Magellan Linux

Annotation of /trunk/kernel-alx/patches-4.4/0151-4.4.52-all-fixes.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2887 - (hide annotations) (download)
Mon Mar 27 13:49:24 2017 UTC (7 years, 7 months ago) by niro
File size: 24573 byte(s)
linux-4.4.52
1 niro 2887 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
2     index c360f80c3473..ca64ca566099 100644
3     --- a/Documentation/kernel-parameters.txt
4     +++ b/Documentation/kernel-parameters.txt
5     @@ -1255,6 +1255,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
6     When zero, profiling data is discarded and associated
7     debugfs files are removed at module unload time.
8    
9     + goldfish [X86] Enable the goldfish android emulator platform.
10     + Don't use this when you are not running on the
11     + android emulator
12     +
13     gpt [EFI] Forces disk with valid GPT signature but
14     invalid Protective MBR to be treated as GPT. If the
15     primary GPT is corrupted, it enables the backup/alternate
16     diff --git a/Makefile b/Makefile
17     index 117357188f01..671e183bd507 100644
18     --- a/Makefile
19     +++ b/Makefile
20     @@ -1,6 +1,6 @@
21     VERSION = 4
22     PATCHLEVEL = 4
23     -SUBLEVEL = 51
24     +SUBLEVEL = 52
25     EXTRAVERSION =
26     NAME = Blurry Fish Butt
27    
28     diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
29     index bb620df05d0d..64f60a48def1 100644
30     --- a/arch/x86/kvm/vmx.c
31     +++ b/arch/x86/kvm/vmx.c
32     @@ -4867,6 +4867,12 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
33     if (vmx_xsaves_supported())
34     vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP);
35    
36     + if (enable_pml) {
37     + ASSERT(vmx->pml_pg);
38     + vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
39     + vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
40     + }
41     +
42     return 0;
43     }
44    
45     @@ -7839,22 +7845,6 @@ static void vmx_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
46     *info2 = vmcs_read32(VM_EXIT_INTR_INFO);
47     }
48    
49     -static int vmx_create_pml_buffer(struct vcpu_vmx *vmx)
50     -{
51     - struct page *pml_pg;
52     -
53     - pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO);
54     - if (!pml_pg)
55     - return -ENOMEM;
56     -
57     - vmx->pml_pg = pml_pg;
58     -
59     - vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
60     - vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
61     -
62     - return 0;
63     -}
64     -
65     static void vmx_destroy_pml_buffer(struct vcpu_vmx *vmx)
66     {
67     if (vmx->pml_pg) {
68     @@ -8789,14 +8779,26 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
69     if (err)
70     goto free_vcpu;
71    
72     + err = -ENOMEM;
73     +
74     + /*
75     + * If PML is turned on, failure on enabling PML just results in failure
76     + * of creating the vcpu, therefore we can simplify PML logic (by
77     + * avoiding dealing with cases, such as enabling PML partially on vcpus
78     + * for the guest, etc.
79     + */
80     + if (enable_pml) {
81     + vmx->pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO);
82     + if (!vmx->pml_pg)
83     + goto uninit_vcpu;
84     + }
85     +
86     vmx->guest_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL);
87     BUILD_BUG_ON(ARRAY_SIZE(vmx_msr_index) * sizeof(vmx->guest_msrs[0])
88     > PAGE_SIZE);
89    
90     - err = -ENOMEM;
91     - if (!vmx->guest_msrs) {
92     - goto uninit_vcpu;
93     - }
94     + if (!vmx->guest_msrs)
95     + goto free_pml;
96    
97     vmx->loaded_vmcs = &vmx->vmcs01;
98     vmx->loaded_vmcs->vmcs = alloc_vmcs();
99     @@ -8840,18 +8842,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
100     vmx->nested.current_vmptr = -1ull;
101     vmx->nested.current_vmcs12 = NULL;
102    
103     - /*
104     - * If PML is turned on, failure on enabling PML just results in failure
105     - * of creating the vcpu, therefore we can simplify PML logic (by
106     - * avoiding dealing with cases, such as enabling PML partially on vcpus
107     - * for the guest, etc.
108     - */
109     - if (enable_pml) {
110     - err = vmx_create_pml_buffer(vmx);
111     - if (err)
112     - goto free_vmcs;
113     - }
114     -
115     return &vmx->vcpu;
116    
117     free_vmcs:
118     @@ -8859,6 +8849,8 @@ free_vmcs:
119     free_loaded_vmcs(vmx->loaded_vmcs);
120     free_msrs:
121     kfree(vmx->guest_msrs);
122     +free_pml:
123     + vmx_destroy_pml_buffer(vmx);
124     uninit_vcpu:
125     kvm_vcpu_uninit(&vmx->vcpu);
126     free_vcpu:
127     diff --git a/arch/x86/platform/goldfish/goldfish.c b/arch/x86/platform/goldfish/goldfish.c
128     index 1693107a518e..0d17c0aafeb1 100644
129     --- a/arch/x86/platform/goldfish/goldfish.c
130     +++ b/arch/x86/platform/goldfish/goldfish.c
131     @@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus_resources[] = {
132     }
133     };
134    
135     +static bool goldfish_enable __initdata;
136     +
137     +static int __init goldfish_setup(char *str)
138     +{
139     + goldfish_enable = true;
140     + return 0;
141     +}
142     +__setup("goldfish", goldfish_setup);
143     +
144     static int __init goldfish_init(void)
145     {
146     + if (!goldfish_enable)
147     + return -ENODEV;
148     +
149     platform_device_register_simple("goldfish_pdev_bus", -1,
150     - goldfish_pdev_bus_resources, 2);
151     + goldfish_pdev_bus_resources, 2);
152     return 0;
153     }
154     device_initcall(goldfish_init);
155     diff --git a/block/blk-mq.c b/block/blk-mq.c
156     index 6cfc6b200366..d8d63c38bf29 100644
157     --- a/block/blk-mq.c
158     +++ b/block/blk-mq.c
159     @@ -1259,12 +1259,9 @@ static blk_qc_t blk_mq_make_request(struct request_queue *q, struct bio *bio)
160    
161     blk_queue_split(q, &bio, q->bio_split);
162    
163     - if (!is_flush_fua && !blk_queue_nomerges(q)) {
164     - if (blk_attempt_plug_merge(q, bio, &request_count,
165     - &same_queue_rq))
166     - return BLK_QC_T_NONE;
167     - } else
168     - request_count = blk_plug_queued_count(q);
169     + if (!is_flush_fua && !blk_queue_nomerges(q) &&
170     + blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq))
171     + return BLK_QC_T_NONE;
172    
173     rq = blk_mq_map_request(q, bio, &data);
174     if (unlikely(!rq))
175     @@ -1355,9 +1352,11 @@ static blk_qc_t blk_sq_make_request(struct request_queue *q, struct bio *bio)
176    
177     blk_queue_split(q, &bio, q->bio_split);
178    
179     - if (!is_flush_fua && !blk_queue_nomerges(q) &&
180     - blk_attempt_plug_merge(q, bio, &request_count, NULL))
181     - return BLK_QC_T_NONE;
182     + if (!is_flush_fua && !blk_queue_nomerges(q)) {
183     + if (blk_attempt_plug_merge(q, bio, &request_count, NULL))
184     + return BLK_QC_T_NONE;
185     + } else
186     + request_count = blk_plug_queued_count(q);
187    
188     rq = blk_mq_map_request(q, bio, &data);
189     if (unlikely(!rq))
190     diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
191     index aac1ed3f7bb4..ad8390d2997b 100644
192     --- a/drivers/net/wireless/realtek/rtlwifi/usb.c
193     +++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
194     @@ -834,12 +834,30 @@ static void rtl_usb_stop(struct ieee80211_hw *hw)
195     struct rtl_priv *rtlpriv = rtl_priv(hw);
196     struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
197     struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
198     + struct urb *urb;
199    
200     /* should after adapter start and interrupt enable. */
201     set_hal_stop(rtlhal);
202     cancel_work_sync(&rtlpriv->works.fill_h2c_cmd);
203     /* Enable software */
204     SET_USB_STOP(rtlusb);
205     +
206     + /* free pre-allocated URBs from rtl_usb_start() */
207     + usb_kill_anchored_urbs(&rtlusb->rx_submitted);
208     +
209     + tasklet_kill(&rtlusb->rx_work_tasklet);
210     + cancel_work_sync(&rtlpriv->works.lps_change_work);
211     +
212     + flush_workqueue(rtlpriv->works.rtl_wq);
213     +
214     + skb_queue_purge(&rtlusb->rx_queue);
215     +
216     + while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
217     + usb_free_coherent(urb->dev, urb->transfer_buffer_length,
218     + urb->transfer_buffer, urb->transfer_dma);
219     + usb_free_urb(urb);
220     + }
221     +
222     rtlpriv->cfg->ops->hw_disable(hw);
223     }
224    
225     @@ -1073,6 +1091,7 @@ int rtl_usb_probe(struct usb_interface *intf,
226     return -ENOMEM;
227     }
228     rtlpriv = hw->priv;
229     + rtlpriv->hw = hw;
230     rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32),
231     GFP_KERNEL);
232     if (!rtlpriv->usb_data)
233     diff --git a/drivers/platform/goldfish/pdev_bus.c b/drivers/platform/goldfish/pdev_bus.c
234     index 1f52462f4cdd..dd9ea463c2a4 100644
235     --- a/drivers/platform/goldfish/pdev_bus.c
236     +++ b/drivers/platform/goldfish/pdev_bus.c
237     @@ -157,23 +157,26 @@ static int goldfish_new_pdev(void)
238     static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id)
239     {
240     irqreturn_t ret = IRQ_NONE;
241     +
242     while (1) {
243     u32 op = readl(pdev_bus_base + PDEV_BUS_OP);
244     - switch (op) {
245     - case PDEV_BUS_OP_DONE:
246     - return IRQ_NONE;
247    
248     + switch (op) {
249     case PDEV_BUS_OP_REMOVE_DEV:
250     goldfish_pdev_remove();
251     + ret = IRQ_HANDLED;
252     break;
253    
254     case PDEV_BUS_OP_ADD_DEV:
255     goldfish_new_pdev();
256     + ret = IRQ_HANDLED;
257     break;
258     +
259     + case PDEV_BUS_OP_DONE:
260     + default:
261     + return ret;
262     }
263     - ret = IRQ_HANDLED;
264     }
265     - return ret;
266     }
267    
268     static int goldfish_pdev_bus_probe(struct platform_device *pdev)
269     diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
270     index 5836751b8203..9bb934ed2a7a 100644
271     --- a/drivers/rtc/interface.c
272     +++ b/drivers/rtc/interface.c
273     @@ -748,9 +748,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq);
274     */
275     static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
276     {
277     + struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue);
278     + struct rtc_time tm;
279     + ktime_t now;
280     +
281     timer->enabled = 1;
282     + __rtc_read_time(rtc, &tm);
283     + now = rtc_tm_to_ktime(tm);
284     +
285     + /* Skip over expired timers */
286     + while (next) {
287     + if (next->expires.tv64 >= now.tv64)
288     + break;
289     + next = timerqueue_iterate_next(next);
290     + }
291     +
292     timerqueue_add(&rtc->timerqueue, &timer->node);
293     - if (&timer->node == timerqueue_getnext(&rtc->timerqueue)) {
294     + if (!next) {
295     struct rtc_wkalrm alarm;
296     int err;
297     alarm.time = rtc_ktime_to_tm(timer->node.expires);
298     diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
299     index e1de4944e0ce..8c4707d5778e 100644
300     --- a/drivers/tty/serial/msm_serial.c
301     +++ b/drivers/tty/serial/msm_serial.c
302     @@ -1615,6 +1615,7 @@ static const struct of_device_id msm_match_table[] = {
303     { .compatible = "qcom,msm-uartdm" },
304     {}
305     };
306     +MODULE_DEVICE_TABLE(of, msm_match_table);
307    
308     static struct platform_driver msm_platform_driver = {
309     .remove = msm_serial_remove,
310     diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
311     index 5a048b7b92e8..2949289bb3c5 100644
312     --- a/drivers/usb/chipidea/ci_hdrc_imx.c
313     +++ b/drivers/usb/chipidea/ci_hdrc_imx.c
314     @@ -244,7 +244,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
315     struct ci_hdrc_platform_data pdata = {
316     .name = dev_name(&pdev->dev),
317     .capoffset = DEF_CAPOFFSET,
318     - .flags = CI_HDRC_SET_NON_ZERO_TTHA,
319     };
320     int ret;
321     const struct of_device_id *of_id;
322     diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c
323     index 1532cde8a437..7812052dc700 100644
324     --- a/drivers/usb/serial/ark3116.c
325     +++ b/drivers/usb/serial/ark3116.c
326     @@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_serial *serial,
327     usb_rcvctrlpipe(serial->dev, 0),
328     0xfe, 0xc0, 0, reg,
329     buf, 1, ARK_TIMEOUT);
330     - if (result < 0)
331     + if (result < 1) {
332     + dev_err(&serial->interface->dev,
333     + "failed to read register %u: %d\n",
334     + reg, result);
335     + if (result >= 0)
336     + result = -EIO;
337     +
338     return result;
339     - else
340     - return buf[0];
341     + }
342     +
343     + return buf[0];
344     }
345    
346     static inline int calc_divisor(int bps)
347     diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
348     index fe7452f0f38a..33cec50978b8 100644
349     --- a/drivers/usb/serial/cp210x.c
350     +++ b/drivers/usb/serial/cp210x.c
351     @@ -171,6 +171,8 @@ static const struct usb_device_id id_table[] = {
352     { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
353     { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
354     { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
355     + { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */
356     + { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */
357     { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
358     { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
359     { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
360     diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
361     index d3d6ec455151..19a98116c2ab 100644
362     --- a/drivers/usb/serial/ftdi_sio.c
363     +++ b/drivers/usb/serial/ftdi_sio.c
364     @@ -1807,8 +1807,6 @@ static int ftdi_sio_port_probe(struct usb_serial_port *port)
365    
366     mutex_init(&priv->cfg_lock);
367    
368     - priv->flags = ASYNC_LOW_LATENCY;
369     -
370     if (quirk && quirk->port_probe)
371     quirk->port_probe(priv);
372    
373     @@ -2072,6 +2070,20 @@ static int ftdi_process_packet(struct usb_serial_port *port,
374     priv->prev_status = status;
375     }
376    
377     + /* save if the transmitter is empty or not */
378     + if (packet[1] & FTDI_RS_TEMT)
379     + priv->transmit_empty = 1;
380     + else
381     + priv->transmit_empty = 0;
382     +
383     + len -= 2;
384     + if (!len)
385     + return 0; /* status only */
386     +
387     + /*
388     + * Break and error status must only be processed for packets with
389     + * data payload to avoid over-reporting.
390     + */
391     flag = TTY_NORMAL;
392     if (packet[1] & FTDI_RS_ERR_MASK) {
393     /* Break takes precedence over parity, which takes precedence
394     @@ -2094,15 +2106,6 @@ static int ftdi_process_packet(struct usb_serial_port *port,
395     }
396     }
397    
398     - /* save if the transmitter is empty or not */
399     - if (packet[1] & FTDI_RS_TEMT)
400     - priv->transmit_empty = 1;
401     - else
402     - priv->transmit_empty = 0;
403     -
404     - len -= 2;
405     - if (!len)
406     - return 0; /* status only */
407     port->icount.rx += len;
408     ch = packet + 2;
409    
410     @@ -2433,8 +2436,12 @@ static int ftdi_get_modem_status(struct usb_serial_port *port,
411     FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE,
412     0, priv->interface,
413     buf, len, WDR_TIMEOUT);
414     - if (ret < 0) {
415     +
416     + /* NOTE: We allow short responses and handle that below. */
417     + if (ret < 1) {
418     dev_err(&port->dev, "failed to get modem status: %d\n", ret);
419     + if (ret >= 0)
420     + ret = -EIO;
421     ret = usb_translate_errors(ret);
422     goto out;
423     }
424     diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
425     index 97ea52b5cfd4..d17685cc00c9 100644
426     --- a/drivers/usb/serial/mos7840.c
427     +++ b/drivers/usb/serial/mos7840.c
428     @@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
429     * (can't set it up in mos7840_startup as the structures *
430     * were not set up at that time.) */
431     if (port0->open_ports == 1) {
432     + /* FIXME: Buffer never NULL, so URB is not submitted. */
433     if (serial->port[0]->interrupt_in_buffer == NULL) {
434     /* set up interrupt urb */
435     usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
436     @@ -2119,7 +2120,8 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
437     static int mos7840_attach(struct usb_serial *serial)
438     {
439     if (serial->num_bulk_in < serial->num_ports ||
440     - serial->num_bulk_out < serial->num_ports) {
441     + serial->num_bulk_out < serial->num_ports ||
442     + serial->num_interrupt_in < 1) {
443     dev_err(&serial->interface->dev, "missing endpoints\n");
444     return -ENODEV;
445     }
446     diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
447     index 4b7bfb394a32..64bf258e7e00 100644
448     --- a/drivers/usb/serial/opticon.c
449     +++ b/drivers/usb/serial/opticon.c
450     @@ -142,7 +142,7 @@ static int opticon_open(struct tty_struct *tty, struct usb_serial_port *port)
451     usb_clear_halt(port->serial->dev, port->read_urb->pipe);
452    
453     res = usb_serial_generic_open(tty, port);
454     - if (!res)
455     + if (res)
456     return res;
457    
458     /* Request CTS line state, sometimes during opening the current
459     diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
460     index 475e6c31b266..ddfd787c461c 100644
461     --- a/drivers/usb/serial/spcp8x5.c
462     +++ b/drivers/usb/serial/spcp8x5.c
463     @@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_serial_port *port, u8 *status)
464     ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
465     GET_UART_STATUS, GET_UART_STATUS_TYPE,
466     0, GET_UART_STATUS_MSR, buf, 1, 100);
467     - if (ret < 0)
468     + if (ret < 1) {
469     dev_err(&port->dev, "failed to get modem status: %d\n", ret);
470     + if (ret >= 0)
471     + ret = -EIO;
472     + goto out;
473     + }
474    
475     dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf);
476     *status = *buf;
477     + ret = 0;
478     +out:
479     kfree(buf);
480    
481     return ret;
482     diff --git a/mm/backing-dev.c b/mm/backing-dev.c
483     index 9ef80bf441b3..a988d4ef39da 100644
484     --- a/mm/backing-dev.c
485     +++ b/mm/backing-dev.c
486     @@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_dev_info *bdi)
487     if (!bdi->wb_congested)
488     return -ENOMEM;
489    
490     + atomic_set(&bdi->wb_congested->refcnt, 1);
491     +
492     err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
493     if (err) {
494     - kfree(bdi->wb_congested);
495     + wb_congested_put(bdi->wb_congested);
496     return err;
497     }
498     return 0;
499     }
500    
501     -static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
502     +static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
503     +{
504     + wb_congested_put(bdi->wb_congested);
505     +}
506    
507     #endif /* CONFIG_CGROUP_WRITEBACK */
508    
509     diff --git a/net/dccp/input.c b/net/dccp/input.c
510     index 3bd14e885396..dbe2573f6ba1 100644
511     --- a/net/dccp/input.c
512     +++ b/net/dccp/input.c
513     @@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
514     if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
515     skb) < 0)
516     return 1;
517     - goto discard;
518     + consume_skb(skb);
519     + return 0;
520     }
521     if (dh->dccph_type == DCCP_PKT_RESET)
522     goto discard;
523     diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
524     index bc14c5bb124b..f300d1cbfa91 100644
525     --- a/net/ipv4/ip_sockglue.c
526     +++ b/net/ipv4/ip_sockglue.c
527     @@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
528     if (skb->ip_summed != CHECKSUM_COMPLETE)
529     return;
530    
531     - if (offset != 0)
532     - csum = csum_sub(csum,
533     - csum_partial(skb->data + tlen,
534     - offset, 0));
535     + if (offset != 0) {
536     + int tend_off = skb_transport_offset(skb) + tlen;
537     + csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
538     + }
539    
540     put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
541     }
542     diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
543     index acbe61c7e683..160dc89335e2 100644
544     --- a/net/irda/irqueue.c
545     +++ b/net/irda/irqueue.c
546     @@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
547     * for deallocating this structure if it's complex. If not the user can
548     * just supply kfree, which should take care of the job.
549     */
550     -#ifdef CONFIG_LOCKDEP
551     -static int hashbin_lock_depth = 0;
552     -#endif
553     int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
554     {
555     irda_queue_t* queue;
556     @@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
557     IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
558    
559     /* Synchronize */
560     - if ( hashbin->hb_type & HB_LOCK ) {
561     - spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
562     - hashbin_lock_depth++);
563     - }
564     + if (hashbin->hb_type & HB_LOCK)
565     + spin_lock_irqsave(&hashbin->hb_spinlock, flags);
566    
567     /*
568     * Free the entries in the hashbin, TODO: use hashbin_clear when
569     * it has been shown to work
570     */
571     for (i = 0; i < HASHBIN_SIZE; i ++ ) {
572     - queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
573     - while (queue ) {
574     - if (free_func)
575     - (*free_func)(queue);
576     - queue = dequeue_first(
577     - (irda_queue_t**) &hashbin->hb_queue[i]);
578     + while (1) {
579     + queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
580     +
581     + if (!queue)
582     + break;
583     +
584     + if (free_func) {
585     + if (hashbin->hb_type & HB_LOCK)
586     + spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
587     + free_func(queue);
588     + if (hashbin->hb_type & HB_LOCK)
589     + spin_lock_irqsave(&hashbin->hb_spinlock, flags);
590     + }
591     }
592     }
593    
594     @@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
595     hashbin->magic = ~HB_MAGIC;
596    
597     /* Release lock */
598     - if ( hashbin->hb_type & HB_LOCK) {
599     + if (hashbin->hb_type & HB_LOCK)
600     spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
601     -#ifdef CONFIG_LOCKDEP
602     - hashbin_lock_depth--;
603     -#endif
604     - }
605    
606     /*
607     * Free the hashbin structure
608     diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
609     index 3e821daf9dd4..8bc5a1bd2d45 100644
610     --- a/net/llc/llc_conn.c
611     +++ b/net/llc/llc_conn.c
612     @@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
613     * another trick required to cope with how the PROCOM state
614     * machine works. -acme
615     */
616     + skb_orphan(skb);
617     + sock_hold(sk);
618     skb->sk = sk;
619     + skb->destructor = sock_efree;
620     }
621     if (!sock_owned_by_user(sk))
622     llc_conn_rcv(sk, skb);
623     diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
624     index d0e1e804ebd7..5404d0d195cc 100644
625     --- a/net/llc/llc_sap.c
626     +++ b/net/llc/llc_sap.c
627     @@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
628    
629     ev->type = LLC_SAP_EV_TYPE_PDU;
630     ev->reason = 0;
631     + skb_orphan(skb);
632     + sock_hold(sk);
633     skb->sk = sk;
634     + skb->destructor = sock_efree;
635     llc_sap_state_process(sap, skb);
636     }
637    
638     diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
639     index f2d28ed74a0a..d805cd577a60 100644
640     --- a/net/packet/af_packet.c
641     +++ b/net/packet/af_packet.c
642     @@ -1497,6 +1497,8 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po)
643     f->arr[f->num_members] = sk;
644     smp_wmb();
645     f->num_members++;
646     + if (f->num_members == 1)
647     + dev_add_pack(&f->prot_hook);
648     spin_unlock(&f->lock);
649     }
650    
651     @@ -1513,6 +1515,8 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
652     BUG_ON(i >= f->num_members);
653     f->arr[i] = f->arr[f->num_members - 1];
654     f->num_members--;
655     + if (f->num_members == 0)
656     + __dev_remove_pack(&f->prot_hook);
657     spin_unlock(&f->lock);
658     }
659    
660     @@ -1623,6 +1627,7 @@ static void fanout_release_data(struct packet_fanout *f)
661    
662     static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
663     {
664     + struct packet_rollover *rollover = NULL;
665     struct packet_sock *po = pkt_sk(sk);
666     struct packet_fanout *f, *match;
667     u8 type = type_flags & 0xff;
668     @@ -1645,23 +1650,28 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
669     return -EINVAL;
670     }
671    
672     + mutex_lock(&fanout_mutex);
673     +
674     + err = -EINVAL;
675     if (!po->running)
676     - return -EINVAL;
677     + goto out;
678    
679     + err = -EALREADY;
680     if (po->fanout)
681     - return -EALREADY;
682     + goto out;
683    
684     if (type == PACKET_FANOUT_ROLLOVER ||
685     (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) {
686     - po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL);
687     - if (!po->rollover)
688     - return -ENOMEM;
689     - atomic_long_set(&po->rollover->num, 0);
690     - atomic_long_set(&po->rollover->num_huge, 0);
691     - atomic_long_set(&po->rollover->num_failed, 0);
692     + err = -ENOMEM;
693     + rollover = kzalloc(sizeof(*rollover), GFP_KERNEL);
694     + if (!rollover)
695     + goto out;
696     + atomic_long_set(&rollover->num, 0);
697     + atomic_long_set(&rollover->num_huge, 0);
698     + atomic_long_set(&rollover->num_failed, 0);
699     + po->rollover = rollover;
700     }
701    
702     - mutex_lock(&fanout_mutex);
703     match = NULL;
704     list_for_each_entry(f, &fanout_list, list) {
705     if (f->id == id &&
706     @@ -1691,7 +1701,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
707     match->prot_hook.func = packet_rcv_fanout;
708     match->prot_hook.af_packet_priv = match;
709     match->prot_hook.id_match = match_fanout_group;
710     - dev_add_pack(&match->prot_hook);
711     list_add(&match->list, &fanout_list);
712     }
713     err = -EINVAL;
714     @@ -1708,36 +1717,40 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
715     }
716     }
717     out:
718     - mutex_unlock(&fanout_mutex);
719     - if (err) {
720     - kfree(po->rollover);
721     + if (err && rollover) {
722     + kfree(rollover);
723     po->rollover = NULL;
724     }
725     + mutex_unlock(&fanout_mutex);
726     return err;
727     }
728    
729     -static void fanout_release(struct sock *sk)
730     +/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes
731     + * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout.
732     + * It is the responsibility of the caller to call fanout_release_data() and
733     + * free the returned packet_fanout (after synchronize_net())
734     + */
735     +static struct packet_fanout *fanout_release(struct sock *sk)
736     {
737     struct packet_sock *po = pkt_sk(sk);
738     struct packet_fanout *f;
739    
740     + mutex_lock(&fanout_mutex);
741     f = po->fanout;
742     - if (!f)
743     - return;
744     + if (f) {
745     + po->fanout = NULL;
746    
747     - mutex_lock(&fanout_mutex);
748     - po->fanout = NULL;
749     + if (atomic_dec_and_test(&f->sk_ref))
750     + list_del(&f->list);
751     + else
752     + f = NULL;
753    
754     - if (atomic_dec_and_test(&f->sk_ref)) {
755     - list_del(&f->list);
756     - dev_remove_pack(&f->prot_hook);
757     - fanout_release_data(f);
758     - kfree(f);
759     + if (po->rollover)
760     + kfree_rcu(po->rollover, rcu);
761     }
762     mutex_unlock(&fanout_mutex);
763    
764     - if (po->rollover)
765     - kfree_rcu(po->rollover, rcu);
766     + return f;
767     }
768    
769     static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
770     @@ -2846,6 +2859,7 @@ static int packet_release(struct socket *sock)
771     {
772     struct sock *sk = sock->sk;
773     struct packet_sock *po;
774     + struct packet_fanout *f;
775     struct net *net;
776     union tpacket_req_u req_u;
777    
778     @@ -2885,9 +2899,14 @@ static int packet_release(struct socket *sock)
779     packet_set_ring(sk, &req_u, 1, 1);
780     }
781    
782     - fanout_release(sk);
783     + f = fanout_release(sk);
784    
785     synchronize_net();
786     +
787     + if (f) {
788     + fanout_release_data(f);
789     + kfree(f);
790     + }
791     /*
792     * Now the socket is dead. No more input will appear.
793     */
794     @@ -3861,7 +3880,6 @@ static int packet_notifier(struct notifier_block *this,
795     }
796     if (msg == NETDEV_UNREGISTER) {
797     packet_cached_dev_reset(po);
798     - fanout_release(sk);
799     po->ifindex = -1;
800     if (po->prot_hook.dev)
801     dev_put(po->prot_hook.dev);
802     diff --git a/net/socket.c b/net/socket.c
803     index 0090225eeb1e..fbfa9d2492cf 100644
804     --- a/net/socket.c
805     +++ b/net/socket.c
806     @@ -2185,8 +2185,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
807     return err;
808    
809     err = sock_error(sock->sk);
810     - if (err)
811     + if (err) {
812     + datagrams = err;
813     goto out_put;
814     + }
815    
816     entry = mmsg;
817     compat_entry = (struct compat_mmsghdr __user *)mmsg;