commit: e855e627a8b2a0c3b4301da14f905dc5311f2f67 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Sun Mar 7 15:14:07 2021 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Sun Mar 7 15:14:07 2021 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e855e627
Linux patch 4.14.224 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 + 1223_linux-4.14.224.patch | 2086 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2090 insertions(+) diff --git a/0000_README b/0000_README index deda6ba..f66e8d4 100644 --- a/0000_README +++ b/0000_README @@ -935,6 +935,10 @@ Patch: 1222_linux-4.14.223.patch From: https://www.kernel.org Desc: Linux 4.14.223 +Patch: 1223_linux-4.14.224.patch +From: https://www.kernel.org +Desc: Linux 4.14.224 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1223_linux-4.14.224.patch b/1223_linux-4.14.224.patch new file mode 100644 index 0000000..9a787e1 --- /dev/null +++ b/1223_linux-4.14.224.patch @@ -0,0 +1,2086 @@ +diff --git a/Documentation/devicetree/bindings/net/btusb.txt b/Documentation/devicetree/bindings/net/btusb.txt +index 9c5e663fa1afc..828a04695e1be 100644 +--- a/Documentation/devicetree/bindings/net/btusb.txt ++++ b/Documentation/devicetree/bindings/net/btusb.txt +@@ -36,7 +36,7 @@ Following example uses irq pin number 3 of gpio0 for out of band wake-on-bt: + compatible = "usb1286,204e"; + reg = <1>; + interrupt-parent = <&gpio0>; +- interrupt-name = "wakeup"; ++ interrupt-names = "wakeup"; + interrupts = <3 IRQ_TYPE_LEVEL_LOW>; + }; + }; +diff --git a/Documentation/filesystems/sysfs.txt b/Documentation/filesystems/sysfs.txt +index 9a3658cc399ed..6ff1b9899fd02 100644 +--- a/Documentation/filesystems/sysfs.txt ++++ b/Documentation/filesystems/sysfs.txt +@@ -211,12 +211,10 @@ Other notes: + is 4096. + + - show() methods should return the number of bytes printed into the +- buffer. This is the return value of scnprintf(). ++ buffer. + +-- show() must not use snprintf() when formatting the value to be +- returned to user space. If you can guarantee that an overflow +- will never happen you can use sprintf() otherwise you must use +- scnprintf(). ++- show() should only use sysfs_emit() or sysfs_emit_at() when formatting ++ the value to be returned to user space. + + - store() should return the number of bytes used from the buffer. If the + entire buffer has been used, just return the count argument. +diff --git a/Makefile b/Makefile +index b8ab01786d095..eda72c1ca13a4 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 223 ++SUBLEVEL = 224 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/arm/xen/p2m.c b/arch/arm/xen/p2m.c +index ce538c51fa3fb..8a8a388549e7a 100644 +--- a/arch/arm/xen/p2m.c ++++ b/arch/arm/xen/p2m.c +@@ -91,12 +91,39 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, + int i; + + for (i = 0; i < count; i++) { ++ struct gnttab_unmap_grant_ref unmap; ++ int rc; ++ + if (map_ops[i].status) + continue; +- if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, +- map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) { +- return -ENOMEM; +- } ++ if (likely(set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, ++ map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) ++ continue; ++ ++ /* ++ * Signal an error for this slot. This in turn requires ++ * immediate unmapping. ++ */ ++ map_ops[i].status = GNTST_general_error; ++ unmap.host_addr = map_ops[i].host_addr, ++ unmap.handle = map_ops[i].handle; ++ map_ops[i].handle = ~0; ++ if (map_ops[i].flags & GNTMAP_device_map) ++ unmap.dev_bus_addr = map_ops[i].dev_bus_addr; ++ else ++ unmap.dev_bus_addr = 0; ++ ++ /* ++ * Pre-populate the status field, to be recognizable in ++ * the log message below. ++ */ ++ unmap.status = 1; ++ ++ rc = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref, ++ &unmap, 1); ++ if (rc || unmap.status != GNTST_okay) ++ pr_err_once("gnttab unmap failed: rc=%d st=%d\n", ++ rc, unmap.status); + } + + return 0; +diff --git a/arch/arm64/include/asm/atomic_ll_sc.h b/arch/arm64/include/asm/atomic_ll_sc.h +index f5a2d09afb384..1cc42441bc672 100644 +--- a/arch/arm64/include/asm/atomic_ll_sc.h ++++ b/arch/arm64/include/asm/atomic_ll_sc.h +@@ -37,7 +37,7 @@ + * (the optimize attribute silently ignores these options). + */ + +-#define ATOMIC_OP(op, asm_op) \ ++#define ATOMIC_OP(op, asm_op, constraint) \ + __LL_SC_INLINE void \ + __LL_SC_PREFIX(atomic_##op(int i, atomic_t *v)) \ + { \ +@@ -51,11 +51,11 @@ __LL_SC_PREFIX(atomic_##op(int i, atomic_t *v)) \ + " stxr %w1, %w0, %2\n" \ + " cbnz %w1, 1b" \ + : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i)); \ ++ : #constraint "r" (i)); \ + } \ + __LL_SC_EXPORT(atomic_##op); + +-#define ATOMIC_OP_RETURN(name, mb, acq, rel, cl, op, asm_op) \ ++#define ATOMIC_OP_RETURN(name, mb, acq, rel, cl, op, asm_op, constraint)\ + __LL_SC_INLINE int \ + __LL_SC_PREFIX(atomic_##op##_return##name(int i, atomic_t *v)) \ + { \ +@@ -70,14 +70,14 @@ __LL_SC_PREFIX(atomic_##op##_return##name(int i, atomic_t *v)) \ + " cbnz %w1, 1b\n" \ + " " #mb \ + : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i) \ ++ : #constraint "r" (i) \ + : cl); \ + \ + return result; \ + } \ + __LL_SC_EXPORT(atomic_##op##_return##name); + +-#define ATOMIC_FETCH_OP(name, mb, acq, rel, cl, op, asm_op) \ ++#define ATOMIC_FETCH_OP(name, mb, acq, rel, cl, op, asm_op, constraint) \ + __LL_SC_INLINE int \ + __LL_SC_PREFIX(atomic_fetch_##op##name(int i, atomic_t *v)) \ + { \ +@@ -92,7 +92,7 @@ __LL_SC_PREFIX(atomic_fetch_##op##name(int i, atomic_t *v)) \ + " cbnz %w2, 1b\n" \ + " " #mb \ + : "=&r" (result), "=&r" (val), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i) \ ++ : #constraint "r" (i) \ + : cl); \ + \ + return result; \ +@@ -110,8 +110,8 @@ __LL_SC_EXPORT(atomic_fetch_##op##name); + ATOMIC_FETCH_OP (_acquire, , a, , "memory", __VA_ARGS__)\ + ATOMIC_FETCH_OP (_release, , , l, "memory", __VA_ARGS__) + +-ATOMIC_OPS(add, add) +-ATOMIC_OPS(sub, sub) ++ATOMIC_OPS(add, add, I) ++ATOMIC_OPS(sub, sub, J) + + #undef ATOMIC_OPS + #define ATOMIC_OPS(...) \ +@@ -121,17 +121,17 @@ ATOMIC_OPS(sub, sub) + ATOMIC_FETCH_OP (_acquire, , a, , "memory", __VA_ARGS__)\ + ATOMIC_FETCH_OP (_release, , , l, "memory", __VA_ARGS__) + +-ATOMIC_OPS(and, and) +-ATOMIC_OPS(andnot, bic) +-ATOMIC_OPS(or, orr) +-ATOMIC_OPS(xor, eor) ++ATOMIC_OPS(and, and, ) ++ATOMIC_OPS(andnot, bic, ) ++ATOMIC_OPS(or, orr, ) ++ATOMIC_OPS(xor, eor, ) + + #undef ATOMIC_OPS + #undef ATOMIC_FETCH_OP + #undef ATOMIC_OP_RETURN + #undef ATOMIC_OP + +-#define ATOMIC64_OP(op, asm_op) \ ++#define ATOMIC64_OP(op, asm_op, constraint) \ + __LL_SC_INLINE void \ + __LL_SC_PREFIX(atomic64_##op(long i, atomic64_t *v)) \ + { \ +@@ -145,11 +145,11 @@ __LL_SC_PREFIX(atomic64_##op(long i, atomic64_t *v)) \ + " stxr %w1, %0, %2\n" \ + " cbnz %w1, 1b" \ + : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i)); \ ++ : #constraint "r" (i)); \ + } \ + __LL_SC_EXPORT(atomic64_##op); + +-#define ATOMIC64_OP_RETURN(name, mb, acq, rel, cl, op, asm_op) \ ++#define ATOMIC64_OP_RETURN(name, mb, acq, rel, cl, op, asm_op, constraint)\ + __LL_SC_INLINE long \ + __LL_SC_PREFIX(atomic64_##op##_return##name(long i, atomic64_t *v)) \ + { \ +@@ -164,14 +164,14 @@ __LL_SC_PREFIX(atomic64_##op##_return##name(long i, atomic64_t *v)) \ + " cbnz %w1, 1b\n" \ + " " #mb \ + : "=&r" (result), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i) \ ++ : #constraint "r" (i) \ + : cl); \ + \ + return result; \ + } \ + __LL_SC_EXPORT(atomic64_##op##_return##name); + +-#define ATOMIC64_FETCH_OP(name, mb, acq, rel, cl, op, asm_op) \ ++#define ATOMIC64_FETCH_OP(name, mb, acq, rel, cl, op, asm_op, constraint)\ + __LL_SC_INLINE long \ + __LL_SC_PREFIX(atomic64_fetch_##op##name(long i, atomic64_t *v)) \ + { \ +@@ -186,7 +186,7 @@ __LL_SC_PREFIX(atomic64_fetch_##op##name(long i, atomic64_t *v)) \ + " cbnz %w2, 1b\n" \ + " " #mb \ + : "=&r" (result), "=&r" (val), "=&r" (tmp), "+Q" (v->counter) \ +- : "Ir" (i) \ ++ : #constraint "r" (i) \ + : cl); \ + \ + return result; \ +@@ -204,8 +204,8 @@ __LL_SC_EXPORT(atomic64_fetch_##op##name); + ATOMIC64_FETCH_OP (_acquire,, a, , "memory", __VA_ARGS__) \ + ATOMIC64_FETCH_OP (_release,, , l, "memory", __VA_ARGS__) + +-ATOMIC64_OPS(add, add) +-ATOMIC64_OPS(sub, sub) ++ATOMIC64_OPS(add, add, I) ++ATOMIC64_OPS(sub, sub, J) + + #undef ATOMIC64_OPS + #define ATOMIC64_OPS(...) \ +@@ -215,10 +215,10 @@ ATOMIC64_OPS(sub, sub) + ATOMIC64_FETCH_OP (_acquire,, a, , "memory", __VA_ARGS__) \ + ATOMIC64_FETCH_OP (_release,, , l, "memory", __VA_ARGS__) + +-ATOMIC64_OPS(and, and) +-ATOMIC64_OPS(andnot, bic) +-ATOMIC64_OPS(or, orr) +-ATOMIC64_OPS(xor, eor) ++ATOMIC64_OPS(and, and, L) ++ATOMIC64_OPS(andnot, bic, ) ++ATOMIC64_OPS(or, orr, L) ++ATOMIC64_OPS(xor, eor, L) + + #undef ATOMIC64_OPS + #undef ATOMIC64_FETCH_OP +@@ -248,48 +248,54 @@ __LL_SC_PREFIX(atomic64_dec_if_positive(atomic64_t *v)) + } + __LL_SC_EXPORT(atomic64_dec_if_positive); + +-#define __CMPXCHG_CASE(w, sz, name, mb, acq, rel, cl) \ +-__LL_SC_INLINE unsigned long \ +-__LL_SC_PREFIX(__cmpxchg_case_##name(volatile void *ptr, \ +- unsigned long old, \ +- unsigned long new)) \ ++#define __CMPXCHG_CASE(w, sfx, name, sz, mb, acq, rel, cl, constraint) \ ++__LL_SC_INLINE u##sz \ ++__LL_SC_PREFIX(__cmpxchg_case_##name##sz(volatile void *ptr, \ ++ unsigned long old, \ ++ u##sz new)) \ + { \ +- unsigned long tmp, oldval; \ ++ unsigned long tmp; \ ++ u##sz oldval; \ + \ + asm volatile( \ + " prfm pstl1strm, %[v]\n" \ +- "1: ld" #acq "xr" #sz "\t%" #w "[oldval], %[v]\n" \ ++ "1: ld" #acq "xr" #sfx "\t%" #w "[oldval], %[v]\n" \ + " eor %" #w "[tmp], %" #w "[oldval], %" #w "[old]\n" \ + " cbnz %" #w "[tmp], 2f\n" \ +- " st" #rel "xr" #sz "\t%w[tmp], %" #w "[new], %[v]\n" \ ++ " st" #rel "xr" #sfx "\t%w[tmp], %" #w "[new], %[v]\n" \ + " cbnz %w[tmp], 1b\n" \ + " " #mb "\n" \ + "2:" \ + : [tmp] "=&r" (tmp), [oldval] "=&r" (oldval), \ +- [v] "+Q" (*(unsigned long *)ptr) \ +- : [old] "Lr" (old), [new] "r" (new) \ ++ [v] "+Q" (*(u##sz *)ptr) \ ++ : [old] #constraint "r" (old), [new] "r" (new) \ + : cl); \ + \ + return oldval; \ + } \ +-__LL_SC_EXPORT(__cmpxchg_case_##name); ++__LL_SC_EXPORT(__cmpxchg_case_##name##sz); + +-__CMPXCHG_CASE(w, b, 1, , , , ) +-__CMPXCHG_CASE(w, h, 2, , , , ) +-__CMPXCHG_CASE(w, , 4, , , , ) +-__CMPXCHG_CASE( , , 8, , , , ) +-__CMPXCHG_CASE(w, b, acq_1, , a, , "memory") +-__CMPXCHG_CASE(w, h, acq_2, , a, , "memory") +-__CMPXCHG_CASE(w, , acq_4, , a, , "memory") +-__CMPXCHG_CASE( , , acq_8, , a, , "memory") +-__CMPXCHG_CASE(w, b, rel_1, , , l, "memory") +-__CMPXCHG_CASE(w, h, rel_2, , , l, "memory") +-__CMPXCHG_CASE(w, , rel_4, , , l, "memory") +-__CMPXCHG_CASE( , , rel_8, , , l, "memory") +-__CMPXCHG_CASE(w, b, mb_1, dmb ish, , l, "memory") +-__CMPXCHG_CASE(w, h, mb_2, dmb ish, , l, "memory") +-__CMPXCHG_CASE(w, , mb_4, dmb ish, , l, "memory") +-__CMPXCHG_CASE( , , mb_8, dmb ish, , l, "memory") ++/* ++ * Earlier versions of GCC (no later than 8.1.0) appear to incorrectly ++ * handle the 'K' constraint for the value 4294967295 - thus we use no ++ * constraint for 32 bit operations. ++ */ ++__CMPXCHG_CASE(w, b, , 8, , , , , ) ++__CMPXCHG_CASE(w, h, , 16, , , , , ) ++__CMPXCHG_CASE(w, , , 32, , , , , ) ++__CMPXCHG_CASE( , , , 64, , , , , L) ++__CMPXCHG_CASE(w, b, acq_, 8, , a, , "memory", ) ++__CMPXCHG_CASE(w, h, acq_, 16, , a, , "memory", ) ++__CMPXCHG_CASE(w, , acq_, 32, , a, , "memory", ) ++__CMPXCHG_CASE( , , acq_, 64, , a, , "memory", L) ++__CMPXCHG_CASE(w, b, rel_, 8, , , l, "memory", ) ++__CMPXCHG_CASE(w, h, rel_, 16, , , l, "memory", ) ++__CMPXCHG_CASE(w, , rel_, 32, , , l, "memory", ) ++__CMPXCHG_CASE( , , rel_, 64, , , l, "memory", L) ++__CMPXCHG_CASE(w, b, mb_, 8, dmb ish, , l, "memory", ) ++__CMPXCHG_CASE(w, h, mb_, 16, dmb ish, , l, "memory", ) ++__CMPXCHG_CASE(w, , mb_, 32, dmb ish, , l, "memory", ) ++__CMPXCHG_CASE( , , mb_, 64, dmb ish, , l, "memory", L) + + #undef __CMPXCHG_CASE + +diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h +index f9b0b09153e0e..4d6f917b654e4 100644 +--- a/arch/arm64/include/asm/atomic_lse.h ++++ b/arch/arm64/include/asm/atomic_lse.h +@@ -446,22 +446,22 @@ static inline long atomic64_dec_if_positive(atomic64_t *v) + + #define __LL_SC_CMPXCHG(op) __LL_SC_CALL(__cmpxchg_case_##op) + +-#define __CMPXCHG_CASE(w, sz, name, mb, cl...) \ +-static inline unsigned long __cmpxchg_case_##name(volatile void *ptr, \ +- unsigned long old, \ +- unsigned long new) \ ++#define __CMPXCHG_CASE(w, sfx, name, sz, mb, cl...) \ ++static inline u##sz __cmpxchg_case_##name##sz(volatile void *ptr, \ ++ unsigned long old, \ ++ u##sz new) \ + { \ + register unsigned long x0 asm ("x0") = (unsigned long)ptr; \ + register unsigned long x1 asm ("x1") = old; \ +- register unsigned long x2 asm ("x2") = new; \ ++ register u##sz x2 asm ("x2") = new; \ + \ + asm volatile(ARM64_LSE_ATOMIC_INSN( \ + /* LL/SC */ \ +- __LL_SC_CMPXCHG(name) \ ++ __LL_SC_CMPXCHG(name##sz) \ + __nops(2), \ + /* LSE atomics */ \ + " mov " #w "30, %" #w "[old]\n" \ +- " cas" #mb #sz "\t" #w "30, %" #w "[new], %[v]\n" \ ++ " cas" #mb #sfx "\t" #w "30, %" #w "[new], %[v]\n" \ + " mov %" #w "[ret], " #w "30") \ + : [ret] "+r" (x0), [v] "+Q" (*(unsigned long *)ptr) \ + : [old] "r" (x1), [new] "r" (x2) \ +@@ -470,22 +470,22 @@ static inline unsigned long __cmpxchg_case_##name(volatile void *ptr, \ + return x0; \ + } + +-__CMPXCHG_CASE(w, b, 1, ) +-__CMPXCHG_CASE(w, h, 2, ) +-__CMPXCHG_CASE(w, , 4, ) +-__CMPXCHG_CASE(x, , 8, ) +-__CMPXCHG_CASE(w, b, acq_1, a, "memory") +-__CMPXCHG_CASE(w, h, acq_2, a, "memory") +-__CMPXCHG_CASE(w, , acq_4, a, "memory") +-__CMPXCHG_CASE(x, , acq_8, a, "memory") +-__CMPXCHG_CASE(w, b, rel_1, l, "memory") +-__CMPXCHG_CASE(w, h, rel_2, l, "memory") +-__CMPXCHG_CASE(w, , rel_4, l, "memory") +-__CMPXCHG_CASE(x, , rel_8, l, "memory") +-__CMPXCHG_CASE(w, b, mb_1, al, "memory") +-__CMPXCHG_CASE(w, h, mb_2, al, "memory") +-__CMPXCHG_CASE(w, , mb_4, al, "memory") +-__CMPXCHG_CASE(x, , mb_8, al, "memory") ++__CMPXCHG_CASE(w, b, , 8, ) ++__CMPXCHG_CASE(w, h, , 16, ) ++__CMPXCHG_CASE(w, , , 32, ) ++__CMPXCHG_CASE(x, , , 64, ) ++__CMPXCHG_CASE(w, b, acq_, 8, a, "memory") ++__CMPXCHG_CASE(w, h, acq_, 16, a, "memory") ++__CMPXCHG_CASE(w, , acq_, 32, a, "memory") ++__CMPXCHG_CASE(x, , acq_, 64, a, "memory") ++__CMPXCHG_CASE(w, b, rel_, 8, l, "memory") ++__CMPXCHG_CASE(w, h, rel_, 16, l, "memory") ++__CMPXCHG_CASE(w, , rel_, 32, l, "memory") ++__CMPXCHG_CASE(x, , rel_, 64, l, "memory") ++__CMPXCHG_CASE(w, b, mb_, 8, al, "memory") ++__CMPXCHG_CASE(w, h, mb_, 16, al, "memory") ++__CMPXCHG_CASE(w, , mb_, 32, al, "memory") ++__CMPXCHG_CASE(x, , mb_, 64, al, "memory") + + #undef __LL_SC_CMPXCHG + #undef __CMPXCHG_CASE +diff --git a/arch/arm64/include/asm/cmpxchg.h b/arch/arm64/include/asm/cmpxchg.h +index 9b2e2e2e728ae..ed6a1aae6fbb9 100644 +--- a/arch/arm64/include/asm/cmpxchg.h ++++ b/arch/arm64/include/asm/cmpxchg.h +@@ -29,46 +29,46 @@ + * barrier case is generated as release+dmb for the former and + * acquire+release for the latter. + */ +-#define __XCHG_CASE(w, sz, name, mb, nop_lse, acq, acq_lse, rel, cl) \ +-static inline unsigned long __xchg_case_##name(unsigned long x, \ +- volatile void *ptr) \ +-{ \ +- unsigned long ret, tmp; \ +- \ +- asm volatile(ARM64_LSE_ATOMIC_INSN( \ +- /* LL/SC */ \ +- " prfm pstl1strm, %2\n" \ +- "1: ld" #acq "xr" #sz "\t%" #w "0, %2\n" \ +- " st" #rel "xr" #sz "\t%w1, %" #w "3, %2\n" \ +- " cbnz %w1, 1b\n" \ +- " " #mb, \ +- /* LSE atomics */ \ +- " swp" #acq_lse #rel #sz "\t%" #w "3, %" #w "0, %2\n" \ +- __nops(3) \ +- " " #nop_lse) \ +- : "=&r" (ret), "=&r" (tmp), "+Q" (*(unsigned long *)ptr) \ +- : "r" (x) \ +- : cl); \ +- \ +- return ret; \ ++#define __XCHG_CASE(w, sfx, name, sz, mb, nop_lse, acq, acq_lse, rel, cl) \ ++static inline u##sz __xchg_case_##name##sz(u##sz x, volatile void *ptr) \ ++{ \ ++ u##sz ret; \ ++ unsigned long tmp; \ ++ \ ++ asm volatile(ARM64_LSE_ATOMIC_INSN( \ ++ /* LL/SC */ \ ++ " prfm pstl1strm, %2\n" \ ++ "1: ld" #acq "xr" #sfx "\t%" #w "0, %2\n" \ ++ " st" #rel "xr" #sfx "\t%w1, %" #w "3, %2\n" \ ++ " cbnz %w1, 1b\n" \ ++ " " #mb, \ ++ /* LSE atomics */ \ ++ " swp" #acq_lse #rel #sfx "\t%" #w "3, %" #w "0, %2\n" \ ++ __nops(3) \ ++ " " #nop_lse) \ ++ : "=&r" (ret), "=&r" (tmp), "+Q" (*(u##sz *)ptr) \ ++ : "r" (x) \ ++ : cl); \ ++ \ ++ return ret; \ + } + +-__XCHG_CASE(w, b, 1, , , , , , ) +-__XCHG_CASE(w, h, 2, , , , , , ) +-__XCHG_CASE(w, , 4, , , , , , ) +-__XCHG_CASE( , , 8, , , , , , ) +-__XCHG_CASE(w, b, acq_1, , , a, a, , "memory") +-__XCHG_CASE(w, h, acq_2, , , a, a, , "memory") +-__XCHG_CASE(w, , acq_4, , , a, a, , "memory") +-__XCHG_CASE( , , acq_8, , , a, a, , "memory") +-__XCHG_CASE(w, b, rel_1, , , , , l, "memory") +-__XCHG_CASE(w, h, rel_2, , , , , l, "memory") +-__XCHG_CASE(w, , rel_4, , , , , l, "memory") +-__XCHG_CASE( , , rel_8, , , , , l, "memory") +-__XCHG_CASE(w, b, mb_1, dmb ish, nop, , a, l, "memory") +-__XCHG_CASE(w, h, mb_2, dmb ish, nop, , a, l, "memory") +-__XCHG_CASE(w, , mb_4, dmb ish, nop, , a, l, "memory") +-__XCHG_CASE( , , mb_8, dmb ish, nop, , a, l, "memory") ++__XCHG_CASE(w, b, , 8, , , , , , ) ++__XCHG_CASE(w, h, , 16, , , , , , ) ++__XCHG_CASE(w, , , 32, , , , , , ) ++__XCHG_CASE( , , , 64, , , , , , ) ++__XCHG_CASE(w, b, acq_, 8, , , a, a, , "memory") ++__XCHG_CASE(w, h, acq_, 16, , , a, a, , "memory") ++__XCHG_CASE(w, , acq_, 32, , , a, a, , "memory") ++__XCHG_CASE( , , acq_, 64, , , a, a, , "memory") ++__XCHG_CASE(w, b, rel_, 8, , , , , l, "memory") ++__XCHG_CASE(w, h, rel_, 16, , , , , l, "memory") ++__XCHG_CASE(w, , rel_, 32, , , , , l, "memory") ++__XCHG_CASE( , , rel_, 64, , , , , l, "memory") ++__XCHG_CASE(w, b, mb_, 8, dmb ish, nop, , a, l, "memory") ++__XCHG_CASE(w, h, mb_, 16, dmb ish, nop, , a, l, "memory") ++__XCHG_CASE(w, , mb_, 32, dmb ish, nop, , a, l, "memory") ++__XCHG_CASE( , , mb_, 64, dmb ish, nop, , a, l, "memory") + + #undef __XCHG_CASE + +@@ -79,13 +79,13 @@ static __always_inline unsigned long __xchg##sfx(unsigned long x, \ + { \ + switch (size) { \ + case 1: \ +- return __xchg_case##sfx##_1(x, ptr); \ ++ return __xchg_case##sfx##_8(x, ptr); \ + case 2: \ +- return __xchg_case##sfx##_2(x, ptr); \ ++ return __xchg_case##sfx##_16(x, ptr); \ + case 4: \ +- return __xchg_case##sfx##_4(x, ptr); \ ++ return __xchg_case##sfx##_32(x, ptr); \ + case 8: \ +- return __xchg_case##sfx##_8(x, ptr); \ ++ return __xchg_case##sfx##_64(x, ptr); \ + default: \ + BUILD_BUG(); \ + } \ +@@ -122,13 +122,13 @@ static __always_inline unsigned long __cmpxchg##sfx(volatile void *ptr, \ + { \ + switch (size) { \ + case 1: \ +- return __cmpxchg_case##sfx##_1(ptr, (u8)old, new); \ ++ return __cmpxchg_case##sfx##_8(ptr, (u8)old, new); \ + case 2: \ +- return __cmpxchg_case##sfx##_2(ptr, (u16)old, new); \ ++ return __cmpxchg_case##sfx##_16(ptr, (u16)old, new); \ + case 4: \ +- return __cmpxchg_case##sfx##_4(ptr, old, new); \ ++ return __cmpxchg_case##sfx##_32(ptr, old, new); \ + case 8: \ +- return __cmpxchg_case##sfx##_8(ptr, old, new); \ ++ return __cmpxchg_case##sfx##_64(ptr, old, new); \ + default: \ + BUILD_BUG(); \ + } \ +@@ -222,16 +222,16 @@ __CMPXCHG_GEN(_mb) + __ret; \ + }) + +-#define __CMPWAIT_CASE(w, sz, name) \ +-static inline void __cmpwait_case_##name(volatile void *ptr, \ +- unsigned long val) \ ++#define __CMPWAIT_CASE(w, sfx, sz) \ ++static inline void __cmpwait_case_##sz(volatile void *ptr, \ ++ unsigned long val) \ + { \ + unsigned long tmp; \ + \ + asm volatile( \ + " sevl\n" \ + " wfe\n" \ +- " ldxr" #sz "\t%" #w "[tmp], %[v]\n" \ ++ " ldxr" #sfx "\t%" #w "[tmp], %[v]\n" \ + " eor %" #w "[tmp], %" #w "[tmp], %" #w "[val]\n" \ + " cbnz %" #w "[tmp], 1f\n" \ + " wfe\n" \ +@@ -240,10 +240,10 @@ static inline void __cmpwait_case_##name(volatile void *ptr, \ + : [val] "r" (val)); \ + } + +-__CMPWAIT_CASE(w, b, 1); +-__CMPWAIT_CASE(w, h, 2); +-__CMPWAIT_CASE(w, , 4); +-__CMPWAIT_CASE( , , 8); ++__CMPWAIT_CASE(w, b, 8); ++__CMPWAIT_CASE(w, h, 16); ++__CMPWAIT_CASE(w, , 32); ++__CMPWAIT_CASE( , , 64); + + #undef __CMPWAIT_CASE + +@@ -254,13 +254,13 @@ static __always_inline void __cmpwait##sfx(volatile void *ptr, \ + { \ + switch (size) { \ + case 1: \ +- return __cmpwait_case##sfx##_1(ptr, (u8)val); \ ++ return __cmpwait_case##sfx##_8(ptr, (u8)val); \ + case 2: \ +- return __cmpwait_case##sfx##_2(ptr, (u16)val); \ ++ return __cmpwait_case##sfx##_16(ptr, (u16)val); \ + case 4: \ +- return __cmpwait_case##sfx##_4(ptr, val); \ ++ return __cmpwait_case##sfx##_32(ptr, val); \ + case 8: \ +- return __cmpwait_case##sfx##_8(ptr, val); \ ++ return __cmpwait_case##sfx##_64(ptr, val); \ + default: \ + BUILD_BUG(); \ + } \ +diff --git a/arch/arm64/kernel/module.lds b/arch/arm64/kernel/module.lds +index 22e36a21c1134..09a0eef71d12b 100644 +--- a/arch/arm64/kernel/module.lds ++++ b/arch/arm64/kernel/module.lds +@@ -1,5 +1,5 @@ + SECTIONS { +- .plt (NOLOAD) : { BYTE(0) } +- .init.plt (NOLOAD) : { BYTE(0) } +- .text.ftrace_trampoline (NOLOAD) : { BYTE(0) } ++ .plt 0 (NOLOAD) : { BYTE(0) } ++ .init.plt 0 (NOLOAD) : { BYTE(0) } ++ .text.ftrace_trampoline 0 (NOLOAD) : { BYTE(0) } + } +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c +index 0ca254085a662..c152c30c2d06d 100644 +--- a/arch/parisc/kernel/irq.c ++++ b/arch/parisc/kernel/irq.c +@@ -380,7 +380,11 @@ static inline int eirr_to_irq(unsigned long eirr) + /* + * IRQ STACK - used for irq handler + */ ++#ifdef CONFIG_64BIT ++#define IRQ_STACK_SIZE (4096 << 4) /* 64k irq stack size */ ++#else + #define IRQ_STACK_SIZE (4096 << 3) /* 32k irq stack size */ ++#endif + + union irq_stack_union { + unsigned long stack[IRQ_STACK_SIZE/sizeof(unsigned long)]; +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c +index f58336af095c9..1ccfe6bb9122e 100644 +--- a/arch/x86/kernel/module.c ++++ b/arch/x86/kernel/module.c +@@ -126,6 +126,7 @@ int apply_relocate(Elf32_Shdr *sechdrs, + *location += sym->st_value; + break; + case R_386_PC32: ++ case R_386_PLT32: + /* Add the value, subtract its position */ + *location += sym->st_value - (uint32_t)location; + break; +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 0d52c9050113d..729e288718ccb 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -477,6 +477,15 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = { + }, + }, + ++ { /* PCIe Wifi card isn't detected after reboot otherwise */ ++ .callback = set_pci_reboot, ++ .ident = "Zotac ZBOX CI327 nano", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "NA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZBOX-CI327NANO-GS-01"), ++ }, ++ }, ++ + /* Sony */ + { /* Handle problems with rebooting on Sony VGN-Z540N */ + .callback = set_bios_reboot, +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index 220e97841e494..c58b631781233 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -840,9 +840,11 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + case R_386_PC32: + case R_386_PC16: + case R_386_PC8: ++ case R_386_PLT32: + /* +- * NONE can be ignored and PC relative relocations don't +- * need to be adjusted. ++ * NONE can be ignored and PC relative relocations don't need ++ * to be adjusted. Because sym must be defined, R_386_PLT32 can ++ * be treated the same way as R_386_PC32. + */ + break; + +@@ -883,9 +885,11 @@ static int do_reloc_real(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + case R_386_PC32: + case R_386_PC16: + case R_386_PC8: ++ case R_386_PLT32: + /* +- * NONE can be ignored and PC relative relocations don't +- * need to be adjusted. ++ * NONE can be ignored and PC relative relocations don't need ++ * to be adjusted. Because sym must be defined, R_386_PLT32 can ++ * be treated the same way as R_386_PC32. + */ + break; + +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c +index 30295d2ebd924..e031b7e7272a4 100644 +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -706,6 +706,8 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, + + for (i = 0; i < count; i++) { + unsigned long mfn, pfn; ++ struct gnttab_unmap_grant_ref unmap[2]; ++ int rc; + + /* Do not add to override if the map failed. */ + if (map_ops[i].status != GNTST_okay || +@@ -723,10 +725,46 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, + + WARN(pfn_to_mfn(pfn) != INVALID_P2M_ENTRY, "page must be ballooned"); + +- if (unlikely(!set_phys_to_machine(pfn, FOREIGN_FRAME(mfn)))) { +- ret = -ENOMEM; +- goto out; ++ if (likely(set_phys_to_machine(pfn, FOREIGN_FRAME(mfn)))) ++ continue; ++ ++ /* ++ * Signal an error for this slot. This in turn requires ++ * immediate unmapping. ++ */ ++ map_ops[i].status = GNTST_general_error; ++ unmap[0].host_addr = map_ops[i].host_addr, ++ unmap[0].handle = map_ops[i].handle; ++ map_ops[i].handle = ~0; ++ if (map_ops[i].flags & GNTMAP_device_map) ++ unmap[0].dev_bus_addr = map_ops[i].dev_bus_addr; ++ else ++ unmap[0].dev_bus_addr = 0; ++ ++ if (kmap_ops) { ++ kmap_ops[i].status = GNTST_general_error; ++ unmap[1].host_addr = kmap_ops[i].host_addr, ++ unmap[1].handle = kmap_ops[i].handle; ++ kmap_ops[i].handle = ~0; ++ if (kmap_ops[i].flags & GNTMAP_device_map) ++ unmap[1].dev_bus_addr = kmap_ops[i].dev_bus_addr; ++ else ++ unmap[1].dev_bus_addr = 0; + } ++ ++ /* ++ * Pre-populate both status fields, to be recognizable in ++ * the log message below. ++ */ ++ unmap[0].status = 1; ++ unmap[1].status = 1; ++ ++ rc = HYPERVISOR_grant_table_op(GNTTABOP_unmap_grant_ref, ++ unmap, 1 + !!kmap_ops); ++ if (rc || unmap[0].status != GNTST_okay || ++ unmap[1].status != GNTST_okay) ++ pr_err_once("gnttab unmap failed: rc=%d st0=%d st1=%d\n", ++ rc, unmap[0].status, unmap[1].status); + } + + out: +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index 0d906ca8d4f5c..0798d6aacedd3 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -738,7 +738,7 @@ static ssize_t mm_stat_show(struct device *dev, + zram->limit_pages << PAGE_SHIFT, + max_used << PAGE_SHIFT, + (u64)atomic64_read(&zram->stats.same_pages), +- pool_stats.pages_compacted); ++ atomic_long_read(&pool_stats.pages_compacted)); + up_read(&zram->init_lock); + + return ret; +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index a956c73ea85e5..374279ba14449 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -865,9 +865,9 @@ int virtio_gpu_object_attach(struct virtio_gpu_device *vgdev, + } + + /* gets freed when the ring has consumed it */ +- ents = kmalloc_array(obj->pages->nents, +- sizeof(struct virtio_gpu_mem_entry), +- GFP_KERNEL); ++ ents = kvmalloc_array(obj->pages->nents, ++ sizeof(struct virtio_gpu_mem_entry), ++ GFP_KERNEL); + if (!ents) { + DRM_ERROR("failed to allocate ent list\n"); + return -ENOMEM; +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index bf7aaff3aa375..bbbbfd697f9c4 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -630,11 +630,18 @@ static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, + data[0], data[1]); + break; + case MCE_RSP_EQIRCFS: ++ if (!data[0] && !data[1]) { ++ dev_dbg(dev, "%s: no carrier", inout); ++ break; ++ } ++ // prescaler should make sense ++ if (data[0] > 8) ++ break; + period = DIV_ROUND_CLOSEST((1U << data[0] * 2) * + (data[1] + 1), 10); + if (!period) + break; +- carrier = (1000 * 1000) / period; ++ carrier = USEC_PER_SEC / period; + dev_dbg(dev, "%s carrier of %u Hz (period %uus)", + inout, carrier, period); + break; +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 5899593dabaf6..aaaee039fb30c 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -904,7 +904,10 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + unsigned int i; + + extra_size = roundup(extra_size, sizeof(*entity->pads)); +- num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1; ++ if (num_pads) ++ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; ++ else ++ num_inputs = 0; + size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads + + num_inputs; + entity = kzalloc(size, GFP_KERNEL); +@@ -920,7 +923,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + + for (i = 0; i < num_inputs; ++i) + entity->pads[i].flags = MEDIA_PAD_FL_SINK; +- if (!UVC_ENTITY_IS_OTERM(entity)) ++ if (!UVC_ENTITY_IS_OTERM(entity) && num_pads) + entity->pads[num_pads-1].flags = MEDIA_PAD_FL_SOURCE; + + entity->bNrInPins = num_inputs; +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index 8eb52139684aa..1e4c75877ad11 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -2836,7 +2836,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg, + v4l2_kioctl func) + { + char sbuf[128]; +- void *mbuf = NULL; ++ void *mbuf = NULL, *array_buf = NULL; + void *parg = (void *)arg; + long err = -EINVAL; + bool has_array_args; +@@ -2894,20 +2894,14 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg, + has_array_args = err; + + if (has_array_args) { +- /* +- * When adding new types of array args, make sure that the +- * parent argument to ioctl (which contains the pointer to the +- * array) fits into sbuf (so that mbuf will still remain +- * unused up to here). +- */ +- mbuf = kvmalloc(array_size, GFP_KERNEL); ++ array_buf = kvmalloc(array_size, GFP_KERNEL); + err = -ENOMEM; +- if (NULL == mbuf) ++ if (array_buf == NULL) + goto out_array_args; + err = -EFAULT; +- if (copy_from_user(mbuf, user_ptr, array_size)) ++ if (copy_from_user(array_buf, user_ptr, array_size)) + goto out_array_args; +- *kernel_ptr = mbuf; ++ *kernel_ptr = array_buf; + } + + /* Handles IOCTL */ +@@ -2926,7 +2920,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg, + + if (has_array_args) { + *kernel_ptr = (void __force *)user_ptr; +- if (copy_to_user(user_ptr, mbuf, array_size)) ++ if (copy_to_user(user_ptr, array_buf, array_size)) + err = -EFAULT; + goto out_array_args; + } +@@ -2948,6 +2942,7 @@ out_array_args: + } + + out: ++ kvfree(array_buf); + kvfree(mbuf); + return err; + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 6702a374dbd7b..0ff4929780017 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1208,6 +1208,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x1255, 4)}, + {QMI_FIXED_INTF(0x19d2, 0x1256, 4)}, + {QMI_FIXED_INTF(0x19d2, 0x1270, 5)}, /* ZTE MF667 */ ++ {QMI_FIXED_INTF(0x19d2, 0x1275, 3)}, /* ZTE P685M */ + {QMI_FIXED_INTF(0x19d2, 0x1401, 2)}, + {QMI_FIXED_INTF(0x19d2, 0x1402, 2)}, /* ZTE MF60 */ + {QMI_FIXED_INTF(0x19d2, 0x1424, 2)}, +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index be4420ff52b8a..aa5bec5a36761 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3545,23 +3545,16 @@ bool ath10k_mac_tx_frm_has_freq(struct ath10k *ar) + static int ath10k_mac_tx_wmi_mgmt(struct ath10k *ar, struct sk_buff *skb) + { + struct sk_buff_head *q = &ar->wmi_mgmt_tx_queue; +- int ret = 0; +- +- spin_lock_bh(&ar->data_lock); + +- if (skb_queue_len(q) == ATH10K_MAX_NUM_MGMT_PENDING) { ++ if (skb_queue_len_lockless(q) >= ATH10K_MAX_NUM_MGMT_PENDING) { + ath10k_warn(ar, "wmi mgmt tx queue is full\n"); +- ret = -ENOSPC; +- goto unlock; ++ return -ENOSPC; + } + +- __skb_queue_tail(q, skb); ++ skb_queue_tail(q, skb); + ieee80211_queue_work(ar->hw, &ar->wmi_mgmt_tx_work); + +-unlock: +- spin_unlock_bh(&ar->data_lock); +- +- return ret; ++ return 0; + } + + static enum ath10k_mac_tx_path +diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c +index 22009e14a8fc1..9bd635ec7827b 100644 +--- a/drivers/net/wireless/ti/wl12xx/main.c ++++ b/drivers/net/wireless/ti/wl12xx/main.c +@@ -648,7 +648,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_LEGACY_NVS | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + wl->sr_fw_name = WL127X_FW_NAME_SINGLE; + wl->mr_fw_name = WL127X_FW_NAME_MULTI; +@@ -672,7 +671,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_LEGACY_NVS | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + wl->plt_fw_name = WL127X_PLT_FW_NAME; + wl->sr_fw_name = WL127X_FW_NAME_SINGLE; +@@ -701,7 +699,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + + wlcore_set_min_fw_ver(wl, WL128X_CHIP_VER, +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index eb3a7971c1d34..9f568034deb35 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -2832,21 +2832,8 @@ static int wlcore_join(struct wl1271 *wl, struct wl12xx_vif *wlvif) + + if (is_ibss) + ret = wl12xx_cmd_role_start_ibss(wl, wlvif); +- else { +- if (wl->quirks & WLCORE_QUIRK_START_STA_FAILS) { +- /* +- * TODO: this is an ugly workaround for wl12xx fw +- * bug - we are not able to tx/rx after the first +- * start_sta, so make dummy start+stop calls, +- * and then call start_sta again. +- * this should be fixed in the fw. +- */ +- wl12xx_cmd_role_start_sta(wl, wlvif); +- wl12xx_cmd_role_stop_sta(wl, wlvif); +- } +- ++ else + ret = wl12xx_cmd_role_start_sta(wl, wlvif); +- } + + return ret; + } +diff --git a/drivers/net/wireless/ti/wlcore/wlcore.h b/drivers/net/wireless/ti/wlcore/wlcore.h +index 95fbedc8ea342..a75b43f5a6c2a 100644 +--- a/drivers/net/wireless/ti/wlcore/wlcore.h ++++ b/drivers/net/wireless/ti/wlcore/wlcore.h +@@ -560,9 +560,6 @@ wlcore_set_min_fw_ver(struct wl1271 *wl, unsigned int chip, + /* Each RX/TX transaction requires an end-of-transaction transfer */ + #define WLCORE_QUIRK_END_OF_TRANSACTION BIT(0) + +-/* the first start_role(sta) sometimes doesn't work on wl12xx */ +-#define WLCORE_QUIRK_START_STA_FAILS BIT(1) +- + /* wl127x and SPI don't support SDIO block size alignment */ + #define WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN BIT(2) + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index fcaf4dd9d9c4c..ad555a9a3eca1 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1328,11 +1328,21 @@ int xenvif_tx_action(struct xenvif_queue *queue, int budget) + return 0; + + gnttab_batch_copy(queue->tx_copy_ops, nr_cops); +- if (nr_mops != 0) ++ if (nr_mops != 0) { + ret = gnttab_map_refs(queue->tx_map_ops, + NULL, + queue->pages_to_map, + nr_mops); ++ if (ret) { ++ unsigned int i; ++ ++ netdev_err(queue->vif->dev, "Map fail: nr %u ret %d\n", ++ nr_mops, ret); ++ for (i = 0; i < nr_mops; ++i) ++ WARN_ON_ONCE(queue->tx_map_ops[i].status == ++ GNTST_okay); ++ } ++ } + + work_done = xenvif_tx_submit(queue); + +diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c +index f9cf676a0469d..56794b13bb127 100644 +--- a/drivers/s390/virtio/virtio_ccw.c ++++ b/drivers/s390/virtio/virtio_ccw.c +@@ -106,7 +106,7 @@ struct virtio_rev_info { + }; + + /* the highest virtio-ccw revision we support */ +-#define VIRTIO_CCW_REV_MAX 1 ++#define VIRTIO_CCW_REV_MAX 2 + + struct virtio_ccw_vq_info { + struct virtqueue *vq; +@@ -911,7 +911,7 @@ static u8 virtio_ccw_get_status(struct virtio_device *vdev) + u8 old_status = *vcdev->status; + struct ccw1 *ccw; + +- if (vcdev->revision < 1) ++ if (vcdev->revision < 2) + return *vcdev->status; + + ccw = kzalloc(sizeof(*ccw), GFP_DMA | GFP_KERNEL); +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index f7e1af90849b3..f180d1b4553c1 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -3368,125 +3368,125 @@ int iscsi_session_get_param(struct iscsi_cls_session *cls_session, + + switch(param) { + case ISCSI_PARAM_FAST_ABORT: +- len = sprintf(buf, "%d\n", session->fast_abort); ++ len = sysfs_emit(buf, "%d\n", session->fast_abort); + break; + case ISCSI_PARAM_ABORT_TMO: +- len = sprintf(buf, "%d\n", session->abort_timeout); ++ len = sysfs_emit(buf, "%d\n", session->abort_timeout); + break; + case ISCSI_PARAM_LU_RESET_TMO: +- len = sprintf(buf, "%d\n", session->lu_reset_timeout); ++ len = sysfs_emit(buf, "%d\n", session->lu_reset_timeout); + break; + case ISCSI_PARAM_TGT_RESET_TMO: +- len = sprintf(buf, "%d\n", session->tgt_reset_timeout); ++ len = sysfs_emit(buf, "%d\n", session->tgt_reset_timeout); + break; + case ISCSI_PARAM_INITIAL_R2T_EN: +- len = sprintf(buf, "%d\n", session->initial_r2t_en); ++ len = sysfs_emit(buf, "%d\n", session->initial_r2t_en); + break; + case ISCSI_PARAM_MAX_R2T: +- len = sprintf(buf, "%hu\n", session->max_r2t); ++ len = sysfs_emit(buf, "%hu\n", session->max_r2t); + break; + case ISCSI_PARAM_IMM_DATA_EN: +- len = sprintf(buf, "%d\n", session->imm_data_en); ++ len = sysfs_emit(buf, "%d\n", session->imm_data_en); + break; + case ISCSI_PARAM_FIRST_BURST: +- len = sprintf(buf, "%u\n", session->first_burst); ++ len = sysfs_emit(buf, "%u\n", session->first_burst); + break; + case ISCSI_PARAM_MAX_BURST: +- len = sprintf(buf, "%u\n", session->max_burst); ++ len = sysfs_emit(buf, "%u\n", session->max_burst); + break; + case ISCSI_PARAM_PDU_INORDER_EN: +- len = sprintf(buf, "%d\n", session->pdu_inorder_en); ++ len = sysfs_emit(buf, "%d\n", session->pdu_inorder_en); + break; + case ISCSI_PARAM_DATASEQ_INORDER_EN: +- len = sprintf(buf, "%d\n", session->dataseq_inorder_en); ++ len = sysfs_emit(buf, "%d\n", session->dataseq_inorder_en); + break; + case ISCSI_PARAM_DEF_TASKMGMT_TMO: +- len = sprintf(buf, "%d\n", session->def_taskmgmt_tmo); ++ len = sysfs_emit(buf, "%d\n", session->def_taskmgmt_tmo); + break; + case ISCSI_PARAM_ERL: +- len = sprintf(buf, "%d\n", session->erl); ++ len = sysfs_emit(buf, "%d\n", session->erl); + break; + case ISCSI_PARAM_TARGET_NAME: +- len = sprintf(buf, "%s\n", session->targetname); ++ len = sysfs_emit(buf, "%s\n", session->targetname); + break; + case ISCSI_PARAM_TARGET_ALIAS: +- len = sprintf(buf, "%s\n", session->targetalias); ++ len = sysfs_emit(buf, "%s\n", session->targetalias); + break; + case ISCSI_PARAM_TPGT: +- len = sprintf(buf, "%d\n", session->tpgt); ++ len = sysfs_emit(buf, "%d\n", session->tpgt); + break; + case ISCSI_PARAM_USERNAME: +- len = sprintf(buf, "%s\n", session->username); ++ len = sysfs_emit(buf, "%s\n", session->username); + break; + case ISCSI_PARAM_USERNAME_IN: +- len = sprintf(buf, "%s\n", session->username_in); ++ len = sysfs_emit(buf, "%s\n", session->username_in); + break; + case ISCSI_PARAM_PASSWORD: +- len = sprintf(buf, "%s\n", session->password); ++ len = sysfs_emit(buf, "%s\n", session->password); + break; + case ISCSI_PARAM_PASSWORD_IN: +- len = sprintf(buf, "%s\n", session->password_in); ++ len = sysfs_emit(buf, "%s\n", session->password_in); + break; + case ISCSI_PARAM_IFACE_NAME: +- len = sprintf(buf, "%s\n", session->ifacename); ++ len = sysfs_emit(buf, "%s\n", session->ifacename); + break; + case ISCSI_PARAM_INITIATOR_NAME: +- len = sprintf(buf, "%s\n", session->initiatorname); ++ len = sysfs_emit(buf, "%s\n", session->initiatorname); + break; + case ISCSI_PARAM_BOOT_ROOT: +- len = sprintf(buf, "%s\n", session->boot_root); ++ len = sysfs_emit(buf, "%s\n", session->boot_root); + break; + case ISCSI_PARAM_BOOT_NIC: +- len = sprintf(buf, "%s\n", session->boot_nic); ++ len = sysfs_emit(buf, "%s\n", session->boot_nic); + break; + case ISCSI_PARAM_BOOT_TARGET: +- len = sprintf(buf, "%s\n", session->boot_target); ++ len = sysfs_emit(buf, "%s\n", session->boot_target); + break; + case ISCSI_PARAM_AUTO_SND_TGT_DISABLE: +- len = sprintf(buf, "%u\n", session->auto_snd_tgt_disable); ++ len = sysfs_emit(buf, "%u\n", session->auto_snd_tgt_disable); + break; + case ISCSI_PARAM_DISCOVERY_SESS: +- len = sprintf(buf, "%u\n", session->discovery_sess); ++ len = sysfs_emit(buf, "%u\n", session->discovery_sess); + break; + case ISCSI_PARAM_PORTAL_TYPE: +- len = sprintf(buf, "%s\n", session->portal_type); ++ len = sysfs_emit(buf, "%s\n", session->portal_type); + break; + case ISCSI_PARAM_CHAP_AUTH_EN: +- len = sprintf(buf, "%u\n", session->chap_auth_en); ++ len = sysfs_emit(buf, "%u\n", session->chap_auth_en); + break; + case ISCSI_PARAM_DISCOVERY_LOGOUT_EN: +- len = sprintf(buf, "%u\n", session->discovery_logout_en); ++ len = sysfs_emit(buf, "%u\n", session->discovery_logout_en); + break; + case ISCSI_PARAM_BIDI_CHAP_EN: +- len = sprintf(buf, "%u\n", session->bidi_chap_en); ++ len = sysfs_emit(buf, "%u\n", session->bidi_chap_en); + break; + case ISCSI_PARAM_DISCOVERY_AUTH_OPTIONAL: +- len = sprintf(buf, "%u\n", session->discovery_auth_optional); ++ len = sysfs_emit(buf, "%u\n", session->discovery_auth_optional); + break; + case ISCSI_PARAM_DEF_TIME2WAIT: +- len = sprintf(buf, "%d\n", session->time2wait); ++ len = sysfs_emit(buf, "%d\n", session->time2wait); + break; + case ISCSI_PARAM_DEF_TIME2RETAIN: +- len = sprintf(buf, "%d\n", session->time2retain); ++ len = sysfs_emit(buf, "%d\n", session->time2retain); + break; + case ISCSI_PARAM_TSID: +- len = sprintf(buf, "%u\n", session->tsid); ++ len = sysfs_emit(buf, "%u\n", session->tsid); + break; + case ISCSI_PARAM_ISID: +- len = sprintf(buf, "%02x%02x%02x%02x%02x%02x\n", ++ len = sysfs_emit(buf, "%02x%02x%02x%02x%02x%02x\n", + session->isid[0], session->isid[1], + session->isid[2], session->isid[3], + session->isid[4], session->isid[5]); + break; + case ISCSI_PARAM_DISCOVERY_PARENT_IDX: +- len = sprintf(buf, "%u\n", session->discovery_parent_idx); ++ len = sysfs_emit(buf, "%u\n", session->discovery_parent_idx); + break; + case ISCSI_PARAM_DISCOVERY_PARENT_TYPE: + if (session->discovery_parent_type) +- len = sprintf(buf, "%s\n", ++ len = sysfs_emit(buf, "%s\n", + session->discovery_parent_type); + else +- len = sprintf(buf, "\n"); ++ len = sysfs_emit(buf, "\n"); + break; + default: + return -ENOSYS; +@@ -3518,16 +3518,16 @@ int iscsi_conn_get_addr_param(struct sockaddr_storage *addr, + case ISCSI_PARAM_CONN_ADDRESS: + case ISCSI_HOST_PARAM_IPADDRESS: + if (sin) +- len = sprintf(buf, "%pI4\n", &sin->sin_addr.s_addr); ++ len = sysfs_emit(buf, "%pI4\n", &sin->sin_addr.s_addr); + else +- len = sprintf(buf, "%pI6\n", &sin6->sin6_addr); ++ len = sysfs_emit(buf, "%pI6\n", &sin6->sin6_addr); + break; + case ISCSI_PARAM_CONN_PORT: + case ISCSI_PARAM_LOCAL_PORT: + if (sin) +- len = sprintf(buf, "%hu\n", be16_to_cpu(sin->sin_port)); ++ len = sysfs_emit(buf, "%hu\n", be16_to_cpu(sin->sin_port)); + else +- len = sprintf(buf, "%hu\n", ++ len = sysfs_emit(buf, "%hu\n", + be16_to_cpu(sin6->sin6_port)); + break; + default: +@@ -3546,88 +3546,88 @@ int iscsi_conn_get_param(struct iscsi_cls_conn *cls_conn, + + switch(param) { + case ISCSI_PARAM_PING_TMO: +- len = sprintf(buf, "%u\n", conn->ping_timeout); ++ len = sysfs_emit(buf, "%u\n", conn->ping_timeout); + break; + case ISCSI_PARAM_RECV_TMO: +- len = sprintf(buf, "%u\n", conn->recv_timeout); ++ len = sysfs_emit(buf, "%u\n", conn->recv_timeout); + break; + case ISCSI_PARAM_MAX_RECV_DLENGTH: +- len = sprintf(buf, "%u\n", conn->max_recv_dlength); ++ len = sysfs_emit(buf, "%u\n", conn->max_recv_dlength); + break; + case ISCSI_PARAM_MAX_XMIT_DLENGTH: +- len = sprintf(buf, "%u\n", conn->max_xmit_dlength); ++ len = sysfs_emit(buf, "%u\n", conn->max_xmit_dlength); + break; + case ISCSI_PARAM_HDRDGST_EN: +- len = sprintf(buf, "%d\n", conn->hdrdgst_en); ++ len = sysfs_emit(buf, "%d\n", conn->hdrdgst_en); + break; + case ISCSI_PARAM_DATADGST_EN: +- len = sprintf(buf, "%d\n", conn->datadgst_en); ++ len = sysfs_emit(buf, "%d\n", conn->datadgst_en); + break; + case ISCSI_PARAM_IFMARKER_EN: +- len = sprintf(buf, "%d\n", conn->ifmarker_en); ++ len = sysfs_emit(buf, "%d\n", conn->ifmarker_en); + break; + case ISCSI_PARAM_OFMARKER_EN: +- len = sprintf(buf, "%d\n", conn->ofmarker_en); ++ len = sysfs_emit(buf, "%d\n", conn->ofmarker_en); + break; + case ISCSI_PARAM_EXP_STATSN: +- len = sprintf(buf, "%u\n", conn->exp_statsn); ++ len = sysfs_emit(buf, "%u\n", conn->exp_statsn); + break; + case ISCSI_PARAM_PERSISTENT_PORT: +- len = sprintf(buf, "%d\n", conn->persistent_port); ++ len = sysfs_emit(buf, "%d\n", conn->persistent_port); + break; + case ISCSI_PARAM_PERSISTENT_ADDRESS: +- len = sprintf(buf, "%s\n", conn->persistent_address); ++ len = sysfs_emit(buf, "%s\n", conn->persistent_address); + break; + case ISCSI_PARAM_STATSN: +- len = sprintf(buf, "%u\n", conn->statsn); ++ len = sysfs_emit(buf, "%u\n", conn->statsn); + break; + case ISCSI_PARAM_MAX_SEGMENT_SIZE: +- len = sprintf(buf, "%u\n", conn->max_segment_size); ++ len = sysfs_emit(buf, "%u\n", conn->max_segment_size); + break; + case ISCSI_PARAM_KEEPALIVE_TMO: +- len = sprintf(buf, "%u\n", conn->keepalive_tmo); ++ len = sysfs_emit(buf, "%u\n", conn->keepalive_tmo); + break; + case ISCSI_PARAM_LOCAL_PORT: +- len = sprintf(buf, "%u\n", conn->local_port); ++ len = sysfs_emit(buf, "%u\n", conn->local_port); + break; + case ISCSI_PARAM_TCP_TIMESTAMP_STAT: +- len = sprintf(buf, "%u\n", conn->tcp_timestamp_stat); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_timestamp_stat); + break; + case ISCSI_PARAM_TCP_NAGLE_DISABLE: +- len = sprintf(buf, "%u\n", conn->tcp_nagle_disable); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_nagle_disable); + break; + case ISCSI_PARAM_TCP_WSF_DISABLE: +- len = sprintf(buf, "%u\n", conn->tcp_wsf_disable); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_wsf_disable); + break; + case ISCSI_PARAM_TCP_TIMER_SCALE: +- len = sprintf(buf, "%u\n", conn->tcp_timer_scale); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_timer_scale); + break; + case ISCSI_PARAM_TCP_TIMESTAMP_EN: +- len = sprintf(buf, "%u\n", conn->tcp_timestamp_en); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_timestamp_en); + break; + case ISCSI_PARAM_IP_FRAGMENT_DISABLE: +- len = sprintf(buf, "%u\n", conn->fragment_disable); ++ len = sysfs_emit(buf, "%u\n", conn->fragment_disable); + break; + case ISCSI_PARAM_IPV4_TOS: +- len = sprintf(buf, "%u\n", conn->ipv4_tos); ++ len = sysfs_emit(buf, "%u\n", conn->ipv4_tos); + break; + case ISCSI_PARAM_IPV6_TC: +- len = sprintf(buf, "%u\n", conn->ipv6_traffic_class); ++ len = sysfs_emit(buf, "%u\n", conn->ipv6_traffic_class); + break; + case ISCSI_PARAM_IPV6_FLOW_LABEL: +- len = sprintf(buf, "%u\n", conn->ipv6_flow_label); ++ len = sysfs_emit(buf, "%u\n", conn->ipv6_flow_label); + break; + case ISCSI_PARAM_IS_FW_ASSIGNED_IPV6: +- len = sprintf(buf, "%u\n", conn->is_fw_assigned_ipv6); ++ len = sysfs_emit(buf, "%u\n", conn->is_fw_assigned_ipv6); + break; + case ISCSI_PARAM_TCP_XMIT_WSF: +- len = sprintf(buf, "%u\n", conn->tcp_xmit_wsf); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_xmit_wsf); + break; + case ISCSI_PARAM_TCP_RECV_WSF: +- len = sprintf(buf, "%u\n", conn->tcp_recv_wsf); ++ len = sysfs_emit(buf, "%u\n", conn->tcp_recv_wsf); + break; + case ISCSI_PARAM_LOCAL_IPADDR: +- len = sprintf(buf, "%s\n", conn->local_ipaddr); ++ len = sysfs_emit(buf, "%s\n", conn->local_ipaddr); + break; + default: + return -ENOSYS; +@@ -3645,13 +3645,13 @@ int iscsi_host_get_param(struct Scsi_Host *shost, enum iscsi_host_param param, + + switch (param) { + case ISCSI_HOST_PARAM_NETDEV_NAME: +- len = sprintf(buf, "%s\n", ihost->netdev); ++ len = sysfs_emit(buf, "%s\n", ihost->netdev); + break; + case ISCSI_HOST_PARAM_HWADDRESS: +- len = sprintf(buf, "%s\n", ihost->hwaddress); ++ len = sysfs_emit(buf, "%s\n", ihost->hwaddress); + break; + case ISCSI_HOST_PARAM_INITIATOR_NAME: +- len = sprintf(buf, "%s\n", ihost->initiatorname); ++ len = sysfs_emit(buf, "%s\n", ihost->initiatorname); + break; + default: + return -ENOSYS; +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index c3170500a1a1d..d385eddb1a433 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -119,7 +119,11 @@ show_transport_handle(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_internal *priv = dev_to_iscsi_internal(dev); +- return sprintf(buf, "%llu\n", (unsigned long long)iscsi_handle(priv->iscsi_transport)); ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++ return sysfs_emit(buf, "%llu\n", ++ (unsigned long long)iscsi_handle(priv->iscsi_transport)); + } + static DEVICE_ATTR(handle, S_IRUGO, show_transport_handle, NULL); + +@@ -129,7 +133,7 @@ show_transport_##name(struct device *dev, \ + struct device_attribute *attr,char *buf) \ + { \ + struct iscsi_internal *priv = dev_to_iscsi_internal(dev); \ +- return sprintf(buf, format"\n", priv->iscsi_transport->name); \ ++ return sysfs_emit(buf, format"\n", priv->iscsi_transport->name);\ + } \ + static DEVICE_ATTR(name, S_IRUGO, show_transport_##name, NULL); + +@@ -170,7 +174,7 @@ static ssize_t + show_ep_handle(struct device *dev, struct device_attribute *attr, char *buf) + { + struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev); +- return sprintf(buf, "%llu\n", (unsigned long long) ep->id); ++ return sysfs_emit(buf, "%llu\n", (unsigned long long) ep->id); + } + static ISCSI_ATTR(ep, handle, S_IRUGO, show_ep_handle, NULL); + +@@ -2763,6 +2767,9 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + struct iscsi_cls_session *session; + int err = 0, value = 0; + ++ if (ev->u.set_param.len > PAGE_SIZE) ++ return -EINVAL; ++ + session = iscsi_session_lookup(ev->u.set_param.sid); + conn = iscsi_conn_lookup(ev->u.set_param.sid, ev->u.set_param.cid); + if (!conn || !session) +@@ -2910,6 +2917,9 @@ iscsi_set_host_param(struct iscsi_transport *transport, + if (!transport->set_host_param) + return -ENOSYS; + ++ if (ev->u.set_host_param.len > PAGE_SIZE) ++ return -EINVAL; ++ + shost = scsi_host_lookup(ev->u.set_host_param.host_no); + if (!shost) { + printk(KERN_ERR "set_host_param could not find host no %u\n", +@@ -3497,6 +3507,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + { + int err = 0; + u32 portid; ++ u32 pdu_len; + struct iscsi_uevent *ev = nlmsg_data(nlh); + struct iscsi_transport *transport = NULL; + struct iscsi_internal *priv; +@@ -3504,6 +3515,9 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + struct iscsi_cls_conn *conn; + struct iscsi_endpoint *ep = NULL; + ++ if (!netlink_capable(skb, CAP_SYS_ADMIN)) ++ return -EPERM; ++ + if (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE) + *group = ISCSI_NL_GRP_UIP; + else +@@ -3611,6 +3625,14 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = -EINVAL; + break; + case ISCSI_UEVENT_SEND_PDU: ++ pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); ++ ++ if ((ev->u.send_pdu.hdr_size > pdu_len) || ++ (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { ++ err = -EINVAL; ++ break; ++ } ++ + conn = iscsi_conn_lookup(ev->u.send_pdu.sid, ev->u.send_pdu.cid); + if (conn) + ev->r.retcode = transport->send_pdu(conn, +@@ -4017,7 +4039,7 @@ show_priv_session_state(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%s\n", iscsi_session_state_name(session->state)); ++ return sysfs_emit(buf, "%s\n", iscsi_session_state_name(session->state)); + } + static ISCSI_CLASS_ATTR(priv_sess, state, S_IRUGO, show_priv_session_state, + NULL); +@@ -4026,7 +4048,7 @@ show_priv_session_creator(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%d\n", session->creator); ++ return sysfs_emit(buf, "%d\n", session->creator); + } + static ISCSI_CLASS_ATTR(priv_sess, creator, S_IRUGO, show_priv_session_creator, + NULL); +@@ -4035,7 +4057,7 @@ show_priv_session_target_id(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); +- return sprintf(buf, "%d\n", session->target_id); ++ return sysfs_emit(buf, "%d\n", session->target_id); + } + static ISCSI_CLASS_ATTR(priv_sess, target_id, S_IRUGO, + show_priv_session_target_id, NULL); +@@ -4048,8 +4070,8 @@ show_priv_session_##field(struct device *dev, \ + struct iscsi_cls_session *session = \ + iscsi_dev_to_session(dev->parent); \ + if (session->field == -1) \ +- return sprintf(buf, "off\n"); \ +- return sprintf(buf, format"\n", session->field); \ ++ return sysfs_emit(buf, "off\n"); \ ++ return sysfs_emit(buf, format"\n", session->field); \ + } + + #define iscsi_priv_session_attr_store(field) \ +diff --git a/drivers/staging/fwserial/fwserial.c b/drivers/staging/fwserial/fwserial.c +index 41a49c8194e50..b19c46bd2557c 100644 +--- a/drivers/staging/fwserial/fwserial.c ++++ b/drivers/staging/fwserial/fwserial.c +@@ -2249,6 +2249,7 @@ static int fwserial_create(struct fw_unit *unit) + err = fw_core_add_address_handler(&port->rx_handler, + &fw_high_memory_region); + if (err) { ++ tty_port_destroy(&port->port); + kfree(port); + goto free_ports; + } +@@ -2331,6 +2332,7 @@ unregister_ttys: + + free_ports: + for (--i; i >= 0; --i) { ++ fw_core_remove_address_handler(&serial->ports[i]->rx_handler); + tty_port_destroy(&serial->ports[i]->port); + kfree(serial->ports[i]); + } +diff --git a/drivers/staging/most/aim-sound/sound.c b/drivers/staging/most/aim-sound/sound.c +index ea1366a440083..e259bf4956ab6 100644 +--- a/drivers/staging/most/aim-sound/sound.c ++++ b/drivers/staging/most/aim-sound/sound.c +@@ -92,6 +92,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned int bytes) + { + unsigned int i = 0; + ++ if (bytes < 2) ++ return; + while (i < bytes - 2) { + dest[i] = source[i + 2]; + dest[i + 1] = source[i + 1]; +diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c +index a5f88cf0f61d5..a2c1a02f04078 100644 +--- a/drivers/tty/vt/consolemap.c ++++ b/drivers/tty/vt/consolemap.c +@@ -493,7 +493,7 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) + + p2[unicode & 0x3f] = fontpos; + +- p->sum += (fontpos << 20) + unicode; ++ p->sum += (fontpos << 20U) + unicode; + + return 0; + } +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 0d46e936d54ed..00c415131b069 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -91,11 +91,11 @@ + #define BLKS_PER_SEC(sbi) \ + ((sbi)->segs_per_sec * (sbi)->blocks_per_seg) + #define GET_SEC_FROM_SEG(sbi, segno) \ +- ((segno) / (sbi)->segs_per_sec) ++ (((segno) == -1) ? -1: (segno) / (sbi)->segs_per_sec) + #define GET_SEG_FROM_SEC(sbi, secno) \ + ((secno) * (sbi)->segs_per_sec) + #define GET_ZONE_FROM_SEC(sbi, secno) \ +- ((secno) / (sbi)->secs_per_zone) ++ (((secno) == -1) ? -1: (secno) / (sbi)->secs_per_zone) + #define GET_ZONE_FROM_SEG(sbi, segno) \ + GET_ZONE_FROM_SEC(sbi, GET_SEC_FROM_SEG(sbi, segno)) + +diff --git a/fs/jfs/jfs_filsys.h b/fs/jfs/jfs_filsys.h +index b67d64671bb40..415bfa90607a2 100644 +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h +@@ -281,5 +281,6 @@ + * fsck() must be run to repair + */ + #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */ ++#define FM_STATE_MAX 0x0000000f /* max value of s_state */ + + #endif /* _H_JFS_FILSYS */ +diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c +index d8658607bf468..b5214c9ac47ac 100644 +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -49,6 +49,7 @@ + + #include <linux/fs.h> + #include <linux/buffer_head.h> ++#include <linux/log2.h> + + #include "jfs_incore.h" + #include "jfs_filsys.h" +@@ -378,6 +379,15 @@ static int chkSuper(struct super_block *sb) + sbi->bsize = bsize; + sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize); + ++ /* check some fields for possible corruption */ ++ if (sbi->l2bsize != ilog2((u32)bsize) || ++ j_sb->pad != 0 || ++ le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) { ++ rc = -EINVAL; ++ jfs_err("jfs_mount: Mount Failure: superblock is corrupt!"); ++ goto out; ++ } ++ + /* + * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer + * cache. +diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c +index 666986b95c5d1..300cdbdc8494e 100644 +--- a/fs/sysfs/file.c ++++ b/fs/sysfs/file.c +@@ -17,6 +17,7 @@ + #include <linux/list.h> + #include <linux/mutex.h> + #include <linux/seq_file.h> ++#include <linux/mm.h> + + #include "sysfs.h" + #include "../kernfs/kernfs-internal.h" +@@ -549,3 +550,57 @@ void sysfs_remove_bin_file(struct kobject *kobj, + kernfs_remove_by_name(kobj->sd, attr->attr.name); + } + EXPORT_SYMBOL_GPL(sysfs_remove_bin_file); ++ ++/** ++ * sysfs_emit - scnprintf equivalent, aware of PAGE_SIZE buffer. ++ * @buf: start of PAGE_SIZE buffer. ++ * @fmt: format ++ * @...: optional arguments to @format ++ * ++ * ++ * Returns number of characters written to @buf. ++ */ ++int sysfs_emit(char *buf, const char *fmt, ...) ++{ ++ va_list args; ++ int len; ++ ++ if (WARN(!buf || offset_in_page(buf), ++ "invalid sysfs_emit: buf:%p\n", buf)) ++ return 0; ++ ++ va_start(args, fmt); ++ len = vscnprintf(buf, PAGE_SIZE, fmt, args); ++ va_end(args); ++ ++ return len; ++} ++EXPORT_SYMBOL_GPL(sysfs_emit); ++ ++/** ++ * sysfs_emit_at - scnprintf equivalent, aware of PAGE_SIZE buffer. ++ * @buf: start of PAGE_SIZE buffer. ++ * @at: offset in @buf to start write in bytes ++ * @at must be >= 0 && < PAGE_SIZE ++ * @fmt: format ++ * @...: optional arguments to @fmt ++ * ++ * ++ * Returns number of characters written starting at &@buf[@at]. ++ */ ++int sysfs_emit_at(char *buf, int at, const char *fmt, ...) ++{ ++ va_list args; ++ int len; ++ ++ if (WARN(!buf || offset_in_page(buf) || at < 0 || at >= PAGE_SIZE, ++ "invalid sysfs_emit_at: buf:%p at:%d\n", buf, at)) ++ return 0; ++ ++ va_start(args, fmt); ++ len = vscnprintf(buf + at, PAGE_SIZE - at, fmt, args); ++ va_end(args); ++ ++ return len; ++} ++EXPORT_SYMBOL_GPL(sysfs_emit_at); +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index 42c670a313518..16d5a949fb11a 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -835,7 +835,7 @@ xfs_setattr_size( + ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL)); + ASSERT(S_ISREG(inode->i_mode)); + ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| +- ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); ++ ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0); + + oldsize = inode->i_size; + newsize = iattr->ia_size; +diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h +index cca19bb200bda..d19211a4502bc 100644 +--- a/include/linux/sysfs.h ++++ b/include/linux/sysfs.h +@@ -301,6 +301,11 @@ static inline void sysfs_enable_ns(struct kernfs_node *kn) + return kernfs_enable_ns(kn); + } + ++__printf(2, 3) ++int sysfs_emit(char *buf, const char *fmt, ...); ++__printf(3, 4) ++int sysfs_emit_at(char *buf, int at, const char *fmt, ...); ++ + #else /* CONFIG_SYSFS */ + + static inline int sysfs_create_dir_ns(struct kobject *kobj, const void *ns) +@@ -507,6 +512,17 @@ static inline void sysfs_enable_ns(struct kernfs_node *kn) + { + } + ++__printf(2, 3) ++static inline int sysfs_emit(char *buf, const char *fmt, ...) ++{ ++ return 0; ++} ++ ++__printf(3, 4) ++static inline int sysfs_emit_at(char *buf, int at, const char *fmt, ...) ++{ ++ return 0; ++} + #endif /* CONFIG_SYSFS */ + + static inline int __must_check sysfs_create_file(struct kobject *kobj, +diff --git a/include/linux/zsmalloc.h b/include/linux/zsmalloc.h +index 57a8e98f2708c..6c871102c2735 100644 +--- a/include/linux/zsmalloc.h ++++ b/include/linux/zsmalloc.h +@@ -36,7 +36,7 @@ enum zs_mapmode { + + struct zs_pool_stats { + /* How many pages were migrated (freed) */ +- unsigned long pages_compacted; ++ atomic_long_t pages_compacted; + }; + + struct zs_pool; +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 9741101b1fb26..0f6959961f9a1 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1208,14 +1208,16 @@ static inline int alloc_fresh_gigantic_page(struct hstate *h, + static void update_and_free_page(struct hstate *h, struct page *page) + { + int i; ++ struct page *subpage = page; + + if (hstate_is_gigantic(h) && !gigantic_page_supported()) + return; + + h->nr_huge_pages--; + h->nr_huge_pages_node[page_to_nid(page)]--; +- for (i = 0; i < pages_per_huge_page(h); i++) { +- page[i].flags &= ~(1 << PG_locked | 1 << PG_error | ++ for (i = 0; i < pages_per_huge_page(h); ++ i++, subpage = mem_map_next(subpage, page, i)) { ++ subpage->flags &= ~(1 << PG_locked | 1 << PG_error | + 1 << PG_referenced | 1 << PG_dirty | + 1 << PG_active | 1 << PG_private | + 1 << PG_writeback); +@@ -4629,21 +4631,23 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr) + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end) + { +- unsigned long a_start, a_end; ++ unsigned long v_start = ALIGN(vma->vm_start, PUD_SIZE), ++ v_end = ALIGN_DOWN(vma->vm_end, PUD_SIZE); + +- if (!(vma->vm_flags & VM_MAYSHARE)) ++ /* ++ * vma need span at least one aligned PUD size and the start,end range ++ * must at least partialy within it. ++ */ ++ if (!(vma->vm_flags & VM_MAYSHARE) || !(v_end > v_start) || ++ (*end <= v_start) || (*start >= v_end)) + return; + + /* Extend the range to be PUD aligned for a worst case scenario */ +- a_start = ALIGN_DOWN(*start, PUD_SIZE); +- a_end = ALIGN(*end, PUD_SIZE); ++ if (*start > v_start) ++ *start = ALIGN_DOWN(*start, PUD_SIZE); + +- /* +- * Intersect the range with the vma range, since pmd sharing won't be +- * across vma after all +- */ +- *start = max(vma->vm_start, a_start); +- *end = min(vma->vm_end, a_end); ++ if (*end < v_end) ++ *end = ALIGN(*end, PUD_SIZE); + } + + /* +diff --git a/mm/page_io.c b/mm/page_io.c +index 5d882de3fbfd2..253623dbbb644 100644 +--- a/mm/page_io.c ++++ b/mm/page_io.c +@@ -38,7 +38,6 @@ static struct bio *get_swap_bio(gfp_t gfp_flags, + + bio->bi_iter.bi_sector = map_swap_page(page, &bdev); + bio_set_dev(bio, bdev); +- bio->bi_iter.bi_sector <<= PAGE_SHIFT - 9; + bio->bi_end_io = end_io; + + for (i = 0; i < nr; i++) +@@ -261,11 +260,6 @@ out: + return ret; + } + +-static sector_t swap_page_sector(struct page *page) +-{ +- return (sector_t)__page_file_index(page) << (PAGE_SHIFT - 9); +-} +- + static inline void count_swpout_vm_event(struct page *page) + { + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +@@ -324,7 +318,8 @@ int __swap_writepage(struct page *page, struct writeback_control *wbc, + return ret; + } + +- ret = bdev_write_page(sis->bdev, swap_page_sector(page), page, wbc); ++ ret = bdev_write_page(sis->bdev, map_swap_page(page, &sis->bdev), ++ page, wbc); + if (!ret) { + count_swpout_vm_event(page); + return 0; +@@ -374,7 +369,7 @@ int swap_readpage(struct page *page, bool do_poll) + return ret; + } + +- ret = bdev_read_page(sis->bdev, swap_page_sector(page), page); ++ ret = bdev_read_page(sis->bdev, map_swap_page(page, &sis->bdev), page); + if (!ret) { + if (trylock_page(page)) { + swap_slot_free_notify(page); +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 2aa7b59077b3c..f65d97fe2ef7e 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2304,7 +2304,7 @@ sector_t map_swap_page(struct page *page, struct block_device **bdev) + { + swp_entry_t entry; + entry.val = page_private(page); +- return map_swap_entry(entry, bdev); ++ return map_swap_entry(entry, bdev) << (PAGE_SHIFT - 9); + } + + /* +diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c +index c6df483b37517..6ed736ea9b592 100644 +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -2281,11 +2281,13 @@ static unsigned long zs_can_compact(struct size_class *class) + return obj_wasted * class->pages_per_zspage; + } + +-static void __zs_compact(struct zs_pool *pool, struct size_class *class) ++static unsigned long __zs_compact(struct zs_pool *pool, ++ struct size_class *class) + { + struct zs_compact_control cc; + struct zspage *src_zspage; + struct zspage *dst_zspage = NULL; ++ unsigned long pages_freed = 0; + + spin_lock(&class->lock); + while ((src_zspage = isolate_zspage(class, true))) { +@@ -2315,7 +2317,7 @@ static void __zs_compact(struct zs_pool *pool, struct size_class *class) + putback_zspage(class, dst_zspage); + if (putback_zspage(class, src_zspage) == ZS_EMPTY) { + free_zspage(pool, class, src_zspage); +- pool->stats.pages_compacted += class->pages_per_zspage; ++ pages_freed += class->pages_per_zspage; + } + spin_unlock(&class->lock); + cond_resched(); +@@ -2326,12 +2328,15 @@ static void __zs_compact(struct zs_pool *pool, struct size_class *class) + putback_zspage(class, src_zspage); + + spin_unlock(&class->lock); ++ ++ return pages_freed; + } + + unsigned long zs_compact(struct zs_pool *pool) + { + int i; + struct size_class *class; ++ unsigned long pages_freed = 0; + + for (i = ZS_SIZE_CLASSES - 1; i >= 0; i--) { + class = pool->size_class[i]; +@@ -2339,10 +2344,11 @@ unsigned long zs_compact(struct zs_pool *pool) + continue; + if (class->index != i) + continue; +- __zs_compact(pool, class); ++ pages_freed += __zs_compact(pool, class); + } ++ atomic_long_add(pages_freed, &pool->stats.pages_compacted); + +- return pool->stats.pages_compacted; ++ return pages_freed; + } + EXPORT_SYMBOL_GPL(zs_compact); + +@@ -2359,13 +2365,12 @@ static unsigned long zs_shrinker_scan(struct shrinker *shrinker, + struct zs_pool *pool = container_of(shrinker, struct zs_pool, + shrinker); + +- pages_freed = pool->stats.pages_compacted; + /* + * Compact classes and calculate compaction delta. + * Can run concurrently with a manually triggered + * (by user) compaction. + */ +- pages_freed = zs_compact(pool) - pages_freed; ++ pages_freed = zs_compact(pool); + + return pages_freed ? pages_freed : SHRINK_STOP; + } +diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c +index ebcab5bbadd7e..9f645a1d0202d 100644 +--- a/net/bluetooth/amp.c ++++ b/net/bluetooth/amp.c +@@ -305,6 +305,9 @@ void amp_read_loc_assoc_final_data(struct hci_dev *hdev, + struct hci_request req; + int err; + ++ if (!mgr) ++ return; ++ + cp.phy_handle = hcon->handle; + cp.len_so_far = cpu_to_le16(0); + cp.max_len = cpu_to_le16(hdev->amp_assoc_size); +diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c +index a097a8613a02c..8cf82631190c2 100644 +--- a/net/bridge/br_sysfs_if.c ++++ b/net/bridge/br_sysfs_if.c +@@ -50,9 +50,8 @@ static BRPORT_ATTR(_name, S_IRUGO | S_IWUSR, \ + static int store_flag(struct net_bridge_port *p, unsigned long v, + unsigned long mask) + { +- unsigned long flags; +- +- flags = p->flags; ++ unsigned long flags = p->flags; ++ int err; + + if (v) + flags |= mask; +@@ -60,6 +59,10 @@ static int store_flag(struct net_bridge_port *p, unsigned long v, + flags &= ~mask; + + if (flags != p->flags) { ++ err = br_switchdev_set_port_flag(p, flags, mask); ++ if (err) ++ return err; ++ + p->flags = flags; + br_port_flags_change(p, mask); + } +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 884afb8e9fc4e..b3132f11afeb9 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3555,7 +3555,7 @@ static int pktgen_thread_worker(void *arg) + struct pktgen_dev *pkt_dev = NULL; + int cpu = t->cpu; + +- BUG_ON(smp_processor_id() != cpu); ++ WARN_ON(smp_processor_id() != cpu); + + init_waitqueue_head(&t->queue); + complete(&t->start_done); +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 82ffadff1e9c0..18dc8524e525a 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3089,7 +3089,19 @@ EXPORT_SYMBOL(skb_split); + */ + static int skb_prepare_for_shift(struct sk_buff *skb) + { +- return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ int ret = 0; ++ ++ if (skb_cloned(skb)) { ++ /* Save and restore truesize: pskb_expand_head() may reallocate ++ * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we ++ * cannot change truesize at this point. ++ */ ++ unsigned int save_truesize = skb->truesize; ++ ++ ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ skb->truesize = save_truesize; ++ } ++ return ret; + } + + /** +diff --git a/scripts/Makefile b/scripts/Makefile +index 25ab143cbe148..fb82adadb6809 100644 +--- a/scripts/Makefile ++++ b/scripts/Makefile +@@ -10,6 +10,9 @@ + + HOST_EXTRACFLAGS += -I$(srctree)/tools/include + ++CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto) ++CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null) ++ + hostprogs-$(CONFIG_KALLSYMS) += kallsyms + hostprogs-$(CONFIG_LOGO) += pnmtologo + hostprogs-$(CONFIG_VT) += conmakehash +@@ -22,8 +25,10 @@ hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert + + HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include + HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include +-HOSTLOADLIBES_sign-file = -lcrypto +-HOSTLOADLIBES_extract-cert = -lcrypto ++HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS) ++HOSTLOADLIBES_sign-file = $(CRYPTO_LIBS) ++HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS) ++HOSTLOADLIBES_extract-cert = $(CRYPTO_LIBS) + + always := $(hostprogs-y) $(hostprogs-m) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index accd3846f1e3e..4f8c1a272df07 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -1191,7 +1191,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1451,7 +1451,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf, + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1858,6 +1858,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf, + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2029,6 +2033,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2116,6 +2123,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf, + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2669,6 +2679,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf, + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2761,10 +2775,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, + return -EPERM; + + /* ++ * No partial write. + * Enough data must be present. + */ + if (*ppos != 0) + return -EINVAL; ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; + + data = memdup_user_nul(buf, count); + if (IS_ERR(data))
