diff options
author | Mike Pagano <mpagano@gentoo.org> | 2018-08-07 14:11:17 -0400 |
---|---|---|
committer | Mike Pagano <mpagano@gentoo.org> | 2018-11-14 09:00:40 -0500 |
commit | 52e0b7c17c14c06a06a13b600f7d31cc34db657c (patch) | |
tree | 603c0887674c6ca43e78635c3f5d1736d800fddb /1060_linux-4.14.61.patch | |
parent | Linux patch 4.14.60 (diff) | |
download | linux-patches-52e0b7c17c14c06a06a13b600f7d31cc34db657c.tar.gz linux-patches-52e0b7c17c14c06a06a13b600f7d31cc34db657c.tar.bz2 linux-patches-52e0b7c17c14c06a06a13b600f7d31cc34db657c.zip |
Linux patch 4.14.61
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Diffstat (limited to '1060_linux-4.14.61.patch')
-rw-r--r-- | 1060_linux-4.14.61.patch | 909 |
1 files changed, 909 insertions, 0 deletions
diff --git a/1060_linux-4.14.61.patch b/1060_linux-4.14.61.patch new file mode 100644 index 00000000..d7a40832 --- /dev/null +++ b/1060_linux-4.14.61.patch @@ -0,0 +1,909 @@ +diff --git a/Makefile b/Makefile +index 5b48ec630990..4bd65eabd298 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 60 ++SUBLEVEL = 61 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index f7bfa701219b..0fae7096ae23 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -933,7 +933,7 @@ ENTRY(\sym) + + call \do_sym + +- jmp error_exit /* %ebx: no swapgs flag */ ++ jmp error_exit + .endif + END(\sym) + .endm +@@ -1166,7 +1166,6 @@ END(paranoid_exit) + + /* + * Save all registers in pt_regs, and switch GS if needed. +- * Return: EBX=0: came from user mode; EBX=1: otherwise + */ + ENTRY(error_entry) + UNWIND_HINT_FUNC +@@ -1213,7 +1212,6 @@ ENTRY(error_entry) + * for these here too. + */ + .Lerror_kernelspace: +- incl %ebx + leaq native_irq_return_iret(%rip), %rcx + cmpq %rcx, RIP+8(%rsp) + je .Lerror_bad_iret +@@ -1247,28 +1245,20 @@ ENTRY(error_entry) + + /* + * Pretend that the exception came from user mode: set up pt_regs +- * as if we faulted immediately after IRET and clear EBX so that +- * error_exit knows that we will be returning to user mode. ++ * as if we faulted immediately after IRET. + */ + mov %rsp, %rdi + call fixup_bad_iret + mov %rax, %rsp +- decl %ebx + jmp .Lerror_entry_from_usermode_after_swapgs + END(error_entry) + +- +-/* +- * On entry, EBX is a "return to kernel mode" flag: +- * 1: already in kernel mode, don't need SWAPGS +- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode +- */ + ENTRY(error_exit) + UNWIND_HINT_REGS + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF +- testl %ebx, %ebx +- jnz retint_kernel ++ testb $3, CS(%rsp) ++ jz retint_kernel + jmp retint_user + END(error_exit) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index ebdcc368a2d3..f48a51335538 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void) + case 0x04: return 0x02000014; + } + ++ if (boot_cpu_data.x86_stepping > 4) ++ return 0; ++ + return ~0U; + } + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 90747865205d..8d000fde1414 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kvm_vcpu *vcpu) + HRTIMER_MODE_REL_PINNED); + vmx->nested.preemption_timer.function = vmx_preemption_timer_fn; + ++ vmx->nested.vpid02 = allocate_vpid(); ++ + vmx->nested.vmxon = true; + return 0; + +@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) + goto free_vmcs; + } + +- if (nested) { ++ if (nested) + nested_vmx_setup_ctls_msrs(vmx); +- vmx->nested.vpid02 = allocate_vpid(); +- } + + vmx->nested.posted_intr_nv = -1; + vmx->nested.current_vmptr = -1ull; +@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) + return &vmx->vcpu; + + free_vmcs: +- free_vpid(vmx->nested.vpid02); + free_loaded_vmcs(vmx->loaded_vmcs); + free_msrs: + kfree(vmx->guest_msrs); +diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c +index c939f18f70cc..7685f557dcc0 100644 +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, + return; + } + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, + + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +- : "d"(control_word), "b"(key), "c"(count - initial)); ++ : "d"(control_word), "b"(key), "c"(count)); + } + + static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, +@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, + if (count < cbc_fetch_blocks) + return cbc_crypt(input, output, key, iv, control_word, count); + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, + + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +- : "d" (control_word), "b" (key), "c" (count-initial)); ++ : "d" (control_word), "b" (key), "c" (count)); + return iv; + } + +diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c +index 77c56264c05b..17590cb2b80d 100644 +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state) + vc4_state->x_scaling[0] = VC4_SCALING_TPZ; + if (vc4_state->y_scaling[0] == VC4_SCALING_NONE) + vc4_state->y_scaling[0] = VC4_SCALING_TPZ; ++ } else { ++ vc4_state->x_scaling[1] = VC4_SCALING_NONE; ++ vc4_state->y_scaling[1] = VC4_SCALING_NONE; + } + + vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE && +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index b8229d7b0ff5..f836ed1dd300 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_file *file, + goto release_qp; + } + +- if ((cmd->base.attr_mask & IB_QP_AV) && +- !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { +- ret = -EINVAL; +- goto release_qp; ++ if ((cmd->base.attr_mask & IB_QP_AV)) { ++ if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ ++ if (cmd->base.attr_mask & IB_QP_STATE && ++ cmd->base.qp_state == IB_QPS_RTR) { ++ /* We are in INIT->RTR TRANSITION (if we are not, ++ * this transition will be rejected in subsequent checks). ++ * In the INIT->RTR transition, we cannot have IB_QP_PORT set, ++ * but the IB_QP_STATE flag is required. ++ * ++ * Since kernel 3.14 (commit dbf727de7440), the uverbs driver, ++ * when IB_QP_AV is set, has required inclusion of a valid ++ * port number in the primary AV. (AVs are created and handled ++ * differently for infiniband and ethernet (RoCE) ports). ++ * ++ * Check the port number included in the primary AV against ++ * the port number in the qp struct, which was set (and saved) ++ * in the RST->INIT transition. ++ */ ++ if (cmd->base.dest.port_num != qp->real_qp->port) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ } else { ++ /* We are in SQD->SQD. (If we are not, this transition will ++ * be rejected later in the verbs layer checks). ++ * Check for both IB_QP_PORT and IB_QP_AV, these can be set ++ * together in the SQD->SQD transition. ++ * ++ * If only IP_QP_AV was set, add in IB_QP_PORT as well (the ++ * verbs layer driver does not track primary port changes ++ * resulting from path migration. Thus, in SQD, if the primary ++ * AV is modified, the primary port should also be modified). ++ * ++ * Note that in this transition, the IB_QP_STATE flag ++ * is not allowed. ++ */ ++ if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == (IB_QP_AV | IB_QP_PORT)) && ++ cmd->base.port_num != cmd->base.dest.port_num) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == IB_QP_AV) { ++ cmd->base.attr_mask |= IB_QP_PORT; ++ cmd->base.port_num = cmd->base.dest.port_num; ++ } ++ } + } + + if ((cmd->base.attr_mask & IB_QP_ALT_PATH) && + (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) || +- !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) { ++ !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) || ++ cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) { + ret = -EINVAL; + goto release_qp; + } +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 00245b73c224..15aedb64a02b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1687,6 +1687,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + goto err_upper_unlink; + } + ++ bond->nest_level = dev_get_nest_level(bond_dev) + 1; ++ + /* If the mode uses primary, then the following is handled by + * bond_change_active_slave(). + */ +@@ -1734,7 +1736,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + if (bond_mode_uses_xmit_hash(bond)) + bond_update_slave_arr(bond, NULL); + +- bond->nest_level = dev_get_nest_level(bond_dev); + + netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n", + slave_dev->name, +@@ -3379,6 +3380,13 @@ static void bond_fold_stats(struct rtnl_link_stats64 *_res, + } + } + ++static int bond_get_nest_level(struct net_device *bond_dev) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ ++ return bond->nest_level; ++} ++ + static void bond_get_stats(struct net_device *bond_dev, + struct rtnl_link_stats64 *stats) + { +@@ -3387,7 +3395,7 @@ static void bond_get_stats(struct net_device *bond_dev, + struct list_head *iter; + struct slave *slave; + +- spin_lock(&bond->stats_lock); ++ spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev)); + memcpy(stats, &bond->bond_stats, sizeof(*stats)); + + rcu_read_lock(); +@@ -4182,6 +4190,7 @@ static const struct net_device_ops bond_netdev_ops = { + .ndo_neigh_setup = bond_neigh_setup, + .ndo_vlan_rx_add_vid = bond_vlan_rx_add_vid, + .ndo_vlan_rx_kill_vid = bond_vlan_rx_kill_vid, ++ .ndo_get_lock_subclass = bond_get_nest_level, + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_netpoll_setup = bond_netpoll_setup, + .ndo_netpoll_cleanup = bond_netpoll_cleanup, +@@ -4680,6 +4689,7 @@ static int bond_init(struct net_device *bond_dev) + if (!bond->wq) + return -ENOMEM; + ++ bond->nest_level = SINGLE_DEPTH_NESTING; + netdev_lockdep_set_classes(bond_dev); + + list_add_tail(&bond->bond_list, &bn->dev_list); +diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c +index b00358297424..d0846ae9e0e4 100644 +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct usb_interface *intf) + usb_free_urb(dev->intr_urb); + + kfree(dev->intr_in_buffer); ++ kfree(dev->tx_msg_buffer); + } + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 667415301066..f697084937c3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1616,7 +1616,7 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev) + int vport_num; + int err; + +- if (!MLX5_VPORT_MANAGER(dev)) ++ if (!MLX5_ESWITCH_MANAGER(dev)) + return 0; + + esw_info(dev, +@@ -1689,7 +1689,7 @@ abort: + + void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw) + { +- if (!esw || !MLX5_VPORT_MANAGER(esw->dev)) ++ if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev)) + return; + + esw_info(esw->dev, "cleanup\n"); +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index 8d375e51a526..6a393b16a1fc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pcim_enable_device(pdev); ++ ret = pci_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + static void stmmac_pci_remove(struct pci_dev *pdev) + { + stmmac_dvr_remove(&pdev->dev); ++ pci_disable_device(pdev); + } + +-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume); ++static int stmmac_pci_suspend(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ int ret; ++ ++ ret = stmmac_suspend(dev); ++ if (ret) ++ return ret; ++ ++ ret = pci_save_state(pdev); ++ if (ret) ++ return ret; ++ ++ pci_disable_device(pdev); ++ pci_wake_from_d3(pdev, true); ++ return 0; ++} ++ ++static int stmmac_pci_resume(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ int ret; ++ ++ pci_restore_state(pdev); ++ pci_set_power_state(pdev, PCI_D0); ++ ++ ret = pci_enable_device(pdev); ++ if (ret) ++ return ret; ++ ++ pci_set_master(pdev); ++ ++ return stmmac_resume(dev); ++} ++ ++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume); + + /* synthetic ID, no official vendor */ + #define PCI_VENDOR_ID_STMMAC 0x700 +diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c +index 73da5e63a609..2c80c722feca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c +@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = { + .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, + }; + ++const struct iwl_cfg iwl9260_killer_2ac_cfg = { ++ .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)", ++ .fw_name_pre = IWL9260A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++}; ++ + const struct iwl_cfg iwl9270_2ac_cfg = { + .name = "Intel(R) Dual Band Wireless AC 9270", + .fw_name_pre = IWL9260A_FW_PRE, +@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc = { + .soc_latency = 5000, + }; + ++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ + const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = { + .name = "Intel(R) Dual Band Wireless AC 9460", + .fw_name_pre = IWL9000A_FW_PRE, +@@ -326,6 +365,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_shared_clk = { + .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK + }; + ++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ + MODULE_FIRMWARE(IWL9000A_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL9000B_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL9000RFB_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX)); +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +index 85fe1a928adc..70f3c327eb4a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_sdio_cfg; + extern const struct iwl_cfg iwl4165_2ac_sdio_cfg; + extern const struct iwl_cfg iwl9160_2ac_cfg; + extern const struct iwl_cfg iwl9260_2ac_cfg; ++extern const struct iwl_cfg iwl9260_killer_2ac_cfg; + extern const struct iwl_cfg iwl9270_2ac_cfg; + extern const struct iwl_cfg iwl9460_2ac_cfg; + extern const struct iwl_cfg iwl9560_2ac_cfg; +@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_cfg_soc; + extern const struct iwl_cfg iwl9461_2ac_cfg_soc; + extern const struct iwl_cfg iwl9462_2ac_cfg_soc; + extern const struct iwl_cfg iwl9560_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc; + extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwla000_2ac_cfg_hr; + extern const struct iwl_cfg iwla000_2ac_cfg_hr_cdb; + extern const struct iwl_cfg iwla000_2ac_cfg_jf; +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 9a8605abb00a..4cbc6cb8bf89 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -543,6 +543,9 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -552,6 +555,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)}, +@@ -576,6 +580,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)}, +@@ -602,6 +608,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -628,6 +636,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1551, iwl9560_killer_s_2ac_cfg_shared_clk)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)}, +@@ -654,6 +664,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -680,6 +692,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -706,6 +720,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -741,6 +757,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x9DF0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -769,6 +787,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -795,6 +815,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)}, +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 4d49fb8f2bbc..3a406b40f150 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp) + write_lock_irqsave(&sdp->sfd_lock, iflags); + if (atomic_read(&sdp->detaching)) { + write_unlock_irqrestore(&sdp->sfd_lock, iflags); ++ kfree(sfp); + return ERR_PTR(-ENODEV); + } + list_add_tail(&sfp->sfd_siblings, &sdp->sfds); +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c +index f0b3a0b9d42f..36c9fbf70d44 100644 +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struct balloon_dev_info *vb_dev_info, + tell_host(vb, vb->inflate_vq); + + /* balloon's page migration 2nd step -- deflate "page" */ ++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags); + balloon_page_delete(page); ++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags); + vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE; + set_page_pfns(vb, vb->pfns, page); + tell_host(vb, vb->deflate_vq); +diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c +index 2751476e6b6e..f098b9f1c396 100644 +--- a/fs/squashfs/block.c ++++ b/fs/squashfs/block.c +@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length, + } + + if (compressed) { ++ if (!msblk->stream) ++ goto read_failure; + length = squashfs_decompress(msblk, bh, b, offset, length, + output); + if (length < 0) +diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c +index 86ad9a4b8c36..0681feab4a84 100644 +--- a/fs/squashfs/fragment.c ++++ b/fs/squashfs/fragment.c +@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment, + u64 *fragment_block) + { + struct squashfs_sb_info *msblk = sb->s_fs_info; +- int block = SQUASHFS_FRAGMENT_INDEX(fragment); +- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); +- u64 start_block = le64_to_cpu(msblk->fragment_index[block]); ++ int block, offset, size; + struct squashfs_fragment_entry fragment_entry; +- int size; ++ u64 start_block; ++ ++ if (fragment >= msblk->fragments) ++ return -EIO; ++ block = SQUASHFS_FRAGMENT_INDEX(fragment); ++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); ++ ++ start_block = le64_to_cpu(msblk->fragment_index[block]); + + size = squashfs_read_metadata(sb, &fragment_entry, &start_block, + &offset, sizeof(fragment_entry)); +diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h +index 1da565cb50c3..ef69c31947bf 100644 +--- a/fs/squashfs/squashfs_fs_sb.h ++++ b/fs/squashfs/squashfs_fs_sb.h +@@ -75,6 +75,7 @@ struct squashfs_sb_info { + unsigned short block_log; + long long bytes_used; + unsigned int inodes; ++ unsigned int fragments; + int xattr_ids; + }; + #endif +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c +index cf01e15a7b16..1516bb779b8d 100644 +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) + msblk->inode_table = le64_to_cpu(sblk->inode_table_start); + msblk->directory_table = le64_to_cpu(sblk->directory_table_start); + msblk->inodes = le32_to_cpu(sblk->inodes); ++ msblk->fragments = le32_to_cpu(sblk->fragments); + flags = le16_to_cpu(sblk->flags); + + TRACE("Found valid superblock on %pg\n", sb->s_bdev); +@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) + TRACE("Filesystem size %lld bytes\n", msblk->bytes_used); + TRACE("Block size %d\n", msblk->block_size); + TRACE("Number of inodes %d\n", msblk->inodes); +- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments)); ++ TRACE("Number of fragments %d\n", msblk->fragments); + TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids)); + TRACE("sblk->inode_table_start %llx\n", msblk->inode_table); + TRACE("sblk->directory_table_start %llx\n", msblk->directory_table); +@@ -272,7 +273,7 @@ allocate_id_index_table: + sb->s_export_op = &squashfs_export_ops; + + handle_fragments: +- fragments = le32_to_cpu(sblk->fragments); ++ fragments = msblk->fragments; + if (fragments == 0) + goto check_directory_table; + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index f6ed92524a03..3eda623e4cb4 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -628,8 +628,10 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx, + /* the various vma->vm_userfaultfd_ctx still points to it */ + down_write(&mm->mmap_sem); + for (vma = mm->mmap; vma; vma = vma->vm_next) +- if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) ++ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) { + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; ++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING); ++ } + up_write(&mm->mmap_sem); + + userfaultfd_ctx_put(release_new_ctx); +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 677053a2fb57..76d789d6cea0 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1274,8 +1274,12 @@ static void show_special(struct audit_context *context, int *call_panic) + break; + case AUDIT_KERN_MODULE: + audit_log_format(ab, "name="); +- audit_log_untrustedstring(ab, context->module.name); +- kfree(context->module.name); ++ if (context->module.name) { ++ audit_log_untrustedstring(ab, context->module.name); ++ kfree(context->module.name); ++ } else ++ audit_log_format(ab, "(null)"); ++ + break; + } + audit_log_end(ab); +@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name) + { + struct audit_context *context = current->audit_context; + +- context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); +- strcpy(context->module.name, name); ++ context->module.name = kstrdup(name, GFP_KERNEL); ++ if (!context->module.name) ++ audit_log_lost("out of memory in __audit_log_kern_module"); + context->type = AUDIT_KERN_MODULE; + } + +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index 865e29e62bad..242e74b9d454 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -1219,6 +1219,9 @@ int dsa_slave_suspend(struct net_device *slave_dev) + { + struct dsa_slave_priv *p = netdev_priv(slave_dev); + ++ if (!netif_running(slave_dev)) ++ return 0; ++ + netif_device_detach(slave_dev); + + if (p->phy) { +@@ -1236,6 +1239,9 @@ int dsa_slave_resume(struct net_device *slave_dev) + { + struct dsa_slave_priv *p = netdev_priv(slave_dev); + ++ if (!netif_running(slave_dev)) ++ return 0; ++ + netif_device_attach(slave_dev); + + if (p->phy) { +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index e691705f0a85..ba4454ecdf0f 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf, + { + struct inet_frag_queue *q; + +- if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) { +- inet_frag_schedule_worker(f); +- return NULL; +- } +- + q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC); + if (!q) + return NULL; +@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, + struct inet_frag_queue *q; + int depth = 0; + ++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) { ++ inet_frag_schedule_worker(f); ++ return NULL; ++ } ++ + if (frag_mem_limit(nf) > nf->low_thresh) + inet_frag_schedule_worker(f); + +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index df8fe0503de0..4cb1befc3949 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -447,11 +447,16 @@ found: + int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */ + + if (i < next->len) { ++ int delta = -next->truesize; ++ + /* Eat head of the next overlapped fragment + * and leave the loop. The next ones cannot overlap. + */ + if (!pskb_pull(next, i)) + goto err; ++ delta += next->truesize; ++ if (delta) ++ add_frag_mem_limit(qp->q.net, delta); + FRAG_CB(next)->offset += i; + qp->q.meat -= i; + if (next->ip_summed != CHECKSUM_UNNECESSARY) +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index b2fcbf012056..68c9d1833b95 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -63,6 +63,7 @@ + #include <linux/hash.h> + #include <linux/genetlink.h> + #include <linux/net_namespace.h> ++#include <linux/nospec.h> + + #include <net/net_namespace.h> + #include <net/sock.h> +@@ -647,6 +648,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol, + + if (protocol < 0 || protocol >= MAX_LINKS) + return -EPROTONOSUPPORT; ++ protocol = array_index_nospec(protocol, MAX_LINKS); + + netlink_lock_table(); + #ifdef CONFIG_MODULES +diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c +index 3028298ca561..62b1581d44a5 100644 +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -115,9 +115,9 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx, + while (*pp) { + parent = *pp; + xcall = rb_entry(parent, struct rxrpc_call, sock_node); +- if (user_call_ID < call->user_call_ID) ++ if (user_call_ID < xcall->user_call_ID) + pp = &(*pp)->rb_left; +- else if (user_call_ID > call->user_call_ID) ++ else if (user_call_ID > xcall->user_call_ID) + pp = &(*pp)->rb_right; + else + goto id_in_use; +diff --git a/net/socket.c b/net/socket.c +index 8b2bef6cfe42..d27922639a20 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -89,6 +89,7 @@ + #include <linux/magic.h> + #include <linux/slab.h> + #include <linux/xattr.h> ++#include <linux/nospec.h> + + #include <linux/uaccess.h> + #include <asm/unistd.h> +@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) + + if (call < 1 || call > SYS_SENDMMSG) + return -EINVAL; ++ call = array_index_nospec(call, SYS_SENDMMSG + 1); + + len = nargs[call]; + if (len > sizeof(a)) |