diff options
-rw-r--r-- | 0000_README | 4 | ||||
-rw-r--r-- | 1195_linux-4.9.196.patch | 1411 |
2 files changed, 1415 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 577429d6..f84136eb 100644 --- a/0000_README +++ b/0000_README @@ -823,6 +823,10 @@ Patch: 1194_linux-4.9.195.patch From: http://www.kernel.org Desc: Linux 4.9.195 +Patch: 1195_linux-4.9.196.patch +From: http://www.kernel.org +Desc: Linux 4.9.196 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1195_linux-4.9.196.patch b/1195_linux-4.9.196.patch new file mode 100644 index 00000000..b49c3db4 --- /dev/null +++ b/1195_linux-4.9.196.patch @@ -0,0 +1,1411 @@ +diff --git a/Makefile b/Makefile +index bee0218e3fb5..194c35eff19c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 195 ++SUBLEVEL = 196 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index 5ca207ada852..2539c8f9fb3f 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -214,7 +214,7 @@ static inline bool access_error(unsigned int fsr, struct vm_area_struct *vma) + { + unsigned int mask = VM_READ | VM_WRITE | VM_EXEC; + +- if (fsr & FSR_WRITE) ++ if ((fsr & FSR_WRITE) && !(fsr & FSR_CM)) + mask = VM_WRITE; + if (fsr & FSR_LNX_PF) + mask = VM_EXEC; +@@ -284,7 +284,7 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + + if (user_mode(regs)) + flags |= FAULT_FLAG_USER; +- if (fsr & FSR_WRITE) ++ if ((fsr & FSR_WRITE) && !(fsr & FSR_CM)) + flags |= FAULT_FLAG_WRITE; + + /* +diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h +index afc1f84e763b..9bc272642d55 100644 +--- a/arch/arm/mm/fault.h ++++ b/arch/arm/mm/fault.h +@@ -5,6 +5,7 @@ + * Fault status register encodings. We steal bit 31 for our own purposes. + */ + #define FSR_LNX_PF (1 << 31) ++#define FSR_CM (1 << 13) + #define FSR_WRITE (1 << 11) + #define FSR_FS4 (1 << 10) + #define FSR_FS3_0 (15) +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index f7c741358f37..241bf898adf5 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -1168,6 +1168,22 @@ void __init adjust_lowmem_bounds(void) + */ + vmalloc_limit = (u64)(uintptr_t)vmalloc_min - PAGE_OFFSET + PHYS_OFFSET; + ++ /* ++ * The first usable region must be PMD aligned. Mark its start ++ * as MEMBLOCK_NOMAP if it isn't ++ */ ++ for_each_memblock(memory, reg) { ++ if (!memblock_is_nomap(reg)) { ++ if (!IS_ALIGNED(reg->base, PMD_SIZE)) { ++ phys_addr_t len; ++ ++ len = round_up(reg->base, PMD_SIZE) - reg->base; ++ memblock_mark_nomap(reg->base, len); ++ } ++ break; ++ } ++ } ++ + for_each_memblock(memory, reg) { + phys_addr_t block_start = reg->base; + phys_addr_t block_end = reg->base + reg->size; +diff --git a/arch/arm64/include/asm/cmpxchg.h b/arch/arm64/include/asm/cmpxchg.h +index 0f2e1ab5e166..9b2e2e2e728a 100644 +--- a/arch/arm64/include/asm/cmpxchg.h ++++ b/arch/arm64/include/asm/cmpxchg.h +@@ -73,7 +73,7 @@ __XCHG_CASE( , , mb_8, dmb ish, nop, , a, l, "memory") + #undef __XCHG_CASE + + #define __XCHG_GEN(sfx) \ +-static inline unsigned long __xchg##sfx(unsigned long x, \ ++static __always_inline unsigned long __xchg##sfx(unsigned long x, \ + volatile void *ptr, \ + int size) \ + { \ +@@ -115,7 +115,7 @@ __XCHG_GEN(_mb) + #define xchg(...) __xchg_wrapper( _mb, __VA_ARGS__) + + #define __CMPXCHG_GEN(sfx) \ +-static inline unsigned long __cmpxchg##sfx(volatile void *ptr, \ ++static __always_inline unsigned long __cmpxchg##sfx(volatile void *ptr, \ + unsigned long old, \ + unsigned long new, \ + int size) \ +@@ -248,7 +248,7 @@ __CMPWAIT_CASE( , , 8); + #undef __CMPWAIT_CASE + + #define __CMPWAIT_GEN(sfx) \ +-static inline void __cmpwait##sfx(volatile void *ptr, \ ++static __always_inline void __cmpwait##sfx(volatile void *ptr, \ + unsigned long val, \ + int size) \ + { \ +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index 3cc5b2e4263c..47d50197789b 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -637,7 +637,7 @@ static __maybe_unused void build_convert_pte_to_entrylo(u32 **p, + return; + } + +- if (cpu_has_rixi && _PAGE_NO_EXEC) { ++ if (cpu_has_rixi && !!_PAGE_NO_EXEC) { + if (fill_includes_sw_bits) { + UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL)); + } else { +diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h +index f4c7467f7465..b73ab8a7ebc3 100644 +--- a/arch/powerpc/include/asm/futex.h ++++ b/arch/powerpc/include/asm/futex.h +@@ -60,8 +60,7 @@ static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, + + pagefault_enable(); + +- if (!ret) +- *oval = oldval; ++ *oval = oldval; + + return ret; + } +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 92474227262b..0c8b966e8070 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -467,6 +467,10 @@ EXC_COMMON_BEGIN(machine_check_handle_early) + RFI_TO_USER_OR_KERNEL + 9: + /* Deliver the machine check to host kernel in V mode. */ ++BEGIN_FTR_SECTION ++ ld r10,ORIG_GPR3(r1) ++ mtspr SPRN_CFAR,r10 ++END_FTR_SECTION_IFSET(CPU_FTR_CFAR) + MACHINE_CHECK_HANDLER_WINDUP + b machine_check_pSeries + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 6a3e5de544ce..a309a7a29cc6 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -874,15 +874,17 @@ static int rtas_cpu_state_change_mask(enum rtas_cpu_state state, + return 0; + + for_each_cpu(cpu, cpus) { ++ struct device *dev = get_cpu_device(cpu); ++ + switch (state) { + case DOWN: +- cpuret = cpu_down(cpu); ++ cpuret = device_offline(dev); + break; + case UP: +- cpuret = cpu_up(cpu); ++ cpuret = device_online(dev); + break; + } +- if (cpuret) { ++ if (cpuret < 0) { + pr_debug("%s: cpu_%s for cpu#%d returned %d.\n", + __func__, + ((state == UP) ? "up" : "down"), +@@ -971,6 +973,8 @@ int rtas_ibm_suspend_me(u64 handle) + data.token = rtas_token("ibm,suspend-me"); + data.complete = &done; + ++ lock_device_hotplug(); ++ + /* All present CPUs must be online */ + cpumask_andnot(offline_mask, cpu_present_mask, cpu_online_mask); + cpuret = rtas_online_cpus_mask(offline_mask); +@@ -1002,6 +1006,7 @@ int rtas_ibm_suspend_me(u64 handle) + __func__); + + out: ++ unlock_device_hotplug(); + free_cpumask_var(offline_mask); + return atomic_read(&data.error); + } +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index 3784a7abfcc8..74791e8382d2 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -11,6 +11,7 @@ + + #include <linux/kernel.h> + #include <linux/kobject.h> ++#include <linux/sched.h> + #include <linux/smp.h> + #include <linux/stat.h> + #include <linux/completion.h> +@@ -206,7 +207,11 @@ static int update_dt_node(__be32 phandle, s32 scope) + + prop_data += vd; + } ++ ++ cond_resched(); + } ++ ++ cond_resched(); + } while (rtas_rc == 1); + + of_node_put(dn); +@@ -282,8 +287,12 @@ int pseries_devicetree_update(s32 scope) + add_dt_node(phandle, drc_index); + break; + } ++ ++ cond_resched(); + } + } ++ ++ cond_resched(); + } while (rc == 1); + + kfree(rtas_buf); +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index adb09ab87f7c..30782859d898 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -298,6 +298,9 @@ static void pseries_lpar_idle(void) + * low power mode by ceding processor to hypervisor + */ + ++ if (!prep_irq_for_idle()) ++ return; ++ + /* Indicate to hypervisor that we are idle. */ + get_lppaca()->idle = 1; + +diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c +index 2a17123130d3..224aeda1e8cc 100644 +--- a/arch/s390/hypfs/inode.c ++++ b/arch/s390/hypfs/inode.c +@@ -267,7 +267,7 @@ static int hypfs_show_options(struct seq_file *s, struct dentry *root) + static int hypfs_fill_super(struct super_block *sb, void *data, int silent) + { + struct inode *root_inode; +- struct dentry *root_dentry; ++ struct dentry *root_dentry, *update_file; + int rc = 0; + struct hypfs_sb_info *sbi; + +@@ -298,9 +298,10 @@ static int hypfs_fill_super(struct super_block *sb, void *data, int silent) + rc = hypfs_diag_create_files(root_dentry); + if (rc) + return rc; +- sbi->update_file = hypfs_create_update_file(root_dentry); +- if (IS_ERR(sbi->update_file)) +- return PTR_ERR(sbi->update_file); ++ update_file = hypfs_create_update_file(root_dentry); ++ if (IS_ERR(update_file)) ++ return PTR_ERR(update_file); ++ sbi->update_file = update_file; + hypfs_update_update(sb); + pr_info("Hypervisor filesystem mounted\n"); + return 0; +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index 8056759073b0..e12288c245b5 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -334,7 +334,8 @@ enum { + BINDER_LOOPER_STATE_EXITED = 0x04, + BINDER_LOOPER_STATE_INVALID = 0x08, + BINDER_LOOPER_STATE_WAITING = 0x10, +- BINDER_LOOPER_STATE_NEED_RETURN = 0x20 ++ BINDER_LOOPER_STATE_NEED_RETURN = 0x20, ++ BINDER_LOOPER_STATE_POLL = 0x40, + }; + + struct binder_thread { +@@ -2628,6 +2629,27 @@ static int binder_free_thread(struct binder_proc *proc, + } else + BUG(); + } ++ ++ /* ++ * If this thread used poll, make sure we remove the waitqueue ++ * from any epoll data structures holding it with POLLFREE. ++ * waitqueue_active() is safe to use here because we're holding ++ * the global lock. ++ */ ++ if ((thread->looper & BINDER_LOOPER_STATE_POLL) && ++ waitqueue_active(&thread->wait)) { ++ wake_up_poll(&thread->wait, POLLHUP | POLLFREE); ++ } ++ ++ /* ++ * This is needed to avoid races between wake_up_poll() above and ++ * and ep_remove_waitqueue() called for other reasons (eg the epoll file ++ * descriptor being closed); ep_remove_waitqueue() holds an RCU read ++ * lock, so we can be sure it's done after calling synchronize_rcu(). ++ */ ++ if (thread->looper & BINDER_LOOPER_STATE_POLL) ++ synchronize_rcu(); ++ + if (send_reply) + binder_send_failed_reply(send_reply, BR_DEAD_REPLY); + binder_release_work(&thread->todo); +@@ -2651,6 +2673,8 @@ static unsigned int binder_poll(struct file *filp, + return POLLERR; + } + ++ thread->looper |= BINDER_LOOPER_STATE_POLL; ++ + wait_for_proc_work = thread->transaction_stack == NULL && + list_empty(&thread->todo) && thread->return_error == BR_OK; + +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index e0a53156b782..82af65818444 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -283,6 +283,9 @@ struct smi_info { + */ + bool irq_enable_broken; + ++ /* Is the driver in maintenance mode? */ ++ bool in_maintenance_mode; ++ + /* + * Did we get an attention that we did not handle? + */ +@@ -1093,11 +1096,20 @@ static int ipmi_thread(void *data) + spin_unlock_irqrestore(&(smi_info->si_lock), flags); + busy_wait = ipmi_thread_busy_wait(smi_result, smi_info, + &busy_until); +- if (smi_result == SI_SM_CALL_WITHOUT_DELAY) ++ if (smi_result == SI_SM_CALL_WITHOUT_DELAY) { + ; /* do nothing */ +- else if (smi_result == SI_SM_CALL_WITH_DELAY && busy_wait) +- schedule(); +- else if (smi_result == SI_SM_IDLE) { ++ } else if (smi_result == SI_SM_CALL_WITH_DELAY && busy_wait) { ++ /* ++ * In maintenance mode we run as fast as ++ * possible to allow firmware updates to ++ * complete as fast as possible, but normally ++ * don't bang on the scheduler. ++ */ ++ if (smi_info->in_maintenance_mode) ++ schedule(); ++ else ++ usleep_range(100, 200); ++ } else if (smi_result == SI_SM_IDLE) { + if (atomic_read(&smi_info->need_watch)) { + schedule_timeout_interruptible(100); + } else { +@@ -1105,8 +1117,9 @@ static int ipmi_thread(void *data) + __set_current_state(TASK_INTERRUPTIBLE); + schedule(); + } +- } else ++ } else { + schedule_timeout_interruptible(1); ++ } + } + return 0; + } +@@ -1285,6 +1298,7 @@ static void set_maintenance_mode(void *send_info, bool enable) + + if (!enable) + atomic_set(&smi_info->req_events, 0); ++ smi_info->in_maintenance_mode = enable; + } + + static const struct ipmi_smi_handlers handlers = { +diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c +index c813c27f2e58..2f97a843d6d6 100644 +--- a/drivers/clk/at91/clk-main.c ++++ b/drivers/clk/at91/clk-main.c +@@ -27,6 +27,10 @@ + + #define MOR_KEY_MASK (0xff << 16) + ++#define clk_main_parent_select(s) (((s) & \ ++ (AT91_PMC_MOSCEN | \ ++ AT91_PMC_OSCBYPASS)) ? 1 : 0) ++ + struct clk_main_osc { + struct clk_hw hw; + struct regmap *regmap; +@@ -119,7 +123,7 @@ static int clk_main_osc_is_prepared(struct clk_hw *hw) + + regmap_read(regmap, AT91_PMC_SR, &status); + +- return (status & AT91_PMC_MOSCS) && (tmp & AT91_PMC_MOSCEN); ++ return (status & AT91_PMC_MOSCS) && clk_main_parent_select(tmp); + } + + static const struct clk_ops main_osc_ops = { +@@ -530,7 +534,7 @@ static u8 clk_sam9x5_main_get_parent(struct clk_hw *hw) + + regmap_read(clkmain->regmap, AT91_CKGR_MOR, &status); + +- return status & AT91_PMC_MOSCEN ? 1 : 0; ++ return clk_main_parent_select(status); + } + + static const struct clk_ops sam9x5_main_ops = { +@@ -572,7 +576,7 @@ at91_clk_register_sam9x5_main(struct regmap *regmap, + clkmain->hw.init = &init; + clkmain->regmap = regmap; + regmap_read(clkmain->regmap, AT91_CKGR_MOR, &status); +- clkmain->parent = status & AT91_PMC_MOSCEN ? 1 : 0; ++ clkmain->parent = clk_main_parent_select(status); + + hw = &clkmain->hw; + ret = clk_hw_register(NULL, &clkmain->hw); +diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c +index 80ae2a51452d..cdce49f6476a 100644 +--- a/drivers/clk/clk-qoriq.c ++++ b/drivers/clk/clk-qoriq.c +@@ -540,7 +540,7 @@ static const struct clockgen_chipinfo chipinfo[] = { + .guts_compat = "fsl,qoriq-device-config-1.0", + .init_periph = p5020_init_periph, + .cmux_groups = { +- &p2041_cmux_grp1, &p2041_cmux_grp2 ++ &p5020_cmux_grp1, &p5020_cmux_grp2 + }, + .cmux_to_group = { + 0, 1, -1 +diff --git a/drivers/clk/sirf/clk-common.c b/drivers/clk/sirf/clk-common.c +index 77e1e2491689..edb7197cc4b4 100644 +--- a/drivers/clk/sirf/clk-common.c ++++ b/drivers/clk/sirf/clk-common.c +@@ -298,9 +298,10 @@ static u8 dmn_clk_get_parent(struct clk_hw *hw) + { + struct clk_dmn *clk = to_dmnclk(hw); + u32 cfg = clkc_readl(clk->regofs); ++ const char *name = clk_hw_get_name(hw); + + /* parent of io domain can only be pll3 */ +- if (strcmp(hw->init->name, "io") == 0) ++ if (strcmp(name, "io") == 0) + return 4; + + WARN_ON((cfg & (BIT(3) - 1)) > 4); +@@ -312,9 +313,10 @@ static int dmn_clk_set_parent(struct clk_hw *hw, u8 parent) + { + struct clk_dmn *clk = to_dmnclk(hw); + u32 cfg = clkc_readl(clk->regofs); ++ const char *name = clk_hw_get_name(hw); + + /* parent of io domain can only be pll3 */ +- if (strcmp(hw->init->name, "io") == 0) ++ if (strcmp(name, "io") == 0) + return -EINVAL; + + cfg &= ~(BIT(3) - 1); +@@ -354,7 +356,8 @@ static long dmn_clk_round_rate(struct clk_hw *hw, unsigned long rate, + { + unsigned long fin; + unsigned ratio, wait, hold; +- unsigned bits = (strcmp(hw->init->name, "mem") == 0) ? 3 : 4; ++ const char *name = clk_hw_get_name(hw); ++ unsigned bits = (strcmp(name, "mem") == 0) ? 3 : 4; + + fin = *parent_rate; + ratio = fin / rate; +@@ -376,7 +379,8 @@ static int dmn_clk_set_rate(struct clk_hw *hw, unsigned long rate, + struct clk_dmn *clk = to_dmnclk(hw); + unsigned long fin; + unsigned ratio, wait, hold, reg; +- unsigned bits = (strcmp(hw->init->name, "mem") == 0) ? 3 : 4; ++ const char *name = clk_hw_get_name(hw); ++ unsigned bits = (strcmp(name, "mem") == 0) ? 3 : 4; + + fin = parent_rate; + ratio = fin / rate; +diff --git a/drivers/gpu/drm/amd/amdgpu/si.c b/drivers/gpu/drm/amd/amdgpu/si.c +index 327bdf13e8bc..b0beb5e537bc 100644 +--- a/drivers/gpu/drm/amd/amdgpu/si.c ++++ b/drivers/gpu/drm/amd/amdgpu/si.c +@@ -1606,7 +1606,7 @@ static void si_program_aspm(struct amdgpu_device *adev) + if (orig != data) + si_pif_phy1_wreg(adev,PB1_PIF_PWRDOWN_1, data); + +- if ((adev->family != CHIP_OLAND) && (adev->family != CHIP_HAINAN)) { ++ if ((adev->asic_type != CHIP_OLAND) && (adev->asic_type != CHIP_HAINAN)) { + orig = data = si_pif_phy0_rreg(adev,PB0_PIF_PWRDOWN_0); + data &= ~PLL_RAMP_UP_TIME_0_MASK; + if (orig != data) +@@ -1655,14 +1655,14 @@ static void si_program_aspm(struct amdgpu_device *adev) + + orig = data = si_pif_phy0_rreg(adev,PB0_PIF_CNTL); + data &= ~LS2_EXIT_TIME_MASK; +- if ((adev->family == CHIP_OLAND) || (adev->family == CHIP_HAINAN)) ++ if ((adev->asic_type == CHIP_OLAND) || (adev->asic_type == CHIP_HAINAN)) + data |= LS2_EXIT_TIME(5); + if (orig != data) + si_pif_phy0_wreg(adev,PB0_PIF_CNTL, data); + + orig = data = si_pif_phy1_rreg(adev,PB1_PIF_CNTL); + data &= ~LS2_EXIT_TIME_MASK; +- if ((adev->family == CHIP_OLAND) || (adev->family == CHIP_HAINAN)) ++ if ((adev->asic_type == CHIP_OLAND) || (adev->asic_type == CHIP_HAINAN)) + data |= LS2_EXIT_TIME(5); + if (orig != data) + si_pif_phy1_wreg(adev,PB1_PIF_CNTL, data); +diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c +index 80993a8734e0..8b6f8fac92e8 100644 +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -300,7 +300,7 @@ static ssize_t tc_aux_transfer(struct drm_dp_aux *aux, + struct drm_dp_aux_msg *msg) + { + struct tc_data *tc = aux_to_tc(aux); +- size_t size = min_t(size_t, 8, msg->size); ++ size_t size = min_t(size_t, DP_AUX_MAX_PAYLOAD_BYTES - 1, msg->size); + u8 request = msg->request & ~DP_AUX_I2C_MOT; + u8 *buf = msg->buffer; + u32 tmp = 0; +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index c5e1aa5f1d8e..efa875120071 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -764,7 +764,7 @@ static int radeon_connector_set_property(struct drm_connector *connector, struct + + radeon_encoder->output_csc = val; + +- if (connector->encoder->crtc) { ++ if (connector->encoder && connector->encoder->crtc) { + struct drm_crtc *crtc = connector->encoder->crtc; + const struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private; + struct radeon_crtc *radeon_crtc = to_radeon_crtc(crtc); +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 30bd4a6a9d46..3ccf5b28b326 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -366,11 +366,19 @@ radeon_pci_remove(struct pci_dev *pdev) + static void + radeon_pci_shutdown(struct pci_dev *pdev) + { ++ struct drm_device *ddev = pci_get_drvdata(pdev); ++ + /* if we are running in a VM, make sure the device + * torn down properly on reboot/shutdown + */ + if (radeon_device_is_virtual()) + radeon_pci_remove(pdev); ++ ++ /* Some adapters need to be suspended before a ++ * shutdown occurs in order to prevent an error ++ * during kexec. ++ */ ++ radeon_suspend_kms(ddev, true, true, false); + } + + static int radeon_pmops_suspend(struct device *dev) +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c +index 65a0c79f212e..31c087e1746d 100644 +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -55,7 +55,6 @@ MODULE_PARM_DESC(swap_opt_cmd, "Swap the Option (\"Alt\") and Command (\"Flag\") + struct apple_sc { + unsigned long quirks; + unsigned int fn_on; +- DECLARE_BITMAP(pressed_fn, KEY_CNT); + DECLARE_BITMAP(pressed_numlock, KEY_CNT); + }; + +@@ -182,6 +181,8 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input, + { + struct apple_sc *asc = hid_get_drvdata(hid); + const struct apple_key_translation *trans, *table; ++ bool do_translate; ++ u16 code = 0; + + if (usage->code == KEY_FN) { + asc->fn_on = !!value; +@@ -190,8 +191,6 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input, + } + + if (fnmode) { +- int do_translate; +- + if (hid->product >= USB_DEVICE_ID_APPLE_WELLSPRING4_ANSI && + hid->product <= USB_DEVICE_ID_APPLE_WELLSPRING4A_JIS) + table = macbookair_fn_keys; +@@ -203,25 +202,33 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input, + trans = apple_find_translation (table, usage->code); + + if (trans) { +- if (test_bit(usage->code, asc->pressed_fn)) +- do_translate = 1; +- else if (trans->flags & APPLE_FLAG_FKEY) +- do_translate = (fnmode == 2 && asc->fn_on) || +- (fnmode == 1 && !asc->fn_on); +- else +- do_translate = asc->fn_on; +- +- if (do_translate) { +- if (value) +- set_bit(usage->code, asc->pressed_fn); +- else +- clear_bit(usage->code, asc->pressed_fn); +- +- input_event(input, usage->type, trans->to, +- value); +- +- return 1; ++ if (test_bit(trans->from, input->key)) ++ code = trans->from; ++ else if (test_bit(trans->to, input->key)) ++ code = trans->to; ++ ++ if (!code) { ++ if (trans->flags & APPLE_FLAG_FKEY) { ++ switch (fnmode) { ++ case 1: ++ do_translate = !asc->fn_on; ++ break; ++ case 2: ++ do_translate = asc->fn_on; ++ break; ++ default: ++ /* should never happen */ ++ do_translate = false; ++ } ++ } else { ++ do_translate = asc->fn_on; ++ } ++ ++ code = do_translate ? trans->to : trans->from; + } ++ ++ input_event(input, usage->type, code, value); ++ return 1; + } + + if (asc->quirks & APPLE_NUMLOCK_EMULATION && +diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c +index 9ff243970e93..5b41111e62fd 100644 +--- a/drivers/mfd/intel-lpss-pci.c ++++ b/drivers/mfd/intel-lpss-pci.c +@@ -39,6 +39,8 @@ static int intel_lpss_pci_probe(struct pci_dev *pdev, + info->mem = &pdev->resource[0]; + info->irq = pdev->irq; + ++ pdev->d3cold_delay = 0; ++ + /* Probably it is enough to set this for iDMA capable devices only */ + pci_set_master(pdev); + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +index 23d6c44dc459..9ce1ad3d950c 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -137,13 +137,12 @@ static int uldrx_handler(struct sge_rspq *q, const __be64 *rsp, + static int alloc_uld_rxqs(struct adapter *adap, + struct sge_uld_rxq_info *rxq_info, bool lro) + { +- struct sge *s = &adap->sge; + unsigned int nq = rxq_info->nrxq + rxq_info->nciq; ++ int i, err, msi_idx, que_idx = 0, bmap_idx = 0; + struct sge_ofld_rxq *q = rxq_info->uldrxq; + unsigned short *ids = rxq_info->rspq_id; +- unsigned int bmap_idx = 0; ++ struct sge *s = &adap->sge; + unsigned int per_chan; +- int i, err, msi_idx, que_idx = 0; + + per_chan = rxq_info->nrxq / adap->params.nports; + +@@ -161,6 +160,10 @@ static int alloc_uld_rxqs(struct adapter *adap, + + if (msi_idx >= 0) { + bmap_idx = get_msix_idx_from_bmap(adap); ++ if (bmap_idx < 0) { ++ err = -ENOSPC; ++ goto freeout; ++ } + msi_idx = adap->msix_info_ulds[bmap_idx].idx; + } + err = t4_sge_alloc_rxq(adap, &q->rspq, false, +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index 355c5fb802cd..c653b97d84d5 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2783,6 +2783,7 @@ static int ql_alloc_large_buffers(struct ql3_adapter *qdev) + netdev_err(qdev->ndev, + "PCI mapping failed with error: %d\n", + err); ++ dev_kfree_skb_irq(skb); + ql_free_large_buffers(qdev); + return -ENOMEM; + } +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 66ae647b712e..27fc699d8be5 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2635,14 +2635,18 @@ static struct hso_device *hso_create_bulk_serial_device( + */ + if (serial->tiocmget) { + tiocmget = serial->tiocmget; ++ tiocmget->endp = hso_get_ep(interface, ++ USB_ENDPOINT_XFER_INT, ++ USB_DIR_IN); ++ if (!tiocmget->endp) { ++ dev_err(&interface->dev, "Failed to find INT IN ep\n"); ++ goto exit; ++ } ++ + tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL); + if (tiocmget->urb) { + mutex_init(&tiocmget->mutex); + init_waitqueue_head(&tiocmget->waitq); +- tiocmget->endp = hso_get_ep( +- interface, +- USB_ENDPOINT_XFER_INT, +- USB_DIR_IN); + } else + hso_free_tiomget(serial); + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 05953e14a064..0d48714c3f28 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -940,6 +940,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1e2d, 0x0082, 4)}, /* Cinterion PHxx,PXxx (2 RmNet) */ + {QMI_FIXED_INTF(0x1e2d, 0x0082, 5)}, /* Cinterion PHxx,PXxx (2 RmNet) */ + {QMI_FIXED_INTF(0x1e2d, 0x0083, 4)}, /* Cinterion PHxx,PXxx (1 RmNet + USB Audio)*/ ++ {QMI_QUIRK_SET_DTR(0x1e2d, 0x00b0, 4)}, /* Cinterion CLS8 */ + {QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a3, 8)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index c31c564b8eab..6d391a268469 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -888,9 +888,9 @@ static int xennet_set_skb_gso(struct sk_buff *skb, + return 0; + } + +-static RING_IDX xennet_fill_frags(struct netfront_queue *queue, +- struct sk_buff *skb, +- struct sk_buff_head *list) ++static int xennet_fill_frags(struct netfront_queue *queue, ++ struct sk_buff *skb, ++ struct sk_buff_head *list) + { + RING_IDX cons = queue->rx.rsp_cons; + struct sk_buff *nskb; +@@ -909,7 +909,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { + queue->rx.rsp_cons = ++cons + skb_queue_len(list); + kfree_skb(nskb); +- return ~0U; ++ return -ENOENT; + } + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, +@@ -920,7 +920,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + kfree_skb(nskb); + } + +- return cons; ++ queue->rx.rsp_cons = cons; ++ ++ return 0; + } + + static int checksum_setup(struct net_device *dev, struct sk_buff *skb) +@@ -1046,8 +1048,7 @@ err: + skb->data_len = rx->status; + skb->len += rx->status; + +- i = xennet_fill_frags(queue, skb, &tmpq); +- if (unlikely(i == ~0U)) ++ if (unlikely(xennet_fill_frags(queue, skb, &tmpq))) + goto err; + + if (rx->flags & XEN_NETRXF_csum_blank) +@@ -1057,7 +1058,7 @@ err: + + __skb_queue_tail(&rxq, skb); + +- queue->rx.rsp_cons = ++i; ++ i = ++queue->rx.rsp_cons; + work_done++; + } + +diff --git a/drivers/pci/host/pci-tegra.c b/drivers/pci/host/pci-tegra.c +index 8dfccf733241..8e101b19c4d6 100644 +--- a/drivers/pci/host/pci-tegra.c ++++ b/drivers/pci/host/pci-tegra.c +@@ -1898,14 +1898,15 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + err = of_pci_get_devfn(port); + if (err < 0) { + dev_err(dev, "failed to parse address: %d\n", err); +- return err; ++ goto err_node_put; + } + + index = PCI_SLOT(err); + + if (index < 1 || index > soc->num_ports) { + dev_err(dev, "invalid port number: %d\n", index); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_node_put; + } + + index--; +@@ -1914,12 +1915,13 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + if (err < 0) { + dev_err(dev, "failed to parse # of lanes: %d\n", + err); +- return err; ++ goto err_node_put; + } + + if (value > 16) { + dev_err(dev, "invalid # of lanes: %u\n", value); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_node_put; + } + + lanes |= value << (index << 3); +@@ -1933,13 +1935,15 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + lane += value; + + rp = devm_kzalloc(dev, sizeof(*rp), GFP_KERNEL); +- if (!rp) +- return -ENOMEM; ++ if (!rp) { ++ err = -ENOMEM; ++ goto err_node_put; ++ } + + err = of_address_to_resource(port, 0, &rp->regs); + if (err < 0) { + dev_err(dev, "failed to parse address: %d\n", err); +- return err; ++ goto err_node_put; + } + + INIT_LIST_HEAD(&rp->list); +@@ -1966,6 +1970,10 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + return err; + + return 0; ++ ++err_node_put: ++ of_node_put(port); ++ return err; + } + + /* +diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c +index 277622b4b6fb..1d9f63e954c7 100644 +--- a/drivers/pinctrl/tegra/pinctrl-tegra.c ++++ b/drivers/pinctrl/tegra/pinctrl-tegra.c +@@ -52,7 +52,9 @@ static inline u32 pmx_readl(struct tegra_pmx *pmx, u32 bank, u32 reg) + + static inline void pmx_writel(struct tegra_pmx *pmx, u32 val, u32 bank, u32 reg) + { +- writel(val, pmx->regs[bank] + reg); ++ writel_relaxed(val, pmx->regs[bank] + reg); ++ /* make sure pinmux register write completed */ ++ pmx_readl(pmx, bank, reg); + } + + static int tegra_pinctrl_get_groups_count(struct pinctrl_dev *pctldev) +diff --git a/drivers/scsi/scsi_logging.c b/drivers/scsi/scsi_logging.c +index bd70339c1242..03d9855a6afd 100644 +--- a/drivers/scsi/scsi_logging.c ++++ b/drivers/scsi/scsi_logging.c +@@ -16,57 +16,15 @@ + #include <scsi/scsi_eh.h> + #include <scsi/scsi_dbg.h> + +-#define SCSI_LOG_SPOOLSIZE 4096 +- +-#if (SCSI_LOG_SPOOLSIZE / SCSI_LOG_BUFSIZE) > BITS_PER_LONG +-#warning SCSI logging bitmask too large +-#endif +- +-struct scsi_log_buf { +- char buffer[SCSI_LOG_SPOOLSIZE]; +- unsigned long map; +-}; +- +-static DEFINE_PER_CPU(struct scsi_log_buf, scsi_format_log); +- + static char *scsi_log_reserve_buffer(size_t *len) + { +- struct scsi_log_buf *buf; +- unsigned long map_bits = sizeof(buf->buffer) / SCSI_LOG_BUFSIZE; +- unsigned long idx = 0; +- +- preempt_disable(); +- buf = this_cpu_ptr(&scsi_format_log); +- idx = find_first_zero_bit(&buf->map, map_bits); +- if (likely(idx < map_bits)) { +- while (test_and_set_bit(idx, &buf->map)) { +- idx = find_next_zero_bit(&buf->map, map_bits, idx); +- if (idx >= map_bits) +- break; +- } +- } +- if (WARN_ON(idx >= map_bits)) { +- preempt_enable(); +- return NULL; +- } +- *len = SCSI_LOG_BUFSIZE; +- return buf->buffer + idx * SCSI_LOG_BUFSIZE; ++ *len = 128; ++ return kmalloc(*len, GFP_ATOMIC); + } + + static void scsi_log_release_buffer(char *bufptr) + { +- struct scsi_log_buf *buf; +- unsigned long idx; +- int ret; +- +- buf = this_cpu_ptr(&scsi_format_log); +- if (bufptr >= buf->buffer && +- bufptr < buf->buffer + SCSI_LOG_SPOOLSIZE) { +- idx = (bufptr - buf->buffer) / SCSI_LOG_BUFSIZE; +- ret = test_and_clear_bit(idx, &buf->map); +- WARN_ON(!ret); +- } +- preempt_enable(); ++ kfree(bufptr); + } + + static inline const char *scmd_name(const struct scsi_cmnd *scmd) +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index f9a75df2d22d..a1a712d18e02 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -356,11 +356,20 @@ static void vfio_pci_disable(struct vfio_pci_device *vdev) + pci_write_config_word(pdev, PCI_COMMAND, PCI_COMMAND_INTX_DISABLE); + + /* +- * Try to reset the device. The success of this is dependent on +- * being able to lock the device, which is not always possible. ++ * Try to get the locks ourselves to prevent a deadlock. The ++ * success of this is dependent on being able to lock the device, ++ * which is not always possible. ++ * We can not use the "try" reset interface here, which will ++ * overwrite the previously restored configuration information. + */ +- if (vdev->reset_works && !pci_try_reset_function(pdev)) +- vdev->needs_reset = false; ++ if (vdev->reset_works && pci_cfg_access_trylock(pdev)) { ++ if (device_trylock(&pdev->dev)) { ++ if (!__pci_reset_function_locked(pdev)) ++ vdev->needs_reset = false; ++ device_unlock(&pdev->dev); ++ } ++ pci_cfg_access_unlock(pdev); ++ } + + pci_restore_state(pdev); + out: +diff --git a/drivers/video/fbdev/ssd1307fb.c b/drivers/video/fbdev/ssd1307fb.c +index 2925d5ce8d3e..1267b93c03bd 100644 +--- a/drivers/video/fbdev/ssd1307fb.c ++++ b/drivers/video/fbdev/ssd1307fb.c +@@ -430,7 +430,7 @@ static int ssd1307fb_init(struct ssd1307fb_par *par) + if (ret < 0) + return ret; + +- ret = ssd1307fb_write_cmd(par->client, 0x0); ++ ret = ssd1307fb_write_cmd(par->client, par->page_offset); + if (ret < 0) + return ret; + +diff --git a/fs/fat/dir.c b/fs/fat/dir.c +index 81cecbe6d7cf..971e369517a7 100644 +--- a/fs/fat/dir.c ++++ b/fs/fat/dir.c +@@ -1097,8 +1097,11 @@ static int fat_zeroed_cluster(struct inode *dir, sector_t blknr, int nr_used, + err = -ENOMEM; + goto error; + } ++ /* Avoid race with userspace read via bdev */ ++ lock_buffer(bhs[n]); + memset(bhs[n]->b_data, 0, sb->s_blocksize); + set_buffer_uptodate(bhs[n]); ++ unlock_buffer(bhs[n]); + mark_buffer_dirty_inode(bhs[n], dir); + + n++; +@@ -1155,6 +1158,8 @@ int fat_alloc_new_dir(struct inode *dir, struct timespec *ts) + fat_time_unix2fat(sbi, ts, &time, &date, &time_cs); + + de = (struct msdos_dir_entry *)bhs[0]->b_data; ++ /* Avoid race with userspace read via bdev */ ++ lock_buffer(bhs[0]); + /* filling the new directory slots ("." and ".." entries) */ + memcpy(de[0].name, MSDOS_DOT, MSDOS_NAME); + memcpy(de[1].name, MSDOS_DOTDOT, MSDOS_NAME); +@@ -1177,6 +1182,7 @@ int fat_alloc_new_dir(struct inode *dir, struct timespec *ts) + de[0].size = de[1].size = 0; + memset(de + 2, 0, sb->s_blocksize - 2 * sizeof(*de)); + set_buffer_uptodate(bhs[0]); ++ unlock_buffer(bhs[0]); + mark_buffer_dirty_inode(bhs[0], dir); + + err = fat_zeroed_cluster(dir, blknr, 1, bhs, MAX_BUF_PER_PAGE); +@@ -1234,11 +1240,14 @@ static int fat_add_new_entries(struct inode *dir, void *slots, int nr_slots, + + /* fill the directory entry */ + copy = min(size, sb->s_blocksize); ++ /* Avoid race with userspace read via bdev */ ++ lock_buffer(bhs[n]); + memcpy(bhs[n]->b_data, slots, copy); +- slots += copy; +- size -= copy; + set_buffer_uptodate(bhs[n]); ++ unlock_buffer(bhs[n]); + mark_buffer_dirty_inode(bhs[n], dir); ++ slots += copy; ++ size -= copy; + if (!size) + break; + n++; +diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c +index a9cad9b60790..0129d4d07a54 100644 +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -389,8 +389,11 @@ static int fat_mirror_bhs(struct super_block *sb, struct buffer_head **bhs, + err = -ENOMEM; + goto error; + } ++ /* Avoid race with userspace read via bdev */ ++ lock_buffer(c_bh); + memcpy(c_bh->b_data, bhs[n]->b_data, sb->s_blocksize); + set_buffer_uptodate(c_bh); ++ unlock_buffer(c_bh); + mark_buffer_dirty_inode(c_bh, sbi->fat_inode); + if (sb->s_flags & MS_SYNCHRONOUS) + err = sync_dirty_buffer(c_bh); +diff --git a/fs/ocfs2/dlm/dlmunlock.c b/fs/ocfs2/dlm/dlmunlock.c +index 1082b2c3014b..5f2a120240e5 100644 +--- a/fs/ocfs2/dlm/dlmunlock.c ++++ b/fs/ocfs2/dlm/dlmunlock.c +@@ -105,7 +105,8 @@ static enum dlm_status dlmunlock_common(struct dlm_ctxt *dlm, + enum dlm_status status; + int actions = 0; + int in_use; +- u8 owner; ++ u8 owner; ++ int recovery_wait = 0; + + mlog(0, "master_node = %d, valblk = %d\n", master_node, + flags & LKM_VALBLK); +@@ -208,9 +209,12 @@ static enum dlm_status dlmunlock_common(struct dlm_ctxt *dlm, + } + if (flags & LKM_CANCEL) + lock->cancel_pending = 0; +- else +- lock->unlock_pending = 0; +- ++ else { ++ if (!lock->unlock_pending) ++ recovery_wait = 1; ++ else ++ lock->unlock_pending = 0; ++ } + } + + /* get an extra ref on lock. if we are just switching +@@ -244,6 +248,17 @@ leave: + spin_unlock(&res->spinlock); + wake_up(&res->wq); + ++ if (recovery_wait) { ++ spin_lock(&res->spinlock); ++ /* Unlock request will directly succeed after owner dies, ++ * and the lock is already removed from grant list. We have to ++ * wait for RECOVERING done or we miss the chance to purge it ++ * since the removement is much faster than RECOVERING proc. ++ */ ++ __dlm_wait_on_lockres_flags(res, DLM_LOCK_RES_RECOVERING); ++ spin_unlock(&res->spinlock); ++ } ++ + /* let the caller's final dlm_lock_put handle the actual kfree */ + if (actions & DLM_UNLOCK_FREE_LOCK) { + /* this should always be coupled with list removal */ +diff --git a/include/scsi/scsi_dbg.h b/include/scsi/scsi_dbg.h +index 56710e03101c..1fcf14aee28a 100644 +--- a/include/scsi/scsi_dbg.h ++++ b/include/scsi/scsi_dbg.h +@@ -5,8 +5,6 @@ struct scsi_cmnd; + struct scsi_device; + struct scsi_sense_hdr; + +-#define SCSI_LOG_BUFSIZE 128 +- + extern void scsi_print_command(struct scsi_cmnd *); + extern size_t __scsi_format_command(char *, size_t, + const unsigned char *, size_t); +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 4f561860bf41..bc5ff3a53d4a 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -535,7 +535,7 @@ config DEBUG_KMEMLEAK_EARLY_LOG_SIZE + int "Maximum kmemleak early log entries" + depends on DEBUG_KMEMLEAK + range 200 40000 +- default 400 ++ default 16000 + help + Kmemleak must track all the memory allocations to avoid + reporting false positives. Since memory may be allocated or +diff --git a/net/core/sock.c b/net/core/sock.c +index 3041aa6df602..d22493351407 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1426,8 +1426,6 @@ static void __sk_destruct(struct rcu_head *head) + sk_filter_uncharge(sk, filter); + RCU_INIT_POINTER(sk->sk_filter, NULL); + } +- if (rcu_access_pointer(sk->sk_reuseport_cb)) +- reuseport_detach_sock(sk); + + sock_disable_timestamp(sk, SK_FLAGS_TIMESTAMP); + +@@ -1450,7 +1448,14 @@ static void __sk_destruct(struct rcu_head *head) + + void sk_destruct(struct sock *sk) + { +- if (sock_flag(sk, SOCK_RCU_FREE)) ++ bool use_call_rcu = sock_flag(sk, SOCK_RCU_FREE); ++ ++ if (rcu_access_pointer(sk->sk_reuseport_cb)) { ++ reuseport_detach_sock(sk); ++ use_call_rcu = true; ++ } ++ ++ if (use_call_rcu) + call_rcu(&sk->sk_rcu, __sk_destruct); + else + __sk_destruct(&sk->sk_rcu); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index d558dc076577..d1a302d321fa 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -903,16 +903,15 @@ void ip_rt_send_redirect(struct sk_buff *skb) + if (peer->rate_tokens == 0 || + time_after(jiffies, + (peer->rate_last + +- (ip_rt_redirect_load << peer->rate_tokens)))) { ++ (ip_rt_redirect_load << peer->n_redirects)))) { + __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr); + + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); + peer->rate_last = jiffies; +- ++peer->rate_tokens; + ++peer->n_redirects; + #ifdef CONFIG_IP_ROUTE_VERBOSE + if (log_martians && +- peer->rate_tokens == ip_rt_redirect_number) ++ peer->n_redirects == ip_rt_redirect_number) + net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n", + &ip_hdr(skb)->saddr, inet_iif(skb), + &ip_hdr(skb)->daddr, &gw); +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 4ce7f9195151..6b1310d5e808 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5443,13 +5443,20 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) + switch (event) { + case RTM_NEWADDR: + /* +- * If the address was optimistic +- * we inserted the route at the start of +- * our DAD process, so we don't need +- * to do it again ++ * If the address was optimistic we inserted the route at the ++ * start of our DAD process, so we don't need to do it again. ++ * If the device was taken down in the middle of the DAD ++ * cycle there is a race where we could get here without a ++ * host route, so nothing to insert. That will be fixed when ++ * the device is brought up. + */ +- if (!rcu_access_pointer(ifp->rt->rt6i_node)) ++ if (ifp->rt && !rcu_access_pointer(ifp->rt->rt6i_node)) { + ip6_ins_rt(ifp->rt); ++ } else if (!ifp->rt && (ifp->idev->dev->flags & IFF_UP)) { ++ pr_warn("BUG: Address %pI6c on device %s is missing its host route.\n", ++ &ifp->addr, ifp->idev->dev->name); ++ } ++ + if (ifp->idev->cnf.forwarding) + addrconf_join_anycast(ifp); + if (!ipv6_addr_any(&ifp->peer_addr)) +diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c +index aacfb4bce153..e726a61ae6dc 100644 +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -168,6 +168,16 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt + if (ipv6_addr_is_multicast(&hdr->saddr)) + goto err; + ++ /* While RFC4291 is not explicit about v4mapped addresses ++ * in IPv6 headers, it seems clear linux dual-stack ++ * model can not deal properly with these. ++ * Security models could be fooled by ::ffff:127.0.0.1 for example. ++ * ++ * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 ++ */ ++ if (ipv6_addr_v4mapped(&hdr->saddr)) ++ goto err; ++ + skb->transport_header = skb->network_header + sizeof(*hdr); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 22d5a80a8f34..dd59fde1dac8 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -118,9 +118,14 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + llcp_sock->service_name = kmemdup(llcp_addr.service_name, + llcp_sock->service_name_len, + GFP_KERNEL); +- ++ if (!llcp_sock->service_name) { ++ ret = -ENOMEM; ++ goto put_dev; ++ } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { ++ kfree(llcp_sock->service_name); ++ llcp_sock->service_name = NULL; + ret = -EADDRINUSE; + goto put_dev; + } +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index dbf74afe82fb..ad878302924f 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -973,7 +973,8 @@ static int nfc_genl_dep_link_down(struct sk_buff *skb, struct genl_info *info) + int rc; + u32 idx; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +@@ -1022,7 +1023,8 @@ static int nfc_genl_llc_get_params(struct sk_buff *skb, struct genl_info *info) + struct sk_buff *msg = NULL; + u32 idx; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_FIRMWARE_NAME]) + return -EINVAL; + + idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +diff --git a/net/rds/ib.c b/net/rds/ib.c +index 0efb3d2b338d..a118686cc1ec 100644 +--- a/net/rds/ib.c ++++ b/net/rds/ib.c +@@ -138,6 +138,9 @@ static void rds_ib_add_one(struct ib_device *device) + atomic_set(&rds_ibdev->refcount, 1); + INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free); + ++ INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); ++ INIT_LIST_HEAD(&rds_ibdev->conn_list); ++ + rds_ibdev->max_wrs = device->attrs.max_qp_wr; + rds_ibdev->max_sge = min(device->attrs.max_sge, RDS_IB_MAX_SGE); + +@@ -189,9 +192,6 @@ static void rds_ib_add_one(struct ib_device *device) + device->name, + rds_ibdev->use_fastreg ? "FRMR" : "FMR"); + +- INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); +- INIT_LIST_HEAD(&rds_ibdev->conn_list); +- + down_write(&rds_ib_devices_lock); + list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices); + up_write(&rds_ib_devices_lock); +diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c +index beb554aa8cfb..7a434a5c43fe 100644 +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1129,6 +1129,26 @@ static const struct nla_policy cbq_policy[TCA_CBQ_MAX + 1] = { + [TCA_CBQ_POLICE] = { .len = sizeof(struct tc_cbq_police) }, + }; + ++static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], struct nlattr *opt) ++{ ++ int err; ++ ++ if (!opt) ++ return -EINVAL; ++ ++ err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ if (err < 0) ++ return err; ++ ++ if (tb[TCA_CBQ_WRROPT]) { ++ const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]); ++ ++ if (wrr->priority > TC_CBQ_MAXPRIO) ++ err = -EINVAL; ++ } ++ return err; ++} ++ + static int cbq_init(struct Qdisc *sch, struct nlattr *opt) + { + struct cbq_sched_data *q = qdisc_priv(sch); +@@ -1136,7 +1156,7 @@ static int cbq_init(struct Qdisc *sch, struct nlattr *opt) + struct tc_ratespec *r; + int err; + +- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ err = cbq_opt_parse(tb, opt); + if (err < 0) + return err; + +@@ -1468,10 +1488,7 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t + struct cbq_class *parent; + struct qdisc_rate_table *rtab = NULL; + +- if (opt == NULL) +- return -EINVAL; +- +- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ err = cbq_opt_parse(tb, opt); + if (err < 0) + return err; + +diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c +index b56d57984439..551cf193649e 100644 +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -346,6 +346,8 @@ static int dsmark_init(struct Qdisc *sch, struct nlattr *opt) + goto errout; + + err = -EINVAL; ++ if (!tb[TCA_DSMARK_INDICES]) ++ goto errout; + indices = nla_get_u16(tb[TCA_DSMARK_INDICES]); + + if (hweight32(indices) != 1) +diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c +index 23e5808a0970..e5d5c7fb2dac 100644 +--- a/security/smack/smack_access.c ++++ b/security/smack/smack_access.c +@@ -474,7 +474,7 @@ char *smk_parse_smack(const char *string, int len) + if (i == 0 || i >= SMK_LONGLABEL) + return ERR_PTR(-EINVAL); + +- smack = kzalloc(i + 1, GFP_KERNEL); ++ smack = kzalloc(i + 1, GFP_NOFS); + if (smack == NULL) + return ERR_PTR(-ENOMEM); + +@@ -545,7 +545,7 @@ struct smack_known *smk_import_entry(const char *string, int len) + if (skp != NULL) + goto freeout; + +- skp = kzalloc(sizeof(*skp), GFP_KERNEL); ++ skp = kzalloc(sizeof(*skp), GFP_NOFS); + if (skp == NULL) { + skp = ERR_PTR(-ENOMEM); + goto freeout; +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index aeb3ba70f907..589c1c2ae6db 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -268,7 +268,7 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, + if (!(ip->i_opflags & IOP_XATTR)) + return ERR_PTR(-EOPNOTSUPP); + +- buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); ++ buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); + if (buffer == NULL) + return ERR_PTR(-ENOMEM); + +@@ -949,7 +949,8 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) + + if (rc != 0) + return rc; +- } else if (bprm->unsafe) ++ } ++ if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) + return -EPERM; + + bsp->smk_task = isp->smk_task; +@@ -4037,6 +4038,8 @@ access_check: + skp = smack_ipv6host_label(&sadd); + if (skp == NULL) + skp = smack_net_ambient; ++ if (skb == NULL) ++ break; + #ifdef CONFIG_AUDIT + smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); + ad.a.u.net->family = family; |