pagano <mpagano@gentoo.org>2018-08-07 14:11:17 -0400
committerMike Pagano <mpagano@gentoo.org>2018-11-14 09:00:40 -0500
commit52e0b7c17c14c06a06a13b600f7d31cc34db657c (patch)
tree603c0887674c6ca43e78635c3f5d1736d800fddb /1060_linux-4.14.61.patch
parentLinux patch 4.14.60 (diff)
Linux patch 4.14.61
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Diffstat (limited to '1060_linux-4.14.61.patch')
-rw-r--r--1060_linux-4.14.61.patch909
1 files changed, 909 insertions, 0 deletions
diff --git a/1060_linux-4.14.61.patch b/1060_linux-4.14.61.patch
new file mode 100644
index 00000000..d7a40832
--- /dev/null
+++ b/1060_linux-4.14.61.patch
@@ -0,0 +1,909 @@
+diff --git a/Makefile b/Makefile
+index 5b48ec630990..4bd65eabd298 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 60
++SUBLEVEL = 61
+ EXTRAVERSION =
+ NAME = Petit Gorille
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index f7bfa701219b..0fae7096ae23 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -933,7 +933,7 @@ ENTRY(\sym)
+
+ call \do_sym
+
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1166,7 +1166,6 @@ END(paranoid_exit)
+
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
+@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
+
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index ebdcc368a2d3..f48a51335538 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void)
+ case 0x04: return 0x02000014;
+ }
+
++ if (boot_cpu_data.x86_stepping > 4)
++ return 0;
++
+ return ~0U;
+ }
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 90747865205d..8d000fde1414 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kvm_vcpu *vcpu)
+ HRTIMER_MODE_REL_PINNED);
+ vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+
++ vmx->nested.vpid02 = allocate_vpid();
++
+ vmx->nested.vmxon = true;
+ return 0;
+
+@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
+ goto free_vmcs;
+ }
+
+- if (nested) {
++ if (nested)
+ nested_vmx_setup_ctls_msrs(vmx);
+- vmx->nested.vpid02 = allocate_vpid();
+- }
+
+ vmx->nested.posted_intr_nv = -1;
+ vmx->nested.current_vmptr = -1ull;
+@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
+ return &vmx->vcpu;
+
+ free_vmcs:
+- free_vpid(vmx->nested.vpid02);
+ free_loaded_vmcs(vmx->loaded_vmcs);
+ free_msrs:
+ kfree(vmx->guest_msrs);
+diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
+index c939f18f70cc..7685f557dcc0 100644
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
+ return;
+ }
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+- : "d"(control_word), "b"(key), "c"(count - initial));
++ : "d"(control_word), "b"(key), "c"(count));
+ }
+
+ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+ if (count < cbc_fetch_blocks)
+ return cbc_crypt(input, output, key, iv, control_word, count);
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+- : "d" (control_word), "b" (key), "c" (count-initial));
++ : "d" (control_word), "b" (key), "c" (count));
+ return iv;
+ }
+
+diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
+index 77c56264c05b..17590cb2b80d 100644
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
+ vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
+ if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
+ vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
++ } else {
++ vc4_state->x_scaling[1] = VC4_SCALING_NONE;
++ vc4_state->y_scaling[1] = VC4_SCALING_NONE;
+ }
+
+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index b8229d7b0ff5..f836ed1dd300 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_file *file,
+ goto release_qp;
+ }
+
+- if ((cmd->base.attr_mask & IB_QP_AV) &&
+- !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+- ret = -EINVAL;
+- goto release_qp;
++ if ((cmd->base.attr_mask & IB_QP_AV)) {
++ if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++
++ if (cmd->base.attr_mask & IB_QP_STATE &&
++ cmd->base.qp_state == IB_QPS_RTR) {
++ /* We are in INIT->RTR TRANSITION (if we are not,
++ * this transition will be rejected in subsequent checks).
++ * In the INIT->RTR transition, we cannot have IB_QP_PORT set,
++ * but the IB_QP_STATE flag is required.
++ *
++ * Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
++ * when IB_QP_AV is set, has required inclusion of a valid
++ * port number in the primary AV. (AVs are created and handled
++ * differently for infiniband and ethernet (RoCE) ports).
++ *
++ * Check the port number included in the primary AV against
++ * the port number in the qp struct, which was set (and saved)
++ * in the RST->INIT transition.
++ */
++ if (cmd->base.dest.port_num != qp->real_qp->port) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++ } else {
++ /* We are in SQD->SQD. (If we are not, this transition will
++ * be rejected later in the verbs layer checks).
++ * Check for both IB_QP_PORT and IB_QP_AV, these can be set
++ * together in the SQD->SQD transition.
++ *
++ * If only IP_QP_AV was set, add in IB_QP_PORT as well (the
++ * verbs layer driver does not track primary port changes
++ * resulting from path migration. Thus, in SQD, if the primary
++ * AV is modified, the primary port should also be modified).
++ *
++ * Note that in this transition, the IB_QP_STATE flag
++ * is not allowed.
++ */
++ if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++ == (IB_QP_AV | IB_QP_PORT)) &&
++ cmd->base.port_num != cmd->base.dest.port_num) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++ if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++ == IB_QP_AV) {
++ cmd->base.attr_mask |= IB_QP_PORT;
++ cmd->base.port_num = cmd->base.dest.port_num;
++ }
++ }
+ }
+
+ if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
+ (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
+- !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
++ !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
++ cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
+ ret = -EINVAL;
+ goto release_qp;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 00245b73c224..15aedb64a02b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1687,6 +1687,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
+ goto err_upper_unlink;
+ }
+
++ bond->nest_level = dev_get_nest_level(bond_dev) + 1;
++
+ /* If the mode uses primary, then the following is handled by
+ * bond_change_active_slave().
+ */
+@@ -1734,7 +1736,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
+ if (bond_mode_uses_xmit_hash(bond))
+ bond_update_slave_arr(bond, NULL);
+
+- bond->nest_level = dev_get_nest_level(bond_dev);
+
+ netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n",
+ slave_dev->name,
+@@ -3379,6 +3380,13 @@ static void bond_fold_stats(struct rtnl_link_stats64 *_res,
+ }
+ }
+
++static int bond_get_nest_level(struct net_device *bond_dev)
++{
++ struct bonding *bond = netdev_priv(bond_dev);
++
++ return bond->nest_level;
++}
++
+ static void bond_get_stats(struct net_device *bond_dev,
+ struct rtnl_link_stats64 *stats)
+ {
+@@ -3387,7 +3395,7 @@ static void bond_get_stats(struct net_device *bond_dev,
+ struct list_head *iter;
+ struct slave *slave;
+
+- spin_lock(&bond->stats_lock);
++ spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev));
+ memcpy(stats, &bond->bond_stats, sizeof(*stats));
+
+ rcu_read_lock();
+@@ -4182,6 +4190,7 @@ static const struct net_device_ops bond_netdev_ops = {
+ .ndo_neigh_setup = bond_neigh_setup,
+ .ndo_vlan_rx_add_vid = bond_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = bond_vlan_rx_kill_vid,
++ .ndo_get_lock_subclass = bond_get_nest_level,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+ .ndo_netpoll_setup = bond_netpoll_setup,
+ .ndo_netpoll_cleanup = bond_netpoll_cleanup,
+@@ -4680,6 +4689,7 @@ static int bond_init(struct net_device *bond_dev)
+ if (!bond->wq)
+ return -ENOMEM;
+
++ bond->nest_level = SINGLE_DEPTH_NESTING;
+ netdev_lockdep_set_classes(bond_dev);
+
+ list_add_tail(&bond->bond_list, &bn->dev_list);
+diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
+index b00358297424..d0846ae9e0e4 100644
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct usb_interface *intf)
+ usb_free_urb(dev->intr_urb);
+
+ kfree(dev->intr_in_buffer);
++ kfree(dev->tx_msg_buffer);
+ }
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 667415301066..f697084937c3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1616,7 +1616,7 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
+ int vport_num;
+ int err;
+
+- if (!MLX5_VPORT_MANAGER(dev))
++ if (!MLX5_ESWITCH_MANAGER(dev))
+ return 0;
+
+ esw_info(dev,
+@@ -1689,7 +1689,7 @@ abort:
+
+ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
+ {
+- if (!esw || !MLX5_VPORT_MANAGER(esw->dev))
++ if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))
+ return;
+
+ esw_info(esw->dev, "cleanup\n");
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 8d375e51a526..6a393b16a1fc 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+ return -ENOMEM;
+
+ /* Enable pci device */
+- ret = pcim_enable_device(pdev);
++ ret = pci_enable_device(pdev);
+ if (ret) {
+ dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+ __func__);
+@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+ stmmac_dvr_remove(&pdev->dev);
++ pci_disable_device(pdev);
+ }
+
+-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
++static int stmmac_pci_suspend(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ ret = stmmac_suspend(dev);
++ if (ret)
++ return ret;
++
++ ret = pci_save_state(pdev);
++ if (ret)
++ return ret;
++
++ pci_disable_device(pdev);
++ pci_wake_from_d3(pdev, true);
++ return 0;
++}
++
++static int stmmac_pci_resume(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ pci_restore_state(pdev);
++ pci_set_power_state(pdev, PCI_D0);
++
++ ret = pci_enable_device(pdev);
++ if (ret)
++ return ret;
++
++ pci_set_master(pdev);
++
++ return stmmac_resume(dev);
++}
++
++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
+
+ /* synthetic ID, no official vendor */
+ #define PCI_VENDOR_ID_STMMAC 0x700
+diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+index 73da5e63a609..2c80c722feca 100644
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
+ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+ };
+
++const struct iwl_cfg iwl9260_killer_2ac_cfg = {
++ .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)",
++ .fw_name_pre = IWL9260A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++};
++
+ const struct iwl_cfg iwl9270_2ac_cfg = {
+ .name = "Intel(R) Dual Band Wireless AC 9270",
+ .fw_name_pre = IWL9260A_FW_PRE,
+@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc = {
+ .soc_latency = 5000,
+ };
+
++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++};
++
+ const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
+ .name = "Intel(R) Dual Band Wireless AC 9460",
+ .fw_name_pre = IWL9000A_FW_PRE,
+@@ -326,6 +365,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_shared_clk = {
+ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+ };
+
++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)",
++ .fw_name_pre = IWL9000A_FW_PRE,
++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++ IWL_DEVICE_9000,
++ .ht_params = &iwl9000_ht_params,
++ .nvm_ver = IWL9000_NVM_VERSION,
++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++ .integrated = true,
++ .soc_latency = 5000,
++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
+ MODULE_FIRMWARE(IWL9000A_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+ MODULE_FIRMWARE(IWL9000B_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+ MODULE_FIRMWARE(IWL9000RFB_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+index 85fe1a928adc..70f3c327eb4a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_sdio_cfg;
+ extern const struct iwl_cfg iwl4165_2ac_sdio_cfg;
+ extern const struct iwl_cfg iwl9160_2ac_cfg;
+ extern const struct iwl_cfg iwl9260_2ac_cfg;
++extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
+ extern const struct iwl_cfg iwl9270_2ac_cfg;
+ extern const struct iwl_cfg iwl9460_2ac_cfg;
+ extern const struct iwl_cfg iwl9560_2ac_cfg;
+@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr_cdb;
+ extern const struct iwl_cfg iwla000_2ac_cfg_jf;
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 9a8605abb00a..4cbc6cb8bf89 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -543,6 +543,9 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -552,6 +555,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
+@@ -576,6 +580,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)},
+@@ -602,6 +608,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -628,6 +636,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x31DC, 0x1551, iwl9560_killer_s_2ac_cfg_shared_clk)},
++ {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)},
+ {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)},
+@@ -654,6 +664,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -680,6 +692,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -706,6 +720,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -741,6 +757,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x9DF0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -769,6 +787,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -795,6 +815,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++ {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)},
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 4d49fb8f2bbc..3a406b40f150 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
+diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
+index f0b3a0b9d42f..36c9fbf70d44 100644
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struct balloon_dev_info *vb_dev_info,
+ tell_host(vb, vb->inflate_vq);
+
+ /* balloon's page migration 2nd step -- deflate "page" */
++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
+diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
+index 2751476e6b6e..f098b9f1c396 100644
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
+ }
+
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
+diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
+index 86ad9a4b8c36..0681feab4a84 100644
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
+index 1da565cb50c3..ef69c31947bf 100644
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index cf01e15a7b16..1516bb779b8d 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+
+ TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ allocate_id_index_table:
+ sb->s_export_op = &squashfs_export_ops;
+
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index f6ed92524a03..3eda623e4cb4 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -628,8 +628,10 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
+ /* the various vma->vm_userfaultfd_ctx still points to it */
+ down_write(&mm->mmap_sem);
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+- if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
++ }
+ up_write(&mm->mmap_sem);
+
+ userfaultfd_ctx_put(release_new_ctx);
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 677053a2fb57..76d789d6cea0 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1274,8 +1274,12 @@ static void show_special(struct audit_context *context, int *call_panic)
+ break;
+ case AUDIT_KERN_MODULE:
+ audit_log_format(ab, "name=");
+- audit_log_untrustedstring(ab, context->module.name);
+- kfree(context->module.name);
++ if (context->module.name) {
++ audit_log_untrustedstring(ab, context->module.name);
++ kfree(context->module.name);
++ } else
++ audit_log_format(ab, "(null)");
++
+ break;
+ }
+ audit_log_end(ab);
+@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name)
+ {
+ struct audit_context *context = current->audit_context;
+
+- context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+- strcpy(context->module.name, name);
++ context->module.name = kstrdup(name, GFP_KERNEL);
++ if (!context->module.name)
++ audit_log_lost("out of memory in __audit_log_kern_module");
+ context->type = AUDIT_KERN_MODULE;
+ }
+
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 865e29e62bad..242e74b9d454 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1219,6 +1219,9 @@ int dsa_slave_suspend(struct net_device *slave_dev)
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_detach(slave_dev);
+
+ if (p->phy) {
+@@ -1236,6 +1239,9 @@ int dsa_slave_resume(struct net_device *slave_dev)
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_attach(slave_dev);
+
+ if (p->phy) {
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index e691705f0a85..ba4454ecdf0f 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
+ {
+ struct inet_frag_queue *q;
+
+- if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+- inet_frag_schedule_worker(f);
+- return NULL;
+- }
+-
+ q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+ if (!q)
+ return NULL;
+@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
+ struct inet_frag_queue *q;
+ int depth = 0;
+
++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++ inet_frag_schedule_worker(f);
++ return NULL;
++ }
++
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
+
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index df8fe0503de0..4cb1befc3949 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -447,11 +447,16 @@ found:
+ int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
+
+ if (i < next->len) {
++ int delta = -next->truesize;
++
+ /* Eat head of the next overlapped fragment
+ * and leave the loop. The next ones cannot overlap.
+ */
+ if (!pskb_pull(next, i))
+ goto err;
++ delta += next->truesize;
++ if (delta)
++ add_frag_mem_limit(qp->q.net, delta);
+ FRAG_CB(next)->offset += i;
+ qp->q.meat -= i;
+ if (next->ip_summed != CHECKSUM_UNNECESSARY)
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index b2fcbf012056..68c9d1833b95 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -63,6 +63,7 @@
+ #include <linux/hash.h>
+ #include <linux/genetlink.h>
+ #include <linux/net_namespace.h>
++#include <linux/nospec.h>
+
+ #include <net/net_namespace.h>
+ #include <net/sock.h>
+@@ -647,6 +648,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
+
+ if (protocol < 0 || protocol >= MAX_LINKS)
+ return -EPROTONOSUPPORT;
++ protocol = array_index_nospec(protocol, MAX_LINKS);
+
+ netlink_lock_table();
+ #ifdef CONFIG_MODULES
+diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
+index 3028298ca561..62b1581d44a5 100644
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -115,9 +115,9 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx,
+ while (*pp) {
+ parent = *pp;
+ xcall = rb_entry(parent, struct rxrpc_call, sock_node);
+- if (user_call_ID < call->user_call_ID)
++ if (user_call_ID < xcall->user_call_ID)
+ pp = &(*pp)->rb_left;
+- else if (user_call_ID > call->user_call_ID)
++ else if (user_call_ID > xcall->user_call_ID)
+ pp = &(*pp)->rb_right;
+ else
+ goto id_in_use;
+diff --git a/net/socket.c b/net/socket.c
+index 8b2bef6cfe42..d27922639a20 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
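Review bot: In the drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c part of the added patch, `stmmac_pci_suspend()` returns the `pci_save_state()` error after `stmmac_suspend()` has already succeeded, so a failed suspend leaves the MAC quiesced with no visible rollback. The PM core is not shown here, but it presumably does not invoke the resume callback for the device whose own suspend callback failed, so the failure branch could undo the first step itself, e.g. `if (ret) { stmmac_resume(dev); return ret; }`. The same file replaces `pcim_enable_device()` with `pci_enable_device()`, which drops the devres-managed disable. `stmmac_pci_remove()` gains the matching `pci_disable_device()`, but the body of `stmmac_pci_probe()` after the enable lies outside the hunk context, so check that its later failure returns also call `pci_disable_device(pdev)`; otherwise the enable count stays unbalanced after a failed probe.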