commit: 960699eac6983ad1174767153c20301d3746f701 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Thu Jun 11 11:28:44 2020 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Thu Jun 11 11:28:44 2020 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=960699ea
Linux patch 4.9.227 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 + 1226_linux-4.9.227.patch | 1642 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1646 insertions(+) diff --git a/0000_README b/0000_README index d0e9162..5270d46 100644 --- a/0000_README +++ b/0000_README @@ -947,6 +947,10 @@ Patch: 1225_linux-4.9.226.patch From: http://www.kernel.org Desc: Linux 4.9.226 +Patch: 1226_linux-4.9.227.patch +From: http://www.kernel.org +Desc: Linux 4.9.227 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1226_linux-4.9.227.patch b/1226_linux-4.9.227.patch new file mode 100644 index 0000000..9ba6a9f --- /dev/null +++ b/1226_linux-4.9.227.patch @@ -0,0 +1,1642 @@ +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu +index b41046b5713b..a5225df4a070 100644 +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -358,6 +358,7 @@ What: /sys/devices/system/cpu/vulnerabilities + /sys/devices/system/cpu/vulnerabilities/spec_store_bypass + /sys/devices/system/cpu/vulnerabilities/l1tf + /sys/devices/system/cpu/vulnerabilities/mds ++ /sys/devices/system/cpu/vulnerabilities/srbds + /sys/devices/system/cpu/vulnerabilities/tsx_async_abort + /sys/devices/system/cpu/vulnerabilities/itlb_multihit + Date: January 2018 +diff --git a/Documentation/hw-vuln/index.rst b/Documentation/hw-vuln/index.rst +index 24f53c501366..b5fbc6ae9d5f 100644 +--- a/Documentation/hw-vuln/index.rst ++++ b/Documentation/hw-vuln/index.rst +@@ -12,4 +12,5 @@ are configurable at compile, boot or run time. + l1tf + mds + tsx_async_abort +- multihit.rst ++ multihit ++ special-register-buffer-data-sampling +diff --git a/Documentation/hw-vuln/special-register-buffer-data-sampling.rst b/Documentation/hw-vuln/special-register-buffer-data-sampling.rst +new file mode 100644 +index 000000000000..47b1b3afac99 +--- /dev/null ++++ b/Documentation/hw-vuln/special-register-buffer-data-sampling.rst +@@ -0,0 +1,149 @@ ++.. SPDX-License-Identifier: GPL-2.0 ++ ++SRBDS - Special Register Buffer Data Sampling ++============================================= ++ ++SRBDS is a hardware vulnerability that allows MDS :doc:`mds` techniques to ++infer values returned from special register accesses. Special register ++accesses are accesses to off core registers. According to Intel's evaluation, ++the special register reads that have a security expectation of privacy are ++RDRAND, RDSEED and SGX EGETKEY. ++ ++When RDRAND, RDSEED and EGETKEY instructions are used, the data is moved ++to the core through the special register mechanism that is susceptible ++to MDS attacks. ++ ++Affected processors ++-------------------- ++Core models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may ++be affected. ++ ++A processor is affected by SRBDS if its Family_Model and stepping is ++in the following list, with the exception of the listed processors ++exporting MDS_NO while Intel TSX is available yet not enabled. The ++latter class of processors are only affected when Intel TSX is enabled ++by software using TSX_CTRL_MSR otherwise they are not affected. ++ ++ ============= ============ ======== ++ common name Family_Model Stepping ++ ============= ============ ======== ++ IvyBridge 06_3AH All ++ ++ Haswell 06_3CH All ++ Haswell_L 06_45H All ++ Haswell_G 06_46H All ++ ++ Broadwell_G 06_47H All ++ Broadwell 06_3DH All ++ ++ Skylake_L 06_4EH All ++ Skylake 06_5EH All ++ ++ Kabylake_L 06_8EH <= 0xC ++ Kabylake 06_9EH <= 0xD ++ ============= ============ ======== ++ ++Related CVEs ++------------ ++ ++The following CVE entry is related to this SRBDS issue: ++ ++ ============== ===== ===================================== ++ CVE-2020-0543 SRBDS Special Register Buffer Data Sampling ++ ============== ===== ===================================== ++ ++Attack scenarios ++---------------- ++An unprivileged user can extract values returned from RDRAND and RDSEED ++executed on another core or sibling thread using MDS techniques. ++ ++ ++Mitigation mechanism ++------------------- ++Intel will release microcode updates that modify the RDRAND, RDSEED, and ++EGETKEY instructions to overwrite secret special register data in the shared ++staging buffer before the secret data can be accessed by another logical ++processor. ++ ++During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core ++accesses from other logical processors will be delayed until the special ++register read is complete and the secret data in the shared staging buffer is ++overwritten. ++ ++This has three effects on performance: ++ ++#. RDRAND, RDSEED, or EGETKEY instructions have higher latency. ++ ++#. Executing RDRAND at the same time on multiple logical processors will be ++ serialized, resulting in an overall reduction in the maximum RDRAND ++ bandwidth. ++ ++#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other ++ logical processors that miss their core caches, with an impact similar to ++ legacy locked cache-line-split accesses. ++ ++The microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable ++the mitigation for RDRAND and RDSEED instructions executed outside of Intel ++Software Guard Extensions (Intel SGX) enclaves. On logical processors that ++disable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not ++take longer to execute and do not impact performance of sibling logical ++processors memory accesses. The opt-out mechanism does not affect Intel SGX ++enclaves (including execution of RDRAND or RDSEED inside an enclave, as well ++as EGETKEY execution). ++ ++IA32_MCU_OPT_CTRL MSR Definition ++-------------------------------- ++Along with the mitigation for this issue, Intel added a new thread-scope ++IA32_MCU_OPT_CTRL MSR, (address 0x123). The presence of this MSR and ++RNGDS_MITG_DIS (bit 0) is enumerated by CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL = ++9]==1. This MSR is introduced through the microcode update. ++ ++Setting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor ++disables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX ++enclave on that logical processor. Opting out of the mitigation for a ++particular logical processor does not affect the RDRAND and RDSEED mitigations ++for other logical processors. ++ ++Note that inside of an Intel SGX enclave, the mitigation is applied regardless ++of the value of RNGDS_MITG_DS. ++ ++Mitigation control on the kernel command line ++--------------------------------------------- ++The kernel command line allows control over the SRBDS mitigation at boot time ++with the option "srbds=". The option for this is: ++ ++ ============= ============================================================= ++ off This option disables SRBDS mitigation for RDRAND and RDSEED on ++ affected platforms. ++ ============= ============================================================= ++ ++SRBDS System Information ++----------------------- ++The Linux kernel provides vulnerability status information through sysfs. For ++SRBDS this can be accessed by the following sysfs file: ++/sys/devices/system/cpu/vulnerabilities/srbds ++ ++The possible values contained in this file are: ++ ++ ============================== ============================================= ++ Not affected Processor not vulnerable ++ Vulnerable Processor vulnerable and mitigation disabled ++ Vulnerable: No microcode Processor vulnerable and microcode is missing ++ mitigation ++ Mitigation: Microcode Processor is vulnerable and mitigation is in ++ effect. ++ Mitigation: TSX disabled Processor is only vulnerable when TSX is ++ enabled while this system was booted with TSX ++ disabled. ++ Unknown: Dependent on ++ hypervisor status Running on virtual guest processor that is ++ affected but with no way to know if host ++ processor is mitigated or vulnerable. ++ ============================== ============================================= ++ ++SRBDS Default mitigation ++------------------------ ++This new microcode serializes processor access during execution of RDRAND, ++RDSEED ensures that the shared buffer is overwritten before it is released for ++reuse. Use the "srbds=off" kernel command line to disable the mitigation for ++RDRAND and RDSEED. +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index e05d65d6fcb6..40602517ca52 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -4262,6 +4262,26 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + spia_pedr= + spia_peddr= + ++ srbds= [X86,INTEL] ++ Control the Special Register Buffer Data Sampling ++ (SRBDS) mitigation. ++ ++ Certain CPUs are vulnerable to an MDS-like ++ exploit which can leak bits from the random ++ number generator. ++ ++ By default, this issue is mitigated by ++ microcode. However, the microcode fix can cause ++ the RDRAND and RDSEED instructions to become ++ much slower. Among other effects, this will ++ result in reduced throughput from /dev/urandom. ++ ++ The microcode mitigation can be disabled with ++ the following option: ++ ++ off: Disable mitigation and remove ++ performance impact to RDRAND and RDSEED ++ + ssbd= [ARM64,HW] + Speculative Store Bypass Disable control + +diff --git a/Makefile b/Makefile +index b0e1162fddfa..6c3c6e193621 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 226 ++SUBLEVEL = 227 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c +index 9f96120eee6e..82464fae7772 100644 +--- a/arch/arc/kernel/setup.c ++++ b/arch/arc/kernel/setup.c +@@ -12,6 +12,7 @@ + #include <linux/root_dev.h> + #include <linux/console.h> + #include <linux/module.h> ++#include <linux/sizes.h> + #include <linux/cpu.h> + #include <linux/of_fdt.h> + #include <linux/of.h> +@@ -333,12 +334,12 @@ static void arc_chk_core_config(void) + if ((unsigned int)__arc_dccm_base != cpu->dccm.base_addr) + panic("Linux built with incorrect DCCM Base address\n"); + +- if (CONFIG_ARC_DCCM_SZ != cpu->dccm.sz) ++ if (CONFIG_ARC_DCCM_SZ * SZ_1K != cpu->dccm.sz) + panic("Linux built with incorrect DCCM Size\n"); + #endif + + #ifdef CONFIG_ARC_HAS_ICCM +- if (CONFIG_ARC_ICCM_SZ != cpu->iccm.sz) ++ if (CONFIG_ARC_ICCM_SZ * SZ_1K != cpu->iccm.sz) + panic("Linux built with incorrect ICCM Size\n"); + #endif + +diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S +index 802a4ded9a62..e9df35249f9f 100644 +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -39,6 +39,7 @@ EXPORT_SYMBOL(_mcount) + ENTRY(ftrace_caller) + .globl ftrace_regs_caller + .set ftrace_regs_caller,ftrace_caller ++ stg %r14,(__SF_GPRS+8*8)(%r15) # save traced function caller + lgr %r1,%r15 + #ifndef CC_USING_HOTPATCH + aghi %r0,MCOUNT_RETURN_FIXUP +diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h +index ff501e511d91..b9473858c6b6 100644 +--- a/arch/x86/include/asm/cpu_device_id.h ++++ b/arch/x86/include/asm/cpu_device_id.h +@@ -8,6 +8,33 @@ + + #include <linux/mod_devicetable.h> + ++#define X86_STEPPINGS(mins, maxs) GENMASK(maxs, mins) ++ ++/** ++ * X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE - Base macro for CPU matching ++ * @_vendor: The vendor name, e.g. INTEL, AMD, HYGON, ..., ANY ++ * The name is expanded to X86_VENDOR_@_vendor ++ * @_family: The family number or X86_FAMILY_ANY ++ * @_model: The model number, model constant or X86_MODEL_ANY ++ * @_steppings: Bitmask for steppings, stepping constant or X86_STEPPING_ANY ++ * @_feature: A X86_FEATURE bit or X86_FEATURE_ANY ++ * @_data: Driver specific data or NULL. The internal storage ++ * format is unsigned long. The supplied value, pointer ++ * etc. is casted to unsigned long internally. ++ * ++ * Backport version to keep the SRBDS pile consistant. No shorter variants ++ * required for this. ++ */ ++#define X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(_vendor, _family, _model, \ ++ _steppings, _feature, _data) { \ ++ .vendor = X86_VENDOR_##_vendor, \ ++ .family = _family, \ ++ .model = _model, \ ++ .steppings = _steppings, \ ++ .feature = _feature, \ ++ .driver_data = (unsigned long) _data \ ++} ++ + extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match); + + #endif +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index fb457ba8ccc6..2cd5d12a842c 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -316,6 +316,7 @@ + /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ + #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ + #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ ++#define X86_FEATURE_SRBDS_CTRL (18*32+ 9) /* "" SRBDS mitigation MSR available */ + #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */ + #define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */ + #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */ +@@ -346,19 +347,20 @@ + */ + #define X86_BUG_ESPFIX X86_BUG(9) /* "" IRET to 16-bit SS corrupts ESP/RSP high bits */ + #endif +-#define X86_BUG_NULL_SEG X86_BUG(10) /* Nulling a selector preserves the base */ +-#define X86_BUG_SWAPGS_FENCE X86_BUG(11) /* SWAPGS without input dep on GS */ +-#define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */ +-#define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */ +-#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ +-#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ +-#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ +-#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ +-#define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ +-#define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ +-#define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ +-#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ +-#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ +-#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ ++#define X86_BUG_NULL_SEG X86_BUG(10) /* Nulling a selector preserves the base */ ++#define X86_BUG_SWAPGS_FENCE X86_BUG(11) /* SWAPGS without input dep on GS */ ++#define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */ ++#define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */ ++#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ ++#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ ++#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ ++#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ ++#define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ ++#define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ ++#define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ ++#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ ++#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ ++#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ ++#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 8d162e0f2881..b12b0a50ad1f 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -103,6 +103,10 @@ + #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ + #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ + ++/* SRBDS support */ ++#define MSR_IA32_MCU_OPT_CTRL 0x00000123 ++#define RNGDS_MITG_DIS BIT(0) ++ + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 + #define MSR_IA32_SYSENTER_EIP 0x00000176 +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index 5736306bdaab..e638e3bc3cb8 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -203,6 +203,7 @@ static inline int pmd_large(pmd_t pte) + } + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE ++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */ + static inline int pmd_trans_huge(pmd_t pmd) + { + return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE; +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 24307d5bb4b8..5ef0a2b34261 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -40,6 +40,7 @@ static void __init l1tf_select_mitigation(void); + static void __init mds_select_mitigation(void); + static void __init mds_print_mitigation(void); + static void __init taa_select_mitigation(void); ++static void __init srbds_select_mitigation(void); + + /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ + u64 x86_spec_ctrl_base; +@@ -107,6 +108,7 @@ void __init check_bugs(void) + l1tf_select_mitigation(); + mds_select_mitigation(); + taa_select_mitigation(); ++ srbds_select_mitigation(); + + /* + * As MDS and TAA mitigations are inter-related, print MDS +@@ -389,6 +391,97 @@ static int __init tsx_async_abort_parse_cmdline(char *str) + } + early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); + ++#undef pr_fmt ++#define pr_fmt(fmt) "SRBDS: " fmt ++ ++enum srbds_mitigations { ++ SRBDS_MITIGATION_OFF, ++ SRBDS_MITIGATION_UCODE_NEEDED, ++ SRBDS_MITIGATION_FULL, ++ SRBDS_MITIGATION_TSX_OFF, ++ SRBDS_MITIGATION_HYPERVISOR, ++}; ++ ++static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL; ++ ++static const char * const srbds_strings[] = { ++ [SRBDS_MITIGATION_OFF] = "Vulnerable", ++ [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", ++ [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode", ++ [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled", ++ [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status", ++}; ++ ++static bool srbds_off; ++ ++void update_srbds_msr(void) ++{ ++ u64 mcu_ctrl; ++ ++ if (!boot_cpu_has_bug(X86_BUG_SRBDS)) ++ return; ++ ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED) ++ return; ++ ++ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); ++ ++ switch (srbds_mitigation) { ++ case SRBDS_MITIGATION_OFF: ++ case SRBDS_MITIGATION_TSX_OFF: ++ mcu_ctrl |= RNGDS_MITG_DIS; ++ break; ++ case SRBDS_MITIGATION_FULL: ++ mcu_ctrl &= ~RNGDS_MITG_DIS; ++ break; ++ default: ++ break; ++ } ++ ++ wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); ++} ++ ++static void __init srbds_select_mitigation(void) ++{ ++ u64 ia32_cap; ++ ++ if (!boot_cpu_has_bug(X86_BUG_SRBDS)) ++ return; ++ ++ /* ++ * Check to see if this is one of the MDS_NO systems supporting ++ * TSX that are only exposed to SRBDS when TSX is enabled. ++ */ ++ ia32_cap = x86_read_arch_cap_msr(); ++ if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM)) ++ srbds_mitigation = SRBDS_MITIGATION_TSX_OFF; ++ else if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) ++ srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR; ++ else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL)) ++ srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED; ++ else if (cpu_mitigations_off() || srbds_off) ++ srbds_mitigation = SRBDS_MITIGATION_OFF; ++ ++ update_srbds_msr(); ++ pr_info("%s\n", srbds_strings[srbds_mitigation]); ++} ++ ++static int __init srbds_parse_cmdline(char *str) ++{ ++ if (!str) ++ return -EINVAL; ++ ++ if (!boot_cpu_has_bug(X86_BUG_SRBDS)) ++ return 0; ++ ++ srbds_off = !strcmp(str, "off"); ++ return 0; ++} ++early_param("srbds", srbds_parse_cmdline); ++ + #undef pr_fmt + #define pr_fmt(fmt) "Spectre V1 : " fmt + +@@ -1501,6 +1594,11 @@ static char *ibpb_state(void) + return ""; + } + ++static ssize_t srbds_show_state(char *buf) ++{ ++ return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); ++} ++ + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, + char *buf, unsigned int bug) + { +@@ -1542,6 +1640,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr + case X86_BUG_ITLB_MULTIHIT: + return itlb_multihit_show_state(buf); + ++ case X86_BUG_SRBDS: ++ return srbds_show_state(buf); ++ + default: + break; + } +@@ -1588,4 +1689,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr + { + return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT); + } ++ ++ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS); ++} + #endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index f490a4fab2f7..b16b6176738b 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -956,9 +956,30 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { + {} + }; + +-static bool __init cpu_matches(unsigned long which) ++#define VULNBL_INTEL_STEPPINGS(model, steppings, issues) \ ++ X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, \ ++ INTEL_FAM6_##model, steppings, \ ++ X86_FEATURE_ANY, issues) ++ ++#define SRBDS BIT(0) ++ ++static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { ++ VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(HASWELL_CORE, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(HASWELL_ULT, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(HASWELL_GT3E, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(BROADWELL_GT3E, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(BROADWELL_CORE, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPINGS(0x0, 0xC), SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPINGS(0x0, 0xD), SRBDS), ++ {} ++}; ++ ++static bool __init cpu_matches(const struct x86_cpu_id *table, unsigned long which) + { +- const struct x86_cpu_id *m = x86_match_cpu(cpu_vuln_whitelist); ++ const struct x86_cpu_id *m = x86_match_cpu(table); + + return m && !!(m->driver_data & which); + } +@@ -978,29 +999,32 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + u64 ia32_cap = x86_read_arch_cap_msr(); + + /* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */ +- if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO)) ++ if (!cpu_matches(cpu_vuln_whitelist, NO_ITLB_MULTIHIT) && ++ !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO)) + setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT); + +- if (cpu_matches(NO_SPECULATION)) ++ if (cpu_matches(cpu_vuln_whitelist, NO_SPECULATION)) + return; + + setup_force_cpu_bug(X86_BUG_SPECTRE_V1); + setup_force_cpu_bug(X86_BUG_SPECTRE_V2); + +- if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) && ++ if (!cpu_matches(cpu_vuln_whitelist, NO_SSB) && ++ !(ia32_cap & ARCH_CAP_SSB_NO) && + !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) + setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); + + if (ia32_cap & ARCH_CAP_IBRS_ALL) + setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); + +- if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) { ++ if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) && ++ !(ia32_cap & ARCH_CAP_MDS_NO)) { + setup_force_cpu_bug(X86_BUG_MDS); +- if (cpu_matches(MSBDS_ONLY)) ++ if (cpu_matches(cpu_vuln_whitelist, MSBDS_ONLY)) + setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); + } + +- if (!cpu_matches(NO_SWAPGS)) ++ if (!cpu_matches(cpu_vuln_whitelist, NO_SWAPGS)) + setup_force_cpu_bug(X86_BUG_SWAPGS); + + /* +@@ -1018,7 +1042,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + (ia32_cap & ARCH_CAP_TSX_CTRL_MSR))) + setup_force_cpu_bug(X86_BUG_TAA); + +- if (cpu_matches(NO_MELTDOWN)) ++ /* ++ * SRBDS affects CPUs which support RDRAND or RDSEED and are listed ++ * in the vulnerability blacklist. ++ */ ++ if ((cpu_has(c, X86_FEATURE_RDRAND) || ++ cpu_has(c, X86_FEATURE_RDSEED)) && ++ cpu_matches(cpu_vuln_blacklist, SRBDS)) ++ setup_force_cpu_bug(X86_BUG_SRBDS); ++ ++ if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) + return; + + /* Rogue Data Cache Load? No! */ +@@ -1027,7 +1060,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + + setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); + +- if (cpu_matches(NO_L1TF)) ++ if (cpu_matches(cpu_vuln_whitelist, NO_L1TF)) + return; + + setup_force_cpu_bug(X86_BUG_L1TF); +@@ -1450,6 +1483,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c) + mtrr_ap_init(); + validate_apic_and_package_id(c); + x86_spec_ctrl_setup_ap(); ++ update_srbds_msr(); + } + + struct msr_range { +diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h +index 4350f50b5deb..fdeeab6b158c 100644 +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -66,6 +66,7 @@ extern int detect_extended_topology_early(struct cpuinfo_x86 *c); + extern int detect_ht_early(struct cpuinfo_x86 *c); + + extern void x86_spec_ctrl_setup_ap(void); ++extern void update_srbds_msr(void); + + extern u64 x86_read_arch_cap_msr(void); + +diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c +index e42117d5f4d7..f46ffb3b295f 100644 +--- a/arch/x86/kernel/cpu/match.c ++++ b/arch/x86/kernel/cpu/match.c +@@ -33,13 +33,18 @@ const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match) + const struct x86_cpu_id *m; + struct cpuinfo_x86 *c = &boot_cpu_data; + +- for (m = match; m->vendor | m->family | m->model | m->feature; m++) { ++ for (m = match; ++ m->vendor | m->family | m->model | m->steppings | m->feature; ++ m++) { + if (m->vendor != X86_VENDOR_ANY && c->x86_vendor != m->vendor) + continue; + if (m->family != X86_FAMILY_ANY && c->x86 != m->family) + continue; + if (m->model != X86_MODEL_ANY && c->x86_model != m->model) + continue; ++ if (m->steppings != X86_STEPPING_ANY && ++ !(BIT(c->x86_stepping) & m->steppings)) ++ continue; + if (m->feature != X86_FEATURE_ANY && !cpu_has(c, m->feature)) + continue; + return m; +diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c +index bef36622e408..abd4fa587ca4 100644 +--- a/arch/x86/mm/mmio-mod.c ++++ b/arch/x86/mm/mmio-mod.c +@@ -385,7 +385,7 @@ static void enter_uniprocessor(void) + int cpu; + int err; + +- if (downed_cpus == NULL && ++ if (!cpumask_available(downed_cpus) && + !alloc_cpumask_var(&downed_cpus, GFP_KERNEL)) { + pr_notice("Failed to allocate mask\n"); + goto out; +@@ -415,7 +415,7 @@ static void leave_uniprocessor(void) + int cpu; + int err; + +- if (downed_cpus == NULL || cpumask_weight(downed_cpus) == 0) ++ if (!cpumask_available(downed_cpus) || cpumask_weight(downed_cpus) == 0) + return; + pr_notice("Re-enabling CPUs...\n"); + for_each_cpu(cpu, downed_cpus) { +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 677c5f36674b..100850398dd3 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -550,6 +550,12 @@ ssize_t __weak cpu_show_itlb_multihit(struct device *dev, + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_srbds(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); +@@ -558,6 +564,7 @@ static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); + static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); + static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL); + static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL); ++static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -568,6 +575,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_mds.attr, + &dev_attr_tsx_async_abort.attr, + &dev_attr_itlb_multihit.attr, ++ &dev_attr_srbds.attr, + NULL + }; + +diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +index 95052373a828..681ac9bc68b3 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c ++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +@@ -381,6 +381,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = { + }, + .driver_data = (void *)&sipodev_desc + }, ++ { ++ .ident = "Schneider SCL142ALM", ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SCHNEIDER"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SCL142ALM"), ++ }, ++ .driver_data = (void *)&sipodev_desc ++ }, + { } /* Terminate list */ + }; + +diff --git a/drivers/iio/light/vcnl4000.c b/drivers/iio/light/vcnl4000.c +index 360b6e98137a..5a3a532937ba 100644 +--- a/drivers/iio/light/vcnl4000.c ++++ b/drivers/iio/light/vcnl4000.c +@@ -61,7 +61,6 @@ static int vcnl4000_measure(struct vcnl4000_data *data, u8 req_mask, + u8 rdy_mask, u8 data_reg, int *val) + { + int tries = 20; +- __be16 buf; + int ret; + + mutex_lock(&data->lock); +@@ -88,13 +87,12 @@ static int vcnl4000_measure(struct vcnl4000_data *data, u8 req_mask, + goto fail; + } + +- ret = i2c_smbus_read_i2c_block_data(data->client, +- data_reg, sizeof(buf), (u8 *) &buf); ++ ret = i2c_smbus_read_word_swapped(data->client, data_reg); + if (ret < 0) + goto fail; + + mutex_unlock(&data->lock); +- *val = be16_to_cpu(buf); ++ *val = ret; + + return 0; + +diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c +index d0435c7631ff..9c938f9892b2 100644 +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -618,10 +618,9 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); +- slc_free_netdev(sl->dev); + /* do not call free_netdev before rtnl_unlock */ + rtnl_unlock(); +- free_netdev(sl->dev); ++ slc_free_netdev(sl->dev); + return err; + + err_exit: +diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c +index a65d7a60f116..ffa7e7e6d18d 100644 +--- a/drivers/net/ethernet/apple/bmac.c ++++ b/drivers/net/ethernet/apple/bmac.c +@@ -1187,7 +1187,7 @@ bmac_get_station_address(struct net_device *dev, unsigned char *ea) + int i; + unsigned short data; + +- for (i = 0; i < 6; i++) ++ for (i = 0; i < 3; i++) + { + reset_and_select_srom(dev); + data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits); +diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c +index 714593023bbc..af922bac19ae 100644 +--- a/drivers/net/ethernet/freescale/ucc_geth.c ++++ b/drivers/net/ethernet/freescale/ucc_geth.c +@@ -45,6 +45,7 @@ + #include <soc/fsl/qe/ucc.h> + #include <soc/fsl/qe/ucc_fast.h> + #include <asm/machdep.h> ++#include <net/sch_generic.h> + + #include "ucc_geth.h" + +@@ -1551,11 +1552,8 @@ static int ugeth_disable(struct ucc_geth_private *ugeth, enum comm_dir mode) + + static void ugeth_quiesce(struct ucc_geth_private *ugeth) + { +- /* Prevent any further xmits, plus detach the device. */ +- netif_device_detach(ugeth->ndev); +- +- /* Wait for any current xmits to finish. */ +- netif_tx_disable(ugeth->ndev); ++ /* Prevent any further xmits */ ++ netif_tx_stop_all_queues(ugeth->ndev); + + /* Disable the interrupt to avoid NAPI rescheduling. */ + disable_irq(ugeth->ug_info->uf_info.irq); +@@ -1568,7 +1566,10 @@ static void ugeth_activate(struct ucc_geth_private *ugeth) + { + napi_enable(&ugeth->napi); + enable_irq(ugeth->ug_info->uf_info.irq); +- netif_device_attach(ugeth->ndev); ++ ++ /* allow to xmit again */ ++ netif_tx_wake_all_queues(ugeth->ndev); ++ __netdev_watchdog_up(ugeth->ndev); + } + + /* Called every time the controller might need to be made +diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c +index 4143659615e1..264136dba674 100644 +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -2506,20 +2506,20 @@ static int smsc911x_drv_probe(struct platform_device *pdev) + + retval = smsc911x_init(dev); + if (retval < 0) +- goto out_disable_resources; ++ goto out_init_fail; + + netif_carrier_off(dev); + + retval = smsc911x_mii_init(pdev, dev); + if (retval) { + SMSC_WARN(pdata, probe, "Error %i initialising mii", retval); +- goto out_disable_resources; ++ goto out_init_fail; + } + + retval = register_netdev(dev); + if (retval) { + SMSC_WARN(pdata, probe, "Error %i registering device", retval); +- goto out_disable_resources; ++ goto out_init_fail; + } else { + SMSC_TRACE(pdata, probe, + "Network interface: \"%s\"", dev->name); +@@ -2560,9 +2560,10 @@ static int smsc911x_drv_probe(struct platform_device *pdev) + + return 0; + +-out_disable_resources: ++out_init_fail: + pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++out_disable_resources: + (void)smsc911x_disable_resources(pdev); + out_enable_resources_fail: + smsc911x_free_resources(pdev); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +index 11a4a81b0397..bcc5d1e16ce2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -330,6 +330,19 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + /* Enable PTP clock */ + regmap_read(gmac->nss_common, NSS_COMMON_CLK_GATE, &val); + val |= NSS_COMMON_CLK_GATE_PTP_EN(gmac->id); ++ switch (gmac->phy_mode) { ++ case PHY_INTERFACE_MODE_RGMII: ++ val |= NSS_COMMON_CLK_GATE_RGMII_RX_EN(gmac->id) | ++ NSS_COMMON_CLK_GATE_RGMII_TX_EN(gmac->id); ++ break; ++ case PHY_INTERFACE_MODE_SGMII: ++ val |= NSS_COMMON_CLK_GATE_GMII_RX_EN(gmac->id) | ++ NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id); ++ break; ++ default: ++ /* We don't get here; the switch above will have errored out */ ++ unreachable(); ++ } + regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val); + + if (gmac->phy_mode == PHY_INTERFACE_MODE_SGMII) { +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index fa8f7c40a384..804c52c35f07 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -494,6 +494,9 @@ static int pppoe_disc_rcv(struct sk_buff *skb, struct net_device *dev, + if (!skb) + goto out; + ++ if (skb->pkt_type != PACKET_HOST) ++ goto abort; ++ + if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr))) + goto abort; + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index cc841126147e..f870396e05e1 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -867,7 +867,10 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ /* do not call free_netdev before rtnl_unlock */ ++ rtnl_unlock(); + sl_free_netdev(sl->dev); ++ return err; + + err_exit: + rtnl_unlock(); +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 5755eec00d7f..9a873616dd27 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -921,6 +921,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index a8d470010f5e..ea609dc7f081 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -1928,6 +1928,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb, + airo_print_err(dev->name, "%s: skb == NULL!",__func__); + return NETDEV_TX_OK; + } ++ if (skb_padto(skb, ETH_ZLEN)) { ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; ++ } + npacks = skb_queue_len (&ai->txq); + + if (npacks >= MAXTXQ - 1) { +@@ -2130,6 +2134,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb, + airo_print_err(dev->name, "%s: skb == NULL!", __func__); + return NETDEV_TX_OK; + } ++ if (skb_padto(skb, ETH_ZLEN)) { ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; ++ } + + /* Find a vacant FID */ + for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ ); +@@ -2204,6 +2212,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb, + airo_print_err(dev->name, "%s: skb == NULL!", __func__); + return NETDEV_TX_OK; + } ++ if (skb_padto(skb, ETH_ZLEN)) { ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; ++ } + + /* Find a vacant FID */ + for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ ); +diff --git a/drivers/net/wireless/intersil/p54/p54usb.c b/drivers/net/wireless/intersil/p54/p54usb.c +index 4a197a32d78c..979fcef1d848 100644 +--- a/drivers/net/wireless/intersil/p54/p54usb.c ++++ b/drivers/net/wireless/intersil/p54/p54usb.c +@@ -64,6 +64,7 @@ static struct usb_device_id p54u_table[] = { + {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */ + {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */ + {USB_DEVICE(0x124a, 0x4023)}, /* Shuttle PN15, Airvast WM168g, IOGear GWU513 */ ++ {USB_DEVICE(0x124a, 0x4026)}, /* AirVasT USB wireless device */ + {USB_DEVICE(0x1435, 0x0210)}, /* Inventel UR054G */ + {USB_DEVICE(0x15a9, 0x0002)}, /* Gemtek WUBI-100GW 802.11g */ + {USB_DEVICE(0x1630, 0x0005)}, /* 2Wire 802.11g USB (v1) / Z-Com */ +diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c +index 798a32bbac5d..e023a679bdea 100644 +--- a/drivers/nfc/st21nfca/dep.c ++++ b/drivers/nfc/st21nfca/dep.c +@@ -184,8 +184,10 @@ static int st21nfca_tm_send_atr_res(struct nfc_hci_dev *hdev, + memcpy(atr_res->gbi, atr_req->gbi, gb_len); + r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi, + gb_len); +- if (r < 0) ++ if (r < 0) { ++ kfree_skb(skb); + return r; ++ } + } + + info->dep_info.curr_nfc_dep_pni = 0; +diff --git a/drivers/nvmem/qfprom.c b/drivers/nvmem/qfprom.c +index b5305f08b184..05b1c4f36b7b 100644 +--- a/drivers/nvmem/qfprom.c ++++ b/drivers/nvmem/qfprom.c +@@ -30,19 +30,6 @@ static int qfprom_reg_read(void *context, + return 0; + } + +-static int qfprom_reg_write(void *context, +- unsigned int reg, void *_val, size_t bytes) +-{ +- void __iomem *base = context; +- u32 *val = _val; +- int i = 0, words = bytes / 4; +- +- while (words--) +- writel(*val++, base + reg + (i++ * 4)); +- +- return 0; +-} +- + static int qfprom_remove(struct platform_device *pdev) + { + struct nvmem_device *nvmem = platform_get_drvdata(pdev); +@@ -56,7 +43,6 @@ static struct nvmem_config econfig = { + .stride = 4, + .word_size = 1, + .reg_read = qfprom_reg_read, +- .reg_write = qfprom_reg_write, + }; + + static int qfprom_probe(struct platform_device *pdev) +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 9d555b63d2e2..d596b76eea64 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -394,8 +394,8 @@ EXPORT_SYMBOL(scsi_dev_info_list_add_keyed); + + /** + * scsi_dev_info_list_find - find a matching dev_info list entry. +- * @vendor: vendor string +- * @model: model (product) string ++ * @vendor: full vendor string ++ * @model: full model (product) string + * @key: specify list to use + * + * Description: +@@ -410,7 +410,7 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor, + struct scsi_dev_info_list *devinfo; + struct scsi_dev_info_list_table *devinfo_table = + scsi_devinfo_lookup_by_key(key); +- size_t vmax, mmax; ++ size_t vmax, mmax, mlen; + const char *vskip, *mskip; + + if (IS_ERR(devinfo_table)) +@@ -449,15 +449,18 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor, + dev_info_list) { + if (devinfo->compatible) { + /* +- * Behave like the older version of get_device_flags. ++ * vendor strings must be an exact match + */ +- if (memcmp(devinfo->vendor, vskip, vmax) || +- (vmax < sizeof(devinfo->vendor) && +- devinfo->vendor[vmax])) ++ if (vmax != strlen(devinfo->vendor) || ++ memcmp(devinfo->vendor, vskip, vmax)) + continue; +- if (memcmp(devinfo->model, mskip, mmax) || +- (mmax < sizeof(devinfo->model) && +- devinfo->model[mmax])) ++ ++ /* ++ * @model specifies the full string, and ++ * must be larger or equal to devinfo->model ++ */ ++ mlen = strlen(devinfo->model); ++ if (mmax < mlen || memcmp(devinfo->model, mskip, mlen)) + continue; + return devinfo; + } else { +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 50d15748084a..af4b0a2021d6 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -1512,6 +1512,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) + + err = ufshcd_map_sg(hba, lrbp); + if (err) { ++ ufshcd_release(hba); + lrbp->cmd = NULL; + clear_bit_unlock(tag, &hba->lrb_in_use); + goto out; +diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c +index 16f0def9df82..babf0a337e96 100644 +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -305,6 +305,9 @@ static int dw_spi_transfer_one(struct spi_master *master, + dws->len = transfer->len; + spin_unlock_irqrestore(&dws->buf_lock, flags); + ++ /* Ensure dw->rx and dw->rx_end are visible */ ++ smp_mb(); ++ + spi_enable_chip(dws, 0); + + /* Handle per transfer options for bpw and speed */ +diff --git a/drivers/staging/rtl8712/wifi.h b/drivers/staging/rtl8712/wifi.h +index b8af9656e6da..f97275b90177 100644 +--- a/drivers/staging/rtl8712/wifi.h ++++ b/drivers/staging/rtl8712/wifi.h +@@ -471,7 +471,7 @@ static inline unsigned char *get_hdr_bssid(unsigned char *pframe) + /* block-ack parameters */ + #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 + #define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C +-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0 ++#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0 + #define IEEE80211_DELBA_PARAM_TID_MASK 0xF000 + #define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800 + +@@ -565,13 +565,6 @@ struct ieee80211_ht_addt_info { + #define IEEE80211_HT_IE_NON_GF_STA_PRSNT 0x0004 + #define IEEE80211_HT_IE_NON_HT_STA_PRSNT 0x0010 + +-/* block-ack parameters */ +-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 +-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C +-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0 +-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000 +-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800 +- + /* + * A-PMDU buffer sizes + * According to IEEE802.11n spec size varies from 8K to 64K (in powers of 2) +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index f8964247c4c3..985f49a65906 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -358,15 +358,14 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) + * tty fields and return the kref reference. + */ + if (rc) { +- tty_port_tty_set(&hp->port, NULL); +- tty->driver_data = NULL; +- tty_port_put(&hp->port); + printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc); +- } else ++ } else { + /* We are ready... raise DTR/RTS */ + if (C_BAUD(tty)) + if (hp->ops->dtr_rts) + hp->ops->dtr_rts(hp, 1); ++ tty_port_set_initialized(&hp->port, true); ++ } + + /* Force wakeup of the polling thread */ + hvc_kick(); +@@ -376,22 +375,12 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) + + static void hvc_close(struct tty_struct *tty, struct file * filp) + { +- struct hvc_struct *hp; ++ struct hvc_struct *hp = tty->driver_data; + unsigned long flags; + + if (tty_hung_up_p(filp)) + return; + +- /* +- * No driver_data means that this close was issued after a failed +- * hvc_open by the tty layer's release_dev() function and we can just +- * exit cleanly because the kref reference wasn't made. +- */ +- if (!tty->driver_data) +- return; +- +- hp = tty->driver_data; +- + spin_lock_irqsave(&hp->port.lock, flags); + + if (--hp->port.count == 0) { +@@ -399,6 +388,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) + /* We are done with the tty pointer now. */ + tty_port_tty_set(&hp->port, NULL); + ++ if (!tty_port_initialized(&hp->port)) ++ return; ++ + if (C_HUPCL(tty)) + if (hp->ops->dtr_rts) + hp->ops->dtr_rts(hp, 0); +@@ -415,6 +407,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) + * waking periodically to check chars_in_buffer(). + */ + tty_wait_until_sent(tty, HVC_CLOSE_WAIT); ++ tty_port_set_initialized(&hp->port, false); + } else { + if (hp->port.count < 0) + printk(KERN_ERR "hvc_close %X: oops, count is %d\n", +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index b4e7a7317713..d9eba7938917 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -125,7 +125,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ + static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ + static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ + static bool dead_key_next; +-static int npadch = -1; /* -1 or number assembled on pad */ ++ ++/* Handles a number being assembled on the number pad */ ++static bool npadch_active; ++static unsigned int npadch_value; ++ + static unsigned int diacr; + static char rep; /* flag telling character repeat */ + +@@ -815,12 +819,12 @@ static void k_shift(struct vc_data *vc, unsigned char value, char up_flag) + shift_state &= ~(1 << value); + + /* kludge */ +- if (up_flag && shift_state != old_state && npadch != -1) { ++ if (up_flag && shift_state != old_state && npadch_active) { + if (kbd->kbdmode == VC_UNICODE) +- to_utf8(vc, npadch); ++ to_utf8(vc, npadch_value); + else +- put_queue(vc, npadch & 0xff); +- npadch = -1; ++ put_queue(vc, npadch_value & 0xff); ++ npadch_active = false; + } + } + +@@ -838,7 +842,7 @@ static void k_meta(struct vc_data *vc, unsigned char value, char up_flag) + + static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag) + { +- int base; ++ unsigned int base; + + if (up_flag) + return; +@@ -852,10 +856,12 @@ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag) + base = 16; + } + +- if (npadch == -1) +- npadch = value; +- else +- npadch = npadch * base + value; ++ if (!npadch_active) { ++ npadch_value = 0; ++ npadch_active = true; ++ } ++ ++ npadch_value = npadch_value * base + value; + } + + static void k_lock(struct vc_data *vc, unsigned char value, char up_flag) +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index f4bd08cfac11..a631975e050d 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -1069,13 +1069,13 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) + agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc); + if (!agdev->out_ep) { + dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); +- return ret; ++ return -ENODEV; + } + + agdev->in_ep = usb_ep_autoconfig(gadget, &fs_epin_desc); + if (!agdev->in_ep) { + dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); +- return ret; ++ return -ENODEV; + } + + uac2->p_prm.uac2 = uac2; +diff --git a/drivers/usb/musb/musb_debugfs.c b/drivers/usb/musb/musb_debugfs.c +index 534a3f6fa89c..474bb13b7dbb 100644 +--- a/drivers/usb/musb/musb_debugfs.c ++++ b/drivers/usb/musb/musb_debugfs.c +@@ -200,6 +200,11 @@ static ssize_t musb_test_mode_write(struct file *file, + u8 test; + char buf[18]; + ++ memset(buf, 0x00, sizeof(buf)); ++ ++ if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) ++ return -EFAULT; ++ + pm_runtime_get_sync(musb->controller); + test = musb_readb(musb->mregs, MUSB_TESTMODE); + if (test) { +@@ -208,11 +213,6 @@ static ssize_t musb_test_mode_write(struct file *file, + goto ret; + } + +- memset(buf, 0x00, sizeof(buf)); +- +- if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) +- return -EFAULT; +- + if (strstarts(buf, "force host")) + test = MUSB_TEST_FORCE_HOST; + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 737b6652a0b5..326e7109b8f8 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1146,6 +1146,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1031, 0xff), /* Telit LE910C1-EUX */ ++ .driver_info = NCTRL(0) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1033, 0xff), /* Telit LE910C1-EUX (ECM) */ ++ .driver_info = NCTRL(0) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0), + .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1), +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index 06916ddc3159..c59e6d4a8a61 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -177,6 +177,7 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ + {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ + {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ ++ {DEVICE_SWI(0x413c, 0x81cb)}, /* Dell Wireless 5816e QDL */ + {DEVICE_SWI(0x413c, 0x81cc)}, /* Dell Wireless 5816e */ + {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */ + {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */ +diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c +index 93c696e2131f..0fbb34fcbddf 100644 +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -305,6 +305,10 @@ static void usb_wwan_indat_callback(struct urb *urb) + if (status) { + dev_dbg(dev, "%s: nonzero status: %d on endpoint %02x.\n", + __func__, status, endpoint); ++ ++ /* don't resubmit on fatal errors */ ++ if (status == -ESHUTDOWN || status == -ENOENT) ++ return; + } else { + if (urb->actual_length) { + tty_insert_flip_string(&port->port, data, +diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h +index 1abfe37314a0..df841a72b804 100644 +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -572,6 +572,10 @@ struct mips_cdmm_device_id { + /* + * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id. + * Although gcc seems to ignore this error, clang fails without this define. ++ * ++ * Note: The ordering of the struct is different from upstream because the ++ * static initializers in kernels < 5.7 still use C89 style while upstream ++ * has been converted to proper C99 initializers. + */ + #define x86cpu_device_id x86_cpu_id + struct x86_cpu_id { +@@ -580,6 +584,7 @@ struct x86_cpu_id { + __u16 model; + __u16 feature; /* bit index */ + kernel_ulong_t driver_data; ++ __u16 steppings; + }; + + #define X86_FEATURE_MATCH(x) \ +@@ -588,6 +593,7 @@ struct x86_cpu_id { + #define X86_VENDOR_ANY 0xffff + #define X86_FAMILY_ANY 0 + #define X86_MODEL_ANY 0 ++#define X86_STEPPING_ANY 0 + #define X86_FEATURE_ANY 0 /* Same as FPU, you can't test for that */ + + /* +diff --git a/include/uapi/linux/mmc/ioctl.h b/include/uapi/linux/mmc/ioctl.h +index 7e385b83b9d8..fe4b6b69d79a 100644 +--- a/include/uapi/linux/mmc/ioctl.h ++++ b/include/uapi/linux/mmc/ioctl.h +@@ -2,6 +2,7 @@ + #define LINUX_MMC_IOCTL_H + + #include <linux/types.h> ++#include <linux/major.h> + + struct mmc_ioc_cmd { + /* Implies direction of data. true = write, false = read */ +diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c +index 8ddd29476c0d..1fcaa174ed32 100644 +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -604,10 +604,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, + if (ret) + goto out; + +- /* uprobe_write_opcode() assumes we don't cross page boundary */ +- BUG_ON((uprobe->offset & ~PAGE_MASK) + +- UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); +- + smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ + set_bit(UPROBE_COPY_INSN, &uprobe->flags); + +@@ -886,6 +882,13 @@ int uprobe_register(struct inode *inode, loff_t offset, struct uprobe_consumer * + if (offset > i_size_read(inode)) + return -EINVAL; + ++ /* ++ * This ensures that copy_from_page() and copy_to_page() ++ * can't cross page boundary. ++ */ ++ if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) ++ return -EINVAL; ++ + retry: + uprobe = alloc_uprobe(inode, offset); + if (!uprobe) +@@ -1696,6 +1699,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr) + uprobe_opcode_t opcode; + int result; + ++ if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) ++ return -EINVAL; ++ + pagefault_disable(); + result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); + pagefault_enable(); +diff --git a/kernel/relay.c b/kernel/relay.c +index 91e8fbf8aff3..5034cb3a339f 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -578,6 +578,11 @@ struct rchan *relay_open(const char *base_filename, + return NULL; + + chan->buf = alloc_percpu(struct rchan_buf *); ++ if (!chan->buf) { ++ kfree(chan); ++ return NULL; ++ } ++ + chan->version = RELAYFS_CHANNEL_VERSION; + chan->n_subbufs = n_subbufs; + chan->subbuf_size = subbuf_size; +diff --git a/mm/mremap.c b/mm/mremap.c +index 9e6035969d7b..b5d8d25173c6 100644 +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -212,7 +212,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma, + new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr); + if (!new_pmd) + break; +- if (pmd_trans_huge(*old_pmd)) { ++ if (pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) { + if (extent == HPAGE_PMD_SIZE) { + bool moved; + /* See comment in move_ptes() */ +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index af3363f4543f..6f3c52943186 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -262,6 +262,7 @@ static struct in_device *inetdev_init(struct net_device *dev) + err = devinet_sysctl_register(in_dev); + if (err) { + in_dev->dead = 1; ++ neigh_parms_release(&arp_tbl, in_dev->arp_parms); + in_dev_put(in_dev); + in_dev = NULL; + goto out; +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 6a924be66e37..da158a3acac4 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -426,8 +426,10 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) + + sg_init_table(sg, nfrags); + ret = skb_to_sgvec(skb, sg, 0, skb->len); +- if (unlikely(ret < 0)) ++ if (unlikely(ret < 0)) { ++ kfree(tmp); + goto out; ++ } + + aead_request_set_crypt(req, sg, sg, elen + ivlen, iv); + aead_request_set_ad(req, assoclen); +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 36c7f616294a..fdc1de1cb4fa 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1568,6 +1568,8 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + tunnel_id, fd); + goto err; + } ++ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) ++ goto err; + switch (encap) { + case L2TP_ENCAPTYPE_UDP: + if (sk->sk_protocol != IPPROTO_UDP) { +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 4a88c4eb2301..3817c3554641 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -24,7 +24,6 @@ + #include <net/icmp.h> + #include <net/udp.h> + #include <net/inet_common.h> +-#include <net/inet_hashtables.h> + #include <net/tcp_states.h> + #include <net/protocol.h> + #include <net/xfrm.h> +@@ -208,15 +207,31 @@ discard: + return 0; + } + +-static int l2tp_ip_open(struct sock *sk) ++static int l2tp_ip_hash(struct sock *sk) + { +- /* Prevent autobind. We don't have ports. */ +- inet_sk(sk)->inet_num = IPPROTO_L2TP; ++ if (sk_unhashed(sk)) { ++ write_lock_bh(&l2tp_ip_lock); ++ sk_add_node(sk, &l2tp_ip_table); ++ write_unlock_bh(&l2tp_ip_lock); ++ } ++ return 0; ++} + ++static void l2tp_ip_unhash(struct sock *sk) ++{ ++ if (sk_unhashed(sk)) ++ return; + write_lock_bh(&l2tp_ip_lock); +- sk_add_node(sk, &l2tp_ip_table); ++ sk_del_node_init(sk); + write_unlock_bh(&l2tp_ip_lock); ++} ++ ++static int l2tp_ip_open(struct sock *sk) ++{ ++ /* Prevent autobind. We don't have ports. */ ++ inet_sk(sk)->inet_num = IPPROTO_L2TP; + ++ l2tp_ip_hash(sk); + return 0; + } + +@@ -598,8 +613,8 @@ static struct proto l2tp_ip_prot = { + .sendmsg = l2tp_ip_sendmsg, + .recvmsg = l2tp_ip_recvmsg, + .backlog_rcv = l2tp_ip_backlog_recv, +- .hash = inet_hash, +- .unhash = inet_unhash, ++ .hash = l2tp_ip_hash, ++ .unhash = l2tp_ip_unhash, + .obj_size = sizeof(struct l2tp_ip_sock), + #ifdef CONFIG_COMPAT + .compat_setsockopt = compat_ip_setsockopt, +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 28274f397c55..76ef758db112 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -24,8 +24,6 @@ + #include <net/icmp.h> + #include <net/udp.h> + #include <net/inet_common.h> +-#include <net/inet_hashtables.h> +-#include <net/inet6_hashtables.h> + #include <net/tcp_states.h> + #include <net/protocol.h> + #include <net/xfrm.h> +@@ -221,15 +219,31 @@ discard: + return 0; + } + +-static int l2tp_ip6_open(struct sock *sk) ++static int l2tp_ip6_hash(struct sock *sk) + { +- /* Prevent autobind. We don't have ports. */ +- inet_sk(sk)->inet_num = IPPROTO_L2TP; ++ if (sk_unhashed(sk)) { ++ write_lock_bh(&l2tp_ip6_lock); ++ sk_add_node(sk, &l2tp_ip6_table); ++ write_unlock_bh(&l2tp_ip6_lock); ++ } ++ return 0; ++} + ++static void l2tp_ip6_unhash(struct sock *sk) ++{ ++ if (sk_unhashed(sk)) ++ return; + write_lock_bh(&l2tp_ip6_lock); +- sk_add_node(sk, &l2tp_ip6_table); ++ sk_del_node_init(sk); + write_unlock_bh(&l2tp_ip6_lock); ++} ++ ++static int l2tp_ip6_open(struct sock *sk) ++{ ++ /* Prevent autobind. We don't have ports. */ ++ inet_sk(sk)->inet_num = IPPROTO_L2TP; + ++ l2tp_ip6_hash(sk); + return 0; + } + +@@ -732,8 +746,8 @@ static struct proto l2tp_ip6_prot = { + .sendmsg = l2tp_ip6_sendmsg, + .recvmsg = l2tp_ip6_recvmsg, + .backlog_rcv = l2tp_ip6_backlog_recv, +- .hash = inet6_hash, +- .unhash = inet_unhash, ++ .hash = l2tp_ip6_hash, ++ .unhash = l2tp_ip6_unhash, + .obj_size = sizeof(struct l2tp_ip6_sock), + #ifdef CONFIG_COMPAT + .compat_setsockopt = compat_ipv6_setsockopt, +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 18f377306884..d6473b8d9a81 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1296,7 +1296,7 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags) + /* Wait for children sockets to appear; these are the new sockets + * created upon connection establishment. + */ +- timeout = sock_sndtimeo(listener, flags & O_NONBLOCK); ++ timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK); + prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE); + + while ((connected = vsock_dequeue_accept(listener)) == NULL &&
