summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2017-01-01 14:54:26 -0500
committerAnthony G. Basile <blueness@gentoo.org>2017-01-01 14:54:26 -0500
commit1b413d517df92fadb5758bba4463c8bd6f73fb25 (patch)
tree03e0d9b20b142ffbdfbdd68bb7dfa101b7167dd0
parentgrsecurity-3.1-4.8.15-201612151923 (diff)
downloadhardened-patchset-1b413d517df92fadb5758bba4463c8bd6f73fb25.tar.gz
hardened-patchset-1b413d517df92fadb5758bba4463c8bd6f73fb25.tar.bz2
hardened-patchset-1b413d517df92fadb5758bba4463c8bd6f73fb25.zip
grsecurity-3.1-4.8.15-20161230194920161230
-rw-r--r--4.8.15/0000_README18
-rw-r--r--4.8.15/1012_linux-4.8.13.patch1063
-rw-r--r--4.8.15/1013_linux-4.8.14.patch1725
-rw-r--r--4.8.15/1014_linux-4.8.15.patch1042
-rw-r--r--4.8.15/4420_grsecurity-3.1-4.8.15-201612301949.patch (renamed from 4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch)14
-rw-r--r--4.8.15/4426_default_XATTR_PAX_FLAGS.patch36
6 files changed, 50 insertions, 3848 deletions
diff --git a/4.8.15/0000_README b/4.8.15/0000_README
index cd91d08..97a03a1 100644
--- a/4.8.15/0000_README
+++ b/4.8.15/0000_README
@@ -2,19 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1012_linux-4.8.13.patch
-From: http://www.kernel.org
-Desc: Linux 4.8.13
-
-Patch: 1013_linux-4.8.14.patch
-From: http://www.kernel.org
-Desc: Linux 4.8.14
-
-Patch: 1014_linux-4.8.15.patch
-From: http://www.kernel.org
-Desc: Linux 4.8.15
-
-Patch: 4420_grsecurity-3.1-4.8.15-201612151923.patch
+Patch: 4420_grsecurity-3.1-4.8.15-201612301949.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
@@ -22,6 +10,10 @@ Patch: 4425_grsec_remove_EI_PAX.patch
From: Anthony G. Basile <blueness@gentoo.org>
Desc: Remove EI_PAX option and force off
+Patch: 4426_default_XATTR_PAX_FLAGS.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Defalut PT_PAX_FLAGS off and XATTR_PAX_FLAGS on
+
Patch: 4427_force_XATTR_PAX_tmpfs.patch
From: Anthony G. Basile <blueness@gentoo.org>
Desc: Force XATTR_PAX on tmpfs
diff --git a/4.8.15/1012_linux-4.8.13.patch b/4.8.15/1012_linux-4.8.13.patch
deleted file mode 100644
index c742393..0000000
--- a/4.8.15/1012_linux-4.8.13.patch
+++ /dev/null
@@ -1,1063 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 7b0c92f..b38abe9 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 8
--SUBLEVEL = 12
-+SUBLEVEL = 13
- EXTRAVERSION =
- NAME = Psychotic Stoned Sheep
-
-diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h
-index 08e7e2a..a36e860 100644
---- a/arch/arc/include/asm/delay.h
-+++ b/arch/arc/include/asm/delay.h
-@@ -22,10 +22,11 @@
- static inline void __delay(unsigned long loops)
- {
- __asm__ __volatile__(
-- " lp 1f \n"
-- " nop \n"
-- "1: \n"
-- : "+l"(loops));
-+ " mov lp_count, %0 \n"
-+ " lp 1f \n"
-+ " nop \n"
-+ "1: \n"
-+ : : "r"(loops));
- }
-
- extern void __bad_udelay(void);
-diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h
-index 89eeb37..e94ca72 100644
---- a/arch/arc/include/asm/pgtable.h
-+++ b/arch/arc/include/asm/pgtable.h
-@@ -280,7 +280,7 @@ static inline void pmd_set(pmd_t *pmdp, pte_t *ptep)
-
- #define pte_page(pte) pfn_to_page(pte_pfn(pte))
- #define mk_pte(page, prot) pfn_pte(page_to_pfn(page), prot)
--#define pfn_pte(pfn, prot) __pte(((pfn) << PAGE_SHIFT) | pgprot_val(prot))
-+#define pfn_pte(pfn, prot) __pte(__pfn_to_phys(pfn) | pgprot_val(prot))
-
- /* Don't use virt_to_pfn for macros below: could cause truncations for PAE40*/
- #define pte_pfn(pte) (pte_val(pte) >> PAGE_SHIFT)
-diff --git a/arch/arm64/boot/dts/arm/juno-r1.dts b/arch/arm64/boot/dts/arm/juno-r1.dts
-index 123a58b..f0b857d 100644
---- a/arch/arm64/boot/dts/arm/juno-r1.dts
-+++ b/arch/arm64/boot/dts/arm/juno-r1.dts
-@@ -76,7 +76,7 @@
- compatible = "arm,idle-state";
- arm,psci-suspend-param = <0x1010000>;
- local-timer-stop;
-- entry-latency-us = <300>;
-+ entry-latency-us = <400>;
- exit-latency-us = <1200>;
- min-residency-us = <2500>;
- };
-diff --git a/arch/arm64/boot/dts/arm/juno-r2.dts b/arch/arm64/boot/dts/arm/juno-r2.dts
-index 007be82..26aaa6a 100644
---- a/arch/arm64/boot/dts/arm/juno-r2.dts
-+++ b/arch/arm64/boot/dts/arm/juno-r2.dts
-@@ -76,7 +76,7 @@
- compatible = "arm,idle-state";
- arm,psci-suspend-param = <0x1010000>;
- local-timer-stop;
-- entry-latency-us = <300>;
-+ entry-latency-us = <400>;
- exit-latency-us = <1200>;
- min-residency-us = <2500>;
- };
-diff --git a/arch/arm64/boot/dts/arm/juno.dts b/arch/arm64/boot/dts/arm/juno.dts
-index a7270ef..6e154d9 100644
---- a/arch/arm64/boot/dts/arm/juno.dts
-+++ b/arch/arm64/boot/dts/arm/juno.dts
-@@ -76,7 +76,7 @@
- compatible = "arm,idle-state";
- arm,psci-suspend-param = <0x1010000>;
- local-timer-stop;
-- entry-latency-us = <300>;
-+ entry-latency-us = <400>;
- exit-latency-us = <1200>;
- min-residency-us = <2500>;
- };
-diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
-index 7099f26..b96346b 100644
---- a/arch/arm64/include/asm/cpufeature.h
-+++ b/arch/arm64/include/asm/cpufeature.h
-@@ -90,7 +90,7 @@ struct arm64_cpu_capabilities {
- u16 capability;
- int def_scope; /* default scope */
- bool (*matches)(const struct arm64_cpu_capabilities *caps, int scope);
-- void (*enable)(void *); /* Called on all active CPUs */
-+ int (*enable)(void *); /* Called on all active CPUs */
- union {
- struct { /* To be used for erratum handling only */
- u32 midr_model;
-diff --git a/arch/arm64/include/asm/exec.h b/arch/arm64/include/asm/exec.h
-index db0563c..f7865dd 100644
---- a/arch/arm64/include/asm/exec.h
-+++ b/arch/arm64/include/asm/exec.h
-@@ -18,6 +18,9 @@
- #ifndef __ASM_EXEC_H
- #define __ASM_EXEC_H
-
-+#include <linux/sched.h>
-+
- extern unsigned long arch_align_stack(unsigned long sp);
-+void uao_thread_switch(struct task_struct *next);
-
- #endif /* __ASM_EXEC_H */
-diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
-index ace0a96..3be0ab0 100644
---- a/arch/arm64/include/asm/processor.h
-+++ b/arch/arm64/include/asm/processor.h
-@@ -190,8 +190,8 @@ static inline void spin_lock_prefetch(const void *ptr)
-
- #endif
-
--void cpu_enable_pan(void *__unused);
--void cpu_enable_uao(void *__unused);
--void cpu_enable_cache_maint_trap(void *__unused);
-+int cpu_enable_pan(void *__unused);
-+int cpu_enable_uao(void *__unused);
-+int cpu_enable_cache_maint_trap(void *__unused);
-
- #endif /* __ASM_PROCESSOR_H */
-diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
-index 62272ea..94a0330 100644
---- a/arch/arm64/kernel/cpufeature.c
-+++ b/arch/arm64/kernel/cpufeature.c
-@@ -19,7 +19,9 @@
- #define pr_fmt(fmt) "CPU features: " fmt
-
- #include <linux/bsearch.h>
-+#include <linux/cpumask.h>
- #include <linux/sort.h>
-+#include <linux/stop_machine.h>
- #include <linux/types.h>
- #include <asm/cpu.h>
- #include <asm/cpufeature.h>
-@@ -936,7 +938,13 @@ void __init enable_cpu_capabilities(const struct arm64_cpu_capabilities *caps)
- {
- for (; caps->matches; caps++)
- if (caps->enable && cpus_have_cap(caps->capability))
-- on_each_cpu(caps->enable, NULL, true);
-+ /*
-+ * Use stop_machine() as it schedules the work allowing
-+ * us to modify PSTATE, instead of on_each_cpu() which
-+ * uses an IPI, giving us a PSTATE that disappears when
-+ * we return.
-+ */
-+ stop_machine(caps->enable, NULL, cpu_online_mask);
- }
-
- /*
-diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
-index 6cd2612..9cc8667 100644
---- a/arch/arm64/kernel/process.c
-+++ b/arch/arm64/kernel/process.c
-@@ -49,6 +49,7 @@
- #include <asm/alternative.h>
- #include <asm/compat.h>
- #include <asm/cacheflush.h>
-+#include <asm/exec.h>
- #include <asm/fpsimd.h>
- #include <asm/mmu_context.h>
- #include <asm/processor.h>
-@@ -303,7 +304,7 @@ static void tls_thread_switch(struct task_struct *next)
- }
-
- /* Restore the UAO state depending on next's addr_limit */
--static void uao_thread_switch(struct task_struct *next)
-+void uao_thread_switch(struct task_struct *next)
- {
- if (IS_ENABLED(CONFIG_ARM64_UAO)) {
- if (task_thread_info(next)->addr_limit == KERNEL_DS)
-diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
-index b616e365..23ddf55 100644
---- a/arch/arm64/kernel/suspend.c
-+++ b/arch/arm64/kernel/suspend.c
-@@ -1,8 +1,11 @@
- #include <linux/ftrace.h>
- #include <linux/percpu.h>
- #include <linux/slab.h>
-+#include <asm/alternative.h>
- #include <asm/cacheflush.h>
-+#include <asm/cpufeature.h>
- #include <asm/debug-monitors.h>
-+#include <asm/exec.h>
- #include <asm/pgtable.h>
- #include <asm/memory.h>
- #include <asm/mmu_context.h>
-@@ -48,6 +51,14 @@ void notrace __cpu_suspend_exit(void)
- set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
-
- /*
-+ * PSTATE was not saved over suspend/resume, re-enable any detected
-+ * features that might not have been set correctly.
-+ */
-+ asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN,
-+ CONFIG_ARM64_PAN));
-+ uao_thread_switch(current);
-+
-+ /*
- * Restore HW breakpoint registers to sane values
- * before debug exceptions are possibly reenabled
- * through local_dbg_restore.
-diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
-index 771a01a7f..9595d3d 100644
---- a/arch/arm64/kernel/traps.c
-+++ b/arch/arm64/kernel/traps.c
-@@ -428,9 +428,10 @@ asmlinkage void __exception do_undefinstr(struct pt_regs *regs)
- force_signal_inject(SIGILL, ILL_ILLOPC, regs, 0);
- }
-
--void cpu_enable_cache_maint_trap(void *__unused)
-+int cpu_enable_cache_maint_trap(void *__unused)
- {
- config_sctlr_el1(SCTLR_EL1_UCI, 0);
-+ return 0;
- }
-
- #define __user_cache_maint(insn, address, res) \
-diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
-index 05d2bd7..67506c3 100644
---- a/arch/arm64/mm/fault.c
-+++ b/arch/arm64/mm/fault.c
-@@ -29,7 +29,9 @@
- #include <linux/sched.h>
- #include <linux/highmem.h>
- #include <linux/perf_event.h>
-+#include <linux/preempt.h>
-
-+#include <asm/bug.h>
- #include <asm/cpufeature.h>
- #include <asm/exception.h>
- #include <asm/debug-monitors.h>
-@@ -671,9 +673,17 @@ asmlinkage int __exception do_debug_exception(unsigned long addr,
- NOKPROBE_SYMBOL(do_debug_exception);
-
- #ifdef CONFIG_ARM64_PAN
--void cpu_enable_pan(void *__unused)
-+int cpu_enable_pan(void *__unused)
- {
-+ /*
-+ * We modify PSTATE. This won't work from irq context as the PSTATE
-+ * is discarded once we return from the exception.
-+ */
-+ WARN_ON_ONCE(in_interrupt());
-+
- config_sctlr_el1(SCTLR_EL1_SPAN, 0);
-+ asm(SET_PSTATE_PAN(1));
-+ return 0;
- }
- #endif /* CONFIG_ARM64_PAN */
-
-@@ -684,8 +694,9 @@ void cpu_enable_pan(void *__unused)
- * We need to enable the feature at runtime (instead of adding it to
- * PSR_MODE_EL1h) as the feature may not be implemented by the cpu.
- */
--void cpu_enable_uao(void *__unused)
-+int cpu_enable_uao(void *__unused)
- {
- asm(SET_PSTATE_UAO(1));
-+ return 0;
- }
- #endif /* CONFIG_ARM64_UAO */
-diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
-index d0efb5c..a4e070a 100644
---- a/arch/x86/events/core.c
-+++ b/arch/x86/events/core.c
-@@ -2344,7 +2344,7 @@ perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry_ctx *ent
- frame.next_frame = 0;
- frame.return_address = 0;
-
-- if (!access_ok(VERIFY_READ, fp, 8))
-+ if (!valid_user_frame(fp, sizeof(frame)))
- break;
-
- bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
-@@ -2354,9 +2354,6 @@ perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry_ctx *ent
- if (bytes != 0)
- break;
-
-- if (!valid_user_frame(fp, sizeof(frame)))
-- break;
--
- perf_callchain_store(entry, cs_base + frame.return_address);
- fp = compat_ptr(ss_base + frame.next_frame);
- }
-@@ -2405,7 +2402,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
- frame.next_frame = NULL;
- frame.return_address = 0;
-
-- if (!access_ok(VERIFY_READ, fp, sizeof(*fp) * 2))
-+ if (!valid_user_frame(fp, sizeof(frame)))
- break;
-
- bytes = __copy_from_user_nmi(&frame.next_frame, fp, sizeof(*fp));
-@@ -2415,9 +2412,6 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
- if (bytes != 0)
- break;
-
-- if (!valid_user_frame(fp, sizeof(frame)))
-- break;
--
- perf_callchain_store(entry, frame.return_address);
- fp = (void __user *)frame.next_frame;
- }
-diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
-index e207b33..1e007a9 100644
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -1088,7 +1088,7 @@ static void ata_gen_passthru_sense(struct ata_queued_cmd *qc)
- desc[1] = tf->command; /* status */
- desc[2] = tf->device;
- desc[3] = tf->nsect;
-- desc[0] = 0;
-+ desc[7] = 0;
- if (tf->flags & ATA_TFLAG_LBA48) {
- desc[8] |= 0x80;
- if (tf->hob_nsect)
-diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
-index 04365b1..5163c8f 100644
---- a/drivers/block/zram/zram_drv.c
-+++ b/drivers/block/zram/zram_drv.c
-@@ -1403,7 +1403,8 @@ static ssize_t hot_remove_store(struct class *class,
- zram = idr_find(&zram_index_idr, dev_id);
- if (zram) {
- ret = zram_remove(zram);
-- idr_remove(&zram_index_idr, dev_id);
-+ if (!ret)
-+ idr_remove(&zram_index_idr, dev_id);
- } else {
- ret = -ENODEV;
- }
-diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c
-index 838b22a..f2c9274 100644
---- a/drivers/clk/sunxi/clk-sunxi.c
-+++ b/drivers/clk/sunxi/clk-sunxi.c
-@@ -373,7 +373,7 @@ static void sun4i_get_apb1_factors(struct factors_request *req)
- else
- calcp = 3;
-
-- calcm = (req->parent_rate >> calcp) - 1;
-+ calcm = (div >> calcp) - 1;
-
- req->rate = (req->parent_rate >> calcp) / (calcm + 1);
- req->m = calcm;
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
-index 10b5ddf..1ed085f 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
-@@ -33,6 +33,7 @@ struct amdgpu_atpx {
-
- static struct amdgpu_atpx_priv {
- bool atpx_detected;
-+ bool bridge_pm_usable;
- /* handle for device - and atpx */
- acpi_handle dhandle;
- acpi_handle other_handle;
-@@ -200,7 +201,11 @@ static int amdgpu_atpx_validate(struct amdgpu_atpx *atpx)
- atpx->is_hybrid = false;
- if (valid_bits & ATPX_MS_HYBRID_GFX_SUPPORTED) {
- printk("ATPX Hybrid Graphics\n");
-- atpx->functions.power_cntl = false;
-+ /*
-+ * Disable legacy PM methods only when pcie port PM is usable,
-+ * otherwise the device might fail to power off or power on.
-+ */
-+ atpx->functions.power_cntl = !amdgpu_atpx_priv.bridge_pm_usable;
- atpx->is_hybrid = true;
- }
-
-@@ -546,17 +551,25 @@ static bool amdgpu_atpx_detect(void)
- struct pci_dev *pdev = NULL;
- bool has_atpx = false;
- int vga_count = 0;
-+ bool d3_supported = false;
-+ struct pci_dev *parent_pdev;
-
- while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
- vga_count++;
-
- has_atpx |= (amdgpu_atpx_pci_probe_handle(pdev) == true);
-+
-+ parent_pdev = pci_upstream_bridge(pdev);
-+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
- }
-
- while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) {
- vga_count++;
-
- has_atpx |= (amdgpu_atpx_pci_probe_handle(pdev) == true);
-+
-+ parent_pdev = pci_upstream_bridge(pdev);
-+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
- }
-
- if (has_atpx && vga_count == 2) {
-@@ -564,6 +577,7 @@ static bool amdgpu_atpx_detect(void)
- printk(KERN_INFO "vga_switcheroo: detected switching method %s handle\n",
- acpi_method_name);
- amdgpu_atpx_priv.atpx_detected = true;
-+ amdgpu_atpx_priv.bridge_pm_usable = d3_supported;
- amdgpu_atpx_init();
- return true;
- }
-diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
-index a77ce99..b8e3854 100644
---- a/drivers/gpu/drm/i915/i915_gem.c
-+++ b/drivers/gpu/drm/i915/i915_gem.c
-@@ -2540,7 +2540,7 @@ i915_gem_object_get_pages_gtt(struct drm_i915_gem_object *obj)
- page = shmem_read_mapping_page(mapping, i);
- if (IS_ERR(page)) {
- ret = PTR_ERR(page);
-- goto err_pages;
-+ goto err_sg;
- }
- }
- #ifdef CONFIG_SWIOTLB
-@@ -2583,8 +2583,9 @@ i915_gem_object_get_pages_gtt(struct drm_i915_gem_object *obj)
-
- return 0;
-
--err_pages:
-+err_sg:
- sg_mark_end(sg);
-+err_pages:
- for_each_sgt_page(page, sgt_iter, st)
- put_page(page);
- sg_free_table(st);
-diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index e26f889..35d385d 100644
---- a/drivers/gpu/drm/i915/intel_display.c
-+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -11791,7 +11791,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
- intel_crtc->reset_counter = i915_reset_counter(&dev_priv->gpu_error);
- if (__i915_reset_in_progress_or_wedged(intel_crtc->reset_counter)) {
- ret = -EIO;
-- goto cleanup;
-+ goto unlock;
- }
-
- atomic_inc(&intel_crtc->unpin_work_count);
-@@ -11877,6 +11877,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
- if (!IS_ERR_OR_NULL(request))
- i915_add_request_no_flush(request);
- atomic_dec(&intel_crtc->unpin_work_count);
-+unlock:
- mutex_unlock(&dev->struct_mutex);
- cleanup:
- crtc->primary->fb = old_fb;
-diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
-index 8f62671f..54acfcc 100644
---- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
-+++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
-@@ -249,13 +249,6 @@ static int mtk_disp_ovl_probe(struct platform_device *pdev)
- if (irq < 0)
- return irq;
-
-- ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
-- IRQF_TRIGGER_NONE, dev_name(dev), priv);
-- if (ret < 0) {
-- dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
-- return ret;
-- }
--
- comp_id = mtk_ddp_comp_get_id(dev->of_node, MTK_DISP_OVL);
- if (comp_id < 0) {
- dev_err(dev, "Failed to identify by alias: %d\n", comp_id);
-@@ -271,6 +264,13 @@ static int mtk_disp_ovl_probe(struct platform_device *pdev)
-
- platform_set_drvdata(pdev, priv);
-
-+ ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
-+ IRQF_TRIGGER_NONE, dev_name(dev), priv);
-+ if (ret < 0) {
-+ dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
-+ return ret;
-+ }
-+
- ret = component_add(dev, &mtk_disp_ovl_component_ops);
- if (ret)
- dev_err(dev, "Failed to add component: %d\n", ret);
-diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
-index ddef0d4..34b4ace 100644
---- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
-+++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
-@@ -33,6 +33,7 @@ struct radeon_atpx {
-
- static struct radeon_atpx_priv {
- bool atpx_detected;
-+ bool bridge_pm_usable;
- /* handle for device - and atpx */
- acpi_handle dhandle;
- struct radeon_atpx atpx;
-@@ -198,7 +199,11 @@ static int radeon_atpx_validate(struct radeon_atpx *atpx)
- atpx->is_hybrid = false;
- if (valid_bits & ATPX_MS_HYBRID_GFX_SUPPORTED) {
- printk("ATPX Hybrid Graphics\n");
-- atpx->functions.power_cntl = false;
-+ /*
-+ * Disable legacy PM methods only when pcie port PM is usable,
-+ * otherwise the device might fail to power off or power on.
-+ */
-+ atpx->functions.power_cntl = !radeon_atpx_priv.bridge_pm_usable;
- atpx->is_hybrid = true;
- }
-
-@@ -543,11 +548,16 @@ static bool radeon_atpx_detect(void)
- struct pci_dev *pdev = NULL;
- bool has_atpx = false;
- int vga_count = 0;
-+ bool d3_supported = false;
-+ struct pci_dev *parent_pdev;
-
- while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
- vga_count++;
-
- has_atpx |= (radeon_atpx_pci_probe_handle(pdev) == true);
-+
-+ parent_pdev = pci_upstream_bridge(pdev);
-+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
- }
-
- /* some newer PX laptops mark the dGPU as a non-VGA display device */
-@@ -555,6 +565,9 @@ static bool radeon_atpx_detect(void)
- vga_count++;
-
- has_atpx |= (radeon_atpx_pci_probe_handle(pdev) == true);
-+
-+ parent_pdev = pci_upstream_bridge(pdev);
-+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
- }
-
- if (has_atpx && vga_count == 2) {
-@@ -562,6 +575,7 @@ static bool radeon_atpx_detect(void)
- printk(KERN_INFO "vga_switcheroo: detected switching method %s handle\n",
- acpi_method_name);
- radeon_atpx_priv.atpx_detected = true;
-+ radeon_atpx_priv.bridge_pm_usable = d3_supported;
- radeon_atpx_init();
- return true;
- }
-diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
-index 5784e20..9f6203c 100644
---- a/drivers/input/mouse/psmouse-base.c
-+++ b/drivers/input/mouse/psmouse-base.c
-@@ -1115,10 +1115,6 @@ static int psmouse_extensions(struct psmouse *psmouse,
- if (psmouse_try_protocol(psmouse, PSMOUSE_TOUCHKIT_PS2,
- &max_proto, set_properties, true))
- return PSMOUSE_TOUCHKIT_PS2;
--
-- if (psmouse_try_protocol(psmouse, PSMOUSE_BYD,
-- &max_proto, set_properties, true))
-- return PSMOUSE_BYD;
- }
-
- /*
-diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
-index a8ff969..cbc7dfa 100644
---- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
-+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
-@@ -2203,8 +2203,9 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len,
- is_scanning_required = 1;
- } else {
- mwifiex_dbg(priv->adapter, MSG,
-- "info: trying to associate to '%s' bssid %pM\n",
-- (char *)req_ssid.ssid, bss->bssid);
-+ "info: trying to associate to '%.*s' bssid %pM\n",
-+ req_ssid.ssid_len, (char *)req_ssid.ssid,
-+ bss->bssid);
- memcpy(&priv->cfg_bssid, bss->bssid, ETH_ALEN);
- break;
- }
-@@ -2264,8 +2265,8 @@ mwifiex_cfg80211_connect(struct wiphy *wiphy, struct net_device *dev,
- }
-
- mwifiex_dbg(adapter, INFO,
-- "info: Trying to associate to %s and bssid %pM\n",
-- (char *)sme->ssid, sme->bssid);
-+ "info: Trying to associate to %.*s and bssid %pM\n",
-+ (int)sme->ssid_len, (char *)sme->ssid, sme->bssid);
-
- if (!mwifiex_stop_bg_scan(priv))
- cfg80211_sched_scan_stopped_rtnl(priv->wdev.wiphy);
-@@ -2398,8 +2399,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy *wiphy, struct net_device *dev,
- }
-
- mwifiex_dbg(priv->adapter, MSG,
-- "info: trying to join to %s and bssid %pM\n",
-- (char *)params->ssid, params->bssid);
-+ "info: trying to join to %.*s and bssid %pM\n",
-+ params->ssid_len, (char *)params->ssid, params->bssid);
-
- mwifiex_set_ibss_params(priv, params);
-
-diff --git a/drivers/pci/pcie/aer/aer_inject.c b/drivers/pci/pcie/aer/aer_inject.c
-index db553dc..2b6a592 100644
---- a/drivers/pci/pcie/aer/aer_inject.c
-+++ b/drivers/pci/pcie/aer/aer_inject.c
-@@ -307,20 +307,6 @@ static int pci_bus_set_aer_ops(struct pci_bus *bus)
- return 0;
- }
-
--static struct pci_dev *pcie_find_root_port(struct pci_dev *dev)
--{
-- while (1) {
-- if (!pci_is_pcie(dev))
-- break;
-- if (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT)
-- return dev;
-- if (!dev->bus->self)
-- break;
-- dev = dev->bus->self;
-- }
-- return NULL;
--}
--
- static int find_aer_device_iter(struct device *device, void *data)
- {
- struct pcie_device **result = data;
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 93f280d..f6eff4a 100644
---- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -1439,6 +1439,21 @@ static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp)
- dev_warn(&dev->dev, "PCI-X settings not supported\n");
- }
-
-+static bool pcie_root_rcb_set(struct pci_dev *dev)
-+{
-+ struct pci_dev *rp = pcie_find_root_port(dev);
-+ u16 lnkctl;
-+
-+ if (!rp)
-+ return false;
-+
-+ pcie_capability_read_word(rp, PCI_EXP_LNKCTL, &lnkctl);
-+ if (lnkctl & PCI_EXP_LNKCTL_RCB)
-+ return true;
-+
-+ return false;
-+}
-+
- static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
- {
- int pos;
-@@ -1468,9 +1483,20 @@ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
- ~hpp->pci_exp_devctl_and, hpp->pci_exp_devctl_or);
-
- /* Initialize Link Control Register */
-- if (pcie_cap_has_lnkctl(dev))
-+ if (pcie_cap_has_lnkctl(dev)) {
-+
-+ /*
-+ * If the Root Port supports Read Completion Boundary of
-+ * 128, set RCB to 128. Otherwise, clear it.
-+ */
-+ hpp->pci_exp_lnkctl_and |= PCI_EXP_LNKCTL_RCB;
-+ hpp->pci_exp_lnkctl_or &= ~PCI_EXP_LNKCTL_RCB;
-+ if (pcie_root_rcb_set(dev))
-+ hpp->pci_exp_lnkctl_or |= PCI_EXP_LNKCTL_RCB;
-+
- pcie_capability_clear_and_set_word(dev, PCI_EXP_LNKCTL,
- ~hpp->pci_exp_lnkctl_and, hpp->pci_exp_lnkctl_or);
-+ }
-
- /* Find Advanced Error Reporting Enhanced Capability */
- pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ERR);
-diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c
-index 0296d81..a813239 100644
---- a/drivers/pwm/sysfs.c
-+++ b/drivers/pwm/sysfs.c
-@@ -425,6 +425,8 @@ void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
- if (test_bit(PWMF_EXPORTED, &pwm->flags))
- pwm_unexport_child(parent, pwm);
- }
-+
-+ put_device(parent);
- }
-
- static int __init pwm_sysfs_init(void)
-diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 030d002..5138a84 100644
---- a/drivers/scsi/hpsa.c
-+++ b/drivers/scsi/hpsa.c
-@@ -2007,7 +2007,7 @@ static struct hpsa_scsi_dev_t *lookup_hpsa_scsi_dev(struct ctlr_info *h,
-
- static int hpsa_slave_alloc(struct scsi_device *sdev)
- {
-- struct hpsa_scsi_dev_t *sd;
-+ struct hpsa_scsi_dev_t *sd = NULL;
- unsigned long flags;
- struct ctlr_info *h;
-
-@@ -2024,7 +2024,8 @@ static int hpsa_slave_alloc(struct scsi_device *sdev)
- sd->target = sdev_id(sdev);
- sd->lun = sdev->lun;
- }
-- } else
-+ }
-+ if (!sd)
- sd = lookup_hpsa_scsi_dev(h, sdev_channel(sdev),
- sdev_id(sdev), sdev->lun);
-
-@@ -3805,6 +3806,7 @@ static int hpsa_update_device_info(struct ctlr_info *h,
- sizeof(this_device->vendor));
- memcpy(this_device->model, &inq_buff[16],
- sizeof(this_device->model));
-+ this_device->rev = inq_buff[2];
- memset(this_device->device_id, 0,
- sizeof(this_device->device_id));
- hpsa_get_device_id(h, scsi3addr, this_device->device_id, 8,
-@@ -3887,10 +3889,14 @@ static void figure_bus_target_lun(struct ctlr_info *h,
-
- if (!is_logical_dev_addr_mode(lunaddrbytes)) {
- /* physical device, target and lun filled in later */
-- if (is_hba_lunid(lunaddrbytes))
-+ if (is_hba_lunid(lunaddrbytes)) {
-+ int bus = HPSA_HBA_BUS;
-+
-+ if (!device->rev)
-+ bus = HPSA_LEGACY_HBA_BUS;
- hpsa_set_bus_target_lun(device,
-- HPSA_HBA_BUS, 0, lunid & 0x3fff);
-- else
-+ bus, 0, lunid & 0x3fff);
-+ } else
- /* defer target, lun assignment for physical devices */
- hpsa_set_bus_target_lun(device,
- HPSA_PHYSICAL_DEVICE_BUS, -1, -1);
-diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
-index a1487e6..9d45dde 100644
---- a/drivers/scsi/hpsa.h
-+++ b/drivers/scsi/hpsa.h
-@@ -69,6 +69,7 @@ struct hpsa_scsi_dev_t {
- u64 sas_address;
- unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
- unsigned char model[16]; /* bytes 16-31 of inquiry data */
-+ unsigned char rev; /* byte 2 of inquiry data */
- unsigned char raid_level; /* from inquiry page 0xC1 */
- unsigned char volume_offline; /* discovered via TUR or VPD */
- u16 queue_depth; /* max queue_depth for this device */
-@@ -403,6 +404,7 @@ struct offline_device_entry {
- #define HPSA_RAID_VOLUME_BUS 1
- #define HPSA_EXTERNAL_RAID_VOLUME_BUS 2
- #define HPSA_HBA_BUS 0
-+#define HPSA_LEGACY_HBA_BUS 3
-
- /*
- Send the command to the hardware
-diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
-index 04ce7cf..50c7167 100644
---- a/drivers/scsi/libfc/fc_lport.c
-+++ b/drivers/scsi/libfc/fc_lport.c
-@@ -308,7 +308,7 @@ struct fc_host_statistics *fc_get_host_stats(struct Scsi_Host *shost)
- fc_stats = &lport->host_stats;
- memset(fc_stats, 0, sizeof(struct fc_host_statistics));
-
-- fc_stats->seconds_since_last_reset = (lport->boot_time - jiffies) / HZ;
-+ fc_stats->seconds_since_last_reset = (jiffies - lport->boot_time) / HZ;
-
- for_each_possible_cpu(cpu) {
- struct fc_stats *stats;
-diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index a78415d..78be4ae 100644
---- a/fs/overlayfs/super.c
-+++ b/fs/overlayfs/super.c
-@@ -329,11 +329,11 @@ static struct dentry *ovl_d_real(struct dentry *dentry,
- if (!real)
- goto bug;
-
-+ /* Handle recursion */
-+ real = d_real(real, inode, open_flags);
-+
- if (!inode || inode == d_inode(real))
- return real;
--
-- /* Handle recursion */
-- return d_real(real, inode, open_flags);
- bug:
- WARN(1, "ovl_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
- inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
-diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
-index 573c5a1..0a0b2d5 100644
---- a/include/linux/compiler-gcc.h
-+++ b/include/linux/compiler-gcc.h
-@@ -256,7 +256,9 @@
- #endif
- #endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP && !__CHECKER__ */
-
--#if GCC_VERSION >= 50000
-+#if GCC_VERSION >= 70000
-+#define KASAN_ABI_VERSION 5
-+#elif GCC_VERSION >= 50000
- #define KASAN_ABI_VERSION 4
- #elif GCC_VERSION >= 40902
- #define KASAN_ABI_VERSION 3
-diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
-index 01e8443..d47cc4a 100644
---- a/include/linux/pagemap.h
-+++ b/include/linux/pagemap.h
-@@ -364,16 +364,13 @@ static inline struct page *read_mapping_page(struct address_space *mapping,
- }
-
- /*
-- * Get the offset in PAGE_SIZE.
-- * (TODO: hugepage should have ->index in PAGE_SIZE)
-+ * Get index of the page with in radix-tree
-+ * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE)
- */
--static inline pgoff_t page_to_pgoff(struct page *page)
-+static inline pgoff_t page_to_index(struct page *page)
- {
- pgoff_t pgoff;
-
-- if (unlikely(PageHeadHuge(page)))
-- return page->index << compound_order(page);
--
- if (likely(!PageTransTail(page)))
- return page->index;
-
-@@ -387,6 +384,18 @@ static inline pgoff_t page_to_pgoff(struct page *page)
- }
-
- /*
-+ * Get the offset in PAGE_SIZE.
-+ * (TODO: hugepage should have ->index in PAGE_SIZE)
-+ */
-+static inline pgoff_t page_to_pgoff(struct page *page)
-+{
-+ if (unlikely(PageHeadHuge(page)))
-+ return page->index << compound_order(page);
-+
-+ return page_to_index(page);
-+}
-+
-+/*
- * Return byte-offset into filesystem object for page.
- */
- static inline loff_t page_offset(struct page *page)
-diff --git a/include/linux/pci.h b/include/linux/pci.h
-index 0ab8359..03f3df0 100644
---- a/include/linux/pci.h
-+++ b/include/linux/pci.h
-@@ -1896,6 +1896,20 @@ static inline int pci_pcie_type(const struct pci_dev *dev)
- return (pcie_caps_reg(dev) & PCI_EXP_FLAGS_TYPE) >> 4;
- }
-
-+static inline struct pci_dev *pcie_find_root_port(struct pci_dev *dev)
-+{
-+ while (1) {
-+ if (!pci_is_pcie(dev))
-+ break;
-+ if (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT)
-+ return dev;
-+ if (!dev->bus->self)
-+ break;
-+ dev = dev->bus->self;
-+ }
-+ return NULL;
-+}
-+
- void pci_request_acs(void);
- bool pci_acs_enabled(struct pci_dev *pdev, u16 acs_flags);
- bool pci_acs_path_enabled(struct pci_dev *start,
-diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
-index d6d071f..3af60ee 100644
---- a/include/uapi/linux/input-event-codes.h
-+++ b/include/uapi/linux/input-event-codes.h
-@@ -640,7 +640,7 @@
- * Control a data application associated with the currently viewed channel,
- * e.g. teletext or data broadcast application (MHEG, MHP, HbbTV, etc.)
- */
--#define KEY_DATA 0x275
-+#define KEY_DATA 0x277
-
- #define BTN_TRIGGER_HAPPY 0x2c0
- #define BTN_TRIGGER_HAPPY1 0x2c0
-diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
-index 0082fce..85c5a88 100644
---- a/kernel/rcu/tree_plugin.h
-+++ b/kernel/rcu/tree_plugin.h
-@@ -2173,6 +2173,7 @@ static int rcu_nocb_kthread(void *arg)
- cl++;
- c++;
- local_bh_enable();
-+ cond_resched_rcu_qs();
- list = next;
- }
- trace_rcu_batch_end(rdp->rsp->name, c, !!list, 0, 0, 1);
-diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
-index e5c2181f..03f4545 100644
---- a/mm/kasan/kasan.h
-+++ b/mm/kasan/kasan.h
-@@ -53,6 +53,9 @@ struct kasan_global {
- #if KASAN_ABI_VERSION >= 4
- struct kasan_source_location *location;
- #endif
-+#if KASAN_ABI_VERSION >= 5
-+ char *odr_indicator;
-+#endif
- };
-
- /**
-diff --git a/mm/khugepaged.c b/mm/khugepaged.c
-index 728d779..87e1a7ca 100644
---- a/mm/khugepaged.c
-+++ b/mm/khugepaged.c
-@@ -103,6 +103,7 @@ static struct khugepaged_scan khugepaged_scan = {
- .mm_head = LIST_HEAD_INIT(khugepaged_scan.mm_head),
- };
-
-+#ifdef CONFIG_SYSFS
- static ssize_t scan_sleep_millisecs_show(struct kobject *kobj,
- struct kobj_attribute *attr,
- char *buf)
-@@ -295,6 +296,7 @@ struct attribute_group khugepaged_attr_group = {
- .attrs = khugepaged_attr,
- .name = "khugepaged",
- };
-+#endif /* CONFIG_SYSFS */
-
- #define VM_NO_KHUGEPAGED (VM_SPECIAL | VM_HUGETLB)
-
-diff --git a/mm/mlock.c b/mm/mlock.c
-index 14645be..9c91acc 100644
---- a/mm/mlock.c
-+++ b/mm/mlock.c
-@@ -190,10 +190,13 @@ unsigned int munlock_vma_page(struct page *page)
- */
- spin_lock_irq(zone_lru_lock(zone));
-
-- nr_pages = hpage_nr_pages(page);
-- if (!TestClearPageMlocked(page))
-+ if (!TestClearPageMlocked(page)) {
-+ /* Potentially, PTE-mapped THP: do not skip the rest PTEs */
-+ nr_pages = 1;
- goto unlock_out;
-+ }
-
-+ nr_pages = hpage_nr_pages(page);
- __mod_zone_page_state(zone, NR_MLOCK, -nr_pages);
-
- if (__munlock_isolate_lru_page(page, true)) {
-diff --git a/mm/truncate.c b/mm/truncate.c
-index a01cce4..8d8c62d 100644
---- a/mm/truncate.c
-+++ b/mm/truncate.c
-@@ -283,7 +283,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
-
- if (!trylock_page(page))
- continue;
-- WARN_ON(page_to_pgoff(page) != index);
-+ WARN_ON(page_to_index(page) != index);
- if (PageWriteback(page)) {
- unlock_page(page);
- continue;
-@@ -371,7 +371,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
- }
-
- lock_page(page);
-- WARN_ON(page_to_pgoff(page) != index);
-+ WARN_ON(page_to_index(page) != index);
- wait_on_page_writeback(page);
- truncate_inode_page(mapping, page);
- unlock_page(page);
-@@ -492,7 +492,7 @@ unsigned long invalidate_mapping_pages(struct address_space *mapping,
- if (!trylock_page(page))
- continue;
-
-- WARN_ON(page_to_pgoff(page) != index);
-+ WARN_ON(page_to_index(page) != index);
-
- /* Middle of THP: skip */
- if (PageTransTail(page)) {
-@@ -612,7 +612,7 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
- }
-
- lock_page(page);
-- WARN_ON(page_to_pgoff(page) != index);
-+ WARN_ON(page_to_index(page) != index);
- if (page->mapping != mapping) {
- unlock_page(page);
- continue;
-diff --git a/mm/workingset.c b/mm/workingset.c
-index 617475f..fb1f918 100644
---- a/mm/workingset.c
-+++ b/mm/workingset.c
-@@ -348,7 +348,7 @@ static unsigned long count_shadow_nodes(struct shrinker *shrinker,
- shadow_nodes = list_lru_shrink_count(&workingset_shadow_nodes, sc);
- local_irq_enable();
-
-- if (memcg_kmem_enabled()) {
-+ if (sc->memcg) {
- pages = mem_cgroup_node_nr_lru_pages(sc->memcg, sc->nid,
- LRU_ALL_FILE);
- } else {
-diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
-index 2333777..8af1611 100644
---- a/net/batman-adv/tp_meter.c
-+++ b/net/batman-adv/tp_meter.c
-@@ -837,6 +837,7 @@ static int batadv_tp_send(void *arg)
- primary_if = batadv_primary_if_get_selected(bat_priv);
- if (unlikely(!primary_if)) {
- err = BATADV_TP_REASON_DST_UNREACHABLE;
-+ tp_vars->reason = err;
- goto out;
- }
-
-diff --git a/virt/kvm/arm/vgic/vgic-v2.c b/virt/kvm/arm/vgic/vgic-v2.c
-index 0bf6709..6fb4314 100644
---- a/virt/kvm/arm/vgic/vgic-v2.c
-+++ b/virt/kvm/arm/vgic/vgic-v2.c
-@@ -50,8 +50,10 @@ void vgic_v2_process_maintenance(struct kvm_vcpu *vcpu)
-
- WARN_ON(cpuif->vgic_lr[lr] & GICH_LR_STATE);
-
-- kvm_notify_acked_irq(vcpu->kvm, 0,
-- intid - VGIC_NR_PRIVATE_IRQS);
-+ /* Only SPIs require notification */
-+ if (vgic_valid_spi(vcpu->kvm, intid))
-+ kvm_notify_acked_irq(vcpu->kvm, 0,
-+ intid - VGIC_NR_PRIVATE_IRQS);
- }
- }
-
-diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
-index 9f0dae3..5c9f974 100644
---- a/virt/kvm/arm/vgic/vgic-v3.c
-+++ b/virt/kvm/arm/vgic/vgic-v3.c
-@@ -41,8 +41,10 @@ void vgic_v3_process_maintenance(struct kvm_vcpu *vcpu)
-
- WARN_ON(cpuif->vgic_lr[lr] & ICH_LR_STATE);
-
-- kvm_notify_acked_irq(vcpu->kvm, 0,
-- intid - VGIC_NR_PRIVATE_IRQS);
-+ /* Only SPIs require notification */
-+ if (vgic_valid_spi(vcpu->kvm, intid))
-+ kvm_notify_acked_irq(vcpu->kvm, 0,
-+ intid - VGIC_NR_PRIVATE_IRQS);
- }
-
- /*
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 1950782..690d15e 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -2852,10 +2852,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
-
- ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
- if (ret < 0) {
-- ops->destroy(dev);
- mutex_lock(&kvm->lock);
- list_del(&dev->vm_node);
- mutex_unlock(&kvm->lock);
-+ ops->destroy(dev);
- return ret;
- }
-
diff --git a/4.8.15/1013_linux-4.8.14.patch b/4.8.15/1013_linux-4.8.14.patch
deleted file mode 100644
index 63d837b..0000000
--- a/4.8.15/1013_linux-4.8.14.patch
+++ /dev/null
@@ -1,1725 +0,0 @@
-diff --git a/Makefile b/Makefile
-index b38abe9..6a74924 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 8
--SUBLEVEL = 13
-+SUBLEVEL = 14
- EXTRAVERSION =
- NAME = Psychotic Stoned Sheep
-
-diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c
-index c3c12ef..9c0c8fd 100644
---- a/arch/sparc/kernel/signal_32.c
-+++ b/arch/sparc/kernel/signal_32.c
-@@ -89,7 +89,7 @@ asmlinkage void do_sigreturn(struct pt_regs *regs)
- sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
-
- /* 1. Make sure we are not getting garbage from the user */
-- if (!invalid_frame_pointer(sf, sizeof(*sf)))
-+ if (invalid_frame_pointer(sf, sizeof(*sf)))
- goto segv_and_exit;
-
- if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
-@@ -150,7 +150,7 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
-
- synchronize_user_stack();
- sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
-- if (!invalid_frame_pointer(sf, sizeof(*sf)))
-+ if (invalid_frame_pointer(sf, sizeof(*sf)))
- goto segv;
-
- if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
-diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
-index 7ac6b62..05c7708 100644
---- a/arch/sparc/mm/init_64.c
-+++ b/arch/sparc/mm/init_64.c
-@@ -802,8 +802,10 @@ struct mdesc_mblock {
- };
- static struct mdesc_mblock *mblocks;
- static int num_mblocks;
-+static int find_numa_node_for_addr(unsigned long pa,
-+ struct node_mem_mask *pnode_mask);
-
--static unsigned long ra_to_pa(unsigned long addr)
-+static unsigned long __init ra_to_pa(unsigned long addr)
- {
- int i;
-
-@@ -819,8 +821,11 @@ static unsigned long ra_to_pa(unsigned long addr)
- return addr;
- }
-
--static int find_node(unsigned long addr)
-+static int __init find_node(unsigned long addr)
- {
-+ static bool search_mdesc = true;
-+ static struct node_mem_mask last_mem_mask = { ~0UL, ~0UL };
-+ static int last_index;
- int i;
-
- addr = ra_to_pa(addr);
-@@ -830,13 +835,30 @@ static int find_node(unsigned long addr)
- if ((addr & p->mask) == p->val)
- return i;
- }
-- /* The following condition has been observed on LDOM guests.*/
-- WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node"
-- " rule. Some physical memory will be owned by node 0.");
-- return 0;
-+ /* The following condition has been observed on LDOM guests because
-+ * node_masks only contains the best latency mask and value.
-+ * LDOM guest's mdesc can contain a single latency group to
-+ * cover multiple address range. Print warning message only if the
-+ * address cannot be found in node_masks nor mdesc.
-+ */
-+ if ((search_mdesc) &&
-+ ((addr & last_mem_mask.mask) != last_mem_mask.val)) {
-+ /* find the available node in the mdesc */
-+ last_index = find_numa_node_for_addr(addr, &last_mem_mask);
-+ numadbg("find_node: latency group for address 0x%lx is %d\n",
-+ addr, last_index);
-+ if ((last_index < 0) || (last_index >= num_node_masks)) {
-+ /* WARN_ONCE() and use default group 0 */
-+ WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node rule. Some physical memory will be owned by node 0.");
-+ search_mdesc = false;
-+ last_index = 0;
-+ }
-+ }
-+
-+ return last_index;
- }
-
--static u64 memblock_nid_range(u64 start, u64 end, int *nid)
-+static u64 __init memblock_nid_range(u64 start, u64 end, int *nid)
- {
- *nid = find_node(start);
- start += PAGE_SIZE;
-@@ -1160,6 +1182,41 @@ int __node_distance(int from, int to)
- return numa_latency[from][to];
- }
-
-+static int find_numa_node_for_addr(unsigned long pa,
-+ struct node_mem_mask *pnode_mask)
-+{
-+ struct mdesc_handle *md = mdesc_grab();
-+ u64 node, arc;
-+ int i = 0;
-+
-+ node = mdesc_node_by_name(md, MDESC_NODE_NULL, "latency-groups");
-+ if (node == MDESC_NODE_NULL)
-+ goto out;
-+
-+ mdesc_for_each_node_by_name(md, node, "group") {
-+ mdesc_for_each_arc(arc, md, node, MDESC_ARC_TYPE_FWD) {
-+ u64 target = mdesc_arc_target(md, arc);
-+ struct mdesc_mlgroup *m = find_mlgroup(target);
-+
-+ if (!m)
-+ continue;
-+ if ((pa & m->mask) == m->match) {
-+ if (pnode_mask) {
-+ pnode_mask->mask = m->mask;
-+ pnode_mask->val = m->match;
-+ }
-+ mdesc_release(md);
-+ return i;
-+ }
-+ }
-+ i++;
-+ }
-+
-+out:
-+ mdesc_release(md);
-+ return -1;
-+}
-+
- static int __init find_best_numa_node_for_mlgroup(struct mdesc_mlgroup *grp)
- {
- int i;
-diff --git a/block/blk-map.c b/block/blk-map.c
-index b8657fa..27fd8d92 100644
---- a/block/blk-map.c
-+++ b/block/blk-map.c
-@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
- struct iov_iter i;
- int ret;
-
-+ if (!iter_is_iovec(iter))
-+ goto fail;
-+
- if (map_data)
- copy = true;
- else if (iov_iter_alignment(iter) & align)
-@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
-
- unmap_rq:
- __blk_rq_unmap_user(bio);
-+fail:
- rq->bio = NULL;
- return -EINVAL;
- }
-diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
-index bda37d3..b081929 100644
---- a/drivers/net/dsa/b53/b53_common.c
-+++ b/drivers/net/dsa/b53/b53_common.c
-@@ -904,9 +904,10 @@ static void b53_vlan_add(struct dsa_switch *ds, int port,
-
- vl->members |= BIT(port) | BIT(cpu_port);
- if (untagged)
-- vl->untag |= BIT(port) | BIT(cpu_port);
-+ vl->untag |= BIT(port);
- else
-- vl->untag &= ~(BIT(port) | BIT(cpu_port));
-+ vl->untag &= ~BIT(port);
-+ vl->untag &= ~BIT(cpu_port);
-
- b53_set_vlan_entry(dev, vid, vl);
- b53_fast_age_vlan(dev, vid);
-@@ -915,8 +916,6 @@ static void b53_vlan_add(struct dsa_switch *ds, int port,
- if (pvid) {
- b53_write16(dev, B53_VLAN_PAGE, B53_VLAN_PORT_DEF_TAG(port),
- vlan->vid_end);
-- b53_write16(dev, B53_VLAN_PAGE, B53_VLAN_PORT_DEF_TAG(cpu_port),
-- vlan->vid_end);
- b53_fast_age_vlan(dev, vid);
- }
- }
-@@ -926,7 +925,6 @@ static int b53_vlan_del(struct dsa_switch *ds, int port,
- {
- struct b53_device *dev = ds_to_priv(ds);
- bool untagged = vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED;
-- unsigned int cpu_port = dev->cpu_port;
- struct b53_vlan *vl;
- u16 vid;
- u16 pvid;
-@@ -939,8 +937,6 @@ static int b53_vlan_del(struct dsa_switch *ds, int port,
- b53_get_vlan_entry(dev, vid, vl);
-
- vl->members &= ~BIT(port);
-- if ((vl->members & BIT(cpu_port)) == BIT(cpu_port))
-- vl->members = 0;
-
- if (pvid == vid) {
- if (is5325(dev) || is5365(dev))
-@@ -949,18 +945,14 @@ static int b53_vlan_del(struct dsa_switch *ds, int port,
- pvid = 0;
- }
-
-- if (untagged) {
-+ if (untagged)
- vl->untag &= ~(BIT(port));
-- if ((vl->untag & BIT(cpu_port)) == BIT(cpu_port))
-- vl->untag = 0;
-- }
-
- b53_set_vlan_entry(dev, vid, vl);
- b53_fast_age_vlan(dev, vid);
- }
-
- b53_write16(dev, B53_VLAN_PAGE, B53_VLAN_PORT_DEF_TAG(port), pvid);
-- b53_write16(dev, B53_VLAN_PAGE, B53_VLAN_PORT_DEF_TAG(cpu_port), pvid);
- b53_fast_age_vlan(dev, pvid);
-
- return 0;
-diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
-index b2b8387..4036865 100644
---- a/drivers/net/dsa/bcm_sf2.c
-+++ b/drivers/net/dsa/bcm_sf2.c
-@@ -1167,6 +1167,7 @@ static void bcm_sf2_sw_adjust_link(struct dsa_switch *ds, int port,
- struct phy_device *phydev)
- {
- struct bcm_sf2_priv *priv = ds_to_priv(ds);
-+ struct ethtool_eee *p = &priv->port_sts[port].eee;
- u32 id_mode_dis = 0, port_mode;
- const char *str = NULL;
- u32 reg;
-@@ -1241,6 +1242,9 @@ static void bcm_sf2_sw_adjust_link(struct dsa_switch *ds, int port,
- reg |= DUPLX_MODE;
-
- core_writel(priv, reg, CORE_STS_OVERRIDE_GMIIP_PORT(port));
-+
-+ if (!phydev->is_pseudo_fixed_link)
-+ p->eee_enabled = bcm_sf2_eee_init(ds, port, phydev);
- }
-
- static void bcm_sf2_sw_fixed_link_update(struct dsa_switch *ds, int port,
-diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-index 5414563..842d8b9 100644
---- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-@@ -1172,6 +1172,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
- struct bcmgenet_tx_ring *ring)
- {
- struct bcmgenet_priv *priv = netdev_priv(dev);
-+ struct device *kdev = &priv->pdev->dev;
- struct enet_cb *tx_cb_ptr;
- struct netdev_queue *txq;
- unsigned int pkts_compl = 0;
-@@ -1199,13 +1200,13 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
- if (tx_cb_ptr->skb) {
- pkts_compl++;
- bytes_compl += GENET_CB(tx_cb_ptr->skb)->bytes_sent;
-- dma_unmap_single(&dev->dev,
-+ dma_unmap_single(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
- bcmgenet_free_cb(tx_cb_ptr);
- } else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) {
-- dma_unmap_page(&dev->dev,
-+ dma_unmap_page(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
-@@ -1775,6 +1776,7 @@ static int bcmgenet_alloc_rx_buffers(struct bcmgenet_priv *priv,
-
- static void bcmgenet_free_rx_buffers(struct bcmgenet_priv *priv)
- {
-+ struct device *kdev = &priv->pdev->dev;
- struct enet_cb *cb;
- int i;
-
-@@ -1782,7 +1784,7 @@ static void bcmgenet_free_rx_buffers(struct bcmgenet_priv *priv)
- cb = &priv->rx_cbs[i];
-
- if (dma_unmap_addr(cb, dma_addr)) {
-- dma_unmap_single(&priv->dev->dev,
-+ dma_unmap_single(kdev,
- dma_unmap_addr(cb, dma_addr),
- priv->rx_buf_len, DMA_FROM_DEVICE);
- dma_unmap_addr_set(cb, dma_addr, 0);
-diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c
-index d954a97..ef0dbcf 100644
---- a/drivers/net/ethernet/cadence/macb.c
-+++ b/drivers/net/ethernet/cadence/macb.c
-@@ -959,6 +959,7 @@ static inline void macb_init_rx_ring(struct macb *bp)
- addr += bp->rx_buffer_size;
- }
- bp->rx_ring[RX_RING_SIZE - 1].addr |= MACB_BIT(RX_WRAP);
-+ bp->rx_tail = 0;
- }
-
- static int macb_rx(struct macb *bp, int budget)
-@@ -1597,8 +1598,6 @@ static void macb_init_rings(struct macb *bp)
- bp->queues[0].tx_head = 0;
- bp->queues[0].tx_tail = 0;
- bp->queues[0].tx_ring[TX_RING_SIZE - 1].ctrl |= MACB_BIT(TX_WRAP);
--
-- bp->rx_tail = 0;
- }
-
- static void macb_reset_hw(struct macb *bp)
-diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
-index 467138b..d747e17 100644
---- a/drivers/net/ethernet/marvell/sky2.c
-+++ b/drivers/net/ethernet/marvell/sky2.c
-@@ -5220,6 +5220,19 @@ static SIMPLE_DEV_PM_OPS(sky2_pm_ops, sky2_suspend, sky2_resume);
-
- static void sky2_shutdown(struct pci_dev *pdev)
- {
-+ struct sky2_hw *hw = pci_get_drvdata(pdev);
-+ int port;
-+
-+ for (port = 0; port < hw->ports; port++) {
-+ struct net_device *ndev = hw->dev[port];
-+
-+ rtnl_lock();
-+ if (netif_running(ndev)) {
-+ dev_close(ndev);
-+ netif_device_detach(ndev);
-+ }
-+ rtnl_unlock();
-+ }
- sky2_suspend(&pdev->dev);
- pci_wake_from_d3(pdev, device_may_wakeup(&pdev->dev));
- pci_set_power_state(pdev, PCI_D3hot);
-diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
-index 054e795..92c9a95 100644
---- a/drivers/net/ethernet/renesas/sh_eth.c
-+++ b/drivers/net/ethernet/renesas/sh_eth.c
-@@ -518,7 +518,7 @@ static struct sh_eth_cpu_data r7s72100_data = {
-
- .ecsr_value = ECSR_ICD,
- .ecsipr_value = ECSIPR_ICDIP,
-- .eesipr_value = 0xff7f009f,
-+ .eesipr_value = 0xe77f009f,
-
- .tx_check = EESR_TC1 | EESR_FTC,
- .eesr_err_check = EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
-diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
-index 16af1ce..5ad706b 100644
---- a/drivers/net/geneve.c
-+++ b/drivers/net/geneve.c
-@@ -844,7 +844,6 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- struct geneve_dev *geneve = netdev_priv(dev);
- struct geneve_sock *gs4 = geneve->sock4;
- struct rtable *rt = NULL;
-- const struct iphdr *iip; /* interior IP header */
- int err = -EINVAL;
- struct flowi4 fl4;
- __u8 tos, ttl;
-@@ -871,8 +870,6 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
- skb_reset_mac_header(skb);
-
-- iip = ip_hdr(skb);
--
- if (info) {
- const struct ip_tunnel_key *key = &info->key;
- u8 *opts = NULL;
-@@ -892,7 +889,7 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- if (unlikely(err))
- goto tx_error;
-
-- tos = ip_tunnel_ecn_encap(key->tos, iip, skb);
-+ tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
- ttl = key->ttl;
- df = key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0;
- } else {
-@@ -901,7 +898,7 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- if (unlikely(err))
- goto tx_error;
-
-- tos = ip_tunnel_ecn_encap(fl4.flowi4_tos, iip, skb);
-+ tos = ip_tunnel_ecn_encap(fl4.flowi4_tos, ip_hdr(skb), skb);
- ttl = geneve->ttl;
- if (!ttl && IN_MULTICAST(ntohl(fl4.daddr)))
- ttl = 1;
-@@ -934,7 +931,6 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- struct geneve_dev *geneve = netdev_priv(dev);
- struct geneve_sock *gs6 = geneve->sock6;
- struct dst_entry *dst = NULL;
-- const struct iphdr *iip; /* interior IP header */
- int err = -EINVAL;
- struct flowi6 fl6;
- __u8 prio, ttl;
-@@ -959,8 +955,6 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
- skb_reset_mac_header(skb);
-
-- iip = ip_hdr(skb);
--
- if (info) {
- const struct ip_tunnel_key *key = &info->key;
- u8 *opts = NULL;
-@@ -981,7 +975,7 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- if (unlikely(err))
- goto tx_error;
-
-- prio = ip_tunnel_ecn_encap(key->tos, iip, skb);
-+ prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
- ttl = key->ttl;
- label = info->key.label;
- } else {
-@@ -991,7 +985,7 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
- goto tx_error;
-
- prio = ip_tunnel_ecn_encap(ip6_tclass(fl6.flowlabel),
-- iip, skb);
-+ ip_hdr(skb), skb);
- ttl = geneve->ttl;
- if (!ttl && ipv6_addr_is_multicast(&fl6.daddr))
- ttl = 1;
-diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
-index c47ec0a..dd623f6 100644
---- a/drivers/net/usb/cdc_ether.c
-+++ b/drivers/net/usb/cdc_ether.c
-@@ -388,12 +388,6 @@ void usbnet_cdc_status(struct usbnet *dev, struct urb *urb)
- case USB_CDC_NOTIFY_NETWORK_CONNECTION:
- netif_dbg(dev, timer, dev->net, "CDC: carrier %s\n",
- event->wValue ? "on" : "off");
--
-- /* Work-around for devices with broken off-notifications */
-- if (event->wValue &&
-- !test_bit(__LINK_STATE_NOCARRIER, &dev->net->state))
-- usbnet_link_change(dev, 0, 0);
--
- usbnet_link_change(dev, !!event->wValue, 0);
- break;
- case USB_CDC_NOTIFY_SPEED_CHANGE: /* tx/rx rates */
-@@ -466,6 +460,36 @@ static int usbnet_cdc_zte_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
- return 1;
- }
-
-+/* Ensure correct link state
-+ *
-+ * Some devices (ZTE MF823/831/910) export two carrier on notifications when
-+ * connected. This causes the link state to be incorrect. Work around this by
-+ * always setting the state to off, then on.
-+ */
-+void usbnet_cdc_zte_status(struct usbnet *dev, struct urb *urb)
-+{
-+ struct usb_cdc_notification *event;
-+
-+ if (urb->actual_length < sizeof(*event))
-+ return;
-+
-+ event = urb->transfer_buffer;
-+
-+ if (event->bNotificationType != USB_CDC_NOTIFY_NETWORK_CONNECTION) {
-+ usbnet_cdc_status(dev, urb);
-+ return;
-+ }
-+
-+ netif_dbg(dev, timer, dev->net, "CDC: carrier %s\n",
-+ event->wValue ? "on" : "off");
-+
-+ if (event->wValue &&
-+ netif_carrier_ok(dev->net))
-+ netif_carrier_off(dev->net);
-+
-+ usbnet_link_change(dev, !!event->wValue, 0);
-+}
-+
- static const struct driver_info cdc_info = {
- .description = "CDC Ethernet Device",
- .flags = FLAG_ETHER | FLAG_POINTTOPOINT,
-@@ -481,7 +505,7 @@ static const struct driver_info zte_cdc_info = {
- .flags = FLAG_ETHER | FLAG_POINTTOPOINT,
- .bind = usbnet_cdc_zte_bind,
- .unbind = usbnet_cdc_unbind,
-- .status = usbnet_cdc_status,
-+ .status = usbnet_cdc_zte_status,
- .set_rx_mode = usbnet_cdc_update_filter,
- .manage_power = usbnet_manage_power,
- .rx_fixup = usbnet_cdc_zte_rx_fixup,
-diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index bf3fd34..d807209 100644
---- a/drivers/net/virtio_net.c
-+++ b/drivers/net/virtio_net.c
-@@ -1468,6 +1468,11 @@ static void virtnet_free_queues(struct virtnet_info *vi)
- netif_napi_del(&vi->rq[i].napi);
- }
-
-+ /* We called napi_hash_del() before netif_napi_del(),
-+ * we need to respect an RCU grace period before freeing vi->rq
-+ */
-+ synchronize_net();
-+
- kfree(vi->rq);
- kfree(vi->sq);
- }
-diff --git a/include/linux/uio.h b/include/linux/uio.h
-index 75b4aaf..944e7ba 100644
---- a/include/linux/uio.h
-+++ b/include/linux/uio.h
-@@ -102,12 +102,12 @@ int iov_iter_npages(const struct iov_iter *i, int maxpages);
-
- const void *dup_iter(struct iov_iter *new, struct iov_iter *old, gfp_t flags);
-
--static inline size_t iov_iter_count(struct iov_iter *i)
-+static inline size_t iov_iter_count(const struct iov_iter *i)
- {
- return i->count;
- }
-
--static inline bool iter_is_iovec(struct iov_iter *i)
-+static inline bool iter_is_iovec(const struct iov_iter *i)
- {
- return !(i->type & (ITER_BVEC | ITER_KVEC));
- }
-diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
-index d15214d..2a1abbf 100644
---- a/include/net/gro_cells.h
-+++ b/include/net/gro_cells.h
-@@ -68,6 +68,9 @@ static inline int gro_cells_init(struct gro_cells *gcells, struct net_device *de
- struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
-
- __skb_queue_head_init(&cell->napi_skbs);
-+
-+ set_bit(NAPI_STATE_NO_BUSY_POLL, &cell->napi.state);
-+
- netif_napi_add(dev, &cell->napi, gro_cell_poll, 64);
- napi_enable(&cell->napi);
- }
-diff --git a/net/core/flow.c b/net/core/flow.c
-index 3937b1b..18e8893 100644
---- a/net/core/flow.c
-+++ b/net/core/flow.c
-@@ -95,7 +95,6 @@ static void flow_cache_gc_task(struct work_struct *work)
- list_for_each_entry_safe(fce, n, &gc_list, u.gc_list) {
- flow_entry_kill(fce, xfrm);
- atomic_dec(&xfrm->flow_cache_gc_count);
-- WARN_ON(atomic_read(&xfrm->flow_cache_gc_count) < 0);
- }
- }
-
-@@ -236,9 +235,8 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
- if (fcp->hash_count > fc->high_watermark)
- flow_cache_shrink(fc, fcp);
-
-- if (fcp->hash_count > 2 * fc->high_watermark ||
-- atomic_read(&net->xfrm.flow_cache_gc_count) > fc->high_watermark) {
-- atomic_inc(&net->xfrm.flow_cache_genid);
-+ if (atomic_read(&net->xfrm.flow_cache_gc_count) >
-+ 2 * num_online_cpus() * fc->high_watermark) {
- flo = ERR_PTR(-ENOBUFS);
- goto ret_object;
- }
-diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
-index 2c2eb1b..2e9a1c2 100644
---- a/net/core/net_namespace.c
-+++ b/net/core/net_namespace.c
-@@ -217,6 +217,8 @@ int peernet2id_alloc(struct net *net, struct net *peer)
- bool alloc;
- int id;
-
-+ if (atomic_read(&net->count) == 0)
-+ return NETNSA_NSID_NOT_ASSIGNED;
- spin_lock_irqsave(&net->nsid_lock, flags);
- alloc = atomic_read(&peer->count) == 0 ? false : true;
- id = __peernet2id_alloc(net, peer, &alloc);
-diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 189cc78..08c3702 100644
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -1578,7 +1578,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
- head = &net->dev_index_head[h];
- hlist_for_each_entry(dev, head, index_hlist) {
- if (link_dump_filtered(dev, master_idx, kind_ops))
-- continue;
-+ goto cont;
- if (idx < s_idx)
- goto cont;
- err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
-@@ -2791,7 +2791,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
-
- static inline size_t rtnl_fdb_nlmsg_size(void)
- {
-- return NLMSG_ALIGN(sizeof(struct ndmsg)) + nla_total_size(ETH_ALEN);
-+ return NLMSG_ALIGN(sizeof(struct ndmsg)) +
-+ nla_total_size(ETH_ALEN) + /* NDA_LLADDR */
-+ nla_total_size(sizeof(u16)) + /* NDA_VLAN */
-+ 0;
- }
-
- static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 10acacc..ba27920 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
-- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
- /* Wake up sending tasks if we upped the value. */
- sk->sk_write_space(sk);
- break;
-@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- * returning the value we actually used in getsockopt
- * is the most desirable behavior.
- */
-- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
-+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
- break;
-
- case SO_RCVBUFFORCE:
-diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
-index b567c87..edbe59d 100644
---- a/net/dccp/ipv4.c
-+++ b/net/dccp/ipv4.c
-@@ -700,6 +700,7 @@ int dccp_invalid_packet(struct sk_buff *skb)
- {
- const struct dccp_hdr *dh;
- unsigned int cscov;
-+ u8 dccph_doff;
-
- if (skb->pkt_type != PACKET_HOST)
- return 1;
-@@ -721,18 +722,19 @@ int dccp_invalid_packet(struct sk_buff *skb)
- /*
- * If P.Data Offset is too small for packet type, drop packet and return
- */
-- if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
-- DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);
-+ dccph_doff = dh->dccph_doff;
-+ if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
-+ DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
- return 1;
- }
- /*
- * If P.Data Offset is too too large for packet, drop packet and return
- */
-- if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {
-- DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);
-+ if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
-+ DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
- return 1;
- }
--
-+ dh = dccp_hdr(skb);
- /*
- * If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
- * has short sequence numbers), drop packet and return
-diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
-index f30bad9..3bdecd2 100644
---- a/net/dsa/dsa2.c
-+++ b/net/dsa/dsa2.c
-@@ -28,8 +28,10 @@ static struct dsa_switch_tree *dsa_get_dst(u32 tree)
- struct dsa_switch_tree *dst;
-
- list_for_each_entry(dst, &dsa_switch_trees, list)
-- if (dst->tree == tree)
-+ if (dst->tree == tree) {
-+ kref_get(&dst->refcount);
- return dst;
-+ }
- return NULL;
- }
-
-diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index eebbc0f..ed22af6 100644
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -1237,7 +1237,7 @@ struct sk_buff *inet_gso_segment(struct sk_buff *skb,
- fixedid = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TCP_FIXEDID);
-
- /* fixed ID is invalid if DF bit is not set */
-- if (fixedid && !(iph->frag_off & htons(IP_DF)))
-+ if (fixedid && !(ip_hdr(skb)->frag_off & htons(IP_DF)))
- goto out;
- }
-
-diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
-index d95631d..20fb25e 100644
---- a/net/ipv4/esp4.c
-+++ b/net/ipv4/esp4.c
-@@ -476,7 +476,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
- esph = (void *)skb_push(skb, 4);
- *seqhi = esph->spi;
- esph->spi = esph->seq_no;
-- esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
-+ esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
- aead_request_set_callback(req, 0, esp_input_done_esn, skb);
- }
-
-diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index 1b25daf..9301308 100644
---- a/net/ipv4/fib_frontend.c
-+++ b/net/ipv4/fib_frontend.c
-@@ -157,7 +157,7 @@ static void fib_replace_table(struct net *net, struct fib_table *old,
-
- int fib_unmerge(struct net *net)
- {
-- struct fib_table *old, *new;
-+ struct fib_table *old, *new, *main_table;
-
- /* attempt to fetch local table if it has been allocated */
- old = fib_get_table(net, RT_TABLE_LOCAL);
-@@ -168,11 +168,21 @@ int fib_unmerge(struct net *net)
- if (!new)
- return -ENOMEM;
-
-+ /* table is already unmerged */
-+ if (new == old)
-+ return 0;
-+
- /* replace merged table with clean table */
-- if (new != old) {
-- fib_replace_table(net, old, new);
-- fib_free_table(old);
-- }
-+ fib_replace_table(net, old, new);
-+ fib_free_table(old);
-+
-+ /* attempt to fetch main table if it has been allocated */
-+ main_table = fib_get_table(net, RT_TABLE_MAIN);
-+ if (!main_table)
-+ return 0;
-+
-+ /* flush local entries from main table */
-+ fib_table_flush_external(main_table);
-
- return 0;
- }
-diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
-index 7ef7031..84fd7272 100644
---- a/net/ipv4/fib_trie.c
-+++ b/net/ipv4/fib_trie.c
-@@ -681,6 +681,13 @@ static unsigned char update_suffix(struct key_vector *tn)
- {
- unsigned char slen = tn->pos;
- unsigned long stride, i;
-+ unsigned char slen_max;
-+
-+ /* only vector 0 can have a suffix length greater than or equal to
-+ * tn->pos + tn->bits, the second highest node will have a suffix
-+ * length at most of tn->pos + tn->bits - 1
-+ */
-+ slen_max = min_t(unsigned char, tn->pos + tn->bits - 1, tn->slen);
-
- /* search though the list of children looking for nodes that might
- * have a suffix greater than the one we currently have. This is
-@@ -698,12 +705,8 @@ static unsigned char update_suffix(struct key_vector *tn)
- slen = n->slen;
- i &= ~(stride - 1);
-
-- /* if slen covers all but the last bit we can stop here
-- * there will be nothing longer than that since only node
-- * 0 and 1 << (bits - 1) could have that as their suffix
-- * length.
-- */
-- if ((slen + 1) >= (tn->pos + tn->bits))
-+ /* stop searching if we have hit the maximum possible value */
-+ if (slen >= slen_max)
- break;
- }
-
-@@ -875,39 +878,27 @@ static struct key_vector *resize(struct trie *t, struct key_vector *tn)
- return collapse(t, tn);
-
- /* update parent in case halve failed */
-- tp = node_parent(tn);
--
-- /* Return if at least one deflate was run */
-- if (max_work != MAX_WORK)
-- return tp;
--
-- /* push the suffix length to the parent node */
-- if (tn->slen > tn->pos) {
-- unsigned char slen = update_suffix(tn);
--
-- if (slen > tp->slen)
-- tp->slen = slen;
-- }
--
-- return tp;
-+ return node_parent(tn);
- }
-
--static void leaf_pull_suffix(struct key_vector *tp, struct key_vector *l)
-+static void node_pull_suffix(struct key_vector *tn, unsigned char slen)
- {
-- while ((tp->slen > tp->pos) && (tp->slen > l->slen)) {
-- if (update_suffix(tp) > l->slen)
-+ unsigned char node_slen = tn->slen;
-+
-+ while ((node_slen > tn->pos) && (node_slen > slen)) {
-+ slen = update_suffix(tn);
-+ if (node_slen == slen)
- break;
-- tp = node_parent(tp);
-+
-+ tn = node_parent(tn);
-+ node_slen = tn->slen;
- }
- }
-
--static void leaf_push_suffix(struct key_vector *tn, struct key_vector *l)
-+static void node_push_suffix(struct key_vector *tn, unsigned char slen)
- {
-- /* if this is a new leaf then tn will be NULL and we can sort
-- * out parent suffix lengths as a part of trie_rebalance
-- */
-- while (tn->slen < l->slen) {
-- tn->slen = l->slen;
-+ while (tn->slen < slen) {
-+ tn->slen = slen;
- tn = node_parent(tn);
- }
- }
-@@ -1028,6 +1019,7 @@ static int fib_insert_node(struct trie *t, struct key_vector *tp,
- }
-
- /* Case 3: n is NULL, and will just insert a new leaf */
-+ node_push_suffix(tp, new->fa_slen);
- NODE_INIT_PARENT(l, tp);
- put_child_root(tp, key, l);
- trie_rebalance(t, tp);
-@@ -1069,7 +1061,7 @@ static int fib_insert_alias(struct trie *t, struct key_vector *tp,
- /* if we added to the tail node then we need to update slen */
- if (l->slen < new->fa_slen) {
- l->slen = new->fa_slen;
-- leaf_push_suffix(tp, l);
-+ node_push_suffix(tp, new->fa_slen);
- }
-
- return 0;
-@@ -1470,6 +1462,8 @@ static void fib_remove_alias(struct trie *t, struct key_vector *tp,
- * out parent suffix lengths as a part of trie_rebalance
- */
- if (hlist_empty(&l->leaf)) {
-+ if (tp->slen == l->slen)
-+ node_pull_suffix(tp, tp->pos);
- put_child_root(tp, l->key, NULL);
- node_free(l);
- trie_rebalance(t, tp);
-@@ -1482,7 +1476,7 @@ static void fib_remove_alias(struct trie *t, struct key_vector *tp,
-
- /* update the trie with the latest suffix length */
- l->slen = fa->fa_slen;
-- leaf_pull_suffix(tp, l);
-+ node_pull_suffix(tp, fa->fa_slen);
- }
-
- /* Caller must hold RTNL. */
-@@ -1713,8 +1707,10 @@ struct fib_table *fib_trie_unmerge(struct fib_table *oldtb)
- local_l = fib_find_node(lt, &local_tp, l->key);
-
- if (fib_insert_alias(lt, local_tp, local_l, new_fa,
-- NULL, l->key))
-+ NULL, l->key)) {
-+ kmem_cache_free(fn_alias_kmem, new_fa);
- goto out;
-+ }
- }
-
- /* stop loop if key wrapped back to 0 */
-@@ -1751,6 +1747,10 @@ void fib_table_flush_external(struct fib_table *tb)
- if (IS_TRIE(pn))
- break;
-
-+ /* update the suffix to address pulled leaves */
-+ if (pn->slen > pn->pos)
-+ update_suffix(pn);
-+
- /* resize completed node */
- pn = resize(t, pn);
- cindex = get_index(pkey, pn);
-@@ -1826,6 +1826,10 @@ int fib_table_flush(struct fib_table *tb)
- if (IS_TRIE(pn))
- break;
-
-+ /* update the suffix to address pulled leaves */
-+ if (pn->slen > pn->pos)
-+ update_suffix(pn);
-+
- /* resize completed node */
- pn = resize(t, pn);
- cindex = get_index(pkey, pn);
-diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
-index 307daed..f4790c3 100644
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -98,6 +98,9 @@ int __ip_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)
-
- iph->tot_len = htons(skb->len);
- ip_send_check(iph);
-+
-+ skb->protocol = htons(ETH_P_IP);
-+
- return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
- net, sk, skb, NULL, skb_dst(skb)->dev,
- dst_output);
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 66ddcb6..dcdd5ae 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -662,6 +662,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
- if (len > 0xFFFF)
- return -EMSGSIZE;
-
-+ /* Must have at least a full ICMP header. */
-+ if (len < icmph_len)
-+ return -EINVAL;
-+
- /*
- * Check the flags.
- */
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index c0d71e7..a2d54f5 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1451,7 +1451,7 @@ static void udp_v4_rehash(struct sock *sk)
- udp_lib_rehash(sk, new_hash);
- }
-
--static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
- {
- int rc;
-
-diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
-index 7e0fe4b..feb50a1 100644
---- a/net/ipv4/udp_impl.h
-+++ b/net/ipv4/udp_impl.h
-@@ -25,7 +25,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
- int flags, int *addr_len);
- int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size,
- int flags);
--int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
-+int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
- void udp_destroy_sock(struct sock *sk);
-
- #ifdef CONFIG_PROC_FS
-diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
-index 2eea073..705d9fb 100644
---- a/net/ipv4/udplite.c
-+++ b/net/ipv4/udplite.c
-@@ -50,7 +50,7 @@ struct proto udplite_prot = {
- .sendmsg = udp_sendmsg,
- .recvmsg = udp_recvmsg,
- .sendpage = udp_sendpage,
-- .backlog_rcv = udp_queue_rcv_skb,
-+ .backlog_rcv = __udp_queue_rcv_skb,
- .hash = udp_lib_hash,
- .unhash = udp_lib_unhash,
- .get_port = udp_v4_get_port,
-diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index f5432d6..8f2e36f 100644
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -163,7 +163,7 @@ static struct rt6_info *addrconf_get_prefix_route(const struct in6_addr *pfx,
-
- static void addrconf_dad_start(struct inet6_ifaddr *ifp);
- static void addrconf_dad_work(struct work_struct *w);
--static void addrconf_dad_completed(struct inet6_ifaddr *ifp);
-+static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id);
- static void addrconf_dad_run(struct inet6_dev *idev);
- static void addrconf_rs_timer(unsigned long data);
- static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifa);
-@@ -2893,6 +2893,7 @@ static void add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
- spin_lock_bh(&ifp->lock);
- ifp->flags &= ~IFA_F_TENTATIVE;
- spin_unlock_bh(&ifp->lock);
-+ rt_genid_bump_ipv6(dev_net(idev->dev));
- ipv6_ifa_notify(RTM_NEWADDR, ifp);
- in6_ifa_put(ifp);
- }
-@@ -3736,7 +3737,7 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
- {
- struct inet6_dev *idev = ifp->idev;
- struct net_device *dev = idev->dev;
-- bool notify = false;
-+ bool bump_id, notify = false;
-
- addrconf_join_solict(dev, &ifp->addr);
-
-@@ -3751,11 +3752,12 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
- idev->cnf.accept_dad < 1 ||
- !(ifp->flags&IFA_F_TENTATIVE) ||
- ifp->flags & IFA_F_NODAD) {
-+ bump_id = ifp->flags & IFA_F_TENTATIVE;
- ifp->flags &= ~(IFA_F_TENTATIVE|IFA_F_OPTIMISTIC|IFA_F_DADFAILED);
- spin_unlock(&ifp->lock);
- read_unlock_bh(&idev->lock);
-
-- addrconf_dad_completed(ifp);
-+ addrconf_dad_completed(ifp, bump_id);
- return;
- }
-
-@@ -3815,8 +3817,8 @@ static void addrconf_dad_work(struct work_struct *w)
- struct inet6_ifaddr,
- dad_work);
- struct inet6_dev *idev = ifp->idev;
-+ bool bump_id, disable_ipv6 = false;
- struct in6_addr mcaddr;
-- bool disable_ipv6 = false;
-
- enum {
- DAD_PROCESS,
-@@ -3886,11 +3888,12 @@ static void addrconf_dad_work(struct work_struct *w)
- * DAD was successful
- */
-
-+ bump_id = ifp->flags & IFA_F_TENTATIVE;
- ifp->flags &= ~(IFA_F_TENTATIVE|IFA_F_OPTIMISTIC|IFA_F_DADFAILED);
- spin_unlock(&ifp->lock);
- write_unlock_bh(&idev->lock);
-
-- addrconf_dad_completed(ifp);
-+ addrconf_dad_completed(ifp, bump_id);
-
- goto out;
- }
-@@ -3927,7 +3930,7 @@ static bool ipv6_lonely_lladdr(struct inet6_ifaddr *ifp)
- return true;
- }
-
--static void addrconf_dad_completed(struct inet6_ifaddr *ifp)
-+static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id)
- {
- struct net_device *dev = ifp->idev->dev;
- struct in6_addr lladdr;
-@@ -3978,6 +3981,9 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp)
- spin_unlock(&ifp->lock);
- write_unlock_bh(&ifp->idev->lock);
- }
-+
-+ if (bump_id)
-+ rt_genid_bump_ipv6(dev_net(dev));
- }
-
- static void addrconf_dad_run(struct inet6_dev *idev)
-diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
-index 060a60b..111ba55 100644
---- a/net/ipv6/esp6.c
-+++ b/net/ipv6/esp6.c
-@@ -418,7 +418,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
- esph = (void *)skb_push(skb, 4);
- *seqhi = esph->spi;
- esph->spi = esph->seq_no;
-- esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
-+ esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
- aead_request_set_callback(req, 0, esp_input_done_esn, skb);
- }
-
-diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
-index a09418b..93294cf 100644
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -98,7 +98,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
- segs = ops->callbacks.gso_segment(skb, features);
- }
-
-- if (IS_ERR(segs))
-+ if (IS_ERR_OR_NULL(segs))
- goto out;
-
- for (skb = segs; skb; skb = skb->next) {
-diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
-index 41489f3..da4e7b3 100644
---- a/net/ipv6/ip6_tunnel.c
-+++ b/net/ipv6/ip6_tunnel.c
-@@ -1014,6 +1014,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
- int mtu;
- unsigned int psh_hlen = sizeof(struct ipv6hdr) + t->encap_hlen;
- unsigned int max_headroom = psh_hlen;
-+ bool use_cache = false;
- int err = -1;
-
- /* NBMA tunnel */
-@@ -1038,7 +1039,15 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
-
- memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
- neigh_release(neigh);
-- } else if (!fl6->flowi6_mark)
-+ } else if (!(t->parms.flags &
-+ (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
-+ /* enable the cache only only if the routing decision does
-+ * not depend on the current inner header value
-+ */
-+ use_cache = true;
-+ }
-+
-+ if (use_cache)
- dst = dst_cache_get(&t->dst_cache);
-
- if (!ip6_tnl_xmit_ctl(t, &fl6->saddr, &fl6->daddr))
-@@ -1113,7 +1122,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
- skb = new_skb;
- }
-
-- if (!fl6->flowi6_mark && ndst)
-+ if (use_cache && ndst)
- dst_cache_set_ip6(&t->dst_cache, ndst, &fl6->saddr);
- skb_dst_set(skb, dst);
-
-@@ -1134,7 +1143,6 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
- if (err)
- return err;
-
-- skb->protocol = htons(ETH_P_IPV6);
- skb_push(skb, sizeof(struct ipv6hdr));
- skb_reset_network_header(skb);
- ipv6h = ipv6_hdr(skb);
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index 462f2a76b..1d18432 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -148,6 +148,8 @@ int __ip6_local_out(struct net *net, struct sock *sk, struct sk_buff *skb)
- ipv6_hdr(skb)->payload_len = htons(len);
- IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
-
-+ skb->protocol = htons(ETH_P_IPV6);
-+
- return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
- net, sk, skb, NULL, skb_dst(skb)->dev,
- dst_output);
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index c2a8656..fa39ab8 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -514,7 +514,7 @@ void __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
- return;
- }
-
--static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
- {
- int rc;
-
-diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h
-index 0682c03..3c1dbc9 100644
---- a/net/ipv6/udp_impl.h
-+++ b/net/ipv6/udp_impl.h
-@@ -26,7 +26,7 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
- int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
- int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
- int flags, int *addr_len);
--int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
-+int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
- void udpv6_destroy_sock(struct sock *sk);
-
- void udp_v6_clear_sk(struct sock *sk, int size);
-diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c
-index fd6ef41..af2895c 100644
---- a/net/ipv6/udplite.c
-+++ b/net/ipv6/udplite.c
-@@ -45,7 +45,7 @@ struct proto udplitev6_prot = {
- .getsockopt = udpv6_getsockopt,
- .sendmsg = udpv6_sendmsg,
- .recvmsg = udpv6_recvmsg,
-- .backlog_rcv = udpv6_queue_rcv_skb,
-+ .backlog_rcv = __udpv6_queue_rcv_skb,
- .hash = udp_lib_hash,
- .unhash = udp_lib_unhash,
- .get_port = udp_v6_get_port,
-diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
-index 42de4cc..d0e906d 100644
---- a/net/l2tp/l2tp_ip.c
-+++ b/net/l2tp/l2tp_ip.c
-@@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- int ret;
- int chk_addr_ret;
-
-- if (!sock_flag(sk, SOCK_ZAPPED))
-- return -EINVAL;
- if (addr_len < sizeof(struct sockaddr_l2tpip))
- return -EINVAL;
- if (addr->l2tp_family != AF_INET)
-@@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- read_unlock_bh(&l2tp_ip_lock);
-
- lock_sock(sk);
-+ if (!sock_flag(sk, SOCK_ZAPPED))
-+ goto out;
-+
- if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))
- goto out;
-
-diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
-index ea2ae66..b9c6a41 100644
---- a/net/l2tp/l2tp_ip6.c
-+++ b/net/l2tp/l2tp_ip6.c
-@@ -269,8 +269,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- int addr_type;
- int err;
-
-- if (!sock_flag(sk, SOCK_ZAPPED))
-- return -EINVAL;
- if (addr->l2tp_family != AF_INET6)
- return -EINVAL;
- if (addr_len < sizeof(*addr))
-@@ -296,6 +294,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- lock_sock(sk);
-
- err = -EINVAL;
-+ if (!sock_flag(sk, SOCK_ZAPPED))
-+ goto out_unlock;
-+
- if (sk->sk_state != TCP_CLOSE)
- goto out_unlock;
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 62bea45..246f29d 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -329,7 +329,6 @@ static void netlink_sock_destruct(struct sock *sk)
- if (nlk->cb_running) {
- if (nlk->cb.done)
- nlk->cb.done(&nlk->cb);
--
- module_put(nlk->cb.module);
- kfree_skb(nlk->cb.skb);
- }
-@@ -346,6 +345,14 @@ static void netlink_sock_destruct(struct sock *sk)
- WARN_ON(nlk_sk(sk)->groups);
- }
-
-+static void netlink_sock_destruct_work(struct work_struct *work)
-+{
-+ struct netlink_sock *nlk = container_of(work, struct netlink_sock,
-+ work);
-+
-+ sk_free(&nlk->sk);
-+}
-+
- /* This lock without WQ_FLAG_EXCLUSIVE is good on UP and it is _very_ bad on
- * SMP. Look, when several writers sleep and reader wakes them up, all but one
- * immediately hit write lock and grab all the cpus. Exclusive sleep solves
-@@ -648,8 +655,18 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
- static void deferred_put_nlk_sk(struct rcu_head *head)
- {
- struct netlink_sock *nlk = container_of(head, struct netlink_sock, rcu);
-+ struct sock *sk = &nlk->sk;
-+
-+ if (!atomic_dec_and_test(&sk->sk_refcnt))
-+ return;
-+
-+ if (nlk->cb_running && nlk->cb.done) {
-+ INIT_WORK(&nlk->work, netlink_sock_destruct_work);
-+ schedule_work(&nlk->work);
-+ return;
-+ }
-
-- sock_put(&nlk->sk);
-+ sk_free(sk);
- }
-
- static int netlink_release(struct socket *sock)
-diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h
-index 3cfd6cc..4fdb383 100644
---- a/net/netlink/af_netlink.h
-+++ b/net/netlink/af_netlink.h
-@@ -3,6 +3,7 @@
-
- #include <linux/rhashtable.h>
- #include <linux/atomic.h>
-+#include <linux/workqueue.h>
- #include <net/sock.h>
-
- #define NLGRPSZ(x) (ALIGN(x, sizeof(unsigned long) * 8) / 8)
-@@ -33,6 +34,7 @@ struct netlink_sock {
-
- struct rhash_head node;
- struct rcu_head rcu;
-+ struct work_struct work;
- };
-
- static inline struct netlink_sock *nlk_sk(struct sock *sk)
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index d2238b2..dd23323 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
-
- if (optlen != sizeof(val))
- return -EINVAL;
-- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
- switch (val) {
- case TPACKET_V1:
- case TPACKET_V2:
- case TPACKET_V3:
-- po->tp_version = val;
-- return 0;
-+ break;
- default:
- return -EINVAL;
- }
-+ lock_sock(sk);
-+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+ ret = -EBUSY;
-+ } else {
-+ po->tp_version = val;
-+ ret = 0;
-+ }
-+ release_sock(sk);
-+ return ret;
- }
- case PACKET_RESERVE:
- {
-@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
- /* Added to avoid minimal code churn */
- struct tpacket_req *req = &req_u->req;
-
-+ lock_sock(sk);
- /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
- if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
- net_warn_ratelimited("Tx-ring is not supported.\n");
-@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
- goto out;
- }
-
-- lock_sock(sk);
-
- /* Detach socket from network */
- spin_lock(&po->bind_lock);
-@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
- if (!tx_ring)
- prb_shutdown_retire_blk_timer(po, rb_queue);
- }
-- release_sock(sk);
-
- if (pg_vec)
- free_pg_vec(pg_vec, order, req->tp_block_nr);
- out:
-+ release_sock(sk);
- return err;
- }
-
-diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
-index b54d56d..cf9b2fe 100644
---- a/net/sched/act_pedit.c
-+++ b/net/sched/act_pedit.c
-@@ -108,6 +108,17 @@ static void tcf_pedit_cleanup(struct tc_action *a, int bind)
- kfree(keys);
- }
-
-+static bool offset_valid(struct sk_buff *skb, int offset)
-+{
-+ if (offset > 0 && offset > skb->len)
-+ return false;
-+
-+ if (offset < 0 && -offset > skb_headroom(skb))
-+ return false;
-+
-+ return true;
-+}
-+
- static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
- struct tcf_result *res)
- {
-@@ -134,6 +145,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
- if (tkey->offmask) {
- char *d, _d;
-
-+ if (!offset_valid(skb, off + tkey->at)) {
-+ pr_info("tc filter pedit 'at' offset %d out of bounds\n",
-+ off + tkey->at);
-+ goto bad;
-+ }
- d = skb_header_pointer(skb, off + tkey->at, 1,
- &_d);
- if (!d)
-@@ -146,10 +162,10 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
- " offset must be on 32 bit boundaries\n");
- goto bad;
- }
-- if (offset > 0 && offset > skb->len) {
-- pr_info("tc filter pedit"
-- " offset %d can't exceed pkt length %d\n",
-- offset, skb->len);
-+
-+ if (!offset_valid(skb, off + offset)) {
-+ pr_info("tc filter pedit offset %d out of bounds\n",
-+ offset);
- goto bad;
- }
-
-diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
-index 0b8c3ac..1bf1f451 100644
---- a/net/sched/cls_basic.c
-+++ b/net/sched/cls_basic.c
-@@ -62,9 +62,6 @@ static unsigned long basic_get(struct tcf_proto *tp, u32 handle)
- struct basic_head *head = rtnl_dereference(tp->root);
- struct basic_filter *f;
-
-- if (head == NULL)
-- return 0UL;
--
- list_for_each_entry(f, &head->flist, link) {
- if (f->handle == handle) {
- l = (unsigned long) f;
-@@ -109,7 +106,6 @@ static bool basic_destroy(struct tcf_proto *tp, bool force)
- tcf_unbind_filter(tp, &f->res);
- call_rcu(&f->rcu, basic_delete_filter);
- }
-- RCU_INIT_POINTER(tp->root, NULL);
- kfree_rcu(head, rcu);
- return true;
- }
-diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
-index c3002c2..dbec458 100644
---- a/net/sched/cls_bpf.c
-+++ b/net/sched/cls_bpf.c
-@@ -200,7 +200,6 @@ static bool cls_bpf_destroy(struct tcf_proto *tp, bool force)
- call_rcu(&prog->rcu, __cls_bpf_delete_prog);
- }
-
-- RCU_INIT_POINTER(tp->root, NULL);
- kfree_rcu(head, rcu);
- return true;
- }
-@@ -211,9 +210,6 @@ static unsigned long cls_bpf_get(struct tcf_proto *tp, u32 handle)
- struct cls_bpf_prog *prog;
- unsigned long ret = 0UL;
-
-- if (head == NULL)
-- return 0UL;
--
- list_for_each_entry(prog, &head->plist, link) {
- if (prog->handle == handle) {
- ret = (unsigned long) prog;
-diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
-index 4c85bd3..c104c20 100644
---- a/net/sched/cls_cgroup.c
-+++ b/net/sched/cls_cgroup.c
-@@ -130,11 +130,10 @@ static bool cls_cgroup_destroy(struct tcf_proto *tp, bool force)
-
- if (!force)
- return false;
--
-- if (head) {
-- RCU_INIT_POINTER(tp->root, NULL);
-+ /* Head can still be NULL due to cls_cgroup_init(). */
-+ if (head)
- call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
-- }
-+
- return true;
- }
-
-diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
-index fbfec6a..d7ba2b4 100644
---- a/net/sched/cls_flow.c
-+++ b/net/sched/cls_flow.c
-@@ -583,7 +583,6 @@ static bool flow_destroy(struct tcf_proto *tp, bool force)
- list_del_rcu(&f->list);
- call_rcu(&f->rcu, flow_destroy_filter);
- }
-- RCU_INIT_POINTER(tp->root, NULL);
- kfree_rcu(head, rcu);
- return true;
- }
-diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
-index 5060801..a411571 100644
---- a/net/sched/cls_flower.c
-+++ b/net/sched/cls_flower.c
-@@ -13,6 +13,7 @@
- #include <linux/init.h>
- #include <linux/module.h>
- #include <linux/rhashtable.h>
-+#include <linux/workqueue.h>
-
- #include <linux/if_ether.h>
- #include <linux/in6.h>
-@@ -55,7 +56,10 @@ struct cls_fl_head {
- bool mask_assigned;
- struct list_head filters;
- struct rhashtable_params ht_params;
-- struct rcu_head rcu;
-+ union {
-+ struct work_struct work;
-+ struct rcu_head rcu;
-+ };
- };
-
- struct cls_fl_filter {
-@@ -239,6 +243,24 @@ static void fl_hw_update_stats(struct tcf_proto *tp, struct cls_fl_filter *f)
- dev->netdev_ops->ndo_setup_tc(dev, tp->q->handle, tp->protocol, &tc);
- }
-
-+static void fl_destroy_sleepable(struct work_struct *work)
-+{
-+ struct cls_fl_head *head = container_of(work, struct cls_fl_head,
-+ work);
-+ if (head->mask_assigned)
-+ rhashtable_destroy(&head->ht);
-+ kfree(head);
-+ module_put(THIS_MODULE);
-+}
-+
-+static void fl_destroy_rcu(struct rcu_head *rcu)
-+{
-+ struct cls_fl_head *head = container_of(rcu, struct cls_fl_head, rcu);
-+
-+ INIT_WORK(&head->work, fl_destroy_sleepable);
-+ schedule_work(&head->work);
-+}
-+
- static bool fl_destroy(struct tcf_proto *tp, bool force)
- {
- struct cls_fl_head *head = rtnl_dereference(tp->root);
-@@ -252,10 +274,9 @@ static bool fl_destroy(struct tcf_proto *tp, bool force)
- list_del_rcu(&f->list);
- call_rcu(&f->rcu, fl_destroy_filter);
- }
-- RCU_INIT_POINTER(tp->root, NULL);
-- if (head->mask_assigned)
-- rhashtable_destroy(&head->ht);
-- kfree_rcu(head, rcu);
-+
-+ __module_get(THIS_MODULE);
-+ call_rcu(&head->rcu, fl_destroy_rcu);
- return true;
- }
-
-diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
-index 25927b6..f935429 100644
---- a/net/sched/cls_matchall.c
-+++ b/net/sched/cls_matchall.c
-@@ -114,7 +114,6 @@ static bool mall_destroy(struct tcf_proto *tp, bool force)
-
- call_rcu(&f->rcu, mall_destroy_filter);
- }
-- RCU_INIT_POINTER(tp->root, NULL);
- kfree_rcu(head, rcu);
- return true;
- }
-diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
-index f9c9fc0..9992dfa 100644
---- a/net/sched/cls_rsvp.h
-+++ b/net/sched/cls_rsvp.h
-@@ -152,7 +152,8 @@ static int rsvp_classify(struct sk_buff *skb, const struct tcf_proto *tp,
- return -1;
- nhptr = ip_hdr(skb);
- #endif
--
-+ if (unlikely(!head))
-+ return -1;
- restart:
-
- #if RSVP_DST_LEN == 4
-diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
-index 944c8ff..403746b 100644
---- a/net/sched/cls_tcindex.c
-+++ b/net/sched/cls_tcindex.c
-@@ -503,7 +503,6 @@ static bool tcindex_destroy(struct tcf_proto *tp, bool force)
- walker.fn = tcindex_destroy_element;
- tcindex_walk(tp, &walker);
-
-- RCU_INIT_POINTER(tp->root, NULL);
- call_rcu(&p->rcu, __tcindex_destroy);
- return true;
- }
-diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
-index 65b1bbf..6167699 100644
---- a/net/tipc/bearer.c
-+++ b/net/tipc/bearer.c
-@@ -402,6 +402,10 @@ int tipc_enable_l2_media(struct net *net, struct tipc_bearer *b,
- dev = dev_get_by_name(net, driver_name);
- if (!dev)
- return -ENODEV;
-+ if (tipc_mtu_bad(dev, 0)) {
-+ dev_put(dev);
-+ return -EINVAL;
-+ }
-
- /* Associate TIPC bearer with L2 bearer */
- rcu_assign_pointer(b->media_ptr, dev);
-@@ -606,8 +610,6 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
- if (!b)
- return NOTIFY_DONE;
-
-- b->mtu = dev->mtu;
--
- switch (evt) {
- case NETDEV_CHANGE:
- if (netif_carrier_ok(dev))
-@@ -621,6 +623,11 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
- tipc_reset_bearer(net, b);
- break;
- case NETDEV_CHANGEMTU:
-+ if (tipc_mtu_bad(dev, 0)) {
-+ bearer_disable(net, b);
-+ break;
-+ }
-+ b->mtu = dev->mtu;
- tipc_reset_bearer(net, b);
- break;
- case NETDEV_CHANGEADDR:
-diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
-index 43757f1..d93f1f1 100644
---- a/net/tipc/bearer.h
-+++ b/net/tipc/bearer.h
-@@ -39,6 +39,7 @@
-
- #include "netlink.h"
- #include "core.h"
-+#include "msg.h"
- #include <net/genetlink.h>
-
- #define MAX_MEDIA 3
-@@ -59,6 +60,9 @@
- #define TIPC_MEDIA_TYPE_IB 2
- #define TIPC_MEDIA_TYPE_UDP 3
-
-+/* minimum bearer MTU */
-+#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)
-+
- /**
- * struct tipc_media_addr - destination address used by TIPC bearers
- * @value: address info (format defined by media)
-@@ -213,4 +217,13 @@ void tipc_bearer_xmit(struct net *net, u32 bearer_id,
- void tipc_bearer_bc_xmit(struct net *net, u32 bearer_id,
- struct sk_buff_head *xmitq);
-
-+/* check if device MTU is too low for tipc headers */
-+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
-+{
-+ if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
-+ return false;
-+ netdev_warn(dev, "MTU too low for tipc bearer\n");
-+ return true;
-+}
-+
- #endif /* _TIPC_BEARER_H */
-diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
-index ae7e14c..f60f346 100644
---- a/net/tipc/udp_media.c
-+++ b/net/tipc/udp_media.c
-@@ -372,6 +372,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
- udp_conf.local_ip.s_addr = htonl(INADDR_ANY);
- udp_conf.use_udp_checksums = false;
- ub->ifindex = dev->ifindex;
-+ if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
-+ sizeof(struct udphdr))) {
-+ err = -EINVAL;
-+ goto err;
-+ }
- b->mtu = dev->mtu - sizeof(struct iphdr)
- - sizeof(struct udphdr);
- #if IS_ENABLED(CONFIG_IPV6)
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 8309687..568f307 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -2199,7 +2199,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
- * Sleep until more data has arrived. But check for races..
- */
- static long unix_stream_data_wait(struct sock *sk, long timeo,
-- struct sk_buff *last, unsigned int last_len)
-+ struct sk_buff *last, unsigned int last_len,
-+ bool freezable)
- {
- struct sk_buff *tail;
- DEFINE_WAIT(wait);
-@@ -2220,7 +2221,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
-
- sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
- unix_state_unlock(sk);
-- timeo = freezable_schedule_timeout(timeo);
-+ if (freezable)
-+ timeo = freezable_schedule_timeout(timeo);
-+ else
-+ timeo = schedule_timeout(timeo);
- unix_state_lock(sk);
-
- if (sock_flag(sk, SOCK_DEAD))
-@@ -2250,7 +2254,8 @@ struct unix_stream_read_state {
- unsigned int splice_flags;
- };
-
--static int unix_stream_read_generic(struct unix_stream_read_state *state)
-+static int unix_stream_read_generic(struct unix_stream_read_state *state,
-+ bool freezable)
- {
- struct scm_cookie scm;
- struct socket *sock = state->socket;
-@@ -2330,7 +2335,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
- mutex_unlock(&u->iolock);
-
- timeo = unix_stream_data_wait(sk, timeo, last,
-- last_len);
-+ last_len, freezable);
-
- if (signal_pending(current)) {
- err = sock_intr_errno(timeo);
-@@ -2472,7 +2477,7 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
- .flags = flags
- };
-
-- return unix_stream_read_generic(&state);
-+ return unix_stream_read_generic(&state, true);
- }
-
- static ssize_t skb_unix_socket_splice(struct sock *sk,
-@@ -2518,7 +2523,7 @@ static ssize_t unix_stream_splice_read(struct socket *sock, loff_t *ppos,
- flags & SPLICE_F_NONBLOCK)
- state.flags = MSG_DONTWAIT;
-
-- return unix_stream_read_generic(&state);
-+ return unix_stream_read_generic(&state, false);
- }
-
- static int unix_shutdown(struct socket *sock, int mode)
diff --git a/4.8.15/1014_linux-4.8.15.patch b/4.8.15/1014_linux-4.8.15.patch
deleted file mode 100644
index 9b7b2f4..0000000
--- a/4.8.15/1014_linux-4.8.15.patch
+++ /dev/null
@@ -1,1042 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 6a74924..c7f0e79 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 8
--SUBLEVEL = 14
-+SUBLEVEL = 15
- EXTRAVERSION =
- NAME = Psychotic Stoned Sheep
-
-diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
-index 1e90bdb..fb307de 100644
---- a/arch/arm/boot/dts/imx7s.dtsi
-+++ b/arch/arm/boot/dts/imx7s.dtsi
-@@ -640,9 +640,8 @@
- reg = <0x30730000 0x10000>;
- interrupts = <GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>;
- clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>,
-- <&clks IMX7D_CLK_DUMMY>,
-- <&clks IMX7D_CLK_DUMMY>;
-- clock-names = "pix", "axi", "disp_axi";
-+ <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>;
-+ clock-names = "pix", "axi";
- status = "disabled";
- };
- };
-diff --git a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
-index 1cf644b..51dc734 100644
---- a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
-+++ b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
-@@ -82,6 +82,10 @@
- gpios = <&gpio0 9 GPIO_ACTIVE_HIGH>;
- };
-
-+&sata {
-+ nr-ports = <2>;
-+};
-+
- &ehci1 {
- status = "okay";
- };
-diff --git a/arch/m68k/include/asm/delay.h b/arch/m68k/include/asm/delay.h
-index d28fa8f..c598d84 100644
---- a/arch/m68k/include/asm/delay.h
-+++ b/arch/m68k/include/asm/delay.h
-@@ -114,6 +114,6 @@ static inline void __udelay(unsigned long usecs)
- */
- #define HZSCALE (268435456 / (1000000 / HZ))
-
--#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000));
-+#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
-
- #endif /* defined(_M68K_DELAY_H) */
-diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
-index c2c43f7..3a4ed9f 100644
---- a/arch/parisc/include/asm/pgtable.h
-+++ b/arch/parisc/include/asm/pgtable.h
-@@ -65,9 +65,9 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
- unsigned long flags; \
- spin_lock_irqsave(&pa_tlb_lock, flags); \
- old_pte = *ptep; \
-- set_pte(ptep, pteval); \
- if (pte_inserted(old_pte)) \
- purge_tlb_entries(mm, addr); \
-+ set_pte(ptep, pteval); \
- spin_unlock_irqrestore(&pa_tlb_lock, flags); \
- } while (0)
-
-@@ -478,8 +478,8 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned
- spin_unlock_irqrestore(&pa_tlb_lock, flags);
- return 0;
- }
-- set_pte(ptep, pte_mkold(pte));
- purge_tlb_entries(vma->vm_mm, addr);
-+ set_pte(ptep, pte_mkold(pte));
- spin_unlock_irqrestore(&pa_tlb_lock, flags);
- return 1;
- }
-@@ -492,9 +492,9 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
-
- spin_lock_irqsave(&pa_tlb_lock, flags);
- old_pte = *ptep;
-- set_pte(ptep, __pte(0));
- if (pte_inserted(old_pte))
- purge_tlb_entries(mm, addr);
-+ set_pte(ptep, __pte(0));
- spin_unlock_irqrestore(&pa_tlb_lock, flags);
-
- return old_pte;
-@@ -504,8 +504,8 @@ static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr,
- {
- unsigned long flags;
- spin_lock_irqsave(&pa_tlb_lock, flags);
-- set_pte(ptep, pte_wrprotect(*ptep));
- purge_tlb_entries(mm, addr);
-+ set_pte(ptep, pte_wrprotect(*ptep));
- spin_unlock_irqrestore(&pa_tlb_lock, flags);
- }
-
-diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
-index c2259d4..bbb314eb 100644
---- a/arch/parisc/kernel/cache.c
-+++ b/arch/parisc/kernel/cache.c
-@@ -393,6 +393,15 @@ void __init parisc_setup_cache_timing(void)
-
- /* calculate TLB flush threshold */
-
-+ /* On SMP machines, skip the TLB measure of kernel text which
-+ * has been mapped as huge pages. */
-+ if (num_online_cpus() > 1 && !parisc_requires_coherency()) {
-+ threshold = max(cache_info.it_size, cache_info.dt_size);
-+ threshold *= PAGE_SIZE;
-+ threshold /= num_online_cpus();
-+ goto set_tlb_threshold;
-+ }
-+
- alltime = mfctl(16);
- flush_tlb_all();
- alltime = mfctl(16) - alltime;
-@@ -411,6 +420,8 @@ void __init parisc_setup_cache_timing(void)
- alltime, size, rangetime);
-
- threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
-+
-+set_tlb_threshold:
- if (threshold)
- parisc_tlb_flush_threshold = threshold;
- printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
-diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
-index 6755219..a4761b7 100644
---- a/arch/parisc/kernel/pacache.S
-+++ b/arch/parisc/kernel/pacache.S
-@@ -886,19 +886,10 @@ ENTRY(flush_dcache_page_asm)
- fdc,m r31(%r28)
- fdc,m r31(%r28)
- fdc,m r31(%r28)
-- cmpb,COND(<<) %r28, %r25,1b
-+ cmpb,COND(<<) %r28, %r25,1b
- fdc,m r31(%r28)
-
- sync
--
--#ifdef CONFIG_PA20
-- pdtlb,l %r0(%r25)
--#else
-- tlb_lock %r20,%r21,%r22
-- pdtlb %r0(%r25)
-- tlb_unlock %r20,%r21,%r22
--#endif
--
- bv %r0(%r2)
- nop
- .exit
-@@ -973,17 +964,6 @@ ENTRY(flush_icache_page_asm)
- fic,m %r31(%sr4,%r28)
-
- sync
--
--#ifdef CONFIG_PA20
-- pdtlb,l %r0(%r28)
-- pitlb,l %r0(%sr4,%r25)
--#else
-- tlb_lock %r20,%r21,%r22
-- pdtlb %r0(%r28)
-- pitlb %r0(%sr4,%r25)
-- tlb_unlock %r20,%r21,%r22
--#endif
--
- bv %r0(%r2)
- nop
- .exit
-diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
-index 1a2a6e8..1894beb 100644
---- a/arch/powerpc/boot/Makefile
-+++ b/arch/powerpc/boot/Makefile
-@@ -78,7 +78,8 @@ src-wlib-y := string.S crt0.S crtsavres.S stdio.c main.c \
- ns16550.c serial.c simple_alloc.c div64.S util.S \
- gunzip_util.c elf_util.c $(zlib) devtree.c stdlib.c \
- oflib.c ofconsole.c cuboot.c mpsc.c cpm-serial.c \
-- uartlite.c mpc52xx-psc.c opal.c opal-calls.S
-+ uartlite.c mpc52xx-psc.c opal.c
-+src-wlib-$(CONFIG_PPC64_BOOT_WRAPPER) += opal-calls.S
- src-wlib-$(CONFIG_40x) += 4xx.c planetcore.c
- src-wlib-$(CONFIG_44x) += 4xx.c ebony.c bamboo.c
- src-wlib-$(CONFIG_8xx) += mpc8xx.c planetcore.c fsl-soc.c
-diff --git a/arch/powerpc/boot/opal.c b/arch/powerpc/boot/opal.c
-index d7b4fd4..0272570 100644
---- a/arch/powerpc/boot/opal.c
-+++ b/arch/powerpc/boot/opal.c
-@@ -13,7 +13,7 @@
- #include <libfdt.h>
- #include "../include/asm/opal-api.h"
-
--#ifdef __powerpc64__
-+#ifdef CONFIG_PPC64_BOOT_WRAPPER
-
- /* Global OPAL struct used by opal-call.S */
- struct opal {
-diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
-index 29aa8d1..248f28b 100644
---- a/arch/powerpc/kernel/eeh_driver.c
-+++ b/arch/powerpc/kernel/eeh_driver.c
-@@ -671,8 +671,10 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
-
- /* Clear frozen state */
- rc = eeh_clear_pe_frozen_state(pe, false);
-- if (rc)
-+ if (rc) {
-+ pci_unlock_rescan_remove();
- return rc;
-+ }
-
- /* Give the system 5 seconds to finish running the user-space
- * hotplug shutdown scripts, e.g. ifdown for ethernet. Yes,
-diff --git a/arch/powerpc/mm/hash64_4k.c b/arch/powerpc/mm/hash64_4k.c
-index 42c702b..6fa450c 100644
---- a/arch/powerpc/mm/hash64_4k.c
-+++ b/arch/powerpc/mm/hash64_4k.c
-@@ -55,7 +55,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
- */
- rflags = htab_convert_pte_flags(new_pte);
-
-- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
-+ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
- !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
- rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
-
-diff --git a/arch/powerpc/mm/hash64_64k.c b/arch/powerpc/mm/hash64_64k.c
-index 3bbbea0..1a68cb1 100644
---- a/arch/powerpc/mm/hash64_64k.c
-+++ b/arch/powerpc/mm/hash64_64k.c
-@@ -87,7 +87,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
- subpg_pte = new_pte & ~subpg_prot;
- rflags = htab_convert_pte_flags(subpg_pte);
-
-- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
-+ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
- !cpu_has_feature(CPU_FTR_COHERENT_ICACHE)) {
-
- /*
-@@ -258,7 +258,7 @@ int __hash_page_64K(unsigned long ea, unsigned long access,
-
- rflags = htab_convert_pte_flags(new_pte);
-
-- if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
-+ if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
- !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
- rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
-
-diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
-index a4e070a..8c925ec 100644
---- a/arch/x86/events/core.c
-+++ b/arch/x86/events/core.c
-@@ -68,7 +68,7 @@ u64 x86_perf_event_update(struct perf_event *event)
- int shift = 64 - x86_pmu.cntval_bits;
- u64 prev_raw_count, new_raw_count;
- int idx = hwc->idx;
-- s64 delta;
-+ u64 delta;
-
- if (idx == INTEL_PMC_IDX_FIXED_BTS)
- return 0;
-diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
-index 4c9a79b..3ef34c6 100644
---- a/arch/x86/events/intel/core.c
-+++ b/arch/x86/events/intel/core.c
-@@ -4024,7 +4024,7 @@ __init int intel_pmu_init(void)
-
- /* Support full width counters using alternative MSR range */
- if (x86_pmu.intel_cap.full_width_write) {
-- x86_pmu.max_period = x86_pmu.cntval_mask;
-+ x86_pmu.max_period = x86_pmu.cntval_mask >> 1;
- x86_pmu.perfctr = MSR_IA32_PMC0;
- pr_cont("full-width counters, ");
- }
-diff --git a/crypto/Makefile b/crypto/Makefile
-index 99cc64ac..bd6a029 100644
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
-
- $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
- $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
-+$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
- clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
- clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
-
-diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c
-index 86fb59b..c6e9920 100644
---- a/crypto/mcryptd.c
-+++ b/crypto/mcryptd.c
-@@ -254,18 +254,22 @@ static void *mcryptd_alloc_instance(struct crypto_alg *alg, unsigned int head,
- goto out;
- }
-
--static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
-+static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
- u32 *mask)
- {
- struct crypto_attr_type *algt;
-
- algt = crypto_get_attr_type(tb);
- if (IS_ERR(algt))
-- return;
-- if ((algt->type & CRYPTO_ALG_INTERNAL))
-- *type |= CRYPTO_ALG_INTERNAL;
-- if ((algt->mask & CRYPTO_ALG_INTERNAL))
-- *mask |= CRYPTO_ALG_INTERNAL;
-+ return false;
-+
-+ *type |= algt->type & CRYPTO_ALG_INTERNAL;
-+ *mask |= algt->mask & CRYPTO_ALG_INTERNAL;
-+
-+ if (*type & *mask & CRYPTO_ALG_INTERNAL)
-+ return true;
-+ else
-+ return false;
- }
-
- static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
-@@ -492,7 +496,8 @@ static int mcryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
- u32 mask = 0;
- int err;
-
-- mcryptd_check_internal(tb, &type, &mask);
-+ if (!mcryptd_check_internal(tb, &type, &mask))
-+ return -EINVAL;
-
- halg = ahash_attr_alg(tb[1], type, mask);
- if (IS_ERR(halg))
-diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
-index 2accf78..93e0d83 100644
---- a/drivers/acpi/nfit/core.c
-+++ b/drivers/acpi/nfit/core.c
-@@ -94,7 +94,7 @@ static struct acpi_device *to_acpi_dev(struct acpi_nfit_desc *acpi_desc)
- return to_acpi_device(acpi_desc->dev);
- }
-
--static int xlat_status(void *buf, unsigned int cmd, u32 status)
-+static int xlat_bus_status(void *buf, unsigned int cmd, u32 status)
- {
- struct nd_cmd_clear_error *clear_err;
- struct nd_cmd_ars_status *ars_status;
-@@ -113,7 +113,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- flags = ND_ARS_PERSISTENT | ND_ARS_VOLATILE;
- if ((status >> 16 & flags) == 0)
- return -ENOTTY;
-- break;
-+ return 0;
- case ND_CMD_ARS_START:
- /* ARS is in progress */
- if ((status & 0xffff) == NFIT_ARS_START_BUSY)
-@@ -122,7 +122,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- /* Command failed */
- if (status & 0xffff)
- return -EIO;
-- break;
-+ return 0;
- case ND_CMD_ARS_STATUS:
- ars_status = buf;
- /* Command failed */
-@@ -146,7 +146,8 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- * then just continue with the returned results.
- */
- if (status == NFIT_ARS_STATUS_INTR) {
-- if (ars_status->flags & NFIT_ARS_F_OVERFLOW)
-+ if (ars_status->out_length >= 40 && (ars_status->flags
-+ & NFIT_ARS_F_OVERFLOW))
- return -ENOSPC;
- return 0;
- }
-@@ -154,7 +155,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- /* Unknown status */
- if (status >> 16)
- return -EIO;
-- break;
-+ return 0;
- case ND_CMD_CLEAR_ERROR:
- clear_err = buf;
- if (status & 0xffff)
-@@ -163,7 +164,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- return -EIO;
- if (clear_err->length > clear_err->cleared)
- return clear_err->cleared;
-- break;
-+ return 0;
- default:
- break;
- }
-@@ -174,6 +175,16 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
- return 0;
- }
-
-+static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd,
-+ u32 status)
-+{
-+ if (!nvdimm)
-+ return xlat_bus_status(buf, cmd, status);
-+ if (status)
-+ return -EIO;
-+ return 0;
-+}
-+
- static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
- struct nvdimm *nvdimm, unsigned int cmd, void *buf,
- unsigned int buf_len, int *cmd_rc)
-@@ -298,7 +309,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
-
- for (i = 0, offset = 0; i < desc->out_num; i++) {
- u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
-- (u32 *) out_obj->buffer.pointer);
-+ (u32 *) out_obj->buffer.pointer,
-+ out_obj->buffer.length - offset);
-
- if (offset + out_size > out_obj->buffer.length) {
- dev_dbg(dev, "%s:%s output object underflow cmd: %s field: %d\n",
-@@ -333,7 +345,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
- */
- rc = buf_len - offset - in_buf.buffer.length;
- if (cmd_rc)
-- *cmd_rc = xlat_status(buf, cmd, fw_status);
-+ *cmd_rc = xlat_status(nvdimm, buf, cmd,
-+ fw_status);
- } else {
- dev_err(dev, "%s:%s underrun cmd: %s buf_len: %d out_len: %d\n",
- __func__, dimm_name, cmd_name, buf_len,
-@@ -343,7 +356,7 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
- } else {
- rc = 0;
- if (cmd_rc)
-- *cmd_rc = xlat_status(buf, cmd, fw_status);
-+ *cmd_rc = xlat_status(nvdimm, buf, cmd, fw_status);
- }
-
- out:
-@@ -1857,19 +1870,32 @@ static int ars_get_status(struct acpi_nfit_desc *acpi_desc)
- return cmd_rc;
- }
-
--static int ars_status_process_records(struct nvdimm_bus *nvdimm_bus,
-+static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc,
- struct nd_cmd_ars_status *ars_status)
- {
-+ struct nvdimm_bus *nvdimm_bus = acpi_desc->nvdimm_bus;
- int rc;
- u32 i;
-
-+ /*
-+ * First record starts at 44 byte offset from the start of the
-+ * payload.
-+ */
-+ if (ars_status->out_length < 44)
-+ return 0;
- for (i = 0; i < ars_status->num_records; i++) {
-+ /* only process full records */
-+ if (ars_status->out_length
-+ < 44 + sizeof(struct nd_ars_record) * (i + 1))
-+ break;
- rc = nvdimm_bus_add_poison(nvdimm_bus,
- ars_status->records[i].err_address,
- ars_status->records[i].length);
- if (rc)
- return rc;
- }
-+ if (i < ars_status->num_records)
-+ dev_warn(acpi_desc->dev, "detected truncated ars results\n");
-
- return 0;
- }
-@@ -2122,8 +2148,7 @@ static int acpi_nfit_query_poison(struct acpi_nfit_desc *acpi_desc,
- if (rc < 0 && rc != -ENOSPC)
- return rc;
-
-- if (ars_status_process_records(acpi_desc->nvdimm_bus,
-- acpi_desc->ars_status))
-+ if (ars_status_process_records(acpi_desc, acpi_desc->ars_status))
- return -ENOMEM;
-
- return 0;
-diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2b38c1b..7a2e4d4 100644
---- a/drivers/acpi/sleep.c
-+++ b/drivers/acpi/sleep.c
-@@ -47,32 +47,15 @@ static void acpi_sleep_tts_switch(u32 acpi_state)
- }
- }
-
--static void acpi_sleep_pts_switch(u32 acpi_state)
--{
-- acpi_status status;
--
-- status = acpi_execute_simple_method(NULL, "\\_PTS", acpi_state);
-- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
-- /*
-- * OS can't evaluate the _PTS object correctly. Some warning
-- * message will be printed. But it won't break anything.
-- */
-- printk(KERN_NOTICE "Failure in evaluating _PTS object\n");
-- }
--}
--
--static int sleep_notify_reboot(struct notifier_block *this,
-+static int tts_notify_reboot(struct notifier_block *this,
- unsigned long code, void *x)
- {
- acpi_sleep_tts_switch(ACPI_STATE_S5);
--
-- acpi_sleep_pts_switch(ACPI_STATE_S5);
--
- return NOTIFY_DONE;
- }
-
--static struct notifier_block sleep_notifier = {
-- .notifier_call = sleep_notify_reboot,
-+static struct notifier_block tts_notifier = {
-+ .notifier_call = tts_notify_reboot,
- .next = NULL,
- .priority = 0,
- };
-@@ -916,9 +899,9 @@ int __init acpi_sleep_init(void)
- pr_info(PREFIX "(supports%s)\n", supported);
-
- /*
-- * Register the sleep_notifier to reboot notifier list so that the _TTS
-- * and _PTS object can also be evaluated when the system enters S5.
-+ * Register the tts_notifier to reboot notifier list so that the _TTS
-+ * object can also be evaluated when the system enters S5.
- */
-- register_reboot_notifier(&sleep_notifier);
-+ register_reboot_notifier(&tts_notifier);
- return 0;
- }
-diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
-index 5163c8f..5497f7f 100644
---- a/drivers/block/zram/zram_drv.c
-+++ b/drivers/block/zram/zram_drv.c
-@@ -1413,8 +1413,14 @@ static ssize_t hot_remove_store(struct class *class,
- return ret ? ret : count;
- }
-
-+/*
-+ * NOTE: hot_add attribute is not the usual read-only sysfs attribute. In a
-+ * sense that reading from this file does alter the state of your system -- it
-+ * creates a new un-initialized zram device and returns back this device's
-+ * device_id (or an error code if it fails to create a new device).
-+ */
- static struct class_attribute zram_control_class_attrs[] = {
-- __ATTR_RO(hot_add),
-+ __ATTR(hot_add, 0400, hot_add_show, NULL),
- __ATTR_WO(hot_remove),
- __ATTR_NULL,
- };
-diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
-index 0ec112e..2341f37 100644
---- a/drivers/crypto/caam/ctrl.c
-+++ b/drivers/crypto/caam/ctrl.c
-@@ -557,8 +557,9 @@ static int caam_probe(struct platform_device *pdev)
- * Enable DECO watchdogs and, if this is a PHYS_ADDR_T_64BIT kernel,
- * long pointers in master configuration register
- */
-- clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK, MCFGR_AWCACHE_CACH |
-- MCFGR_AWCACHE_BUFF | MCFGR_WDENABLE | MCFGR_LARGE_BURST |
-+ clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
-+ MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
-+ MCFGR_WDENABLE | MCFGR_LARGE_BURST |
- (sizeof(dma_addr_t) == sizeof(u64) ? MCFGR_LONG_PTR : 0));
-
- /*
-diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
-index b111e14..13e89af 100644
---- a/drivers/crypto/marvell/hash.c
-+++ b/drivers/crypto/marvell/hash.c
-@@ -168,12 +168,11 @@ static void mv_cesa_ahash_std_step(struct ahash_request *req)
- mv_cesa_adjust_op(engine, &creq->op_tmpl);
- memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
-
-- digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
-- for (i = 0; i < digsize / 4; i++)
-- writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
--
-- mv_cesa_adjust_op(engine, &creq->op_tmpl);
-- memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
-+ if (!sreq->offset) {
-+ digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
-+ for (i = 0; i < digsize / 4; i++)
-+ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
-+ }
-
- if (creq->cache_ptr)
- memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
-diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c
-index ff64313..4894199 100644
---- a/drivers/dax/dax.c
-+++ b/drivers/dax/dax.c
-@@ -324,7 +324,7 @@ static int check_vma(struct dax_dev *dax_dev, struct vm_area_struct *vma,
- return -ENXIO;
-
- /* prevent private mappings from being established */
-- if ((vma->vm_flags & VM_SHARED) != VM_SHARED) {
-+ if ((vma->vm_flags & VM_MAYSHARE) != VM_MAYSHARE) {
- dev_info(dev, "%s: %s: fail, attempted private mapping\n",
- current->comm, func);
- return -EINVAL;
-diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
-index bfb91d8..1006af4 100644
---- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
-+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
-@@ -872,23 +872,25 @@ static int peak_usb_create_dev(const struct peak_usb_adapter *peak_usb_adapter,
- static void peak_usb_disconnect(struct usb_interface *intf)
- {
- struct peak_usb_device *dev;
-+ struct peak_usb_device *dev_prev_siblings;
-
- /* unregister as many netdev devices as siblings */
-- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
-+ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
- struct net_device *netdev = dev->netdev;
- char name[IFNAMSIZ];
-
-+ dev_prev_siblings = dev->prev_siblings;
- dev->state &= ~PCAN_USB_STATE_CONNECTED;
- strncpy(name, netdev->name, IFNAMSIZ);
-
- unregister_netdev(netdev);
-- free_candev(netdev);
-
- kfree(dev->cmd_buf);
- dev->next_siblings = NULL;
- if (dev->adapter->dev_free)
- dev->adapter->dev_free(dev);
-
-+ free_candev(netdev);
- dev_info(&intf->dev, "%s removed\n", name);
- }
-
-diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
-index a8b6949..23d4a17 100644
---- a/drivers/nvdimm/bus.c
-+++ b/drivers/nvdimm/bus.c
-@@ -715,7 +715,7 @@ EXPORT_SYMBOL_GPL(nd_cmd_in_size);
-
- u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
- const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
-- const u32 *out_field)
-+ const u32 *out_field, unsigned long remainder)
- {
- if (idx >= desc->out_num)
- return UINT_MAX;
-@@ -727,9 +727,24 @@ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
- return in_field[1];
- else if (nvdimm && cmd == ND_CMD_VENDOR && idx == 2)
- return out_field[1];
-- else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2)
-- return out_field[1] - 8;
-- else if (cmd == ND_CMD_CALL) {
-+ else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2) {
-+ /*
-+ * Per table 9-276 ARS Data in ACPI 6.1, out_field[1] is
-+ * "Size of Output Buffer in bytes, including this
-+ * field."
-+ */
-+ if (out_field[1] < 4)
-+ return 0;
-+ /*
-+ * ACPI 6.1 is ambiguous if 'status' is included in the
-+ * output size. If we encounter an output size that
-+ * overshoots the remainder by 4 bytes, assume it was
-+ * including 'status'.
-+ */
-+ if (out_field[1] - 8 == remainder)
-+ return remainder;
-+ return out_field[1] - 4;
-+ } else if (cmd == ND_CMD_CALL) {
- struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
-
- return pkg->nd_size_out;
-@@ -876,7 +891,7 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
- /* process an output envelope */
- for (i = 0; i < desc->out_num; i++) {
- u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i,
-- (u32 *) in_env, (u32 *) out_env);
-+ (u32 *) in_env, (u32 *) out_env, 0);
- u32 copy;
-
- if (out_size == UINT_MAX) {
-diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
-index 7080ce2..8214eba 100644
---- a/drivers/scsi/lpfc/lpfc_sli.c
-+++ b/drivers/scsi/lpfc/lpfc_sli.c
-@@ -1323,18 +1323,20 @@ lpfc_sli_ringtxcmpl_put(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
- {
- lockdep_assert_held(&phba->hbalock);
-
-- BUG_ON(!piocb || !piocb->vport);
-+ BUG_ON(!piocb);
-
- list_add_tail(&piocb->list, &pring->txcmplq);
- piocb->iocb_flag |= LPFC_IO_ON_TXCMPLQ;
-
- if ((unlikely(pring->ringno == LPFC_ELS_RING)) &&
- (piocb->iocb.ulpCommand != CMD_ABORT_XRI_CN) &&
-- (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN) &&
-- (!(piocb->vport->load_flag & FC_UNLOADING)))
-- mod_timer(&piocb->vport->els_tmofunc,
-- jiffies +
-- msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
-+ (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN)) {
-+ BUG_ON(!piocb->vport);
-+ if (!(piocb->vport->load_flag & FC_UNLOADING))
-+ mod_timer(&piocb->vport->els_tmofunc,
-+ jiffies +
-+ msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
-+ }
-
- return 0;
- }
-diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
-index e3b30ea..a504e2e0 100644
---- a/drivers/vhost/vsock.c
-+++ b/drivers/vhost/vsock.c
-@@ -506,7 +506,7 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
- * executing.
- */
-
-- if (!vhost_vsock_get(vsk->local_addr.svm_cid)) {
-+ if (!vhost_vsock_get(vsk->remote_addr.svm_cid)) {
- sock_set_flag(sk, SOCK_DONE);
- vsk->peer_shutdown = SHUTDOWN_MASK;
- sk->sk_state = SS_UNCONNECTED;
-diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
-index df4b3e6..93142bf 100644
---- a/fs/ceph/dir.c
-+++ b/fs/ceph/dir.c
-@@ -1257,26 +1257,30 @@ static int ceph_d_revalidate(struct dentry *dentry, unsigned int flags)
- return -ECHILD;
-
- op = ceph_snap(dir) == CEPH_SNAPDIR ?
-- CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
-+ CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_GETATTR;
- req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
- if (!IS_ERR(req)) {
- req->r_dentry = dget(dentry);
-- req->r_num_caps = 2;
-+ req->r_num_caps = op == CEPH_MDS_OP_GETATTR ? 1 : 2;
-
- mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
- if (ceph_security_xattr_wanted(dir))
- mask |= CEPH_CAP_XATTR_SHARED;
- req->r_args.getattr.mask = mask;
-
-- req->r_locked_dir = dir;
- err = ceph_mdsc_do_request(mdsc, NULL, req);
-- if (err == 0 || err == -ENOENT) {
-- if (dentry == req->r_dentry) {
-- valid = !d_unhashed(dentry);
-- } else {
-- d_invalidate(req->r_dentry);
-- err = -EAGAIN;
-- }
-+ switch (err) {
-+ case 0:
-+ if (d_really_is_positive(dentry) &&
-+ d_inode(dentry) == req->r_target_inode)
-+ valid = 1;
-+ break;
-+ case -ENOENT:
-+ if (d_really_is_negative(dentry))
-+ valid = 1;
-+ /* Fallthrough */
-+ default:
-+ break;
- }
- ceph_mdsc_put_request(req);
- dout("d_revalidate %p lookup result=%d\n",
-diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index 4ff9251..eb5373a 100644
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -1709,8 +1709,6 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
- return -EACCES;
-
- if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {
-- int kill;
--
- attr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |
- ATTR_MODE);
- /*
-@@ -1722,12 +1720,11 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
- return ret;
-
- attr->ia_mode = inode->i_mode;
-- kill = should_remove_suid(entry);
-- if (kill & ATTR_KILL_SUID) {
-+ if (inode->i_mode & S_ISUID) {
- attr->ia_valid |= ATTR_MODE;
- attr->ia_mode &= ~S_ISUID;
- }
-- if (kill & ATTR_KILL_SGID) {
-+ if ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
- attr->ia_valid |= ATTR_MODE;
- attr->ia_mode &= ~S_ISGID;
- }
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index 797d9c8..c8938eb 100644
---- a/include/linux/cpu.h
-+++ b/include/linux/cpu.h
-@@ -105,22 +105,16 @@ extern bool cpuhp_tasks_frozen;
- { .notifier_call = fn, .priority = pri }; \
- __register_cpu_notifier(&fn##_nb); \
- }
--#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
--#define cpu_notifier(fn, pri) do { (void)(fn); } while (0)
--#define __cpu_notifier(fn, pri) do { (void)(fn); } while (0)
--#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-
--#ifdef CONFIG_HOTPLUG_CPU
- extern int register_cpu_notifier(struct notifier_block *nb);
- extern int __register_cpu_notifier(struct notifier_block *nb);
- extern void unregister_cpu_notifier(struct notifier_block *nb);
- extern void __unregister_cpu_notifier(struct notifier_block *nb);
--#else
-
--#ifndef MODULE
--extern int register_cpu_notifier(struct notifier_block *nb);
--extern int __register_cpu_notifier(struct notifier_block *nb);
--#else
-+#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-+#define cpu_notifier(fn, pri) do { (void)(fn); } while (0)
-+#define __cpu_notifier(fn, pri) do { (void)(fn); } while (0)
-+
- static inline int register_cpu_notifier(struct notifier_block *nb)
- {
- return 0;
-@@ -130,7 +124,6 @@ static inline int __register_cpu_notifier(struct notifier_block *nb)
- {
- return 0;
- }
--#endif
-
- static inline void unregister_cpu_notifier(struct notifier_block *nb)
- {
-diff --git a/include/linux/libnvdimm.h b/include/linux/libnvdimm.h
-index bbfce62..d02d65d 100644
---- a/include/linux/libnvdimm.h
-+++ b/include/linux/libnvdimm.h
-@@ -153,7 +153,7 @@ u32 nd_cmd_in_size(struct nvdimm *nvdimm, int cmd,
- const struct nd_cmd_desc *desc, int idx, void *buf);
- u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
- const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
-- const u32 *out_field);
-+ const u32 *out_field, unsigned long remainder);
- int nvdimm_bus_check_dimm_count(struct nvdimm_bus *nvdimm_bus, int dimm_count);
- struct nd_region *nvdimm_pmem_region_create(struct nvdimm_bus *nvdimm_bus,
- struct nd_region_desc *ndr_desc);
-diff --git a/include/uapi/linux/can.h b/include/uapi/linux/can.h
-index 9692cda..c48d93a 100644
---- a/include/uapi/linux/can.h
-+++ b/include/uapi/linux/can.h
-@@ -196,5 +196,6 @@ struct can_filter {
- };
-
- #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
-+#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
-
- #endif /* !_UAPI_CAN_H */
-diff --git a/kernel/cpu.c b/kernel/cpu.c
-index 341bf80..73fb59f 100644
---- a/kernel/cpu.c
-+++ b/kernel/cpu.c
-@@ -578,7 +578,6 @@ void __init cpuhp_threads_init(void)
- kthread_unpark(this_cpu_read(cpuhp_state.thread));
- }
-
--#ifdef CONFIG_HOTPLUG_CPU
- EXPORT_SYMBOL(register_cpu_notifier);
- EXPORT_SYMBOL(__register_cpu_notifier);
- void unregister_cpu_notifier(struct notifier_block *nb)
-@@ -595,6 +594,7 @@ void __unregister_cpu_notifier(struct notifier_block *nb)
- }
- EXPORT_SYMBOL(__unregister_cpu_notifier);
-
-+#ifdef CONFIG_HOTPLUG_CPU
- /**
- * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
- * @cpu: a CPU id
-diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
-index 1ec0f48..2c49d76 100644
---- a/kernel/locking/rtmutex.c
-+++ b/kernel/locking/rtmutex.c
-@@ -65,8 +65,72 @@ static inline void clear_rt_mutex_waiters(struct rt_mutex *lock)
-
- static void fixup_rt_mutex_waiters(struct rt_mutex *lock)
- {
-- if (!rt_mutex_has_waiters(lock))
-- clear_rt_mutex_waiters(lock);
-+ unsigned long owner, *p = (unsigned long *) &lock->owner;
-+
-+ if (rt_mutex_has_waiters(lock))
-+ return;
-+
-+ /*
-+ * The rbtree has no waiters enqueued, now make sure that the
-+ * lock->owner still has the waiters bit set, otherwise the
-+ * following can happen:
-+ *
-+ * CPU 0 CPU 1 CPU2
-+ * l->owner=T1
-+ * rt_mutex_lock(l)
-+ * lock(l->lock)
-+ * l->owner = T1 | HAS_WAITERS;
-+ * enqueue(T2)
-+ * boost()
-+ * unlock(l->lock)
-+ * block()
-+ *
-+ * rt_mutex_lock(l)
-+ * lock(l->lock)
-+ * l->owner = T1 | HAS_WAITERS;
-+ * enqueue(T3)
-+ * boost()
-+ * unlock(l->lock)
-+ * block()
-+ * signal(->T2) signal(->T3)
-+ * lock(l->lock)
-+ * dequeue(T2)
-+ * deboost()
-+ * unlock(l->lock)
-+ * lock(l->lock)
-+ * dequeue(T3)
-+ * ==> wait list is empty
-+ * deboost()
-+ * unlock(l->lock)
-+ * lock(l->lock)
-+ * fixup_rt_mutex_waiters()
-+ * if (wait_list_empty(l) {
-+ * l->owner = owner
-+ * owner = l->owner & ~HAS_WAITERS;
-+ * ==> l->owner = T1
-+ * }
-+ * lock(l->lock)
-+ * rt_mutex_unlock(l) fixup_rt_mutex_waiters()
-+ * if (wait_list_empty(l) {
-+ * owner = l->owner & ~HAS_WAITERS;
-+ * cmpxchg(l->owner, T1, NULL)
-+ * ===> Success (l->owner = NULL)
-+ *
-+ * l->owner = owner
-+ * ==> l->owner = T1
-+ * }
-+ *
-+ * With the check for the waiter bit in place T3 on CPU2 will not
-+ * overwrite. All tasks fiddling with the waiters bit are
-+ * serialized by l->lock, so nothing else can modify the waiters
-+ * bit. If the bit is set then nothing can change l->owner either
-+ * so the simple RMW is safe. The cmpxchg() will simply fail if it
-+ * happens in the middle of the RMW because the waiters bit is
-+ * still set.
-+ */
-+ owner = READ_ONCE(*p);
-+ if (owner & RT_MUTEX_HAS_WAITERS)
-+ WRITE_ONCE(*p, owner & ~RT_MUTEX_HAS_WAITERS);
- }
-
- /*
-diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h
-index 4f5f83c..e317e1c 100644
---- a/kernel/locking/rtmutex_common.h
-+++ b/kernel/locking/rtmutex_common.h
-@@ -75,8 +75,9 @@ task_top_pi_waiter(struct task_struct *p)
-
- static inline struct task_struct *rt_mutex_owner(struct rt_mutex *lock)
- {
-- return (struct task_struct *)
-- ((unsigned long)lock->owner & ~RT_MUTEX_OWNER_MASKALL);
-+ unsigned long owner = (unsigned long) READ_ONCE(lock->owner);
-+
-+ return (struct task_struct *) (owner & ~RT_MUTEX_OWNER_MASKALL);
- }
-
- /*
-diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
-index a5d966c..418d9b6 100644
---- a/kernel/sched/auto_group.c
-+++ b/kernel/sched/auto_group.c
-@@ -192,6 +192,7 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
- {
- static unsigned long next = INITIAL_JIFFIES;
- struct autogroup *ag;
-+ unsigned long shares;
- int err;
-
- if (nice < MIN_NICE || nice > MAX_NICE)
-@@ -210,9 +211,10 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
-
- next = HZ / 10 + jiffies;
- ag = autogroup_task_get(p);
-+ shares = scale_load(sched_prio_to_weight[nice + 20]);
-
- down_write(&ag->lock);
-- err = sched_group_set_shares(ag->tg, sched_prio_to_weight[nice + 20]);
-+ err = sched_group_set_shares(ag->tg, shares);
- if (!err)
- ag->nice = nice;
- up_write(&ag->lock);
-diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
-index 7e6df7a..67f8fa9 100644
---- a/net/batman-adv/translation-table.c
-+++ b/net/batman-adv/translation-table.c
-@@ -2849,7 +2849,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
- &tvlv_tt_data,
- &tt_change,
- &tt_len);
-- if (!tt_len)
-+ if (!tt_len || !tvlv_len)
- goto unlock;
-
- /* Copy the last orig_node's OGM buffer */
-@@ -2867,7 +2867,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
- &tvlv_tt_data,
- &tt_change,
- &tt_len);
-- if (!tt_len)
-+ if (!tt_len || !tvlv_len)
- goto out;
-
- /* fill the rest of the tvlv with the real TT entries */
-diff --git a/net/can/raw.c b/net/can/raw.c
-index 972c187..b075f02 100644
---- a/net/can/raw.c
-+++ b/net/can/raw.c
-@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
- if (optlen % sizeof(struct can_filter) != 0)
- return -EINVAL;
-
-+ if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
-+ return -EINVAL;
-+
- count = optlen / sizeof(struct can_filter);
-
- if (count > 1) {
diff --git a/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch b/4.8.15/4420_grsecurity-3.1-4.8.15-201612301949.patch
index f7b8b72..b16a42d 100644
--- a/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch
+++ b/4.8.15/4420_grsecurity-3.1-4.8.15-201612301949.patch
@@ -22150,24 +22150,28 @@ index 6ca9fd6..4c0aa55 100644
* Vectors 0x30-0x3f are used for ISA interrupts.
* round up to the next 16-vector boundary
diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
-index b77f5ed..3862b91 100644
+index b77f5ed..cbf5ec6 100644
--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
-@@ -23,11 +23,13 @@ static inline unsigned long native_save_fl(void)
+@@ -23,11 +23,17 @@ static inline unsigned long native_save_fl(void)
: /* no input */
: "memory");
++#if !defined(CONFIG_GRKERNSEC_CONFIG_VIRT_HOST) || !defined(CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX)
+ BUG_ON(flags & X86_EFLAGS_AC);
++#endif
return flags;
}
static inline void native_restore_fl(unsigned long flags)
{
++#if !defined(CONFIG_GRKERNSEC_CONFIG_VIRT_HOST) || !defined(CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX)
+ BUG_ON(flags & X86_EFLAGS_AC);
++#endif
asm volatile("push %0 ; popf"
: /* no output */
:"g" (flags)
-@@ -137,6 +139,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
+@@ -137,6 +143,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
swapgs; \
sysretl
@@ -120398,7 +120402,7 @@ index fd6be45..6be6542 100644
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..307ca55
+index 0000000..f1c1ee2
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,1206 @@
@@ -120600,7 +120604,7 @@ index 0000000..307ca55
+config GRKERNSEC_HIDESYM
+ bool "Hide kernel symbols"
+ default y if GRKERNSEC_CONFIG_AUTO
-+ select PAX_USERCOPY_SLABS
++ select PAX_USERCOPY
+ help
+ If you say Y here, getting information on loaded modules, and
+ displaying all kernel symbols through a syscall will be restricted
diff --git a/4.8.15/4426_default_XATTR_PAX_FLAGS.patch b/4.8.15/4426_default_XATTR_PAX_FLAGS.patch
new file mode 100644
index 0000000..f7e97b5
--- /dev/null
+++ b/4.8.15/4426_default_XATTR_PAX_FLAGS.patch
@@ -0,0 +1,36 @@
+diff -Naur linux-4.8.15-hardened-r1.orig/security/Kconfig linux-4.8.15-hardened-r1/security/Kconfig
+--- linux-4.8.15-hardened-r1.orig/security/Kconfig 2017-01-01 12:10:19.638828792 -0500
++++ linux-4.8.15-hardened-r1/security/Kconfig 2017-01-01 12:14:05.434836657 -0500
+@@ -293,7 +293,7 @@
+
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ default n
+ help
+ Enabling this option will allow you to control PaX features on
+ a per executable basis via the 'paxctl' utility available at
+@@ -312,9 +312,12 @@
+ If you enable none of the marking options then all applications
+ will run with PaX enabled on them by default.
+
++ Note for Gentoo: PT_PAX_FLAGS has been deprecated in Gentoo. Enable
++ this only for legacy systems.
++
+ config PAX_XATTR_PAX_FLAGS
+ bool 'Use filesystem extended attributes marking'
+- default y if GRKERNSEC_CONFIG_AUTO
++ default y
+ select CIFS_XATTR if CIFS
+ select EXT2_FS_XATTR if EXT2_FS
+ select EXT3_FS_XATTR if EXT3_FS
+@@ -343,6 +346,9 @@
+ If you enable none of the marking options then all applications
+ will run with PaX enabled on them by default.
+
++ Note for Gentoo: XATTR_PAX_FLAGS is now the default in Gentoo. Do
++ not disable this unless you know what you're doing.
++
+ choice
+ prompt 'MAC system integration'
+ default PAX_HAVE_ACL_FLAGS