[gentoo-commits] proj/linux-patches:4.14 commit in: /

Tue, 07 Aug 2018 11:11:47 -0700 

commit:     49e86e327e9f0a9d5fb487785c6c6b72cf18b5bb
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Tue Aug  7 18:11:17 2018 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Tue Aug  7 18:11:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=49e86e32

Linux patch 4.14.61

 0000_README              |   4 +
 1060_linux-4.14.61.patch | 909 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 913 insertions(+)

diff --git a/0000_README b/0000_README
index 685cb5d..64029e1 100644
--- a/0000_README
+++ b/0000_README
@@ -283,6 +283,10 @@ Patch:  1059_linux-4.14.60.patch
 From:   http://www.kernel.org
 Desc:   Linux 4.14.60
 
+Patch:  1060_linux-4.14.61.patch
+From:   http://www.kernel.org
+Desc:   Linux 4.14.61
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1060_linux-4.14.61.patch b/1060_linux-4.14.61.patch
new file mode 100644
index 0000000..d7a4083
--- /dev/null
+++ b/1060_linux-4.14.61.patch
@@ -0,0 +1,909 @@
+diff --git a/Makefile b/Makefile
+index 5b48ec630990..4bd65eabd298 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 60
++SUBLEVEL = 61
+ EXTRAVERSION =
+ NAME = Petit Gorille
+ 
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index f7bfa701219b..0fae7096ae23 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -933,7 +933,7 @@ ENTRY(\sym)
+ 
+       call    \do_sym
+ 
+-      jmp     error_exit                      /* %ebx: no swapgs flag */
++      jmp     error_exit
+       .endif
+ END(\sym)
+ .endm
+@@ -1166,7 +1166,6 @@ END(paranoid_exit)
+ 
+ /*
+  * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+  */
+ ENTRY(error_entry)
+       UNWIND_HINT_FUNC
+@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
+        * for these here too.
+        */
+ .Lerror_kernelspace:
+-      incl    %ebx
+       leaq    native_irq_return_iret(%rip), %rcx
+       cmpq    %rcx, RIP+8(%rsp)
+       je      .Lerror_bad_iret
+@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
+ 
+       /*
+        * Pretend that the exception came from user mode: set up pt_regs
+-       * as if we faulted immediately after IRET and clear EBX so that
+-       * error_exit knows that we will be returning to user mode.
++       * as if we faulted immediately after IRET.
+        */
+       mov     %rsp, %rdi
+       call    fixup_bad_iret
+       mov     %rax, %rsp
+-      decl    %ebx
+       jmp     .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- *   1: already in kernel mode, don't need SWAPGS
+- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for 
return to usermode
+- */
+ ENTRY(error_exit)
+       UNWIND_HINT_REGS
+       DISABLE_INTERRUPTS(CLBR_ANY)
+       TRACE_IRQS_OFF
+-      testl   %ebx, %ebx
+-      jnz     retint_kernel
++      testb   $3, CS(%rsp)
++      jz      retint_kernel
+       jmp     retint_user
+ END(error_exit)
+ 
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index ebdcc368a2d3..f48a51335538 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void)
+       case 0x04: return 0x02000014;
+       }
+ 
++      if (boot_cpu_data.x86_stepping > 4)
++              return 0;
++
+       return ~0U;
+ }
+ 
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 90747865205d..8d000fde1414 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kvm_vcpu *vcpu)
+                    HRTIMER_MODE_REL_PINNED);
+       vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+ 
++      vmx->nested.vpid02 = allocate_vpid();
++
+       vmx->nested.vmxon = true;
+       return 0;
+ 
+@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm 
*kvm, unsigned int id)
+                       goto free_vmcs;
+       }
+ 
+-      if (nested) {
++      if (nested)
+               nested_vmx_setup_ctls_msrs(vmx);
+-              vmx->nested.vpid02 = allocate_vpid();
+-      }
+ 
+       vmx->nested.posted_intr_nv = -1;
+       vmx->nested.current_vmptr = -1ull;
+@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, 
unsigned int id)
+       return &vmx->vcpu;
+ 
+ free_vmcs:
+-      free_vpid(vmx->nested.vpid02);
+       free_loaded_vmcs(vmx->loaded_vmcs);
+ free_msrs:
+       kfree(vmx->guest_msrs);
+diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
+index c939f18f70cc..7685f557dcc0 100644
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 
*output, void *key,
+               return;
+       }
+ 
++      count -= initial;
++
+       if (initial)
+               asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep 
xcryptecb */
+                             : "+S"(input), "+D"(output)
+@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 
*output, void *key,
+ 
+       asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep xcryptecb */
+                     : "+S"(input), "+D"(output)
+-                    : "d"(control_word), "b"(key), "c"(count - initial));
++                    : "d"(control_word), "b"(key), "c"(count));
+ }
+ 
+ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 
*output, void *key,
+       if (count < cbc_fetch_blocks)
+               return cbc_crypt(input, output, key, iv, control_word, count);
+ 
++      count -= initial;
++
+       if (initial)
+               asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep 
xcryptcbc */
+                             : "+S" (input), "+D" (output), "+a" (iv)
+@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 
*output, void *key,
+ 
+       asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
+                     : "+S" (input), "+D" (output), "+a" (iv)
+-                    : "d" (control_word), "b" (key), "c" (count-initial));
++                    : "d" (control_word), "b" (key), "c" (count));
+       return iv;
+ }
+ 
+diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
+index 77c56264c05b..17590cb2b80d 100644
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct 
drm_plane_state *state)
+                       vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
+               if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
+                       vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
++      } else {
++              vc4_state->x_scaling[1] = VC4_SCALING_NONE;
++              vc4_state->y_scaling[1] = VC4_SCALING_NONE;
+       }
+ 
+       vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
+diff --git a/drivers/infiniband/core/uverbs_cmd.c 
b/drivers/infiniband/core/uverbs_cmd.c
+index b8229d7b0ff5..f836ed1dd300 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_file *file,
+               goto release_qp;
+       }
+ 
+-      if ((cmd->base.attr_mask & IB_QP_AV) &&
+-          !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
+-              ret = -EINVAL;
+-              goto release_qp;
++      if ((cmd->base.attr_mask & IB_QP_AV)) {
++              if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) {
++                      ret = -EINVAL;
++                      goto release_qp;
++              }
++
++              if (cmd->base.attr_mask & IB_QP_STATE &&
++                  cmd->base.qp_state == IB_QPS_RTR) {
++              /* We are in INIT->RTR TRANSITION (if we are not,
++               * this transition will be rejected in subsequent checks).
++               * In the INIT->RTR transition, we cannot have IB_QP_PORT set,
++               * but the IB_QP_STATE flag is required.
++               *
++               * Since kernel 3.14 (commit dbf727de7440), the uverbs driver,
++               * when IB_QP_AV is set, has required inclusion of a valid
++               * port number in the primary AV. (AVs are created and handled
++               * differently for infiniband and ethernet (RoCE) ports).
++               *
++               * Check the port number included in the primary AV against
++               * the port number in the qp struct, which was set (and saved)
++               * in the RST->INIT transition.
++               */
++                      if (cmd->base.dest.port_num != qp->real_qp->port) {
++                              ret = -EINVAL;
++                              goto release_qp;
++                      }
++              } else {
++              /* We are in SQD->SQD. (If we are not, this transition will
++               * be rejected later in the verbs layer checks).
++               * Check for both IB_QP_PORT and IB_QP_AV, these can be set
++               * together in the SQD->SQD transition.
++               *
++               * If only IP_QP_AV was set, add in IB_QP_PORT as well (the
++               * verbs layer driver does not track primary port changes
++               * resulting from path migration. Thus, in SQD, if the primary
++               * AV is modified, the primary port should also be modified).
++               *
++               * Note that in this transition, the IB_QP_STATE flag
++               * is not allowed.
++               */
++                      if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++                           == (IB_QP_AV | IB_QP_PORT)) &&
++                          cmd->base.port_num != cmd->base.dest.port_num) {
++                              ret = -EINVAL;
++                              goto release_qp;
++                      }
++                      if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT))
++                          == IB_QP_AV) {
++                              cmd->base.attr_mask |= IB_QP_PORT;
++                              cmd->base.port_num = cmd->base.dest.port_num;
++                      }
++              }
+       }
+ 
+       if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
+           (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) ||
+-          !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) {
++          !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) ||
++          cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) {
+               ret = -EINVAL;
+               goto release_qp;
+       }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 00245b73c224..15aedb64a02b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1687,6 +1687,8 @@ int bond_enslave(struct net_device *bond_dev, struct 
net_device *slave_dev)
+               goto err_upper_unlink;
+       }
+ 
++      bond->nest_level = dev_get_nest_level(bond_dev) + 1;
++
+       /* If the mode uses primary, then the following is handled by
+        * bond_change_active_slave().
+        */
+@@ -1734,7 +1736,6 @@ int bond_enslave(struct net_device *bond_dev, struct 
net_device *slave_dev)
+       if (bond_mode_uses_xmit_hash(bond))
+               bond_update_slave_arr(bond, NULL);
+ 
+-      bond->nest_level = dev_get_nest_level(bond_dev);
+ 
+       netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n",
+                   slave_dev->name,
+@@ -3379,6 +3380,13 @@ static void bond_fold_stats(struct rtnl_link_stats64 
*_res,
+       }
+ }
+ 
++static int bond_get_nest_level(struct net_device *bond_dev)
++{
++      struct bonding *bond = netdev_priv(bond_dev);
++
++      return bond->nest_level;
++}
++
+ static void bond_get_stats(struct net_device *bond_dev,
+                          struct rtnl_link_stats64 *stats)
+ {
+@@ -3387,7 +3395,7 @@ static void bond_get_stats(struct net_device *bond_dev,
+       struct list_head *iter;
+       struct slave *slave;
+ 
+-      spin_lock(&bond->stats_lock);
++      spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev));
+       memcpy(stats, &bond->bond_stats, sizeof(*stats));
+ 
+       rcu_read_lock();
+@@ -4182,6 +4190,7 @@ static const struct net_device_ops bond_netdev_ops = {
+       .ndo_neigh_setup        = bond_neigh_setup,
+       .ndo_vlan_rx_add_vid    = bond_vlan_rx_add_vid,
+       .ndo_vlan_rx_kill_vid   = bond_vlan_rx_kill_vid,
++      .ndo_get_lock_subclass  = bond_get_nest_level,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+       .ndo_netpoll_setup      = bond_netpoll_setup,
+       .ndo_netpoll_cleanup    = bond_netpoll_cleanup,
+@@ -4680,6 +4689,7 @@ static int bond_init(struct net_device *bond_dev)
+       if (!bond->wq)
+               return -ENOMEM;
+ 
++      bond->nest_level = SINGLE_DEPTH_NESTING;
+       netdev_lockdep_set_classes(bond_dev);
+ 
+       list_add_tail(&bond->bond_list, &bn->dev_list);
+diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
+index b00358297424..d0846ae9e0e4 100644
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct usb_interface 
*intf)
+               usb_free_urb(dev->intr_urb);
+ 
+               kfree(dev->intr_in_buffer);
++              kfree(dev->tx_msg_buffer);
+       }
+ }
+ 
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c 
b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 667415301066..f697084937c3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1616,7 +1616,7 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
+       int vport_num;
+       int err;
+ 
+-      if (!MLX5_VPORT_MANAGER(dev))
++      if (!MLX5_ESWITCH_MANAGER(dev))
+               return 0;
+ 
+       esw_info(dev,
+@@ -1689,7 +1689,7 @@ abort:
+ 
+ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
+ {
+-      if (!esw || !MLX5_VPORT_MANAGER(esw->dev))
++      if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))
+               return;
+ 
+       esw_info(esw->dev, "cleanup\n");
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c 
b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 8d375e51a526..6a393b16a1fc 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+               return -ENOMEM;
+ 
+       /* Enable pci device */
+-      ret = pcim_enable_device(pdev);
++      ret = pci_enable_device(pdev);
+       if (ret) {
+               dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+                       __func__);
+@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+       stmmac_dvr_remove(&pdev->dev);
++      pci_disable_device(pdev);
+ }
+ 
+-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
++static int stmmac_pci_suspend(struct device *dev)
++{
++      struct pci_dev *pdev = to_pci_dev(dev);
++      int ret;
++
++      ret = stmmac_suspend(dev);
++      if (ret)
++              return ret;
++
++      ret = pci_save_state(pdev);
++      if (ret)
++              return ret;
++
++      pci_disable_device(pdev);
++      pci_wake_from_d3(pdev, true);
++      return 0;
++}
++
++static int stmmac_pci_resume(struct device *dev)
++{
++      struct pci_dev *pdev = to_pci_dev(dev);
++      int ret;
++
++      pci_restore_state(pdev);
++      pci_set_power_state(pdev, PCI_D0);
++
++      ret = pci_enable_device(pdev);
++      if (ret)
++              return ret;
++
++      pci_set_master(pdev);
++
++      return stmmac_resume(dev);
++}
++
++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, 
stmmac_pci_resume);
+ 
+ /* synthetic ID, no official vendor */
+ #define PCI_VENDOR_ID_STMMAC 0x700
+diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c 
b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+index 73da5e63a609..2c80c722feca 100644
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c
+@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = {
+       .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
+ };
+ 
++const struct iwl_cfg iwl9260_killer_2ac_cfg = {
++      .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter 
(9260NGW)",
++      .fw_name_pre = IWL9260A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++};
++
+ const struct iwl_cfg iwl9270_2ac_cfg = {
+       .name = "Intel(R) Dual Band Wireless AC 9270",
+       .fw_name_pre = IWL9260A_FW_PRE,
+@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc = {
+       .soc_latency = 5000,
+ };
+ 
++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = {
++      .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = {
++      .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++};
++
+ const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = {
+       .name = "Intel(R) Dual Band Wireless AC 9460",
+       .fw_name_pre = IWL9000A_FW_PRE,
+@@ -326,6 +365,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_shared_clk = {
+       .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
+ };
+ 
++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = {
++      .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter 
(9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++      .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = {
++      .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter 
(9560NGW)",
++      .fw_name_pre = IWL9000A_FW_PRE,
++      .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE,
++      .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE,
++      IWL_DEVICE_9000,
++      .ht_params = &iwl9000_ht_params,
++      .nvm_ver = IWL9000_NVM_VERSION,
++      .nvm_calib_ver = IWL9000_TX_POWER_VERSION,
++      .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
++      .integrated = true,
++      .soc_latency = 5000,
++      .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK
++};
++
+ MODULE_FIRMWARE(IWL9000A_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+ MODULE_FIRMWARE(IWL9000B_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+ MODULE_FIRMWARE(IWL9000RFB_MODULE_FIRMWARE(IWL9000_UCODE_API_MAX));
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h 
b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+index 85fe1a928adc..70f3c327eb4a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_sdio_cfg;
+ extern const struct iwl_cfg iwl4165_2ac_sdio_cfg;
+ extern const struct iwl_cfg iwl9160_2ac_cfg;
+ extern const struct iwl_cfg iwl9260_2ac_cfg;
++extern const struct iwl_cfg iwl9260_killer_2ac_cfg;
+ extern const struct iwl_cfg iwl9270_2ac_cfg;
+ extern const struct iwl_cfg iwl9460_2ac_cfg;
+ extern const struct iwl_cfg iwl9560_2ac_cfg;
+@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc;
+ extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk;
++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr;
+ extern const struct iwl_cfg iwla000_2ac_cfg_hr_cdb;
+ extern const struct iwl_cfg iwla000_2ac_cfg_jf;
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c 
b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 9a8605abb00a..4cbc6cb8bf89 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -543,6 +543,9 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -552,6 +555,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
+@@ -576,6 +580,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)},
+@@ -602,6 +608,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -628,6 +636,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x31DC, 0x1551, iwl9560_killer_s_2ac_cfg_shared_clk)},
++      {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)},
+       {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)},
+@@ -654,6 +664,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -680,6 +692,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -706,6 +720,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -741,6 +757,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0x9DF0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)},
+@@ -769,6 +787,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)},
+@@ -795,6 +815,8 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+       {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
++      {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)},
+       {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)},
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 4d49fb8f2bbc..3a406b40f150 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+       write_lock_irqsave(&sdp->sfd_lock, iflags);
+       if (atomic_read(&sdp->detaching)) {
+               write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++              kfree(sfp);
+               return ERR_PTR(-ENODEV);
+       }
+       list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
+diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
+index f0b3a0b9d42f..36c9fbf70d44 100644
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struct balloon_dev_info 
*vb_dev_info,
+       tell_host(vb, vb->inflate_vq);
+ 
+       /* balloon's page migration 2nd step -- deflate "page" */
++      spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+       balloon_page_delete(page);
++      spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+       vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+       set_page_pfns(vb, vb->pfns, page);
+       tell_host(vb, vb->deflate_vq);
+diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
+index 2751476e6b6e..f098b9f1c396 100644
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, 
int length,
+       }
+ 
+       if (compressed) {
++              if (!msblk->stream)
++                      goto read_failure;
+               length = squashfs_decompress(msblk, bh, b, offset, length,
+                       output);
+               if (length < 0)
+diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
+index 86ad9a4b8c36..0681feab4a84 100644
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned 
int fragment,
+                               u64 *fragment_block)
+ {
+       struct squashfs_sb_info *msblk = sb->s_fs_info;
+-      int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+-      int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+-      u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++      int block, offset, size;
+       struct squashfs_fragment_entry fragment_entry;
+-      int size;
++      u64 start_block;
++
++      if (fragment >= msblk->fragments)
++              return -EIO;
++      block = SQUASHFS_FRAGMENT_INDEX(fragment);
++      offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++      start_block = le64_to_cpu(msblk->fragment_index[block]);
+ 
+       size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+                                       &offset, sizeof(fragment_entry));
+diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
+index 1da565cb50c3..ef69c31947bf 100644
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+       unsigned short                          block_log;
+       long long                               bytes_used;
+       unsigned int                            inodes;
++      unsigned int                            fragments;
+       int                                     xattr_ids;
+ };
+ #endif
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index cf01e15a7b16..1516bb779b8d 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct super_block *sb, 
void *data, int silent)
+       msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+       msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+       msblk->inodes = le32_to_cpu(sblk->inodes);
++      msblk->fragments = le32_to_cpu(sblk->fragments);
+       flags = le16_to_cpu(sblk->flags);
+ 
+       TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct super_block *sb, 
void *data, int silent)
+       TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+       TRACE("Block size %d\n", msblk->block_size);
+       TRACE("Number of inodes %d\n", msblk->inodes);
+-      TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++      TRACE("Number of fragments %d\n", msblk->fragments);
+       TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+       TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+       TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ allocate_id_index_table:
+       sb->s_export_op = &squashfs_export_ops;
+ 
+ handle_fragments:
+-      fragments = le32_to_cpu(sblk->fragments);
++      fragments = msblk->fragments;
+       if (fragments == 0)
+               goto check_directory_table;
+ 
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index f6ed92524a03..3eda623e4cb4 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -628,8 +628,10 @@ static void userfaultfd_event_wait_completion(struct 
userfaultfd_ctx *ctx,
+               /* the various vma->vm_userfaultfd_ctx still points to it */
+               down_write(&mm->mmap_sem);
+               for (vma = mm->mmap; vma; vma = vma->vm_next)
+-                      if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++                      if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+                               vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++                              vma->vm_flags &= ~(VM_UFFD_WP | 
VM_UFFD_MISSING);
++                      }
+               up_write(&mm->mmap_sem);
+ 
+               userfaultfd_ctx_put(release_new_ctx);
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 677053a2fb57..76d789d6cea0 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1274,8 +1274,12 @@ static void show_special(struct audit_context *context, 
int *call_panic)
+               break;
+       case AUDIT_KERN_MODULE:
+               audit_log_format(ab, "name=");
+-              audit_log_untrustedstring(ab, context->module.name);
+-              kfree(context->module.name);
++              if (context->module.name) {
++                      audit_log_untrustedstring(ab, context->module.name);
++                      kfree(context->module.name);
++              } else
++                      audit_log_format(ab, "(null)");
++
+               break;
+       }
+       audit_log_end(ab);
+@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name)
+ {
+       struct audit_context *context = current->audit_context;
+ 
+-      context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+-      strcpy(context->module.name, name);
++      context->module.name = kstrdup(name, GFP_KERNEL);
++      if (!context->module.name)
++              audit_log_lost("out of memory in __audit_log_kern_module");
+       context->type = AUDIT_KERN_MODULE;
+ }
+ 
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 865e29e62bad..242e74b9d454 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1219,6 +1219,9 @@ int dsa_slave_suspend(struct net_device *slave_dev)
+ {
+       struct dsa_slave_priv *p = netdev_priv(slave_dev);
+ 
++      if (!netif_running(slave_dev))
++              return 0;
++
+       netif_device_detach(slave_dev);
+ 
+       if (p->phy) {
+@@ -1236,6 +1239,9 @@ int dsa_slave_resume(struct net_device *slave_dev)
+ {
+       struct dsa_slave_priv *p = netdev_priv(slave_dev);
+ 
++      if (!netif_running(slave_dev))
++              return 0;
++
+       netif_device_attach(slave_dev);
+ 
+       if (p->phy) {
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index e691705f0a85..ba4454ecdf0f 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct 
netns_frags *nf,
+ {
+       struct inet_frag_queue *q;
+ 
+-      if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+-              inet_frag_schedule_worker(f);
+-              return NULL;
+-      }
+-
+       q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+       if (!q)
+               return NULL;
+@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags 
*nf,
+       struct inet_frag_queue *q;
+       int depth = 0;
+ 
++      if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++              inet_frag_schedule_worker(f);
++              return NULL;
++      }
++
+       if (frag_mem_limit(nf) > nf->low_thresh)
+               inet_frag_schedule_worker(f);
+ 
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index df8fe0503de0..4cb1befc3949 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -447,11 +447,16 @@ found:
+               int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
+ 
+               if (i < next->len) {
++                      int delta = -next->truesize;
++
+                       /* Eat head of the next overlapped fragment
+                        * and leave the loop. The next ones cannot overlap.
+                        */
+                       if (!pskb_pull(next, i))
+                               goto err;
++                      delta += next->truesize;
++                      if (delta)
++                              add_frag_mem_limit(qp->q.net, delta);
+                       FRAG_CB(next)->offset += i;
+                       qp->q.meat -= i;
+                       if (next->ip_summed != CHECKSUM_UNNECESSARY)
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index b2fcbf012056..68c9d1833b95 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -63,6 +63,7 @@
+ #include <linux/hash.h>
+ #include <linux/genetlink.h>
+ #include <linux/net_namespace.h>
++#include <linux/nospec.h>
+ 
+ #include <net/net_namespace.h>
+ #include <net/sock.h>
+@@ -647,6 +648,7 @@ static int netlink_create(struct net *net, struct socket 
*sock, int protocol,
+ 
+       if (protocol < 0 || protocol >= MAX_LINKS)
+               return -EPROTONOSUPPORT;
++      protocol = array_index_nospec(protocol, MAX_LINKS);
+ 
+       netlink_lock_table();
+ #ifdef CONFIG_MODULES
+diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
+index 3028298ca561..62b1581d44a5 100644
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -115,9 +115,9 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock 
*rx,
+               while (*pp) {
+                       parent = *pp;
+                       xcall = rb_entry(parent, struct rxrpc_call, sock_node);
+-                      if (user_call_ID < call->user_call_ID)
++                      if (user_call_ID < xcall->user_call_ID)
+                               pp = &(*pp)->rb_left;
+-                      else if (user_call_ID > call->user_call_ID)
++                      else if (user_call_ID > xcall->user_call_ID)
+                               pp = &(*pp)->rb_right;
+                       else
+                               goto id_in_use;
+diff --git a/net/socket.c b/net/socket.c
+index 8b2bef6cfe42..d27922639a20 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+ 
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
+ 
+       if (call < 1 || call > SYS_SENDMMSG)
+               return -EINVAL;
++      call = array_index_nospec(call, SYS_SENDMMSG + 1);
+ 
+       len = nargs[call];
+       if (len > sizeof(a))

Reply via email to