commit:     220df3b30d95895bd6092700c754329cfc0f45f1
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Sun Apr  8 14:26:21 2018 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Sun Apr  8 14:26:21 2018 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=220df3b3

Linux patch 4.9.93

 0000_README             |    4 +
 1092_linux-4.9.93.patch | 3737 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 3741 insertions(+)

diff --git a/0000_README b/0000_README
index 7083c5f..3036eb1 100644
--- a/0000_README
+++ b/0000_README
@@ -411,6 +411,10 @@ Patch:  1091_linux-4.9.92.patch
 From:   http://www.kernel.org
 Desc:   Linux 4.9.92
 
+Patch:  1092_linux-4.9.93.patch
+From:   http://www.kernel.org
+Desc:   Linux 4.9.93
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1092_linux-4.9.93.patch b/1092_linux-4.9.93.patch
new file mode 100644
index 0000000..4092fd9
--- /dev/null
+++ b/1092_linux-4.9.93.patch
@@ -0,0 +1,3737 @@
+diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt 
b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
+index caf297bee1fb..c28d4eb83b76 100644
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
+@@ -35,6 +35,15 @@ Optional properties:
+ - ti,palmas-enable-dvfs2: Enable DVFS2. Configure pins for DVFS2 mode.
+       Selection primary or secondary function associated to GPADC_START
+       and SYSEN2 pin/pad for DVFS2 interface
++- ti,palmas-override-powerhold: This is applicable for PMICs for which
++      GPIO7 is configured in POWERHOLD mode which has higher priority
++      over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON
++      bit is turned off. This property enables driver to over ride the
++      POWERHOLD value to GPIO7 so as to turn off the PMIC in power off
++      scenarios. So for GPIO7 if ti,palmas-override-powerhold is set
++      then the GPIO_7 field should never be muxed to anything else.
++      It should be set to POWERHOLD by default and only in case of
++      power off scenarios the driver will over ride the mux value.
+ 
+ This binding uses the following generic properties as defined in
+ pinctrl-bindings.txt:
+diff --git a/Makefile b/Makefile
+index 3ab3b8203bf6..f5cf4159fc20 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 9
+-SUBLEVEL = 92
++SUBLEVEL = 93
+ EXTRAVERSION =
+ NAME = Roaring Lionus
+ 
+diff --git a/arch/arm/boot/dts/am335x-pepper.dts 
b/arch/arm/boot/dts/am335x-pepper.dts
+index 42b62f54e4b7..30e2f8770aaf 100644
+--- a/arch/arm/boot/dts/am335x-pepper.dts
++++ b/arch/arm/boot/dts/am335x-pepper.dts
+@@ -139,7 +139,7 @@
+ &audio_codec {
+       status = "okay";
+ 
+-      reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>;
++      gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>;
+       AVDD-supply = <&ldo3_reg>;
+       IOVDD-supply = <&ldo3_reg>;
+       DRVDD-supply = <&ldo3_reg>;
+diff --git a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi 
b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi
+index 6df7829a2c15..78bee26361f1 100644
+--- a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi
++++ b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi
+@@ -204,6 +204,7 @@
+               interrupt-controller;
+ 
+               ti,system-power-controller;
++              ti,palmas-override-powerhold;
+ 
+               tps659038_pmic {
+                       compatible = "ti,tps659038-pmic";
+diff --git a/arch/arm/boot/dts/am57xx-idk-common.dtsi 
b/arch/arm/boot/dts/am57xx-idk-common.dtsi
+index db858fff4e18..1cc62727e43a 100644
+--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi
++++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi
+@@ -57,6 +57,7 @@
+               #interrupt-cells = <2>;
+               interrupt-controller;
+               ti,system-power-controller;
++              ti,palmas-override-powerhold;
+ 
+               tps659038_pmic {
+                       compatible = "ti,tps659038-pmic";
+diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts
+index 132f2be10889..56311fd34f81 100644
+--- a/arch/arm/boot/dts/dra7-evm.dts
++++ b/arch/arm/boot/dts/dra7-evm.dts
+@@ -398,6 +398,8 @@
+       tps659038: tps659038@58 {
+               compatible = "ti,tps659038";
+               reg = <0x58>;
++              ti,palmas-override-powerhold;
++              ti,system-power-controller;
+ 
+               tps659038_pmic {
+                       compatible = "ti,tps659038-pmic";
+diff --git a/arch/arm/boot/dts/omap3-n900.dts 
b/arch/arm/boot/dts/omap3-n900.dts
+index 6003b29c0fc0..4d448f145ed1 100644
+--- a/arch/arm/boot/dts/omap3-n900.dts
++++ b/arch/arm/boot/dts/omap3-n900.dts
+@@ -510,7 +510,7 @@
+       tlv320aic3x: tlv320aic3x@18 {
+               compatible = "ti,tlv320aic3x";
+               reg = <0x18>;
+-              reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
++              gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
+               ai3x-gpio-func = <
+                       0 /* AIC3X_GPIO1_FUNC_DISABLED */
+                       5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
+@@ -527,7 +527,7 @@
+       tlv320aic3x_aux: tlv320aic3x@19 {
+               compatible = "ti,tlv320aic3x";
+               reg = <0x19>;
+-              reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
++              gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
+ 
+               AVDD-supply = <&vmmc2>;
+               DRVDD-supply = <&vmmc2>;
+diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c
+index da0b33deba6d..5629d7580973 100644
+--- a/arch/arm/vfp/vfpmodule.c
++++ b/arch/arm/vfp/vfpmodule.c
+@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user_vfp __user *ufp,
+  */
+ static int vfp_dying_cpu(unsigned int cpu)
+ {
+-      vfp_force_reload(cpu, current_thread_info());
++      vfp_current_hw_state[cpu] = NULL;
+       return 0;
+ }
+ 
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 7769c2e27788..c8471cf46cbb 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -733,6 +733,18 @@ config FORCE_MAX_ZONEORDER
+         However for 4K, we choose a higher default value, 11 as opposed to 
10, giving us
+         4M allocations matching the default size used by generic code.
+ 
++config UNMAP_KERNEL_AT_EL0
++      bool "Unmap kernel when running in userspace (aka \"KAISER\")" if EXPERT
++      default y
++      help
++        Speculation attacks against some high-performance processors can
++        be used to bypass MMU permission checks and leak kernel data to
++        userspace. This can be defended against by unmapping the kernel
++        when running in userspace, mapping it back in on exception entry
++        via a trampoline page in the vector table.
++
++        If unsure, say Y.
++
+ menuconfig ARMV8_DEPRECATED
+       bool "Emulate deprecated/obsolete ARMv8 instructions"
+       depends on COMPAT
+diff --git a/arch/arm64/include/asm/assembler.h 
b/arch/arm64/include/asm/assembler.h
+index 851290d2bfe3..7193bf97b8da 100644
+--- a/arch/arm64/include/asm/assembler.h
++++ b/arch/arm64/include/asm/assembler.h
+@@ -413,4 +413,7 @@ alternative_endif
+       movk    \reg, :abs_g0_nc:\val
+       .endm
+ 
++      .macro  pte_to_phys, phys, pte
++      and     \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT)
++      .endm
+ #endif        /* __ASM_ASSEMBLER_H */
+diff --git a/arch/arm64/include/asm/cpucaps.h 
b/arch/arm64/include/asm/cpucaps.h
+index 87b446535185..7ddf233f05bd 100644
+--- a/arch/arm64/include/asm/cpucaps.h
++++ b/arch/arm64/include/asm/cpucaps.h
+@@ -34,7 +34,8 @@
+ #define ARM64_HAS_32BIT_EL0                   13
+ #define ARM64_HYP_OFFSET_LOW                  14
+ #define ARM64_MISMATCHED_CACHE_LINE_SIZE      15
++#define ARM64_UNMAP_KERNEL_AT_EL0             16
+ 
+-#define ARM64_NCAPS                           16
++#define ARM64_NCAPS                           17
+ 
+ #endif /* __ASM_CPUCAPS_H */
+diff --git a/arch/arm64/include/asm/cputype.h 
b/arch/arm64/include/asm/cputype.h
+index 26a68ddb11c1..1d47930c30dc 100644
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -81,6 +81,7 @@
+ 
+ #define CAVIUM_CPU_PART_THUNDERX      0x0A1
+ #define CAVIUM_CPU_PART_THUNDERX_81XX 0x0A2
++#define CAVIUM_CPU_PART_THUNDERX2     0x0AF
+ 
+ #define BRCM_CPU_PART_VULCAN          0x516
+ 
+@@ -88,6 +89,8 @@
+ #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, 
ARM_CPU_PART_CORTEX_A57)
+ #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, 
CAVIUM_CPU_PART_THUNDERX)
+ #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, 
CAVIUM_CPU_PART_THUNDERX_81XX)
++#define MIDR_CAVIUM_THUNDERX2 MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, 
CAVIUM_CPU_PART_THUNDERX2)
++#define MIDR_BRCM_VULCAN MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, 
BRCM_CPU_PART_VULCAN)
+ 
+ #ifndef __ASSEMBLY__
+ 
+diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h
+index caf86be815ba..d8e58051f32d 100644
+--- a/arch/arm64/include/asm/fixmap.h
++++ b/arch/arm64/include/asm/fixmap.h
+@@ -51,6 +51,12 @@ enum fixed_addresses {
+ 
+       FIX_EARLYCON_MEM_BASE,
+       FIX_TEXT_POKE0,
++
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++      FIX_ENTRY_TRAMP_DATA,
++      FIX_ENTRY_TRAMP_TEXT,
++#define TRAMP_VALIAS          (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
++#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
+       __end_of_permanent_fixed_addresses,
+ 
+       /*
+diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
+index 53211a0acf0f..5e3faba689e0 100644
+--- a/arch/arm64/include/asm/memory.h
++++ b/arch/arm64/include/asm/memory.h
+@@ -64,8 +64,10 @@
+  * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area.
+  */
+ #define VA_BITS                       (CONFIG_ARM64_VA_BITS)
+-#define VA_START              (UL(0xffffffffffffffff) << VA_BITS)
+-#define PAGE_OFFSET           (UL(0xffffffffffffffff) << (VA_BITS - 1))
++#define VA_START              (UL(0xffffffffffffffff) - \
++      (UL(1) << VA_BITS) + 1)
++#define PAGE_OFFSET           (UL(0xffffffffffffffff) - \
++      (UL(1) << (VA_BITS - 1)) + 1)
+ #define KIMAGE_VADDR          (MODULES_END)
+ #define MODULES_END           (MODULES_VADDR + MODULES_VSIZE)
+ #define MODULES_VADDR         (VA_START + KASAN_SHADOW_SIZE)
+diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h
+index 8d9fce037b2f..a813edf28737 100644
+--- a/arch/arm64/include/asm/mmu.h
++++ b/arch/arm64/include/asm/mmu.h
+@@ -16,6 +16,10 @@
+ #ifndef __ASM_MMU_H
+ #define __ASM_MMU_H
+ 
++#define USER_ASID_FLAG        (UL(1) << 48)
++
++#ifndef __ASSEMBLY__
++
+ typedef struct {
+       atomic64_t      id;
+       void            *vdso;
+@@ -28,6 +32,12 @@ typedef struct {
+  */
+ #define ASID(mm)      ((mm)->context.id.counter & 0xffff)
+ 
++static inline bool arm64_kernel_unmapped_at_el0(void)
++{
++      return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0) &&
++             cpus_have_cap(ARM64_UNMAP_KERNEL_AT_EL0);
++}
++
+ extern void paging_init(void);
+ extern void bootmem_init(void);
+ extern void __iomem *early_io_map(phys_addr_t phys, unsigned long virt);
+@@ -37,4 +47,5 @@ extern void create_pgd_mapping(struct mm_struct *mm, 
phys_addr_t phys,
+                              pgprot_t prot, bool allow_block_mappings);
+ extern void *fixmap_remap_fdt(phys_addr_t dt_phys);
+ 
++#endif        /* !__ASSEMBLY__ */
+ #endif
+diff --git a/arch/arm64/include/asm/mmu_context.h 
b/arch/arm64/include/asm/mmu_context.h
+index a50185375f09..b96c4799f881 100644
+--- a/arch/arm64/include/asm/mmu_context.h
++++ b/arch/arm64/include/asm/mmu_context.h
+@@ -50,6 +50,13 @@ static inline void cpu_set_reserved_ttbr0(void)
+       isb();
+ }
+ 
++static inline void cpu_switch_mm(pgd_t *pgd, struct mm_struct *mm)
++{
++      BUG_ON(pgd == swapper_pg_dir);
++      cpu_set_reserved_ttbr0();
++      cpu_do_switch_mm(virt_to_phys(pgd),mm);
++}
++
+ /*
+  * TCR.T0SZ value to use when the ID map is active. Usually equals
+  * TCR_T0SZ(VA_BITS), unless system RAM is positioned very high in
+diff --git a/arch/arm64/include/asm/pgtable-hwdef.h 
b/arch/arm64/include/asm/pgtable-hwdef.h
+index eb0c2bd90de9..8df4cb6ac6f7 100644
+--- a/arch/arm64/include/asm/pgtable-hwdef.h
++++ b/arch/arm64/include/asm/pgtable-hwdef.h
+@@ -272,6 +272,7 @@
+ #define TCR_TG1_4K            (UL(2) << TCR_TG1_SHIFT)
+ #define TCR_TG1_64K           (UL(3) << TCR_TG1_SHIFT)
+ 
++#define TCR_A1                        (UL(1) << 22)
+ #define TCR_ASID16            (UL(1) << 36)
+ #define TCR_TBI0              (UL(1) << 37)
+ #define TCR_HA                        (UL(1) << 39)
+diff --git a/arch/arm64/include/asm/pgtable-prot.h 
b/arch/arm64/include/asm/pgtable-prot.h
+index 2142c7726e76..f705d96a76f2 100644
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -34,8 +34,14 @@
+ 
+ #include <asm/pgtable-types.h>
+ 
+-#define PROT_DEFAULT          (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
+-#define PROT_SECT_DEFAULT     (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
++#define _PROT_DEFAULT         (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
++#define _PROT_SECT_DEFAULT    (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
++
++#define PTE_MAYBE_NG          (arm64_kernel_unmapped_at_el0() ? PTE_NG : 0)
++#define PMD_MAYBE_NG          (arm64_kernel_unmapped_at_el0() ? PMD_SECT_NG : 
0)
++
++#define PROT_DEFAULT          (_PROT_DEFAULT | PTE_MAYBE_NG)
++#define PROT_SECT_DEFAULT     (_PROT_SECT_DEFAULT | PMD_MAYBE_NG)
+ 
+ #define PROT_DEVICE_nGnRnE    (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | 
PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
+ #define PROT_DEVICE_nGnRE     (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | 
PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
+@@ -47,23 +53,24 @@
+ #define PROT_SECT_NORMAL      (PROT_SECT_DEFAULT | PMD_SECT_PXN | 
PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
+ #define PROT_SECT_NORMAL_EXEC (PROT_SECT_DEFAULT | PMD_SECT_UXN | 
PMD_ATTRINDX(MT_NORMAL))
+ 
+-#define _PAGE_DEFAULT         (PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
++#define _PAGE_DEFAULT         (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
++#define _HYP_PAGE_DEFAULT     _PAGE_DEFAULT
+ 
+-#define PAGE_KERNEL           __pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | 
PTE_DIRTY | PTE_WRITE)
+-#define PAGE_KERNEL_RO                __pgprot(_PAGE_DEFAULT | PTE_PXN | 
PTE_UXN | PTE_DIRTY | PTE_RDONLY)
+-#define PAGE_KERNEL_ROX               __pgprot(_PAGE_DEFAULT | PTE_UXN | 
PTE_DIRTY | PTE_RDONLY)
+-#define PAGE_KERNEL_EXEC      __pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | 
PTE_WRITE)
+-#define PAGE_KERNEL_EXEC_CONT __pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | 
PTE_WRITE | PTE_CONT)
++#define PAGE_KERNEL           __pgprot(PROT_NORMAL)
++#define PAGE_KERNEL_RO                __pgprot((PROT_NORMAL & ~PTE_WRITE) | 
PTE_RDONLY)
++#define PAGE_KERNEL_ROX               __pgprot((PROT_NORMAL & ~(PTE_WRITE | 
PTE_PXN)) | PTE_RDONLY)
++#define PAGE_KERNEL_EXEC      __pgprot(PROT_NORMAL & ~PTE_PXN)
++#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
+ 
+-#define PAGE_HYP              __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN)
+-#define PAGE_HYP_EXEC         __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY)
+-#define PAGE_HYP_RO           __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | 
PTE_HYP_XN)
++#define PAGE_HYP              __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | 
PTE_HYP_XN)
++#define PAGE_HYP_EXEC         __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | 
PTE_RDONLY)
++#define PAGE_HYP_RO           __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | 
PTE_RDONLY | PTE_HYP_XN)
+ #define PAGE_HYP_DEVICE               __pgprot(PROT_DEVICE_nGnRE | PTE_HYP)
+ 
+-#define PAGE_S2                       __pgprot(PROT_DEFAULT | 
PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY)
+-#define PAGE_S2_DEVICE                __pgprot(PROT_DEFAULT | 
PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
++#define PAGE_S2                       __pgprot(_PROT_DEFAULT | 
PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY)
++#define PAGE_S2_DEVICE                __pgprot(_PROT_DEFAULT | 
PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
+ 
+-#define PAGE_NONE             __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | 
PTE_PROT_NONE | PTE_PXN | PTE_UXN)
++#define PAGE_NONE             __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | 
PTE_PROT_NONE | PTE_NG | PTE_PXN | PTE_UXN)
+ #define PAGE_SHARED           __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | 
PTE_PXN | PTE_UXN | PTE_WRITE)
+ #define PAGE_SHARED_EXEC      __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | 
PTE_PXN | PTE_WRITE)
+ #define PAGE_COPY             __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | 
PTE_PXN | PTE_UXN)
+diff --git a/arch/arm64/include/asm/pgtable.h 
b/arch/arm64/include/asm/pgtable.h
+index 7acd3c5c7643..3a30a3994e4a 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -692,6 +692,7 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
+ 
+ extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
+ extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
++extern pgd_t tramp_pg_dir[PTRS_PER_PGD];
+ 
+ /*
+  * Encode and decode a swap entry:
+diff --git a/arch/arm64/include/asm/proc-fns.h 
b/arch/arm64/include/asm/proc-fns.h
+index 14ad6e4e87d1..16cef2e8449e 100644
+--- a/arch/arm64/include/asm/proc-fns.h
++++ b/arch/arm64/include/asm/proc-fns.h
+@@ -35,12 +35,6 @@ extern u64 cpu_do_resume(phys_addr_t ptr, u64 idmap_ttbr);
+ 
+ #include <asm/memory.h>
+ 
+-#define cpu_switch_mm(pgd,mm)                         \
+-do {                                                  \
+-      BUG_ON(pgd == swapper_pg_dir);                  \
+-      cpu_do_switch_mm(virt_to_phys(pgd),mm);         \
+-} while (0)
+-
+ #endif /* __ASSEMBLY__ */
+ #endif /* __KERNEL__ */
+ #endif /* __ASM_PROCFNS_H */
+diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
+index 7393cc767edb..7cb7f7cdcfbc 100644
+--- a/arch/arm64/include/asm/sysreg.h
++++ b/arch/arm64/include/asm/sysreg.h
+@@ -117,6 +117,7 @@
+ #define ID_AA64ISAR0_AES_SHIFT                4
+ 
+ /* id_aa64pfr0 */
++#define ID_AA64PFR0_CSV3_SHIFT                60
+ #define ID_AA64PFR0_GIC_SHIFT         24
+ #define ID_AA64PFR0_ASIMD_SHIFT               20
+ #define ID_AA64PFR0_FP_SHIFT          16
+diff --git a/arch/arm64/include/asm/tlbflush.h 
b/arch/arm64/include/asm/tlbflush.h
+index deab52374119..ad6bd8b26ada 100644
+--- a/arch/arm64/include/asm/tlbflush.h
++++ b/arch/arm64/include/asm/tlbflush.h
+@@ -23,6 +23,7 @@
+ 
+ #include <linux/sched.h>
+ #include <asm/cputype.h>
++#include <asm/mmu.h>
+ 
+ /*
+  * Raw TLBI operations.
+@@ -42,6 +43,11 @@
+ 
+ #define __tlbi(op, ...)               __TLBI_N(op, ##__VA_ARGS__, 1, 0)
+ 
++#define __tlbi_user(op, arg) do {                                             
\
++      if (arm64_kernel_unmapped_at_el0())                                     
\
++              __tlbi(op, (arg) | USER_ASID_FLAG);                             
\
++} while (0)
++
+ /*
+  *    TLB Management
+  *    ==============
+@@ -103,6 +109,7 @@ static inline void flush_tlb_mm(struct mm_struct *mm)
+ 
+       dsb(ishst);
+       __tlbi(aside1is, asid);
++      __tlbi_user(aside1is, asid);
+       dsb(ish);
+ }
+ 
+@@ -113,6 +120,7 @@ static inline void flush_tlb_page(struct vm_area_struct 
*vma,
+ 
+       dsb(ishst);
+       __tlbi(vale1is, addr);
++      __tlbi_user(vale1is, addr);
+       dsb(ish);
+ }
+ 
+@@ -139,10 +147,13 @@ static inline void __flush_tlb_range(struct 
vm_area_struct *vma,
+ 
+       dsb(ishst);
+       for (addr = start; addr < end; addr += 1 << (PAGE_SHIFT - 12)) {
+-              if (last_level)
++              if (last_level) {
+                       __tlbi(vale1is, addr);
+-              else
++                      __tlbi_user(vale1is, addr);
++              } else {
+                       __tlbi(vae1is, addr);
++                      __tlbi_user(vae1is, addr);
++              }
+       }
+       dsb(ish);
+ }
+@@ -182,6 +193,7 @@ static inline void __flush_tlb_pgtable(struct mm_struct 
*mm,
+       unsigned long addr = uaddr >> 12 | (ASID(mm) << 48);
+ 
+       __tlbi(vae1is, addr);
++      __tlbi_user(vae1is, addr);
+       dsb(ish);
+ }
+ 
+diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c
+index c58ddf8c4062..5f4bf3c6f016 100644
+--- a/arch/arm64/kernel/asm-offsets.c
++++ b/arch/arm64/kernel/asm-offsets.c
+@@ -24,6 +24,7 @@
+ #include <linux/kvm_host.h>
+ #include <linux/suspend.h>
+ #include <asm/cpufeature.h>
++#include <asm/fixmap.h>
+ #include <asm/thread_info.h>
+ #include <asm/memory.h>
+ #include <asm/smp_plat.h>
+@@ -144,11 +145,14 @@ int main(void)
+   DEFINE(ARM_SMCCC_RES_X2_OFFS,               offsetof(struct arm_smccc_res, 
a2));
+   DEFINE(ARM_SMCCC_QUIRK_ID_OFFS,     offsetof(struct arm_smccc_quirk, id));
+   DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS,  offsetof(struct arm_smccc_quirk, 
state));
+-
+   BLANK();
+   DEFINE(HIBERN_PBE_ORIG,     offsetof(struct pbe, orig_address));
+   DEFINE(HIBERN_PBE_ADDR,     offsetof(struct pbe, address));
+   DEFINE(HIBERN_PBE_NEXT,     offsetof(struct pbe, next));
+   DEFINE(ARM64_FTR_SYSVAL,    offsetof(struct arm64_ftr_reg, sys_val));
++  BLANK();
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++  DEFINE(TRAMP_VALIAS,                TRAMP_VALIAS);
++#endif
+   return 0;
+ }
+diff --git a/arch/arm64/kernel/cpu-reset.S b/arch/arm64/kernel/cpu-reset.S
+index 65f42d257414..f736a6f81ecd 100644
+--- a/arch/arm64/kernel/cpu-reset.S
++++ b/arch/arm64/kernel/cpu-reset.S
+@@ -16,7 +16,7 @@
+ #include <asm/virt.h>
+ 
+ .text
+-.pushsection    .idmap.text, "ax"
++.pushsection    .idmap.text, "awx"
+ 
+ /*
+  * __cpu_soft_restart(el2_switch, entry, arg0, arg1, arg2) - Helper for
+diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
+index 3a129d48674e..5056fc597ae9 100644
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -93,7 +93,8 @@ static const struct arm64_ftr_bits ftr_id_aa64isar0[] = {
+ };
+ 
+ static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = {
+-      ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 32, 0),
++      ARM64_FTR_BITS(FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_CSV3_SHIFT, 
4, 0),
++      ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 28, 0),
+       ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 28, 4, 0),
+       ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, ID_AA64PFR0_GIC_SHIFT, 4, 0),
+       S_ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_ASIMD_SHIFT, 
4, ID_AA64PFR0_ASIMD_NI),
+@@ -746,6 +747,86 @@ static bool hyp_offset_low(const struct 
arm64_cpu_capabilities *entry,
+       return idmap_addr > GENMASK(VA_BITS - 2, 0) && !is_kernel_in_hyp_mode();
+ }
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
++
++static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
++                              int __unused)
++{
++      char const *str = "command line option";
++      u64 pfr0 = read_system_reg(SYS_ID_AA64PFR0_EL1);
++
++      /*
++       * For reasons that aren't entirely clear, enabling KPTI on Cavium
++       * ThunderX leads to apparent I-cache corruption of kernel text, which
++       * ends as well as you might imagine. Don't even try.
++       */
++      if (cpus_have_cap(ARM64_WORKAROUND_CAVIUM_27456)) {
++              str = "ARM64_WORKAROUND_CAVIUM_27456";
++              __kpti_forced = -1;
++      }
++
++      /* Forced? */
++      if (__kpti_forced) {
++              pr_info_once("kernel page table isolation forced %s by %s\n",
++                           __kpti_forced > 0 ? "ON" : "OFF", str);
++              return __kpti_forced > 0;
++      }
++
++      /* Useful for KASLR robustness */
++      if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
++              return true;
++
++      /* Don't force KPTI for CPUs that are not vulnerable */
++      switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) {
++      case MIDR_CAVIUM_THUNDERX2:
++      case MIDR_BRCM_VULCAN:
++              return false;
++      }
++
++      /* Defer to CPU feature registers */
++      return !cpuid_feature_extract_unsigned_field(pfr0,
++                                                   ID_AA64PFR0_CSV3_SHIFT);
++}
++
++static int kpti_install_ng_mappings(void *__unused)
++{
++      typedef void (kpti_remap_fn)(int, int, phys_addr_t);
++      extern kpti_remap_fn idmap_kpti_install_ng_mappings;
++      kpti_remap_fn *remap_fn;
++
++      static bool kpti_applied = false;
++      int cpu = smp_processor_id();
++
++      if (kpti_applied)
++              return 0;
++
++      remap_fn = (void *)__pa_symbol(idmap_kpti_install_ng_mappings);
++
++      cpu_install_idmap();
++      remap_fn(cpu, num_online_cpus(), __pa_symbol(swapper_pg_dir));
++      cpu_uninstall_idmap();
++
++      if (!cpu)
++              kpti_applied = true;
++
++      return 0;
++}
++
++static int __init parse_kpti(char *str)
++{
++      bool enabled;
++      int ret = strtobool(str, &enabled);
++
++      if (ret)
++              return ret;
++
++      __kpti_forced = enabled ? 1 : -1;
++      return 0;
++}
++__setup("kpti=", parse_kpti);
++#endif        /* CONFIG_UNMAP_KERNEL_AT_EL0 */
++
+ static const struct arm64_cpu_capabilities arm64_features[] = {
+       {
+               .desc = "GIC system register CPU interface",
+@@ -829,6 +910,15 @@ static const struct arm64_cpu_capabilities 
arm64_features[] = {
+               .def_scope = SCOPE_SYSTEM,
+               .matches = hyp_offset_low,
+       },
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++      {
++              .desc = "Kernel page table isolation (KPTI)",
++              .capability = ARM64_UNMAP_KERNEL_AT_EL0,
++              .def_scope = SCOPE_SYSTEM,
++              .matches = unmap_kernel_at_el0,
++              .enable = kpti_install_ng_mappings,
++      },
++#endif
+       {},
+ };
+ 
+@@ -922,6 +1012,26 @@ static void __init setup_elf_hwcaps(const struct 
arm64_cpu_capabilities *hwcaps)
+                       cap_set_elf_hwcap(hwcaps);
+ }
+ 
++/*
++ * Check if the current CPU has a given feature capability.
++ * Should be called from non-preemptible context.
++ */
++static bool __this_cpu_has_cap(const struct arm64_cpu_capabilities *cap_array,
++                             unsigned int cap)
++{
++      const struct arm64_cpu_capabilities *caps;
++
++      if (WARN_ON(preemptible()))
++              return false;
++
++      for (caps = cap_array; caps->desc; caps++)
++              if (caps->capability == cap &&
++                  caps->matches &&
++                  caps->matches(caps, SCOPE_LOCAL_CPU))
++                      return true;
++      return false;
++}
++
+ void update_cpu_capabilities(const struct arm64_cpu_capabilities *caps,
+                           const char *info)
+ {
+@@ -990,8 +1100,9 @@ verify_local_elf_hwcaps(const struct 
arm64_cpu_capabilities *caps)
+ }
+ 
+ static void
+-verify_local_cpu_features(const struct arm64_cpu_capabilities *caps)
++verify_local_cpu_features(const struct arm64_cpu_capabilities *caps_list)
+ {
++      const struct arm64_cpu_capabilities *caps = caps_list;
+       for (; caps->matches; caps++) {
+               if (!cpus_have_cap(caps->capability))
+                       continue;
+@@ -999,7 +1110,7 @@ verify_local_cpu_features(const struct 
arm64_cpu_capabilities *caps)
+                * If the new CPU misses an advertised feature, we cannot 
proceed
+                * further, park the cpu.
+                */
+-              if (!caps->matches(caps, SCOPE_LOCAL_CPU)) {
++              if (!__this_cpu_has_cap(caps_list, caps->capability)) {
+                       pr_crit("CPU%d: missing feature: %s\n",
+                                       smp_processor_id(), caps->desc);
+                       cpu_die_early();
+@@ -1052,22 +1163,12 @@ static void __init setup_feature_capabilities(void)
+       enable_cpu_capabilities(arm64_features);
+ }
+ 
+-/*
+- * Check if the current CPU has a given feature capability.
+- * Should be called from non-preemptible context.
+- */
++extern const struct arm64_cpu_capabilities arm64_errata[];
++
+ bool this_cpu_has_cap(unsigned int cap)
+ {
+-      const struct arm64_cpu_capabilities *caps;
+-
+-      if (WARN_ON(preemptible()))
+-              return false;
+-
+-      for (caps = arm64_features; caps->desc; caps++)
+-              if (caps->capability == cap && caps->matches)
+-                      return caps->matches(caps, SCOPE_LOCAL_CPU);
+-
+-      return false;
++      return (__this_cpu_has_cap(arm64_features, cap) ||
++              __this_cpu_has_cap(arm64_errata, cap));
+ }
+ 
+ void __init setup_cpu_features(void)
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index b4c7db434654..8d1600b18562 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -29,9 +29,11 @@
+ #include <asm/esr.h>
+ #include <asm/irq.h>
+ #include <asm/memory.h>
++#include <asm/mmu.h>
+ #include <asm/thread_info.h>
+ #include <asm/asm-uaccess.h>
+ #include <asm/unistd.h>
++#include <asm/kernel-pgtable.h>
+ 
+ /*
+  * Context tracking subsystem.  Used to instrument transitions
+@@ -68,8 +70,31 @@
+ #define BAD_FIQ               2
+ #define BAD_ERROR     3
+ 
+-      .macro  kernel_entry, el, regsize = 64
++      .macro kernel_ventry, el, label, regsize = 64
++      .align 7
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++alternative_if ARM64_UNMAP_KERNEL_AT_EL0
++      .if     \el == 0
++      .if     \regsize == 64
++      mrs     x30, tpidrro_el0
++      msr     tpidrro_el0, xzr
++      .else
++      mov     x30, xzr
++      .endif
++      .endif
++alternative_else_nop_endif
++#endif
++
+       sub     sp, sp, #S_FRAME_SIZE
++      b       el\()\el\()_\label
++      .endm
++
++      .macro tramp_alias, dst, sym
++      mov_q   \dst, TRAMP_VALIAS
++      add     \dst, \dst, #(\sym - .entry.tramp.text)
++      .endm
++
++      .macro  kernel_entry, el, regsize = 64
+       .if     \regsize == 32
+       mov     w0, w0                          // zero upper 32 bits of x0
+       .endif
+@@ -150,18 +175,20 @@
+       ct_user_enter
+       ldr     x23, [sp, #S_SP]                // load return stack pointer
+       msr     sp_el0, x23
++      tst     x22, #PSR_MODE32_BIT            // native task?
++      b.eq    3f
++
+ #ifdef CONFIG_ARM64_ERRATUM_845719
+ alternative_if ARM64_WORKAROUND_845719
+-      tbz     x22, #4, 1f
+ #ifdef CONFIG_PID_IN_CONTEXTIDR
+       mrs     x29, contextidr_el1
+       msr     contextidr_el1, x29
+ #else
+       msr contextidr_el1, xzr
+ #endif
+-1:
+ alternative_else_nop_endif
+ #endif
++3:
+       .endif
+       msr     elr_el1, x21                    // set up the return data
+       msr     spsr_el1, x22
+@@ -182,7 +209,21 @@ alternative_else_nop_endif
+       ldp     x28, x29, [sp, #16 * 14]
+       ldr     lr, [sp, #S_LR]
+       add     sp, sp, #S_FRAME_SIZE           // restore sp
+-      eret                                    // return to kernel
++
++      .if     \el == 0
++alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++      bne     4f
++      msr     far_el1, x30
++      tramp_alias     x30, tramp_exit_native
++      br      x30
++4:
++      tramp_alias     x30, tramp_exit_compat
++      br      x30
++#endif
++      .else
++      eret
++      .endif
+       .endm
+ 
+       .macro  get_thread_info, rd
+@@ -257,31 +298,31 @@ tsk      .req    x28             // current thread_info
+ 
+       .align  11
+ ENTRY(vectors)
+-      ventry  el1_sync_invalid                // Synchronous EL1t
+-      ventry  el1_irq_invalid                 // IRQ EL1t
+-      ventry  el1_fiq_invalid                 // FIQ EL1t
+-      ventry  el1_error_invalid               // Error EL1t
++      kernel_ventry   1, sync_invalid                 // Synchronous EL1t
++      kernel_ventry   1, irq_invalid                  // IRQ EL1t
++      kernel_ventry   1, fiq_invalid                  // FIQ EL1t
++      kernel_ventry   1, error_invalid                // Error EL1t
+ 
+-      ventry  el1_sync                        // Synchronous EL1h
+-      ventry  el1_irq                         // IRQ EL1h
+-      ventry  el1_fiq_invalid                 // FIQ EL1h
+-      ventry  el1_error_invalid               // Error EL1h
++      kernel_ventry   1, sync                         // Synchronous EL1h
++      kernel_ventry   1, irq                          // IRQ EL1h
++      kernel_ventry   1, fiq_invalid                  // FIQ EL1h
++      kernel_ventry   1, error_invalid                // Error EL1h
+ 
+-      ventry  el0_sync                        // Synchronous 64-bit EL0
+-      ventry  el0_irq                         // IRQ 64-bit EL0
+-      ventry  el0_fiq_invalid                 // FIQ 64-bit EL0
+-      ventry  el0_error_invalid               // Error 64-bit EL0
++      kernel_ventry   0, sync                         // Synchronous 64-bit 
EL0
++      kernel_ventry   0, irq                          // IRQ 64-bit EL0
++      kernel_ventry   0, fiq_invalid                  // FIQ 64-bit EL0
++      kernel_ventry   0, error_invalid                // Error 64-bit EL0
+ 
+ #ifdef CONFIG_COMPAT
+-      ventry  el0_sync_compat                 // Synchronous 32-bit EL0
+-      ventry  el0_irq_compat                  // IRQ 32-bit EL0
+-      ventry  el0_fiq_invalid_compat          // FIQ 32-bit EL0
+-      ventry  el0_error_invalid_compat        // Error 32-bit EL0
++      kernel_ventry   0, sync_compat, 32              // Synchronous 32-bit 
EL0
++      kernel_ventry   0, irq_compat, 32               // IRQ 32-bit EL0
++      kernel_ventry   0, fiq_invalid_compat, 32       // FIQ 32-bit EL0
++      kernel_ventry   0, error_invalid_compat, 32     // Error 32-bit EL0
+ #else
+-      ventry  el0_sync_invalid                // Synchronous 32-bit EL0
+-      ventry  el0_irq_invalid                 // IRQ 32-bit EL0
+-      ventry  el0_fiq_invalid                 // FIQ 32-bit EL0
+-      ventry  el0_error_invalid               // Error 32-bit EL0
++      kernel_ventry   0, sync_invalid, 32             // Synchronous 32-bit 
EL0
++      kernel_ventry   0, irq_invalid, 32              // IRQ 32-bit EL0
++      kernel_ventry   0, fiq_invalid, 32              // FIQ 32-bit EL0
++      kernel_ventry   0, error_invalid, 32            // Error 32-bit EL0
+ #endif
+ END(vectors)
+ 
+@@ -801,6 +842,105 @@ __ni_sys_trace:
+ 
+       .popsection                             // .entry.text
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++/*
++ * Exception vectors trampoline.
++ */
++      .pushsection ".entry.tramp.text", "ax"
++
++      .macro tramp_map_kernel, tmp
++      mrs     \tmp, ttbr1_el1
++      sub     \tmp, \tmp, #SWAPPER_DIR_SIZE
++      bic     \tmp, \tmp, #USER_ASID_FLAG
++      msr     ttbr1_el1, \tmp
++      .endm
++
++      .macro tramp_unmap_kernel, tmp
++      mrs     \tmp, ttbr1_el1
++      add     \tmp, \tmp, #SWAPPER_DIR_SIZE
++      orr     \tmp, \tmp, #USER_ASID_FLAG
++      msr     ttbr1_el1, \tmp
++      /*
++       * We avoid running the post_ttbr_update_workaround here because
++       * it's only needed by Cavium ThunderX, which requires KPTI to be
++       * disabled.
++       */
++      .endm
++
++      .macro tramp_ventry, regsize = 64
++      .align  7
++1:
++      .if     \regsize == 64
++      msr     tpidrro_el0, x30        // Restored in kernel_ventry
++      .endif
++      /*
++       * Defend against branch aliasing attacks by pushing a dummy
++       * entry onto the return stack and using a RET instruction to
++       * enter the full-fat kernel vectors.
++       */
++      bl      2f
++      b       .
++2:
++      tramp_map_kernel        x30
++#ifdef CONFIG_RANDOMIZE_BASE
++      adr     x30, tramp_vectors + PAGE_SIZE
++      isb
++      ldr     x30, [x30]
++#else
++      ldr     x30, =vectors
++#endif
++      prfm    plil1strm, [x30, #(1b - tramp_vectors)]
++      msr     vbar_el1, x30
++      add     x30, x30, #(1b - tramp_vectors)
++      isb
++      ret
++      .endm
++
++      .macro tramp_exit, regsize = 64
++      adr     x30, tramp_vectors
++      msr     vbar_el1, x30
++      tramp_unmap_kernel      x30
++      .if     \regsize == 64
++      mrs     x30, far_el1
++      .endif
++      eret
++      .endm
++
++      .align  11
++ENTRY(tramp_vectors)
++      .space  0x400
++
++      tramp_ventry
++      tramp_ventry
++      tramp_ventry
++      tramp_ventry
++
++      tramp_ventry    32
++      tramp_ventry    32
++      tramp_ventry    32
++      tramp_ventry    32
++END(tramp_vectors)
++
++ENTRY(tramp_exit_native)
++      tramp_exit
++END(tramp_exit_native)
++
++ENTRY(tramp_exit_compat)
++      tramp_exit      32
++END(tramp_exit_compat)
++
++      .ltorg
++      .popsection                             // .entry.tramp.text
++#ifdef CONFIG_RANDOMIZE_BASE
++      .pushsection ".rodata", "a"
++      .align PAGE_SHIFT
++      .globl  __entry_tramp_data_start
++__entry_tramp_data_start:
++      .quad   vectors
++      .popsection                             // .rodata
++#endif /* CONFIG_RANDOMIZE_BASE */
++#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
++
+ /*
+  * Special system call wrappers.
+  */
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 539bebc1222f..fa52817d84c5 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -473,7 +473,7 @@ ENDPROC(__primary_switched)
+  * end early head section, begin head code that is also used for
+  * hotplug and needs to have the same protections as the text region
+  */
+-      .section ".idmap.text","ax"
++      .section ".idmap.text","awx"
+ 
+ ENTRY(kimage_vaddr)
+       .quad           _text - TEXT_OFFSET
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 0e7394915c70..0972ce58316d 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -306,17 +306,17 @@ int copy_thread(unsigned long clone_flags, unsigned long 
stack_start,
+ 
+ static void tls_thread_switch(struct task_struct *next)
+ {
+-      unsigned long tpidr, tpidrro;
++      unsigned long tpidr;
+ 
+       tpidr = read_sysreg(tpidr_el0);
+       *task_user_tls(current) = tpidr;
+ 
+-      tpidr = *task_user_tls(next);
+-      tpidrro = is_compat_thread(task_thread_info(next)) ?
+-                next->thread.tp_value : 0;
++      if (is_compat_thread(task_thread_info(next)))
++              write_sysreg(next->thread.tp_value, tpidrro_el0);
++      else if (!arm64_kernel_unmapped_at_el0())
++              write_sysreg(0, tpidrro_el0);
+ 
+-      write_sysreg(tpidr, tpidr_el0);
+-      write_sysreg(tpidrro, tpidrro_el0);
++      write_sysreg(*task_user_tls(next), tpidr_el0);
+ }
+ 
+ /* Restore the UAO state depending on next's addr_limit */
+diff --git a/arch/arm64/kernel/sleep.S b/arch/arm64/kernel/sleep.S
+index 1bec41b5fda3..0030d6964e65 100644
+--- a/arch/arm64/kernel/sleep.S
++++ b/arch/arm64/kernel/sleep.S
+@@ -95,7 +95,7 @@ ENTRY(__cpu_suspend_enter)
+       ret
+ ENDPROC(__cpu_suspend_enter)
+ 
+-      .pushsection ".idmap.text", "ax"
++      .pushsection ".idmap.text", "awx"
+ ENTRY(cpu_resume)
+       bl      el2_setup               // if in EL2 drop to EL1 cleanly
+       bl      __cpu_setup
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 1105aab1e6d6..6a584558b29d 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -56,6 +56,17 @@ jiffies = jiffies_64;
+ #define HIBERNATE_TEXT
+ #endif
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++#define TRAMP_TEXT                                    \
++      . = ALIGN(PAGE_SIZE);                           \
++      VMLINUX_SYMBOL(__entry_tramp_text_start) = .;   \
++      *(.entry.tramp.text)                            \
++      . = ALIGN(PAGE_SIZE);                           \
++      VMLINUX_SYMBOL(__entry_tramp_text_end) = .;
++#else
++#define TRAMP_TEXT
++#endif
++
+ /*
+  * The size of the PE/COFF section that covers the kernel image, which
+  * runs from stext to _edata, must be a round multiple of the PE/COFF
+@@ -128,6 +139,7 @@ SECTIONS
+                       HYPERVISOR_TEXT
+                       IDMAP_TEXT
+                       HIBERNATE_TEXT
++                      TRAMP_TEXT
+                       *(.fixup)
+                       *(.gnu.warning)
+               . = ALIGN(16);
+@@ -216,6 +228,11 @@ SECTIONS
+       swapper_pg_dir = .;
+       . += SWAPPER_DIR_SIZE;
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++      tramp_pg_dir = .;
++      . += PAGE_SIZE;
++#endif
++
+       _end = .;
+ 
+       STABS_DEBUG
+@@ -235,7 +252,10 @@ ASSERT(__idmap_text_end - (__idmap_text_start & ~(SZ_4K - 
1)) <= SZ_4K,
+ ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 
1))
+       <= SZ_4K, "Hibernate exit text too big or misaligned")
+ #endif
+-
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE,
++      "Entry trampoline text too big")
++#endif
+ /*
+  * If padding is applied before .head.text, virt<->phys conversions will fail.
+  */
+diff --git a/arch/arm64/mm/context.c b/arch/arm64/mm/context.c
+index efcf1f7ef1e4..f00f5eeb556f 100644
+--- a/arch/arm64/mm/context.c
++++ b/arch/arm64/mm/context.c
+@@ -39,7 +39,16 @@ static cpumask_t tlb_flush_pending;
+ 
+ #define ASID_MASK             (~GENMASK(asid_bits - 1, 0))
+ #define ASID_FIRST_VERSION    (1UL << asid_bits)
+-#define NUM_USER_ASIDS                ASID_FIRST_VERSION
++
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++#define NUM_USER_ASIDS                (ASID_FIRST_VERSION >> 1)
++#define asid2idx(asid)                (((asid) & ~ASID_MASK) >> 1)
++#define idx2asid(idx)         (((idx) << 1) & ~ASID_MASK)
++#else
++#define NUM_USER_ASIDS                (ASID_FIRST_VERSION)
++#define asid2idx(asid)                ((asid) & ~ASID_MASK)
++#define idx2asid(idx)         asid2idx(idx)
++#endif
+ 
+ /* Get the ASIDBits supported by the current CPU */
+ static u32 get_cpu_asid_bits(void)
+@@ -104,7 +113,7 @@ static void flush_context(unsigned int cpu)
+                */
+               if (asid == 0)
+                       asid = per_cpu(reserved_asids, i);
+-              __set_bit(asid & ~ASID_MASK, asid_map);
++              __set_bit(asid2idx(asid), asid_map);
+               per_cpu(reserved_asids, i) = asid;
+       }
+ 
+@@ -159,16 +168,16 @@ static u64 new_context(struct mm_struct *mm, unsigned 
int cpu)
+                * We had a valid ASID in a previous life, so try to re-use
+                * it if possible.
+                */
+-              asid &= ~ASID_MASK;
+-              if (!__test_and_set_bit(asid, asid_map))
++              if (!__test_and_set_bit(asid2idx(asid), asid_map))
+                       return newasid;
+       }
+ 
+       /*
+        * Allocate a free ASID. If we can't find one, take a note of the
+-       * currently active ASIDs and mark the TLBs as requiring flushes.
+-       * We always count from ASID #1, as we use ASID #0 when setting a
+-       * reserved TTBR0 for the init_mm.
++       * currently active ASIDs and mark the TLBs as requiring flushes.  We
++       * always count from ASID #2 (index 1), as we use ASID #0 when setting
++       * a reserved TTBR0 for the init_mm and we allocate ASIDs in even/odd
++       * pairs.
+        */
+       asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
+       if (asid != NUM_USER_ASIDS)
+@@ -185,7 +194,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int 
cpu)
+ set_asid:
+       __set_bit(asid, asid_map);
+       cur_idx = asid;
+-      return asid | generation;
++      return idx2asid(asid) | generation;
+ }
+ 
+ void check_and_switch_context(struct mm_struct *mm, unsigned int cpu)
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 638f7f2bd79c..4cd4862845cd 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -419,6 +419,37 @@ static void __init map_kernel_segment(pgd_t *pgd, void 
*va_start, void *va_end,
+       vm_area_add_early(vma);
+ }
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++static int __init map_entry_trampoline(void)
++{
++      extern char __entry_tramp_text_start[];
++
++      pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
++      phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
++
++      /* The trampoline is always mapped and can therefore be global */
++      pgprot_val(prot) &= ~PTE_NG;
++
++      /* Map only the text into the trampoline page table */
++      memset(tramp_pg_dir, 0, PGD_SIZE);
++      __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
++                           prot, pgd_pgtable_alloc, 0);
++
++      /* Map both the text and data into the kernel page table */
++      __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
++      if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
++              extern char __entry_tramp_data_start[];
++
++              __set_fixmap(FIX_ENTRY_TRAMP_DATA,
++                           __pa_symbol(__entry_tramp_data_start),
++                           PAGE_KERNEL_RO);
++      }
++
++      return 0;
++}
++core_initcall(map_entry_trampoline);
++#endif
++
+ /*
+  * Create fine-grained mappings for the kernel.
+  */
+diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
+index 352c73b6a59e..c07d9cc057e6 100644
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -83,7 +83,7 @@ ENDPROC(cpu_do_suspend)
+  *
+  * x0: Address of context pointer
+  */
+-      .pushsection ".idmap.text", "ax"
++      .pushsection ".idmap.text", "awx"
+ ENTRY(cpu_do_resume)
+       ldp     x2, x3, [x0]
+       ldp     x4, x5, [x0, #16]
+@@ -132,9 +132,12 @@ ENDPROC(cpu_do_resume)
+  *    - pgd_phys - physical address of new TTB
+  */
+ ENTRY(cpu_do_switch_mm)
++      mrs     x2, ttbr1_el1
+       mmid    x1, x1                          // get mm->context.id
+-      bfi     x0, x1, #48, #16                // set the ASID
+-      msr     ttbr0_el1, x0                   // set TTBR0
++      bfi     x2, x1, #48, #16                // set the ASID
++      msr     ttbr1_el1, x2                   // in TTBR1 (since TCR.A1 is 
set)
++      isb
++      msr     ttbr0_el1, x0                   // now update TTBR0
+       isb
+ alternative_if ARM64_WORKAROUND_CAVIUM_27456
+       ic      iallu
+@@ -144,7 +147,17 @@ alternative_else_nop_endif
+       ret
+ ENDPROC(cpu_do_switch_mm)
+ 
+-      .pushsection ".idmap.text", "ax"
++      .pushsection ".idmap.text", "awx"
++
++.macro        __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
++      adrp    \tmp1, empty_zero_page
++      msr     ttbr1_el1, \tmp1
++      isb
++      tlbi    vmalle1
++      dsb     nsh
++      isb
++.endm
++
+ /*
+  * void idmap_cpu_replace_ttbr1(phys_addr_t new_pgd)
+  *
+@@ -155,13 +168,7 @@ ENTRY(idmap_cpu_replace_ttbr1)
+       mrs     x2, daif
+       msr     daifset, #0xf
+ 
+-      adrp    x1, empty_zero_page
+-      msr     ttbr1_el1, x1
+-      isb
+-
+-      tlbi    vmalle1
+-      dsb     nsh
+-      isb
++      __idmap_cpu_set_reserved_ttbr1 x1, x3
+ 
+       msr     ttbr1_el1, x0
+       isb
+@@ -172,13 +179,196 @@ ENTRY(idmap_cpu_replace_ttbr1)
+ ENDPROC(idmap_cpu_replace_ttbr1)
+       .popsection
+ 
++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
++      .pushsection ".idmap.text", "awx"
++
++      .macro  __idmap_kpti_get_pgtable_ent, type
++      dc      cvac, cur_\()\type\()p          // Ensure any existing dirty
++      dmb     sy                              // lines are written back before
++      ldr     \type, [cur_\()\type\()p]       // loading the entry
++      tbz     \type, #0, next_\()\type        // Skip invalid entries
++      .endm
++
++      .macro __idmap_kpti_put_pgtable_ent_ng, type
++      orr     \type, \type, #PTE_NG           // Same bit for blocks and pages
++      str     \type, [cur_\()\type\()p]       // Update the entry and ensure 
it
++      dc      civac, cur_\()\type\()p         // is visible to all CPUs.
++      .endm
++
++/*
++ * void __kpti_install_ng_mappings(int cpu, int num_cpus, phys_addr_t swapper)
++ *
++ * Called exactly once from stop_machine context by each CPU found during 
boot.
++ */
++__idmap_kpti_flag:
++      .long   1
++ENTRY(idmap_kpti_install_ng_mappings)
++      cpu             .req    w0
++      num_cpus        .req    w1
++      swapper_pa      .req    x2
++      swapper_ttb     .req    x3
++      flag_ptr        .req    x4
++      cur_pgdp        .req    x5
++      end_pgdp        .req    x6
++      pgd             .req    x7
++      cur_pudp        .req    x8
++      end_pudp        .req    x9
++      pud             .req    x10
++      cur_pmdp        .req    x11
++      end_pmdp        .req    x12
++      pmd             .req    x13
++      cur_ptep        .req    x14
++      end_ptep        .req    x15
++      pte             .req    x16
++
++      mrs     swapper_ttb, ttbr1_el1
++      adr     flag_ptr, __idmap_kpti_flag
++
++      cbnz    cpu, __idmap_kpti_secondary
++
++      /* We're the boot CPU. Wait for the others to catch up */
++      sevl
++1:    wfe
++      ldaxr   w18, [flag_ptr]
++      eor     w18, w18, num_cpus
++      cbnz    w18, 1b
++
++      /* We need to walk swapper, so turn off the MMU. */
++      mrs     x18, sctlr_el1
++      bic     x18, x18, #SCTLR_ELx_M
++      msr     sctlr_el1, x18
++      isb
++
++      /* Everybody is enjoying the idmap, so we can rewrite swapper. */
++      /* PGD */
++      mov     cur_pgdp, swapper_pa
++      add     end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8)
++do_pgd:       __idmap_kpti_get_pgtable_ent    pgd
++      tbnz    pgd, #1, walk_puds
++      __idmap_kpti_put_pgtable_ent_ng pgd
++next_pgd:
++      add     cur_pgdp, cur_pgdp, #8
++      cmp     cur_pgdp, end_pgdp
++      b.ne    do_pgd
++
++      /* Publish the updated tables and nuke all the TLBs */
++      dsb     sy
++      tlbi    vmalle1is
++      dsb     ish
++      isb
++
++      /* We're done: fire up the MMU again */
++      mrs     x18, sctlr_el1
++      orr     x18, x18, #SCTLR_ELx_M
++      msr     sctlr_el1, x18
++      isb
++
++      /* Set the flag to zero to indicate that we're all done */
++      str     wzr, [flag_ptr]
++      ret
++
++      /* PUD */
++walk_puds:
++      .if CONFIG_PGTABLE_LEVELS > 3
++      pte_to_phys     cur_pudp, pgd
++      add     end_pudp, cur_pudp, #(PTRS_PER_PUD * 8)
++do_pud:       __idmap_kpti_get_pgtable_ent    pud
++      tbnz    pud, #1, walk_pmds
++      __idmap_kpti_put_pgtable_ent_ng pud
++next_pud:
++      add     cur_pudp, cur_pudp, 8
++      cmp     cur_pudp, end_pudp
++      b.ne    do_pud
++      b       next_pgd
++      .else /* CONFIG_PGTABLE_LEVELS <= 3 */
++      mov     pud, pgd
++      b       walk_pmds
++next_pud:
++      b       next_pgd
++      .endif
++
++      /* PMD */
++walk_pmds:
++      .if CONFIG_PGTABLE_LEVELS > 2
++      pte_to_phys     cur_pmdp, pud
++      add     end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8)
++do_pmd:       __idmap_kpti_get_pgtable_ent    pmd
++      tbnz    pmd, #1, walk_ptes
++      __idmap_kpti_put_pgtable_ent_ng pmd
++next_pmd:
++      add     cur_pmdp, cur_pmdp, #8
++      cmp     cur_pmdp, end_pmdp
++      b.ne    do_pmd
++      b       next_pud
++      .else /* CONFIG_PGTABLE_LEVELS <= 2 */
++      mov     pmd, pud
++      b       walk_ptes
++next_pmd:
++      b       next_pud
++      .endif
++
++      /* PTE */
++walk_ptes:
++      pte_to_phys     cur_ptep, pmd
++      add     end_ptep, cur_ptep, #(PTRS_PER_PTE * 8)
++do_pte:       __idmap_kpti_get_pgtable_ent    pte
++      __idmap_kpti_put_pgtable_ent_ng pte
++next_pte:
++      add     cur_ptep, cur_ptep, #8
++      cmp     cur_ptep, end_ptep
++      b.ne    do_pte
++      b       next_pmd
++
++      /* Secondary CPUs end up here */
++__idmap_kpti_secondary:
++      /* Uninstall swapper before surgery begins */
++      __idmap_cpu_set_reserved_ttbr1 x18, x17
++
++      /* Increment the flag to let the boot CPU we're ready */
++1:    ldxr    w18, [flag_ptr]
++      add     w18, w18, #1
++      stxr    w17, w18, [flag_ptr]
++      cbnz    w17, 1b
++
++      /* Wait for the boot CPU to finish messing around with swapper */
++      sevl
++1:    wfe
++      ldxr    w18, [flag_ptr]
++      cbnz    w18, 1b
++
++      /* All done, act like nothing happened */
++      msr     ttbr1_el1, swapper_ttb
++      isb
++      ret
++
++      .unreq  cpu
++      .unreq  num_cpus
++      .unreq  swapper_pa
++      .unreq  swapper_ttb
++      .unreq  flag_ptr
++      .unreq  cur_pgdp
++      .unreq  end_pgdp
++      .unreq  pgd
++      .unreq  cur_pudp
++      .unreq  end_pudp
++      .unreq  pud
++      .unreq  cur_pmdp
++      .unreq  end_pmdp
++      .unreq  pmd
++      .unreq  cur_ptep
++      .unreq  end_ptep
++      .unreq  pte
++ENDPROC(idmap_kpti_install_ng_mappings)
++      .popsection
++#endif
++
+ /*
+  *    __cpu_setup
+  *
+  *    Initialise the processor for turning the MMU on.  Return in x0 the
+  *    value of the SCTLR_EL1 register.
+  */
+-      .pushsection ".idmap.text", "ax"
++      .pushsection ".idmap.text", "awx"
+ ENTRY(__cpu_setup)
+       tlbi    vmalle1                         // Invalidate local TLB
+       dsb     nsh
+@@ -222,7 +412,7 @@ ENTRY(__cpu_setup)
+        * both user and kernel.
+        */
+       ldr     x10, =TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \
+-                      TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0
++                      TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0 | TCR_A1
+       tcr_set_idmap_t0sz      x10, x9
+ 
+       /*
+diff --git a/arch/frv/include/asm/timex.h b/arch/frv/include/asm/timex.h
+index a89bddefdacf..139093fab326 100644
+--- a/arch/frv/include/asm/timex.h
++++ b/arch/frv/include/asm/timex.h
+@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void)
+ #define vxtime_lock()         do {} while (0)
+ #define vxtime_unlock()               do {} while (0)
+ 
++/* This attribute is used in include/linux/jiffies.h alongside with
++ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp
++ * for frv does not contain another section specification.
++ */
++#define __jiffy_arch_data     __attribute__((__section__(".data")))
++
+ #endif
+ 
+diff --git a/arch/powerpc/kernel/exceptions-64s.S 
b/arch/powerpc/kernel/exceptions-64s.S
+index 7614d1dd2c0b..94b5dfb087e9 100644
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -723,7 +723,7 @@ EXC_COMMON_BEGIN(bad_addr_slb)
+       ld      r3, PACA_EXSLB+EX_DAR(r13)
+       std     r3, _DAR(r1)
+       beq     cr6, 2f
+-      li      r10, 0x480              /* fix trap number for I-SLB miss */
++      li      r10, 0x481              /* fix trap number for I-SLB miss */
+       std     r10, _TRAP(r1)
+ 2:    bl      save_nvgprs
+       addi    r3, r1, STACK_FRAME_OVERHEAD
+diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
+index 028a22bfa90c..ad713f741ca8 100644
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -372,6 +372,14 @@ void force_external_irq_replay(void)
+        */
+       WARN_ON(!arch_irqs_disabled());
+ 
++      /*
++       * Interrupts must always be hard disabled before irq_happened is
++       * modified (to prevent lost update in case of interrupt between
++       * load and store).
++       */
++      __hard_irq_disable();
++      local_paca->irq_happened |= PACA_IRQ_HARD_DIS;
++
+       /* Indicate in the PACA that we have an interrupt to replay */
+       local_paca->irq_happened |= PACA_IRQ_EE;
+ }
+diff --git a/arch/x86/crypto/cast5_avx_glue.c 
b/arch/x86/crypto/cast5_avx_glue.c
+index 8648158f3916..f8fe11d24cde 100644
+--- a/arch/x86/crypto/cast5_avx_glue.c
++++ b/arch/x86/crypto/cast5_avx_glue.c
+@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct 
blkcipher_walk *walk,
+       void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
+       int err;
+ 
+-      fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
+-
+       err = blkcipher_walk_virt(desc, walk);
+       desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+ 
+@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct 
blkcipher_walk *walk,
+ 
+               /* Process multi-block batch */
+               if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
++                      fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
+                       do {
+                               fn(ctx, wdst, wsrc);
+ 
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index b8d3f1b60331..91c48cdfe81f 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -51,6 +51,7 @@
+ #include <linux/ftrace.h>
+ #include <linux/frame.h>
+ #include <linux/kasan.h>
++#include <linux/moduleloader.h>
+ 
+ #include <asm/text-patching.h>
+ #include <asm/cacheflush.h>
+@@ -405,6 +406,14 @@ int __copy_instruction(u8 *dest, u8 *src)
+       return length;
+ }
+ 
++/* Recover page to RW mode before releasing it */
++void free_insn_page(void *page)
++{
++      set_memory_nx((unsigned long)page & PAGE_MASK, 1);
++      set_memory_rw((unsigned long)page & PAGE_MASK, 1);
++      module_memfree(page);
++}
++
+ static int arch_copy_kprobe(struct kprobe *p)
+ {
+       int ret;
+diff --git a/block/bio.c b/block/bio.c
+index 07f287b14cff..4f93345c6a82 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -42,9 +42,9 @@
+  * break badly! cannot be bigger than what you can fit into an
+  * unsigned short
+  */
+-#define BV(x) { .nr_vecs = x, .name = "biovec-"__stringify(x) }
++#define BV(x, n) { .nr_vecs = x, .name = "biovec-"#n }
+ static struct biovec_slab bvec_slabs[BVEC_POOL_NR] __read_mostly = {
+-      BV(1), BV(4), BV(16), BV(64), BV(128), BV(BIO_MAX_PAGES),
++      BV(1, 1), BV(4, 4), BV(16, 16), BV(64, 64), BV(128, 128), 
BV(BIO_MAX_PAGES, max),
+ };
+ #undef BV
+ 
+diff --git a/block/partitions/msdos.c b/block/partitions/msdos.c
+index 5610cd537da7..7d8d50c11ce7 100644
+--- a/block/partitions/msdos.c
++++ b/block/partitions/msdos.c
+@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_partitions *state,
+                       continue;
+               bsd_start = le32_to_cpu(p->p_offset);
+               bsd_size = le32_to_cpu(p->p_size);
+-              if (memcmp(flavour, "bsd\0", 4) == 0)
++              /* FreeBSD has relative offset if C partition offset is zero */
++              if (memcmp(flavour, "bsd\0", 4) == 0 &&
++                  le32_to_cpu(l->d_partitions[2].p_offset) == 0)
+                       bsd_start += offset;
+               if (offset == bsd_start && size == bsd_size)
+                       /* full parent partition, we have it already */
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 14402ef6d826..90d73a22f129 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, 
int err)
+ 
+       if (nbytes && walk->offset & alignmask && !err) {
+               walk->offset = ALIGN(walk->offset, alignmask + 1);
+-              walk->data += walk->offset;
+-
+               nbytes = min(nbytes,
+                            ((unsigned int)(PAGE_SIZE)) - walk->offset);
+               walk->entrylen -= nbytes;
+ 
+-              return nbytes;
++              if (nbytes) {
++                      walk->data += walk->offset;
++                      return nbytes;
++              }
+       }
+ 
+       if (walk->flags & CRYPTO_ALG_ASYNC)
+diff --git a/drivers/block/mtip32xx/mtip32xx.c 
b/drivers/block/mtip32xx/mtip32xx.c
+index b86273fdf48e..3cfd879267b2 100644
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -169,25 +169,6 @@ static bool mtip_check_surprise_removal(struct pci_dev 
*pdev)
+       return false; /* device present */
+ }
+ 
+-/* we have to use runtime tag to setup command header */
+-static void mtip_init_cmd_header(struct request *rq)
+-{
+-      struct driver_data *dd = rq->q->queuedata;
+-      struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
+-      u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
+-
+-      /* Point the command headers at the command tables. */
+-      cmd->command_header = dd->port->command_list +
+-                              (sizeof(struct mtip_cmd_hdr) * rq->tag);
+-      cmd->command_header_dma = dd->port->command_list_dma +
+-                              (sizeof(struct mtip_cmd_hdr) * rq->tag);
+-
+-      if (host_cap_64)
+-              cmd->command_header->ctbau = __force_bit2int 
cpu_to_le32((cmd->command_dma >> 16) >> 16);
+-
+-      cmd->command_header->ctba = __force_bit2int 
cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
+-}
+-
+ static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd)
+ {
+       struct request *rq;
+@@ -199,9 +180,6 @@ static struct mtip_cmd *mtip_get_int_command(struct 
driver_data *dd)
+       if (IS_ERR(rq))
+               return NULL;
+ 
+-      /* Internal cmd isn't submitted via .queue_rq */
+-      mtip_init_cmd_header(rq);
+-
+       return blk_mq_rq_to_pdu(rq);
+ }
+ 
+@@ -3833,8 +3811,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx,
+       struct request *rq = bd->rq;
+       int ret;
+ 
+-      mtip_init_cmd_header(rq);
+-
+       if (unlikely(mtip_check_unal_depth(hctx, rq)))
+               return BLK_MQ_RQ_QUEUE_BUSY;
+ 
+@@ -3866,6 +3842,7 @@ static int mtip_init_cmd(void *data, struct request *rq, 
unsigned int hctx_idx,
+ {
+       struct driver_data *dd = data;
+       struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
++      u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64;
+ 
+       /*
+        * For flush requests, request_idx starts at the end of the
+@@ -3882,6 +3859,17 @@ static int mtip_init_cmd(void *data, struct request 
*rq, unsigned int hctx_idx,
+ 
+       memset(cmd->command, 0, CMD_DMA_ALLOC_SZ);
+ 
++      /* Point the command headers at the command tables. */
++      cmd->command_header = dd->port->command_list +
++                              (sizeof(struct mtip_cmd_hdr) * request_idx);
++      cmd->command_header_dma = dd->port->command_list_dma +
++                              (sizeof(struct mtip_cmd_hdr) * request_idx);
++
++      if (host_cap_64)
++              cmd->command_header->ctbau = __force_bit2int 
cpu_to_le32((cmd->command_dma >> 16) >> 16);
++
++      cmd->command_header->ctba = __force_bit2int 
cpu_to_le32(cmd->command_dma & 0xFFFFFFFF);
++
+       sg_init_table(cmd->sg, MTIP_MAX_SG);
+       return 0;
+ }
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index b0bb99a821bd..1b1dccd37fbd 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -1056,7 +1056,6 @@ struct sony_sc {
+       u8 battery_charging;
+       u8 battery_capacity;
+       u8 led_state[MAX_LEDS];
+-      u8 resume_led_state[MAX_LEDS];
+       u8 led_delay_on[MAX_LEDS];
+       u8 led_delay_off[MAX_LEDS];
+       u8 led_count;
+@@ -1793,6 +1792,7 @@ static int sony_leds_init(struct sony_sc *sc)
+               led->name = name;
+               led->brightness = sc->led_state[n];
+               led->max_brightness = max_brightness[n];
++              led->flags = LED_CORE_SUSPENDRESUME;
+               led->brightness_get = sony_led_get_brightness;
+               led->brightness_set = sony_led_set_brightness;
+ 
+@@ -2509,47 +2509,32 @@ static void sony_remove(struct hid_device *hdev)
+ 
+ static int sony_suspend(struct hid_device *hdev, pm_message_t message)
+ {
+-      /*
+-       * On suspend save the current LED state,
+-       * stop running force-feedback and blank the LEDS.
+-       */
+-      if (SONY_LED_SUPPORT || SONY_FF_SUPPORT) {
+-              struct sony_sc *sc = hid_get_drvdata(hdev);
+-
+ #ifdef CONFIG_SONY_FF
+-              sc->left = sc->right = 0;
+-#endif
+ 
+-              memcpy(sc->resume_led_state, sc->led_state,
+-                      sizeof(sc->resume_led_state));
+-              memset(sc->led_state, 0, sizeof(sc->led_state));
++      /* On suspend stop any running force-feedback events */
++      if (SONY_FF_SUPPORT) {
++              struct sony_sc *sc = hid_get_drvdata(hdev);
+ 
++              sc->left = sc->right = 0;
+               sony_send_output_report(sc);
+       }
+ 
++#endif
+       return 0;
+ }
+ 
+ static int sony_resume(struct hid_device *hdev)
+ {
+-      /* Restore the state of controller LEDs on resume */
+-      if (SONY_LED_SUPPORT) {
+-              struct sony_sc *sc = hid_get_drvdata(hdev);
+-
+-              memcpy(sc->led_state, sc->resume_led_state,
+-                      sizeof(sc->led_state));
+-
+-              /*
+-               * The Sixaxis and navigation controllers on USB need to be
+-               * reinitialized on resume or they won't behave properly.
+-               */
+-              if ((sc->quirks & SIXAXIS_CONTROLLER_USB) ||
+-                      (sc->quirks & NAVIGATION_CONTROLLER_USB)) {
+-                      sixaxis_set_operational_usb(sc->hdev);
+-                      sc->defer_initialization = 1;
+-              }
++      struct sony_sc *sc = hid_get_drvdata(hdev);
+ 
+-              sony_set_leds(sc);
++      /*
++       * The Sixaxis and navigation controllers on USB need to be
++       * reinitialized on resume or they won't behave properly.
++       */
++      if ((sc->quirks & SIXAXIS_CONTROLLER_USB) ||
++              (sc->quirks & NAVIGATION_CONTROLLER_USB)) {
++              sixaxis_set_operational_usb(sc->hdev);
++              sc->defer_initialization = 1;
+       }
+ 
+       return 0;
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index fb4ce0394ac7..978b8d94f9a4 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -209,6 +209,22 @@ int rdma_addr_size(struct sockaddr *addr)
+ }
+ EXPORT_SYMBOL(rdma_addr_size);
+ 
++int rdma_addr_size_in6(struct sockaddr_in6 *addr)
++{
++      int ret = rdma_addr_size((struct sockaddr *) addr);
++
++      return ret <= sizeof(*addr) ? ret : 0;
++}
++EXPORT_SYMBOL(rdma_addr_size_in6);
++
++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
++{
++      int ret = rdma_addr_size((struct sockaddr *) addr);
++
++      return ret <= sizeof(*addr) ? ret : 0;
++}
++EXPORT_SYMBOL(rdma_addr_size_kss);
++
+ static struct rdma_addr_client self;
+ 
+ void rdma_addr_register_client(struct rdma_addr_client *client)
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 017a09ceba3f..4d732810f6fc 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -132,7 +132,7 @@ static inline struct ucma_context *_ucma_find_context(int 
id,
+       ctx = idr_find(&ctx_idr, id);
+       if (!ctx)
+               ctx = ERR_PTR(-ENOENT);
+-      else if (ctx->file != file)
++      else if (ctx->file != file || !ctx->cm_id)
+               ctx = ERR_PTR(-EINVAL);
+       return ctx;
+ }
+@@ -454,6 +454,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
const char __user *inbuf,
+       struct rdma_ucm_create_id cmd;
+       struct rdma_ucm_create_id_resp resp;
+       struct ucma_context *ctx;
++      struct rdma_cm_id *cm_id;
+       enum ib_qp_type qp_type;
+       int ret;
+ 
+@@ -474,10 +475,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
const char __user *inbuf,
+               return -ENOMEM;
+ 
+       ctx->uid = cmd.uid;
+-      ctx->cm_id = rdma_create_id(current->nsproxy->net_ns,
+-                                  ucma_event_handler, ctx, cmd.ps, qp_type);
+-      if (IS_ERR(ctx->cm_id)) {
+-              ret = PTR_ERR(ctx->cm_id);
++      cm_id = rdma_create_id(current->nsproxy->net_ns,
++                             ucma_event_handler, ctx, cmd.ps, qp_type);
++      if (IS_ERR(cm_id)) {
++              ret = PTR_ERR(cm_id);
+               goto err1;
+       }
+ 
+@@ -487,14 +488,19 @@ static ssize_t ucma_create_id(struct ucma_file *file, 
const char __user *inbuf,
+               ret = -EFAULT;
+               goto err2;
+       }
++
++      ctx->cm_id = cm_id;
+       return 0;
+ 
+ err2:
+-      rdma_destroy_id(ctx->cm_id);
++      rdma_destroy_id(cm_id);
+ err1:
+       mutex_lock(&mut);
+       idr_remove(&ctx_idr, ctx->id);
+       mutex_unlock(&mut);
++      mutex_lock(&file->mut);
++      list_del(&ctx->list);
++      mutex_unlock(&file->mut);
+       kfree(ctx);
+       return ret;
+ }
+@@ -624,6 +630,9 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const 
char __user *inbuf,
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+ 
++      if (!rdma_addr_size_in6(&cmd.addr))
++              return -EINVAL;
++
+       ctx = ucma_get_ctx(file, cmd.id);
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+@@ -637,22 +646,21 @@ static ssize_t ucma_bind(struct ucma_file *file, const 
char __user *inbuf,
+                        int in_len, int out_len)
+ {
+       struct rdma_ucm_bind cmd;
+-      struct sockaddr *addr;
+       struct ucma_context *ctx;
+       int ret;
+ 
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+ 
+-      addr = (struct sockaddr *) &cmd.addr;
+-      if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != 
rdma_addr_size(addr)))
++      if (cmd.reserved || !cmd.addr_size ||
++          cmd.addr_size != rdma_addr_size_kss(&cmd.addr))
+               return -EINVAL;
+ 
+       ctx = ucma_get_ctx(file, cmd.id);
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+ 
+-      ret = rdma_bind_addr(ctx->cm_id, addr);
++      ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
+       ucma_put_ctx(ctx);
+       return ret;
+ }
+@@ -668,13 +676,16 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file,
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+ 
++      if (!rdma_addr_size_in6(&cmd.src_addr) ||
++          !rdma_addr_size_in6(&cmd.dst_addr))
++              return -EINVAL;
++
+       ctx = ucma_get_ctx(file, cmd.id);
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+ 
+       ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+-                              (struct sockaddr *) &cmd.dst_addr,
+-                              cmd.timeout_ms);
++                              (struct sockaddr *) &cmd.dst_addr, 
cmd.timeout_ms);
+       ucma_put_ctx(ctx);
+       return ret;
+ }
+@@ -684,24 +695,23 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file,
+                                int in_len, int out_len)
+ {
+       struct rdma_ucm_resolve_addr cmd;
+-      struct sockaddr *src, *dst;
+       struct ucma_context *ctx;
+       int ret;
+ 
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+ 
+-      src = (struct sockaddr *) &cmd.src_addr;
+-      dst = (struct sockaddr *) &cmd.dst_addr;
+-      if (cmd.reserved || (cmd.src_size && (cmd.src_size != 
rdma_addr_size(src))) ||
+-          !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
++      if (cmd.reserved ||
++          (cmd.src_size && (cmd.src_size != 
rdma_addr_size_kss(&cmd.src_addr))) ||
++          !cmd.dst_size || (cmd.dst_size != 
rdma_addr_size_kss(&cmd.dst_addr)))
+               return -EINVAL;
+ 
+       ctx = ucma_get_ctx(file, cmd.id);
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+ 
+-      ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
++      ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
++                              (struct sockaddr *) &cmd.dst_addr, 
cmd.timeout_ms);
+       ucma_put_ctx(ctx);
+       return ret;
+ }
+@@ -1146,6 +1156,11 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+ 
++      if (!ctx->cm_id->device) {
++              ret = -EINVAL;
++              goto out;
++      }
++
+       resp.qp_attr_mask = 0;
+       memset(&qp_attr, 0, sizeof qp_attr);
+       qp_attr.qp_state = cmd.qp_state;
+@@ -1302,7 +1317,7 @@ static ssize_t ucma_notify(struct ucma_file *file, const 
char __user *inbuf,
+ {
+       struct rdma_ucm_notify cmd;
+       struct ucma_context *ctx;
+-      int ret;
++      int ret = -EINVAL;
+ 
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+@@ -1311,7 +1326,9 @@ static ssize_t ucma_notify(struct ucma_file *file, const 
char __user *inbuf,
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+ 
+-      ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
++      if (ctx->cm_id->device)
++              ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
++
+       ucma_put_ctx(ctx);
+       return ret;
+ }
+@@ -1397,7 +1414,7 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file 
*file,
+       join_cmd.response = cmd.response;
+       join_cmd.uid = cmd.uid;
+       join_cmd.id = cmd.id;
+-      join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
++      join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr);
+       if (!join_cmd.addr_size)
+               return -EINVAL;
+ 
+@@ -1416,7 +1433,7 @@ static ssize_t ucma_join_multicast(struct ucma_file 
*file,
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+ 
+-      if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
++      if (!rdma_addr_size_kss(&cmd.addr))
+               return -EINVAL;
+ 
+       return ucma_process_join(file, &cmd, out_len);
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index af83d2e34913..a8a96def0ba2 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2538,13 +2538,31 @@ static int alps_update_btn_info_ss4_v2(unsigned char 
otp[][4],
+ }
+ 
+ static int alps_update_dual_info_ss4_v2(unsigned char otp[][4],
+-                                     struct alps_data *priv)
++                                      struct alps_data *priv,
++                                      struct psmouse *psmouse)
+ {
+       bool is_dual = false;
++      int reg_val = 0;
++      struct ps2dev *ps2dev = &psmouse->ps2dev;
+ 
+-      if (IS_SS4PLUS_DEV(priv->dev_id))
++      if (IS_SS4PLUS_DEV(priv->dev_id)) {
+               is_dual = (otp[0][0] >> 4) & 0x01;
+ 
++              if (!is_dual) {
++                      /* For support TrackStick of Thinkpad L/E series */
++                      if (alps_exit_command_mode(psmouse) == 0 &&
++                              alps_enter_command_mode(psmouse) == 0) {
++                              reg_val = alps_command_mode_read_reg(psmouse,
++                                                                      0xD7);
++                      }
++                      alps_exit_command_mode(psmouse);
++                      ps2_command(ps2dev, NULL, PSMOUSE_CMD_ENABLE);
++
++                      if (reg_val == 0x0C || reg_val == 0x1D)
++                              is_dual = true;
++              }
++      }
++
+       if (is_dual)
+               priv->flags |= ALPS_DUALPOINT |
+                                       ALPS_DUALPOINT_WITH_PRESSURE;
+@@ -2567,7 +2585,7 @@ static int alps_set_defaults_ss4_v2(struct psmouse 
*psmouse,
+ 
+       alps_update_btn_info_ss4_v2(otp, priv);
+ 
+-      alps_update_dual_info_ss4_v2(otp, priv);
++      alps_update_dual_info_ss4_v2(otp, priv, psmouse);
+ 
+       return 0;
+ }
+diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
+index b604564dec5c..30328e57fdda 100644
+--- a/drivers/input/mousedev.c
++++ b/drivers/input/mousedev.c
+@@ -15,6 +15,7 @@
+ #define MOUSEDEV_MINORS               31
+ #define MOUSEDEV_MIX          63
+ 
++#include <linux/bitops.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/poll.h>
+@@ -103,7 +104,7 @@ struct mousedev_client {
+       spinlock_t packet_lock;
+       int pos_x, pos_y;
+ 
+-      signed char ps2[6];
++      u8 ps2[6];
+       unsigned char ready, buffer, bufsiz;
+       unsigned char imexseq, impsseq;
+       enum mousedev_emul mode;
+@@ -291,11 +292,10 @@ static void mousedev_notify_readers(struct mousedev 
*mousedev,
+               }
+ 
+               client->pos_x += packet->dx;
+-              client->pos_x = client->pos_x < 0 ?
+-                      0 : (client->pos_x >= xres ? xres : client->pos_x);
++              client->pos_x = clamp_val(client->pos_x, 0, xres);
++
+               client->pos_y += packet->dy;
+-              client->pos_y = client->pos_y < 0 ?
+-                      0 : (client->pos_y >= yres ? yres : client->pos_y);
++              client->pos_y = clamp_val(client->pos_y, 0, yres);
+ 
+               p->dx += packet->dx;
+               p->dy += packet->dy;
+@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *inode, struct 
file *file)
+       return error;
+ }
+ 
+-static inline int mousedev_limit_delta(int delta, int limit)
+-{
+-      return delta > limit ? limit : (delta < -limit ? -limit : delta);
+-}
+-
+-static void mousedev_packet(struct mousedev_client *client,
+-                          signed char *ps2_data)
++static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data)
+ {
+       struct mousedev_motion *p = &client->packets[client->tail];
++      s8 dx, dy, dz;
++
++      dx = clamp_val(p->dx, -127, 127);
++      p->dx -= dx;
++
++      dy = clamp_val(p->dy, -127, 127);
++      p->dy -= dy;
+ 
+-      ps2_data[0] = 0x08 |
+-              ((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07);
+-      ps2_data[1] = mousedev_limit_delta(p->dx, 127);
+-      ps2_data[2] = mousedev_limit_delta(p->dy, 127);
+-      p->dx -= ps2_data[1];
+-      p->dy -= ps2_data[2];
++      ps2_data[0] = BIT(3);
++      ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2);
++      ps2_data[0] |= p->buttons & 0x07;
++      ps2_data[1] = dx;
++      ps2_data[2] = dy;
+ 
+       switch (client->mode) {
+       case MOUSEDEV_EMUL_EXPS:
+-              ps2_data[3] = mousedev_limit_delta(p->dz, 7);
+-              p->dz -= ps2_data[3];
+-              ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1);
++              dz = clamp_val(p->dz, -7, 7);
++              p->dz -= dz;
++
++              ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1);
+               client->bufsiz = 4;
+               break;
+ 
+       case MOUSEDEV_EMUL_IMPS:
+-              ps2_data[0] |=
+-                      ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
+-              ps2_data[3] = mousedev_limit_delta(p->dz, 127);
+-              p->dz -= ps2_data[3];
++              dz = clamp_val(p->dz, -127, 127);
++              p->dz -= dz;
++
++              ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
++                             ((p->buttons & 0x08) >> 1);
++              ps2_data[3] = dz;
++
+               client->bufsiz = 4;
+               break;
+ 
+       case MOUSEDEV_EMUL_PS2:
+       default:
+-              ps2_data[0] |=
+-                      ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
+               p->dz = 0;
++
++              ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
++                             ((p->buttons & 0x08) >> 1);
++
+               client->bufsiz = 3;
+               break;
+       }
+@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file *file, char 
__user *buffer,
+ {
+       struct mousedev_client *client = file->private_data;
+       struct mousedev *mousedev = client->mousedev;
+-      signed char data[sizeof(client->ps2)];
++      u8 data[sizeof(client->ps2)];
+       int retval = 0;
+ 
+       if (!client->ready && !client->buffer && mousedev->exist &&
+diff --git a/drivers/input/serio/i8042-x86ia64io.h 
b/drivers/input/serio/i8042-x86ia64io.h
+index d1051e3ce819..e484ea2dc787 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -530,6 +530,20 @@ static const struct dmi_system_id __initconst 
i8042_dmi_nomux_table[] = {
+       { }
+ };
+ 
++static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = {
++      {
++              /*
++               * Sony Vaio VGN-CS series require MUX or the touch sensor
++               * buttons will disturb touchpad operation
++               */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"),
++              },
++      },
++      { }
++};
++
+ /*
+  * On some Asus laptops, just running self tests cause problems.
+  */
+@@ -692,6 +706,13 @@ static const struct dmi_system_id __initconst 
i8042_dmi_reset_table[] = {
+                       DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
+               },
+       },
++      {
++              /* Lenovo ThinkPad L460 */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"),
++              },
++      },
+       {
+               /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
+               .matches = {
+@@ -1223,6 +1244,9 @@ static int __init i8042_platform_init(void)
+       if (dmi_check_system(i8042_dmi_nomux_table))
+               i8042_nomux = true;
+ 
++      if (dmi_check_system(i8042_dmi_forcemux_table))
++              i8042_nomux = false;
++
+       if (dmi_check_system(i8042_dmi_notimeout_table))
+               i8042_notimeout = true;
+ 
+diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
+index a68c650aad11..b67414b5a64e 100644
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -1777,12 +1777,12 @@ static int validate_params(uint cmd, struct dm_ioctl 
*param)
+           cmd == DM_LIST_VERSIONS_CMD)
+               return 0;
+ 
+-      if ((cmd == DM_DEV_CREATE_CMD)) {
++      if (cmd == DM_DEV_CREATE_CMD) {
+               if (!*param->name) {
+                       DMWARN("name not supplied when creating device");
+                       return -EINVAL;
+               }
+-      } else if ((*param->uuid && *param->name)) {
++      } else if (*param->uuid && *param->name) {
+               DMWARN("only supply one of name or uuid, cmd(%u)", cmd);
+               return -EINVAL;
+       }
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 18a4271bf569..6a7b9b1dcfe3 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -3681,6 +3681,7 @@ static int raid10_run(struct mddev *mddev)
+ 
+               if (blk_queue_discard(bdev_get_queue(rdev->bdev)))
+                       discard_supported = true;
++              first = 0;
+       }
+ 
+       if (mddev->queue) {
+diff --git a/drivers/media/usb/usbtv/usbtv-core.c 
b/drivers/media/usb/usbtv/usbtv-core.c
+index 0324633ede42..e56a49a5e8b1 100644
+--- a/drivers/media/usb/usbtv/usbtv-core.c
++++ b/drivers/media/usb/usbtv/usbtv-core.c
+@@ -109,6 +109,8 @@ static int usbtv_probe(struct usb_interface *intf,
+       return 0;
+ 
+ usbtv_audio_fail:
++      /* we must not free at this point */
++      usb_get_dev(usbtv->udev);
+       usbtv_video_free(usbtv);
+ 
+ usbtv_video_fail:
+diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
+index 41f318631c6d..60f5a8ded8dd 100644
+--- a/drivers/misc/mei/main.c
++++ b/drivers/misc/mei/main.c
+@@ -551,7 +551,6 @@ static long mei_ioctl(struct file *file, unsigned int cmd, 
unsigned long data)
+               break;
+ 
+       default:
+-              dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
+               rets = -ENOIOCTLCMD;
+       }
+ 
+diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c
+index 7c0b27d132b1..b479bd81120b 100644
+--- a/drivers/mtd/chips/jedec_probe.c
++++ b/drivers/mtd/chips/jedec_probe.c
+@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, 
uint32_t base,
+       do {
+               uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
+               mask = (1 << (cfi->device_type * 8)) - 1;
++              if (ofs >= map->size)
++                      return 0;
+               result = map_read(map, base + ofs);
+               bank++;
+       } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
+diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c 
b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+index 651f308cdc60..fca2e428cd86 100644
+--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+@@ -1680,6 +1680,30 @@ static void xgene_enet_napi_add(struct xgene_enet_pdata 
*pdata)
+       }
+ }
+ 
++#ifdef CONFIG_ACPI
++static const struct acpi_device_id xgene_enet_acpi_match[] = {
++      { "APMC0D05", XGENE_ENET1},
++      { "APMC0D30", XGENE_ENET1},
++      { "APMC0D31", XGENE_ENET1},
++      { "APMC0D3F", XGENE_ENET1},
++      { "APMC0D26", XGENE_ENET2},
++      { "APMC0D25", XGENE_ENET2},
++      { }
++};
++MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match);
++#endif
++
++static const struct of_device_id xgene_enet_of_match[] = {
++      {.compatible = "apm,xgene-enet",    .data = (void *)XGENE_ENET1},
++      {.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1},
++      {.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1},
++      {.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2},
++      {.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2},
++      {},
++};
++
++MODULE_DEVICE_TABLE(of, xgene_enet_of_match);
++
+ static int xgene_enet_probe(struct platform_device *pdev)
+ {
+       struct net_device *ndev;
+@@ -1826,32 +1850,6 @@ static void xgene_enet_shutdown(struct platform_device 
*pdev)
+       xgene_enet_remove(pdev);
+ }
+ 
+-#ifdef CONFIG_ACPI
+-static const struct acpi_device_id xgene_enet_acpi_match[] = {
+-      { "APMC0D05", XGENE_ENET1},
+-      { "APMC0D30", XGENE_ENET1},
+-      { "APMC0D31", XGENE_ENET1},
+-      { "APMC0D3F", XGENE_ENET1},
+-      { "APMC0D26", XGENE_ENET2},
+-      { "APMC0D25", XGENE_ENET2},
+-      { }
+-};
+-MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match);
+-#endif
+-
+-#ifdef CONFIG_OF
+-static const struct of_device_id xgene_enet_of_match[] = {
+-      {.compatible = "apm,xgene-enet",    .data = (void *)XGENE_ENET1},
+-      {.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1},
+-      {.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1},
+-      {.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2},
+-      {.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2},
+-      {},
+-};
+-
+-MODULE_DEVICE_TABLE(of, xgene_enet_of_match);
+-#endif
+-
+ static struct platform_driver xgene_enet_driver = {
+       .driver = {
+                  .name = "xgene-enet",
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c 
b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+index 34b5e699a1d5..02a03bccde7b 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+@@ -671,7 +671,7 @@ static void hns_gmac_get_strings(u32 stringset, u8 *data)
+ 
+ static int hns_gmac_get_sset_count(int stringset)
+ {
+-      if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
++      if (stringset == ETH_SS_STATS)
+               return ARRAY_SIZE(g_gmac_stats_string);
+ 
+       return 0;
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c 
b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+index 4ecb809785f9..6ea872287307 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe_cb *ppe_cb)
+ 
+ int hns_ppe_get_sset_count(int stringset)
+ {
+-      if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
++      if (stringset == ETH_SS_STATS)
+               return ETH_PPE_STATIC_NUM;
+       return 0;
+ }
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c 
b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+index fbbbbffd58dc..f3be9ac47bfb 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+@@ -798,7 +798,7 @@ void hns_rcb_get_stats(struct hnae_queue *queue, u64 *data)
+  */
+ int hns_rcb_get_ring_sset_count(int stringset)
+ {
+-      if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
++      if (stringset == ETH_SS_STATS)
+               return HNS_RING_STATIC_REG_NUM;
+ 
+       return 0;
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c 
b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+index 86a496d71995..6be0cae44e9b 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+@@ -1017,8 +1017,10 @@ int hns_get_sset_count(struct net_device *netdev, int 
stringset)
+                       cnt--;
+ 
+               return cnt;
+-      } else {
++      } else if (stringset == ETH_SS_STATS) {
+               return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset));
++      } else {
++              return -EOPNOTSUPP;
+       }
+ }
+ 
+diff --git a/drivers/net/phy/mdio-xgene.c b/drivers/net/phy/mdio-xgene.c
+index 39be3b82608f..20fbcc9c4687 100644
+--- a/drivers/net/phy/mdio-xgene.c
++++ b/drivers/net/phy/mdio-xgene.c
+@@ -314,6 +314,30 @@ static acpi_status acpi_register_phy(acpi_handle handle, 
u32 lvl,
+ }
+ #endif
+ 
++static const struct of_device_id xgene_mdio_of_match[] = {
++      {
++              .compatible = "apm,xgene-mdio-rgmii",
++              .data = (void *)XGENE_MDIO_RGMII
++      },
++      {
++              .compatible = "apm,xgene-mdio-xfi",
++              .data = (void *)XGENE_MDIO_XFI
++      },
++      {},
++};
++MODULE_DEVICE_TABLE(of, xgene_mdio_of_match);
++
++#ifdef CONFIG_ACPI
++static const struct acpi_device_id xgene_mdio_acpi_match[] = {
++      { "APMC0D65", XGENE_MDIO_RGMII },
++      { "APMC0D66", XGENE_MDIO_XFI },
++      { }
++};
++
++MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match);
++#endif
++
++
+ static int xgene_mdio_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+@@ -439,32 +463,6 @@ static int xgene_mdio_remove(struct platform_device *pdev)
+       return 0;
+ }
+ 
+-#ifdef CONFIG_OF
+-static const struct of_device_id xgene_mdio_of_match[] = {
+-      {
+-              .compatible = "apm,xgene-mdio-rgmii",
+-              .data = (void *)XGENE_MDIO_RGMII
+-      },
+-      {
+-              .compatible = "apm,xgene-mdio-xfi",
+-              .data = (void *)XGENE_MDIO_XFI
+-      },
+-      {},
+-};
+-
+-MODULE_DEVICE_TABLE(of, xgene_mdio_of_match);
+-#endif
+-
+-#ifdef CONFIG_ACPI
+-static const struct acpi_device_id xgene_mdio_acpi_match[] = {
+-      { "APMC0D65", XGENE_MDIO_RGMII },
+-      { "APMC0D66", XGENE_MDIO_XFI },
+-      { }
+-};
+-
+-MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match);
+-#endif
+-
+ static struct platform_driver xgene_mdio_driver = {
+       .driver = {
+               .name = "xgene-mdio",
+diff --git a/drivers/net/phy/mdio-xgene.h b/drivers/net/phy/mdio-xgene.h
+index 354241b53c1d..594a11d42401 100644
+--- a/drivers/net/phy/mdio-xgene.h
++++ b/drivers/net/phy/mdio-xgene.h
+@@ -132,10 +132,6 @@ static inline u64 xgene_enet_get_field_value(int pos, int 
len, u64 src)
+ #define GET_BIT(field, src) \
+               xgene_enet_get_field_value(field ## _POS, 1, src)
+ 
+-static const struct of_device_id xgene_mdio_of_match[];
+-#ifdef CONFIG_ACPI
+-static const struct acpi_device_id xgene_mdio_acpi_match[];
+-#endif
+ int xgene_mdio_rgmii_read(struct mii_bus *bus, int phy_id, int reg);
+ int xgene_mdio_rgmii_write(struct mii_bus *bus, int phy_id, int reg, u16 
data);
+ struct phy_device *xgene_enet_phy_register(struct mii_bus *bus, int phy_addr);
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index 78530d1714dc..bdce0679674c 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards {
+       netmos_9901,
+       netmos_9865,
+       quatech_sppxp100,
++      wch_ch382l,
+ };
+ 
+ 
+@@ -2708,6 +2709,7 @@ static struct parport_pc_pci {
+       /* netmos_9901 */               { 1, { { 0, -1 }, } },
+       /* netmos_9865 */               { 1, { { 0, -1 }, } },
+       /* quatech_sppxp100 */          { 1, { { 0, 1 }, } },
++      /* wch_ch382l */                { 1, { { 2, -1 }, } },
+ };
+ 
+ static const struct pci_device_id parport_pc_pci_tbl[] = {
+@@ -2797,6 +2799,8 @@ static const struct pci_device_id parport_pc_pci_tbl[] = 
{
+       /* Quatech SPPXP-100 Parallel port PCI ExpressCard */
+       { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100,
+         PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 },
++      /* WCH CH382L PCI-E single parallel port card */
++      { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l },
+       { 0, } /* terminate list */
+ };
+ MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index a98be6db7e93..56340abe4fc6 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -231,7 +231,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type 
type,
+                       res->flags |= IORESOURCE_ROM_ENABLE;
+               l64 = l & PCI_ROM_ADDRESS_MASK;
+               sz64 = sz & PCI_ROM_ADDRESS_MASK;
+-              mask64 = (u32)PCI_ROM_ADDRESS_MASK;
++              mask64 = PCI_ROM_ADDRESS_MASK;
+       }
+ 
+       if (res->flags & IORESOURCE_MEM_64) {
+diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
+index 4bc589ee78d0..85774b7a316a 100644
+--- a/drivers/pci/setup-res.c
++++ b/drivers/pci/setup-res.c
+@@ -63,7 +63,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int 
resno)
+               mask = (u32)PCI_BASE_ADDRESS_IO_MASK;
+               new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK;
+       } else if (resno == PCI_ROM_RESOURCE) {
+-              mask = (u32)PCI_ROM_ADDRESS_MASK;
++              mask = PCI_ROM_ADDRESS_MASK;
+       } else {
+               mask = (u32)PCI_BASE_ADDRESS_MEM_MASK;
+               new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK;
+diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
+index 8f4adc1d9588..cbc8e9388268 100644
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -819,6 +819,7 @@ static struct scsi_host_template 
virtscsi_host_template_multi = {
+       .change_queue_depth = virtscsi_change_queue_depth,
+       .eh_abort_handler = virtscsi_abort,
+       .eh_device_reset_handler = virtscsi_device_reset,
++      .slave_alloc = virtscsi_device_alloc,
+ 
+       .can_queue = 1024,
+       .dma_boundary = UINT_MAX,
+diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig
+index 0e7415f6d093..b7995474148c 100644
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -156,7 +156,6 @@ config SPI_BCM63XX_HSSPI
+ config SPI_BCM_QSPI
+       tristate "Broadcom BSPI and MSPI controller support"
+       depends on ARCH_BRCMSTB || ARCH_BCM || ARCH_BCM_IPROC || COMPILE_TEST
+-      depends on MTD_NORFLASH
+       default ARCH_BCM_IPROC
+       help
+         Enables support for the Broadcom SPI flash and MSPI controller.
+diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c
+index 02fb96797ac8..0d8f43a17edb 100644
+--- a/drivers/spi/spi-davinci.c
++++ b/drivers/spi/spi-davinci.c
+@@ -646,7 +646,7 @@ static int davinci_spi_bufs(struct spi_device *spi, struct 
spi_transfer *t)
+                       buf = t->rx_buf;
+               t->rx_dma = dma_map_single(&spi->dev, buf,
+                               t->len, DMA_FROM_DEVICE);
+-              if (dma_mapping_error(&spi->dev, !t->rx_dma)) {
++              if (dma_mapping_error(&spi->dev, t->rx_dma)) {
+                       ret = -EFAULT;
+                       goto err_rx_map;
+               }
+diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c 
b/drivers/staging/comedi/drivers/ni_mio_common.c
+index a574885ffba9..18c5312f7886 100644
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -1284,6 +1284,8 @@ static void ack_a_interrupt(struct comedi_device *dev, 
unsigned short a_status)
+               ack |= NISTC_INTA_ACK_AI_START;
+       if (a_status & NISTC_AI_STATUS1_STOP)
+               ack |= NISTC_INTA_ACK_AI_STOP;
++      if (a_status & NISTC_AI_STATUS1_OVER)
++              ack |= NISTC_INTA_ACK_AI_ERR;
+       if (ack)
+               ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG);
+ }
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
+index 68c7bb0b7991..9e1ac58e269e 100644
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1354,6 +1354,11 @@ static void csi_m(struct vc_data *vc)
+               case 3:
+                       vc->vc_italic = 1;
+                       break;
++              case 21:
++                      /*
++                       * No console drivers support double underline, so
++                       * convert it to a single underline.
++                       */
+               case 4:
+                       vc->vc_underline = 1;
+                       break;
+@@ -1389,7 +1394,6 @@ static void csi_m(struct vc_data *vc)
+                       vc->vc_disp_ctrl = 1;
+                       vc->vc_toggle_meta = 1;
+                       break;
+-              case 21:
+               case 22:
+                       vc->vc_intensity = 1;
+                       break;
+diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
+index dfc0566bb155..919a32153060 100644
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -3220,7 +3220,6 @@ static void dwc2_conn_id_status_change(struct 
work_struct *work)
+               dwc2_core_init(hsotg, false);
+               dwc2_enable_global_interrupts(hsotg);
+               spin_lock_irqsave(&hsotg->lock, flags);
+-              dwc2_hsotg_disconnect(hsotg);
+               dwc2_hsotg_core_init_disconnected(hsotg, false);
+               spin_unlock_irqrestore(&hsotg->lock, flags);
+               dwc2_hsotg_core_connect(hsotg);
+@@ -3238,8 +3237,12 @@ static void dwc2_conn_id_status_change(struct 
work_struct *work)
+               if (count > 250)
+                       dev_err(hsotg->dev,
+                               "Connection id status change timed out\n");
+-              hsotg->op_state = OTG_STATE_A_HOST;
+ 
++              spin_lock_irqsave(&hsotg->lock, flags);
++              dwc2_hsotg_disconnect(hsotg);
++              spin_unlock_irqrestore(&hsotg->lock, flags);
++
++              hsotg->op_state = OTG_STATE_A_HOST;
+               /* Initialize the Core for Host mode */
+               dwc2_core_init(hsotg, false);
+               dwc2_enable_global_interrupts(hsotg);
+diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
+index e97539fc127e..7d658565b20f 100644
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -139,10 +139,8 @@ int usb_ep_disable(struct usb_ep *ep)
+               goto out;
+ 
+       ret = ep->ops->disable(ep);
+-      if (ret) {
+-              ret = ret;
++      if (ret)
+               goto out;
+-      }
+ 
+       ep->enabled = false;
+ 
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index 3178d8afb3e6..cab80acace4e 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -152,6 +152,7 @@ static const struct usb_device_id id_table[] = {
+       { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
+       { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */
+       { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */
++      { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */
+       { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal 
Automation Controller */
+       { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC 
Interface */
+       { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface 
*/
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 0c743e4cca1e..71cbc6890ac4 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -773,6 +773,7 @@ static const struct usb_device_id id_table_combined[] = {
+               .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
+       { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
+       { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
++      { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) },
+       { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
+       { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
+       { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
+@@ -935,6 +936,7 @@ static const struct usb_device_id id_table_combined[] = {
+       { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
++      { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
+       { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h 
b/drivers/usb/serial/ftdi_sio_ids.h
+index 543d2801632b..76a10b222ff9 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -922,6 +922,9 @@
+ /*
+  * RT Systems programming cables for various ham radios
+  */
++/* This device uses the VID of FTDI */
++#define RTSYSTEMS_USB_VX8_PID   0x9e50  /* USB-VX8 USB to 7 pin modular plug 
for Yaesu VX-8 radio */
++
+ #define RTSYSTEMS_VID         0x2100  /* Vendor ID */
+ #define RTSYSTEMS_USB_S03_PID 0x9001  /* RTS-03 USB to Serial Adapter */
+ #define RTSYSTEMS_USB_59_PID  0x9e50  /* USB-59 USB to 8 pin plug */
+@@ -1440,6 +1443,12 @@
+  */
+ #define FTDI_CINTERION_MC55I_PID      0xA951
+ 
++/*
++ * Product: FirmwareHubEmulator
++ * Manufacturer: Harman Becker Automotive Systems
++ */
++#define FTDI_FHE_PID          0xA9A0
++
+ /*
+  * Product: Comet Caller ID decoder
+  * Manufacturer: Crucible Technologies
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 5539f0b95efa..52401732cddc 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3664,7 +3664,7 @@ static noinline int copy_items(struct btrfs_trans_handle 
*trans,
+ 
+               src_offset = btrfs_item_ptr_offset(src, start_slot + i);
+ 
+-              if ((i == (nr - 1)))
++              if (i == nr - 1)
+                       last_key = ins_keys[i];
+ 
+               if (ins_keys[i].type == BTRFS_INODE_ITEM_KEY) {
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index ca3f630db90f..e7ddb23d9bb7 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -598,7 +598,8 @@ static ssize_t ceph_sync_read(struct kiocb *iocb, struct 
iov_iter *i,
+ struct ceph_aio_request {
+       struct kiocb *iocb;
+       size_t total_len;
+-      int write;
++      bool write;
++      bool should_dirty;
+       int error;
+       struct list_head osd_reqs;
+       unsigned num_reqs;
+@@ -708,7 +709,7 @@ static void ceph_aio_complete_req(struct ceph_osd_request 
*req)
+               }
+       }
+ 
+-      ceph_put_page_vector(osd_data->pages, num_pages, !aio_req->write);
++      ceph_put_page_vector(osd_data->pages, num_pages, aio_req->should_dirty);
+       ceph_osdc_put_request(req);
+ 
+       if (rc < 0)
+@@ -890,6 +891,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter 
*iter,
+       size_t count = iov_iter_count(iter);
+       loff_t pos = iocb->ki_pos;
+       bool write = iov_iter_rw(iter) == WRITE;
++      bool should_dirty = !write && iter_is_iovec(iter);
+ 
+       if (write && ceph_snap(file_inode(file)) != CEPH_NOSNAP)
+               return -EROFS;
+@@ -954,6 +956,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter 
*iter,
+                       if (aio_req) {
+                               aio_req->iocb = iocb;
+                               aio_req->write = write;
++                              aio_req->should_dirty = should_dirty;
+                               INIT_LIST_HEAD(&aio_req->osd_reqs);
+                               if (write) {
+                                       aio_req->mtime = mtime;
+@@ -1012,7 +1015,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct 
iov_iter *iter,
+                               len = ret;
+               }
+ 
+-              ceph_put_page_vector(pages, num_pages, !write);
++              ceph_put_page_vector(pages, num_pages, should_dirty);
+ 
+               ceph_osdc_put_request(req);
+               if (ret < 0)
+diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
+index f2d7402abe02..93c8e4a4bbd3 100644
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -833,7 +833,7 @@ static int compat_ioctl_preallocate(struct file *file,
+  */
+ #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff)
+ 
+-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd),
++#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd),
+ /* ioctl should not be warned about even if it's not implemented.
+    Valid reasons to use this:
+    - It is implemented with ->compat_ioctl on some device, but programs
+diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
+index 2d65bbd6dbd1..18ba29ff1449 100644
+--- a/include/linux/cpumask.h
++++ b/include/linux/cpumask.h
+@@ -680,6 +680,11 @@ void alloc_bootmem_cpumask_var(cpumask_var_t *mask);
+ void free_cpumask_var(cpumask_var_t mask);
+ void free_bootmem_cpumask_var(cpumask_var_t mask);
+ 
++static inline bool cpumask_available(cpumask_var_t mask)
++{
++      return mask != NULL;
++}
++
+ #else
+ typedef struct cpumask cpumask_var_t[1];
+ 
+@@ -720,6 +725,11 @@ static inline void free_cpumask_var(cpumask_var_t mask)
+ static inline void free_bootmem_cpumask_var(cpumask_var_t mask)
+ {
+ }
++
++static inline bool cpumask_available(cpumask_var_t mask)
++{
++      return true;
++}
+ #endif /* CONFIG_CPUMASK_OFFSTACK */
+ 
+ /* It's common to want to use cpu_all_mask in struct member initializers,
+diff --git a/include/linux/init.h b/include/linux/init.h
+index 683508f6bb4e..0cca4142987f 100644
+--- a/include/linux/init.h
++++ b/include/linux/init.h
+@@ -133,6 +133,9 @@ void prepare_namespace(void);
+ void __init load_default_modules(void);
+ int __init init_rootfs(void);
+ 
++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_DEBUG_SET_MODULE_RONX)
++extern bool rodata_enabled;
++#endif
+ #ifdef CONFIG_DEBUG_RODATA
+ void mark_rodata_ro(void);
+ #endif
+diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
+index 589d14e970ad..c2a0f0072274 100644
+--- a/include/linux/jiffies.h
++++ b/include/linux/jiffies.h
+@@ -1,6 +1,7 @@
+ #ifndef _LINUX_JIFFIES_H
+ #define _LINUX_JIFFIES_H
+ 
++#include <linux/cache.h>
+ #include <linux/math64.h>
+ #include <linux/kernel.h>
+ #include <linux/types.h>
+@@ -63,19 +64,17 @@ extern int register_refined_jiffies(long clock_tick_rate);
+ /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */
+ #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ)
+ 
+-/* some arch's have a small-data section that can be accessed 
register-relative
+- * but that can only take up to, say, 4-byte variables. jiffies being part of
+- * an 8-byte variable may not be correctly accessed unless we force the issue
+- */
+-#define __jiffy_data  __attribute__((section(".data")))
++#ifndef __jiffy_arch_data
++#define __jiffy_arch_data
++#endif
+ 
+ /*
+  * The 64-bit value is not atomic - you MUST NOT read it
+  * without sampling the sequence number in jiffies_lock.
+  * get_jiffies_64() will do this for you as appropriate.
+  */
+-extern u64 __jiffy_data jiffies_64;
+-extern unsigned long volatile __jiffy_data jiffies;
++extern u64 __cacheline_aligned_in_smp jiffies_64;
++extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data 
jiffies;
+ 
+ #if (BITS_PER_LONG < 64)
+ u64 get_jiffies_64(void);
+diff --git a/include/linux/llist.h b/include/linux/llist.h
+index fd4ca0b4fe0f..ac6796138ba0 100644
+--- a/include/linux/llist.h
++++ b/include/linux/llist.h
+@@ -87,6 +87,23 @@ static inline void init_llist_head(struct llist_head *list)
+ #define llist_entry(ptr, type, member)                \
+       container_of(ptr, type, member)
+ 
++/**
++ * member_address_is_nonnull - check whether the member address is not NULL
++ * @ptr:      the object pointer (struct type * that contains the llist_node)
++ * @member:   the name of the llist_node within the struct.
++ *
++ * This macro is conceptually the same as
++ *    &ptr->member != NULL
++ * but it works around the fact that compilers can decide that taking a member
++ * address is never a NULL pointer.
++ *
++ * Real objects that start at a high address and have a member at NULL are
++ * unlikely to exist, but such pointers may be returned e.g. by the
++ * container_of() macro.
++ */
++#define member_address_is_nonnull(ptr, member)        \
++      ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0)
++
+ /**
+  * llist_for_each - iterate over some deleted entries of a lock-less list
+  * @pos:      the &struct llist_node to use as a loop cursor
+@@ -121,7 +138,7 @@ static inline void init_llist_head(struct llist_head *list)
+  */
+ #define llist_for_each_entry(pos, node, member)                               
\
+       for ((pos) = llist_entry((node), typeof(*(pos)), member);       \
+-           &(pos)->member != NULL;                                    \
++           member_address_is_nonnull(pos, member);                    \
+            (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
+ 
+ /**
+@@ -143,7 +160,7 @@ static inline void init_llist_head(struct llist_head *list)
+  */
+ #define llist_for_each_entry_safe(pos, n, node, member)                       
       \
+       for (pos = llist_entry((node), typeof(*pos), member);                  \
+-           &pos->member != NULL &&                                           \
++           member_address_is_nonnull(pos, member) &&                         \
+               (n = llist_entry(pos->member.next, typeof(*n), member), true); \
+            pos = n)
+ 
+diff --git a/include/linux/netfilter/x_tables.h 
b/include/linux/netfilter/x_tables.h
+index 9bfeb88fb940..69111fa2e578 100644
+--- a/include/linux/netfilter/x_tables.h
++++ b/include/linux/netfilter/x_tables.h
+@@ -254,6 +254,8 @@ unsigned int *xt_alloc_entry_offsets(unsigned int size);
+ bool xt_find_jump_offset(const unsigned int *offsets,
+                        unsigned int target, unsigned int size);
+ 
++int xt_check_proc_name(const char *name, unsigned int size);
++
+ int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
+                  bool inv_proto);
+ int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t 
proto,
+diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h
+index 818a38f99221..f888263fd757 100644
+--- a/include/rdma/ib_addr.h
++++ b/include/rdma/ib_addr.h
+@@ -129,6 +129,8 @@ int rdma_copy_addr(struct rdma_dev_addr *dev_addr, struct 
net_device *dev,
+             const unsigned char *dst_dev_addr);
+ 
+ int rdma_addr_size(struct sockaddr *addr);
++int rdma_addr_size_in6(struct sockaddr_in6 *addr);
++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
+ 
+ int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id);
+ int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
+diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
+index e5a2e68b2236..ecc8e01c5616 100644
+--- a/include/uapi/linux/pci_regs.h
++++ b/include/uapi/linux/pci_regs.h
+@@ -106,7 +106,7 @@
+ #define PCI_SUBSYSTEM_ID      0x2e
+ #define PCI_ROM_ADDRESS               0x30    /* Bits 31..11 are address, 
10..1 reserved */
+ #define  PCI_ROM_ADDRESS_ENABLE       0x01
+-#define PCI_ROM_ADDRESS_MASK  (~0x7ffUL)
++#define PCI_ROM_ADDRESS_MASK  (~0x7ffU)
+ 
+ #define PCI_CAPABILITY_LIST   0x34    /* Offset of first capability list 
entry */
+ 
+diff --git a/init/main.c b/init/main.c
+index 99f026565608..f22957afb37e 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -81,6 +81,7 @@
+ #include <linux/proc_ns.h>
+ #include <linux/io.h>
+ #include <linux/kaiser.h>
++#include <linux/cache.h>
+ 
+ #include <asm/io.h>
+ #include <asm/bugs.h>
+@@ -914,14 +915,16 @@ static int try_to_run_init_process(const char 
*init_filename)
+ 
+ static noinline void __init kernel_init_freeable(void);
+ 
+-#ifdef CONFIG_DEBUG_RODATA
+-static bool rodata_enabled = true;
++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_SET_MODULE_RONX)
++bool rodata_enabled __ro_after_init = true;
+ static int __init set_debug_rodata(char *str)
+ {
+       return strtobool(str, &rodata_enabled);
+ }
+ __setup("rodata=", set_debug_rodata);
++#endif
+ 
++#ifdef CONFIG_DEBUG_RODATA
+ static void mark_readonly(void)
+ {
+       if (rodata_enabled)
+diff --git a/ipc/shm.c b/ipc/shm.c
+index e2072ae4f90e..de93d01bfce2 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -381,6 +381,17 @@ static int shm_fault(struct vm_area_struct *vma, struct 
vm_fault *vmf)
+       return sfd->vm_ops->fault(vma, vmf);
+ }
+ 
++static int shm_split(struct vm_area_struct *vma, unsigned long addr)
++{
++      struct file *file = vma->vm_file;
++      struct shm_file_data *sfd = shm_file_data(file);
++
++      if (sfd->vm_ops && sfd->vm_ops->split)
++              return sfd->vm_ops->split(vma, addr);
++
++      return 0;
++}
++
+ #ifdef CONFIG_NUMA
+ static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
+ {
+@@ -503,6 +514,7 @@ static const struct vm_operations_struct shm_vm_ops = {
+       .open   = shm_open,     /* callback for a new vm-area open */
+       .close  = shm_close,    /* callback for when the vm-area is released */
+       .fault  = shm_fault,
++      .split  = shm_split,
+ #if defined(CONFIG_NUMA)
+       .set_policy = shm_set_policy,
+       .get_policy = shm_get_policy,
+diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c
+index 3f8cb1e14588..253ae2da13c3 100644
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_breakpoint);
+  * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
+  * @bp: the breakpoint structure to modify
+  * @attr: new breakpoint attributes
+- * @triggered: callback to trigger when we hit the breakpoint
+- * @tsk: pointer to 'task_struct' of the process to which the address belongs
+  */
+ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr 
*attr)
+ {
+-      u64 old_addr = bp->attr.bp_addr;
+-      u64 old_len = bp->attr.bp_len;
+-      int old_type = bp->attr.bp_type;
+-      int err = 0;
+-
+       /*
+        * modify_user_hw_breakpoint can be invoked with IRQs disabled and 
hence it
+        * will not be possible to raise IPIs that invoke __perf_event_disable.
+@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct perf_event *bp, 
struct perf_event_attr *att
+       bp->attr.bp_addr = attr->bp_addr;
+       bp->attr.bp_type = attr->bp_type;
+       bp->attr.bp_len = attr->bp_len;
++      bp->attr.disabled = 1;
+ 
+-      if (attr->disabled)
+-              goto end;
+-
+-      err = validate_hw_breakpoint(bp);
+-      if (!err)
+-              perf_event_enable(bp);
++      if (!attr->disabled) {
++              int err = validate_hw_breakpoint(bp);
+ 
+-      if (err) {
+-              bp->attr.bp_addr = old_addr;
+-              bp->attr.bp_type = old_type;
+-              bp->attr.bp_len = old_len;
+-              if (!bp->attr.disabled)
+-                      perf_event_enable(bp);
++              if (err)
++                      return err;
+ 
+-              return err;
++              perf_event_enable(bp);
++              bp->attr.disabled = 0;
+       }
+ 
+-end:
+-      bp->attr.disabled = attr->disabled;
+-
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
+diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
+index ea41820ab12e..5927da596d42 100644
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -850,7 +850,7 @@ irq_thread_check_affinity(struct irq_desc *desc, struct 
irqaction *action)
+        * This code is triggered unconditionally. Check the affinity
+        * mask pointer. For CPU_MASK_OFFSTACK=n this is optimized out.
+        */
+-      if (desc->irq_common_data.affinity)
++      if (cpumask_available(desc->irq_common_data.affinity))
+               cpumask_copy(mask, desc->irq_common_data.affinity);
+       else
+               valid = false;
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index a1a07cf1101f..69485183af79 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
+       return module_alloc(PAGE_SIZE);
+ }
+ 
+-static void free_insn_page(void *page)
++void __weak free_insn_page(void *page)
+ {
+       module_memfree(page);
+ }
+diff --git a/kernel/module.c b/kernel/module.c
+index 07bfb9971f2f..0651f2d25fc9 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1911,6 +1911,9 @@ static void frob_writable_data(const struct 
module_layout *layout,
+ /* livepatching wants to disable read-only so it can frob module. */
+ void module_disable_ro(const struct module *mod)
+ {
++      if (!rodata_enabled)
++              return;
++
+       frob_text(&mod->core_layout, set_memory_rw);
+       frob_rodata(&mod->core_layout, set_memory_rw);
+       frob_ro_after_init(&mod->core_layout, set_memory_rw);
+@@ -1920,6 +1923,9 @@ void module_disable_ro(const struct module *mod)
+ 
+ void module_enable_ro(const struct module *mod, bool after_init)
+ {
++      if (!rodata_enabled)
++              return;
++
+       frob_text(&mod->core_layout, set_memory_ro);
+       frob_rodata(&mod->core_layout, set_memory_ro);
+       frob_text(&mod->init_layout, set_memory_ro);
+@@ -1952,6 +1958,9 @@ void set_all_modules_text_rw(void)
+ {
+       struct module *mod;
+ 
++      if (!rodata_enabled)
++              return;
++
+       mutex_lock(&module_mutex);
+       list_for_each_entry_rcu(mod, &modules, list) {
+               if (mod->state == MODULE_STATE_UNFORMED)
+@@ -1968,6 +1977,9 @@ void set_all_modules_text_ro(void)
+ {
+       struct module *mod;
+ 
++      if (!rodata_enabled)
++              return;
++
+       mutex_lock(&module_mutex);
+       list_for_each_entry_rcu(mod, &modules, list) {
+               if (mod->state == MODULE_STATE_UNFORMED)
+@@ -1981,10 +1993,12 @@ void set_all_modules_text_ro(void)
+ 
+ static void disable_ro_nx(const struct module_layout *layout)
+ {
+-      frob_text(layout, set_memory_rw);
+-      frob_rodata(layout, set_memory_rw);
++      if (rodata_enabled) {
++              frob_text(layout, set_memory_rw);
++              frob_rodata(layout, set_memory_rw);
++              frob_ro_after_init(layout, set_memory_rw);
++      }
+       frob_rodata(layout, set_memory_x);
+-      frob_ro_after_init(layout, set_memory_rw);
+       frob_ro_after_init(layout, set_memory_x);
+       frob_writable_data(layout, set_memory_x);
+ }
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index cdd5c3b5c357..557ad1367595 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2966,7 +2966,7 @@ unsigned long try_to_free_pages(struct zonelist 
*zonelist, int order,
+       unsigned long nr_reclaimed;
+       struct scan_control sc = {
+               .nr_to_reclaim = SWAP_CLUSTER_MAX,
+-              .gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)),
++              .gfp_mask = memalloc_noio_flags(gfp_mask),
+               .reclaim_idx = gfp_zone(gfp_mask),
+               .order = order,
+               .nodemask = nodemask,
+@@ -2981,12 +2981,12 @@ unsigned long try_to_free_pages(struct zonelist 
*zonelist, int order,
+        * 1 is returned so that the page allocator does not OOM kill at this
+        * point.
+        */
+-      if (throttle_direct_reclaim(gfp_mask, zonelist, nodemask))
++      if (throttle_direct_reclaim(sc.gfp_mask, zonelist, nodemask))
+               return 1;
+ 
+       trace_mm_vmscan_direct_reclaim_begin(order,
+                               sc.may_writepage,
+-                              gfp_mask,
++                              sc.gfp_mask,
+                               sc.reclaim_idx);
+ 
+       nr_reclaimed = do_try_to_free_pages(zonelist, &sc);
+@@ -3749,16 +3749,15 @@ static int __node_reclaim(struct pglist_data *pgdat, 
gfp_t gfp_mask, unsigned in
+       const unsigned long nr_pages = 1 << order;
+       struct task_struct *p = current;
+       struct reclaim_state reclaim_state;
+-      int classzone_idx = gfp_zone(gfp_mask);
+       struct scan_control sc = {
+               .nr_to_reclaim = max(nr_pages, SWAP_CLUSTER_MAX),
+-              .gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)),
++              .gfp_mask = memalloc_noio_flags(gfp_mask),
+               .order = order,
+               .priority = NODE_RECLAIM_PRIORITY,
+               .may_writepage = !!(node_reclaim_mode & RECLAIM_WRITE),
+               .may_unmap = !!(node_reclaim_mode & RECLAIM_UNMAP),
+               .may_swap = 1,
+-              .reclaim_idx = classzone_idx,
++              .reclaim_idx = gfp_zone(gfp_mask),
+       };
+ 
+       cond_resched();
+@@ -3768,7 +3767,7 @@ static int __node_reclaim(struct pglist_data *pgdat, 
gfp_t gfp_mask, unsigned in
+        * and RECLAIM_UNMAP.
+        */
+       p->flags |= PF_MEMALLOC | PF_SWAPWRITE;
+-      lockdep_set_current_reclaim_state(gfp_mask);
++      lockdep_set_current_reclaim_state(sc.gfp_mask);
+       reclaim_state.reclaimed_slab = 0;
+       p->reclaim_state = &reclaim_state;
+ 
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 658c900752c6..ead4d1baeaa6 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2233,8 +2233,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, 
struct sk_buff *skb)
+       else
+               sec_level = authreq_to_seclevel(auth);
+ 
+-      if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
++      if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
++              /* If link is already encrypted with sufficient security we
++               * still need refresh encryption as per Core Spec 5.0 Vol 3,
++               * Part H 2.4.6
++               */
++              smp_ltk_encrypt(conn, hcon->sec_level);
+               return 0;
++      }
+ 
+       if (sec_level > hcon->pending_sec_level)
+               hcon->pending_sec_level = sec_level;
+diff --git a/net/bridge/netfilter/ebt_among.c 
b/net/bridge/netfilter/ebt_among.c
+index 9637a681bdda..9adf16258cab 100644
+--- a/net/bridge/netfilter/ebt_among.c
++++ b/net/bridge/netfilter/ebt_among.c
+@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struct 
ebt_mac_wormhash *w)
+       return w && w->poolsize >= (INT_MAX / sizeof(struct 
ebt_mac_wormhash_tuple));
+ }
+ 
++static bool wormhash_offset_invalid(int off, unsigned int len)
++{
++      if (off == 0) /* not present */
++              return false;
++
++      if (off < (int)sizeof(struct ebt_among_info) ||
++          off % __alignof__(struct ebt_mac_wormhash))
++              return true;
++
++      off += sizeof(struct ebt_mac_wormhash);
++
++      return off > len;
++}
++
++static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, 
int b)
++{
++      if (a == 0)
++              a = sizeof(struct ebt_among_info);
++
++      return ebt_mac_wormhash_size(wh) + a == b;
++}
++
+ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
+ {
+       const struct ebt_among_info *info = par->matchinfo;
+@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param 
*par)
+       if (expected_length > em->match_size)
+               return -EINVAL;
+ 
++      if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
++          wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
++              return -EINVAL;
++
+       wh_dst = ebt_among_wh_dst(info);
+       if (poolsize_invalid(wh_dst))
+               return -EINVAL;
+@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const struct xt_mtchk_param 
*par)
+       if (poolsize_invalid(wh_src))
+               return -EINVAL;
+ 
++      if (info->wh_src_ofs < info->wh_dst_ofs) {
++              if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, 
info->wh_dst_ofs))
++                      return -EINVAL;
++      } else {
++              if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, 
info->wh_src_ofs))
++                      return -EINVAL;
++      }
++
+       expected_length += ebt_mac_wormhash_size(wh_src);
+ 
+       if (em->match_size != EBT_ALIGN(expected_length)) {
+diff --git a/net/ipv4/netfilter/nf_nat_h323.c 
b/net/ipv4/netfilter/nf_nat_h323.c
+index 574f7ebba0b6..ac8342dcb55e 100644
+--- a/net/ipv4/netfilter/nf_nat_h323.c
++++ b/net/ipv4/netfilter/nf_nat_h323.c
+@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct 
nf_conn *ct,
+       if (set_h245_addr(skb, protoff, data, dataoff, taddr,
+                         &ct->tuplehash[!dir].tuple.dst.u3,
+                         htons((port & htons(1)) ? nated_port + 1 :
+-                                                  nated_port)) == 0) {
+-              /* Save ports */
+-              info->rtp_port[i][dir] = rtp_port;
+-              info->rtp_port[i][!dir] = htons(nated_port);
+-      } else {
++                                                  nated_port))) {
+               nf_ct_unexpect_related(rtp_exp);
+               nf_ct_unexpect_related(rtcp_exp);
+               return -1;
+       }
+ 
++      /* Save ports */
++      info->rtp_port[i][dir] = rtp_port;
++      info->rtp_port[i][!dir] = htons(nated_port);
++
+       /* Success */
+       pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
+                &rtp_exp->tuple.src.u3.ip,
+@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn 
*ct,
+       /* Modify signal */
+       if (set_h225_addr(skb, protoff, data, dataoff, taddr,
+                         &ct->tuplehash[!dir].tuple.dst.u3,
+-                        htons(nated_port)) == 0) {
+-              /* Save ports */
+-              info->sig_port[dir] = port;
+-              info->sig_port[!dir] = htons(nated_port);
+-      } else {
++                        htons(nated_port))) {
+               nf_ct_unexpect_related(exp);
+               return -1;
+       }
+ 
++      /* Save ports */
++      info->sig_port[dir] = port;
++      info->sig_port[!dir] = htons(nated_port);
++
+       pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
+                &exp->tuple.src.u3.ip,
+                ntohs(exp->tuple.src.u.tcp.port),
+@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn 
*ct,
+       /* Modify signal */
+       if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
+                         &ct->tuplehash[!dir].tuple.dst.u3,
+-                        htons(nated_port)) == 0) {
+-              /* Save ports */
+-              info->sig_port[dir] = port;
+-              info->sig_port[!dir] = htons(nated_port);
+-
+-              /* Fix for Gnomemeeting */
+-              if (idx > 0 &&
+-                  get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
+-                  (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
+-                      set_h225_addr(skb, protoff, data, 0, &taddr[0],
+-                                    &ct->tuplehash[!dir].tuple.dst.u3,
+-                                    info->sig_port[!dir]);
+-              }
+-      } else {
++                        htons(nated_port))) {
+               nf_ct_unexpect_related(exp);
+               return -1;
+       }
+ 
++      /* Save ports */
++      info->sig_port[dir] = port;
++      info->sig_port[!dir] = htons(nated_port);
++
++      /* Fix for Gnomemeeting */
++      if (idx > 0 &&
++          get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
++          (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
++              if (set_h225_addr(skb, protoff, data, 0, &taddr[0],
++                                &ct->tuplehash[!dir].tuple.dst.u3,
++                                info->sig_port[!dir])) {
++                      nf_ct_unexpect_related(exp);
++                      return -1;
++              }
++      }
++
+       /* Success */
+       pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
+                &exp->tuple.src.u3.ip,
+@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_buff *skb, struct 
nf_conn *ct,
+       }
+ 
+       /* Modify signal */
+-      if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
+-                         &ct->tuplehash[!dir].tuple.dst.u3,
+-                         htons(nated_port)) == 0) {
++      if (set_h225_addr(skb, protoff, data, dataoff, taddr,
++                        &ct->tuplehash[!dir].tuple.dst.u3,
++                        htons(nated_port))) {
+               nf_ct_unexpect_related(exp);
+               return -1;
+       }
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 345efeb887ef..912333586de6 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -625,7 +625,6 @@ static void vti6_link_config(struct ip6_tnl *t)
+ {
+       struct net_device *dev = t->dev;
+       struct __ip6_tnl_parm *p = &t->parms;
+-      struct net_device *tdev = NULL;
+ 
+       memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
+       memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
+@@ -638,25 +637,6 @@ static void vti6_link_config(struct ip6_tnl *t)
+               dev->flags |= IFF_POINTOPOINT;
+       else
+               dev->flags &= ~IFF_POINTOPOINT;
+-
+-      if (p->flags & IP6_TNL_F_CAP_XMIT) {
+-              int strict = (ipv6_addr_type(&p->raddr) &
+-                            (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
+-              struct rt6_info *rt = rt6_lookup(t->net,
+-                                               &p->raddr, &p->laddr,
+-                                               p->link, strict);
+-
+-              if (rt)
+-                      tdev = rt->dst.dev;
+-              ip6_rt_put(rt);
+-      }
+-
+-      if (!tdev && p->link)
+-              tdev = __dev_get_by_index(t->net, p->link);
+-
+-      if (tdev)
+-              dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
+-                               IPV6_MIN_MTU);
+ }
+ 
+ /**
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index d31818e7d10c..a5acaf1efaab 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -427,7 +427,7 @@ static void ieee80211_sta_join_ibss(struct 
ieee80211_sub_if_data *sdata,
+       case NL80211_CHAN_WIDTH_5:
+       case NL80211_CHAN_WIDTH_10:
+               cfg80211_chandef_create(&chandef, cbss->channel,
+-                                      NL80211_CHAN_WIDTH_20_NOHT);
++                                      NL80211_CHAN_NO_HT);
+               chandef.width = sdata->u.ibss.chandef.width;
+               break;
+       case NL80211_CHAN_WIDTH_80:
+@@ -439,7 +439,7 @@ static void ieee80211_sta_join_ibss(struct 
ieee80211_sub_if_data *sdata,
+       default:
+               /* fall back to 20 MHz for unsupported modes */
+               cfg80211_chandef_create(&chandef, cbss->channel,
+-                                      NL80211_CHAN_WIDTH_20_NOHT);
++                                      NL80211_CHAN_NO_HT);
+               break;
+       }
+ 
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index dbceb42c2a8e..e6096dfd0210 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -173,9 +173,11 @@ ieee80211_rate_control_ops_get(const char *name)
+               /* try default if specific alg requested but not found */
+               ops = 
ieee80211_try_rate_control_ops_get(ieee80211_default_rc_algo);
+ 
+-      /* try built-in one if specific alg requested but not found */
+-      if (!ops && strlen(CONFIG_MAC80211_RC_DEFAULT))
++      /* Note: check for > 0 is intentional to avoid clang warning */
++      if (!ops && (strlen(CONFIG_MAC80211_RC_DEFAULT) > 0))
++              /* try built-in one if specific alg requested but not found */
+               ops = 
ieee80211_try_rate_control_ops_get(CONFIG_MAC80211_RC_DEFAULT);
++
+       kernel_param_unlock(THIS_MODULE);
+ 
+       return ops;
+diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
+index d5caed5bcfb1..d49a4639465f 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1008,9 +1008,8 @@ static const struct nla_policy 
tuple_nla_policy[CTA_TUPLE_MAX+1] = {
+ 
+ static int
+ ctnetlink_parse_tuple(const struct nlattr * const cda[],
+-                    struct nf_conntrack_tuple *tuple,
+-                    enum ctattr_type type, u_int8_t l3num,
+-                    struct nf_conntrack_zone *zone)
++                    struct nf_conntrack_tuple *tuple, u32 type,
++                    u_int8_t l3num, struct nf_conntrack_zone *zone)
+ {
+       struct nlattr *tb[CTA_TUPLE_MAX+1];
+       int err;
+@@ -2409,7 +2408,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = {
+ 
+ static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
+                                   const struct nf_conntrack_tuple *tuple,
+-                                  enum ctattr_expect type)
++                                  u32 type)
+ {
+       struct nlattr *nest_parms;
+ 
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 7ad1a863587a..59be89813a29 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -367,6 +367,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, 
uint8_t nfproto)
+       return buf;
+ }
+ 
++/**
++ * xt_check_proc_name - check that name is suitable for /proc file creation
++ *
++ * @name: file name candidate
++ * @size: length of buffer
++ *
++ * some x_tables modules wish to create a file in /proc.
++ * This function makes sure that the name is suitable for this
++ * purpose, it checks that name is NUL terminated and isn't a 'special'
++ * name, like "..".
++ *
++ * returns negative number on error or 0 if name is useable.
++ */
++int xt_check_proc_name(const char *name, unsigned int size)
++{
++      if (name[0] == '\0')
++              return -EINVAL;
++
++      if (strnlen(name, size) == size)
++              return -ENAMETOOLONG;
++
++      if (strcmp(name, ".") == 0 ||
++          strcmp(name, "..") == 0 ||
++          strchr(name, '/'))
++              return -EINVAL;
++
++      return 0;
++}
++EXPORT_SYMBOL(xt_check_proc_name);
++
+ int xt_check_match(struct xt_mtchk_param *par,
+                  unsigned int size, u_int8_t proto, bool inv_proto)
+ {
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index b89b688e9d01..a1a29cdc58fc 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -794,8 +794,9 @@ static int hashlimit_mt_check_v1(const struct 
xt_mtchk_param *par)
+       struct hashlimit_cfg2 cfg = {};
+       int ret;
+ 
+-      if (info->name[sizeof(info->name) - 1] != '\0')
+-              return -EINVAL;
++      ret = xt_check_proc_name(info->name, sizeof(info->name));
++      if (ret)
++              return ret;
+ 
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
+ 
+@@ -809,9 +810,11 @@ static int hashlimit_mt_check_v1(const struct 
xt_mtchk_param *par)
+ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
+ {
+       struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
++      int ret;
+ 
+-      if (info->name[sizeof(info->name) - 1] != '\0')
+-              return -EINVAL;
++      ret = xt_check_proc_name(info->name, sizeof(info->name));
++      if (ret)
++              return ret;
+ 
+       return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
+                                        info->name, 2);
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index e3b7a09b103e..79d7ad621a80 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -361,9 +361,9 @@ static int recent_mt_check(const struct xt_mtchk_param 
*par,
+                       info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
+               return -EINVAL;
+       }
+-      if (info->name[0] == '\0' ||
+-          strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
+-              return -EINVAL;
++      ret = xt_check_proc_name(info->name, sizeof(info->name));
++      if (ret)
++              return ret;
+ 
+       if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
+               nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index a89061d59c74..36280e114959 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4081,7 +4081,7 @@ static bool nl80211_put_sta_rate(struct sk_buff *msg, 
struct rate_info *info,
+       struct nlattr *rate;
+       u32 bitrate;
+       u16 bitrate_compat;
+-      enum nl80211_attrs rate_flg;
++      enum nl80211_rate_info rate_flg;
+ 
+       rate = nla_nest_start(msg, attr);
+       if (!rate)
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index c921c2eed15d..bb54d9db82df 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -663,7 +663,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct 
sk_buff *frame,
+                           int offset, int len)
+ {
+       struct skb_shared_info *sh = skb_shinfo(skb);
+-      const skb_frag_t *frag = &sh->frags[-1];
++      const skb_frag_t *frag = &sh->frags[0];
+       struct page *frag_page;
+       void *frag_ptr;
+       int frag_len, frag_size;
+@@ -676,10 +676,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct 
sk_buff *frame,
+ 
+       while (offset >= frag_size) {
+               offset -= frag_size;
+-              frag++;
+               frag_page = skb_frag_page(frag);
+               frag_ptr = skb_frag_address(frag);
+               frag_size = skb_frag_size(frag);
++              frag++;
+       }
+ 
+       frag_ptr += offset;
+@@ -691,12 +691,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct 
sk_buff *frame,
+       len -= cur_len;
+ 
+       while (len > 0) {
+-              frag++;
+               frag_len = skb_frag_size(frag);
+               cur_len = min(len, frag_len);
+               __frame_add_frag(frame, skb_frag_page(frag),
+                                skb_frag_address(frag), cur_len, frag_len);
+               len -= cur_len;
++              frag++;
+       }
+ }
+ 
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index ccfdc7115a83..a00ec715aa46 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu 
*ipcomp_alloc_tfms(const char *alg_name)
+               struct crypto_comp *tfm;
+ 
+               /* This can be any valid CPU ID so we don't need locking. */
+-              tfm = __this_cpu_read(*pos->tfms);
++              tfm = this_cpu_read(*pos->tfms);
+ 
+               if (!strcmp(crypto_comp_name(tfm), alg_name)) {
+                       pos->users++;
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 13e0611a9085..fdb9742d934e 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1883,6 +1883,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 
__user *optval, int optlen
+       struct xfrm_mgr *km;
+       struct xfrm_policy *pol = NULL;
+ 
++#ifdef CONFIG_COMPAT
++      if (in_compat_syscall())
++              return -EOPNOTSUPP;
++#endif
++
+       if (!optval && !optlen) {
+               xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
+               xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5d33967d9aa1..6a029358bfd1 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -121,22 +121,17 @@ static inline int verify_replay(struct xfrm_usersa_info 
*p,
+       struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
+       struct xfrm_replay_state_esn *rs;
+ 
+-      if (p->flags & XFRM_STATE_ESN) {
+-              if (!rt)
+-                      return -EINVAL;
++      if (!rt)
++              return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
+ 
+-              rs = nla_data(rt);
++      rs = nla_data(rt);
+ 
+-              if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+-                      return -EINVAL;
+-
+-              if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
+-                  nla_len(rt) != sizeof(*rs))
+-                      return -EINVAL;
+-      }
++      if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
++              return -EINVAL;
+ 
+-      if (!rt)
+-              return 0;
++      if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
++          nla_len(rt) != sizeof(*rs))
++              return -EINVAL;
+ 
+       /* As only ESP and AH support ESN feature. */
+       if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index b8278f3af9da..17627d8d5a26 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -406,18 +406,6 @@ static void superblock_free_security(struct super_block 
*sb)
+       kfree(sbsec);
+ }
+ 
+-/* The file system's label must be initialized prior to use. */
+-
+-static const char *labeling_behaviors[7] = {
+-      "uses xattr",
+-      "uses transition SIDs",
+-      "uses task SIDs",
+-      "uses genfs_contexts",
+-      "not configured for labeling",
+-      "uses mountpoint labeling",
+-      "uses native labeling",
+-};
+-
+ static inline int inode_doinit(struct inode *inode)
+ {
+       return inode_doinit_with_dentry(inode, NULL);
+@@ -528,10 +516,6 @@ static int sb_finish_set_opts(struct super_block *sb)
+               }
+       }
+ 
+-      if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
+-              printk(KERN_ERR "SELinux: initialized (dev %s, type %s), 
unknown behavior\n",
+-                     sb->s_id, sb->s_type->name);
+-
+       sbsec->flags |= SE_SBINITIALIZED;
+       if (selinux_is_sblabel_mnt(sb))
+               sbsec->flags |= SBLABEL_MNT;
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index 73275a92f2e2..d656b7c98394 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -155,7 +155,7 @@ static int selinux_set_mapping(struct policydb *pol,
+               }
+ 
+               k = 0;
+-              while (p_in->perms && p_in->perms[k]) {
++              while (p_in->perms[k]) {
+                       /* An empty permission string skips ahead */
+                       if (!*p_in->perms[k]) {
+                               k++;
+diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
+index 3e7c3573871d..fa8741afadf5 100644
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1361,7 +1361,7 @@ static ssize_t snd_pcm_oss_write2(struct 
snd_pcm_substream *substream, const cha
+ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const 
char __user *buf, size_t bytes)
+ {
+       size_t xfer = 0;
+-      ssize_t tmp;
++      ssize_t tmp = 0;
+       struct snd_pcm_runtime *runtime = substream->runtime;
+ 
+       if (atomic_read(&substream->mmap_count))
+@@ -1468,7 +1468,7 @@ static ssize_t snd_pcm_oss_read2(struct 
snd_pcm_substream *substream, char *buf,
+ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char 
__user *buf, size_t bytes)
+ {
+       size_t xfer = 0;
+-      ssize_t tmp;
++      ssize_t tmp = 0;
+       struct snd_pcm_runtime *runtime = substream->runtime;
+ 
+       if (atomic_read(&substream->mmap_count))
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 9d33c1e85c79..d503285867e7 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3410,7 +3410,7 @@ int snd_pcm_lib_default_mmap(struct snd_pcm_substream 
*substream,
+                                        area,
+                                        substream->runtime->dma_area,
+                                        substream->runtime->dma_addr,
+-                                       area->vm_end - area->vm_start);
++                                       substream->runtime->dma_bytes);
+ #endif /* CONFIG_X86 */
+       /* mmap with fault handler */
+       area->vm_ops = &snd_pcm_vm_ops_data_fault;
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 1cd7f8b0bf77..45655b9108e8 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1175,6 +1175,7 @@ static bool is_teac_dsd_dac(unsigned int id)
+       switch (id) {
+       case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+       case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
++      case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
+               return true;
+       }
+       return false;

Reply via email to