commit: 220df3b30d95895bd6092700c754329cfc0f45f1 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Sun Apr 8 14:26:21 2018 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Sun Apr 8 14:26:21 2018 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=220df3b3
Linux patch 4.9.93 0000_README | 4 + 1092_linux-4.9.93.patch | 3737 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 3741 insertions(+) diff --git a/0000_README b/0000_README index 7083c5f..3036eb1 100644 --- a/0000_README +++ b/0000_README @@ -411,6 +411,10 @@ Patch: 1091_linux-4.9.92.patch From: http://www.kernel.org Desc: Linux 4.9.92 +Patch: 1092_linux-4.9.93.patch +From: http://www.kernel.org +Desc: Linux 4.9.93 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1092_linux-4.9.93.patch b/1092_linux-4.9.93.patch new file mode 100644 index 0000000..4092fd9 --- /dev/null +++ b/1092_linux-4.9.93.patch @@ -0,0 +1,3737 @@ +diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt +index caf297bee1fb..c28d4eb83b76 100644 +--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt ++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt +@@ -35,6 +35,15 @@ Optional properties: + - ti,palmas-enable-dvfs2: Enable DVFS2. Configure pins for DVFS2 mode. + Selection primary or secondary function associated to GPADC_START + and SYSEN2 pin/pad for DVFS2 interface ++- ti,palmas-override-powerhold: This is applicable for PMICs for which ++ GPIO7 is configured in POWERHOLD mode which has higher priority ++ over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON ++ bit is turned off. This property enables driver to over ride the ++ POWERHOLD value to GPIO7 so as to turn off the PMIC in power off ++ scenarios. So for GPIO7 if ti,palmas-override-powerhold is set ++ then the GPIO_7 field should never be muxed to anything else. ++ It should be set to POWERHOLD by default and only in case of ++ power off scenarios the driver will over ride the mux value. + + This binding uses the following generic properties as defined in + pinctrl-bindings.txt: +diff --git a/Makefile b/Makefile +index 3ab3b8203bf6..f5cf4159fc20 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 92 ++SUBLEVEL = 93 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/arm/boot/dts/am335x-pepper.dts b/arch/arm/boot/dts/am335x-pepper.dts +index 42b62f54e4b7..30e2f8770aaf 100644 +--- a/arch/arm/boot/dts/am335x-pepper.dts ++++ b/arch/arm/boot/dts/am335x-pepper.dts +@@ -139,7 +139,7 @@ + &audio_codec { + status = "okay"; + +- reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>; ++ gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>; + AVDD-supply = <&ldo3_reg>; + IOVDD-supply = <&ldo3_reg>; + DRVDD-supply = <&ldo3_reg>; +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi +index 6df7829a2c15..78bee26361f1 100644 +--- a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi ++++ b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi +@@ -204,6 +204,7 @@ + interrupt-controller; + + ti,system-power-controller; ++ ti,palmas-override-powerhold; + + tps659038_pmic { + compatible = "ti,tps659038-pmic"; +diff --git a/arch/arm/boot/dts/am57xx-idk-common.dtsi b/arch/arm/boot/dts/am57xx-idk-common.dtsi +index db858fff4e18..1cc62727e43a 100644 +--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi ++++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi +@@ -57,6 +57,7 @@ + #interrupt-cells = <2>; + interrupt-controller; + ti,system-power-controller; ++ ti,palmas-override-powerhold; + + tps659038_pmic { + compatible = "ti,tps659038-pmic"; +diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts +index 132f2be10889..56311fd34f81 100644 +--- a/arch/arm/boot/dts/dra7-evm.dts ++++ b/arch/arm/boot/dts/dra7-evm.dts +@@ -398,6 +398,8 @@ + tps659038: tps659038@58 { + compatible = "ti,tps659038"; + reg = <0x58>; ++ ti,palmas-override-powerhold; ++ ti,system-power-controller; + + tps659038_pmic { + compatible = "ti,tps659038-pmic"; +diff --git a/arch/arm/boot/dts/omap3-n900.dts b/arch/arm/boot/dts/omap3-n900.dts +index 6003b29c0fc0..4d448f145ed1 100644 +--- a/arch/arm/boot/dts/omap3-n900.dts ++++ b/arch/arm/boot/dts/omap3-n900.dts +@@ -510,7 +510,7 @@ + tlv320aic3x: tlv320aic3x@18 { + compatible = "ti,tlv320aic3x"; + reg = <0x18>; +- reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ ++ gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ + ai3x-gpio-func = < + 0 /* AIC3X_GPIO1_FUNC_DISABLED */ + 5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */ +@@ -527,7 +527,7 @@ + tlv320aic3x_aux: tlv320aic3x@19 { + compatible = "ti,tlv320aic3x"; + reg = <0x19>; +- reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ ++ gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ + + AVDD-supply = <&vmmc2>; + DRVDD-supply = <&vmmc2>; +diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c +index da0b33deba6d..5629d7580973 100644 +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user_vfp __user *ufp, + */ + static int vfp_dying_cpu(unsigned int cpu) + { +- vfp_force_reload(cpu, current_thread_info()); ++ vfp_current_hw_state[cpu] = NULL; + return 0; + } + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 7769c2e27788..c8471cf46cbb 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -733,6 +733,18 @@ config FORCE_MAX_ZONEORDER + However for 4K, we choose a higher default value, 11 as opposed to 10, giving us + 4M allocations matching the default size used by generic code. + ++config UNMAP_KERNEL_AT_EL0 ++ bool "Unmap kernel when running in userspace (aka \"KAISER\")" if EXPERT ++ default y ++ help ++ Speculation attacks against some high-performance processors can ++ be used to bypass MMU permission checks and leak kernel data to ++ userspace. This can be defended against by unmapping the kernel ++ when running in userspace, mapping it back in on exception entry ++ via a trampoline page in the vector table. ++ ++ If unsure, say Y. ++ + menuconfig ARMV8_DEPRECATED + bool "Emulate deprecated/obsolete ARMv8 instructions" + depends on COMPAT +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 851290d2bfe3..7193bf97b8da 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -413,4 +413,7 @@ alternative_endif + movk \reg, :abs_g0_nc:\val + .endm + ++ .macro pte_to_phys, phys, pte ++ and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) ++ .endm + #endif /* __ASM_ASSEMBLER_H */ +diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h +index 87b446535185..7ddf233f05bd 100644 +--- a/arch/arm64/include/asm/cpucaps.h ++++ b/arch/arm64/include/asm/cpucaps.h +@@ -34,7 +34,8 @@ + #define ARM64_HAS_32BIT_EL0 13 + #define ARM64_HYP_OFFSET_LOW 14 + #define ARM64_MISMATCHED_CACHE_LINE_SIZE 15 ++#define ARM64_UNMAP_KERNEL_AT_EL0 16 + +-#define ARM64_NCAPS 16 ++#define ARM64_NCAPS 17 + + #endif /* __ASM_CPUCAPS_H */ +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 26a68ddb11c1..1d47930c30dc 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -81,6 +81,7 @@ + + #define CAVIUM_CPU_PART_THUNDERX 0x0A1 + #define CAVIUM_CPU_PART_THUNDERX_81XX 0x0A2 ++#define CAVIUM_CPU_PART_THUNDERX2 0x0AF + + #define BRCM_CPU_PART_VULCAN 0x516 + +@@ -88,6 +89,8 @@ + #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) ++#define MIDR_CAVIUM_THUNDERX2 MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX2) ++#define MIDR_BRCM_VULCAN MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_VULCAN) + + #ifndef __ASSEMBLY__ + +diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h +index caf86be815ba..d8e58051f32d 100644 +--- a/arch/arm64/include/asm/fixmap.h ++++ b/arch/arm64/include/asm/fixmap.h +@@ -51,6 +51,12 @@ enum fixed_addresses { + + FIX_EARLYCON_MEM_BASE, + FIX_TEXT_POKE0, ++ ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ FIX_ENTRY_TRAMP_DATA, ++ FIX_ENTRY_TRAMP_TEXT, ++#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT)) ++#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ + __end_of_permanent_fixed_addresses, + + /* +diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h +index 53211a0acf0f..5e3faba689e0 100644 +--- a/arch/arm64/include/asm/memory.h ++++ b/arch/arm64/include/asm/memory.h +@@ -64,8 +64,10 @@ + * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area. + */ + #define VA_BITS (CONFIG_ARM64_VA_BITS) +-#define VA_START (UL(0xffffffffffffffff) << VA_BITS) +-#define PAGE_OFFSET (UL(0xffffffffffffffff) << (VA_BITS - 1)) ++#define VA_START (UL(0xffffffffffffffff) - \ ++ (UL(1) << VA_BITS) + 1) ++#define PAGE_OFFSET (UL(0xffffffffffffffff) - \ ++ (UL(1) << (VA_BITS - 1)) + 1) + #define KIMAGE_VADDR (MODULES_END) + #define MODULES_END (MODULES_VADDR + MODULES_VSIZE) + #define MODULES_VADDR (VA_START + KASAN_SHADOW_SIZE) +diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h +index 8d9fce037b2f..a813edf28737 100644 +--- a/arch/arm64/include/asm/mmu.h ++++ b/arch/arm64/include/asm/mmu.h +@@ -16,6 +16,10 @@ + #ifndef __ASM_MMU_H + #define __ASM_MMU_H + ++#define USER_ASID_FLAG (UL(1) << 48) ++ ++#ifndef __ASSEMBLY__ ++ + typedef struct { + atomic64_t id; + void *vdso; +@@ -28,6 +32,12 @@ typedef struct { + */ + #define ASID(mm) ((mm)->context.id.counter & 0xffff) + ++static inline bool arm64_kernel_unmapped_at_el0(void) ++{ ++ return IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0) && ++ cpus_have_cap(ARM64_UNMAP_KERNEL_AT_EL0); ++} ++ + extern void paging_init(void); + extern void bootmem_init(void); + extern void __iomem *early_io_map(phys_addr_t phys, unsigned long virt); +@@ -37,4 +47,5 @@ extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, + pgprot_t prot, bool allow_block_mappings); + extern void *fixmap_remap_fdt(phys_addr_t dt_phys); + ++#endif /* !__ASSEMBLY__ */ + #endif +diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h +index a50185375f09..b96c4799f881 100644 +--- a/arch/arm64/include/asm/mmu_context.h ++++ b/arch/arm64/include/asm/mmu_context.h +@@ -50,6 +50,13 @@ static inline void cpu_set_reserved_ttbr0(void) + isb(); + } + ++static inline void cpu_switch_mm(pgd_t *pgd, struct mm_struct *mm) ++{ ++ BUG_ON(pgd == swapper_pg_dir); ++ cpu_set_reserved_ttbr0(); ++ cpu_do_switch_mm(virt_to_phys(pgd),mm); ++} ++ + /* + * TCR.T0SZ value to use when the ID map is active. Usually equals + * TCR_T0SZ(VA_BITS), unless system RAM is positioned very high in +diff --git a/arch/arm64/include/asm/pgtable-hwdef.h b/arch/arm64/include/asm/pgtable-hwdef.h +index eb0c2bd90de9..8df4cb6ac6f7 100644 +--- a/arch/arm64/include/asm/pgtable-hwdef.h ++++ b/arch/arm64/include/asm/pgtable-hwdef.h +@@ -272,6 +272,7 @@ + #define TCR_TG1_4K (UL(2) << TCR_TG1_SHIFT) + #define TCR_TG1_64K (UL(3) << TCR_TG1_SHIFT) + ++#define TCR_A1 (UL(1) << 22) + #define TCR_ASID16 (UL(1) << 36) + #define TCR_TBI0 (UL(1) << 37) + #define TCR_HA (UL(1) << 39) +diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h +index 2142c7726e76..f705d96a76f2 100644 +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -34,8 +34,14 @@ + + #include <asm/pgtable-types.h> + +-#define PROT_DEFAULT (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED) +-#define PROT_SECT_DEFAULT (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S) ++#define _PROT_DEFAULT (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED) ++#define _PROT_SECT_DEFAULT (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S) ++ ++#define PTE_MAYBE_NG (arm64_kernel_unmapped_at_el0() ? PTE_NG : 0) ++#define PMD_MAYBE_NG (arm64_kernel_unmapped_at_el0() ? PMD_SECT_NG : 0) ++ ++#define PROT_DEFAULT (_PROT_DEFAULT | PTE_MAYBE_NG) ++#define PROT_SECT_DEFAULT (_PROT_SECT_DEFAULT | PMD_MAYBE_NG) + + #define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE)) + #define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE)) +@@ -47,23 +53,24 @@ + #define PROT_SECT_NORMAL (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL)) + #define PROT_SECT_NORMAL_EXEC (PROT_SECT_DEFAULT | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL)) + +-#define _PAGE_DEFAULT (PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL)) ++#define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL)) ++#define _HYP_PAGE_DEFAULT _PAGE_DEFAULT + +-#define PAGE_KERNEL __pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE) +-#define PAGE_KERNEL_RO __pgprot(_PAGE_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_RDONLY) +-#define PAGE_KERNEL_ROX __pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_RDONLY) +-#define PAGE_KERNEL_EXEC __pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE) +-#define PAGE_KERNEL_EXEC_CONT __pgprot(_PAGE_DEFAULT | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_CONT) ++#define PAGE_KERNEL __pgprot(PROT_NORMAL) ++#define PAGE_KERNEL_RO __pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY) ++#define PAGE_KERNEL_ROX __pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY) ++#define PAGE_KERNEL_EXEC __pgprot(PROT_NORMAL & ~PTE_PXN) ++#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT) + +-#define PAGE_HYP __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN) +-#define PAGE_HYP_EXEC __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY) +-#define PAGE_HYP_RO __pgprot(_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN) ++#define PAGE_HYP __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_HYP_XN) ++#define PAGE_HYP_EXEC __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY) ++#define PAGE_HYP_RO __pgprot(_HYP_PAGE_DEFAULT | PTE_HYP | PTE_RDONLY | PTE_HYP_XN) + #define PAGE_HYP_DEVICE __pgprot(PROT_DEVICE_nGnRE | PTE_HYP) + +-#define PAGE_S2 __pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY) +-#define PAGE_S2_DEVICE __pgprot(PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN) ++#define PAGE_S2 __pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_NORMAL) | PTE_S2_RDONLY) ++#define PAGE_S2_DEVICE __pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN) + +-#define PAGE_NONE __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_PXN | PTE_UXN) ++#define PAGE_NONE __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_NG | PTE_PXN | PTE_UXN) + #define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE) + #define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE) + #define PAGE_COPY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN) +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 7acd3c5c7643..3a30a3994e4a 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -692,6 +692,7 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, + + extern pgd_t swapper_pg_dir[PTRS_PER_PGD]; + extern pgd_t idmap_pg_dir[PTRS_PER_PGD]; ++extern pgd_t tramp_pg_dir[PTRS_PER_PGD]; + + /* + * Encode and decode a swap entry: +diff --git a/arch/arm64/include/asm/proc-fns.h b/arch/arm64/include/asm/proc-fns.h +index 14ad6e4e87d1..16cef2e8449e 100644 +--- a/arch/arm64/include/asm/proc-fns.h ++++ b/arch/arm64/include/asm/proc-fns.h +@@ -35,12 +35,6 @@ extern u64 cpu_do_resume(phys_addr_t ptr, u64 idmap_ttbr); + + #include <asm/memory.h> + +-#define cpu_switch_mm(pgd,mm) \ +-do { \ +- BUG_ON(pgd == swapper_pg_dir); \ +- cpu_do_switch_mm(virt_to_phys(pgd),mm); \ +-} while (0) +- + #endif /* __ASSEMBLY__ */ + #endif /* __KERNEL__ */ + #endif /* __ASM_PROCFNS_H */ +diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h +index 7393cc767edb..7cb7f7cdcfbc 100644 +--- a/arch/arm64/include/asm/sysreg.h ++++ b/arch/arm64/include/asm/sysreg.h +@@ -117,6 +117,7 @@ + #define ID_AA64ISAR0_AES_SHIFT 4 + + /* id_aa64pfr0 */ ++#define ID_AA64PFR0_CSV3_SHIFT 60 + #define ID_AA64PFR0_GIC_SHIFT 24 + #define ID_AA64PFR0_ASIMD_SHIFT 20 + #define ID_AA64PFR0_FP_SHIFT 16 +diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h +index deab52374119..ad6bd8b26ada 100644 +--- a/arch/arm64/include/asm/tlbflush.h ++++ b/arch/arm64/include/asm/tlbflush.h +@@ -23,6 +23,7 @@ + + #include <linux/sched.h> + #include <asm/cputype.h> ++#include <asm/mmu.h> + + /* + * Raw TLBI operations. +@@ -42,6 +43,11 @@ + + #define __tlbi(op, ...) __TLBI_N(op, ##__VA_ARGS__, 1, 0) + ++#define __tlbi_user(op, arg) do { \ ++ if (arm64_kernel_unmapped_at_el0()) \ ++ __tlbi(op, (arg) | USER_ASID_FLAG); \ ++} while (0) ++ + /* + * TLB Management + * ============== +@@ -103,6 +109,7 @@ static inline void flush_tlb_mm(struct mm_struct *mm) + + dsb(ishst); + __tlbi(aside1is, asid); ++ __tlbi_user(aside1is, asid); + dsb(ish); + } + +@@ -113,6 +120,7 @@ static inline void flush_tlb_page(struct vm_area_struct *vma, + + dsb(ishst); + __tlbi(vale1is, addr); ++ __tlbi_user(vale1is, addr); + dsb(ish); + } + +@@ -139,10 +147,13 @@ static inline void __flush_tlb_range(struct vm_area_struct *vma, + + dsb(ishst); + for (addr = start; addr < end; addr += 1 << (PAGE_SHIFT - 12)) { +- if (last_level) ++ if (last_level) { + __tlbi(vale1is, addr); +- else ++ __tlbi_user(vale1is, addr); ++ } else { + __tlbi(vae1is, addr); ++ __tlbi_user(vae1is, addr); ++ } + } + dsb(ish); + } +@@ -182,6 +193,7 @@ static inline void __flush_tlb_pgtable(struct mm_struct *mm, + unsigned long addr = uaddr >> 12 | (ASID(mm) << 48); + + __tlbi(vae1is, addr); ++ __tlbi_user(vae1is, addr); + dsb(ish); + } + +diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c +index c58ddf8c4062..5f4bf3c6f016 100644 +--- a/arch/arm64/kernel/asm-offsets.c ++++ b/arch/arm64/kernel/asm-offsets.c +@@ -24,6 +24,7 @@ + #include <linux/kvm_host.h> + #include <linux/suspend.h> + #include <asm/cpufeature.h> ++#include <asm/fixmap.h> + #include <asm/thread_info.h> + #include <asm/memory.h> + #include <asm/smp_plat.h> +@@ -144,11 +145,14 @@ int main(void) + DEFINE(ARM_SMCCC_RES_X2_OFFS, offsetof(struct arm_smccc_res, a2)); + DEFINE(ARM_SMCCC_QUIRK_ID_OFFS, offsetof(struct arm_smccc_quirk, id)); + DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS, offsetof(struct arm_smccc_quirk, state)); +- + BLANK(); + DEFINE(HIBERN_PBE_ORIG, offsetof(struct pbe, orig_address)); + DEFINE(HIBERN_PBE_ADDR, offsetof(struct pbe, address)); + DEFINE(HIBERN_PBE_NEXT, offsetof(struct pbe, next)); + DEFINE(ARM64_FTR_SYSVAL, offsetof(struct arm64_ftr_reg, sys_val)); ++ BLANK(); ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ DEFINE(TRAMP_VALIAS, TRAMP_VALIAS); ++#endif + return 0; + } +diff --git a/arch/arm64/kernel/cpu-reset.S b/arch/arm64/kernel/cpu-reset.S +index 65f42d257414..f736a6f81ecd 100644 +--- a/arch/arm64/kernel/cpu-reset.S ++++ b/arch/arm64/kernel/cpu-reset.S +@@ -16,7 +16,7 @@ + #include <asm/virt.h> + + .text +-.pushsection .idmap.text, "ax" ++.pushsection .idmap.text, "awx" + + /* + * __cpu_soft_restart(el2_switch, entry, arg0, arg1, arg2) - Helper for +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 3a129d48674e..5056fc597ae9 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -93,7 +93,8 @@ static const struct arm64_ftr_bits ftr_id_aa64isar0[] = { + }; + + static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = { +- ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 32, 0), ++ ARM64_FTR_BITS(FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_CSV3_SHIFT, 4, 0), ++ ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 32, 28, 0), + ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 28, 4, 0), + ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, ID_AA64PFR0_GIC_SHIFT, 4, 0), + S_ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_ASIMD_SHIFT, 4, ID_AA64PFR0_ASIMD_NI), +@@ -746,6 +747,86 @@ static bool hyp_offset_low(const struct arm64_cpu_capabilities *entry, + return idmap_addr > GENMASK(VA_BITS - 2, 0) && !is_kernel_in_hyp_mode(); + } + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ ++ ++static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, ++ int __unused) ++{ ++ char const *str = "command line option"; ++ u64 pfr0 = read_system_reg(SYS_ID_AA64PFR0_EL1); ++ ++ /* ++ * For reasons that aren't entirely clear, enabling KPTI on Cavium ++ * ThunderX leads to apparent I-cache corruption of kernel text, which ++ * ends as well as you might imagine. Don't even try. ++ */ ++ if (cpus_have_cap(ARM64_WORKAROUND_CAVIUM_27456)) { ++ str = "ARM64_WORKAROUND_CAVIUM_27456"; ++ __kpti_forced = -1; ++ } ++ ++ /* Forced? */ ++ if (__kpti_forced) { ++ pr_info_once("kernel page table isolation forced %s by %s\n", ++ __kpti_forced > 0 ? "ON" : "OFF", str); ++ return __kpti_forced > 0; ++ } ++ ++ /* Useful for KASLR robustness */ ++ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) ++ return true; ++ ++ /* Don't force KPTI for CPUs that are not vulnerable */ ++ switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) { ++ case MIDR_CAVIUM_THUNDERX2: ++ case MIDR_BRCM_VULCAN: ++ return false; ++ } ++ ++ /* Defer to CPU feature registers */ ++ return !cpuid_feature_extract_unsigned_field(pfr0, ++ ID_AA64PFR0_CSV3_SHIFT); ++} ++ ++static int kpti_install_ng_mappings(void *__unused) ++{ ++ typedef void (kpti_remap_fn)(int, int, phys_addr_t); ++ extern kpti_remap_fn idmap_kpti_install_ng_mappings; ++ kpti_remap_fn *remap_fn; ++ ++ static bool kpti_applied = false; ++ int cpu = smp_processor_id(); ++ ++ if (kpti_applied) ++ return 0; ++ ++ remap_fn = (void *)__pa_symbol(idmap_kpti_install_ng_mappings); ++ ++ cpu_install_idmap(); ++ remap_fn(cpu, num_online_cpus(), __pa_symbol(swapper_pg_dir)); ++ cpu_uninstall_idmap(); ++ ++ if (!cpu) ++ kpti_applied = true; ++ ++ return 0; ++} ++ ++static int __init parse_kpti(char *str) ++{ ++ bool enabled; ++ int ret = strtobool(str, &enabled); ++ ++ if (ret) ++ return ret; ++ ++ __kpti_forced = enabled ? 1 : -1; ++ return 0; ++} ++__setup("kpti=", parse_kpti); ++#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ ++ + static const struct arm64_cpu_capabilities arm64_features[] = { + { + .desc = "GIC system register CPU interface", +@@ -829,6 +910,15 @@ static const struct arm64_cpu_capabilities arm64_features[] = { + .def_scope = SCOPE_SYSTEM, + .matches = hyp_offset_low, + }, ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ { ++ .desc = "Kernel page table isolation (KPTI)", ++ .capability = ARM64_UNMAP_KERNEL_AT_EL0, ++ .def_scope = SCOPE_SYSTEM, ++ .matches = unmap_kernel_at_el0, ++ .enable = kpti_install_ng_mappings, ++ }, ++#endif + {}, + }; + +@@ -922,6 +1012,26 @@ static void __init setup_elf_hwcaps(const struct arm64_cpu_capabilities *hwcaps) + cap_set_elf_hwcap(hwcaps); + } + ++/* ++ * Check if the current CPU has a given feature capability. ++ * Should be called from non-preemptible context. ++ */ ++static bool __this_cpu_has_cap(const struct arm64_cpu_capabilities *cap_array, ++ unsigned int cap) ++{ ++ const struct arm64_cpu_capabilities *caps; ++ ++ if (WARN_ON(preemptible())) ++ return false; ++ ++ for (caps = cap_array; caps->desc; caps++) ++ if (caps->capability == cap && ++ caps->matches && ++ caps->matches(caps, SCOPE_LOCAL_CPU)) ++ return true; ++ return false; ++} ++ + void update_cpu_capabilities(const struct arm64_cpu_capabilities *caps, + const char *info) + { +@@ -990,8 +1100,9 @@ verify_local_elf_hwcaps(const struct arm64_cpu_capabilities *caps) + } + + static void +-verify_local_cpu_features(const struct arm64_cpu_capabilities *caps) ++verify_local_cpu_features(const struct arm64_cpu_capabilities *caps_list) + { ++ const struct arm64_cpu_capabilities *caps = caps_list; + for (; caps->matches; caps++) { + if (!cpus_have_cap(caps->capability)) + continue; +@@ -999,7 +1110,7 @@ verify_local_cpu_features(const struct arm64_cpu_capabilities *caps) + * If the new CPU misses an advertised feature, we cannot proceed + * further, park the cpu. + */ +- if (!caps->matches(caps, SCOPE_LOCAL_CPU)) { ++ if (!__this_cpu_has_cap(caps_list, caps->capability)) { + pr_crit("CPU%d: missing feature: %s\n", + smp_processor_id(), caps->desc); + cpu_die_early(); +@@ -1052,22 +1163,12 @@ static void __init setup_feature_capabilities(void) + enable_cpu_capabilities(arm64_features); + } + +-/* +- * Check if the current CPU has a given feature capability. +- * Should be called from non-preemptible context. +- */ ++extern const struct arm64_cpu_capabilities arm64_errata[]; ++ + bool this_cpu_has_cap(unsigned int cap) + { +- const struct arm64_cpu_capabilities *caps; +- +- if (WARN_ON(preemptible())) +- return false; +- +- for (caps = arm64_features; caps->desc; caps++) +- if (caps->capability == cap && caps->matches) +- return caps->matches(caps, SCOPE_LOCAL_CPU); +- +- return false; ++ return (__this_cpu_has_cap(arm64_features, cap) || ++ __this_cpu_has_cap(arm64_errata, cap)); + } + + void __init setup_cpu_features(void) +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index b4c7db434654..8d1600b18562 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -29,9 +29,11 @@ + #include <asm/esr.h> + #include <asm/irq.h> + #include <asm/memory.h> ++#include <asm/mmu.h> + #include <asm/thread_info.h> + #include <asm/asm-uaccess.h> + #include <asm/unistd.h> ++#include <asm/kernel-pgtable.h> + + /* + * Context tracking subsystem. Used to instrument transitions +@@ -68,8 +70,31 @@ + #define BAD_FIQ 2 + #define BAD_ERROR 3 + +- .macro kernel_entry, el, regsize = 64 ++ .macro kernel_ventry, el, label, regsize = 64 ++ .align 7 ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++alternative_if ARM64_UNMAP_KERNEL_AT_EL0 ++ .if \el == 0 ++ .if \regsize == 64 ++ mrs x30, tpidrro_el0 ++ msr tpidrro_el0, xzr ++ .else ++ mov x30, xzr ++ .endif ++ .endif ++alternative_else_nop_endif ++#endif ++ + sub sp, sp, #S_FRAME_SIZE ++ b el\()\el\()_\label ++ .endm ++ ++ .macro tramp_alias, dst, sym ++ mov_q \dst, TRAMP_VALIAS ++ add \dst, \dst, #(\sym - .entry.tramp.text) ++ .endm ++ ++ .macro kernel_entry, el, regsize = 64 + .if \regsize == 32 + mov w0, w0 // zero upper 32 bits of x0 + .endif +@@ -150,18 +175,20 @@ + ct_user_enter + ldr x23, [sp, #S_SP] // load return stack pointer + msr sp_el0, x23 ++ tst x22, #PSR_MODE32_BIT // native task? ++ b.eq 3f ++ + #ifdef CONFIG_ARM64_ERRATUM_845719 + alternative_if ARM64_WORKAROUND_845719 +- tbz x22, #4, 1f + #ifdef CONFIG_PID_IN_CONTEXTIDR + mrs x29, contextidr_el1 + msr contextidr_el1, x29 + #else + msr contextidr_el1, xzr + #endif +-1: + alternative_else_nop_endif + #endif ++3: + .endif + msr elr_el1, x21 // set up the return data + msr spsr_el1, x22 +@@ -182,7 +209,21 @@ alternative_else_nop_endif + ldp x28, x29, [sp, #16 * 14] + ldr lr, [sp, #S_LR] + add sp, sp, #S_FRAME_SIZE // restore sp +- eret // return to kernel ++ ++ .if \el == 0 ++alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0 ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ bne 4f ++ msr far_el1, x30 ++ tramp_alias x30, tramp_exit_native ++ br x30 ++4: ++ tramp_alias x30, tramp_exit_compat ++ br x30 ++#endif ++ .else ++ eret ++ .endif + .endm + + .macro get_thread_info, rd +@@ -257,31 +298,31 @@ tsk .req x28 // current thread_info + + .align 11 + ENTRY(vectors) +- ventry el1_sync_invalid // Synchronous EL1t +- ventry el1_irq_invalid // IRQ EL1t +- ventry el1_fiq_invalid // FIQ EL1t +- ventry el1_error_invalid // Error EL1t ++ kernel_ventry 1, sync_invalid // Synchronous EL1t ++ kernel_ventry 1, irq_invalid // IRQ EL1t ++ kernel_ventry 1, fiq_invalid // FIQ EL1t ++ kernel_ventry 1, error_invalid // Error EL1t + +- ventry el1_sync // Synchronous EL1h +- ventry el1_irq // IRQ EL1h +- ventry el1_fiq_invalid // FIQ EL1h +- ventry el1_error_invalid // Error EL1h ++ kernel_ventry 1, sync // Synchronous EL1h ++ kernel_ventry 1, irq // IRQ EL1h ++ kernel_ventry 1, fiq_invalid // FIQ EL1h ++ kernel_ventry 1, error_invalid // Error EL1h + +- ventry el0_sync // Synchronous 64-bit EL0 +- ventry el0_irq // IRQ 64-bit EL0 +- ventry el0_fiq_invalid // FIQ 64-bit EL0 +- ventry el0_error_invalid // Error 64-bit EL0 ++ kernel_ventry 0, sync // Synchronous 64-bit EL0 ++ kernel_ventry 0, irq // IRQ 64-bit EL0 ++ kernel_ventry 0, fiq_invalid // FIQ 64-bit EL0 ++ kernel_ventry 0, error_invalid // Error 64-bit EL0 + + #ifdef CONFIG_COMPAT +- ventry el0_sync_compat // Synchronous 32-bit EL0 +- ventry el0_irq_compat // IRQ 32-bit EL0 +- ventry el0_fiq_invalid_compat // FIQ 32-bit EL0 +- ventry el0_error_invalid_compat // Error 32-bit EL0 ++ kernel_ventry 0, sync_compat, 32 // Synchronous 32-bit EL0 ++ kernel_ventry 0, irq_compat, 32 // IRQ 32-bit EL0 ++ kernel_ventry 0, fiq_invalid_compat, 32 // FIQ 32-bit EL0 ++ kernel_ventry 0, error_invalid_compat, 32 // Error 32-bit EL0 + #else +- ventry el0_sync_invalid // Synchronous 32-bit EL0 +- ventry el0_irq_invalid // IRQ 32-bit EL0 +- ventry el0_fiq_invalid // FIQ 32-bit EL0 +- ventry el0_error_invalid // Error 32-bit EL0 ++ kernel_ventry 0, sync_invalid, 32 // Synchronous 32-bit EL0 ++ kernel_ventry 0, irq_invalid, 32 // IRQ 32-bit EL0 ++ kernel_ventry 0, fiq_invalid, 32 // FIQ 32-bit EL0 ++ kernel_ventry 0, error_invalid, 32 // Error 32-bit EL0 + #endif + END(vectors) + +@@ -801,6 +842,105 @@ __ni_sys_trace: + + .popsection // .entry.text + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++/* ++ * Exception vectors trampoline. ++ */ ++ .pushsection ".entry.tramp.text", "ax" ++ ++ .macro tramp_map_kernel, tmp ++ mrs \tmp, ttbr1_el1 ++ sub \tmp, \tmp, #SWAPPER_DIR_SIZE ++ bic \tmp, \tmp, #USER_ASID_FLAG ++ msr ttbr1_el1, \tmp ++ .endm ++ ++ .macro tramp_unmap_kernel, tmp ++ mrs \tmp, ttbr1_el1 ++ add \tmp, \tmp, #SWAPPER_DIR_SIZE ++ orr \tmp, \tmp, #USER_ASID_FLAG ++ msr ttbr1_el1, \tmp ++ /* ++ * We avoid running the post_ttbr_update_workaround here because ++ * it's only needed by Cavium ThunderX, which requires KPTI to be ++ * disabled. ++ */ ++ .endm ++ ++ .macro tramp_ventry, regsize = 64 ++ .align 7 ++1: ++ .if \regsize == 64 ++ msr tpidrro_el0, x30 // Restored in kernel_ventry ++ .endif ++ /* ++ * Defend against branch aliasing attacks by pushing a dummy ++ * entry onto the return stack and using a RET instruction to ++ * enter the full-fat kernel vectors. ++ */ ++ bl 2f ++ b . ++2: ++ tramp_map_kernel x30 ++#ifdef CONFIG_RANDOMIZE_BASE ++ adr x30, tramp_vectors + PAGE_SIZE ++ isb ++ ldr x30, [x30] ++#else ++ ldr x30, =vectors ++#endif ++ prfm plil1strm, [x30, #(1b - tramp_vectors)] ++ msr vbar_el1, x30 ++ add x30, x30, #(1b - tramp_vectors) ++ isb ++ ret ++ .endm ++ ++ .macro tramp_exit, regsize = 64 ++ adr x30, tramp_vectors ++ msr vbar_el1, x30 ++ tramp_unmap_kernel x30 ++ .if \regsize == 64 ++ mrs x30, far_el1 ++ .endif ++ eret ++ .endm ++ ++ .align 11 ++ENTRY(tramp_vectors) ++ .space 0x400 ++ ++ tramp_ventry ++ tramp_ventry ++ tramp_ventry ++ tramp_ventry ++ ++ tramp_ventry 32 ++ tramp_ventry 32 ++ tramp_ventry 32 ++ tramp_ventry 32 ++END(tramp_vectors) ++ ++ENTRY(tramp_exit_native) ++ tramp_exit ++END(tramp_exit_native) ++ ++ENTRY(tramp_exit_compat) ++ tramp_exit 32 ++END(tramp_exit_compat) ++ ++ .ltorg ++ .popsection // .entry.tramp.text ++#ifdef CONFIG_RANDOMIZE_BASE ++ .pushsection ".rodata", "a" ++ .align PAGE_SHIFT ++ .globl __entry_tramp_data_start ++__entry_tramp_data_start: ++ .quad vectors ++ .popsection // .rodata ++#endif /* CONFIG_RANDOMIZE_BASE */ ++#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */ ++ + /* + * Special system call wrappers. + */ +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 539bebc1222f..fa52817d84c5 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -473,7 +473,7 @@ ENDPROC(__primary_switched) + * end early head section, begin head code that is also used for + * hotplug and needs to have the same protections as the text region + */ +- .section ".idmap.text","ax" ++ .section ".idmap.text","awx" + + ENTRY(kimage_vaddr) + .quad _text - TEXT_OFFSET +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index 0e7394915c70..0972ce58316d 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -306,17 +306,17 @@ int copy_thread(unsigned long clone_flags, unsigned long stack_start, + + static void tls_thread_switch(struct task_struct *next) + { +- unsigned long tpidr, tpidrro; ++ unsigned long tpidr; + + tpidr = read_sysreg(tpidr_el0); + *task_user_tls(current) = tpidr; + +- tpidr = *task_user_tls(next); +- tpidrro = is_compat_thread(task_thread_info(next)) ? +- next->thread.tp_value : 0; ++ if (is_compat_thread(task_thread_info(next))) ++ write_sysreg(next->thread.tp_value, tpidrro_el0); ++ else if (!arm64_kernel_unmapped_at_el0()) ++ write_sysreg(0, tpidrro_el0); + +- write_sysreg(tpidr, tpidr_el0); +- write_sysreg(tpidrro, tpidrro_el0); ++ write_sysreg(*task_user_tls(next), tpidr_el0); + } + + /* Restore the UAO state depending on next's addr_limit */ +diff --git a/arch/arm64/kernel/sleep.S b/arch/arm64/kernel/sleep.S +index 1bec41b5fda3..0030d6964e65 100644 +--- a/arch/arm64/kernel/sleep.S ++++ b/arch/arm64/kernel/sleep.S +@@ -95,7 +95,7 @@ ENTRY(__cpu_suspend_enter) + ret + ENDPROC(__cpu_suspend_enter) + +- .pushsection ".idmap.text", "ax" ++ .pushsection ".idmap.text", "awx" + ENTRY(cpu_resume) + bl el2_setup // if in EL2 drop to EL1 cleanly + bl __cpu_setup +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 1105aab1e6d6..6a584558b29d 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -56,6 +56,17 @@ jiffies = jiffies_64; + #define HIBERNATE_TEXT + #endif + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++#define TRAMP_TEXT \ ++ . = ALIGN(PAGE_SIZE); \ ++ VMLINUX_SYMBOL(__entry_tramp_text_start) = .; \ ++ *(.entry.tramp.text) \ ++ . = ALIGN(PAGE_SIZE); \ ++ VMLINUX_SYMBOL(__entry_tramp_text_end) = .; ++#else ++#define TRAMP_TEXT ++#endif ++ + /* + * The size of the PE/COFF section that covers the kernel image, which + * runs from stext to _edata, must be a round multiple of the PE/COFF +@@ -128,6 +139,7 @@ SECTIONS + HYPERVISOR_TEXT + IDMAP_TEXT + HIBERNATE_TEXT ++ TRAMP_TEXT + *(.fixup) + *(.gnu.warning) + . = ALIGN(16); +@@ -216,6 +228,11 @@ SECTIONS + swapper_pg_dir = .; + . += SWAPPER_DIR_SIZE; + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ tramp_pg_dir = .; ++ . += PAGE_SIZE; ++#endif ++ + _end = .; + + STABS_DEBUG +@@ -235,7 +252,10 @@ ASSERT(__idmap_text_end - (__idmap_text_start & ~(SZ_4K - 1)) <= SZ_4K, + ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1)) + <= SZ_4K, "Hibernate exit text too big or misaligned") + #endif +- ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE, ++ "Entry trampoline text too big") ++#endif + /* + * If padding is applied before .head.text, virt<->phys conversions will fail. + */ +diff --git a/arch/arm64/mm/context.c b/arch/arm64/mm/context.c +index efcf1f7ef1e4..f00f5eeb556f 100644 +--- a/arch/arm64/mm/context.c ++++ b/arch/arm64/mm/context.c +@@ -39,7 +39,16 @@ static cpumask_t tlb_flush_pending; + + #define ASID_MASK (~GENMASK(asid_bits - 1, 0)) + #define ASID_FIRST_VERSION (1UL << asid_bits) +-#define NUM_USER_ASIDS ASID_FIRST_VERSION ++ ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++#define NUM_USER_ASIDS (ASID_FIRST_VERSION >> 1) ++#define asid2idx(asid) (((asid) & ~ASID_MASK) >> 1) ++#define idx2asid(idx) (((idx) << 1) & ~ASID_MASK) ++#else ++#define NUM_USER_ASIDS (ASID_FIRST_VERSION) ++#define asid2idx(asid) ((asid) & ~ASID_MASK) ++#define idx2asid(idx) asid2idx(idx) ++#endif + + /* Get the ASIDBits supported by the current CPU */ + static u32 get_cpu_asid_bits(void) +@@ -104,7 +113,7 @@ static void flush_context(unsigned int cpu) + */ + if (asid == 0) + asid = per_cpu(reserved_asids, i); +- __set_bit(asid & ~ASID_MASK, asid_map); ++ __set_bit(asid2idx(asid), asid_map); + per_cpu(reserved_asids, i) = asid; + } + +@@ -159,16 +168,16 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu) + * We had a valid ASID in a previous life, so try to re-use + * it if possible. + */ +- asid &= ~ASID_MASK; +- if (!__test_and_set_bit(asid, asid_map)) ++ if (!__test_and_set_bit(asid2idx(asid), asid_map)) + return newasid; + } + + /* + * Allocate a free ASID. If we can't find one, take a note of the +- * currently active ASIDs and mark the TLBs as requiring flushes. +- * We always count from ASID #1, as we use ASID #0 when setting a +- * reserved TTBR0 for the init_mm. ++ * currently active ASIDs and mark the TLBs as requiring flushes. We ++ * always count from ASID #2 (index 1), as we use ASID #0 when setting ++ * a reserved TTBR0 for the init_mm and we allocate ASIDs in even/odd ++ * pairs. + */ + asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx); + if (asid != NUM_USER_ASIDS) +@@ -185,7 +194,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu) + set_asid: + __set_bit(asid, asid_map); + cur_idx = asid; +- return asid | generation; ++ return idx2asid(asid) | generation; + } + + void check_and_switch_context(struct mm_struct *mm, unsigned int cpu) +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 638f7f2bd79c..4cd4862845cd 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -419,6 +419,37 @@ static void __init map_kernel_segment(pgd_t *pgd, void *va_start, void *va_end, + vm_area_add_early(vma); + } + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++static int __init map_entry_trampoline(void) ++{ ++ extern char __entry_tramp_text_start[]; ++ ++ pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; ++ phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); ++ ++ /* The trampoline is always mapped and can therefore be global */ ++ pgprot_val(prot) &= ~PTE_NG; ++ ++ /* Map only the text into the trampoline page table */ ++ memset(tramp_pg_dir, 0, PGD_SIZE); ++ __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE, ++ prot, pgd_pgtable_alloc, 0); ++ ++ /* Map both the text and data into the kernel page table */ ++ __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot); ++ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { ++ extern char __entry_tramp_data_start[]; ++ ++ __set_fixmap(FIX_ENTRY_TRAMP_DATA, ++ __pa_symbol(__entry_tramp_data_start), ++ PAGE_KERNEL_RO); ++ } ++ ++ return 0; ++} ++core_initcall(map_entry_trampoline); ++#endif ++ + /* + * Create fine-grained mappings for the kernel. + */ +diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S +index 352c73b6a59e..c07d9cc057e6 100644 +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -83,7 +83,7 @@ ENDPROC(cpu_do_suspend) + * + * x0: Address of context pointer + */ +- .pushsection ".idmap.text", "ax" ++ .pushsection ".idmap.text", "awx" + ENTRY(cpu_do_resume) + ldp x2, x3, [x0] + ldp x4, x5, [x0, #16] +@@ -132,9 +132,12 @@ ENDPROC(cpu_do_resume) + * - pgd_phys - physical address of new TTB + */ + ENTRY(cpu_do_switch_mm) ++ mrs x2, ttbr1_el1 + mmid x1, x1 // get mm->context.id +- bfi x0, x1, #48, #16 // set the ASID +- msr ttbr0_el1, x0 // set TTBR0 ++ bfi x2, x1, #48, #16 // set the ASID ++ msr ttbr1_el1, x2 // in TTBR1 (since TCR.A1 is set) ++ isb ++ msr ttbr0_el1, x0 // now update TTBR0 + isb + alternative_if ARM64_WORKAROUND_CAVIUM_27456 + ic iallu +@@ -144,7 +147,17 @@ alternative_else_nop_endif + ret + ENDPROC(cpu_do_switch_mm) + +- .pushsection ".idmap.text", "ax" ++ .pushsection ".idmap.text", "awx" ++ ++.macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2 ++ adrp \tmp1, empty_zero_page ++ msr ttbr1_el1, \tmp1 ++ isb ++ tlbi vmalle1 ++ dsb nsh ++ isb ++.endm ++ + /* + * void idmap_cpu_replace_ttbr1(phys_addr_t new_pgd) + * +@@ -155,13 +168,7 @@ ENTRY(idmap_cpu_replace_ttbr1) + mrs x2, daif + msr daifset, #0xf + +- adrp x1, empty_zero_page +- msr ttbr1_el1, x1 +- isb +- +- tlbi vmalle1 +- dsb nsh +- isb ++ __idmap_cpu_set_reserved_ttbr1 x1, x3 + + msr ttbr1_el1, x0 + isb +@@ -172,13 +179,196 @@ ENTRY(idmap_cpu_replace_ttbr1) + ENDPROC(idmap_cpu_replace_ttbr1) + .popsection + ++#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ .pushsection ".idmap.text", "awx" ++ ++ .macro __idmap_kpti_get_pgtable_ent, type ++ dc cvac, cur_\()\type\()p // Ensure any existing dirty ++ dmb sy // lines are written back before ++ ldr \type, [cur_\()\type\()p] // loading the entry ++ tbz \type, #0, next_\()\type // Skip invalid entries ++ .endm ++ ++ .macro __idmap_kpti_put_pgtable_ent_ng, type ++ orr \type, \type, #PTE_NG // Same bit for blocks and pages ++ str \type, [cur_\()\type\()p] // Update the entry and ensure it ++ dc civac, cur_\()\type\()p // is visible to all CPUs. ++ .endm ++ ++/* ++ * void __kpti_install_ng_mappings(int cpu, int num_cpus, phys_addr_t swapper) ++ * ++ * Called exactly once from stop_machine context by each CPU found during boot. ++ */ ++__idmap_kpti_flag: ++ .long 1 ++ENTRY(idmap_kpti_install_ng_mappings) ++ cpu .req w0 ++ num_cpus .req w1 ++ swapper_pa .req x2 ++ swapper_ttb .req x3 ++ flag_ptr .req x4 ++ cur_pgdp .req x5 ++ end_pgdp .req x6 ++ pgd .req x7 ++ cur_pudp .req x8 ++ end_pudp .req x9 ++ pud .req x10 ++ cur_pmdp .req x11 ++ end_pmdp .req x12 ++ pmd .req x13 ++ cur_ptep .req x14 ++ end_ptep .req x15 ++ pte .req x16 ++ ++ mrs swapper_ttb, ttbr1_el1 ++ adr flag_ptr, __idmap_kpti_flag ++ ++ cbnz cpu, __idmap_kpti_secondary ++ ++ /* We're the boot CPU. Wait for the others to catch up */ ++ sevl ++1: wfe ++ ldaxr w18, [flag_ptr] ++ eor w18, w18, num_cpus ++ cbnz w18, 1b ++ ++ /* We need to walk swapper, so turn off the MMU. */ ++ mrs x18, sctlr_el1 ++ bic x18, x18, #SCTLR_ELx_M ++ msr sctlr_el1, x18 ++ isb ++ ++ /* Everybody is enjoying the idmap, so we can rewrite swapper. */ ++ /* PGD */ ++ mov cur_pgdp, swapper_pa ++ add end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8) ++do_pgd: __idmap_kpti_get_pgtable_ent pgd ++ tbnz pgd, #1, walk_puds ++ __idmap_kpti_put_pgtable_ent_ng pgd ++next_pgd: ++ add cur_pgdp, cur_pgdp, #8 ++ cmp cur_pgdp, end_pgdp ++ b.ne do_pgd ++ ++ /* Publish the updated tables and nuke all the TLBs */ ++ dsb sy ++ tlbi vmalle1is ++ dsb ish ++ isb ++ ++ /* We're done: fire up the MMU again */ ++ mrs x18, sctlr_el1 ++ orr x18, x18, #SCTLR_ELx_M ++ msr sctlr_el1, x18 ++ isb ++ ++ /* Set the flag to zero to indicate that we're all done */ ++ str wzr, [flag_ptr] ++ ret ++ ++ /* PUD */ ++walk_puds: ++ .if CONFIG_PGTABLE_LEVELS > 3 ++ pte_to_phys cur_pudp, pgd ++ add end_pudp, cur_pudp, #(PTRS_PER_PUD * 8) ++do_pud: __idmap_kpti_get_pgtable_ent pud ++ tbnz pud, #1, walk_pmds ++ __idmap_kpti_put_pgtable_ent_ng pud ++next_pud: ++ add cur_pudp, cur_pudp, 8 ++ cmp cur_pudp, end_pudp ++ b.ne do_pud ++ b next_pgd ++ .else /* CONFIG_PGTABLE_LEVELS <= 3 */ ++ mov pud, pgd ++ b walk_pmds ++next_pud: ++ b next_pgd ++ .endif ++ ++ /* PMD */ ++walk_pmds: ++ .if CONFIG_PGTABLE_LEVELS > 2 ++ pte_to_phys cur_pmdp, pud ++ add end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8) ++do_pmd: __idmap_kpti_get_pgtable_ent pmd ++ tbnz pmd, #1, walk_ptes ++ __idmap_kpti_put_pgtable_ent_ng pmd ++next_pmd: ++ add cur_pmdp, cur_pmdp, #8 ++ cmp cur_pmdp, end_pmdp ++ b.ne do_pmd ++ b next_pud ++ .else /* CONFIG_PGTABLE_LEVELS <= 2 */ ++ mov pmd, pud ++ b walk_ptes ++next_pmd: ++ b next_pud ++ .endif ++ ++ /* PTE */ ++walk_ptes: ++ pte_to_phys cur_ptep, pmd ++ add end_ptep, cur_ptep, #(PTRS_PER_PTE * 8) ++do_pte: __idmap_kpti_get_pgtable_ent pte ++ __idmap_kpti_put_pgtable_ent_ng pte ++next_pte: ++ add cur_ptep, cur_ptep, #8 ++ cmp cur_ptep, end_ptep ++ b.ne do_pte ++ b next_pmd ++ ++ /* Secondary CPUs end up here */ ++__idmap_kpti_secondary: ++ /* Uninstall swapper before surgery begins */ ++ __idmap_cpu_set_reserved_ttbr1 x18, x17 ++ ++ /* Increment the flag to let the boot CPU we're ready */ ++1: ldxr w18, [flag_ptr] ++ add w18, w18, #1 ++ stxr w17, w18, [flag_ptr] ++ cbnz w17, 1b ++ ++ /* Wait for the boot CPU to finish messing around with swapper */ ++ sevl ++1: wfe ++ ldxr w18, [flag_ptr] ++ cbnz w18, 1b ++ ++ /* All done, act like nothing happened */ ++ msr ttbr1_el1, swapper_ttb ++ isb ++ ret ++ ++ .unreq cpu ++ .unreq num_cpus ++ .unreq swapper_pa ++ .unreq swapper_ttb ++ .unreq flag_ptr ++ .unreq cur_pgdp ++ .unreq end_pgdp ++ .unreq pgd ++ .unreq cur_pudp ++ .unreq end_pudp ++ .unreq pud ++ .unreq cur_pmdp ++ .unreq end_pmdp ++ .unreq pmd ++ .unreq cur_ptep ++ .unreq end_ptep ++ .unreq pte ++ENDPROC(idmap_kpti_install_ng_mappings) ++ .popsection ++#endif ++ + /* + * __cpu_setup + * + * Initialise the processor for turning the MMU on. Return in x0 the + * value of the SCTLR_EL1 register. + */ +- .pushsection ".idmap.text", "ax" ++ .pushsection ".idmap.text", "awx" + ENTRY(__cpu_setup) + tlbi vmalle1 // Invalidate local TLB + dsb nsh +@@ -222,7 +412,7 @@ ENTRY(__cpu_setup) + * both user and kernel. + */ + ldr x10, =TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \ +- TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0 ++ TCR_TG_FLAGS | TCR_ASID16 | TCR_TBI0 | TCR_A1 + tcr_set_idmap_t0sz x10, x9 + + /* +diff --git a/arch/frv/include/asm/timex.h b/arch/frv/include/asm/timex.h +index a89bddefdacf..139093fab326 100644 +--- a/arch/frv/include/asm/timex.h ++++ b/arch/frv/include/asm/timex.h +@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void) + #define vxtime_lock() do {} while (0) + #define vxtime_unlock() do {} while (0) + ++/* This attribute is used in include/linux/jiffies.h alongside with ++ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp ++ * for frv does not contain another section specification. ++ */ ++#define __jiffy_arch_data __attribute__((__section__(".data"))) ++ + #endif + +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index 7614d1dd2c0b..94b5dfb087e9 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -723,7 +723,7 @@ EXC_COMMON_BEGIN(bad_addr_slb) + ld r3, PACA_EXSLB+EX_DAR(r13) + std r3, _DAR(r1) + beq cr6, 2f +- li r10, 0x480 /* fix trap number for I-SLB miss */ ++ li r10, 0x481 /* fix trap number for I-SLB miss */ + std r10, _TRAP(r1) + 2: bl save_nvgprs + addi r3, r1, STACK_FRAME_OVERHEAD +diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c +index 028a22bfa90c..ad713f741ca8 100644 +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -372,6 +372,14 @@ void force_external_irq_replay(void) + */ + WARN_ON(!arch_irqs_disabled()); + ++ /* ++ * Interrupts must always be hard disabled before irq_happened is ++ * modified (to prevent lost update in case of interrupt between ++ * load and store). ++ */ ++ __hard_irq_disable(); ++ local_paca->irq_happened |= PACA_IRQ_HARD_DIS; ++ + /* Indicate in the PACA that we have an interrupt to replay */ + local_paca->irq_happened |= PACA_IRQ_EE; + } +diff --git a/arch/x86/crypto/cast5_avx_glue.c b/arch/x86/crypto/cast5_avx_glue.c +index 8648158f3916..f8fe11d24cde 100644 +--- a/arch/x86/crypto/cast5_avx_glue.c ++++ b/arch/x86/crypto/cast5_avx_glue.c +@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk, + void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src); + int err; + +- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; +- + err = blkcipher_walk_virt(desc, walk); + desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + +@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk, + + /* Process multi-block batch */ + if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) { ++ fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; + do { + fn(ctx, wdst, wsrc); + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index b8d3f1b60331..91c48cdfe81f 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -51,6 +51,7 @@ + #include <linux/ftrace.h> + #include <linux/frame.h> + #include <linux/kasan.h> ++#include <linux/moduleloader.h> + + #include <asm/text-patching.h> + #include <asm/cacheflush.h> +@@ -405,6 +406,14 @@ int __copy_instruction(u8 *dest, u8 *src) + return length; + } + ++/* Recover page to RW mode before releasing it */ ++void free_insn_page(void *page) ++{ ++ set_memory_nx((unsigned long)page & PAGE_MASK, 1); ++ set_memory_rw((unsigned long)page & PAGE_MASK, 1); ++ module_memfree(page); ++} ++ + static int arch_copy_kprobe(struct kprobe *p) + { + int ret; +diff --git a/block/bio.c b/block/bio.c +index 07f287b14cff..4f93345c6a82 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -42,9 +42,9 @@ + * break badly! cannot be bigger than what you can fit into an + * unsigned short + */ +-#define BV(x) { .nr_vecs = x, .name = "biovec-"__stringify(x) } ++#define BV(x, n) { .nr_vecs = x, .name = "biovec-"#n } + static struct biovec_slab bvec_slabs[BVEC_POOL_NR] __read_mostly = { +- BV(1), BV(4), BV(16), BV(64), BV(128), BV(BIO_MAX_PAGES), ++ BV(1, 1), BV(4, 4), BV(16, 16), BV(64, 64), BV(128, 128), BV(BIO_MAX_PAGES, max), + }; + #undef BV + +diff --git a/block/partitions/msdos.c b/block/partitions/msdos.c +index 5610cd537da7..7d8d50c11ce7 100644 +--- a/block/partitions/msdos.c ++++ b/block/partitions/msdos.c +@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_partitions *state, + continue; + bsd_start = le32_to_cpu(p->p_offset); + bsd_size = le32_to_cpu(p->p_size); +- if (memcmp(flavour, "bsd\0", 4) == 0) ++ /* FreeBSD has relative offset if C partition offset is zero */ ++ if (memcmp(flavour, "bsd\0", 4) == 0 && ++ le32_to_cpu(l->d_partitions[2].p_offset) == 0) + bsd_start += offset; + if (offset == bsd_start && size == bsd_size) + /* full parent partition, we have it already */ +diff --git a/crypto/ahash.c b/crypto/ahash.c +index 14402ef6d826..90d73a22f129 100644 +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) + + if (nbytes && walk->offset & alignmask && !err) { + walk->offset = ALIGN(walk->offset, alignmask + 1); +- walk->data += walk->offset; +- + nbytes = min(nbytes, + ((unsigned int)(PAGE_SIZE)) - walk->offset); + walk->entrylen -= nbytes; + +- return nbytes; ++ if (nbytes) { ++ walk->data += walk->offset; ++ return nbytes; ++ } + } + + if (walk->flags & CRYPTO_ALG_ASYNC) +diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c +index b86273fdf48e..3cfd879267b2 100644 +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -169,25 +169,6 @@ static bool mtip_check_surprise_removal(struct pci_dev *pdev) + return false; /* device present */ + } + +-/* we have to use runtime tag to setup command header */ +-static void mtip_init_cmd_header(struct request *rq) +-{ +- struct driver_data *dd = rq->q->queuedata; +- struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq); +- u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64; +- +- /* Point the command headers at the command tables. */ +- cmd->command_header = dd->port->command_list + +- (sizeof(struct mtip_cmd_hdr) * rq->tag); +- cmd->command_header_dma = dd->port->command_list_dma + +- (sizeof(struct mtip_cmd_hdr) * rq->tag); +- +- if (host_cap_64) +- cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16); +- +- cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF); +-} +- + static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd) + { + struct request *rq; +@@ -199,9 +180,6 @@ static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd) + if (IS_ERR(rq)) + return NULL; + +- /* Internal cmd isn't submitted via .queue_rq */ +- mtip_init_cmd_header(rq); +- + return blk_mq_rq_to_pdu(rq); + } + +@@ -3833,8 +3811,6 @@ static int mtip_queue_rq(struct blk_mq_hw_ctx *hctx, + struct request *rq = bd->rq; + int ret; + +- mtip_init_cmd_header(rq); +- + if (unlikely(mtip_check_unal_depth(hctx, rq))) + return BLK_MQ_RQ_QUEUE_BUSY; + +@@ -3866,6 +3842,7 @@ static int mtip_init_cmd(void *data, struct request *rq, unsigned int hctx_idx, + { + struct driver_data *dd = data; + struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq); ++ u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64; + + /* + * For flush requests, request_idx starts at the end of the +@@ -3882,6 +3859,17 @@ static int mtip_init_cmd(void *data, struct request *rq, unsigned int hctx_idx, + + memset(cmd->command, 0, CMD_DMA_ALLOC_SZ); + ++ /* Point the command headers at the command tables. */ ++ cmd->command_header = dd->port->command_list + ++ (sizeof(struct mtip_cmd_hdr) * request_idx); ++ cmd->command_header_dma = dd->port->command_list_dma + ++ (sizeof(struct mtip_cmd_hdr) * request_idx); ++ ++ if (host_cap_64) ++ cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16); ++ ++ cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF); ++ + sg_init_table(cmd->sg, MTIP_MAX_SG); + return 0; + } +diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c +index b0bb99a821bd..1b1dccd37fbd 100644 +--- a/drivers/hid/hid-sony.c ++++ b/drivers/hid/hid-sony.c +@@ -1056,7 +1056,6 @@ struct sony_sc { + u8 battery_charging; + u8 battery_capacity; + u8 led_state[MAX_LEDS]; +- u8 resume_led_state[MAX_LEDS]; + u8 led_delay_on[MAX_LEDS]; + u8 led_delay_off[MAX_LEDS]; + u8 led_count; +@@ -1793,6 +1792,7 @@ static int sony_leds_init(struct sony_sc *sc) + led->name = name; + led->brightness = sc->led_state[n]; + led->max_brightness = max_brightness[n]; ++ led->flags = LED_CORE_SUSPENDRESUME; + led->brightness_get = sony_led_get_brightness; + led->brightness_set = sony_led_set_brightness; + +@@ -2509,47 +2509,32 @@ static void sony_remove(struct hid_device *hdev) + + static int sony_suspend(struct hid_device *hdev, pm_message_t message) + { +- /* +- * On suspend save the current LED state, +- * stop running force-feedback and blank the LEDS. +- */ +- if (SONY_LED_SUPPORT || SONY_FF_SUPPORT) { +- struct sony_sc *sc = hid_get_drvdata(hdev); +- + #ifdef CONFIG_SONY_FF +- sc->left = sc->right = 0; +-#endif + +- memcpy(sc->resume_led_state, sc->led_state, +- sizeof(sc->resume_led_state)); +- memset(sc->led_state, 0, sizeof(sc->led_state)); ++ /* On suspend stop any running force-feedback events */ ++ if (SONY_FF_SUPPORT) { ++ struct sony_sc *sc = hid_get_drvdata(hdev); + ++ sc->left = sc->right = 0; + sony_send_output_report(sc); + } + ++#endif + return 0; + } + + static int sony_resume(struct hid_device *hdev) + { +- /* Restore the state of controller LEDs on resume */ +- if (SONY_LED_SUPPORT) { +- struct sony_sc *sc = hid_get_drvdata(hdev); +- +- memcpy(sc->led_state, sc->resume_led_state, +- sizeof(sc->led_state)); +- +- /* +- * The Sixaxis and navigation controllers on USB need to be +- * reinitialized on resume or they won't behave properly. +- */ +- if ((sc->quirks & SIXAXIS_CONTROLLER_USB) || +- (sc->quirks & NAVIGATION_CONTROLLER_USB)) { +- sixaxis_set_operational_usb(sc->hdev); +- sc->defer_initialization = 1; +- } ++ struct sony_sc *sc = hid_get_drvdata(hdev); + +- sony_set_leds(sc); ++ /* ++ * The Sixaxis and navigation controllers on USB need to be ++ * reinitialized on resume or they won't behave properly. ++ */ ++ if ((sc->quirks & SIXAXIS_CONTROLLER_USB) || ++ (sc->quirks & NAVIGATION_CONTROLLER_USB)) { ++ sixaxis_set_operational_usb(sc->hdev); ++ sc->defer_initialization = 1; + } + + return 0; +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index fb4ce0394ac7..978b8d94f9a4 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -209,6 +209,22 @@ int rdma_addr_size(struct sockaddr *addr) + } + EXPORT_SYMBOL(rdma_addr_size); + ++int rdma_addr_size_in6(struct sockaddr_in6 *addr) ++{ ++ int ret = rdma_addr_size((struct sockaddr *) addr); ++ ++ return ret <= sizeof(*addr) ? ret : 0; ++} ++EXPORT_SYMBOL(rdma_addr_size_in6); ++ ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr) ++{ ++ int ret = rdma_addr_size((struct sockaddr *) addr); ++ ++ return ret <= sizeof(*addr) ? ret : 0; ++} ++EXPORT_SYMBOL(rdma_addr_size_kss); ++ + static struct rdma_addr_client self; + + void rdma_addr_register_client(struct rdma_addr_client *client) +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 017a09ceba3f..4d732810f6fc 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -132,7 +132,7 @@ static inline struct ucma_context *_ucma_find_context(int id, + ctx = idr_find(&ctx_idr, id); + if (!ctx) + ctx = ERR_PTR(-ENOENT); +- else if (ctx->file != file) ++ else if (ctx->file != file || !ctx->cm_id) + ctx = ERR_PTR(-EINVAL); + return ctx; + } +@@ -454,6 +454,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + struct rdma_ucm_create_id cmd; + struct rdma_ucm_create_id_resp resp; + struct ucma_context *ctx; ++ struct rdma_cm_id *cm_id; + enum ib_qp_type qp_type; + int ret; + +@@ -474,10 +475,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + return -ENOMEM; + + ctx->uid = cmd.uid; +- ctx->cm_id = rdma_create_id(current->nsproxy->net_ns, +- ucma_event_handler, ctx, cmd.ps, qp_type); +- if (IS_ERR(ctx->cm_id)) { +- ret = PTR_ERR(ctx->cm_id); ++ cm_id = rdma_create_id(current->nsproxy->net_ns, ++ ucma_event_handler, ctx, cmd.ps, qp_type); ++ if (IS_ERR(cm_id)) { ++ ret = PTR_ERR(cm_id); + goto err1; + } + +@@ -487,14 +488,19 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf, + ret = -EFAULT; + goto err2; + } ++ ++ ctx->cm_id = cm_id; + return 0; + + err2: +- rdma_destroy_id(ctx->cm_id); ++ rdma_destroy_id(cm_id); + err1: + mutex_lock(&mut); + idr_remove(&ctx_idr, ctx->id); + mutex_unlock(&mut); ++ mutex_lock(&file->mut); ++ list_del(&ctx->list); ++ mutex_unlock(&file->mut); + kfree(ctx); + return ret; + } +@@ -624,6 +630,9 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const char __user *inbuf, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (!rdma_addr_size_in6(&cmd.addr)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); +@@ -637,22 +646,21 @@ static ssize_t ucma_bind(struct ucma_file *file, const char __user *inbuf, + int in_len, int out_len) + { + struct rdma_ucm_bind cmd; +- struct sockaddr *addr; + struct ucma_context *ctx; + int ret; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- addr = (struct sockaddr *) &cmd.addr; +- if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr))) ++ if (cmd.reserved || !cmd.addr_size || ++ cmd.addr_size != rdma_addr_size_kss(&cmd.addr)) + return -EINVAL; + + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_bind_addr(ctx->cm_id, addr); ++ ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr); + ucma_put_ctx(ctx); + return ret; + } +@@ -668,13 +676,16 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + ++ if (!rdma_addr_size_in6(&cmd.src_addr) || ++ !rdma_addr_size_in6(&cmd.dst_addr)) ++ return -EINVAL; ++ + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + + ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr, +- (struct sockaddr *) &cmd.dst_addr, +- cmd.timeout_ms); ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms); + ucma_put_ctx(ctx); + return ret; + } +@@ -684,24 +695,23 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file, + int in_len, int out_len) + { + struct rdma_ucm_resolve_addr cmd; +- struct sockaddr *src, *dst; + struct ucma_context *ctx; + int ret; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- src = (struct sockaddr *) &cmd.src_addr; +- dst = (struct sockaddr *) &cmd.dst_addr; +- if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) || +- !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst))) ++ if (cmd.reserved || ++ (cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) || ++ !cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr))) + return -EINVAL; + + ctx = ucma_get_ctx(file, cmd.id); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms); ++ ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr, ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms); + ucma_put_ctx(ctx); + return ret; + } +@@ -1146,6 +1156,11 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + ++ if (!ctx->cm_id->device) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + resp.qp_attr_mask = 0; + memset(&qp_attr, 0, sizeof qp_attr); + qp_attr.qp_state = cmd.qp_state; +@@ -1302,7 +1317,7 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf, + { + struct rdma_ucm_notify cmd; + struct ucma_context *ctx; +- int ret; ++ int ret = -EINVAL; + + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; +@@ -1311,7 +1326,9 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event); ++ if (ctx->cm_id->device) ++ ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event); ++ + ucma_put_ctx(ctx); + return ret; + } +@@ -1397,7 +1414,7 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, + join_cmd.response = cmd.response; + join_cmd.uid = cmd.uid; + join_cmd.id = cmd.id; +- join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); ++ join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr); + if (!join_cmd.addr_size) + return -EINVAL; + +@@ -1416,7 +1433,7 @@ static ssize_t ucma_join_multicast(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- if (!rdma_addr_size((struct sockaddr *)&cmd.addr)) ++ if (!rdma_addr_size_kss(&cmd.addr)) + return -EINVAL; + + return ucma_process_join(file, &cmd, out_len); +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c +index af83d2e34913..a8a96def0ba2 100644 +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -2538,13 +2538,31 @@ static int alps_update_btn_info_ss4_v2(unsigned char otp[][4], + } + + static int alps_update_dual_info_ss4_v2(unsigned char otp[][4], +- struct alps_data *priv) ++ struct alps_data *priv, ++ struct psmouse *psmouse) + { + bool is_dual = false; ++ int reg_val = 0; ++ struct ps2dev *ps2dev = &psmouse->ps2dev; + +- if (IS_SS4PLUS_DEV(priv->dev_id)) ++ if (IS_SS4PLUS_DEV(priv->dev_id)) { + is_dual = (otp[0][0] >> 4) & 0x01; + ++ if (!is_dual) { ++ /* For support TrackStick of Thinkpad L/E series */ ++ if (alps_exit_command_mode(psmouse) == 0 && ++ alps_enter_command_mode(psmouse) == 0) { ++ reg_val = alps_command_mode_read_reg(psmouse, ++ 0xD7); ++ } ++ alps_exit_command_mode(psmouse); ++ ps2_command(ps2dev, NULL, PSMOUSE_CMD_ENABLE); ++ ++ if (reg_val == 0x0C || reg_val == 0x1D) ++ is_dual = true; ++ } ++ } ++ + if (is_dual) + priv->flags |= ALPS_DUALPOINT | + ALPS_DUALPOINT_WITH_PRESSURE; +@@ -2567,7 +2585,7 @@ static int alps_set_defaults_ss4_v2(struct psmouse *psmouse, + + alps_update_btn_info_ss4_v2(otp, priv); + +- alps_update_dual_info_ss4_v2(otp, priv); ++ alps_update_dual_info_ss4_v2(otp, priv, psmouse); + + return 0; + } +diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c +index b604564dec5c..30328e57fdda 100644 +--- a/drivers/input/mousedev.c ++++ b/drivers/input/mousedev.c +@@ -15,6 +15,7 @@ + #define MOUSEDEV_MINORS 31 + #define MOUSEDEV_MIX 63 + ++#include <linux/bitops.h> + #include <linux/sched.h> + #include <linux/slab.h> + #include <linux/poll.h> +@@ -103,7 +104,7 @@ struct mousedev_client { + spinlock_t packet_lock; + int pos_x, pos_y; + +- signed char ps2[6]; ++ u8 ps2[6]; + unsigned char ready, buffer, bufsiz; + unsigned char imexseq, impsseq; + enum mousedev_emul mode; +@@ -291,11 +292,10 @@ static void mousedev_notify_readers(struct mousedev *mousedev, + } + + client->pos_x += packet->dx; +- client->pos_x = client->pos_x < 0 ? +- 0 : (client->pos_x >= xres ? xres : client->pos_x); ++ client->pos_x = clamp_val(client->pos_x, 0, xres); ++ + client->pos_y += packet->dy; +- client->pos_y = client->pos_y < 0 ? +- 0 : (client->pos_y >= yres ? yres : client->pos_y); ++ client->pos_y = clamp_val(client->pos_y, 0, yres); + + p->dx += packet->dx; + p->dy += packet->dy; +@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *inode, struct file *file) + return error; + } + +-static inline int mousedev_limit_delta(int delta, int limit) +-{ +- return delta > limit ? limit : (delta < -limit ? -limit : delta); +-} +- +-static void mousedev_packet(struct mousedev_client *client, +- signed char *ps2_data) ++static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data) + { + struct mousedev_motion *p = &client->packets[client->tail]; ++ s8 dx, dy, dz; ++ ++ dx = clamp_val(p->dx, -127, 127); ++ p->dx -= dx; ++ ++ dy = clamp_val(p->dy, -127, 127); ++ p->dy -= dy; + +- ps2_data[0] = 0x08 | +- ((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07); +- ps2_data[1] = mousedev_limit_delta(p->dx, 127); +- ps2_data[2] = mousedev_limit_delta(p->dy, 127); +- p->dx -= ps2_data[1]; +- p->dy -= ps2_data[2]; ++ ps2_data[0] = BIT(3); ++ ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2); ++ ps2_data[0] |= p->buttons & 0x07; ++ ps2_data[1] = dx; ++ ps2_data[2] = dy; + + switch (client->mode) { + case MOUSEDEV_EMUL_EXPS: +- ps2_data[3] = mousedev_limit_delta(p->dz, 7); +- p->dz -= ps2_data[3]; +- ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1); ++ dz = clamp_val(p->dz, -7, 7); ++ p->dz -= dz; ++ ++ ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1); + client->bufsiz = 4; + break; + + case MOUSEDEV_EMUL_IMPS: +- ps2_data[0] |= +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1); +- ps2_data[3] = mousedev_limit_delta(p->dz, 127); +- p->dz -= ps2_data[3]; ++ dz = clamp_val(p->dz, -127, 127); ++ p->dz -= dz; ++ ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) | ++ ((p->buttons & 0x08) >> 1); ++ ps2_data[3] = dz; ++ + client->bufsiz = 4; + break; + + case MOUSEDEV_EMUL_PS2: + default: +- ps2_data[0] |= +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1); + p->dz = 0; ++ ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) | ++ ((p->buttons & 0x08) >> 1); ++ + client->bufsiz = 3; + break; + } +@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer, + { + struct mousedev_client *client = file->private_data; + struct mousedev *mousedev = client->mousedev; +- signed char data[sizeof(client->ps2)]; ++ u8 data[sizeof(client->ps2)]; + int retval = 0; + + if (!client->ready && !client->buffer && mousedev->exist && +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index d1051e3ce819..e484ea2dc787 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -530,6 +530,20 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + { } + }; + ++static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = { ++ { ++ /* ++ * Sony Vaio VGN-CS series require MUX or the touch sensor ++ * buttons will disturb touchpad operation ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"), ++ }, ++ }, ++ { } ++}; ++ + /* + * On some Asus laptops, just running self tests cause problems. + */ +@@ -692,6 +706,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "20046"), + }, + }, ++ { ++ /* Lenovo ThinkPad L460 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"), ++ }, ++ }, + { + /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ + .matches = { +@@ -1223,6 +1244,9 @@ static int __init i8042_platform_init(void) + if (dmi_check_system(i8042_dmi_nomux_table)) + i8042_nomux = true; + ++ if (dmi_check_system(i8042_dmi_forcemux_table)) ++ i8042_nomux = false; ++ + if (dmi_check_system(i8042_dmi_notimeout_table)) + i8042_notimeout = true; + +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c +index a68c650aad11..b67414b5a64e 100644 +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1777,12 +1777,12 @@ static int validate_params(uint cmd, struct dm_ioctl *param) + cmd == DM_LIST_VERSIONS_CMD) + return 0; + +- if ((cmd == DM_DEV_CREATE_CMD)) { ++ if (cmd == DM_DEV_CREATE_CMD) { + if (!*param->name) { + DMWARN("name not supplied when creating device"); + return -EINVAL; + } +- } else if ((*param->uuid && *param->name)) { ++ } else if (*param->uuid && *param->name) { + DMWARN("only supply one of name or uuid, cmd(%u)", cmd); + return -EINVAL; + } +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 18a4271bf569..6a7b9b1dcfe3 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3681,6 +3681,7 @@ static int raid10_run(struct mddev *mddev) + + if (blk_queue_discard(bdev_get_queue(rdev->bdev))) + discard_supported = true; ++ first = 0; + } + + if (mddev->queue) { +diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c +index 0324633ede42..e56a49a5e8b1 100644 +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -109,6 +109,8 @@ static int usbtv_probe(struct usb_interface *intf, + return 0; + + usbtv_audio_fail: ++ /* we must not free at this point */ ++ usb_get_dev(usbtv->udev); + usbtv_video_free(usbtv); + + usbtv_video_fail: +diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c +index 41f318631c6d..60f5a8ded8dd 100644 +--- a/drivers/misc/mei/main.c ++++ b/drivers/misc/mei/main.c +@@ -551,7 +551,6 @@ static long mei_ioctl(struct file *file, unsigned int cmd, unsigned long data) + break; + + default: +- dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd); + rets = -ENOIOCTLCMD; + } + +diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c +index 7c0b27d132b1..b479bd81120b 100644 +--- a/drivers/mtd/chips/jedec_probe.c ++++ b/drivers/mtd/chips/jedec_probe.c +@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base, + do { + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); + mask = (1 << (cfi->device_type * 8)) - 1; ++ if (ofs >= map->size) ++ return 0; + result = map_read(map, base + ofs); + bank++; + } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION); +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +index 651f308cdc60..fca2e428cd86 100644 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +@@ -1680,6 +1680,30 @@ static void xgene_enet_napi_add(struct xgene_enet_pdata *pdata) + } + } + ++#ifdef CONFIG_ACPI ++static const struct acpi_device_id xgene_enet_acpi_match[] = { ++ { "APMC0D05", XGENE_ENET1}, ++ { "APMC0D30", XGENE_ENET1}, ++ { "APMC0D31", XGENE_ENET1}, ++ { "APMC0D3F", XGENE_ENET1}, ++ { "APMC0D26", XGENE_ENET2}, ++ { "APMC0D25", XGENE_ENET2}, ++ { } ++}; ++MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match); ++#endif ++ ++static const struct of_device_id xgene_enet_of_match[] = { ++ {.compatible = "apm,xgene-enet", .data = (void *)XGENE_ENET1}, ++ {.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1}, ++ {.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1}, ++ {.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2}, ++ {.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2}, ++ {}, ++}; ++ ++MODULE_DEVICE_TABLE(of, xgene_enet_of_match); ++ + static int xgene_enet_probe(struct platform_device *pdev) + { + struct net_device *ndev; +@@ -1826,32 +1850,6 @@ static void xgene_enet_shutdown(struct platform_device *pdev) + xgene_enet_remove(pdev); + } + +-#ifdef CONFIG_ACPI +-static const struct acpi_device_id xgene_enet_acpi_match[] = { +- { "APMC0D05", XGENE_ENET1}, +- { "APMC0D30", XGENE_ENET1}, +- { "APMC0D31", XGENE_ENET1}, +- { "APMC0D3F", XGENE_ENET1}, +- { "APMC0D26", XGENE_ENET2}, +- { "APMC0D25", XGENE_ENET2}, +- { } +-}; +-MODULE_DEVICE_TABLE(acpi, xgene_enet_acpi_match); +-#endif +- +-#ifdef CONFIG_OF +-static const struct of_device_id xgene_enet_of_match[] = { +- {.compatible = "apm,xgene-enet", .data = (void *)XGENE_ENET1}, +- {.compatible = "apm,xgene1-sgenet", .data = (void *)XGENE_ENET1}, +- {.compatible = "apm,xgene1-xgenet", .data = (void *)XGENE_ENET1}, +- {.compatible = "apm,xgene2-sgenet", .data = (void *)XGENE_ENET2}, +- {.compatible = "apm,xgene2-xgenet", .data = (void *)XGENE_ENET2}, +- {}, +-}; +- +-MODULE_DEVICE_TABLE(of, xgene_enet_of_match); +-#endif +- + static struct platform_driver xgene_enet_driver = { + .driver = { + .name = "xgene-enet", +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c +index 34b5e699a1d5..02a03bccde7b 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c +@@ -671,7 +671,7 @@ static void hns_gmac_get_strings(u32 stringset, u8 *data) + + static int hns_gmac_get_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) ++ if (stringset == ETH_SS_STATS) + return ARRAY_SIZE(g_gmac_stats_string); + + return 0; +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c +index 4ecb809785f9..6ea872287307 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c +@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe_cb *ppe_cb) + + int hns_ppe_get_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) ++ if (stringset == ETH_SS_STATS) + return ETH_PPE_STATIC_NUM; + return 0; + } +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c +index fbbbbffd58dc..f3be9ac47bfb 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c +@@ -798,7 +798,7 @@ void hns_rcb_get_stats(struct hnae_queue *queue, u64 *data) + */ + int hns_rcb_get_ring_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) ++ if (stringset == ETH_SS_STATS) + return HNS_RING_STATIC_REG_NUM; + + return 0; +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c +index 86a496d71995..6be0cae44e9b 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c +@@ -1017,8 +1017,10 @@ int hns_get_sset_count(struct net_device *netdev, int stringset) + cnt--; + + return cnt; +- } else { ++ } else if (stringset == ETH_SS_STATS) { + return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset)); ++ } else { ++ return -EOPNOTSUPP; + } + } + +diff --git a/drivers/net/phy/mdio-xgene.c b/drivers/net/phy/mdio-xgene.c +index 39be3b82608f..20fbcc9c4687 100644 +--- a/drivers/net/phy/mdio-xgene.c ++++ b/drivers/net/phy/mdio-xgene.c +@@ -314,6 +314,30 @@ static acpi_status acpi_register_phy(acpi_handle handle, u32 lvl, + } + #endif + ++static const struct of_device_id xgene_mdio_of_match[] = { ++ { ++ .compatible = "apm,xgene-mdio-rgmii", ++ .data = (void *)XGENE_MDIO_RGMII ++ }, ++ { ++ .compatible = "apm,xgene-mdio-xfi", ++ .data = (void *)XGENE_MDIO_XFI ++ }, ++ {}, ++}; ++MODULE_DEVICE_TABLE(of, xgene_mdio_of_match); ++ ++#ifdef CONFIG_ACPI ++static const struct acpi_device_id xgene_mdio_acpi_match[] = { ++ { "APMC0D65", XGENE_MDIO_RGMII }, ++ { "APMC0D66", XGENE_MDIO_XFI }, ++ { } ++}; ++ ++MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match); ++#endif ++ ++ + static int xgene_mdio_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +@@ -439,32 +463,6 @@ static int xgene_mdio_remove(struct platform_device *pdev) + return 0; + } + +-#ifdef CONFIG_OF +-static const struct of_device_id xgene_mdio_of_match[] = { +- { +- .compatible = "apm,xgene-mdio-rgmii", +- .data = (void *)XGENE_MDIO_RGMII +- }, +- { +- .compatible = "apm,xgene-mdio-xfi", +- .data = (void *)XGENE_MDIO_XFI +- }, +- {}, +-}; +- +-MODULE_DEVICE_TABLE(of, xgene_mdio_of_match); +-#endif +- +-#ifdef CONFIG_ACPI +-static const struct acpi_device_id xgene_mdio_acpi_match[] = { +- { "APMC0D65", XGENE_MDIO_RGMII }, +- { "APMC0D66", XGENE_MDIO_XFI }, +- { } +-}; +- +-MODULE_DEVICE_TABLE(acpi, xgene_mdio_acpi_match); +-#endif +- + static struct platform_driver xgene_mdio_driver = { + .driver = { + .name = "xgene-mdio", +diff --git a/drivers/net/phy/mdio-xgene.h b/drivers/net/phy/mdio-xgene.h +index 354241b53c1d..594a11d42401 100644 +--- a/drivers/net/phy/mdio-xgene.h ++++ b/drivers/net/phy/mdio-xgene.h +@@ -132,10 +132,6 @@ static inline u64 xgene_enet_get_field_value(int pos, int len, u64 src) + #define GET_BIT(field, src) \ + xgene_enet_get_field_value(field ## _POS, 1, src) + +-static const struct of_device_id xgene_mdio_of_match[]; +-#ifdef CONFIG_ACPI +-static const struct acpi_device_id xgene_mdio_acpi_match[]; +-#endif + int xgene_mdio_rgmii_read(struct mii_bus *bus, int phy_id, int reg); + int xgene_mdio_rgmii_write(struct mii_bus *bus, int phy_id, int reg, u16 data); + struct phy_device *xgene_enet_phy_register(struct mii_bus *bus, int phy_addr); +diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c +index 78530d1714dc..bdce0679674c 100644 +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards { + netmos_9901, + netmos_9865, + quatech_sppxp100, ++ wch_ch382l, + }; + + +@@ -2708,6 +2709,7 @@ static struct parport_pc_pci { + /* netmos_9901 */ { 1, { { 0, -1 }, } }, + /* netmos_9865 */ { 1, { { 0, -1 }, } }, + /* quatech_sppxp100 */ { 1, { { 0, 1 }, } }, ++ /* wch_ch382l */ { 1, { { 2, -1 }, } }, + }; + + static const struct pci_device_id parport_pc_pci_tbl[] = { +@@ -2797,6 +2799,8 @@ static const struct pci_device_id parport_pc_pci_tbl[] = { + /* Quatech SPPXP-100 Parallel port PCI ExpressCard */ + { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 }, ++ /* WCH CH382L PCI-E single parallel port card */ ++ { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, + { 0, } /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl); +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index a98be6db7e93..56340abe4fc6 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -231,7 +231,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, + res->flags |= IORESOURCE_ROM_ENABLE; + l64 = l & PCI_ROM_ADDRESS_MASK; + sz64 = sz & PCI_ROM_ADDRESS_MASK; +- mask64 = (u32)PCI_ROM_ADDRESS_MASK; ++ mask64 = PCI_ROM_ADDRESS_MASK; + } + + if (res->flags & IORESOURCE_MEM_64) { +diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c +index 4bc589ee78d0..85774b7a316a 100644 +--- a/drivers/pci/setup-res.c ++++ b/drivers/pci/setup-res.c +@@ -63,7 +63,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno) + mask = (u32)PCI_BASE_ADDRESS_IO_MASK; + new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK; + } else if (resno == PCI_ROM_RESOURCE) { +- mask = (u32)PCI_ROM_ADDRESS_MASK; ++ mask = PCI_ROM_ADDRESS_MASK; + } else { + mask = (u32)PCI_BASE_ADDRESS_MEM_MASK; + new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK; +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c +index 8f4adc1d9588..cbc8e9388268 100644 +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -819,6 +819,7 @@ static struct scsi_host_template virtscsi_host_template_multi = { + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, +diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig +index 0e7415f6d093..b7995474148c 100644 +--- a/drivers/spi/Kconfig ++++ b/drivers/spi/Kconfig +@@ -156,7 +156,6 @@ config SPI_BCM63XX_HSSPI + config SPI_BCM_QSPI + tristate "Broadcom BSPI and MSPI controller support" + depends on ARCH_BRCMSTB || ARCH_BCM || ARCH_BCM_IPROC || COMPILE_TEST +- depends on MTD_NORFLASH + default ARCH_BCM_IPROC + help + Enables support for the Broadcom SPI flash and MSPI controller. +diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c +index 02fb96797ac8..0d8f43a17edb 100644 +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -646,7 +646,7 @@ static int davinci_spi_bufs(struct spi_device *spi, struct spi_transfer *t) + buf = t->rx_buf; + t->rx_dma = dma_map_single(&spi->dev, buf, + t->len, DMA_FROM_DEVICE); +- if (dma_mapping_error(&spi->dev, !t->rx_dma)) { ++ if (dma_mapping_error(&spi->dev, t->rx_dma)) { + ret = -EFAULT; + goto err_rx_map; + } +diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c +index a574885ffba9..18c5312f7886 100644 +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -1284,6 +1284,8 @@ static void ack_a_interrupt(struct comedi_device *dev, unsigned short a_status) + ack |= NISTC_INTA_ACK_AI_START; + if (a_status & NISTC_AI_STATUS1_STOP) + ack |= NISTC_INTA_ACK_AI_STOP; ++ if (a_status & NISTC_AI_STATUS1_OVER) ++ ack |= NISTC_INTA_ACK_AI_ERR; + if (ack) + ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG); + } +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 68c7bb0b7991..9e1ac58e269e 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1354,6 +1354,11 @@ static void csi_m(struct vc_data *vc) + case 3: + vc->vc_italic = 1; + break; ++ case 21: ++ /* ++ * No console drivers support double underline, so ++ * convert it to a single underline. ++ */ + case 4: + vc->vc_underline = 1; + break; +@@ -1389,7 +1394,6 @@ static void csi_m(struct vc_data *vc) + vc->vc_disp_ctrl = 1; + vc->vc_toggle_meta = 1; + break; +- case 21: + case 22: + vc->vc_intensity = 1; + break; +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index dfc0566bb155..919a32153060 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -3220,7 +3220,6 @@ static void dwc2_conn_id_status_change(struct work_struct *work) + dwc2_core_init(hsotg, false); + dwc2_enable_global_interrupts(hsotg); + spin_lock_irqsave(&hsotg->lock, flags); +- dwc2_hsotg_disconnect(hsotg); + dwc2_hsotg_core_init_disconnected(hsotg, false); + spin_unlock_irqrestore(&hsotg->lock, flags); + dwc2_hsotg_core_connect(hsotg); +@@ -3238,8 +3237,12 @@ static void dwc2_conn_id_status_change(struct work_struct *work) + if (count > 250) + dev_err(hsotg->dev, + "Connection id status change timed out\n"); +- hsotg->op_state = OTG_STATE_A_HOST; + ++ spin_lock_irqsave(&hsotg->lock, flags); ++ dwc2_hsotg_disconnect(hsotg); ++ spin_unlock_irqrestore(&hsotg->lock, flags); ++ ++ hsotg->op_state = OTG_STATE_A_HOST; + /* Initialize the Core for Host mode */ + dwc2_core_init(hsotg, false); + dwc2_enable_global_interrupts(hsotg); +diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c +index e97539fc127e..7d658565b20f 100644 +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -139,10 +139,8 @@ int usb_ep_disable(struct usb_ep *ep) + goto out; + + ret = ep->ops->disable(ep); +- if (ret) { +- ret = ret; ++ if (ret) + goto out; +- } + + ep->enabled = false; + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 3178d8afb3e6..cab80acace4e 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -152,6 +152,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ + { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ + { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ ++ { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */ + { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ + { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */ + { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 0c743e4cca1e..71cbc6890ac4 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -773,6 +773,7 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, + { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, ++ { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, +@@ -935,6 +936,7 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, + { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 543d2801632b..76a10b222ff9 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -922,6 +922,9 @@ + /* + * RT Systems programming cables for various ham radios + */ ++/* This device uses the VID of FTDI */ ++#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */ ++ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ + #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */ + #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */ +@@ -1440,6 +1443,12 @@ + */ + #define FTDI_CINTERION_MC55I_PID 0xA951 + ++/* ++ * Product: FirmwareHubEmulator ++ * Manufacturer: Harman Becker Automotive Systems ++ */ ++#define FTDI_FHE_PID 0xA9A0 ++ + /* + * Product: Comet Caller ID decoder + * Manufacturer: Crucible Technologies +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 5539f0b95efa..52401732cddc 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3664,7 +3664,7 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + + src_offset = btrfs_item_ptr_offset(src, start_slot + i); + +- if ((i == (nr - 1))) ++ if (i == nr - 1) + last_key = ins_keys[i]; + + if (ins_keys[i].type == BTRFS_INODE_ITEM_KEY) { +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index ca3f630db90f..e7ddb23d9bb7 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -598,7 +598,8 @@ static ssize_t ceph_sync_read(struct kiocb *iocb, struct iov_iter *i, + struct ceph_aio_request { + struct kiocb *iocb; + size_t total_len; +- int write; ++ bool write; ++ bool should_dirty; + int error; + struct list_head osd_reqs; + unsigned num_reqs; +@@ -708,7 +709,7 @@ static void ceph_aio_complete_req(struct ceph_osd_request *req) + } + } + +- ceph_put_page_vector(osd_data->pages, num_pages, !aio_req->write); ++ ceph_put_page_vector(osd_data->pages, num_pages, aio_req->should_dirty); + ceph_osdc_put_request(req); + + if (rc < 0) +@@ -890,6 +891,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, + size_t count = iov_iter_count(iter); + loff_t pos = iocb->ki_pos; + bool write = iov_iter_rw(iter) == WRITE; ++ bool should_dirty = !write && iter_is_iovec(iter); + + if (write && ceph_snap(file_inode(file)) != CEPH_NOSNAP) + return -EROFS; +@@ -954,6 +956,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, + if (aio_req) { + aio_req->iocb = iocb; + aio_req->write = write; ++ aio_req->should_dirty = should_dirty; + INIT_LIST_HEAD(&aio_req->osd_reqs); + if (write) { + aio_req->mtime = mtime; +@@ -1012,7 +1015,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, + len = ret; + } + +- ceph_put_page_vector(pages, num_pages, !write); ++ ceph_put_page_vector(pages, num_pages, should_dirty); + + ceph_osdc_put_request(req); + if (ret < 0) +diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c +index f2d7402abe02..93c8e4a4bbd3 100644 +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -833,7 +833,7 @@ static int compat_ioctl_preallocate(struct file *file, + */ + #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff) + +-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd), ++#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd), + /* ioctl should not be warned about even if it's not implemented. + Valid reasons to use this: + - It is implemented with ->compat_ioctl on some device, but programs +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h +index 2d65bbd6dbd1..18ba29ff1449 100644 +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -680,6 +680,11 @@ void alloc_bootmem_cpumask_var(cpumask_var_t *mask); + void free_cpumask_var(cpumask_var_t mask); + void free_bootmem_cpumask_var(cpumask_var_t mask); + ++static inline bool cpumask_available(cpumask_var_t mask) ++{ ++ return mask != NULL; ++} ++ + #else + typedef struct cpumask cpumask_var_t[1]; + +@@ -720,6 +725,11 @@ static inline void free_cpumask_var(cpumask_var_t mask) + static inline void free_bootmem_cpumask_var(cpumask_var_t mask) + { + } ++ ++static inline bool cpumask_available(cpumask_var_t mask) ++{ ++ return true; ++} + #endif /* CONFIG_CPUMASK_OFFSTACK */ + + /* It's common to want to use cpu_all_mask in struct member initializers, +diff --git a/include/linux/init.h b/include/linux/init.h +index 683508f6bb4e..0cca4142987f 100644 +--- a/include/linux/init.h ++++ b/include/linux/init.h +@@ -133,6 +133,9 @@ void prepare_namespace(void); + void __init load_default_modules(void); + int __init init_rootfs(void); + ++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_DEBUG_SET_MODULE_RONX) ++extern bool rodata_enabled; ++#endif + #ifdef CONFIG_DEBUG_RODATA + void mark_rodata_ro(void); + #endif +diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h +index 589d14e970ad..c2a0f0072274 100644 +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -1,6 +1,7 @@ + #ifndef _LINUX_JIFFIES_H + #define _LINUX_JIFFIES_H + ++#include <linux/cache.h> + #include <linux/math64.h> + #include <linux/kernel.h> + #include <linux/types.h> +@@ -63,19 +64,17 @@ extern int register_refined_jiffies(long clock_tick_rate); + /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */ + #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ) + +-/* some arch's have a small-data section that can be accessed register-relative +- * but that can only take up to, say, 4-byte variables. jiffies being part of +- * an 8-byte variable may not be correctly accessed unless we force the issue +- */ +-#define __jiffy_data __attribute__((section(".data"))) ++#ifndef __jiffy_arch_data ++#define __jiffy_arch_data ++#endif + + /* + * The 64-bit value is not atomic - you MUST NOT read it + * without sampling the sequence number in jiffies_lock. + * get_jiffies_64() will do this for you as appropriate. + */ +-extern u64 __jiffy_data jiffies_64; +-extern unsigned long volatile __jiffy_data jiffies; ++extern u64 __cacheline_aligned_in_smp jiffies_64; ++extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies; + + #if (BITS_PER_LONG < 64) + u64 get_jiffies_64(void); +diff --git a/include/linux/llist.h b/include/linux/llist.h +index fd4ca0b4fe0f..ac6796138ba0 100644 +--- a/include/linux/llist.h ++++ b/include/linux/llist.h +@@ -87,6 +87,23 @@ static inline void init_llist_head(struct llist_head *list) + #define llist_entry(ptr, type, member) \ + container_of(ptr, type, member) + ++/** ++ * member_address_is_nonnull - check whether the member address is not NULL ++ * @ptr: the object pointer (struct type * that contains the llist_node) ++ * @member: the name of the llist_node within the struct. ++ * ++ * This macro is conceptually the same as ++ * &ptr->member != NULL ++ * but it works around the fact that compilers can decide that taking a member ++ * address is never a NULL pointer. ++ * ++ * Real objects that start at a high address and have a member at NULL are ++ * unlikely to exist, but such pointers may be returned e.g. by the ++ * container_of() macro. ++ */ ++#define member_address_is_nonnull(ptr, member) \ ++ ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0) ++ + /** + * llist_for_each - iterate over some deleted entries of a lock-less list + * @pos: the &struct llist_node to use as a loop cursor +@@ -121,7 +138,7 @@ static inline void init_llist_head(struct llist_head *list) + */ + #define llist_for_each_entry(pos, node, member) \ + for ((pos) = llist_entry((node), typeof(*(pos)), member); \ +- &(pos)->member != NULL; \ ++ member_address_is_nonnull(pos, member); \ + (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member)) + + /** +@@ -143,7 +160,7 @@ static inline void init_llist_head(struct llist_head *list) + */ + #define llist_for_each_entry_safe(pos, n, node, member) \ + for (pos = llist_entry((node), typeof(*pos), member); \ +- &pos->member != NULL && \ ++ member_address_is_nonnull(pos, member) && \ + (n = llist_entry(pos->member.next, typeof(*n), member), true); \ + pos = n) + +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +index 9bfeb88fb940..69111fa2e578 100644 +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -254,6 +254,8 @@ unsigned int *xt_alloc_entry_offsets(unsigned int size); + bool xt_find_jump_offset(const unsigned int *offsets, + unsigned int target, unsigned int size); + ++int xt_check_proc_name(const char *name, unsigned int size); ++ + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, +diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h +index 818a38f99221..f888263fd757 100644 +--- a/include/rdma/ib_addr.h ++++ b/include/rdma/ib_addr.h +@@ -129,6 +129,8 @@ int rdma_copy_addr(struct rdma_dev_addr *dev_addr, struct net_device *dev, + const unsigned char *dst_dev_addr); + + int rdma_addr_size(struct sockaddr *addr); ++int rdma_addr_size_in6(struct sockaddr_in6 *addr); ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr); + + int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id); + int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid, +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h +index e5a2e68b2236..ecc8e01c5616 100644 +--- a/include/uapi/linux/pci_regs.h ++++ b/include/uapi/linux/pci_regs.h +@@ -106,7 +106,7 @@ + #define PCI_SUBSYSTEM_ID 0x2e + #define PCI_ROM_ADDRESS 0x30 /* Bits 31..11 are address, 10..1 reserved */ + #define PCI_ROM_ADDRESS_ENABLE 0x01 +-#define PCI_ROM_ADDRESS_MASK (~0x7ffUL) ++#define PCI_ROM_ADDRESS_MASK (~0x7ffU) + + #define PCI_CAPABILITY_LIST 0x34 /* Offset of first capability list entry */ + +diff --git a/init/main.c b/init/main.c +index 99f026565608..f22957afb37e 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -81,6 +81,7 @@ + #include <linux/proc_ns.h> + #include <linux/io.h> + #include <linux/kaiser.h> ++#include <linux/cache.h> + + #include <asm/io.h> + #include <asm/bugs.h> +@@ -914,14 +915,16 @@ static int try_to_run_init_process(const char *init_filename) + + static noinline void __init kernel_init_freeable(void); + +-#ifdef CONFIG_DEBUG_RODATA +-static bool rodata_enabled = true; ++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_SET_MODULE_RONX) ++bool rodata_enabled __ro_after_init = true; + static int __init set_debug_rodata(char *str) + { + return strtobool(str, &rodata_enabled); + } + __setup("rodata=", set_debug_rodata); ++#endif + ++#ifdef CONFIG_DEBUG_RODATA + static void mark_readonly(void) + { + if (rodata_enabled) +diff --git a/ipc/shm.c b/ipc/shm.c +index e2072ae4f90e..de93d01bfce2 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -381,6 +381,17 @@ static int shm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) + return sfd->vm_ops->fault(vma, vmf); + } + ++static int shm_split(struct vm_area_struct *vma, unsigned long addr) ++{ ++ struct file *file = vma->vm_file; ++ struct shm_file_data *sfd = shm_file_data(file); ++ ++ if (sfd->vm_ops && sfd->vm_ops->split) ++ return sfd->vm_ops->split(vma, addr); ++ ++ return 0; ++} ++ + #ifdef CONFIG_NUMA + static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new) + { +@@ -503,6 +514,7 @@ static const struct vm_operations_struct shm_vm_ops = { + .open = shm_open, /* callback for a new vm-area open */ + .close = shm_close, /* callback for when the vm-area is released */ + .fault = shm_fault, ++ .split = shm_split, + #if defined(CONFIG_NUMA) + .set_policy = shm_set_policy, + .get_policy = shm_get_policy, +diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c +index 3f8cb1e14588..253ae2da13c3 100644 +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_breakpoint); + * modify_user_hw_breakpoint - modify a user-space hardware breakpoint + * @bp: the breakpoint structure to modify + * @attr: new breakpoint attributes +- * @triggered: callback to trigger when we hit the breakpoint +- * @tsk: pointer to 'task_struct' of the process to which the address belongs + */ + int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr) + { +- u64 old_addr = bp->attr.bp_addr; +- u64 old_len = bp->attr.bp_len; +- int old_type = bp->attr.bp_type; +- int err = 0; +- + /* + * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it + * will not be possible to raise IPIs that invoke __perf_event_disable. +@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *att + bp->attr.bp_addr = attr->bp_addr; + bp->attr.bp_type = attr->bp_type; + bp->attr.bp_len = attr->bp_len; ++ bp->attr.disabled = 1; + +- if (attr->disabled) +- goto end; +- +- err = validate_hw_breakpoint(bp); +- if (!err) +- perf_event_enable(bp); ++ if (!attr->disabled) { ++ int err = validate_hw_breakpoint(bp); + +- if (err) { +- bp->attr.bp_addr = old_addr; +- bp->attr.bp_type = old_type; +- bp->attr.bp_len = old_len; +- if (!bp->attr.disabled) +- perf_event_enable(bp); ++ if (err) ++ return err; + +- return err; ++ perf_event_enable(bp); ++ bp->attr.disabled = 0; + } + +-end: +- bp->attr.disabled = attr->disabled; +- + return 0; + } + EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint); +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index ea41820ab12e..5927da596d42 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -850,7 +850,7 @@ irq_thread_check_affinity(struct irq_desc *desc, struct irqaction *action) + * This code is triggered unconditionally. Check the affinity + * mask pointer. For CPU_MASK_OFFSTACK=n this is optimized out. + */ +- if (desc->irq_common_data.affinity) ++ if (cpumask_available(desc->irq_common_data.affinity)) + cpumask_copy(mask, desc->irq_common_data.affinity); + else + valid = false; +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index a1a07cf1101f..69485183af79 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -125,7 +125,7 @@ static void *alloc_insn_page(void) + return module_alloc(PAGE_SIZE); + } + +-static void free_insn_page(void *page) ++void __weak free_insn_page(void *page) + { + module_memfree(page); + } +diff --git a/kernel/module.c b/kernel/module.c +index 07bfb9971f2f..0651f2d25fc9 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1911,6 +1911,9 @@ static void frob_writable_data(const struct module_layout *layout, + /* livepatching wants to disable read-only so it can frob module. */ + void module_disable_ro(const struct module *mod) + { ++ if (!rodata_enabled) ++ return; ++ + frob_text(&mod->core_layout, set_memory_rw); + frob_rodata(&mod->core_layout, set_memory_rw); + frob_ro_after_init(&mod->core_layout, set_memory_rw); +@@ -1920,6 +1923,9 @@ void module_disable_ro(const struct module *mod) + + void module_enable_ro(const struct module *mod, bool after_init) + { ++ if (!rodata_enabled) ++ return; ++ + frob_text(&mod->core_layout, set_memory_ro); + frob_rodata(&mod->core_layout, set_memory_ro); + frob_text(&mod->init_layout, set_memory_ro); +@@ -1952,6 +1958,9 @@ void set_all_modules_text_rw(void) + { + struct module *mod; + ++ if (!rodata_enabled) ++ return; ++ + mutex_lock(&module_mutex); + list_for_each_entry_rcu(mod, &modules, list) { + if (mod->state == MODULE_STATE_UNFORMED) +@@ -1968,6 +1977,9 @@ void set_all_modules_text_ro(void) + { + struct module *mod; + ++ if (!rodata_enabled) ++ return; ++ + mutex_lock(&module_mutex); + list_for_each_entry_rcu(mod, &modules, list) { + if (mod->state == MODULE_STATE_UNFORMED) +@@ -1981,10 +1993,12 @@ void set_all_modules_text_ro(void) + + static void disable_ro_nx(const struct module_layout *layout) + { +- frob_text(layout, set_memory_rw); +- frob_rodata(layout, set_memory_rw); ++ if (rodata_enabled) { ++ frob_text(layout, set_memory_rw); ++ frob_rodata(layout, set_memory_rw); ++ frob_ro_after_init(layout, set_memory_rw); ++ } + frob_rodata(layout, set_memory_x); +- frob_ro_after_init(layout, set_memory_rw); + frob_ro_after_init(layout, set_memory_x); + frob_writable_data(layout, set_memory_x); + } +diff --git a/mm/vmscan.c b/mm/vmscan.c +index cdd5c3b5c357..557ad1367595 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2966,7 +2966,7 @@ unsigned long try_to_free_pages(struct zonelist *zonelist, int order, + unsigned long nr_reclaimed; + struct scan_control sc = { + .nr_to_reclaim = SWAP_CLUSTER_MAX, +- .gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)), ++ .gfp_mask = memalloc_noio_flags(gfp_mask), + .reclaim_idx = gfp_zone(gfp_mask), + .order = order, + .nodemask = nodemask, +@@ -2981,12 +2981,12 @@ unsigned long try_to_free_pages(struct zonelist *zonelist, int order, + * 1 is returned so that the page allocator does not OOM kill at this + * point. + */ +- if (throttle_direct_reclaim(gfp_mask, zonelist, nodemask)) ++ if (throttle_direct_reclaim(sc.gfp_mask, zonelist, nodemask)) + return 1; + + trace_mm_vmscan_direct_reclaim_begin(order, + sc.may_writepage, +- gfp_mask, ++ sc.gfp_mask, + sc.reclaim_idx); + + nr_reclaimed = do_try_to_free_pages(zonelist, &sc); +@@ -3749,16 +3749,15 @@ static int __node_reclaim(struct pglist_data *pgdat, gfp_t gfp_mask, unsigned in + const unsigned long nr_pages = 1 << order; + struct task_struct *p = current; + struct reclaim_state reclaim_state; +- int classzone_idx = gfp_zone(gfp_mask); + struct scan_control sc = { + .nr_to_reclaim = max(nr_pages, SWAP_CLUSTER_MAX), +- .gfp_mask = (gfp_mask = memalloc_noio_flags(gfp_mask)), ++ .gfp_mask = memalloc_noio_flags(gfp_mask), + .order = order, + .priority = NODE_RECLAIM_PRIORITY, + .may_writepage = !!(node_reclaim_mode & RECLAIM_WRITE), + .may_unmap = !!(node_reclaim_mode & RECLAIM_UNMAP), + .may_swap = 1, +- .reclaim_idx = classzone_idx, ++ .reclaim_idx = gfp_zone(gfp_mask), + }; + + cond_resched(); +@@ -3768,7 +3767,7 @@ static int __node_reclaim(struct pglist_data *pgdat, gfp_t gfp_mask, unsigned in + * and RECLAIM_UNMAP. + */ + p->flags |= PF_MEMALLOC | PF_SWAPWRITE; +- lockdep_set_current_reclaim_state(gfp_mask); ++ lockdep_set_current_reclaim_state(sc.gfp_mask); + reclaim_state.reclaimed_slab = 0; + p->reclaim_state = &reclaim_state; + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 658c900752c6..ead4d1baeaa6 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2233,8 +2233,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) + else + sec_level = authreq_to_seclevel(auth); + +- if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) ++ if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) { ++ /* If link is already encrypted with sufficient security we ++ * still need refresh encryption as per Core Spec 5.0 Vol 3, ++ * Part H 2.4.6 ++ */ ++ smp_ltk_encrypt(conn, hcon->sec_level); + return 0; ++ } + + if (sec_level > hcon->pending_sec_level) + hcon->pending_sec_level = sec_level; +diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c +index 9637a681bdda..9adf16258cab 100644 +--- a/net/bridge/netfilter/ebt_among.c ++++ b/net/bridge/netfilter/ebt_among.c +@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w) + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); + } + ++static bool wormhash_offset_invalid(int off, unsigned int len) ++{ ++ if (off == 0) /* not present */ ++ return false; ++ ++ if (off < (int)sizeof(struct ebt_among_info) || ++ off % __alignof__(struct ebt_mac_wormhash)) ++ return true; ++ ++ off += sizeof(struct ebt_mac_wormhash); ++ ++ return off > len; ++} ++ ++static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b) ++{ ++ if (a == 0) ++ a = sizeof(struct ebt_among_info); ++ ++ return ebt_mac_wormhash_size(wh) + a == b; ++} ++ + static int ebt_among_mt_check(const struct xt_mtchk_param *par) + { + const struct ebt_among_info *info = par->matchinfo; +@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par) + if (expected_length > em->match_size) + return -EINVAL; + ++ if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) || ++ wormhash_offset_invalid(info->wh_src_ofs, em->match_size)) ++ return -EINVAL; ++ + wh_dst = ebt_among_wh_dst(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; +@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par) + if (poolsize_invalid(wh_src)) + return -EINVAL; + ++ if (info->wh_src_ofs < info->wh_dst_ofs) { ++ if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs)) ++ return -EINVAL; ++ } else { ++ if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs)) ++ return -EINVAL; ++ } ++ + expected_length += ebt_mac_wormhash_size(wh_src); + + if (em->match_size != EBT_ALIGN(expected_length)) { +diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c +index 574f7ebba0b6..ac8342dcb55e 100644 +--- a/net/ipv4/netfilter/nf_nat_h323.c ++++ b/net/ipv4/netfilter/nf_nat_h323.c +@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct, + if (set_h245_addr(skb, protoff, data, dataoff, taddr, + &ct->tuplehash[!dir].tuple.dst.u3, + htons((port & htons(1)) ? nated_port + 1 : +- nated_port)) == 0) { +- /* Save ports */ +- info->rtp_port[i][dir] = rtp_port; +- info->rtp_port[i][!dir] = htons(nated_port); +- } else { ++ nated_port))) { + nf_ct_unexpect_related(rtp_exp); + nf_ct_unexpect_related(rtcp_exp); + return -1; + } + ++ /* Save ports */ ++ info->rtp_port[i][dir] = rtp_port; ++ info->rtp_port[i][!dir] = htons(nated_port); ++ + /* Success */ + pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n", + &rtp_exp->tuple.src.u3.ip, +@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct, + /* Modify signal */ + if (set_h225_addr(skb, protoff, data, dataoff, taddr, + &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { +- /* Save ports */ +- info->sig_port[dir] = port; +- info->sig_port[!dir] = htons(nated_port); +- } else { ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } + ++ /* Save ports */ ++ info->sig_port[dir] = port; ++ info->sig_port[!dir] = htons(nated_port); ++ + pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n", + &exp->tuple.src.u3.ip, + ntohs(exp->tuple.src.u.tcp.port), +@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct, + /* Modify signal */ + if (set_h225_addr(skb, protoff, data, 0, &taddr[idx], + &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { +- /* Save ports */ +- info->sig_port[dir] = port; +- info->sig_port[!dir] = htons(nated_port); +- +- /* Fix for Gnomemeeting */ +- if (idx > 0 && +- get_h225_addr(ct, *data, &taddr[0], &addr, &port) && +- (ntohl(addr.ip) & 0xff000000) == 0x7f000000) { +- set_h225_addr(skb, protoff, data, 0, &taddr[0], +- &ct->tuplehash[!dir].tuple.dst.u3, +- info->sig_port[!dir]); +- } +- } else { ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } + ++ /* Save ports */ ++ info->sig_port[dir] = port; ++ info->sig_port[!dir] = htons(nated_port); ++ ++ /* Fix for Gnomemeeting */ ++ if (idx > 0 && ++ get_h225_addr(ct, *data, &taddr[0], &addr, &port) && ++ (ntohl(addr.ip) & 0xff000000) == 0x7f000000) { ++ if (set_h225_addr(skb, protoff, data, 0, &taddr[0], ++ &ct->tuplehash[!dir].tuple.dst.u3, ++ info->sig_port[!dir])) { ++ nf_ct_unexpect_related(exp); ++ return -1; ++ } ++ } ++ + /* Success */ + pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n", + &exp->tuple.src.u3.ip, +@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct, + } + + /* Modify signal */ +- if (!set_h225_addr(skb, protoff, data, dataoff, taddr, +- &ct->tuplehash[!dir].tuple.dst.u3, +- htons(nated_port)) == 0) { ++ if (set_h225_addr(skb, protoff, data, dataoff, taddr, ++ &ct->tuplehash[!dir].tuple.dst.u3, ++ htons(nated_port))) { + nf_ct_unexpect_related(exp); + return -1; + } +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 345efeb887ef..912333586de6 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -625,7 +625,6 @@ static void vti6_link_config(struct ip6_tnl *t) + { + struct net_device *dev = t->dev; + struct __ip6_tnl_parm *p = &t->parms; +- struct net_device *tdev = NULL; + + memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr)); + memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr)); +@@ -638,25 +637,6 @@ static void vti6_link_config(struct ip6_tnl *t) + dev->flags |= IFF_POINTOPOINT; + else + dev->flags &= ~IFF_POINTOPOINT; +- +- if (p->flags & IP6_TNL_F_CAP_XMIT) { +- int strict = (ipv6_addr_type(&p->raddr) & +- (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); +- struct rt6_info *rt = rt6_lookup(t->net, +- &p->raddr, &p->laddr, +- p->link, strict); +- +- if (rt) +- tdev = rt->dst.dev; +- ip6_rt_put(rt); +- } +- +- if (!tdev && p->link) +- tdev = __dev_get_by_index(t->net, p->link); +- +- if (tdev) +- dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len, +- IPV6_MIN_MTU); + } + + /** +diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c +index d31818e7d10c..a5acaf1efaab 100644 +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -427,7 +427,7 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata, + case NL80211_CHAN_WIDTH_5: + case NL80211_CHAN_WIDTH_10: + cfg80211_chandef_create(&chandef, cbss->channel, +- NL80211_CHAN_WIDTH_20_NOHT); ++ NL80211_CHAN_NO_HT); + chandef.width = sdata->u.ibss.chandef.width; + break; + case NL80211_CHAN_WIDTH_80: +@@ -439,7 +439,7 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata, + default: + /* fall back to 20 MHz for unsupported modes */ + cfg80211_chandef_create(&chandef, cbss->channel, +- NL80211_CHAN_WIDTH_20_NOHT); ++ NL80211_CHAN_NO_HT); + break; + } + +diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c +index dbceb42c2a8e..e6096dfd0210 100644 +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -173,9 +173,11 @@ ieee80211_rate_control_ops_get(const char *name) + /* try default if specific alg requested but not found */ + ops = ieee80211_try_rate_control_ops_get(ieee80211_default_rc_algo); + +- /* try built-in one if specific alg requested but not found */ +- if (!ops && strlen(CONFIG_MAC80211_RC_DEFAULT)) ++ /* Note: check for > 0 is intentional to avoid clang warning */ ++ if (!ops && (strlen(CONFIG_MAC80211_RC_DEFAULT) > 0)) ++ /* try built-in one if specific alg requested but not found */ + ops = ieee80211_try_rate_control_ops_get(CONFIG_MAC80211_RC_DEFAULT); ++ + kernel_param_unlock(THIS_MODULE); + + return ops; +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index d5caed5bcfb1..d49a4639465f 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1008,9 +1008,8 @@ static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { + + static int + ctnetlink_parse_tuple(const struct nlattr * const cda[], +- struct nf_conntrack_tuple *tuple, +- enum ctattr_type type, u_int8_t l3num, +- struct nf_conntrack_zone *zone) ++ struct nf_conntrack_tuple *tuple, u32 type, ++ u_int8_t l3num, struct nf_conntrack_zone *zone) + { + struct nlattr *tb[CTA_TUPLE_MAX+1]; + int err; +@@ -2409,7 +2408,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = { + + static int ctnetlink_exp_dump_tuple(struct sk_buff *skb, + const struct nf_conntrack_tuple *tuple, +- enum ctattr_expect type) ++ u32 type) + { + struct nlattr *nest_parms; + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 7ad1a863587a..59be89813a29 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -367,6 +367,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) + return buf; + } + ++/** ++ * xt_check_proc_name - check that name is suitable for /proc file creation ++ * ++ * @name: file name candidate ++ * @size: length of buffer ++ * ++ * some x_tables modules wish to create a file in /proc. ++ * This function makes sure that the name is suitable for this ++ * purpose, it checks that name is NUL terminated and isn't a 'special' ++ * name, like "..". ++ * ++ * returns negative number on error or 0 if name is useable. ++ */ ++int xt_check_proc_name(const char *name, unsigned int size) ++{ ++ if (name[0] == '\0') ++ return -EINVAL; ++ ++ if (strnlen(name, size) == size) ++ return -ENAMETOOLONG; ++ ++ if (strcmp(name, ".") == 0 || ++ strcmp(name, "..") == 0 || ++ strchr(name, '/')) ++ return -EINVAL; ++ ++ return 0; ++} ++EXPORT_SYMBOL(xt_check_proc_name); ++ + int xt_check_match(struct xt_mtchk_param *par, + unsigned int size, u_int8_t proto, bool inv_proto) + { +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index b89b688e9d01..a1a29cdc58fc 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -794,8 +794,9 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par) + struct hashlimit_cfg2 cfg = {}; + int ret; + +- if (info->name[sizeof(info->name) - 1] != '\0') +- return -EINVAL; ++ ret = xt_check_proc_name(info->name, sizeof(info->name)); ++ if (ret) ++ return ret; + + ret = cfg_copy(&cfg, (void *)&info->cfg, 1); + +@@ -809,9 +810,11 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par) + static int hashlimit_mt_check(const struct xt_mtchk_param *par) + { + struct xt_hashlimit_mtinfo2 *info = par->matchinfo; ++ int ret; + +- if (info->name[sizeof(info->name) - 1] != '\0') +- return -EINVAL; ++ ret = xt_check_proc_name(info->name, sizeof(info->name)); ++ if (ret) ++ return ret; + + return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg, + info->name, 2); +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index e3b7a09b103e..79d7ad621a80 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -361,9 +361,9 @@ static int recent_mt_check(const struct xt_mtchk_param *par, + info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); + return -EINVAL; + } +- if (info->name[0] == '\0' || +- strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) +- return -EINVAL; ++ ret = xt_check_proc_name(info->name, sizeof(info->name)); ++ if (ret) ++ return ret; + + if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot) + nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1; +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index a89061d59c74..36280e114959 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4081,7 +4081,7 @@ static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, + struct nlattr *rate; + u32 bitrate; + u16 bitrate_compat; +- enum nl80211_attrs rate_flg; ++ enum nl80211_rate_info rate_flg; + + rate = nla_nest_start(msg, attr); + if (!rate) +diff --git a/net/wireless/util.c b/net/wireless/util.c +index c921c2eed15d..bb54d9db82df 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -663,7 +663,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, + int offset, int len) + { + struct skb_shared_info *sh = skb_shinfo(skb); +- const skb_frag_t *frag = &sh->frags[-1]; ++ const skb_frag_t *frag = &sh->frags[0]; + struct page *frag_page; + void *frag_ptr; + int frag_len, frag_size; +@@ -676,10 +676,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, + + while (offset >= frag_size) { + offset -= frag_size; +- frag++; + frag_page = skb_frag_page(frag); + frag_ptr = skb_frag_address(frag); + frag_size = skb_frag_size(frag); ++ frag++; + } + + frag_ptr += offset; +@@ -691,12 +691,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, + len -= cur_len; + + while (len > 0) { +- frag++; + frag_len = skb_frag_size(frag); + cur_len = min(len, frag_len); + __frame_add_frag(frame, skb_frag_page(frag), + skb_frag_address(frag), cur_len, frag_len); + len -= cur_len; ++ frag++; + } + } + +diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c +index ccfdc7115a83..a00ec715aa46 100644 +--- a/net/xfrm/xfrm_ipcomp.c ++++ b/net/xfrm/xfrm_ipcomp.c +@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name) + struct crypto_comp *tfm; + + /* This can be any valid CPU ID so we don't need locking. */ +- tfm = __this_cpu_read(*pos->tfms); ++ tfm = this_cpu_read(*pos->tfms); + + if (!strcmp(crypto_comp_name(tfm), alg_name)) { + pos->users++; +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 13e0611a9085..fdb9742d934e 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1883,6 +1883,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen + struct xfrm_mgr *km; + struct xfrm_policy *pol = NULL; + ++#ifdef CONFIG_COMPAT ++ if (in_compat_syscall()) ++ return -EOPNOTSUPP; ++#endif ++ + if (!optval && !optlen) { + xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); + xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 5d33967d9aa1..6a029358bfd1 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -121,22 +121,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p, + struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; + struct xfrm_replay_state_esn *rs; + +- if (p->flags & XFRM_STATE_ESN) { +- if (!rt) +- return -EINVAL; ++ if (!rt) ++ return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; + +- rs = nla_data(rt); ++ rs = nla_data(rt); + +- if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) +- return -EINVAL; +- +- if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && +- nla_len(rt) != sizeof(*rs)) +- return -EINVAL; +- } ++ if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) ++ return -EINVAL; + +- if (!rt) +- return 0; ++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && ++ nla_len(rt) != sizeof(*rs)) ++ return -EINVAL; + + /* As only ESP and AH support ESN feature. */ + if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index b8278f3af9da..17627d8d5a26 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -406,18 +406,6 @@ static void superblock_free_security(struct super_block *sb) + kfree(sbsec); + } + +-/* The file system's label must be initialized prior to use. */ +- +-static const char *labeling_behaviors[7] = { +- "uses xattr", +- "uses transition SIDs", +- "uses task SIDs", +- "uses genfs_contexts", +- "not configured for labeling", +- "uses mountpoint labeling", +- "uses native labeling", +-}; +- + static inline int inode_doinit(struct inode *inode) + { + return inode_doinit_with_dentry(inode, NULL); +@@ -528,10 +516,6 @@ static int sb_finish_set_opts(struct super_block *sb) + } + } + +- if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) +- printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", +- sb->s_id, sb->s_type->name); +- + sbsec->flags |= SE_SBINITIALIZED; + if (selinux_is_sblabel_mnt(sb)) + sbsec->flags |= SBLABEL_MNT; +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 73275a92f2e2..d656b7c98394 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -155,7 +155,7 @@ static int selinux_set_mapping(struct policydb *pol, + } + + k = 0; +- while (p_in->perms && p_in->perms[k]) { ++ while (p_in->perms[k]) { + /* An empty permission string skips ahead */ + if (!*p_in->perms[k]) { + k++; +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 3e7c3573871d..fa8741afadf5 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1361,7 +1361,7 @@ static ssize_t snd_pcm_oss_write2(struct snd_pcm_substream *substream, const cha + static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) +@@ -1468,7 +1468,7 @@ static ssize_t snd_pcm_oss_read2(struct snd_pcm_substream *substream, char *buf, + static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 9d33c1e85c79..d503285867e7 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -3410,7 +3410,7 @@ int snd_pcm_lib_default_mmap(struct snd_pcm_substream *substream, + area, + substream->runtime->dma_area, + substream->runtime->dma_addr, +- area->vm_end - area->vm_start); ++ substream->runtime->dma_bytes); + #endif /* CONFIG_X86 */ + /* mmap with fault handler */ + area->vm_ops = &snd_pcm_vm_ops_data_fault; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 1cd7f8b0bf77..45655b9108e8 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1175,6 +1175,7 @@ static bool is_teac_dsd_dac(unsigned int id) + switch (id) { + case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */ + case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */ ++ case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */ + return true; + } + return false;
