commit:     a564b9e2d597e3b892211ac546222ac3794b10aa
Author:     Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 13 15:00:14 2021 +0000
Commit:     Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
CommitDate: Wed Oct 13 15:00:18 2021 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a564b9e2

Linux patch 4.19.211

Signed-off-by: Alice Ferrazzi <alicef <AT> gentoo.org>

 0000_README               |   4 +
 1210_linux-4.19.211.patch | 663 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 667 insertions(+)

diff --git a/0000_README b/0000_README
index c0c1a0a..ac7acb4 100644
--- a/0000_README
+++ b/0000_README
@@ -879,6 +879,10 @@ Patch:  1209_linux-4.19.210.patch
 From:   https://www.kernel.org
 Desc:   Linux 4.19.210
 
+Patch:  1210_linux-4.19.211.patch
+From:   https://www.kernel.org
+Desc:   Linux 4.19.211
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1210_linux-4.19.211.patch b/1210_linux-4.19.211.patch
new file mode 100644
index 0000000..eea7bdb
--- /dev/null
+++ b/1210_linux-4.19.211.patch
@@ -0,0 +1,663 @@
+diff --git a/Makefile b/Makefile
+index d9c39b3c05d56..d4e6f5d326b06 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 19
+-SUBLEVEL = 210
++SUBLEVEL = 211
+ EXTRAVERSION =
+ NAME = "People's Front"
+ 
+diff --git a/arch/arm/boot/dts/omap3430-sdp.dts 
b/arch/arm/boot/dts/omap3430-sdp.dts
+index d652708f6bef5..56e3db08e9690 100644
+--- a/arch/arm/boot/dts/omap3430-sdp.dts
++++ b/arch/arm/boot/dts/omap3430-sdp.dts
+@@ -104,7 +104,7 @@
+ 
+       nand@1,0 {
+               compatible = "ti,omap2-nand";
+-              reg = <0 0 4>; /* CS0, offset 0, IO size 4 */
++              reg = <1 0 4>; /* CS1, offset 0, IO size 4 */
+               interrupt-parent = <&gpmc>;
+               interrupts = <0 IRQ_TYPE_NONE>, /* fifoevent */
+                            <1 IRQ_TYPE_NONE>; /* termcount */
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi 
b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index d0153bbbdbeb8..00daa844bf8c6 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -1182,7 +1182,7 @@
+               };
+ 
+               gpu: adreno-3xx@4300000 {
+-                      compatible = "qcom,adreno-3xx";
++                      compatible = "qcom,adreno-320.2", "qcom,adreno";
+                       reg = <0x04300000 0x20000>;
+                       reg-names = "kgsl_3d0_reg_memory";
+                       interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_HIGH>;
+@@ -1197,7 +1197,6 @@
+                           <&mmcc GFX3D_AHB_CLK>,
+                           <&mmcc GFX3D_AXI_CLK>,
+                           <&mmcc MMSS_IMEM_AHB_CLK>;
+-                      qcom,chipid = <0x03020002>;
+ 
+                       iommus = <&gfx3d 0
+                                 &gfx3d 1
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 4bfefbec971a6..c3ca6e2cf7ffb 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -15,6 +15,7 @@
+ #include <linux/io.h>
+ #include <linux/irq.h>
+ #include <linux/genalloc.h>
++#include <linux/irqchip/arm-gic.h>
+ #include <linux/mfd/syscon.h>
+ #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
+ #include <linux/of.h>
+@@ -622,6 +623,7 @@ static void __init imx6_pm_common_init(const struct 
imx6_pm_socdata
+ 
+ static void imx6_pm_stby_poweroff(void)
+ {
++      gic_cpu_if_down(0);
+       imx6_set_lpm(STOP_POWER_OFF);
+       imx6q_suspend_finish(0);
+ 
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index 79b12e7445373..dade3a3ba6662 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -39,6 +39,10 @@
+  *                        +-----+
+  *                        |RSVD | JIT scratchpad
+  * current ARM_SP =>      +-----+ <= (BPF_FP - STACK_SIZE + SCRATCH_SIZE)
++ *                        | ... | caller-saved registers
++ *                        +-----+
++ *                        | ... | arguments passed on stack
++ * ARM_SP during call =>  +-----|
+  *                        |     |
+  *                        | ... | Function call stack
+  *                        |     |
+@@ -66,6 +70,12 @@
+  *
+  * When popping registers off the stack at the end of a BPF function, we
+  * reference them via the current ARM_FP register.
++ *
++ * Some eBPF operations are implemented via a call to a helper function.
++ * Such calls are "invisible" in the eBPF code, so it is up to the calling
++ * program to preserve any caller-saved ARM registers during the call. The
++ * JIT emits code to push and pop those registers onto the stack, immediately
++ * above the callee stack frame.
+  */
+ #define CALLEE_MASK   (1 << ARM_R4 | 1 << ARM_R5 | 1 << ARM_R6 | \
+                        1 << ARM_R7 | 1 << ARM_R8 | 1 << ARM_R9 | \
+@@ -73,6 +83,8 @@
+ #define CALLEE_PUSH_MASK (CALLEE_MASK | 1 << ARM_LR)
+ #define CALLEE_POP_MASK  (CALLEE_MASK | 1 << ARM_PC)
+ 
++#define CALLER_MASK   (1 << ARM_R0 | 1 << ARM_R1 | 1 << ARM_R2 | 1 << ARM_R3)
++
+ enum {
+       /* Stack layout - these are offsets from (top of stack - 4) */
+       BPF_R2_HI,
+@@ -467,6 +479,7 @@ static inline int epilogue_offset(const struct jit_ctx 
*ctx)
+ 
+ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 
op)
+ {
++      const int exclude_mask = BIT(ARM_R0) | BIT(ARM_R1);
+       const s8 *tmp = bpf2a32[TMP_REG_1];
+ 
+ #if __LINUX_ARM_ARCH__ == 7
+@@ -498,11 +511,17 @@ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, 
struct jit_ctx *ctx, u8 op)
+               emit(ARM_MOV_R(ARM_R0, rm), ctx);
+       }
+ 
++      /* Push caller-saved registers on stack */
++      emit(ARM_PUSH(CALLER_MASK & ~exclude_mask), ctx);
++
+       /* Call appropriate function */
+       emit_mov_i(ARM_IP, op == BPF_DIV ?
+                  (u32)jit_udiv32 : (u32)jit_mod32, ctx);
+       emit_blx_r(ARM_IP, ctx);
+ 
++      /* Restore caller-saved registers from stack */
++      emit(ARM_POP(CALLER_MASK & ~exclude_mask), ctx);
++
+       /* Save return value */
+       if (rd != ARM_R0)
+               emit(ARM_MOV_R(rd, ARM_R0), ctx);
+diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
+index 4d8cb9bb8365d..43e6597c720c2 100644
+--- a/arch/mips/net/bpf_jit.c
++++ b/arch/mips/net/bpf_jit.c
+@@ -662,6 +662,11 @@ static void build_epilogue(struct jit_ctx *ctx)
+       ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative : func) : \
+        func##_positive)
+ 
++static bool is_bad_offset(int b_off)
++{
++      return b_off > 0x1ffff || b_off < -0x20000;
++}
++
+ static int build_body(struct jit_ctx *ctx)
+ {
+       const struct bpf_prog *prog = ctx->skf;
+@@ -728,7 +733,10 @@ load_common:
+                       /* Load return register on DS for failures */
+                       emit_reg_move(r_ret, r_zero, ctx);
+                       /* Return with error */
+-                      emit_b(b_imm(prog->len, ctx), ctx);
++                      b_off = b_imm(prog->len, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_b(b_off, ctx);
+                       emit_nop(ctx);
+                       break;
+               case BPF_LD | BPF_W | BPF_IND:
+@@ -775,8 +783,10 @@ load_ind:
+                       emit_jalr(MIPS_R_RA, r_s0, ctx);
+                       emit_reg_move(MIPS_R_A0, r_skb, ctx); /* delay slot */
+                       /* Check the error value */
+-                      emit_bcond(MIPS_COND_NE, r_ret, 0,
+-                                 b_imm(prog->len, ctx), ctx);
++                      b_off = b_imm(prog->len, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_bcond(MIPS_COND_NE, r_ret, 0, b_off, ctx);
+                       emit_reg_move(r_ret, r_zero, ctx);
+                       /* We are good */
+                       /* X <- P[1:K] & 0xf */
+@@ -855,8 +865,10 @@ load_ind:
+                       /* A /= X */
+                       ctx->flags |= SEEN_X | SEEN_A;
+                       /* Check if r_X is zero */
+-                      emit_bcond(MIPS_COND_EQ, r_X, r_zero,
+-                                 b_imm(prog->len, ctx), ctx);
++                      b_off = b_imm(prog->len, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
+                       emit_load_imm(r_ret, 0, ctx); /* delay slot */
+                       emit_div(r_A, r_X, ctx);
+                       break;
+@@ -864,8 +876,10 @@ load_ind:
+                       /* A %= X */
+                       ctx->flags |= SEEN_X | SEEN_A;
+                       /* Check if r_X is zero */
+-                      emit_bcond(MIPS_COND_EQ, r_X, r_zero,
+-                                 b_imm(prog->len, ctx), ctx);
++                      b_off = b_imm(prog->len, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
+                       emit_load_imm(r_ret, 0, ctx); /* delay slot */
+                       emit_mod(r_A, r_X, ctx);
+                       break;
+@@ -926,7 +940,10 @@ load_ind:
+                       break;
+               case BPF_JMP | BPF_JA:
+                       /* pc += K */
+-                      emit_b(b_imm(i + k + 1, ctx), ctx);
++                      b_off = b_imm(i + k + 1, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_b(b_off, ctx);
+                       emit_nop(ctx);
+                       break;
+               case BPF_JMP | BPF_JEQ | BPF_K:
+@@ -1056,12 +1073,16 @@ jmp_cmp:
+                       break;
+               case BPF_RET | BPF_A:
+                       ctx->flags |= SEEN_A;
+-                      if (i != prog->len - 1)
++                      if (i != prog->len - 1) {
+                               /*
+                                * If this is not the last instruction
+                                * then jump to the epilogue
+                                */
+-                              emit_b(b_imm(prog->len, ctx), ctx);
++                              b_off = b_imm(prog->len, ctx);
++                              if (is_bad_offset(b_off))
++                                      return -E2BIG;
++                              emit_b(b_off, ctx);
++                      }
+                       emit_reg_move(r_ret, r_A, ctx); /* delay slot */
+                       break;
+               case BPF_RET | BPF_K:
+@@ -1075,7 +1096,10 @@ jmp_cmp:
+                                * If this is not the last instruction
+                                * then jump to the epilogue
+                                */
+-                              emit_b(b_imm(prog->len, ctx), ctx);
++                              b_off = b_imm(prog->len, ctx);
++                              if (is_bad_offset(b_off))
++                                      return -E2BIG;
++                              emit_b(b_off, ctx);
+                               emit_nop(ctx);
+                       }
+                       break;
+@@ -1133,8 +1157,10 @@ jmp_cmp:
+                       /* Load *dev pointer */
+                       emit_load_ptr(r_s0, r_skb, off, ctx);
+                       /* error (0) in the delay slot */
+-                      emit_bcond(MIPS_COND_EQ, r_s0, r_zero,
+-                                 b_imm(prog->len, ctx), ctx);
++                      b_off = b_imm(prog->len, ctx);
++                      if (is_bad_offset(b_off))
++                              return -E2BIG;
++                      emit_bcond(MIPS_COND_EQ, r_s0, r_zero, b_off, ctx);
+                       emit_reg_move(r_ret, r_zero, ctx);
+                       if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
+                               BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, 
ifindex) != 4);
+@@ -1244,7 +1270,10 @@ void bpf_jit_compile(struct bpf_prog *fp)
+ 
+       /* Generate the actual JIT code */
+       build_prologue(&ctx);
+-      build_body(&ctx);
++      if (build_body(&ctx)) {
++              module_memfree(ctx.target);
++              goto out;
++      }
+       build_epilogue(&ctx);
+ 
+       /* Update the icache */
+diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts 
b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+index 5ba6fbfca2742..f82f85c65964c 100644
+--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+@@ -154,7 +154,7 @@
+ 
+                       fm1mac3: ethernet@e4000 {
+                               phy-handle = <&sgmii_aqr_phy3>;
+-                              phy-connection-type = "sgmii-2500";
++                              phy-connection-type = "2500base-x";
+                               sleep = <&rcpm 0x20000000>;
+                       };
+ 
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index d994501d9179f..3dd2949b2b356 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1387,7 +1387,7 @@ config HIGHMEM4G
+ 
+ config HIGHMEM64G
+       bool "64GB"
+-      depends on !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && 
!MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !WINCHIP3D && !MK6
++      depends on !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && 
!MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !MWINCHIP3D && !MK6
+       select X86_PAE
+       ---help---
+         Select this if you have a 32-bit processor and more than 4
+diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
+index a48bf2d10ac2d..80cc9770a8d2d 100644
+--- a/arch/xtensa/kernel/irq.c
++++ b/arch/xtensa/kernel/irq.c
+@@ -145,7 +145,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
+ 
+ void __init init_IRQ(void)
+ {
+-#ifdef CONFIG_OF
++#ifdef CONFIG_USE_OF
+       irqchip_init();
+ #else
+ #ifdef CONFIG_HAVE_SMP
+diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c 
b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+index 4561a786fab07..cce4833a60832 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -185,6 +185,7 @@ static const struct file_operations nouveau_pstate_fops = {
+       .open = nouveau_debugfs_pstate_open,
+       .read = seq_read,
+       .write = nouveau_debugfs_pstate_set,
++      .release = single_release,
+ };
+ 
+ static struct drm_info_list nouveau_debugfs_list[] = {
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 8ba4122fb3404..8288cfb44cb2c 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -395,6 +395,7 @@ static int i2c_acpi_notify(struct notifier_block *nb, 
unsigned long value,
+                       break;
+ 
+               i2c_acpi_register_device(adapter, adev, &info);
++              put_device(&adapter->dev);
+               break;
+       case ACPI_RECONFIG_DEVICE_REMOVE:
+               if (!acpi_device_enumerated(adev))
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c 
b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 246734be51775..062b942517822 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -4724,7 +4724,8 @@ static void i40e_clear_interrupt_scheme(struct i40e_pf 
*pf)
+ {
+       int i;
+ 
+-      i40e_free_misc_vector(pf);
++      if (test_bit(__I40E_MISC_IRQ_REQUESTED, pf->state))
++              i40e_free_misc_vector(pf);
+ 
+       i40e_put_lump(pf->irq_pile, pf->iwarp_base_vector,
+                     I40E_IWARP_IRQ_PILE_ID);
+@@ -9068,7 +9069,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf,
+               if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
+                       /* retry with a larger buffer */
+                       buf_len = data_size;
+-              } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
++              } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
+                       dev_info(&pf->pdev->dev,
+                                "capability discovery failed, err %s aq_err 
%s\n",
+                                i40e_stat_str(&pf->hw, err),
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 08c81d4cfca86..3207da2224f67 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -378,6 +378,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module 
*owner)
+       bus->dev.groups = NULL;
+       dev_set_name(&bus->dev, "%s", bus->id);
+ 
++      /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
++       * the device in mdiobus_free()
++       *
++       * State will be updated later in this function in case of success
++       */
++      bus->state = MDIOBUS_UNREGISTERED;
++
+       err = device_register(&bus->dev);
+       if (err) {
+               pr_err("mii_bus %s failed to register\n", bus->id);
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 47d518e6d5d4f..71bafc8f5ed02 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -113,7 +113,7 @@ static const char * const sm_state_strings[] = {
+       [SFP_S_LINK_UP] = "link_up",
+       [SFP_S_TX_FAULT] = "tx_fault",
+       [SFP_S_REINIT] = "reinit",
+-      [SFP_S_TX_DISABLE] = "rx_disable",
++      [SFP_S_TX_DISABLE] = "tx_disable",
+ };
+ 
+ static const char *sm_state_to_str(unsigned short sm_state)
+diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
+index 78ccf936d3560..84feaa140f1b3 100644
+--- a/drivers/ptp/ptp_pch.c
++++ b/drivers/ptp/ptp_pch.c
+@@ -695,6 +695,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] 
= {
+        },
+       {0}
+ };
++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
+ 
+ static struct pci_driver pch_driver = {
+       .name = KBUILD_MODNAME,
+diff --git a/drivers/usb/Kconfig b/drivers/usb/Kconfig
+index 70e6c956c23ce..a9f12a52f7265 100644
+--- a/drivers/usb/Kconfig
++++ b/drivers/usb/Kconfig
+@@ -175,8 +175,7 @@ source "drivers/usb/roles/Kconfig"
+ 
+ config USB_LED_TRIG
+       bool "USB LED Triggers"
+-      depends on LEDS_CLASS && LEDS_TRIGGERS
+-      select USB_COMMON
++      depends on LEDS_CLASS && USB_COMMON && LEDS_TRIGGERS
+       help
+         This option adds LED triggers for USB host and/or gadget activity.
+ 
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 6959231d63b3e..0522bd2d9d3cc 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -339,6 +339,9 @@ static void acm_process_notification(struct acm *acm, 
unsigned char *buf)
+                       acm->iocount.overrun++;
+               spin_unlock_irqrestore(&acm->read_lock, flags);
+ 
++              if (newctrl & ACM_CTRL_BRK)
++                      tty_flip_buffer_push(&acm->port);
++
+               if (difference)
+                       wake_up_all(&acm->wioctl);
+ 
+@@ -474,11 +477,16 @@ static int acm_submit_read_urbs(struct acm *acm, gfp_t 
mem_flags)
+ 
+ static void acm_process_read_urb(struct acm *acm, struct urb *urb)
+ {
++      unsigned long flags;
++
+       if (!urb->actual_length)
+               return;
+ 
++      spin_lock_irqsave(&acm->read_lock, flags);
+       tty_insert_flip_string(&acm->port, urb->transfer_buffer,
+                       urb->actual_length);
++      spin_unlock_irqrestore(&acm->read_lock, flags);
++
+       tty_flip_buffer_push(&acm->port);
+ }
+ 
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 2459e2afd65ec..19906020eb145 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -508,12 +508,12 @@ static enum bp_state decrease_reservation(unsigned long 
nr_pages, gfp_t gfp)
+ }
+ 
+ /*
+- * Stop waiting if either state is not BP_EAGAIN and ballooning action is
+- * needed, or if the credit has changed while state is BP_EAGAIN.
++ * Stop waiting if either state is BP_DONE and ballooning action is
++ * needed, or if the credit has changed while state is not BP_DONE.
+  */
+ static bool balloon_thread_cond(enum bp_state state, long credit)
+ {
+-      if (state != BP_EAGAIN)
++      if (state == BP_DONE)
+               credit = 0;
+ 
+       return current_credit() != credit || kthread_should_stop();
+@@ -533,10 +533,19 @@ static int balloon_thread(void *unused)
+ 
+       set_freezable();
+       for (;;) {
+-              if (state == BP_EAGAIN)
+-                      timeout = balloon_stats.schedule_delay * HZ;
+-              else
++              switch (state) {
++              case BP_DONE:
++              case BP_ECANCELED:
+                       timeout = 3600 * HZ;
++                      break;
++              case BP_EAGAIN:
++                      timeout = balloon_stats.schedule_delay * HZ;
++                      break;
++              case BP_WAIT:
++                      timeout = HZ;
++                      break;
++              }
++
+               credit = current_credit();
+ 
+               wait_event_freezable_timeout(balloon_thread_wq,
+diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
+index a8486432be05a..74ff28fda64dc 100644
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -835,11 +835,12 @@ static long privcmd_ioctl_mmap_resource(struct file 
*file,
+               unsigned int domid =
+                       (xdata.flags & XENMEM_rsrc_acq_caller_owned) ?
+                       DOMID_SELF : kdata.dom;
+-              int num;
++              int num, *errs = (int *)pfns;
+ 
++              BUILD_BUG_ON(sizeof(*errs) > sizeof(*pfns));
+               num = xen_remap_domain_mfn_array(vma,
+                                                kdata.addr & PAGE_MASK,
+-                                               pfns, kdata.num, (int *)pfns,
++                                               pfns, kdata.num, errs,
+                                                vma->vm_page_prot,
+                                                domid,
+                                                vma->vm_private_data);
+@@ -849,7 +850,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file,
+                       unsigned int i;
+ 
+                       for (i = 0; i < num; i++) {
+-                              rc = pfns[i];
++                              rc = errs[i];
+                               if (rc < 0)
+                                       break;
+                       }
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index db0beefe65ec2..f67c5de1aeb8d 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3124,15 +3124,18 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int 
namlen,
+               goto fail;
+       cd->rd_maxcount -= entry_bytes;
+       /*
+-       * RFC 3530 14.2.24 describes rd_dircount as only a "hint", so
+-       * let's always let through the first entry, at least:
++       * RFC 3530 14.2.24 describes rd_dircount as only a "hint", and
++       * notes that it could be zero. If it is zero, then the server
++       * should enforce only the rd_maxcount value.
+        */
+-      if (!cd->rd_dircount)
+-              goto fail;
+-      name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
+-      if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
+-              goto fail;
+-      cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
++      if (cd->rd_dircount) {
++              name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
++              if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
++                      goto fail;
++              cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
++              if (!cd->rd_dircount)
++                      cd->rd_maxcount = 0;
++      }
+ 
+       cd->cookie_offset = cookie_offset;
+ skip_entry:
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 0b4ee1ab25df0..0578c15e1a676 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -1166,9 +1166,13 @@ static int ovl_rename(struct inode *olddir, struct 
dentry *old,
+                               goto out_dput;
+               }
+       } else {
+-              if (!d_is_negative(newdentry) &&
+-                  (!new_opaque || !ovl_is_whiteout(newdentry)))
+-                      goto out_dput;
++              if (!d_is_negative(newdentry)) {
++                      if (!new_opaque || !ovl_is_whiteout(newdentry))
++                              goto out_dput;
++              } else {
++                      if (flags & RENAME_EXCHANGE)
++                              goto out_dput;
++              }
+       }
+ 
+       if (olddentry == trap)
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index a47d623f59fe7..92310b07cb98e 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -63,7 +63,8 @@ static inline int stack_map_data_size(struct bpf_map *map)
+ 
+ static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
+ {
+-      u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
++      u64 elem_size = sizeof(struct stack_map_bucket) +
++                      (u64)smap->map.value_size;
+       int err;
+ 
+       smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index ec2b58a09f763..c00cb376263a0 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1511,7 +1511,7 @@ static size_t br_get_linkxstats_size(const struct 
net_device *dev, int attr)
+       }
+ 
+       return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
+-             nla_total_size(sizeof(struct br_mcast_stats)) +
++             nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
+              nla_total_size(0);
+ }
+ 
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 055fd09ac1114..83de32e34bb55 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -4512,7 +4512,7 @@ nla_put_failure:
+ static size_t if_nlmsg_stats_size(const struct net_device *dev,
+                                 u32 filter_mask)
+ {
+-      size_t size = 0;
++      size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
+ 
+       if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
+               size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index b0fd268ed65e5..dd4e4289d0d2a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -599,7 +599,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
+ 
+       /* We need to ensure that the socket is hashed and visible. */
+       smp_wmb();
+-      nlk_sk(sk)->bound = portid;
++      /* Paired with lockless reads from netlink_bind(),
++       * netlink_connect() and netlink_sendmsg().
++       */
++      WRITE_ONCE(nlk_sk(sk)->bound, portid);
+ 
+ err:
+       release_sock(sk);
+@@ -1018,7 +1021,8 @@ static int netlink_bind(struct socket *sock, struct 
sockaddr *addr,
+       else if (nlk->ngroups < 8*sizeof(groups))
+               groups &= (1UL << nlk->ngroups) - 1;
+ 
+-      bound = nlk->bound;
++      /* Paired with WRITE_ONCE() in netlink_insert() */
++      bound = READ_ONCE(nlk->bound);
+       if (bound) {
+               /* Ensure nlk->portid is up-to-date. */
+               smp_rmb();
+@@ -1104,8 +1108,9 @@ static int netlink_connect(struct socket *sock, struct 
sockaddr *addr,
+ 
+       /* No need for barriers here as we return to user-space without
+        * using any of the bound attributes.
++       * Paired with WRITE_ONCE() in netlink_insert().
+        */
+-      if (!nlk->bound)
++      if (!READ_ONCE(nlk->bound))
+               err = netlink_autobind(sock);
+ 
+       if (err == 0) {
+@@ -1870,7 +1875,8 @@ static int netlink_sendmsg(struct socket *sock, struct 
msghdr *msg, size_t len)
+               dst_group = nlk->dst_group;
+       }
+ 
+-      if (!nlk->bound) {
++      /* Paired with WRITE_ONCE() in netlink_insert() */
++      if (!READ_ONCE(nlk->bound)) {
+               err = netlink_autobind(sock);
+               if (err)
+                       goto out;
+diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
+index 24893d3b5d229..bcd3ca97caea1 100644
+--- a/net/sched/sch_fifo.c
++++ b/net/sched/sch_fifo.c
+@@ -152,6 +152,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
+       if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
+               return 0;
+ 
++      if (!q->ops->change)
++              return 0;
++
+       nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
+       if (nla) {
+               nla->nla_type = RTM_NEWQDISC;

Reply via email to