commit: 34d9261639ae90116c1b17c082767e44530b9116 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Sat Apr 27 17:38:27 2019 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Sat Apr 27 17:38:27 2019 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=34d92616
Linux paycj 5.0.10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 + 1009_linux-5.0.10.patch | 4117 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 4121 insertions(+) diff --git a/0000_README b/0000_README index dda69ae..49a76eb 100644 --- a/0000_README +++ b/0000_README @@ -79,6 +79,10 @@ Patch: 1008_linux-5.0.9.patch From: http://www.kernel.org Desc: Linux 5.0.9 +Patch: 1009_linux-5.0.10.patch +From: http://www.kernel.org +Desc: Linux 5.0.10 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1009_linux-5.0.10.patch b/1009_linux-5.0.10.patch new file mode 100644 index 0000000..0659014 --- /dev/null +++ b/1009_linux-5.0.10.patch @@ -0,0 +1,4117 @@ +diff --git a/Makefile b/Makefile +index ef192ca04330..b282c4143b21 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 0 +-SUBLEVEL = 9 ++SUBLEVEL = 10 + EXTRAVERSION = + NAME = Shy Crocodile + +@@ -678,8 +678,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow) + KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE +-KBUILD_CFLAGS += $(call cc-option,-Oz,-Os) +-KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,) ++KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) + else + ifdef CONFIG_PROFILE_ALL_BRANCHES + KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h +index e1d95f08f8e1..c7e1a7837706 100644 +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -50,7 +50,7 @@ do { \ + static inline int + arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) + { +- int oldval, ret, tmp; ++ int oldval = 0, ret, tmp; + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); + + pagefault_disable(); +diff --git a/arch/s390/boot/mem_detect.c b/arch/s390/boot/mem_detect.c +index 4cb771ba13fa..5d316fe40480 100644 +--- a/arch/s390/boot/mem_detect.c ++++ b/arch/s390/boot/mem_detect.c +@@ -25,7 +25,7 @@ static void *mem_detect_alloc_extended(void) + { + unsigned long offset = ALIGN(mem_safe_offset(), sizeof(u64)); + +- if (IS_ENABLED(BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE && ++ if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE && + INITRD_START < offset + ENTRIES_EXTENDED_MAX) + offset = ALIGN(INITRD_START + INITRD_SIZE, sizeof(u64)); + +diff --git a/arch/x86/crypto/poly1305-avx2-x86_64.S b/arch/x86/crypto/poly1305-avx2-x86_64.S +index 3b6e70d085da..8457cdd47f75 100644 +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S +index c88c670cb5fc..5851c7418fb7 100644 +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index 0ecfac84ba91..d45f3fbd232e 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -117,22 +117,39 @@ static __initconst const u64 amd_hw_cache_event_ids + }; + + /* +- * AMD Performance Monitor K7 and later. ++ * AMD Performance Monitor K7 and later, up to and including Family 16h: + */ + static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] = + { +- [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, +- [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, +- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, +- [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, +- [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, +- [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ +- [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, ++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++}; ++ ++/* ++ * AMD Performance Monitor Family 17h and later: ++ */ ++static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] = ++{ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287, ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187, + }; + + static u64 amd_pmu_event_map(int hw_event) + { ++ if (boot_cpu_data.x86 >= 0x17) ++ return amd_f17h_perfmon_event_map[hw_event]; ++ + return amd_perfmon_event_map[hw_event]; + } + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 2480feb07df3..470d7daa915d 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3130,7 +3130,7 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event) + flags &= ~PERF_SAMPLE_TIME; + if (!event->attr.exclude_kernel) + flags &= ~PERF_SAMPLE_REGS_USER; +- if (event->attr.sample_regs_user & ~PEBS_REGS) ++ if (event->attr.sample_regs_user & ~PEBS_GP_REGS) + flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR); + return flags; + } +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index acd72e669c04..b68ab65454ff 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -96,25 +96,25 @@ struct amd_nb { + PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER | \ + PERF_SAMPLE_PERIOD) + +-#define PEBS_REGS \ +- (PERF_REG_X86_AX | \ +- PERF_REG_X86_BX | \ +- PERF_REG_X86_CX | \ +- PERF_REG_X86_DX | \ +- PERF_REG_X86_DI | \ +- PERF_REG_X86_SI | \ +- PERF_REG_X86_SP | \ +- PERF_REG_X86_BP | \ +- PERF_REG_X86_IP | \ +- PERF_REG_X86_FLAGS | \ +- PERF_REG_X86_R8 | \ +- PERF_REG_X86_R9 | \ +- PERF_REG_X86_R10 | \ +- PERF_REG_X86_R11 | \ +- PERF_REG_X86_R12 | \ +- PERF_REG_X86_R13 | \ +- PERF_REG_X86_R14 | \ +- PERF_REG_X86_R15) ++#define PEBS_GP_REGS \ ++ ((1ULL << PERF_REG_X86_AX) | \ ++ (1ULL << PERF_REG_X86_BX) | \ ++ (1ULL << PERF_REG_X86_CX) | \ ++ (1ULL << PERF_REG_X86_DX) | \ ++ (1ULL << PERF_REG_X86_DI) | \ ++ (1ULL << PERF_REG_X86_SI) | \ ++ (1ULL << PERF_REG_X86_SP) | \ ++ (1ULL << PERF_REG_X86_BP) | \ ++ (1ULL << PERF_REG_X86_IP) | \ ++ (1ULL << PERF_REG_X86_FLAGS) | \ ++ (1ULL << PERF_REG_X86_R8) | \ ++ (1ULL << PERF_REG_X86_R9) | \ ++ (1ULL << PERF_REG_X86_R10) | \ ++ (1ULL << PERF_REG_X86_R11) | \ ++ (1ULL << PERF_REG_X86_R12) | \ ++ (1ULL << PERF_REG_X86_R13) | \ ++ (1ULL << PERF_REG_X86_R14) | \ ++ (1ULL << PERF_REG_X86_R15)) + + /* + * Per register state. +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 01874d54f4fd..482383c2b184 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -275,7 +275,7 @@ static const struct { + const char *option; + enum spectre_v2_user_cmd cmd; + bool secure; +-} v2_user_options[] __initdata = { ++} v2_user_options[] __initconst = { + { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, + { "off", SPECTRE_V2_USER_CMD_NONE, false }, + { "on", SPECTRE_V2_USER_CMD_FORCE, true }, +@@ -419,7 +419,7 @@ static const struct { + const char *option; + enum spectre_v2_mitigation_cmd cmd; + bool secure; +-} mitigation_options[] __initdata = { ++} mitigation_options[] __initconst = { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, +@@ -658,7 +658,7 @@ static const char * const ssb_strings[] = { + static const struct { + const char *option; + enum ssb_mitigation_cmd cmd; +-} ssb_mitigation_options[] __initdata = { ++} ssb_mitigation_options[] __initconst = { + { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ + { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ + { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 4ba75afba527..f4b954ff5b89 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -569,6 +569,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -748,26 +749,48 @@ asm( + NOKPROBE_SYMBOL(kretprobe_trampoline); + STACK_FRAME_NON_STANDARD(kretprobe_trampoline); + ++static struct kprobe kretprobe_kprobe = { ++ .addr = (void *)kretprobe_trampoline, ++}; ++ + /* + * Called from kretprobe_trampoline + */ + static __used void *trampoline_handler(struct pt_regs *regs) + { ++ struct kprobe_ctlblk *kcb; + struct kretprobe_instance *ri = NULL; + struct hlist_head *head, empty_rp; + struct hlist_node *tmp; + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; ++ ++ preempt_disable(); ++ ++ /* ++ * Set a dummy kprobe for avoiding kretprobe recursion. ++ * Since kretprobe never run in kprobe handler, kprobe must not ++ * be running at this point. ++ */ ++ kcb = get_kprobe_ctlblk(); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); ++ kcb->kprobe_status = KPROBE_HIT_ACTIVE; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -789,8 +812,25 @@ static __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -808,14 +848,15 @@ static __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { + __this_cpu_write(current_kprobe, &ri->rp->kp); +- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; + ri->ret_addr = correct_ret_addr; + ri->rp->handler(ri, regs); +- __this_cpu_write(current_kprobe, NULL); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); + } + + recycle_rp_inst(ri, &empty_rp); +@@ -831,6 +872,9 @@ static __used void *trampoline_handler(struct pt_regs *regs) + + kretprobe_hash_unlock(current, &flags); + ++ __this_cpu_write(current_kprobe, NULL); ++ preempt_enable(); ++ + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + kfree(ri); +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 90ae0ca51083..9db049f06f2f 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -414,6 +414,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp, + u64 msr = x86_spec_ctrl_base; + bool updmsr = false; + ++ lockdep_assert_irqs_disabled(); ++ + /* + * If TIF_SSBD is different, select the proper mitigation + * method. Note that if SSBD mitigation is disabled or permanentely +@@ -465,10 +467,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) + + void speculation_ctrl_update(unsigned long tif) + { ++ unsigned long flags; ++ + /* Forced update. Make sure all relevant TIF flags are different */ +- preempt_disable(); ++ local_irq_save(flags); + __speculation_ctrl_update(~tif, tif); +- preempt_enable(); ++ local_irq_restore(flags); + } + + /* Called from seccomp/prctl update */ +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index c338984c850d..81be2165821f 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2575,15 +2575,13 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2597,13 +2595,16 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); + +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index a9b8e38d78ad..516c1de03d47 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2687,6 +2687,7 @@ static int npf_interception(struct vcpu_svm *svm) + static int db_interception(struct vcpu_svm *svm) + { + struct kvm_run *kvm_run = svm->vcpu.run; ++ struct kvm_vcpu *vcpu = &svm->vcpu; + + if (!(svm->vcpu.guest_debug & + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) && +@@ -2697,6 +2698,8 @@ static int db_interception(struct vcpu_svm *svm) + + if (svm->nmi_singlestep) { + disable_nmi_singlestep(svm); ++ /* Make sure we check for pending NMIs upon entry */ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -4512,14 +4515,25 @@ static int avic_incomplete_ipi_interception(struct vcpu_svm *svm) + kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: { ++ int i; ++ struct kvm_vcpu *vcpu; ++ struct kvm *kvm = svm->vcpu.kvm; + struct kvm_lapic *apic = svm->vcpu.arch.apic; + + /* +- * Update ICR high and low, then emulate sending IPI, +- * which is handled when writing APIC_ICR. ++ * At this point, we expect that the AVIC HW has already ++ * set the appropriate IRR bits on the valid target ++ * vcpus. So, we just need to kick the appropriate vcpu. + */ +- kvm_lapic_reg_write(apic, APIC_ICR2, icrh); +- kvm_lapic_reg_write(apic, APIC_ICR, icrl); ++ kvm_for_each_vcpu(i, vcpu, kvm) { ++ bool m = kvm_apic_match_dest(vcpu, apic, ++ icrl & KVM_APIC_SHORT_MASK, ++ GET_APIC_DEST_FIELD(icrh), ++ icrl & KVM_APIC_DEST_MASK); ++ ++ if (m && !avic_vcpu_is_running(vcpu)) ++ kvm_vcpu_wake_up(vcpu); ++ } + break; + } + case AVIC_IPI_FAILURE_INVALID_TARGET: +@@ -5620,6 +5634,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) + svm->vmcb->save.cr2 = vcpu->arch.cr2; + + clgi(); ++ kvm_load_guest_xcr0(vcpu); + + /* + * If this vCPU has touched SPEC_CTRL, restore the guest's value if +@@ -5765,6 +5780,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) + if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI)) + kvm_before_interrupt(&svm->vcpu); + ++ kvm_put_guest_xcr0(vcpu); + stgi(); + + /* Any pending NMI will happen here */ +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index a0a770816429..34499081022c 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6548,6 +6548,8 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu) + if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) + vmx_set_interrupt_shadow(vcpu, 0); + ++ kvm_load_guest_xcr0(vcpu); ++ + if (static_cpu_has(X86_FEATURE_PKU) && + kvm_read_cr4_bits(vcpu, X86_CR4_PKE) && + vcpu->arch.pkru != vmx->host_pkru) +@@ -6635,6 +6637,8 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu) + __write_pkru(vmx->host_pkru); + } + ++ kvm_put_guest_xcr0(vcpu); ++ + vmx->nested.nested_run_pending = 0; + vmx->idt_vectoring_info = 0; + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 7ee802a92bc8..2db58067bb59 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -800,7 +800,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw) + } + EXPORT_SYMBOL_GPL(kvm_lmsw); + +-static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu) ++void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu) + { + if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE) && + !vcpu->guest_xcr0_loaded) { +@@ -810,8 +810,9 @@ static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu) + vcpu->guest_xcr0_loaded = 1; + } + } ++EXPORT_SYMBOL_GPL(kvm_load_guest_xcr0); + +-static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu) ++void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu) + { + if (vcpu->guest_xcr0_loaded) { + if (vcpu->arch.xcr0 != host_xcr0) +@@ -819,6 +820,7 @@ static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu) + vcpu->guest_xcr0_loaded = 0; + } + } ++EXPORT_SYMBOL_GPL(kvm_put_guest_xcr0); + + static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) + { +@@ -7856,8 +7858,6 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) + goto cancel_injection; + } + +- kvm_load_guest_xcr0(vcpu); +- + if (req_immediate_exit) { + kvm_make_request(KVM_REQ_EVENT, vcpu); + kvm_x86_ops->request_immediate_exit(vcpu); +@@ -7910,8 +7910,6 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) + vcpu->mode = OUTSIDE_GUEST_MODE; + smp_wmb(); + +- kvm_put_guest_xcr0(vcpu); +- + kvm_before_interrupt(vcpu); + kvm_x86_ops->handle_external_intr(vcpu); + kvm_after_interrupt(vcpu); +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h +index 20ede17202bf..de3d46769ee3 100644 +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -347,4 +347,6 @@ static inline void kvm_after_interrupt(struct kvm_vcpu *vcpu) + __this_cpu_write(current_vcpu, NULL); + } + ++void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu); ++void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu); + #endif +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index ca8e8ebef309..db496aa360a3 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -5706,7 +5706,49 @@ static const struct hash_testvec poly1305_tv_template[] = { + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* NHPoly1305 test vectors from https://github.com/google/adiantum */ +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index f75f8f870ce3..4be4dc3e8aa6 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1319,19 +1319,30 @@ static ssize_t scrub_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct nvdimm_bus_descriptor *nd_desc; ++ struct acpi_nfit_desc *acpi_desc; + ssize_t rc = -ENXIO; ++ bool busy; + + device_lock(dev); + nd_desc = dev_get_drvdata(dev); +- if (nd_desc) { +- struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc); ++ if (!nd_desc) { ++ device_unlock(dev); ++ return rc; ++ } ++ acpi_desc = to_acpi_desc(nd_desc); + +- mutex_lock(&acpi_desc->init_mutex); +- rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, +- acpi_desc->scrub_busy +- && !acpi_desc->cancel ? "+\n" : "\n"); +- mutex_unlock(&acpi_desc->init_mutex); ++ mutex_lock(&acpi_desc->init_mutex); ++ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags) ++ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags); ++ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n"); ++ /* Allow an admin to poll the busy state at a higher rate */ ++ if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL, ++ &acpi_desc->scrub_flags)) { ++ acpi_desc->scrub_tmo = 1; ++ mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ); + } ++ ++ mutex_unlock(&acpi_desc->init_mutex); + device_unlock(dev); + return rc; + } +@@ -2650,7 +2661,10 @@ static int ars_start(struct acpi_nfit_desc *acpi_desc, + + if (rc < 0) + return rc; +- return cmd_rc; ++ if (cmd_rc < 0) ++ return cmd_rc; ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); ++ return 0; + } + + static int ars_continue(struct acpi_nfit_desc *acpi_desc) +@@ -2660,11 +2674,11 @@ static int ars_continue(struct acpi_nfit_desc *acpi_desc) + struct nvdimm_bus_descriptor *nd_desc = &acpi_desc->nd_desc; + struct nd_cmd_ars_status *ars_status = acpi_desc->ars_status; + +- memset(&ars_start, 0, sizeof(ars_start)); +- ars_start.address = ars_status->restart_address; +- ars_start.length = ars_status->restart_length; +- ars_start.type = ars_status->type; +- ars_start.flags = acpi_desc->ars_start_flags; ++ ars_start = (struct nd_cmd_ars_start) { ++ .address = ars_status->restart_address, ++ .length = ars_status->restart_length, ++ .type = ars_status->type, ++ }; + rc = nd_desc->ndctl(nd_desc, NULL, ND_CMD_ARS_START, &ars_start, + sizeof(ars_start), &cmd_rc); + if (rc < 0) +@@ -2743,6 +2757,17 @@ static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc) + */ + if (ars_status->out_length < 44) + return 0; ++ ++ /* ++ * Ignore potentially stale results that are only refreshed ++ * after a start-ARS event. ++ */ ++ if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) { ++ dev_dbg(acpi_desc->dev, "skip %d stale records\n", ++ ars_status->num_records); ++ return 0; ++ } ++ + for (i = 0; i < ars_status->num_records; i++) { + /* only process full records */ + if (ars_status->out_length +@@ -3081,7 +3106,7 @@ static unsigned int __acpi_nfit_scrub(struct acpi_nfit_desc *acpi_desc, + + lockdep_assert_held(&acpi_desc->init_mutex); + +- if (acpi_desc->cancel) ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) + return 0; + + if (query_rc == -EBUSY) { +@@ -3155,7 +3180,7 @@ static void __sched_ars(struct acpi_nfit_desc *acpi_desc, unsigned int tmo) + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 1; ++ set_bit(ARS_BUSY, &acpi_desc->scrub_flags); + /* note this should only be set from within the workqueue */ + if (tmo) + acpi_desc->scrub_tmo = tmo; +@@ -3171,7 +3196,7 @@ static void notify_ars_done(struct acpi_nfit_desc *acpi_desc) + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 0; ++ clear_bit(ARS_BUSY, &acpi_desc->scrub_flags); + acpi_desc->scrub_count++; + if (acpi_desc->scrub_count_state) + sysfs_notify_dirent(acpi_desc->scrub_count_state); +@@ -3192,6 +3217,7 @@ static void acpi_nfit_scrub(struct work_struct *work) + else + notify_ars_done(acpi_desc); + memset(acpi_desc->ars_status, 0, acpi_desc->max_ars); ++ clear_bit(ARS_POLL, &acpi_desc->scrub_flags); + mutex_unlock(&acpi_desc->init_mutex); + } + +@@ -3226,6 +3252,7 @@ static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc) + struct nfit_spa *nfit_spa; + int rc; + ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); + list_for_each_entry(nfit_spa, &acpi_desc->spas, list) { + switch (nfit_spa_type(nfit_spa->spa)) { + case NFIT_SPA_VOLATILE: +@@ -3460,7 +3487,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfit_desc *acpi_desc, + struct nfit_spa *nfit_spa; + + mutex_lock(&acpi_desc->init_mutex); +- if (acpi_desc->cancel) { ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) { + mutex_unlock(&acpi_desc->init_mutex); + return 0; + } +@@ -3539,7 +3566,7 @@ void acpi_nfit_shutdown(void *data) + mutex_unlock(&acpi_desc_lock); + + mutex_lock(&acpi_desc->init_mutex); +- acpi_desc->cancel = 1; ++ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags); + cancel_delayed_work_sync(&acpi_desc->dwork); + mutex_unlock(&acpi_desc->init_mutex); + +diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h +index 33691aecfcee..0cbe5009eb2c 100644 +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -210,6 +210,13 @@ struct nfit_mem { + int family; + }; + ++enum scrub_flags { ++ ARS_BUSY, ++ ARS_CANCEL, ++ ARS_VALID, ++ ARS_POLL, ++}; ++ + struct acpi_nfit_desc { + struct nvdimm_bus_descriptor nd_desc; + struct acpi_table_header acpi_header; +@@ -223,7 +230,6 @@ struct acpi_nfit_desc { + struct list_head idts; + struct nvdimm_bus *nvdimm_bus; + struct device *dev; +- u8 ars_start_flags; + struct nd_cmd_ars_status *ars_status; + struct nfit_spa *scrub_spa; + struct delayed_work dwork; +@@ -232,8 +238,7 @@ struct acpi_nfit_desc { + unsigned int max_ars; + unsigned int scrub_count; + unsigned int scrub_mode; +- unsigned int scrub_busy:1; +- unsigned int cancel:1; ++ unsigned long scrub_flags; + unsigned long dimm_cmd_force_en; + unsigned long bus_cmd_force_en; + unsigned long bus_nfit_cmd_force_en; +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index 048cbf7d5233..23125f276ff1 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -505,7 +505,7 @@ static ssize_t probe_store(struct device *dev, struct device_attribute *attr, + + ret = lock_device_hotplug_sysfs(); + if (ret) +- goto out; ++ return ret; + + nid = memory_add_physaddr_to_nid(phys_addr); + ret = __add_memory(nid, phys_addr, +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index c518659b4d9f..ff9dd9adf803 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -214,6 +214,9 @@ struct ipmi_user { + + /* Does this interface receive IPMI events? */ + bool gets_events; ++ ++ /* Free must run in process context for RCU cleanup. */ ++ struct work_struct remove_work; + }; + + static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index) +@@ -1079,6 +1082,15 @@ static int intf_err_seq(struct ipmi_smi *intf, + } + + ++static void free_user_work(struct work_struct *work) ++{ ++ struct ipmi_user *user = container_of(work, struct ipmi_user, ++ remove_work); ++ ++ cleanup_srcu_struct(&user->release_barrier); ++ kfree(user); ++} ++ + int ipmi_create_user(unsigned int if_num, + const struct ipmi_user_hndl *handler, + void *handler_data, +@@ -1122,6 +1134,8 @@ int ipmi_create_user(unsigned int if_num, + goto out_kfree; + + found: ++ INIT_WORK(&new_user->remove_work, free_user_work); ++ + rv = init_srcu_struct(&new_user->release_barrier); + if (rv) + goto out_kfree; +@@ -1184,8 +1198,9 @@ EXPORT_SYMBOL(ipmi_get_smi_info); + static void free_user(struct kref *ref) + { + struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount); +- cleanup_srcu_struct(&user->release_barrier); +- kfree(user); ++ ++ /* SRCU cleanup must happen in task context. */ ++ schedule_work(&user->remove_work); + } + + static void _ipmi_destroy_user(struct ipmi_user *user) +diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c +index 1b8fa9de2cac..41b9f6c92da7 100644 +--- a/drivers/char/tpm/eventlog/tpm2.c ++++ b/drivers/char/tpm/eventlog/tpm2.c +@@ -37,8 +37,8 @@ + * + * Returns size of the event. If it is an invalid event, returns 0. + */ +-static int calc_tpm2_event_size(struct tcg_pcr_event2 *event, +- struct tcg_pcr_event *event_header) ++static size_t calc_tpm2_event_size(struct tcg_pcr_event2 *event, ++ struct tcg_pcr_event *event_header) + { + struct tcg_efi_specid_event *efispecid; + struct tcg_event_field *event_field; +diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c +index 5eecad233ea1..744b0237300a 100644 +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -203,12 +203,19 @@ __poll_t tpm_common_poll(struct file *file, poll_table *wait) + __poll_t mask = 0; + + poll_wait(file, &priv->async_wait, wait); ++ mutex_lock(&priv->buffer_mutex); + +- if (!priv->response_read || priv->response_length) ++ /* ++ * The response_length indicates if there is still response ++ * (or part of it) to be consumed. Partial reads decrease it ++ * by the number of bytes read, and write resets it the zero. ++ */ ++ if (priv->response_length) + mask = EPOLLIN | EPOLLRDNORM; + else + mask = EPOLLOUT | EPOLLWRNORM; + ++ mutex_unlock(&priv->buffer_mutex); + return mask; + } + +diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c +index 32a8e27c5382..cc4e642d3180 100644 +--- a/drivers/char/tpm/tpm_i2c_atmel.c ++++ b/drivers/char/tpm/tpm_i2c_atmel.c +@@ -69,6 +69,10 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len) + if (status < 0) + return status; + ++ /* The upper layer does not support incomplete sends. */ ++ if (status != len) ++ return -E2BIG; ++ + return 0; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c +index d0d966d6080a..1696644ec022 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c +@@ -182,6 +182,7 @@ static void mmhub_v1_0_init_cache_regs(struct amdgpu_device *adev) + tmp = REG_SET_FIELD(tmp, VM_L2_CNTL3, + L2_CACHE_BIGK_FRAGMENT_SIZE, 6); + } ++ WREG32_SOC15(MMHUB, 0, mmVM_L2_CNTL3, tmp); + + tmp = mmVM_L2_CNTL4_DEFAULT; + tmp = REG_SET_FIELD(tmp, VM_L2_CNTL4, VMC_TAP_PDE_REQUEST_PHYSICAL, 0); +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c +index f841accc2c00..f77c81db161b 100644 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c +@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, + } + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +- if (!(flags & TTM_PAGE_FLAG_DMA32)) { ++ if (!(flags & TTM_PAGE_FLAG_DMA32) && ++ (npages - i) >= HPAGE_PMD_NR) { + for (j = 0; j < HPAGE_PMD_NR; ++j) + if (p++ != pages[i + j]) + break; +@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, + unsigned max_size, n2free; + + spin_lock_irqsave(&huge->lock, irq_flags); +- while (i < npages) { ++ while ((npages - i) >= HPAGE_PMD_NR) { + struct page *p = pages[i]; + unsigned j; + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 2dc628d4f1ae..1412abcff010 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1980,7 +1980,6 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master, + { + struct i3c_dev_boardinfo *boardinfo; + struct device *dev = &master->dev; +- struct i3c_device_info info = { }; + enum i3c_addr_slot_status addrstatus; + u32 init_dyn_addr = 0; + +@@ -2012,8 +2011,8 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master, + + boardinfo->pid = ((u64)reg[1] << 32) | reg[2]; + +- if ((info.pid & GENMASK_ULL(63, 48)) || +- I3C_PID_RND_LOWER_32BITS(info.pid)) ++ if ((boardinfo->pid & GENMASK_ULL(63, 48)) || ++ I3C_PID_RND_LOWER_32BITS(boardinfo->pid)) + return -EINVAL; + + boardinfo->init_dyn_addr = init_dyn_addr; +diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c +index bb03079fbade..ec385fbfef4c 100644 +--- a/drivers/i3c/master/dw-i3c-master.c ++++ b/drivers/i3c/master/dw-i3c-master.c +@@ -300,7 +300,7 @@ to_dw_i3c_master(struct i3c_master_controller *master) + + static void dw_i3c_master_disable(struct dw_i3c_master *master) + { +- writel(readl(master->regs + DEVICE_CTRL) & DEV_CTRL_ENABLE, ++ writel(readl(master->regs + DEVICE_CTRL) & ~DEV_CTRL_ENABLE, + master->regs + DEVICE_CTRL); + } + +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index 7096e577b23f..50f3ff386bea 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1437,6 +1437,8 @@ static int kxcjk1013_resume(struct device *dev) + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index ff5f2da2e1b1..54d9978b2740 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta, + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); +diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c +index 75d2f73582a3..596841a3c4db 100644 +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_dev *idev, + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; +diff --git a/drivers/iio/chemical/bme680.h b/drivers/iio/chemical/bme680.h +index 0ae89b87e2d6..4edc5d21cb9f 100644 +--- a/drivers/iio/chemical/bme680.h ++++ b/drivers/iio/chemical/bme680.h +@@ -2,11 +2,9 @@ + #ifndef BME680_H_ + #define BME680_H_ + +-#define BME680_REG_CHIP_I2C_ID 0xD0 +-#define BME680_REG_CHIP_SPI_ID 0x50 ++#define BME680_REG_CHIP_ID 0xD0 + #define BME680_CHIP_ID_VAL 0x61 +-#define BME680_REG_SOFT_RESET_I2C 0xE0 +-#define BME680_REG_SOFT_RESET_SPI 0x60 ++#define BME680_REG_SOFT_RESET 0xE0 + #define BME680_CMD_SOFTRESET 0xB6 + #define BME680_REG_STATUS 0x73 + #define BME680_SPI_MEM_PAGE_BIT BIT(4) +diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c +index 70c1fe4366f4..ccde4c65ff93 100644 +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -63,9 +63,23 @@ struct bme680_data { + s32 t_fine; + }; + ++static const struct regmap_range bme680_volatile_ranges[] = { ++ regmap_reg_range(BME680_REG_MEAS_STAT_0, BME680_REG_GAS_R_LSB), ++ regmap_reg_range(BME680_REG_STATUS, BME680_REG_STATUS), ++ regmap_reg_range(BME680_T2_LSB_REG, BME680_GH3_REG), ++}; ++ ++static const struct regmap_access_table bme680_volatile_table = { ++ .yes_ranges = bme680_volatile_ranges, ++ .n_yes_ranges = ARRAY_SIZE(bme680_volatile_ranges), ++}; ++ + const struct regmap_config bme680_regmap_config = { + .reg_bits = 8, + .val_bits = 8, ++ .max_register = 0xef, ++ .volatile_table = &bme680_volatile_table, ++ .cache_type = REGCACHE_RBTREE, + }; + EXPORT_SYMBOL(bme680_regmap_config); + +@@ -316,6 +330,10 @@ static s16 bme680_compensate_temp(struct bme680_data *data, + s64 var1, var2, var3; + s16 calc_temp; + ++ /* If the calibration is invalid, attempt to reload it */ ++ if (!calib->par_t2) ++ bme680_read_calib(data, calib); ++ + var1 = (adc_temp >> 3) - (calib->par_t1 << 1); + var2 = (var1 * calib->par_t2) >> 11; + var3 = ((var1 >> 1) * (var1 >> 1)) >> 12; +@@ -583,8 +601,7 @@ static int bme680_gas_config(struct bme680_data *data) + return ret; + } + +-static int bme680_read_temp(struct bme680_data *data, +- int *val, int *val2) ++static int bme680_read_temp(struct bme680_data *data, int *val) + { + struct device *dev = regmap_get_device(data->regmap); + int ret; +@@ -617,10 +634,9 @@ static int bme680_read_temp(struct bme680_data *data, + * compensate_press/compensate_humid to get compensated + * pressure/humidity readings. + */ +- if (val && val2) { +- *val = comp_temp; +- *val2 = 100; +- return IIO_VAL_FRACTIONAL; ++ if (val) { ++ *val = comp_temp * 10; /* Centidegrees to millidegrees */ ++ return IIO_VAL_INT; + } + + return ret; +@@ -635,7 +651,7 @@ static int bme680_read_press(struct bme680_data *data, + s32 adc_press; + + /* Read and compensate temperature to get a reading of t_fine */ +- ret = bme680_read_temp(data, NULL, NULL); ++ ret = bme680_read_temp(data, NULL); + if (ret < 0) + return ret; + +@@ -668,7 +684,7 @@ static int bme680_read_humid(struct bme680_data *data, + u32 comp_humidity; + + /* Read and compensate temperature to get a reading of t_fine */ +- ret = bme680_read_temp(data, NULL, NULL); ++ ret = bme680_read_temp(data, NULL); + if (ret < 0) + return ret; + +@@ -761,7 +777,7 @@ static int bme680_read_raw(struct iio_dev *indio_dev, + case IIO_CHAN_INFO_PROCESSED: + switch (chan->type) { + case IIO_TEMP: +- return bme680_read_temp(data, val, val2); ++ return bme680_read_temp(data, val); + case IIO_PRESSURE: + return bme680_read_press(data, val, val2); + case IIO_HUMIDITYRELATIVE: +@@ -867,8 +883,28 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap, + { + struct iio_dev *indio_dev; + struct bme680_data *data; ++ unsigned int val; + int ret; + ++ ret = regmap_write(regmap, BME680_REG_SOFT_RESET, ++ BME680_CMD_SOFTRESET); ++ if (ret < 0) { ++ dev_err(dev, "Failed to reset chip\n"); ++ return ret; ++ } ++ ++ ret = regmap_read(regmap, BME680_REG_CHIP_ID, &val); ++ if (ret < 0) { ++ dev_err(dev, "Error reading chip ID\n"); ++ return ret; ++ } ++ ++ if (val != BME680_CHIP_ID_VAL) { ++ dev_err(dev, "Wrong chip ID, got %x expected %x\n", ++ val, BME680_CHIP_ID_VAL); ++ return -ENODEV; ++ } ++ + indio_dev = devm_iio_device_alloc(dev, sizeof(*data)); + if (!indio_dev) + return -ENOMEM; +diff --git a/drivers/iio/chemical/bme680_i2c.c b/drivers/iio/chemical/bme680_i2c.c +index 06d4be539d2e..cfc4449edf1b 100644 +--- a/drivers/iio/chemical/bme680_i2c.c ++++ b/drivers/iio/chemical/bme680_i2c.c +@@ -23,8 +23,6 @@ static int bme680_i2c_probe(struct i2c_client *client, + { + struct regmap *regmap; + const char *name = NULL; +- unsigned int val; +- int ret; + + regmap = devm_regmap_init_i2c(client, &bme680_regmap_config); + if (IS_ERR(regmap)) { +@@ -33,25 +31,6 @@ static int bme680_i2c_probe(struct i2c_client *client, + return PTR_ERR(regmap); + } + +- ret = regmap_write(regmap, BME680_REG_SOFT_RESET_I2C, +- BME680_CMD_SOFTRESET); +- if (ret < 0) { +- dev_err(&client->dev, "Failed to reset chip\n"); +- return ret; +- } +- +- ret = regmap_read(regmap, BME680_REG_CHIP_I2C_ID, &val); +- if (ret < 0) { +- dev_err(&client->dev, "Error reading I2C chip ID\n"); +- return ret; +- } +- +- if (val != BME680_CHIP_ID_VAL) { +- dev_err(&client->dev, "Wrong chip ID, got %x expected %x\n", +- val, BME680_CHIP_ID_VAL); +- return -ENODEV; +- } +- + if (id) + name = id->name; + +diff --git a/drivers/iio/chemical/bme680_spi.c b/drivers/iio/chemical/bme680_spi.c +index c9fb05e8d0b9..881778e55d38 100644 +--- a/drivers/iio/chemical/bme680_spi.c ++++ b/drivers/iio/chemical/bme680_spi.c +@@ -11,28 +11,93 @@ + + #include "bme680.h" + ++struct bme680_spi_bus_context { ++ struct spi_device *spi; ++ u8 current_page; ++}; ++ ++/* ++ * In SPI mode there are only 7 address bits, a "page" register determines ++ * which part of the 8-bit range is active. This function looks at the address ++ * and writes the page selection bit if needed ++ */ ++static int bme680_regmap_spi_select_page( ++ struct bme680_spi_bus_context *ctx, u8 reg) ++{ ++ struct spi_device *spi = ctx->spi; ++ int ret; ++ u8 buf[2]; ++ u8 page = (reg & 0x80) ? 0 : 1; /* Page "1" is low range */ ++ ++ if (page == ctx->current_page) ++ return 0; ++ ++ /* ++ * Data sheet claims we're only allowed to change bit 4, so we must do ++ * a read-modify-write on each and every page select ++ */ ++ buf[0] = BME680_REG_STATUS; ++ ret = spi_write_then_read(spi, buf, 1, buf + 1, 1); ++ if (ret < 0) { ++ dev_err(&spi->dev, "failed to set page %u\n", page); ++ return ret; ++ } ++ ++ buf[0] = BME680_REG_STATUS; ++ if (page) ++ buf[1] |= BME680_SPI_MEM_PAGE_BIT; ++ else ++ buf[1] &= ~BME680_SPI_MEM_PAGE_BIT; ++ ++ ret = spi_write(spi, buf, 2); ++ if (ret < 0) { ++ dev_err(&spi->dev, "failed to set page %u\n", page); ++ return ret; ++ } ++ ++ ctx->current_page = page; ++ ++ return 0; ++} ++ + static int bme680_regmap_spi_write(void *context, const void *data, + size_t count) + { +- struct spi_device *spi = context; ++ struct bme680_spi_bus_context *ctx = context; ++ struct spi_device *spi = ctx->spi; ++ int ret; + u8 buf[2]; + + memcpy(buf, data, 2); ++ ++ ret = bme680_regmap_spi_select_page(ctx, buf[0]); ++ if (ret) ++ return ret; ++ + /* + * The SPI register address (= full register address without bit 7) + * and the write command (bit7 = RW = '0') + */ + buf[0] &= ~0x80; + +- return spi_write_then_read(spi, buf, 2, NULL, 0); ++ return spi_write(spi, buf, 2); + } + + static int bme680_regmap_spi_read(void *context, const void *reg, + size_t reg_size, void *val, size_t val_size) + { +- struct spi_device *spi = context; ++ struct bme680_spi_bus_context *ctx = context; ++ struct spi_device *spi = ctx->spi; ++ int ret; ++ u8 addr = *(const u8 *)reg; ++ ++ ret = bme680_regmap_spi_select_page(ctx, addr); ++ if (ret) ++ return ret; + +- return spi_write_then_read(spi, reg, reg_size, val, val_size); ++ addr |= 0x80; /* bit7 = RW = '1' */ ++ ++ return spi_write_then_read(spi, &addr, 1, val, val_size); + } + + static struct regmap_bus bme680_regmap_bus = { +@@ -45,8 +110,8 @@ static struct regmap_bus bme680_regmap_bus = { + static int bme680_spi_probe(struct spi_device *spi) + { + const struct spi_device_id *id = spi_get_device_id(spi); ++ struct bme680_spi_bus_context *bus_context; + struct regmap *regmap; +- unsigned int val; + int ret; + + spi->bits_per_word = 8; +@@ -56,45 +121,21 @@ static int bme680_spi_probe(struct spi_device *spi) + return ret; + } + ++ bus_context = devm_kzalloc(&spi->dev, sizeof(*bus_context), GFP_KERNEL); ++ if (!bus_context) ++ return -ENOMEM; ++ ++ bus_context->spi = spi; ++ bus_context->current_page = 0xff; /* Undefined on warm boot */ ++ + regmap = devm_regmap_init(&spi->dev, &bme680_regmap_bus, +- &spi->dev, &bme680_regmap_config); ++ bus_context, &bme680_regmap_config); + if (IS_ERR(regmap)) { + dev_err(&spi->dev, "Failed to register spi regmap %d\n", + (int)PTR_ERR(regmap)); + return PTR_ERR(regmap); + } + +- ret = regmap_write(regmap, BME680_REG_SOFT_RESET_SPI, +- BME680_CMD_SOFTRESET); +- if (ret < 0) { +- dev_err(&spi->dev, "Failed to reset chip\n"); +- return ret; +- } +- +- /* after power-on reset, Page 0(0x80-0xFF) of spi_mem_page is active */ +- ret = regmap_read(regmap, BME680_REG_CHIP_SPI_ID, &val); +- if (ret < 0) { +- dev_err(&spi->dev, "Error reading SPI chip ID\n"); +- return ret; +- } +- +- if (val != BME680_CHIP_ID_VAL) { +- dev_err(&spi->dev, "Wrong chip ID, got %x expected %x\n", +- val, BME680_CHIP_ID_VAL); +- return -ENODEV; +- } +- /* +- * select Page 1 of spi_mem_page to enable access to +- * to registers from address 0x00 to 0x7F. +- */ +- ret = regmap_write_bits(regmap, BME680_REG_STATUS, +- BME680_SPI_MEM_PAGE_BIT, +- BME680_SPI_MEM_PAGE_1_VAL); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to set page 1 of spi_mem_page\n"); +- return ret; +- } +- + return bme680_core_probe(&spi->dev, regmap, id->name); + } + +diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c +index 89cb0066a6e0..8d76afb87d87 100644 +--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c ++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c +@@ -103,9 +103,10 @@ static int cros_ec_sensors_read(struct iio_dev *indio_dev, + * Do not use IIO_DEGREE_TO_RAD to avoid precision + * loss. Round to the nearest integer. + */ +- *val = div_s64(val64 * 314159 + 9000000ULL, 1000); +- *val2 = 18000 << (CROS_EC_SENSOR_BITS - 1); +- ret = IIO_VAL_FRACTIONAL; ++ *val = 0; ++ *val2 = div_s64(val64 * 3141592653ULL, ++ 180 << (CROS_EC_SENSOR_BITS - 1)); ++ ret = IIO_VAL_INT_PLUS_NANO; + break; + case MOTIONSENSE_TYPE_MAG: + /* +diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c +index 6d71fd905e29..c701a45469f6 100644 +--- a/drivers/iio/dac/mcp4725.c ++++ b/drivers/iio/dac/mcp4725.c +@@ -92,6 +92,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev, + + inoutbuf[0] = 0x60; /* write EEPROM */ + inoutbuf[0] |= data->ref_mode << 3; ++ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0; + inoutbuf[1] = data->dac_value >> 4; + inoutbuf[2] = (data->dac_value & 0xf) << 4; + +diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c +index 63ca31628a93..92c07ab826eb 100644 +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -582,11 +582,10 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return bmg160_get_filter(data, val); + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -594,6 +593,7 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } +diff --git a/drivers/iio/gyro/mpu3050-core.c b/drivers/iio/gyro/mpu3050-core.c +index 77fac81a3adc..5ddebede31a6 100644 +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -29,7 +29,8 @@ + + #include "mpu3050.h" + +-#define MPU3050_CHIP_ID 0x69 ++#define MPU3050_CHIP_ID 0x68 ++#define MPU3050_CHIP_ID_MASK 0x7E + + /* + * Register map: anything suffixed *_H is a big-endian high byte and always +@@ -1176,8 +1177,9 @@ int mpu3050_common_probe(struct device *dev, + goto err_power_down; + } + +- if (val != MPU3050_CHIP_ID) { +- dev_err(dev, "unsupported chip id %02x\n", (u8)val); ++ if ((val & MPU3050_CHIP_ID_MASK) != MPU3050_CHIP_ID) { ++ dev_err(dev, "unsupported chip id %02x\n", ++ (u8)(val & MPU3050_CHIP_ID_MASK)); + ret = -ENODEV; + goto err_power_down; + } +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c +index cd5bfe39591b..dadd921a4a30 100644 +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -320,9 +320,8 @@ static int iio_scan_mask_set(struct iio_dev *indio_dev, + const unsigned long *mask; + unsigned long *trialmask; + +- trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), +- sizeof(*trialmask), +- GFP_KERNEL); ++ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength), ++ sizeof(*trialmask), GFP_KERNEL); + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index 4f5cd9f60870..5b65750ce775 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1738,10 +1738,10 @@ EXPORT_SYMBOL(__iio_device_register); + **/ + void iio_device_unregister(struct iio_dev *indio_dev) + { +- mutex_lock(&indio_dev->info_exist_lock); +- + cdev_device_del(&indio_dev->chrdev, &indio_dev->dev); + ++ mutex_lock(&indio_dev->info_exist_lock); ++ + iio_device_unregister_debugfs(indio_dev); + + iio_disable_all_buffers(indio_dev); +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c +index 5f366838b7ff..e2a4570a47e8 100644 +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -992,6 +992,8 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile) + * will only be one mm, so no big deal. + */ + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto skip_mm; + mutex_lock(&ufile->umap_lock); + list_for_each_entry_safe (priv, next_priv, &ufile->umaps, + list) { +@@ -1006,6 +1008,7 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile) + vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE); + } + mutex_unlock(&ufile->umap_lock); ++ skip_mm: + up_write(&mm->mmap_sem); + mmput(mm); + } +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 628ef617bb2f..f9525d6f0bfe 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1339,21 +1339,46 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0600", 0 }, + { "ELAN0601", 0 }, + { "ELAN0602", 0 }, ++ { "ELAN0603", 0 }, ++ { "ELAN0604", 0 }, + { "ELAN0605", 0 }, ++ { "ELAN0606", 0 }, ++ { "ELAN0607", 0 }, + { "ELAN0608", 0 }, + { "ELAN0609", 0 }, + { "ELAN060B", 0 }, + { "ELAN060C", 0 }, ++ { "ELAN060F", 0 }, ++ { "ELAN0610", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0615", 0 }, ++ { "ELAN0616", 0 }, + { "ELAN0617", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN0619", 0 }, ++ { "ELAN061A", 0 }, ++ { "ELAN061B", 0 }, + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, + { "ELAN061E", 0 }, ++ { "ELAN061F", 0 }, + { "ELAN0620", 0 }, + { "ELAN0621", 0 }, + { "ELAN0622", 0 }, ++ { "ELAN0623", 0 }, ++ { "ELAN0624", 0 }, ++ { "ELAN0625", 0 }, ++ { "ELAN0626", 0 }, ++ { "ELAN0627", 0 }, ++ { "ELAN0628", 0 }, ++ { "ELAN0629", 0 }, ++ { "ELAN062A", 0 }, ++ { "ELAN062B", 0 }, ++ { "ELAN062C", 0 }, ++ { "ELAN062D", 0 }, ++ { "ELAN0631", 0 }, ++ { "ELAN0632", 0 }, + { "ELAN1000", 0 }, + { } + }; +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 537c90c8eb0a..f89fc6ea6078 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3214,8 +3214,12 @@ static int bond_netdev_event(struct notifier_block *this, + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index d4ee9f9c8c34..36263c77df46 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -32,6 +32,13 @@ + #define DRV_NAME "nicvf" + #define DRV_VERSION "1.0" + ++/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs ++ * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed ++ * this value, keeping headroom for the 14 byte Ethernet header and two ++ * VLAN tags (for QinQ) ++ */ ++#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2) ++ + /* Supported devices */ + static const struct pci_device_id nicvf_id_table[] = { + { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM, +@@ -1582,6 +1589,15 @@ static int nicvf_change_mtu(struct net_device *netdev, int new_mtu) + struct nicvf *nic = netdev_priv(netdev); + int orig_mtu = netdev->mtu; + ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) { ++ netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", ++ netdev->mtu); ++ return -EINVAL; ++ } ++ + netdev->mtu = new_mtu; + + if (!netif_running(netdev)) +@@ -1830,8 +1846,10 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog) + bool bpf_attached = false; + int ret = 0; + +- /* For now just support only the usual MTU sized frames */ +- if (prog && (dev->mtu > 1500)) { ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (prog && dev->mtu > MAX_XDP_MTU) { + netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", + dev->mtu); + return -EOPNOTSUPP; +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 697c2427f2b7..a96ad20ee484 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1840,13 +1840,9 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + int ret; + + if (enable) { +- ret = clk_prepare_enable(fep->clk_ahb); +- if (ret) +- return ret; +- + ret = clk_prepare_enable(fep->clk_enet_out); + if (ret) +- goto failed_clk_enet_out; ++ return ret; + + if (fep->clk_ptp) { + mutex_lock(&fep->ptp_clk_mutex); +@@ -1866,7 +1862,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + + phy_reset_after_clk_enable(ndev->phydev); + } else { +- clk_disable_unprepare(fep->clk_ahb); + clk_disable_unprepare(fep->clk_enet_out); + if (fep->clk_ptp) { + mutex_lock(&fep->ptp_clk_mutex); +@@ -1885,8 +1880,6 @@ failed_clk_ref: + failed_clk_ptp: + if (fep->clk_enet_out) + clk_disable_unprepare(fep->clk_enet_out); +-failed_clk_enet_out: +- clk_disable_unprepare(fep->clk_ahb); + + return ret; + } +@@ -3470,6 +3463,9 @@ fec_probe(struct platform_device *pdev) + ret = clk_prepare_enable(fep->clk_ipg); + if (ret) + goto failed_clk_ipg; ++ ret = clk_prepare_enable(fep->clk_ahb); ++ if (ret) ++ goto failed_clk_ahb; + + fep->reg_phy = devm_regulator_get_optional(&pdev->dev, "phy"); + if (!IS_ERR(fep->reg_phy)) { +@@ -3563,6 +3559,9 @@ failed_reset: + pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + failed_regulator: ++ clk_disable_unprepare(fep->clk_ahb); ++failed_clk_ahb: ++ clk_disable_unprepare(fep->clk_ipg); + failed_clk_ipg: + fec_enet_clk_enable(ndev, false); + failed_clk: +@@ -3686,6 +3685,7 @@ static int __maybe_unused fec_runtime_suspend(struct device *dev) + struct net_device *ndev = dev_get_drvdata(dev); + struct fec_enet_private *fep = netdev_priv(ndev); + ++ clk_disable_unprepare(fep->clk_ahb); + clk_disable_unprepare(fep->clk_ipg); + + return 0; +@@ -3695,8 +3695,20 @@ static int __maybe_unused fec_runtime_resume(struct device *dev) + { + struct net_device *ndev = dev_get_drvdata(dev); + struct fec_enet_private *fep = netdev_priv(ndev); ++ int ret; + +- return clk_prepare_enable(fep->clk_ipg); ++ ret = clk_prepare_enable(fep->clk_ahb); ++ if (ret) ++ return ret; ++ ret = clk_prepare_enable(fep->clk_ipg); ++ if (ret) ++ goto failed_clk_ipg; ++ ++ return 0; ++ ++failed_clk_ipg: ++ clk_disable_unprepare(fep->clk_ahb); ++ return ret; + } + + static const struct dev_pm_ops fec_pm_ops = { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index f3c7ab6faea5..b8521e2f64ac 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -39,6 +39,10 @@ static int get_route_and_out_devs(struct mlx5e_priv *priv, + return -EOPNOTSUPP; + } + ++ if (!(mlx5e_eswitch_rep(*out_dev) && ++ mlx5e_is_uplink_rep(netdev_priv(*out_dev)))) ++ return -EOPNOTSUPP; ++ + return 0; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index e6099f51d25f..3b9e5f0d0212 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1665,7 +1665,8 @@ static int set_pflag_rx_no_csum_complete(struct net_device *netdev, bool enable) + struct mlx5e_channel *c; + int i; + +- if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) ++ if (!test_bit(MLX5E_STATE_OPENED, &priv->state) || ++ priv->channels.params.xdp_prog) + return 0; + + for (i = 0; i < channels->num; i++) { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 93e50ccd44c3..0cb19e4dd439 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -950,7 +950,11 @@ static int mlx5e_open_rq(struct mlx5e_channel *c, + if (params->rx_dim_enabled) + __set_bit(MLX5E_RQ_STATE_AM, &c->rq.state); + +- if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE)) ++ /* We disable csum_complete when XDP is enabled since ++ * XDP programs might manipulate packets which will render ++ * skb->checksum incorrect. ++ */ ++ if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE) || c->xdp) + __set_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &c->rq.state); + + return 0; +@@ -4570,7 +4574,7 @@ void mlx5e_build_rss_params(struct mlx5e_rss_params *rss_params, + { + enum mlx5e_traffic_types tt; + +- rss_params->hfunc = ETH_RSS_HASH_XOR; ++ rss_params->hfunc = ETH_RSS_HASH_TOP; + netdev_rss_key_fill(rss_params->toeplitz_hash_key, + sizeof(rss_params->toeplitz_hash_key)); + mlx5e_build_default_indir_rqt(rss_params->indirection_rqt, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index f86e4804e83e..2cbda8abd8b9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -693,7 +693,14 @@ static inline bool is_last_ethertype_ip(struct sk_buff *skb, int *network_depth, + { + *proto = ((struct ethhdr *)skb->data)->h_proto; + *proto = __vlan_get_protocol(skb, *proto, network_depth); +- return (*proto == htons(ETH_P_IP) || *proto == htons(ETH_P_IPV6)); ++ ++ if (*proto == htons(ETH_P_IP)) ++ return pskb_may_pull(skb, *network_depth + sizeof(struct iphdr)); ++ ++ if (*proto == htons(ETH_P_IPV6)) ++ return pskb_may_pull(skb, *network_depth + sizeof(struct ipv6hdr)); ++ ++ return false; + } + + static inline void mlx5e_enable_ecn(struct mlx5e_rq *rq, struct sk_buff *skb) +@@ -713,17 +720,6 @@ static inline void mlx5e_enable_ecn(struct mlx5e_rq *rq, struct sk_buff *skb) + rq->stats->ecn_mark += !!rc; + } + +-static u32 mlx5e_get_fcs(const struct sk_buff *skb) +-{ +- const void *fcs_bytes; +- u32 _fcs_bytes; +- +- fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN, +- ETH_FCS_LEN, &_fcs_bytes); +- +- return __get_unaligned_cpu32(fcs_bytes); +-} +- + static u8 get_ip_proto(struct sk_buff *skb, int network_depth, __be16 proto) + { + void *ip_p = skb->data + network_depth; +@@ -734,6 +730,68 @@ static u8 get_ip_proto(struct sk_buff *skb, int network_depth, __be16 proto) + + #define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN) + ++#define MAX_PADDING 8 ++ ++static void ++tail_padding_csum_slow(struct sk_buff *skb, int offset, int len, ++ struct mlx5e_rq_stats *stats) ++{ ++ stats->csum_complete_tail_slow++; ++ skb->csum = csum_block_add(skb->csum, ++ skb_checksum(skb, offset, len, 0), ++ offset); ++} ++ ++static void ++tail_padding_csum(struct sk_buff *skb, int offset, ++ struct mlx5e_rq_stats *stats) ++{ ++ u8 tail_padding[MAX_PADDING]; ++ int len = skb->len - offset; ++ void *tail; ++ ++ if (unlikely(len > MAX_PADDING)) { ++ tail_padding_csum_slow(skb, offset, len, stats); ++ return; ++ } ++ ++ tail = skb_header_pointer(skb, offset, len, tail_padding); ++ if (unlikely(!tail)) { ++ tail_padding_csum_slow(skb, offset, len, stats); ++ return; ++ } ++ ++ stats->csum_complete_tail++; ++ skb->csum = csum_block_add(skb->csum, csum_partial(tail, len, 0), offset); ++} ++ ++static void ++mlx5e_skb_padding_csum(struct sk_buff *skb, int network_depth, __be16 proto, ++ struct mlx5e_rq_stats *stats) ++{ ++ struct ipv6hdr *ip6; ++ struct iphdr *ip4; ++ int pkt_len; ++ ++ switch (proto) { ++ case htons(ETH_P_IP): ++ ip4 = (struct iphdr *)(skb->data + network_depth); ++ pkt_len = network_depth + ntohs(ip4->tot_len); ++ break; ++ case htons(ETH_P_IPV6): ++ ip6 = (struct ipv6hdr *)(skb->data + network_depth); ++ pkt_len = network_depth + sizeof(*ip6) + ntohs(ip6->payload_len); ++ break; ++ default: ++ return; ++ } ++ ++ if (likely(pkt_len >= skb->len)) ++ return; ++ ++ tail_padding_csum(skb, pkt_len, stats); ++} ++ + static inline void mlx5e_handle_csum(struct net_device *netdev, + struct mlx5_cqe64 *cqe, + struct mlx5e_rq *rq, +@@ -753,7 +811,8 @@ static inline void mlx5e_handle_csum(struct net_device *netdev, + return; + } + +- if (unlikely(test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state))) ++ /* True when explicitly set via priv flag, or XDP prog is loaded */ ++ if (test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state)) + goto csum_unnecessary; + + /* CQE csum doesn't cover padding octets in short ethernet +@@ -781,18 +840,15 @@ static inline void mlx5e_handle_csum(struct net_device *netdev, + skb->csum = csum_partial(skb->data + ETH_HLEN, + network_depth - ETH_HLEN, + skb->csum); +- if (unlikely(netdev->features & NETIF_F_RXFCS)) +- skb->csum = csum_block_add(skb->csum, +- (__force __wsum)mlx5e_get_fcs(skb), +- skb->len - ETH_FCS_LEN); ++ ++ mlx5e_skb_padding_csum(skb, network_depth, proto, stats); + stats->csum_complete++; + return; + } + + csum_unnecessary: + if (likely((cqe->hds_ip_ext & CQE_L3_OK) && +- ((cqe->hds_ip_ext & CQE_L4_OK) || +- (get_cqe_l4_hdr_type(cqe) == CQE_L4_HDR_TYPE_NONE)))) { ++ (cqe->hds_ip_ext & CQE_L4_OK))) { + skb->ip_summed = CHECKSUM_UNNECESSARY; + if (cqe_is_tunneled(cqe)) { + skb->csum_level = 1; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +index d3fe48ff9da9..4461b44acafc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +@@ -59,6 +59,8 @@ static const struct counter_desc sw_stats_desc[] = { + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary) }, + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_none) }, + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete) }, ++ { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail) }, ++ { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail_slow) }, + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary_inner) }, + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_drop) }, + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_redirect) }, +@@ -151,6 +153,8 @@ void mlx5e_grp_sw_update_stats(struct mlx5e_priv *priv) + s->rx_removed_vlan_packets += rq_stats->removed_vlan_packets; + s->rx_csum_none += rq_stats->csum_none; + s->rx_csum_complete += rq_stats->csum_complete; ++ s->rx_csum_complete_tail += rq_stats->csum_complete_tail; ++ s->rx_csum_complete_tail_slow += rq_stats->csum_complete_tail_slow; + s->rx_csum_unnecessary += rq_stats->csum_unnecessary; + s->rx_csum_unnecessary_inner += rq_stats->csum_unnecessary_inner; + s->rx_xdp_drop += rq_stats->xdp_drop; +@@ -1192,6 +1196,8 @@ static const struct counter_desc rq_stats_desc[] = { + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, packets) }, + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, bytes) }, + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete) }, ++ { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail) }, ++ { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail_slow) }, + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary) }, + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary_inner) }, + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_none) }, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +index fe91ec06e3c7..714303bf0797 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +@@ -71,6 +71,8 @@ struct mlx5e_sw_stats { + u64 rx_csum_unnecessary; + u64 rx_csum_none; + u64 rx_csum_complete; ++ u64 rx_csum_complete_tail; ++ u64 rx_csum_complete_tail_slow; + u64 rx_csum_unnecessary_inner; + u64 rx_xdp_drop; + u64 rx_xdp_redirect; +@@ -181,6 +183,8 @@ struct mlx5e_rq_stats { + u64 packets; + u64 bytes; + u64 csum_complete; ++ u64 csum_complete_tail; ++ u64 csum_complete_tail_slow; + u64 csum_unnecessary; + u64 csum_unnecessary_inner; + u64 csum_none; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +index 8de64e88c670..22a2ef111514 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(struct idr *idr, spinlock_t *idr_spinlock, + return ret; + } + +-static void mlx5_fpga_tls_release_swid(struct idr *idr, +- spinlock_t *idr_spinlock, u32 swid) ++static void *mlx5_fpga_tls_release_swid(struct idr *idr, ++ spinlock_t *idr_spinlock, u32 swid) + { + unsigned long flags; ++ void *ptr; + + spin_lock_irqsave(idr_spinlock, flags); +- idr_remove(idr, swid); ++ ptr = idr_remove(idr, swid); + spin_unlock_irqrestore(idr_spinlock, flags); ++ return ptr; + } + + static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, +@@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, + kfree(buf); + } + +-struct mlx5_teardown_stream_context { +- struct mlx5_fpga_tls_command_context cmd; +- u32 swid; +-}; +- + static void + mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, + struct mlx5_fpga_device *fdev, + struct mlx5_fpga_tls_command_context *cmd, + struct mlx5_fpga_dma_buf *resp) + { +- struct mlx5_teardown_stream_context *ctx = +- container_of(cmd, struct mlx5_teardown_stream_context, cmd); +- + if (resp) { + u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome); + +@@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, + mlx5_fpga_err(fdev, + "Teardown stream failed with syndrome = %d", + syndrome); +- else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx)) +- mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr, +- &fdev->tls->tx_idr_spinlock, +- ctx->swid); +- else +- mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr, +- &fdev->tls->rx_idr_spinlock, +- ctx->swid); + } + mlx5_fpga_tls_put_command_ctx(cmd); + } +@@ -217,22 +203,22 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, + void *cmd; + int ret; + +- rcu_read_lock(); +- flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); +- rcu_read_unlock(); +- +- if (!flow) { +- WARN_ONCE(1, "Received NULL pointer for handle\n"); +- return -EINVAL; +- } +- + buf = kzalloc(size, GFP_ATOMIC); + if (!buf) + return -ENOMEM; + + cmd = (buf + 1); + ++ rcu_read_lock(); ++ flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); ++ if (unlikely(!flow)) { ++ rcu_read_unlock(); ++ WARN_ONCE(1, "Received NULL pointer for handle\n"); ++ kfree(buf); ++ return -EINVAL; ++ } + mlx5_fpga_tls_flow_to_cmd(flow, cmd); ++ rcu_read_unlock(); + + MLX5_SET(tls_cmd, cmd, swid, ntohl(handle)); + MLX5_SET64(tls_cmd, cmd, tls_rcd_sn, be64_to_cpu(rcd_sn)); +@@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, + static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + void *flow, u32 swid, gfp_t flags) + { +- struct mlx5_teardown_stream_context *ctx; ++ struct mlx5_fpga_tls_command_context *ctx; + struct mlx5_fpga_dma_buf *buf; + void *cmd; + +@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + if (!ctx) + return; + +- buf = &ctx->cmd.buf; ++ buf = &ctx->buf; + cmd = (ctx + 1); + MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM); + MLX5_SET(tls_cmd, cmd, swid, swid); +@@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + buf->sg[0].data = cmd; + buf->sg[0].size = MLX5_TLS_COMMAND_SIZE; + +- ctx->swid = swid; +- mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd, ++ mlx5_fpga_tls_cmd_send(mdev->fpga, ctx, + mlx5_fpga_tls_teardown_completion); + } + +@@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid, + struct mlx5_fpga_tls *tls = mdev->fpga->tls; + void *flow; + +- rcu_read_lock(); + if (direction_sx) +- flow = idr_find(&tls->tx_idr, swid); ++ flow = mlx5_fpga_tls_release_swid(&tls->tx_idr, ++ &tls->tx_idr_spinlock, ++ swid); + else +- flow = idr_find(&tls->rx_idr, swid); +- +- rcu_read_unlock(); ++ flow = mlx5_fpga_tls_release_swid(&tls->rx_idr, ++ &tls->rx_idr_spinlock, ++ swid); + + if (!flow) { + mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n", +@@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid, + return; + } + ++ synchronize_rcu(); /* before kfree(flow) */ + mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags); + } + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index ddedf8ab5b64..fc643fde5a4a 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -568,7 +568,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core) + if (!(mlxsw_core->bus->features & MLXSW_BUS_F_TXRX)) + return 0; + +- emad_wq = alloc_workqueue("mlxsw_core_emad", WQ_MEM_RECLAIM, 0); ++ emad_wq = alloc_workqueue("mlxsw_core_emad", 0, 0); + if (!emad_wq) + return -ENOMEM; + mlxsw_core->emad_wq = emad_wq; +@@ -1912,10 +1912,10 @@ static int __init mlxsw_core_module_init(void) + { + int err; + +- mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0); ++ mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, 0, 0); + if (!mlxsw_wq) + return -ENOMEM; +- mlxsw_owq = alloc_ordered_workqueue("%s_ordered", WQ_MEM_RECLAIM, ++ mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0, + mlxsw_core_driver_name); + if (!mlxsw_owq) { + err = -ENOMEM; +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +index 98e5ffd71b91..2f6afbfd689f 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -6745,7 +6745,7 @@ static int mlxsw_sp_router_port_check_rif_addr(struct mlxsw_sp *mlxsw_sp, + /* A RIF is not created for macvlan netdevs. Their MAC is used to + * populate the FDB + */ +- if (netif_is_macvlan(dev)) ++ if (netif_is_macvlan(dev) || netif_is_l3_master(dev)) + return 0; + + for (i = 0; i < MLXSW_CORE_RES_GET(mlxsw_sp->core, MAX_RIFS); i++) { +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +index c772109b638d..f5a10e286400 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -1654,7 +1654,7 @@ static int mlxsw_sp_port_mdb_add(struct mlxsw_sp_port *mlxsw_sp_port, + u16 fid_index; + int err = 0; + +- if (switchdev_trans_ph_prepare(trans)) ++ if (switchdev_trans_ph_commit(trans)) + return 0; + + bridge_port = mlxsw_sp_bridge_port_find(mlxsw_sp->bridge, orig_dev); +diff --git a/drivers/net/ethernet/netronome/nfp/flower/action.c b/drivers/net/ethernet/netronome/nfp/flower/action.c +index 8d54b36afee8..2bbc5b8f92c2 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/action.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/action.c +@@ -49,8 +49,7 @@ nfp_fl_push_vlan(struct nfp_fl_push_vlan *push_vlan, + + tmp_push_vlan_tci = + FIELD_PREP(NFP_FL_PUSH_VLAN_PRIO, tcf_vlan_push_prio(action)) | +- FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)) | +- NFP_FL_PUSH_VLAN_CFI; ++ FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)); + push_vlan->vlan_tci = cpu_to_be16(tmp_push_vlan_tci); + } + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h +index 15f41cfef9f1..ab07d76b4186 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h ++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h +@@ -26,7 +26,7 @@ + #define NFP_FLOWER_LAYER2_GENEVE_OP BIT(6) + + #define NFP_FLOWER_MASK_VLAN_PRIO GENMASK(15, 13) +-#define NFP_FLOWER_MASK_VLAN_CFI BIT(12) ++#define NFP_FLOWER_MASK_VLAN_PRESENT BIT(12) + #define NFP_FLOWER_MASK_VLAN_VID GENMASK(11, 0) + + #define NFP_FLOWER_MASK_MPLS_LB GENMASK(31, 12) +@@ -82,7 +82,6 @@ + #define NFP_FL_OUT_FLAGS_TYPE_IDX GENMASK(2, 0) + + #define NFP_FL_PUSH_VLAN_PRIO GENMASK(15, 13) +-#define NFP_FL_PUSH_VLAN_CFI BIT(12) + #define NFP_FL_PUSH_VLAN_VID GENMASK(11, 0) + + #define IPV6_FLOW_LABEL_MASK cpu_to_be32(0x000fffff) +diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c b/drivers/net/ethernet/netronome/nfp/flower/match.c +index cdf75595f627..571cc8ced33e 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/match.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/match.c +@@ -26,14 +26,12 @@ nfp_flower_compile_meta_tci(struct nfp_flower_meta_tci *frame, + FLOW_DISSECTOR_KEY_VLAN, + target); + /* Populate the tci field. */ +- if (flow_vlan->vlan_id || flow_vlan->vlan_priority) { +- tmp_tci = FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO, +- flow_vlan->vlan_priority) | +- FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID, +- flow_vlan->vlan_id) | +- NFP_FLOWER_MASK_VLAN_CFI; +- frame->tci = cpu_to_be16(tmp_tci); +- } ++ tmp_tci = NFP_FLOWER_MASK_VLAN_PRESENT; ++ tmp_tci |= FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO, ++ flow_vlan->vlan_priority) | ++ FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID, ++ flow_vlan->vlan_id); ++ frame->tci = cpu_to_be16(tmp_tci); + } + } + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 6ce3f666d142..1283632091d5 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1247,6 +1247,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + goto err_option_port_add; + } + ++ /* set promiscuity level to new slave */ ++ if (dev->flags & IFF_PROMISC) { ++ err = dev_set_promiscuity(port_dev, 1); ++ if (err) ++ goto err_set_slave_promisc; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (dev->flags & IFF_ALLMULTI) { ++ err = dev_set_allmulti(port_dev, 1); ++ if (err) { ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ goto err_set_slave_promisc; ++ } ++ } ++ + netif_addr_lock_bh(dev); + dev_uc_sync_multiple(port_dev, dev); + dev_mc_sync_multiple(port_dev, dev); +@@ -1263,6 +1280,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + + return 0; + ++err_set_slave_promisc: ++ __team_option_inst_del_port(team, port); ++ + err_option_port_add: + team_upper_dev_unlink(team, port); + +@@ -1308,6 +1328,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev) + + team_port_disable(team, port); + list_del_rcu(&port->list); ++ ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ if (dev->flags & IFF_ALLMULTI) ++ dev_set_allmulti(port_dev, -1); ++ + team_upper_dev_unlink(team, port); + netdev_rx_handler_unregister(port_dev); + team_port_disable_netpoll(port); +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +index 7c9dfa54fee8..9678322aca60 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +@@ -421,7 +421,6 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev, + return; + + rcu_read_lock(); +- mt76_tx_status_lock(mdev, &list); + + if (stat->wcid < ARRAY_SIZE(dev->mt76.wcid)) + wcid = rcu_dereference(dev->mt76.wcid[stat->wcid]); +@@ -434,6 +433,8 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev, + drv_priv); + } + ++ mt76_tx_status_lock(mdev, &list); ++ + if (wcid) { + if (stat->pktid) + status.skb = mt76_tx_status_skb_get(mdev, wcid, +@@ -453,7 +454,9 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev, + if (*update == 0 && stat_val == stat_cache && + stat->wcid == msta->status.wcid && msta->n_frames < 32) { + msta->n_frames++; +- goto out; ++ mt76_tx_status_unlock(mdev, &list); ++ rcu_read_unlock(); ++ return; + } + + mt76x02_mac_fill_tx_status(dev, status.info, &msta->status, +@@ -469,11 +472,10 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev, + + if (status.skb) + mt76_tx_status_skb_done(mdev, status.skb, &list); +- else +- ieee80211_tx_status_ext(mt76_hw(dev), &status); +- +-out: + mt76_tx_status_unlock(mdev, &list); ++ ++ if (!status.skb) ++ ieee80211_tx_status_ext(mt76_hw(dev), &status); + rcu_read_unlock(); + } + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00.h b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +index 4b1744e9fb78..50b92ca92bd7 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +@@ -673,7 +673,6 @@ enum rt2x00_state_flags { + CONFIG_CHANNEL_HT40, + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, +- CONFIG_QOS_DISABLED, + CONFIG_MONITORING, + + /* +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +index 2825560e2424..e8462f25d252 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -642,18 +642,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + rt2x00dev->intf_associated--; + + rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); +- +- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); + } + +- /* +- * Check for access point which do not support 802.11e . We have to +- * generate data frames sequence number in S/W for such AP, because +- * of H/W bug. +- */ +- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) +- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); +- + /* + * When the erp information has changed, we should perform + * additional configuration steps. For all other changes we are done. +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +index 92ddc19e7bf7..4834b4eb0206 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, + if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) { + /* + * rt2800 has a H/W (or F/W) bug, device incorrectly increase +- * seqno on retransmited data (non-QOS) frames. To workaround +- * the problem let's generate seqno in software if QOS is +- * disabled. ++ * seqno on retransmitted data (non-QOS) and management frames. ++ * To workaround the problem let's generate seqno in software. ++ * Except for beacons which are transmitted periodically by H/W ++ * hence hardware has to assign seqno for them. + */ +- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) +- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); +- else ++ if (ieee80211_is_beacon(hdr->frame_control)) { ++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + /* H/W will generate sequence number */ + return; ++ } ++ ++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + } + + /* +diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c +index dfba4921b265..5bf61431434b 100644 +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -2162,7 +2162,6 @@ static void fc_rport_recv_logo_req(struct fc_lport *lport, struct fc_frame *fp) + FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n", + fc_rport_state(rdata)); + +- rdata->flags &= ~FC_RP_STARTED; + fc_rport_enter_delete(rdata, RPORT_EV_STOP); + mutex_unlock(&rdata->rp_mutex); + kref_put(&rdata->kref, fc_rport_destroy); +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 655ad26106e4..5c78710b713f 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1763,8 +1763,12 @@ out_put_budget: + ret = BLK_STS_DEV_RESOURCE; + break; + default: ++ if (unlikely(!scsi_device_online(sdev))) ++ scsi_req(req)->result = DID_NO_CONNECT << 16; ++ else ++ scsi_req(req)->result = DID_ERROR << 16; + /* +- * Make sure to release all allocated ressources when ++ * Make sure to release all allocated resources when + * we hit an error, as we will never see this command + * again. + */ +diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c +index 808ed92ed66f..1bb1cb651349 100644 +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -463,10 +463,8 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -518,6 +516,9 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -526,9 +527,6 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; +diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c +index 6234b649d887..65dc6c51037e 100644 +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -682,10 +682,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev) + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -800,6 +798,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -808,8 +808,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) +diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c +index acdbc07fd259..2fc8bc22b57b 100644 +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -109,10 +109,10 @@ + #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */ + #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */ + +-#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */ +-#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */ +-#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */ +-#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */ ++#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */ ++#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */ ++#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */ ++#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */ + #define AD7193_CH_TEMP 0x100 /* Temp senseor */ + #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */ + #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */ +diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c +index 029c3bf42d4d..07774c000c5a 100644 +--- a/drivers/staging/iio/meter/ade7854.c ++++ b/drivers/staging/iio/meter/ade7854.c +@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(0644, + static IIO_DEV_ATTR_IPEAK(0644, + ade7854_read_32bit, + ade7854_write_32bit, +- ADE7854_VPEAK); ++ ADE7854_IPEAK); + static IIO_DEV_ATTR_APHCAL(0644, + ade7854_read_16bit, + ade7854_write_16bit, +diff --git a/drivers/staging/most/core.c b/drivers/staging/most/core.c +index 18936cdb1083..956daf8c3bd2 100644 +--- a/drivers/staging/most/core.c ++++ b/drivers/staging/most/core.c +@@ -1431,7 +1431,7 @@ int most_register_interface(struct most_interface *iface) + + INIT_LIST_HEAD(&iface->p->channel_list); + iface->p->dev_id = id; +- snprintf(iface->p->name, STRING_SIZE, "mdev%d", id); ++ strcpy(iface->p->name, iface->description); + iface->dev.init_name = iface->p->name; + iface->dev.bus = &mc.bus; + iface->dev.parent = &mc.dev; +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 93bd90f1ff14..e9a8b79ba77e 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2497,14 +2497,16 @@ done: + * center of the last stop bit in sampling clocks. + */ + int last_stop = bits * 2 - 1; +- int deviation = min_err * srr * last_stop / 2 / baud; ++ int deviation = DIV_ROUND_CLOSEST(min_err * last_stop * ++ (int)(srr + 1), ++ 2 * (int)baud); + + if (abs(deviation) >= 2) { + /* At least two sampling clocks off at the + * last stop bit; we can increase the error + * margin by shifting the sampling point. + */ +- int shift = min(-8, max(7, deviation / 2)); ++ int shift = clamp(deviation / 2, -8, 7); + + hssrr |= (shift << HSCIF_SRHP_SHIFT) & + HSCIF_SRHP_MASK; +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 9646ff63e77a..b6621a2e916d 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1518,7 +1518,8 @@ static void csi_J(struct vc_data *vc, int vpar) + return; + } + scr_memsetw(start, vc->vc_video_erase_char, 2 * count); +- update_region(vc, (unsigned long) start, count); ++ if (con_should_update(vc)) ++ do_update_region(vc, (unsigned long) start, count); + vc->vc_need_wrap = 0; + } + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index a2e5dc7716e2..674cfc5a4084 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -911,8 +911,12 @@ static int vhost_new_umem_range(struct vhost_umem *umem, + u64 start, u64 size, u64 end, + u64 userspace_addr, int perm) + { +- struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC); ++ struct vhost_umem_node *tmp, *node; + ++ if (!size) ++ return -EFAULT; ++ ++ node = kmalloc(sizeof(*node), GFP_ATOMIC); + if (!node) + return -ENOMEM; + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 6c934ab3722b..10ead04346ee 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1303,6 +1303,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file) + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1824,6 +1825,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; + #endif /* CONFIG_CIFS_ACL */ + + void cifs_oplock_break(struct work_struct *work); ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 8d107587208f..7c05353b766c 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -360,12 +360,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file) + return cifs_file; + } + +-/* +- * Release a reference on the file private data. This may involve closing +- * the filehandle out on the server. Must be called without holding +- * tcon->open_file_lock and cifs_file->file_info_lock. ++/** ++ * cifsFileInfo_put - release a reference of file priv data ++ * ++ * Always potentially wait for oplock handler. See _cifsFileInfo_put(). + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) ++{ ++ _cifsFileInfo_put(cifs_file, true); ++} ++ ++/** ++ * _cifsFileInfo_put - release a reference of file priv data ++ * ++ * This may involve closing the filehandle @cifs_file out on the ++ * server. Must be called without holding tcon->open_file_lock and ++ * cifs_file->file_info_lock. ++ * ++ * If @wait_for_oplock_handler is true and we are releasing the last ++ * reference, wait for any running oplock break handler of the file ++ * and cancel any pending one. If calling this function from the ++ * oplock break handler, you need to pass false. ++ * ++ */ ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) + { + struct inode *inode = d_inode(cifs_file->dentry); + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); +@@ -414,7 +432,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + + spin_unlock(&tcon->open_file_lock); + +- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break); ++ oplock_break_cancelled = wait_oplock_handler ? ++ cancel_work_sync(&cifs_file->oplock_break) : false; + + if (!tcon->need_reconnect && !cifs_file->invalidHandle) { + struct TCP_Server_Info *server = tcon->ses->server; +@@ -4480,6 +4499,7 @@ void cifs_oplock_break(struct work_struct *work) + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */); + cifs_done_oplock_break(cinode); + } + +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index bee203055b30..1e1626a2cfc3 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -501,8 +501,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &pCifsInode->flags); + +- queue_work(cifsoplockd_wq, +- &netfile->oplock_break); ++ cifs_queue_oplock_break(netfile); + netfile->oplock_break_cancelled = false; + + spin_unlock(&tcon->open_file_lock); +@@ -607,6 +606,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode) + spin_unlock(&cinode->writers_lock); + } + ++/** ++ * cifs_queue_oplock_break - queue the oplock break handler for cfile ++ * ++ * This function is called from the demultiplex thread when it ++ * receives an oplock break for @cfile. ++ * ++ * Assumes the tcon->open_file_lock is held. ++ * Assumes cfile->file_info_lock is NOT held. ++ */ ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile) ++{ ++ /* ++ * Bump the handle refcount now while we hold the ++ * open_file_lock to enforce the validity of it for the oplock ++ * break handler. The matching put is done at the end of the ++ * handler. ++ */ ++ cifsFileInfo_get(cfile); ++ ++ queue_work(cifsoplockd_wq, &cfile->oplock_break); ++} ++ + void cifs_done_oplock_break(struct cifsInodeInfo *cinode) + { + clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 58700d2ba8cd..0a7ed2e3ad4f 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -555,7 +555,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + +- queue_work(cifsoplockd_wq, &cfile->oplock_break); ++ cifs_queue_oplock_break(cfile); + kfree(lw); + return true; + } +@@ -719,8 +719,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + spin_unlock(&cfile->file_info_lock); +- queue_work(cifsoplockd_wq, +- &cfile->oplock_break); ++ ++ cifs_queue_oplock_break(cfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index ea56b1cdbdde..d5434ac0571b 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2210,6 +2210,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, + + rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov, + &resp_buftype); ++ if (!rc) ++ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + if (!rc || !err_iov.iov_base) { + rc = -ENOENT; + goto free_path; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 068febe37fe4..938e75cc3b66 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -815,8 +815,11 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) + } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { + /* ops set to 3.0 by default for default so update */ + ses->server->ops = &smb21_operations; +- } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) ++ ses->server->vals = &smb21_values; ++ } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { + ses->server->ops = &smb311_operations; ++ ses->server->vals = &smb311_values; ++ } + } else if (le16_to_cpu(rsp->DialectRevision) != + ses->server->vals->protocol_id) { + /* if requested single dialect ensure returned dialect matched */ +@@ -3387,8 +3390,6 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + rqst.rq_nvec = 1; + + rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov); +- cifs_small_buf_release(req); +- + rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; + + if (rc) { +@@ -3407,6 +3408,8 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + io_parms->tcon->tid, ses->Suid, + io_parms->offset, io_parms->length); + ++ cifs_small_buf_release(req); ++ + *nbytes = le32_to_cpu(rsp->DataLength); + if ((*nbytes > CIFS_MAX_MSGSIZE) || + (*nbytes > io_parms->length)) { +@@ -3705,7 +3708,6 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms, + + rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst, + &resp_buftype, flags, &rsp_iov); +- cifs_small_buf_release(req); + rsp = (struct smb2_write_rsp *)rsp_iov.iov_base; + + if (rc) { +@@ -3723,6 +3725,7 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms, + io_parms->offset, *nbytes); + } + ++ cifs_small_buf_release(req); + free_rsp_buf(resp_buftype, rsp); + return rc; + } +diff --git a/fs/dax.c b/fs/dax.c +index 05cca2214ae3..827ee143413e 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -33,6 +33,7 @@ + #include <linux/sizes.h> + #include <linux/mmu_notifier.h> + #include <linux/iomap.h> ++#include <asm/pgalloc.h> + #include "internal.h" + + #define CREATE_TRACE_POINTS +@@ -1409,7 +1410,9 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf, + { + struct address_space *mapping = vmf->vma->vm_file->f_mapping; + unsigned long pmd_addr = vmf->address & PMD_MASK; ++ struct vm_area_struct *vma = vmf->vma; + struct inode *inode = mapping->host; ++ pgtable_t pgtable = NULL; + struct page *zero_page; + spinlock_t *ptl; + pmd_t pmd_entry; +@@ -1424,12 +1427,22 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf, + *entry = dax_insert_entry(xas, mapping, vmf, *entry, pfn, + DAX_PMD | DAX_ZERO_PAGE, false); + ++ if (arch_needs_pgtable_deposit()) { ++ pgtable = pte_alloc_one(vma->vm_mm); ++ if (!pgtable) ++ return VM_FAULT_OOM; ++ } ++ + ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd); + if (!pmd_none(*(vmf->pmd))) { + spin_unlock(ptl); + goto fallback; + } + ++ if (pgtable) { ++ pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable); ++ mm_inc_nr_ptes(vma->vm_mm); ++ } + pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot); + pmd_entry = pmd_mkhuge(pmd_entry); + set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry); +@@ -1438,6 +1451,8 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf, + return VM_FAULT_NOPAGE; + + fallback: ++ if (pgtable) ++ pte_free(vma->vm_mm, pgtable); + trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry); + return VM_FAULT_FALLBACK; + } +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 85b0ef890b28..91bd2ff0c62c 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1141,6 +1141,24 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf, + count = -EINTR; + goto out_mm; + } ++ /* ++ * Avoid to modify vma->vm_flags ++ * without locked ops while the ++ * coredump reads the vm_flags. ++ */ ++ if (!mmget_still_valid(mm)) { ++ /* ++ * Silently return "count" ++ * like if get_task_mm() ++ * failed. FIXME: should this ++ * function have returned ++ * -ESRCH if get_task_mm() ++ * failed like if ++ * get_proc_task() fails? ++ */ ++ up_write(&mm->mmap_sem); ++ goto out_mm; ++ } + for (vma = mm->mmap; vma; vma = vma->vm_next) { + vma->vm_flags &= ~VM_SOFTDIRTY; + vma_set_page_prot(vma); +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index 89800fc7dc9d..f5de1e726356 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -629,6 +629,8 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx, + + /* the various vma->vm_userfaultfd_ctx still points to it */ + down_write(&mm->mmap_sem); ++ /* no task can run (and in turn coredump) yet */ ++ VM_WARN_ON(!mmget_still_valid(mm)); + for (vma = mm->mmap; vma; vma = vma->vm_next) + if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) { + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; +@@ -883,6 +885,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + * taking the mmap_sem for writing. + */ + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto skip_mm; + prev = NULL; + for (vma = mm->mmap; vma; vma = vma->vm_next) { + cond_resched(); +@@ -905,6 +909,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + vma->vm_flags = new_flags; + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; + } ++skip_mm: + up_write(&mm->mmap_sem); + mmput(mm); + wakeup: +@@ -1333,6 +1338,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +@@ -1520,6 +1527,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h +index e07e91daaacc..72ff78c33033 100644 +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -173,6 +173,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 848b54b7ec91..7df56decae37 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1484,6 +1484,7 @@ struct net_device_ops { + * @IFF_FAILOVER: device is a failover master device + * @IFF_FAILOVER_SLAVE: device is lower dev of a failover master device + * @IFF_L3MDEV_RX_HANDLER: only invoke the rx handler of L3 master device ++ * @IFF_LIVE_RENAME_OK: rename is allowed while device is up and running + */ + enum netdev_priv_flags { + IFF_802_1Q_VLAN = 1<<0, +@@ -1516,6 +1517,7 @@ enum netdev_priv_flags { + IFF_FAILOVER = 1<<27, + IFF_FAILOVER_SLAVE = 1<<28, + IFF_L3MDEV_RX_HANDLER = 1<<29, ++ IFF_LIVE_RENAME_OK = 1<<30, + }; + + #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN +@@ -1547,6 +1549,7 @@ enum netdev_priv_flags { + #define IFF_FAILOVER IFF_FAILOVER + #define IFF_FAILOVER_SLAVE IFF_FAILOVER_SLAVE + #define IFF_L3MDEV_RX_HANDLER IFF_L3MDEV_RX_HANDLER ++#define IFF_LIVE_RENAME_OK IFF_LIVE_RENAME_OK + + /** + * struct net_device - The DEVICE structure. +diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h +index 3bfa6a0cbba4..c1dbb737a36c 100644 +--- a/include/linux/sched/mm.h ++++ b/include/linux/sched/mm.h +@@ -49,6 +49,27 @@ static inline void mmdrop(struct mm_struct *mm) + __mmdrop(mm); + } + ++/* ++ * This has to be called after a get_task_mm()/mmget_not_zero() ++ * followed by taking the mmap_sem for writing before modifying the ++ * vmas or anything the coredump pretends not to change from under it. ++ * ++ * NOTE: find_extend_vma() called from GUP context is the only place ++ * that can modify the "mm" (notably the vm_start/end) under mmap_sem ++ * for reading and outside the context of the process, so it is also ++ * the only case that holds the mmap_sem for reading that must call ++ * this function. Generally if the mmap_sem is hold for reading ++ * there's no need of this check after get_task_mm()/mmget_not_zero(). ++ * ++ * This function can be obsoleted and the check can be removed, after ++ * the coredump code will hold the mmap_sem for writing before ++ * invoking the ->core_dump methods. ++ */ ++static inline bool mmget_still_valid(struct mm_struct *mm) ++{ ++ return likely(!mm->core_state); ++} ++ + /** + * mmget() - Pin the address space associated with a &struct mm_struct. + * @mm: The address space to pin. +diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h +index 87499b6b35d6..df5c69db68af 100644 +--- a/include/net/nfc/nci_core.h ++++ b/include/net/nfc/nci_core.h +@@ -166,7 +166,7 @@ struct nci_conn_info { + * According to specification 102 622 chapter 4.4 Pipes, + * the pipe identifier is 7 bits long. + */ +-#define NCI_HCI_MAX_PIPES 127 ++#define NCI_HCI_MAX_PIPES 128 + + struct nci_hci_gate { + u8 gate; +diff --git a/include/net/tls.h b/include/net/tls.h +index 1486b60c4de8..8b3d10917d99 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -289,6 +289,7 @@ int tls_device_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); + int tls_device_sendpage(struct sock *sk, struct page *page, + int offset, size_t size, int flags); + void tls_device_sk_destruct(struct sock *sk); ++void tls_device_free_resources_tx(struct sock *sk); + void tls_device_init(void); + void tls_device_cleanup(void); + int tls_tx_records(struct sock *sk, int flags); +@@ -312,6 +313,7 @@ int tls_push_sg(struct sock *sk, struct tls_context *ctx, + int flags); + int tls_push_partial_record(struct sock *sk, struct tls_context *ctx, + int flags); ++bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx); + + int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx, + int flags, long *timeo); +@@ -364,7 +366,7 @@ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev, + static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk) + { + #ifdef CONFIG_SOCK_VALIDATE_XMIT +- return sk_fullsock(sk) & ++ return sk_fullsock(sk) && + (smp_load_acquire(&sk->sk_validate_xmit_skb) == + &tls_validate_xmit_skb); + #else +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 878c62ec0190..dbd7656b4f73 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -456,24 +456,21 @@ void perf_aux_output_end(struct perf_output_handle *handle, unsigned long size) + rb->aux_head += size; + } + +- if (size || handle->aux_flags) { +- /* +- * Only send RECORD_AUX if we have something useful to communicate +- * +- * Note: the OVERWRITE records by themselves are not considered +- * useful, as they don't communicate any *new* information, +- * aside from the short-lived offset, that becomes history at +- * the next event sched-in and therefore isn't useful. +- * The userspace that needs to copy out AUX data in overwrite +- * mode should know to use user_page::aux_head for the actual +- * offset. So, from now on we don't output AUX records that +- * have *only* OVERWRITE flag set. +- */ +- +- if (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE) +- perf_event_aux_event(handle->event, aux_head, size, +- handle->aux_flags); +- } ++ /* ++ * Only send RECORD_AUX if we have something useful to communicate ++ * ++ * Note: the OVERWRITE records by themselves are not considered ++ * useful, as they don't communicate any *new* information, ++ * aside from the short-lived offset, that becomes history at ++ * the next event sched-in and therefore isn't useful. ++ * The userspace that needs to copy out AUX data in overwrite ++ * mode should know to use user_page::aux_head for the actual ++ * offset. So, from now on we don't output AUX records that ++ * have *only* OVERWRITE flag set. ++ */ ++ if (size || (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE)) ++ perf_event_aux_event(handle->event, aux_head, size, ++ handle->aux_flags); + + rb->user_page->aux_head = rb->aux_head; + if (rb_need_aux_wakeup(rb)) +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index f4ddfdd2d07e..de78d1b998f8 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -709,7 +709,6 @@ static void unoptimize_kprobe(struct kprobe *p, bool force) + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + /* + * Unused kprobe MUST be on the way of delayed unoptimizing (means +@@ -720,9 +719,8 @@ static int reuse_unused_kprobe(struct kprobe *ap) + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 5e61a1a99e38..eeb605656d59 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4859,12 +4859,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer) + return HRTIMER_NORESTART; + } + ++extern const u64 max_cfs_quota_period; ++ + static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + { + struct cfs_bandwidth *cfs_b = + container_of(timer, struct cfs_bandwidth, period_timer); + int overrun; + int idle = 0; ++ int count = 0; + + raw_spin_lock(&cfs_b->lock); + for (;;) { +@@ -4872,6 +4875,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + if (!overrun) + break; + ++ if (++count > 3) { ++ u64 new, old = ktime_to_ns(cfs_b->period); ++ ++ new = (old * 147) / 128; /* ~115% */ ++ new = min(new, max_cfs_quota_period); ++ ++ cfs_b->period = ns_to_ktime(new); ++ ++ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ ++ cfs_b->quota *= new; ++ cfs_b->quota = div64_u64(cfs_b->quota, old); ++ ++ pr_warn_ratelimited( ++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", ++ smp_processor_id(), ++ div_u64(new, NSEC_PER_USEC), ++ div_u64(cfs_b->quota, NSEC_PER_USEC)); ++ ++ /* reset count so we don't come right back in here */ ++ count = 0; ++ } ++ + idle = do_sched_cfs_period_timer(cfs_b, overrun); + } + if (idle) +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 28ec71d914c7..f50f1471c119 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -126,6 +126,7 @@ static int zero; + static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; ++static unsigned long zero_ul; + static unsigned long one_ul = 1; + static unsigned long long_max = LONG_MAX; + static int one_hundred = 100; +@@ -1723,7 +1724,7 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, +- .extra1 = &zero, ++ .extra1 = &zero_ul, + .extra2 = &long_max, + }, + { +diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c +index 094b82ca95e5..930113b9799a 100644 +--- a/kernel/time/sched_clock.c ++++ b/kernel/time/sched_clock.c +@@ -272,7 +272,7 @@ static u64 notrace suspended_sched_clock_read(void) + return cd.read_data[seq & 1].epoch_cyc; + } + +-static int sched_clock_suspend(void) ++int sched_clock_suspend(void) + { + struct clock_read_data *rd = &cd.read_data[0]; + +@@ -283,7 +283,7 @@ static int sched_clock_suspend(void) + return 0; + } + +-static void sched_clock_resume(void) ++void sched_clock_resume(void) + { + struct clock_read_data *rd = &cd.read_data[0]; + +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 529143b4c8d2..df401463a191 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -487,6 +487,7 @@ void tick_freeze(void) + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), true); + system_state = SYSTEM_SUSPEND; ++ sched_clock_suspend(); + timekeeping_suspend(); + } else { + tick_suspend_local(); +@@ -510,6 +511,7 @@ void tick_unfreeze(void) + + if (tick_freeze_depth == num_online_cpus()) { + timekeeping_resume(); ++ sched_clock_resume(); + system_state = SYSTEM_RUNNING; + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), false); +diff --git a/kernel/time/timekeeping.h b/kernel/time/timekeeping.h +index 7a9b4eb7a1d5..141ab3ab0354 100644 +--- a/kernel/time/timekeeping.h ++++ b/kernel/time/timekeeping.h +@@ -14,6 +14,13 @@ extern u64 timekeeping_max_deferment(void); + extern void timekeeping_warp_clock(void); + extern int timekeeping_suspend(void); + extern void timekeeping_resume(void); ++#ifdef CONFIG_GENERIC_SCHED_CLOCK ++extern int sched_clock_suspend(void); ++extern void sched_clock_resume(void); ++#else ++static inline int sched_clock_suspend(void) { return 0; } ++static inline void sched_clock_resume(void) { } ++#endif + + extern void do_timer(unsigned long ticks); + extern void update_wall_time(void); +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index aac7847c0214..f546ae5102e0 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -33,6 +33,7 @@ + #include <linux/list.h> + #include <linux/hash.h> + #include <linux/rcupdate.h> ++#include <linux/kprobes.h> + + #include <trace/events/sched.h> + +@@ -6216,7 +6217,7 @@ void ftrace_reset_array_ops(struct trace_array *tr) + tr->ops->func = ftrace_stub; + } + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -6276,11 +6277,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -6307,6 +6310,7 @@ static void ftrace_ops_assist_func(unsigned long ip, unsigned long parent_ip, + preempt_enable_notrace(); + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_assist_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call +diff --git a/mm/mmap.c b/mm/mmap.c +index fc1809b1bed6..da9236a5022e 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -45,6 +45,7 @@ + #include <linux/moduleparam.h> + #include <linux/pkeys.h> + #include <linux/oom.h> ++#include <linux/sched/mm.h> + + #include <linux/uaccess.h> + #include <asm/cacheflush.h> +@@ -2526,7 +2527,8 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) + vma = find_vma_prev(mm, addr, &prev); + if (vma && (vma->vm_start <= addr)) + return vma; +- if (!prev || expand_stack(prev, addr)) ++ /* don't alter vm_end if the coredump is running */ ++ if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr)) + return NULL; + if (prev->vm_flags & VM_LOCKED) + populate_vma_page_range(prev, addr, prev->vm_end, NULL); +@@ -2552,6 +2554,9 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) + return vma; + if (!(vma->vm_flags & VM_GROWSDOWN)) + return NULL; ++ /* don't alter vm_start if the coredump is running */ ++ if (!mmget_still_valid(mm)) ++ return NULL; + start = vma->vm_start; + if (expand_stack(vma, addr)) + return NULL; +diff --git a/mm/percpu.c b/mm/percpu.c +index db86282fd024..59bd6a51954c 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -2531,8 +2531,8 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, + ai->groups[group].base_offset = areas[group] - base; + } + +- pr_info("Embedded %zu pages/cpu @%p s%zu r%zu d%zu u%zu\n", +- PFN_DOWN(size_sum), base, ai->static_size, ai->reserved_size, ++ pr_info("Embedded %zu pages/cpu s%zu r%zu d%zu u%zu\n", ++ PFN_DOWN(size_sum), ai->static_size, ai->reserved_size, + ai->dyn_size, ai->unit_size); + + rc = pcpu_setup_first_chunk(ai, base); +@@ -2653,8 +2653,8 @@ int __init pcpu_page_first_chunk(size_t reserved_size, + } + + /* we're ready, commit */ +- pr_info("%d %s pages/cpu @%p s%zu r%zu d%zu\n", +- unit_pages, psize_str, vm.addr, ai->static_size, ++ pr_info("%d %s pages/cpu s%zu r%zu d%zu\n", ++ unit_pages, psize_str, ai->static_size, + ai->reserved_size, ai->dyn_size); + + rc = pcpu_setup_first_chunk(ai, vm.addr); +diff --git a/mm/vmstat.c b/mm/vmstat.c +index 83b30edc2f7f..f807f2e3b4cb 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1274,13 +1274,8 @@ const char * const vmstat_text[] = { + #endif + #endif /* CONFIG_MEMORY_BALLOON */ + #ifdef CONFIG_DEBUG_TLBFLUSH +-#ifdef CONFIG_SMP + "nr_tlb_remote_flush", + "nr_tlb_remote_flush_received", +-#else +- "", /* nr_tlb_remote_flush */ +- "", /* nr_tlb_remote_flush_received */ +-#endif /* CONFIG_SMP */ + "nr_tlb_local_flush_all", + "nr_tlb_local_flush_one", + #endif /* CONFIG_DEBUG_TLBFLUSH */ +diff --git a/net/atm/lec.c b/net/atm/lec.c +index d7f5cf5b7594..ad4f829193f0 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 5ea7e56119c1..ba303ee99b9b 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -197,13 +197,10 @@ static void __br_handle_local_finish(struct sk_buff *skb) + /* note: already called with rcu_read_lock */ + static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- struct net_bridge_port *p = br_port_get_rcu(skb->dev); +- + __br_handle_local_finish(skb); + +- BR_INPUT_SKB_CB(skb)->brdev = p->br->dev; +- br_pass_frame_up(skb); +- return 0; ++ /* return 1 to signal the okfn() was called so it's ok to use the skb */ ++ return 1; + } + + /* +@@ -280,10 +277,18 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + goto forward; + } + +- /* Deliver packet to local host only */ +- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev), +- NULL, skb, skb->dev, NULL, br_handle_local_finish); +- return RX_HANDLER_CONSUMED; ++ /* The else clause should be hit when nf_hook(): ++ * - returns < 0 (drop/error) ++ * - returns = 0 (stolen/nf_queue) ++ * Thus return 1 from the okfn() to signal the skb is ok to pass ++ */ ++ if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, ++ dev_net(skb->dev), NULL, skb, skb->dev, NULL, ++ br_handle_local_finish) == 1) { ++ return RX_HANDLER_PASS; ++ } else { ++ return RX_HANDLER_CONSUMED; ++ } + } + + forward: +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index e4777614a8a0..61ff0d497da6 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1916,7 +1916,8 @@ static void br_multicast_start_querier(struct net_bridge *br, + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -1928,6 +1929,7 @@ static void br_multicast_start_querier(struct net_bridge *br, + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index 9c07591b0232..7104cf13da84 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -1441,7 +1441,7 @@ static int br_fill_info(struct sk_buff *skb, const struct net_device *brdev) + nla_put_u8(skb, IFLA_BR_VLAN_STATS_ENABLED, + br_opt_get(br, BROPT_VLAN_STATS_ENABLED)) || + nla_put_u8(skb, IFLA_BR_VLAN_STATS_PER_PORT, +- br_opt_get(br, IFLA_BR_VLAN_STATS_PER_PORT))) ++ br_opt_get(br, BROPT_VLAN_STATS_PER_PORT))) + return -EMSGSIZE; + #endif + #ifdef CONFIG_BRIDGE_IGMP_SNOOPING +diff --git a/net/core/dev.c b/net/core/dev.c +index 12824e007e06..7277dd393c00 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1184,7 +1184,21 @@ int dev_change_name(struct net_device *dev, const char *newname) + BUG_ON(!dev_net(dev)); + + net = dev_net(dev); +- if (dev->flags & IFF_UP) ++ ++ /* Some auto-enslaved devices e.g. failover slaves are ++ * special, as userspace might rename the device after ++ * the interface had been brought up and running since ++ * the point kernel initiated auto-enslavement. Allow ++ * live name change even when these slave devices are ++ * up and running. ++ * ++ * Typically, users of these auto-enslaving devices ++ * don't actually care about slave name change, as ++ * they are supposed to operate on master interface ++ * directly. ++ */ ++ if (dev->flags & IFF_UP && ++ likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK))) + return -EBUSY; + + write_seqcount_begin(&devnet_rename_seq); +diff --git a/net/core/failover.c b/net/core/failover.c +index 4a92a98ccce9..b5cd3c727285 100644 +--- a/net/core/failover.c ++++ b/net/core/failover.c +@@ -80,14 +80,14 @@ static int failover_slave_register(struct net_device *slave_dev) + goto err_upper_link; + } + +- slave_dev->priv_flags |= IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags |= (IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + + if (fops && fops->slave_register && + !fops->slave_register(slave_dev, failover_dev)) + return NOTIFY_OK; + + netdev_upper_dev_unlink(slave_dev, failover_dev); +- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + err_upper_link: + netdev_rx_handler_unregister(slave_dev); + done: +@@ -121,7 +121,7 @@ int failover_slave_unregister(struct net_device *slave_dev) + + netdev_rx_handler_unregister(slave_dev); + netdev_upper_dev_unlink(slave_dev, failover_dev); +- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + + if (fops && fops->slave_unregister && + !fops->slave_unregister(slave_dev, failover_dev)) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index ef2cd5712098..40796b8bf820 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -5083,7 +5083,8 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len); + + static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + { +- int mac_len; ++ int mac_len, meta_len; ++ void *meta; + + if (skb_cow(skb, skb_headroom(skb)) < 0) { + kfree_skb(skb); +@@ -5095,6 +5096,13 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), + mac_len - VLAN_HLEN - ETH_TLEN); + } ++ ++ meta_len = skb_metadata_len(skb); ++ if (meta_len) { ++ meta = skb_metadata_end(skb) - meta_len; ++ memmove(meta + VLAN_HLEN, meta, meta_len); ++ } ++ + skb->mac_header += VLAN_HLEN; + return skb; + } +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index 79e98e21cdd7..12ce6c526d72 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -121,6 +121,7 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -212,13 +213,14 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index e04cdb58a602..25d9bef27d03 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1185,9 +1185,23 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + + static void ipv4_link_failure(struct sk_buff *skb) + { ++ struct ip_options opt; + struct rtable *rt; ++ int res; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) ++ return; ++ ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 7b1ef897b398..95b2e31fff08 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -402,11 +402,12 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb) + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -419,8 +420,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + } +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 0086acc16f3c..b6a97115a906 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2336,6 +2336,10 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + + rcu_read_lock(); + from = rcu_dereference(rt6->from); ++ if (!from) { ++ rcu_read_unlock(); ++ return; ++ } + nrt6 = ip6_rt_cache_alloc(from, daddr, saddr); + if (nrt6) { + rt6_do_update_pmtu(nrt6, mtu); +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 3e0d5922a440..a9c1d6e3cdae 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1166,6 +1166,9 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index ddfc52ac1f9b..c0d323b58e73 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe, + create_info = (struct nci_hci_create_pipe_resp *)skb->data; + dest_gate = create_info->dest_gate; + new_pipe = create_info->pipe; ++ if (new_pipe >= NCI_HCI_MAX_PIPES) { ++ status = NCI_HCI_ANY_E_NOK; ++ goto exit; ++ } + + /* Save the new created pipe and bind with local gate, + * the description for skb->data[3] is destination gate id +@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe, + goto exit; + } + delete_info = (struct nci_hci_delete_pipe_noti *)skb->data; ++ if (delete_info->pipe >= NCI_HCI_MAX_PIPES) { ++ status = NCI_HCI_ANY_E_NOK; ++ goto exit; ++ } + + ndev->hci_dev->pipes[delete_info->pipe].gate = + NCI_HCI_INVALID_GATE; +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 73940293700d..7b5ce1343474 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1508,32 +1508,29 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free) + return idx + (tin << 16); + } + +-static void cake_wash_diffserv(struct sk_buff *skb) +-{ +- switch (skb->protocol) { +- case htons(ETH_P_IP): +- ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0); +- break; +- case htons(ETH_P_IPV6): +- ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0); +- break; +- default: +- break; +- } +-} +- + static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash) + { ++ int wlen = skb_network_offset(skb); + u8 dscp; + +- switch (skb->protocol) { ++ switch (tc_skb_protocol(skb)) { + case htons(ETH_P_IP): ++ wlen += sizeof(struct iphdr); ++ if (!pskb_may_pull(skb, wlen) || ++ skb_try_make_writable(skb, wlen)) ++ return 0; ++ + dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2; + if (wash && dscp) + ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0); + return dscp; + + case htons(ETH_P_IPV6): ++ wlen += sizeof(struct ipv6hdr); ++ if (!pskb_may_pull(skb, wlen) || ++ skb_try_make_writable(skb, wlen)) ++ return 0; ++ + dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2; + if (wash && dscp) + ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0); +@@ -1553,25 +1550,27 @@ static struct cake_tin_data *cake_select_tin(struct Qdisc *sch, + { + struct cake_sched_data *q = qdisc_priv(sch); + u32 tin; ++ u8 dscp; ++ ++ /* Tin selection: Default to diffserv-based selection, allow overriding ++ * using firewall marks or skb->priority. ++ */ ++ dscp = cake_handle_diffserv(skb, ++ q->rate_flags & CAKE_FLAG_WASH); + +- if (TC_H_MAJ(skb->priority) == sch->handle && +- TC_H_MIN(skb->priority) > 0 && +- TC_H_MIN(skb->priority) <= q->tin_cnt) { ++ if (q->tin_mode == CAKE_DIFFSERV_BESTEFFORT) ++ tin = 0; ++ ++ else if (TC_H_MAJ(skb->priority) == sch->handle && ++ TC_H_MIN(skb->priority) > 0 && ++ TC_H_MIN(skb->priority) <= q->tin_cnt) + tin = q->tin_order[TC_H_MIN(skb->priority) - 1]; + +- if (q->rate_flags & CAKE_FLAG_WASH) +- cake_wash_diffserv(skb); +- } else if (q->tin_mode != CAKE_DIFFSERV_BESTEFFORT) { +- /* extract the Diffserv Precedence field, if it exists */ +- /* and clear DSCP bits if washing */ +- tin = q->tin_index[cake_handle_diffserv(skb, +- q->rate_flags & CAKE_FLAG_WASH)]; ++ else { ++ tin = q->tin_index[dscp]; ++ + if (unlikely(tin >= q->tin_cnt)) + tin = 0; +- } else { +- tin = 0; +- if (q->rate_flags & CAKE_FLAG_WASH) +- cake_wash_diffserv(skb); + } + + return &q->tins[tin]; +diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c +index da1a676860ca..0f4e42792878 100644 +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t *desc, struct sk_buff *orig_skb, + /* We are going to append to the frags_list of head. + * Need to unshare the frag_list. + */ +- if (skb_has_frag_list(head)) { +- err = skb_unclone(head, GFP_ATOMIC); +- if (err) { +- STRP_STATS_INCR(strp->stats.mem_fail); +- desc->error = err; +- return 0; +- } ++ err = skb_unclone(head, GFP_ATOMIC); ++ if (err) { ++ STRP_STATS_INCR(strp->stats.mem_fail); ++ desc->error = err; ++ return 0; + } + + if (unlikely(skb_shinfo(head)->frag_list)) { +diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c +index bff241f03525..89993afe0fbd 100644 +--- a/net/tipc/name_table.c ++++ b/net/tipc/name_table.c +@@ -909,7 +909,8 @@ static int tipc_nl_service_list(struct net *net, struct tipc_nl_msg *msg, + for (; i < TIPC_NAMETBL_SIZE; i++) { + head = &tn->nametbl->services[i]; + +- if (*last_type) { ++ if (*last_type || ++ (!i && *last_key && (*last_lower == *last_key))) { + service = tipc_service_find(net, *last_type); + if (!service) + return -EPIPE; +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index d753e362d2d9..4b5ff3d44912 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -52,8 +52,11 @@ static DEFINE_SPINLOCK(tls_device_lock); + + static void tls_device_free_ctx(struct tls_context *ctx) + { +- if (ctx->tx_conf == TLS_HW) ++ if (ctx->tx_conf == TLS_HW) { + kfree(tls_offload_ctx_tx(ctx)); ++ kfree(ctx->tx.rec_seq); ++ kfree(ctx->tx.iv); ++ } + + if (ctx->rx_conf == TLS_HW) + kfree(tls_offload_ctx_rx(ctx)); +@@ -216,6 +219,13 @@ void tls_device_sk_destruct(struct sock *sk) + } + EXPORT_SYMBOL(tls_device_sk_destruct); + ++void tls_device_free_resources_tx(struct sock *sk) ++{ ++ struct tls_context *tls_ctx = tls_get_ctx(sk); ++ ++ tls_free_partial_record(sk, tls_ctx); ++} ++ + static void tls_append_frag(struct tls_record_info *record, + struct page_frag *pfrag, + int size) +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 78cb4a584080..96dbac91ac6e 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -220,6 +220,26 @@ int tls_push_pending_closed_record(struct sock *sk, + return tls_ctx->push_pending_record(sk, flags); + } + ++bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx) ++{ ++ struct scatterlist *sg; ++ ++ sg = ctx->partially_sent_record; ++ if (!sg) ++ return false; ++ ++ while (1) { ++ put_page(sg_page(sg)); ++ sk_mem_uncharge(sk, sg->length); ++ ++ if (sg_is_last(sg)) ++ break; ++ sg++; ++ } ++ ctx->partially_sent_record = NULL; ++ return true; ++} ++ + static void tls_write_space(struct sock *sk) + { + struct tls_context *ctx = tls_get_ctx(sk); +@@ -278,6 +298,10 @@ static void tls_sk_proto_close(struct sock *sk, long timeout) + kfree(ctx->tx.rec_seq); + kfree(ctx->tx.iv); + tls_sw_free_resources_tx(sk); ++#ifdef CONFIG_TLS_DEVICE ++ } else if (ctx->tx_conf == TLS_HW) { ++ tls_device_free_resources_tx(sk); ++#endif + } + + if (ctx->rx_conf == TLS_SW) { +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index bf5b54b513bc..d2d4f7c0d4be 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1804,20 +1804,7 @@ void tls_sw_free_resources_tx(struct sock *sk) + /* Free up un-sent records in tx_list. First, free + * the partially sent record if any at head of tx_list. + */ +- if (tls_ctx->partially_sent_record) { +- struct scatterlist *sg = tls_ctx->partially_sent_record; +- +- while (1) { +- put_page(sg_page(sg)); +- sk_mem_uncharge(sk, sg->length); +- +- if (sg_is_last(sg)) +- break; +- sg++; +- } +- +- tls_ctx->partially_sent_record = NULL; +- ++ if (tls_free_partial_record(sk, tls_ctx)) { + rec = list_first_entry(&ctx->tx_list, + struct tls_rec, list); + list_del(&rec->list); +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index cd97929fac66..dc28914fa72e 100644 +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -560,7 +560,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root, + devcg->behavior == DEVCG_DEFAULT_ALLOW) { + rc = dev_exception_add(devcg, ex); + if (rc) +- break; ++ return rc; + } else { + /* + * in the other possible cases: +diff --git a/sound/core/info.c b/sound/core/info.c +index fe502bc5e6d2..679136fba730 100644 +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, struct snd_info_entry *parent) + INIT_LIST_HEAD(&entry->children); + INIT_LIST_HEAD(&entry->list); + entry->parent = parent; +- if (parent) ++ if (parent) { ++ mutex_lock(&parent->access); + list_add_tail(&entry->list, &parent->children); ++ mutex_unlock(&parent->access); ++ } + return entry; + } + +@@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info_entry * entry) + list_for_each_entry_safe(p, n, &entry->children, list) + snd_info_free_entry(p); + +- list_del(&entry->list); ++ p = entry->parent; ++ if (p) { ++ mutex_lock(&p->access); ++ list_del(&entry->list); ++ mutex_unlock(&p->access); ++ } + kfree(entry->name); + if (entry->private_free) + entry->private_free(entry); +diff --git a/sound/core/init.c b/sound/core/init.c +index 4849c611c0fe..16b7cc7aa66b 100644 +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -407,14 +407,7 @@ int snd_card_disconnect(struct snd_card *card) + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -430,7 +423,7 @@ int snd_card_disconnect(struct snd_card *card) + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -446,6 +439,13 @@ int snd_card_disconnect(struct snd_card *card) + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 84fae0df59e9..f061167062bc 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7247,6 +7247,8 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x14, 0x90170150}, + {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE, + {0x14, 0x90170110}, + {0x21, 0x02211020}), +@@ -7357,6 +7359,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC256_STANDARD_PINS), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x14, 0x90170110}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC, + {0x14, 0x90170110}, + {0x1b, 0x90a70130},
