diff --git a/config/kernel/linux-sunxi64-edge.config b/config/kernel/linux-sunxi64-edge.config index cfa4932052..7ab8e156ef 100644 --- a/config/kernel/linux-sunxi64-edge.config +++ b/config/kernel/linux-sunxi64-edge.config @@ -2422,7 +2422,6 @@ CONFIG_MICREL_PHY=m CONFIG_MICROCHIP_PHY=m CONFIG_MICROCHIP_T1_PHY=m # CONFIG_MICROSEMI_PHY is not set -CONFIG_MOTORCOMM_PHY=m CONFIG_NATIONAL_PHY=m # CONFIG_NXP_TJA11XX_PHY is not set CONFIG_AT803X_PHY=m diff --git a/patch/kernel/archive/odroidxu4-5.4/patch-5.4.128-129.patch b/patch/kernel/archive/odroidxu4-5.4/patch-5.4.128-129.patch new file mode 100644 index 0000000000..ff82b9fd04 --- /dev/null +++ b/patch/kernel/archive/odroidxu4-5.4/patch-5.4.128-129.patch @@ -0,0 +1,2952 @@ +diff --git a/Makefile b/Makefile +index 5db87d8031f1e..802520ad08cca 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 4 +-SUBLEVEL = 128 ++SUBLEVEL = 129 + EXTRAVERSION = + NAME = Kleptomaniac Octopus + +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c +index 924285d0bccd9..43d6a6085d862 100644 +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -544,9 +544,11 @@ void notrace cpu_init(void) + * In Thumb-2, msr with an immediate value is not allowed. + */ + #ifdef CONFIG_THUMB2_KERNEL +-#define PLC "r" ++#define PLC_l "l" ++#define PLC_r "r" + #else +-#define PLC "I" ++#define PLC_l "I" ++#define PLC_r "I" + #endif + + /* +@@ -568,15 +570,15 @@ void notrace cpu_init(void) + "msr cpsr_c, %9" + : + : "r" (stk), +- PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), + "I" (offsetof(struct stack, irq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE), + "I" (offsetof(struct stack, abt[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE), + "I" (offsetof(struct stack, und[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), + "I" (offsetof(struct stack, fiq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE) ++ PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE) + : "r14"); + #endif + } +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index cd8f3cdabfd07..d227cf87c48f3 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -10,7 +10,7 @@ + # + # Copyright (C) 1995-2001 by Russell King + +-LDFLAGS_vmlinux :=--no-undefined -X -z norelro ++LDFLAGS_vmlinux :=--no-undefined -X + CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET) + GZFLAGS :=-9 + +@@ -82,17 +82,21 @@ CHECKFLAGS += -D__AARCH64EB__ + AS += -EB + # Prefer the baremetal ELF build target, but not all toolchains include + # it so fall back to the standard linux version if needed. +-KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb) ++KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb -z norelro) + UTS_MACHINE := aarch64_be + else + KBUILD_CPPFLAGS += -mlittle-endian + CHECKFLAGS += -D__AARCH64EL__ + AS += -EL + # Same as above, prefer ELF but fall back to linux target if needed. +-KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux) ++KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux -z norelro) + UTS_MACHINE := aarch64 + endif + ++ifeq ($(CONFIG_LD_IS_LLD), y) ++KBUILD_LDFLAGS += -z norelro ++endif ++ + CHECKFLAGS += -D__aarch64__ + + ifeq ($(CONFIG_ARM64_MODULE_PLTS),y) +diff --git a/arch/mips/generic/board-boston.its.S b/arch/mips/generic/board-boston.its.S +index a7f51f97b9102..c45ad27594218 100644 +--- a/arch/mips/generic/board-boston.its.S ++++ b/arch/mips/generic/board-boston.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@boston { ++ fdt-boston { + description = "img,boston Device Tree"; + data = /incbin/("boot/dts/img/boston.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@boston { ++ conf-boston { + description = "Boston Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@boston"; ++ kernel = "kernel"; ++ fdt = "fdt-boston"; + }; + }; + }; +diff --git a/arch/mips/generic/board-ni169445.its.S b/arch/mips/generic/board-ni169445.its.S +index e4cb4f95a8cc1..0a2e8f7a8526f 100644 +--- a/arch/mips/generic/board-ni169445.its.S ++++ b/arch/mips/generic/board-ni169445.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@ni169445 { ++ fdt-ni169445 { + description = "NI 169445 device tree"; + data = /incbin/("boot/dts/ni/169445.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@ni169445 { ++ conf-ni169445 { + description = "NI 169445 Linux Kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ni169445"; ++ kernel = "kernel"; ++ fdt = "fdt-ni169445"; + }; + }; + }; +diff --git a/arch/mips/generic/board-ocelot.its.S b/arch/mips/generic/board-ocelot.its.S +index 3da23988149a6..8c7e3a1b68d3d 100644 +--- a/arch/mips/generic/board-ocelot.its.S ++++ b/arch/mips/generic/board-ocelot.its.S +@@ -1,40 +1,40 @@ + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */ + / { + images { +- fdt@ocelot_pcb123 { ++ fdt-ocelot_pcb123 { + description = "MSCC Ocelot PCB123 Device Tree"; + data = /incbin/("boot/dts/mscc/ocelot_pcb123.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + +- fdt@ocelot_pcb120 { ++ fdt-ocelot_pcb120 { + description = "MSCC Ocelot PCB120 Device Tree"; + data = /incbin/("boot/dts/mscc/ocelot_pcb120.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@ocelot_pcb123 { ++ conf-ocelot_pcb123 { + description = "Ocelot Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ocelot_pcb123"; ++ kernel = "kernel"; ++ fdt = "fdt-ocelot_pcb123"; + }; + +- conf@ocelot_pcb120 { ++ conf-ocelot_pcb120 { + description = "Ocelot Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ocelot_pcb120"; ++ kernel = "kernel"; ++ fdt = "fdt-ocelot_pcb120"; + }; + }; + }; +diff --git a/arch/mips/generic/board-xilfpga.its.S b/arch/mips/generic/board-xilfpga.its.S +index a2e773d3f14f4..08c1e900eb4ed 100644 +--- a/arch/mips/generic/board-xilfpga.its.S ++++ b/arch/mips/generic/board-xilfpga.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@xilfpga { ++ fdt-xilfpga { + description = "MIPSfpga (xilfpga) Device Tree"; + data = /incbin/("boot/dts/xilfpga/nexys4ddr.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@xilfpga { ++ conf-xilfpga { + description = "MIPSfpga Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@xilfpga"; ++ kernel = "kernel"; ++ fdt = "fdt-xilfpga"; + }; + }; + }; +diff --git a/arch/mips/generic/vmlinux.its.S b/arch/mips/generic/vmlinux.its.S +index 1a08438fd8930..3e254676540f4 100644 +--- a/arch/mips/generic/vmlinux.its.S ++++ b/arch/mips/generic/vmlinux.its.S +@@ -6,7 +6,7 @@ + #address-cells = ; + + images { +- kernel@0 { ++ kernel { + description = KERNEL_NAME; + data = /incbin/(VMLINUX_BINARY); + type = "kernel"; +@@ -15,18 +15,18 @@ + compression = VMLINUX_COMPRESSION; + load = /bits/ ADDR_BITS ; + entry = /bits/ ADDR_BITS ; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- default = "conf@default"; ++ default = "conf-default"; + +- conf@default { ++ conf-default { + description = "Generic Linux kernel"; +- kernel = "kernel@0"; ++ kernel = "kernel"; + }; + }; + }; +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index 0c67a5a94de30..76959a7d88c82 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar); + ++#define RS690_LOWER_TOP_OF_DRAM2 0x30 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31 ++#define RS690_HTIU_NB_INDEX 0xA8 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100 ++#define RS690_HTIU_NB_DATA 0xAC ++ ++/* ++ * Some BIOS implementations support RAM above 4GB, but do not configure the ++ * PCI host to respond to bus master accesses for these addresses. These ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA ++ * works as expected for addresses below 4GB. ++ * ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57) ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf ++ */ ++static void rs690_fix_64bit_dma(struct pci_dev *pdev) ++{ ++ u32 val = 0; ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1; ++ ++ if (top_of_dram <= (1ULL << 32)) ++ return; ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2); ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val); ++ ++ if (val) ++ return; ++ ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma); ++ + #endif +diff --git a/certs/Kconfig b/certs/Kconfig +index c94e93d8bccf0..76e469b56a773 100644 +--- a/certs/Kconfig ++++ b/certs/Kconfig +@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST + wrapper to incorporate the list into the kernel. Each should + be a string of hex digits. + ++config SYSTEM_REVOCATION_LIST ++ bool "Provide system-wide ring of revocation certificates" ++ depends on SYSTEM_BLACKLIST_KEYRING ++ depends on PKCS7_MESSAGE_PARSER=y ++ help ++ If set, this allows revocation certificates to be stored in the ++ blacklist keyring and implements a hook whereby a PKCS#7 message can ++ be checked to see if it matches such a certificate. ++ + endmenu +diff --git a/certs/Makefile b/certs/Makefile +index f4c25b67aad90..f4b90bad8690a 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -3,7 +3,7 @@ + # Makefile for the linux kernel signature checking certificates. + # + +-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o ++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o +diff --git a/certs/blacklist.c b/certs/blacklist.c +index 025a41de28fda..59b2f106b2940 100644 +--- a/certs/blacklist.c ++++ b/certs/blacklist.c +@@ -135,6 +135,58 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) + } + EXPORT_SYMBOL_GPL(is_hash_blacklisted); + ++int is_binary_blacklisted(const u8 *hash, size_t hash_len) ++{ ++ if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) ++ return -EPERM; ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(is_binary_blacklisted); ++ ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++/** ++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist ++ * @data: The data blob containing the certificate ++ * @size: The size of data blob ++ */ ++int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ key_ref_t key; ++ ++ key = key_create_or_update(make_key_ref(blacklist_keyring, true), ++ "asymmetric", ++ NULL, ++ data, ++ size, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), ++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); ++ ++ if (IS_ERR(key)) { ++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); ++ return PTR_ERR(key); ++ } ++ ++ return 0; ++} ++ ++/** ++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked ++ * @pkcs7: The PKCS#7 message to check ++ */ ++int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ int ret; ++ ++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); ++ ++ if (ret == 0) ++ return -EKEYREJECTED; ++ ++ return -ENOKEY; ++} ++#endif ++ + /* + * Initialise the blacklist + */ +diff --git a/certs/blacklist.h b/certs/blacklist.h +index 1efd6fa0dc608..51b320cf85749 100644 +--- a/certs/blacklist.h ++++ b/certs/blacklist.h +@@ -1,3 +1,5 @@ + #include ++#include ++#include + + extern const char __initconst *const blacklist_hashes[]; +diff --git a/certs/common.c b/certs/common.c +new file mode 100644 +index 0000000000000..16a220887a53e +--- /dev/null ++++ b/certs/common.c +@@ -0,0 +1,57 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++ ++#include ++#include ++#include "common.h" ++ ++int load_certificate_list(const u8 cert_list[], ++ const unsigned long list_size, ++ const struct key *keyring) ++{ ++ key_ref_t key; ++ const u8 *p, *end; ++ size_t plen; ++ ++ p = cert_list; ++ end = p + list_size; ++ while (p < end) { ++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more ++ * than 256 bytes in size. ++ */ ++ if (end - p < 4) ++ goto dodgy_cert; ++ if (p[0] != 0x30 && ++ p[1] != 0x82) ++ goto dodgy_cert; ++ plen = (p[2] << 8) | p[3]; ++ plen += 4; ++ if (plen > end - p) ++ goto dodgy_cert; ++ ++ key = key_create_or_update(make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ p, ++ plen, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ), ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_BUILT_IN | ++ KEY_ALLOC_BYPASS_RESTRICTION); ++ if (IS_ERR(key)) { ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ } else { ++ pr_notice("Loaded X.509 cert '%s'\n", ++ key_ref_to_ptr(key)->description); ++ key_ref_put(key); ++ } ++ p += plen; ++ } ++ ++ return 0; ++ ++dodgy_cert: ++ pr_err("Problem parsing in-kernel X.509 certificate list\n"); ++ return 0; ++} +diff --git a/certs/common.h b/certs/common.h +new file mode 100644 +index 0000000000000..abdb5795936b7 +--- /dev/null ++++ b/certs/common.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++ ++#ifndef _CERT_COMMON_H ++#define _CERT_COMMON_H ++ ++int load_certificate_list(const u8 cert_list[], const unsigned long list_size, ++ const struct key *keyring); ++ ++#endif +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 798291177186c..a44a8915c94cf 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include "common.h" + + static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init); + */ + static __init int load_system_certificate_list(void) + { +- key_ref_t key; +- const u8 *p, *end; +- size_t plen; +- + pr_notice("Loading compiled-in X.509 certificates\n"); + +- p = system_certificate_list; +- end = p + system_certificate_list_size; +- while (p < end) { +- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more +- * than 256 bytes in size. +- */ +- if (end - p < 4) +- goto dodgy_cert; +- if (p[0] != 0x30 && +- p[1] != 0x82) +- goto dodgy_cert; +- plen = (p[2] << 8) | p[3]; +- plen += 4; +- if (plen > end - p) +- goto dodgy_cert; +- +- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), +- "asymmetric", +- NULL, +- p, +- plen, +- ((KEY_POS_ALL & ~KEY_POS_SETATTR) | +- KEY_USR_VIEW | KEY_USR_READ), +- KEY_ALLOC_NOT_IN_QUOTA | +- KEY_ALLOC_BUILT_IN | +- KEY_ALLOC_BYPASS_RESTRICTION); +- if (IS_ERR(key)) { +- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", +- PTR_ERR(key)); +- } else { +- pr_notice("Loaded X.509 cert '%s'\n", +- key_ref_to_ptr(key)->description); +- key_ref_put(key); +- } +- p += plen; +- } +- +- return 0; +- +-dodgy_cert: +- pr_err("Problem parsing in-kernel X.509 certificate list\n"); +- return 0; ++ return load_certificate_list(system_certificate_list, system_certificate_list_size, ++ builtin_trusted_keys); + } + late_initcall(load_system_certificate_list); + +@@ -241,6 +198,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, + pr_devel("PKCS#7 platform keyring is not available\n"); + goto error; + } ++ ++ ret = is_key_on_revocation_list(pkcs7); ++ if (ret != -ENOKEY) { ++ pr_devel("PKCS#7 platform key is on revocation list\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { +diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c +index f40051d6aecbc..9c0ea13ca7883 100644 +--- a/drivers/dma/mediatek/mtk-uart-apdma.c ++++ b/drivers/dma/mediatek/mtk-uart-apdma.c +@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg) + + static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd) + { +- struct dma_chan *chan = vd->tx.chan; +- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan); +- +- kfree(c->desc); ++ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd)); + } + + static void mtk_uart_apdma_start_tx(struct mtk_chan *c) +@@ -207,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c) + + static void mtk_uart_apdma_tx_handler(struct mtk_chan *c) + { +- struct mtk_uart_apdma_desc *d = c->desc; +- + mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B); + mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B); + mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B); +- +- list_del(&d->vd.node); +- vchan_cookie_complete(&d->vd); + } + + static void mtk_uart_apdma_rx_handler(struct mtk_chan *c) +@@ -245,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c) + + c->rx_status = d->avail_len - cnt; + mtk_uart_apdma_write(c, VFF_RPT, wg); ++} + +- list_del(&d->vd.node); +- vchan_cookie_complete(&d->vd); ++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c) ++{ ++ struct mtk_uart_apdma_desc *d = c->desc; ++ ++ if (d) { ++ list_del(&d->vd.node); ++ vchan_cookie_complete(&d->vd); ++ c->desc = NULL; ++ } + } + + static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id) +@@ -261,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id) + mtk_uart_apdma_rx_handler(c); + else if (c->dir == DMA_MEM_TO_DEV) + mtk_uart_apdma_tx_handler(c); ++ mtk_uart_apdma_chan_complete_handler(c); + spin_unlock_irqrestore(&c->vc.lock, flags); + + return IRQ_HANDLED; +@@ -348,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg + return NULL; + + /* Now allocate and setup the descriptor */ +- d = kzalloc(sizeof(*d), GFP_ATOMIC); ++ d = kzalloc(sizeof(*d), GFP_NOWAIT); + if (!d) + return NULL; + +@@ -366,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan) + unsigned long flags; + + spin_lock_irqsave(&c->vc.lock, flags); +- if (vchan_issue_pending(&c->vc)) { ++ if (vchan_issue_pending(&c->vc) && !c->desc) { + vd = vchan_next_desc(&c->vc); + c->desc = to_mtk_uart_apdma_desc(&vd->tx); + +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c +index 3993ab65c62cd..89eb9ea258149 100644 +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1855,7 +1855,7 @@ static int rcar_dmac_probe(struct platform_device *pdev) + + /* Enable runtime PM and initialize the device. */ + pm_runtime_enable(&pdev->dev); +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { + dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret); + return ret; +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index d47749a35863f..84009c5e0f330 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -467,7 +467,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan) + struct zynqmp_dma_desc_sw *desc; + int i, ret; + +- ret = pm_runtime_get_sync(chan->dev); ++ ret = pm_runtime_resume_and_get(chan->dev); + if (ret < 0) + return ret; + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 9964ec0035ede..1d8739a4fbcad 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -3416,12 +3416,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring) + if (ring->use_doorbell) { + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, + (adev->doorbell_index.kiq * 2) << 2); +- /* If GC has entered CGPG, ringing doorbell > first page doesn't +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround +- * this issue. +- */ + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, +- (adev->doorbell.size - 4)); ++ (adev->doorbell_index.userqueue_end * 2) << 2); + } + + WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 354da41f52def..06cdc22b5501d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -3593,12 +3593,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring) + if (ring->use_doorbell) { + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, + (adev->doorbell_index.kiq * 2) << 2); +- /* If GC has entered CGPG, ringing doorbell > first page doesn't +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround +- * this issue. +- */ + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, +- (adev->doorbell.size - 4)); ++ (adev->doorbell_index.userqueue_end * 2) << 2); + } + + WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c +index bae6a3eccee0b..f9ee562f72d33 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -112,7 +112,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj) + if (ret) + return -EINVAL; + +- return 0; ++ ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL); ++ if (ret) ++ goto error; ++ ++ if (nvbo->bo.moving) ++ ret = dma_fence_wait(nvbo->bo.moving, true); ++ ++ ttm_bo_unreserve(&nvbo->bo); ++ if (ret) ++ goto error; ++ ++ return ret; ++ ++error: ++ nouveau_bo_unpin(nvbo); ++ return ret; + } + + void nouveau_gem_prime_unpin(struct drm_gem_object *obj) +diff --git a/drivers/gpu/drm/radeon/radeon_prime.c b/drivers/gpu/drm/radeon/radeon_prime.c +index b906e8fbd5f3a..7bc33a80934c4 100644 +--- a/drivers/gpu/drm/radeon/radeon_prime.c ++++ b/drivers/gpu/drm/radeon/radeon_prime.c +@@ -94,9 +94,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj) + + /* pin buffer into GTT */ + ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL); +- if (likely(ret == 0)) +- bo->prime_shared_count++; +- ++ if (unlikely(ret)) ++ goto error; ++ ++ if (bo->tbo.moving) { ++ ret = dma_fence_wait(bo->tbo.moving, false); ++ if (unlikely(ret)) { ++ radeon_bo_unpin(bo); ++ goto error; ++ } ++ } ++ ++ bo->prime_shared_count++; ++error: + radeon_bo_unreserve(bo); + return ret; + } +diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c +index a39f7d0927973..66dfa211e736b 100644 +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c +@@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs, + } + } + +- ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); ++ ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); + if (ret) { + dev_err(&adapter->dev, "failure sending STOP\n"); + return -EREMOTEIO; +@@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface, + * Set bus frequency. The frequency is: + * 120,000,000 / ( 16 + 2 * div * 4^prescale). + * Using dev = 52, prescale = 0 give 100KHz */ +- ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, ++ ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, + NULL, 0); + if (ret) { + dev_err(&interface->dev, "failure sending bit rate"); +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c +index 545c3f2f8a06c..a3e3b274f0ea3 100644 +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -166,6 +166,7 @@ struct meson_host { + + unsigned int bounce_buf_size; + void *bounce_buf; ++ void __iomem *bounce_iomem_buf; + dma_addr_t bounce_dma_addr; + struct sd_emmc_desc *descs; + dma_addr_t descs_dma_addr; +@@ -737,6 +738,47 @@ static void meson_mmc_desc_chain_transfer(struct mmc_host *mmc, u32 cmd_cfg) + writel(start, host->regs + SD_EMMC_START); + } + ++/* local sg copy to buffer version with _to/fromio usage for dram_access_quirk */ ++static void meson_mmc_copy_buffer(struct meson_host *host, struct mmc_data *data, ++ size_t buflen, bool to_buffer) ++{ ++ unsigned int sg_flags = SG_MITER_ATOMIC; ++ struct scatterlist *sgl = data->sg; ++ unsigned int nents = data->sg_len; ++ struct sg_mapping_iter miter; ++ unsigned int offset = 0; ++ ++ if (to_buffer) ++ sg_flags |= SG_MITER_FROM_SG; ++ else ++ sg_flags |= SG_MITER_TO_SG; ++ ++ sg_miter_start(&miter, sgl, nents, sg_flags); ++ ++ while ((offset < buflen) && sg_miter_next(&miter)) { ++ unsigned int len; ++ ++ len = min(miter.length, buflen - offset); ++ ++ /* When dram_access_quirk, the bounce buffer is a iomem mapping */ ++ if (host->dram_access_quirk) { ++ if (to_buffer) ++ memcpy_toio(host->bounce_iomem_buf + offset, miter.addr, len); ++ else ++ memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len); ++ } else { ++ if (to_buffer) ++ memcpy(host->bounce_buf + offset, miter.addr, len); ++ else ++ memcpy(miter.addr, host->bounce_buf + offset, len); ++ } ++ ++ offset += len; ++ } ++ ++ sg_miter_stop(&miter); ++} ++ + static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd) + { + struct meson_host *host = mmc_priv(mmc); +@@ -780,8 +822,7 @@ static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd) + if (data->flags & MMC_DATA_WRITE) { + cmd_cfg |= CMD_CFG_DATA_WR; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- sg_copy_to_buffer(data->sg, data->sg_len, +- host->bounce_buf, xfer_bytes); ++ meson_mmc_copy_buffer(host, data, xfer_bytes, true); + dma_wmb(); + } + +@@ -950,8 +991,7 @@ static irqreturn_t meson_mmc_irq_thread(int irq, void *dev_id) + if (meson_mmc_bounce_buf_read(data)) { + xfer_bytes = data->blksz * data->blocks; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- sg_copy_from_buffer(data->sg, data->sg_len, +- host->bounce_buf, xfer_bytes); ++ meson_mmc_copy_buffer(host, data, xfer_bytes, false); + } + + next_cmd = meson_mmc_get_next_command(cmd); +@@ -1179,7 +1219,7 @@ static int meson_mmc_probe(struct platform_device *pdev) + * instead of the DDR memory + */ + host->bounce_buf_size = SD_EMMC_SRAM_DATA_BUF_LEN; +- host->bounce_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF; ++ host->bounce_iomem_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF; + host->bounce_dma_addr = res->start + SD_EMMC_SRAM_DATA_BUF_OFF; + } else { + /* data bounce buffer */ +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 0f2bee59a82b0..0bc7f6518fb32 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -351,6 +351,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); + return -ENODEV; +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +index 5c6a276f69ac4..426b8098c50ee 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -1293,9 +1293,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn, + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC; + + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled; ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) != ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + memcpy(&p_hwfn->p_dcbx_info->set.config.params, + &dcbx_info->operational.params, +- sizeof(struct qed_dcbx_admin_params)); ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + p_hwfn->p_dcbx_info->set.config.valid = true; + + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set)); +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 8ff178fc2670c..661202e854121 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -1801,7 +1801,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch(stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings)); ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings)); + break; + } + } +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index a042f4607b0d0..931a44fe7afe8 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2322,7 +2322,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *sh_eth_gstrings_stats, ++ memcpy(data, sh_eth_gstrings_stats, + sizeof(sh_eth_gstrings_stats)); + break; + } +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 9b55fbdc3a7c6..9a7af7dda70dc 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -770,12 +770,15 @@ static void temac_start_xmit_done(struct net_device *ndev) + stat = be32_to_cpu(cur_p->app0); + + while (stat & STS_CTRL_APP0_CMPLT) { ++ /* Make sure that the other fields are read after bd is ++ * released by dma ++ */ ++ rmb(); + dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys), + be32_to_cpu(cur_p->len), DMA_TO_DEVICE); + skb = (struct sk_buff *)ptr_from_txbd(cur_p); + if (skb) + dev_consume_skb_irq(skb); +- cur_p->app0 = 0; + cur_p->app1 = 0; + cur_p->app2 = 0; + cur_p->app3 = 0; +@@ -784,6 +787,12 @@ static void temac_start_xmit_done(struct net_device *ndev) + ndev->stats.tx_packets++; + ndev->stats.tx_bytes += be32_to_cpu(cur_p->len); + ++ /* app0 must be visible last, as it is used to flag ++ * availability of the bd ++ */ ++ smp_mb(); ++ cur_p->app0 = 0; ++ + lp->tx_bd_ci++; + if (lp->tx_bd_ci >= TX_BD_NUM) + lp->tx_bd_ci = 0; +@@ -810,6 +819,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag) + if (cur_p->app0) + return NETDEV_TX_BUSY; + ++ /* Make sure to read next bd app0 after this one */ ++ rmb(); ++ + tail++; + if (tail >= TX_BD_NUM) + tail = 0; +@@ -927,6 +939,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + wmb(); + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */ + ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) { ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__); ++ netif_stop_queue(ndev); ++ } ++ + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 31a5595133628..87c0cdbf262ae 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -468,16 +468,12 @@ static int dp83867_phy_reset(struct phy_device *phydev) + { + int err; + +- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET); ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); + if (err < 0) + return err; + + usleep_range(10, 20); + +- /* After reset FORCE_LINK_GOOD bit is set. Although the +- * default value should be unset. Disable FORCE_LINK_GOOD +- * for the phy to work properly. +- */ + return phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); + } +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index f6d643ecaf39b..24d1246330375 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5065,7 +5065,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); + break; + } + } +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index c48c68090d762..1033513d3d9de 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -1458,8 +1458,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw) + static void mac80211_hwsim_stop(struct ieee80211_hw *hw) + { + struct mac80211_hwsim_data *data = hw->priv; ++ + data->started = false; + hrtimer_cancel(&data->beacon_timer); ++ ++ while (!skb_queue_empty(&data->pending)) ++ ieee80211_free_txskb(hw, skb_dequeue(&data->pending)); ++ + wiphy_dbg(hw->wiphy, "%s\n", __func__); + } + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 34a06e89e176a..3c3bc9f584983 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1666,11 +1666,21 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + int err; + int i, bars = 0; + +- if (atomic_inc_return(&dev->enable_cnt) > 1) { +- pci_update_current_state(dev, dev->current_state); +- return 0; /* already enabled */ ++ /* ++ * Power state could be unknown at this point, either due to a fresh ++ * boot or a device removal call. So get the current power state ++ * so that things like MSI message writing will behave as expected ++ * (e.g. if the device really is in D0 at enable time). ++ */ ++ if (dev->pm_cap) { ++ u16 pmcsr; ++ pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); ++ dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); + } + ++ if (atomic_inc_return(&dev->enable_cnt) > 1) ++ return 0; /* already enabled */ ++ + bridge = pci_upstream_bridge(dev); + if (bridge) + pci_enable_bridge(bridge); +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 2d5e0435af0a4..bac1d040bacab 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -1153,7 +1153,7 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + struct resource res; + struct reset_control *rstc; + int npins = STM32_GPIO_PINS_PER_BANK; +- int bank_nr, err; ++ int bank_nr, err, i = 0; + + rstc = of_reset_control_get_exclusive(np, NULL); + if (!IS_ERR(rstc)) +@@ -1182,9 +1182,14 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + + of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label); + +- if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) { ++ if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) { + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK; + bank->gpio_chip.base = args.args[1]; ++ ++ npins = args.args[2]; ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++ ++i, &args)) ++ npins += args.args[2]; + } else { + bank_nr = pctl->nbanks; + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK; +diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c +index efd9e908e2248..36a44a837031d 100644 +--- a/drivers/spi/spi-nxp-fspi.c ++++ b/drivers/spi/spi-nxp-fspi.c +@@ -975,12 +975,6 @@ static int nxp_fspi_probe(struct platform_device *pdev) + goto err_put_ctrl; + } + +- /* Clear potential interrupts */ +- reg = fspi_readl(f, f->iobase + FSPI_INTR); +- if (reg) +- fspi_writel(f, reg, f->iobase + FSPI_INTR); +- +- + /* find the resources - controller memory mapped space */ + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "fspi_mmap"); + f->ahb_addr = devm_ioremap_resource(dev, res); +@@ -1012,6 +1006,11 @@ static int nxp_fspi_probe(struct platform_device *pdev) + goto err_put_ctrl; + } + ++ /* Clear potential interrupts */ ++ reg = fspi_readl(f, f->iobase + FSPI_INTR); ++ if (reg) ++ fspi_writel(f, reg, f->iobase + FSPI_INTR); ++ + /* find the irq */ + ret = platform_get_irq(pdev, 0); + if (ret < 0) +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index e60be7bb55b0b..c6c8a33c81d5e 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1054,6 +1054,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs) + nilfs_sysfs_delete_superblock_group(nilfs); + nilfs_sysfs_delete_segctor_group(nilfs); + kobject_del(&nilfs->ns_dev_kobj); ++ kobject_put(&nilfs->ns_dev_kobj); + kfree(nilfs->ns_dev_subgroups); + } + +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index c1a96fdf598bc..875e002a41804 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -31,16 +31,37 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted + #endif + ++extern struct pkcs7_message *pkcs7; + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + extern int mark_hash_blacklisted(const char *hash); + extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, + const char *type); ++extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); + #else + static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, + const char *type) + { + return 0; + } ++ ++static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) ++{ ++ return 0; ++} ++#endif ++ ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++extern int add_key_to_revocation_list(const char *data, size_t size); ++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); ++#else ++static inline int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ return 0; ++} ++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ return -ENOKEY; ++} + #endif + + #ifdef CONFIG_IMA_BLACKLIST_KEYRING +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h +index d8b86fd391134..d2dbe462efeef 100644 +--- a/include/linux/huge_mm.h ++++ b/include/linux/huge_mm.h +@@ -259,6 +259,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr, + extern vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t orig_pmd); + + extern struct page *huge_zero_page; ++extern unsigned long huge_zero_pfn; + + static inline bool is_huge_zero_page(struct page *page) + { +@@ -267,7 +268,7 @@ static inline bool is_huge_zero_page(struct page *page) + + static inline bool is_huge_zero_pmd(pmd_t pmd) + { +- return is_huge_zero_page(pmd_page(pmd)); ++ return READ_ONCE(huge_zero_pfn) == pmd_pfn(pmd) && pmd_present(pmd); + } + + static inline bool is_huge_zero_pud(pud_t pud) +@@ -398,6 +399,11 @@ static inline bool is_huge_zero_page(struct page *page) + return false; + } + ++static inline bool is_huge_zero_pmd(pmd_t pmd) ++{ ++ return false; ++} ++ + static inline bool is_huge_zero_pud(pud_t pud) + { + return false; +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index fc717aeb2b3de..a0513c444446d 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -469,17 +469,6 @@ static inline int hstate_index(struct hstate *h) + return h - hstates; + } + +-pgoff_t __basepage_index(struct page *page); +- +-/* Return page->index in PAGE_SIZE units */ +-static inline pgoff_t basepage_index(struct page *page) +-{ +- if (!PageCompound(page)) +- return page->index; +- +- return __basepage_index(page); +-} +- + extern int dissolve_free_huge_page(struct page *page); + extern int dissolve_free_huge_pages(unsigned long start_pfn, + unsigned long end_pfn); +@@ -695,11 +684,6 @@ static inline int hstate_index(struct hstate *h) + return 0; + } + +-static inline pgoff_t basepage_index(struct page *page) +-{ +- return page->index; +-} +- + static inline int dissolve_free_huge_page(struct page *page) + { + return 0; +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 5565d11f95429..a7d626b4cad1c 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1459,6 +1459,7 @@ struct zap_details { + struct address_space *check_mapping; /* Check page->mapping if set */ + pgoff_t first_index; /* Lowest page->index to unmap */ + pgoff_t last_index; /* Highest page->index to unmap */ ++ struct page *single_page; /* Locked page to be unmapped */ + }; + + struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr, +@@ -1505,6 +1506,7 @@ extern vm_fault_t handle_mm_fault(struct vm_area_struct *vma, + extern int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm, + unsigned long address, unsigned int fault_flags, + bool *unlocked); ++void unmap_mapping_page(struct page *page); + void unmap_mapping_pages(struct address_space *mapping, + pgoff_t start, pgoff_t nr, bool even_cows); + void unmap_mapping_range(struct address_space *mapping, +@@ -1525,6 +1527,7 @@ static inline int fixup_user_fault(struct task_struct *tsk, + BUG(); + return -EFAULT; + } ++static inline void unmap_mapping_page(struct page *page) { } + static inline void unmap_mapping_pages(struct address_space *mapping, + pgoff_t start, pgoff_t nr, bool even_cows) { } + static inline void unmap_mapping_range(struct address_space *mapping, +diff --git a/include/linux/mmdebug.h b/include/linux/mmdebug.h +index 2ad72d2c8cc52..5d0767cb424aa 100644 +--- a/include/linux/mmdebug.h ++++ b/include/linux/mmdebug.h +@@ -37,6 +37,18 @@ void dump_mm(const struct mm_struct *mm); + BUG(); \ + } \ + } while (0) ++#define VM_WARN_ON_ONCE_PAGE(cond, page) ({ \ ++ static bool __section(".data.once") __warned; \ ++ int __ret_warn_once = !!(cond); \ ++ \ ++ if (unlikely(__ret_warn_once && !__warned)) { \ ++ dump_page(page, "VM_WARN_ON_ONCE_PAGE(" __stringify(cond)")");\ ++ __warned = true; \ ++ WARN_ON(1); \ ++ } \ ++ unlikely(__ret_warn_once); \ ++}) ++ + #define VM_WARN_ON(cond) (void)WARN_ON(cond) + #define VM_WARN_ON_ONCE(cond) (void)WARN_ON_ONCE(cond) + #define VM_WARN_ONCE(cond, format...) (void)WARN_ONCE(cond, format) +@@ -48,6 +60,7 @@ void dump_mm(const struct mm_struct *mm); + #define VM_BUG_ON_MM(cond, mm) VM_BUG_ON(cond) + #define VM_WARN_ON(cond) BUILD_BUG_ON_INVALID(cond) + #define VM_WARN_ON_ONCE(cond) BUILD_BUG_ON_INVALID(cond) ++#define VM_WARN_ON_ONCE_PAGE(cond, page) BUILD_BUG_ON_INVALID(cond) + #define VM_WARN_ONCE(cond, format...) BUILD_BUG_ON_INVALID(cond) + #define VM_WARN(cond, format...) BUILD_BUG_ON_INVALID(cond) + #endif +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index 37a4d9e32cd3f..8543b1aaa5299 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -397,7 +397,7 @@ static inline struct page *read_mapping_page(struct address_space *mapping, + } + + /* +- * Get index of the page with in radix-tree ++ * Get index of the page within radix-tree (but not for hugetlb pages). + * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_index(struct page *page) +@@ -416,15 +416,16 @@ static inline pgoff_t page_to_index(struct page *page) + return pgoff; + } + ++extern pgoff_t hugetlb_basepage_index(struct page *page); ++ + /* +- * Get the offset in PAGE_SIZE. +- * (TODO: hugepage should have ->index in PAGE_SIZE) ++ * Get the offset in PAGE_SIZE (even for hugetlb pages). ++ * (TODO: hugetlb pages should have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_pgoff(struct page *page) + { +- if (unlikely(PageHeadHuge(page))) +- return page->index << compound_order(page); +- ++ if (unlikely(PageHuge(page))) ++ return hugetlb_basepage_index(page); + return page_to_index(page); + } + +diff --git a/include/linux/rmap.h b/include/linux/rmap.h +index d7d6d4eb17949..91ccae9467164 100644 +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -98,7 +98,8 @@ enum ttu_flags { + * do a final flush if necessary */ + TTU_RMAP_LOCKED = 0x80, /* do not grab rmap lock: + * caller holds it */ +- TTU_SPLIT_FREEZE = 0x100, /* freeze pte under splitting thp */ ++ TTU_SPLIT_FREEZE = 0x100, /* freeze pte under splitting thp */ ++ TTU_SYNC = 0x200, /* avoid racy checks with PVMW_SYNC */ + }; + + #ifdef CONFIG_MMU +diff --git a/include/net/sock.h b/include/net/sock.h +index a0728f24ecc53..d3dd89b6e2cba 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1860,7 +1860,8 @@ static inline u32 net_tx_rndhash(void) + + static inline void sk_set_txhash(struct sock *sk) + { +- sk->sk_txhash = net_tx_rndhash(); ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */ ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash()); + } + + static inline void sk_rethink_txhash(struct sock *sk) +@@ -2125,9 +2126,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock, + + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk) + { +- if (sk->sk_txhash) { ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */ ++ u32 txhash = READ_ONCE(sk->sk_txhash); ++ ++ if (txhash) { + skb->l4_hash = 1; +- skb->hash = sk->sk_txhash; ++ skb->hash = txhash; + } + } + +diff --git a/init/Kconfig b/init/Kconfig +index 4f9fd78e2200b..f23e90d9935f5 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -20,6 +20,9 @@ config GCC_VERSION + config CC_IS_CLANG + def_bool $(success,$(CC) --version | head -n 1 | grep -q clang) + ++config LD_IS_LLD ++ def_bool $(success,$(LD) -v | head -n 1 | grep -q LLD) ++ + config CLANG_VERSION + int + default $(shell,$(srctree)/scripts/clang-version.sh $(CC)) +diff --git a/kernel/futex.c b/kernel/futex.c +index 375e7e98e301f..f82879ae6577c 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -737,7 +737,7 @@ again: + + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.i_seq = get_inode_sequence_number(inode); +- key->shared.pgoff = basepage_index(tail); ++ key->shared.pgoff = page_to_pgoff(tail); + rcu_read_unlock(); + } + +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 1d4c98a19043f..2eb8d7550324b 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -1020,8 +1020,38 @@ void kthread_flush_work(struct kthread_work *work) + EXPORT_SYMBOL_GPL(kthread_flush_work); + + /* +- * This function removes the work from the worker queue. Also it makes sure +- * that it won't get queued later via the delayed work's timer. ++ * Make sure that the timer is neither set nor running and could ++ * not manipulate the work list_head any longer. ++ * ++ * The function is called under worker->lock. The lock is temporary ++ * released but the timer can't be set again in the meantime. ++ */ ++static void kthread_cancel_delayed_work_timer(struct kthread_work *work, ++ unsigned long *flags) ++{ ++ struct kthread_delayed_work *dwork = ++ container_of(work, struct kthread_delayed_work, work); ++ struct kthread_worker *worker = work->worker; ++ ++ /* ++ * del_timer_sync() must be called to make sure that the timer ++ * callback is not running. The lock must be temporary released ++ * to avoid a deadlock with the callback. In the meantime, ++ * any queuing is blocked by setting the canceling counter. ++ */ ++ work->canceling++; ++ raw_spin_unlock_irqrestore(&worker->lock, *flags); ++ del_timer_sync(&dwork->timer); ++ raw_spin_lock_irqsave(&worker->lock, *flags); ++ work->canceling--; ++} ++ ++/* ++ * This function removes the work from the worker queue. ++ * ++ * It is called under worker->lock. The caller must make sure that ++ * the timer used by delayed work is not running, e.g. by calling ++ * kthread_cancel_delayed_work_timer(). + * + * The work might still be in use when this function finishes. See the + * current_work proceed by the worker. +@@ -1029,28 +1059,8 @@ EXPORT_SYMBOL_GPL(kthread_flush_work); + * Return: %true if @work was pending and successfully canceled, + * %false if @work was not pending + */ +-static bool __kthread_cancel_work(struct kthread_work *work, bool is_dwork, +- unsigned long *flags) ++static bool __kthread_cancel_work(struct kthread_work *work) + { +- /* Try to cancel the timer if exists. */ +- if (is_dwork) { +- struct kthread_delayed_work *dwork = +- container_of(work, struct kthread_delayed_work, work); +- struct kthread_worker *worker = work->worker; +- +- /* +- * del_timer_sync() must be called to make sure that the timer +- * callback is not running. The lock must be temporary released +- * to avoid a deadlock with the callback. In the meantime, +- * any queuing is blocked by setting the canceling counter. +- */ +- work->canceling++; +- raw_spin_unlock_irqrestore(&worker->lock, *flags); +- del_timer_sync(&dwork->timer); +- raw_spin_lock_irqsave(&worker->lock, *flags); +- work->canceling--; +- } +- + /* + * Try to remove the work from a worker list. It might either + * be from worker->work_list or from worker->delayed_work_list. +@@ -1103,11 +1113,23 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker, + /* Work must not be used with >1 worker, see kthread_queue_work() */ + WARN_ON_ONCE(work->worker != worker); + +- /* Do not fight with another command that is canceling this work. */ ++ /* ++ * Temporary cancel the work but do not fight with another command ++ * that is canceling the work as well. ++ * ++ * It is a bit tricky because of possible races with another ++ * mod_delayed_work() and cancel_delayed_work() callers. ++ * ++ * The timer must be canceled first because worker->lock is released ++ * when doing so. But the work can be removed from the queue (list) ++ * only when it can be queued again so that the return value can ++ * be used for reference counting. ++ */ ++ kthread_cancel_delayed_work_timer(work, &flags); + if (work->canceling) + goto out; ++ ret = __kthread_cancel_work(work); + +- ret = __kthread_cancel_work(work, true, &flags); + fast_queue: + __kthread_queue_delayed_work(worker, dwork, delay); + out: +@@ -1129,7 +1151,10 @@ static bool __kthread_cancel_work_sync(struct kthread_work *work, bool is_dwork) + /* Work must not be used with >1 worker, see kthread_queue_work(). */ + WARN_ON_ONCE(work->worker != worker); + +- ret = __kthread_cancel_work(work, is_dwork, &flags); ++ if (is_dwork) ++ kthread_cancel_delayed_work_timer(work, &flags); ++ ++ ret = __kthread_cancel_work(work); + + if (worker->current_work != work) + goto out_fast; +diff --git a/kernel/module.c b/kernel/module.c +index 88a6a9e04f8dc..59d487b8d8dad 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -268,9 +268,18 @@ static void module_assert_mutex_or_preempt(void) + #endif + } + ++#ifdef CONFIG_MODULE_SIG + static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); + module_param(sig_enforce, bool_enable_only, 0644); + ++void set_module_sig_enforced(void) ++{ ++ sig_enforce = true; ++} ++#else ++#define sig_enforce false ++#endif ++ + /* + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. +@@ -281,11 +290,6 @@ bool is_module_sig_enforced(void) + } + EXPORT_SYMBOL(is_module_sig_enforced); + +-void set_module_sig_enforced(void) +-{ +- sig_enforce = true; +-} +- + /* Block module loading/unloading? */ + int modules_disabled = 0; + core_param(nomodule, modules_disabled, bint, 0); +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 7bbf419bb86d6..87a07aa61be0d 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -61,6 +61,7 @@ static struct shrinker deferred_split_shrinker; + + static atomic_t huge_zero_refcount; + struct page *huge_zero_page __read_mostly; ++unsigned long huge_zero_pfn __read_mostly = ~0UL; + + bool transparent_hugepage_enabled(struct vm_area_struct *vma) + { +@@ -97,6 +98,7 @@ retry: + __free_pages(zero_page, compound_order(zero_page)); + goto retry; + } ++ WRITE_ONCE(huge_zero_pfn, page_to_pfn(zero_page)); + + /* We take additional reference here. It will be put back by shrinker */ + atomic_set(&huge_zero_refcount, 2); +@@ -146,6 +148,7 @@ static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink, + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) { + struct page *zero_page = xchg(&huge_zero_page, NULL); + BUG_ON(zero_page == NULL); ++ WRITE_ONCE(huge_zero_pfn, ~0UL); + __free_pages(zero_page, compound_order(zero_page)); + return HPAGE_PMD_NR; + } +@@ -2155,7 +2158,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + count_vm_event(THP_SPLIT_PMD); + + if (!vma_is_anonymous(vma)) { +- _pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd); ++ old_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd); + /* + * We are going to unmap this huge page. So + * just go ahead and zap it +@@ -2164,16 +2167,25 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + zap_deposited_table(mm, pmd); + if (vma_is_dax(vma)) + return; +- page = pmd_page(_pmd); +- if (!PageDirty(page) && pmd_dirty(_pmd)) +- set_page_dirty(page); +- if (!PageReferenced(page) && pmd_young(_pmd)) +- SetPageReferenced(page); +- page_remove_rmap(page, true); +- put_page(page); ++ if (unlikely(is_pmd_migration_entry(old_pmd))) { ++ swp_entry_t entry; ++ ++ entry = pmd_to_swp_entry(old_pmd); ++ page = migration_entry_to_page(entry); ++ } else { ++ page = pmd_page(old_pmd); ++ if (!PageDirty(page) && pmd_dirty(old_pmd)) ++ set_page_dirty(page); ++ if (!PageReferenced(page) && pmd_young(old_pmd)) ++ SetPageReferenced(page); ++ page_remove_rmap(page, true); ++ put_page(page); ++ } + add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR); + return; +- } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) { ++ } ++ ++ if (is_huge_zero_pmd(*pmd)) { + /* + * FIXME: Do we want to invalidate secondary mmu by calling + * mmu_notifier_invalidate_range() see comments below inside +@@ -2449,16 +2461,16 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma, + static void unmap_page(struct page *page) + { + enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_IGNORE_ACCESS | +- TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD; +- bool unmap_success; ++ TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD | TTU_SYNC; + + VM_BUG_ON_PAGE(!PageHead(page), page); + + if (PageAnon(page)) + ttu_flags |= TTU_SPLIT_FREEZE; + +- unmap_success = try_to_unmap(page, ttu_flags); +- VM_BUG_ON_PAGE(!unmap_success, page); ++ try_to_unmap(page, ttu_flags); ++ ++ VM_WARN_ON_ONCE_PAGE(page_mapped(page), page); + } + + static void remap_page(struct page *page) +@@ -2737,7 +2749,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + struct deferred_split *ds_queue = get_deferred_split_queue(page); + struct anon_vma *anon_vma = NULL; + struct address_space *mapping = NULL; +- int count, mapcount, extra_pins, ret; ++ int extra_pins, ret; + bool mlocked; + unsigned long flags; + pgoff_t end; +@@ -2799,7 +2811,6 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + + mlocked = PageMlocked(page); + unmap_page(head); +- VM_BUG_ON_PAGE(compound_mapcount(head), head); + + /* Make sure the page is not on per-CPU pagevec as it takes pin */ + if (mlocked) +@@ -2822,9 +2833,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + + /* Prevent deferred_split_scan() touching ->_refcount */ + spin_lock(&ds_queue->split_queue_lock); +- count = page_count(head); +- mapcount = total_mapcount(head); +- if (!mapcount && page_ref_freeze(head, 1 + extra_pins)) { ++ if (page_ref_freeze(head, 1 + extra_pins)) { + if (!list_empty(page_deferred_list(head))) { + ds_queue->split_queue_len--; + list_del(page_deferred_list(head)); +@@ -2845,16 +2854,9 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + } else + ret = 0; + } else { +- if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) { +- pr_alert("total_mapcount: %u, page_count(): %u\n", +- mapcount, count); +- if (PageTail(page)) +- dump_page(head, NULL); +- dump_page(page, "total_mapcount(head) > 0"); +- BUG(); +- } + spin_unlock(&ds_queue->split_queue_lock); +-fail: if (mapping) ++fail: ++ if (mapping) + xa_unlock(&mapping->i_pages); + spin_unlock_irqrestore(&pgdata->lru_lock, flags); + remap_page(head); +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index fe15e7d8220ab..95a32749af4da 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1461,15 +1461,12 @@ int PageHeadHuge(struct page *page_head) + return get_compound_page_dtor(page_head) == free_huge_page; + } + +-pgoff_t __basepage_index(struct page *page) ++pgoff_t hugetlb_basepage_index(struct page *page) + { + struct page *page_head = compound_head(page); + pgoff_t index = page_index(page_head); + unsigned long compound_idx; + +- if (!PageHuge(page_head)) +- return page_index(page); +- + if (compound_order(page_head) >= MAX_ORDER) + compound_idx = page_to_pfn(page) - page_to_pfn(page_head); + else +diff --git a/mm/internal.h b/mm/internal.h +index 7dd7fbb577a9a..cf382549dd702 100644 +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -339,27 +339,52 @@ static inline void mlock_migrate_page(struct page *newpage, struct page *page) + extern pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma); + + /* +- * At what user virtual address is page expected in @vma? ++ * At what user virtual address is page expected in vma? ++ * Returns -EFAULT if all of the page is outside the range of vma. ++ * If page is a compound head, the entire compound page is considered. + */ + static inline unsigned long +-__vma_address(struct page *page, struct vm_area_struct *vma) ++vma_address(struct page *page, struct vm_area_struct *vma) + { +- pgoff_t pgoff = page_to_pgoff(page); +- return vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ pgoff_t pgoff; ++ unsigned long address; ++ ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */ ++ pgoff = page_to_pgoff(page); ++ if (pgoff >= vma->vm_pgoff) { ++ address = vma->vm_start + ++ ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ /* Check for address beyond vma (or wrapped through 0?) */ ++ if (address < vma->vm_start || address >= vma->vm_end) ++ address = -EFAULT; ++ } else if (PageHead(page) && ++ pgoff + compound_nr(page) - 1 >= vma->vm_pgoff) { ++ /* Test above avoids possibility of wrap to 0 on 32-bit */ ++ address = vma->vm_start; ++ } else { ++ address = -EFAULT; ++ } ++ return address; + } + ++/* ++ * Then at what user virtual address will none of the page be found in vma? ++ * Assumes that vma_address() already returned a good starting address. ++ * If page is a compound head, the entire compound page is considered. ++ */ + static inline unsigned long +-vma_address(struct page *page, struct vm_area_struct *vma) ++vma_address_end(struct page *page, struct vm_area_struct *vma) + { +- unsigned long start, end; +- +- start = __vma_address(page, vma); +- end = start + PAGE_SIZE * (hpage_nr_pages(page) - 1); +- +- /* page should be within @vma mapping range */ +- VM_BUG_ON_VMA(end < vma->vm_start || start >= vma->vm_end, vma); +- +- return max(start, vma->vm_start); ++ pgoff_t pgoff; ++ unsigned long address; ++ ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */ ++ pgoff = page_to_pgoff(page) + compound_nr(page); ++ address = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ /* Check for address beyond vma (or wrapped through 0?) */ ++ if (address < vma->vm_start || address > vma->vm_end) ++ address = vma->vm_end; ++ return address; + } + + static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, +diff --git a/mm/memory.c b/mm/memory.c +index 13a575ce2ec8f..4bb7c6a364c81 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1165,7 +1165,18 @@ static inline unsigned long zap_pmd_range(struct mmu_gather *tlb, + else if (zap_huge_pmd(tlb, vma, pmd, addr)) + goto next; + /* fall through */ ++ } else if (details && details->single_page && ++ PageTransCompound(details->single_page) && ++ next - addr == HPAGE_PMD_SIZE && pmd_none(*pmd)) { ++ spinlock_t *ptl = pmd_lock(tlb->mm, pmd); ++ /* ++ * Take and drop THP pmd lock so that we cannot return ++ * prematurely, while zap_huge_pmd() has cleared *pmd, ++ * but not yet decremented compound_mapcount(). ++ */ ++ spin_unlock(ptl); + } ++ + /* + * Here there can be other concurrent MADV_DONTNEED or + * trans huge page faults running, and if the pmd is +@@ -2769,6 +2780,36 @@ static inline void unmap_mapping_range_tree(struct rb_root_cached *root, + } + } + ++/** ++ * unmap_mapping_page() - Unmap single page from processes. ++ * @page: The locked page to be unmapped. ++ * ++ * Unmap this page from any userspace process which still has it mmaped. ++ * Typically, for efficiency, the range of nearby pages has already been ++ * unmapped by unmap_mapping_pages() or unmap_mapping_range(). But once ++ * truncation or invalidation holds the lock on a page, it may find that ++ * the page has been remapped again: and then uses unmap_mapping_page() ++ * to unmap it finally. ++ */ ++void unmap_mapping_page(struct page *page) ++{ ++ struct address_space *mapping = page->mapping; ++ struct zap_details details = { }; ++ ++ VM_BUG_ON(!PageLocked(page)); ++ VM_BUG_ON(PageTail(page)); ++ ++ details.check_mapping = mapping; ++ details.first_index = page->index; ++ details.last_index = page->index + hpage_nr_pages(page) - 1; ++ details.single_page = page; ++ ++ i_mmap_lock_write(mapping); ++ if (unlikely(!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root))) ++ unmap_mapping_range_tree(&mapping->i_mmap, &details); ++ i_mmap_unlock_write(mapping); ++} ++ + /** + * unmap_mapping_pages() - Unmap pages from processes. + * @mapping: The address space containing pages to be unmapped. +diff --git a/mm/migrate.c b/mm/migrate.c +index 00bbe57c1ce22..5092ef2aa8a1f 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -321,6 +321,7 @@ void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep, + goto out; + + page = migration_entry_to_page(entry); ++ page = compound_head(page); + + /* + * Once page cache replacement of page migration started, page_count +diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c +index eff4b4520c8d5..029f5598251c2 100644 +--- a/mm/page_vma_mapped.c ++++ b/mm/page_vma_mapped.c +@@ -111,6 +111,13 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw) + return pfn_in_hpage(pvmw->page, pfn); + } + ++static void step_forward(struct page_vma_mapped_walk *pvmw, unsigned long size) ++{ ++ pvmw->address = (pvmw->address + size) & ~(size - 1); ++ if (!pvmw->address) ++ pvmw->address = ULONG_MAX; ++} ++ + /** + * page_vma_mapped_walk - check if @pvmw->page is mapped in @pvmw->vma at + * @pvmw->address +@@ -139,6 +146,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + { + struct mm_struct *mm = pvmw->vma->vm_mm; + struct page *page = pvmw->page; ++ unsigned long end; + pgd_t *pgd; + p4d_t *p4d; + pud_t *pud; +@@ -148,10 +156,11 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + if (pvmw->pmd && !pvmw->pte) + return not_found(pvmw); + +- if (pvmw->pte) +- goto next_pte; ++ if (unlikely(PageHuge(page))) { ++ /* The only possible mapping was handled on last iteration */ ++ if (pvmw->pte) ++ return not_found(pvmw); + +- if (unlikely(PageHuge(pvmw->page))) { + /* when pud is not present, pte will be NULL */ + pvmw->pte = huge_pte_offset(mm, pvmw->address, page_size(page)); + if (!pvmw->pte) +@@ -163,78 +172,108 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + return not_found(pvmw); + return true; + } +-restart: +- pgd = pgd_offset(mm, pvmw->address); +- if (!pgd_present(*pgd)) +- return false; +- p4d = p4d_offset(pgd, pvmw->address); +- if (!p4d_present(*p4d)) +- return false; +- pud = pud_offset(p4d, pvmw->address); +- if (!pud_present(*pud)) +- return false; +- pvmw->pmd = pmd_offset(pud, pvmw->address); ++ + /* +- * Make sure the pmd value isn't cached in a register by the +- * compiler and used as a stale value after we've observed a +- * subsequent update. ++ * Seek to next pte only makes sense for THP. ++ * But more important than that optimization, is to filter out ++ * any PageKsm page: whose page->index misleads vma_address() ++ * and vma_address_end() to disaster. + */ +- pmde = READ_ONCE(*pvmw->pmd); +- if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) { +- pvmw->ptl = pmd_lock(mm, pvmw->pmd); +- if (likely(pmd_trans_huge(*pvmw->pmd))) { +- if (pvmw->flags & PVMW_MIGRATION) +- return not_found(pvmw); +- if (pmd_page(*pvmw->pmd) != page) +- return not_found(pvmw); +- return true; +- } else if (!pmd_present(*pvmw->pmd)) { +- if (thp_migration_supported()) { +- if (!(pvmw->flags & PVMW_MIGRATION)) ++ end = PageTransCompound(page) ? ++ vma_address_end(page, pvmw->vma) : ++ pvmw->address + PAGE_SIZE; ++ if (pvmw->pte) ++ goto next_pte; ++restart: ++ do { ++ pgd = pgd_offset(mm, pvmw->address); ++ if (!pgd_present(*pgd)) { ++ step_forward(pvmw, PGDIR_SIZE); ++ continue; ++ } ++ p4d = p4d_offset(pgd, pvmw->address); ++ if (!p4d_present(*p4d)) { ++ step_forward(pvmw, P4D_SIZE); ++ continue; ++ } ++ pud = pud_offset(p4d, pvmw->address); ++ if (!pud_present(*pud)) { ++ step_forward(pvmw, PUD_SIZE); ++ continue; ++ } ++ ++ pvmw->pmd = pmd_offset(pud, pvmw->address); ++ /* ++ * Make sure the pmd value isn't cached in a register by the ++ * compiler and used as a stale value after we've observed a ++ * subsequent update. ++ */ ++ pmde = READ_ONCE(*pvmw->pmd); ++ ++ if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) { ++ pvmw->ptl = pmd_lock(mm, pvmw->pmd); ++ pmde = *pvmw->pmd; ++ if (likely(pmd_trans_huge(pmde))) { ++ if (pvmw->flags & PVMW_MIGRATION) + return not_found(pvmw); +- if (is_migration_entry(pmd_to_swp_entry(*pvmw->pmd))) { +- swp_entry_t entry = pmd_to_swp_entry(*pvmw->pmd); ++ if (pmd_page(pmde) != page) ++ return not_found(pvmw); ++ return true; ++ } ++ if (!pmd_present(pmde)) { ++ swp_entry_t entry; + +- if (migration_entry_to_page(entry) != page) +- return not_found(pvmw); +- return true; +- } ++ if (!thp_migration_supported() || ++ !(pvmw->flags & PVMW_MIGRATION)) ++ return not_found(pvmw); ++ entry = pmd_to_swp_entry(pmde); ++ if (!is_migration_entry(entry) || ++ migration_entry_to_page(entry) != page) ++ return not_found(pvmw); ++ return true; + } +- return not_found(pvmw); +- } else { + /* THP pmd was split under us: handle on pte level */ + spin_unlock(pvmw->ptl); + pvmw->ptl = NULL; ++ } else if (!pmd_present(pmde)) { ++ /* ++ * If PVMW_SYNC, take and drop THP pmd lock so that we ++ * cannot return prematurely, while zap_huge_pmd() has ++ * cleared *pmd but not decremented compound_mapcount(). ++ */ ++ if ((pvmw->flags & PVMW_SYNC) && ++ PageTransCompound(page)) { ++ spinlock_t *ptl = pmd_lock(mm, pvmw->pmd); ++ ++ spin_unlock(ptl); ++ } ++ step_forward(pvmw, PMD_SIZE); ++ continue; + } +- } else if (!pmd_present(pmde)) { +- return false; +- } +- if (!map_pte(pvmw)) +- goto next_pte; +- while (1) { ++ if (!map_pte(pvmw)) ++ goto next_pte; ++this_pte: + if (check_pte(pvmw)) + return true; + next_pte: +- /* Seek to next pte only makes sense for THP */ +- if (!PageTransHuge(pvmw->page) || PageHuge(pvmw->page)) +- return not_found(pvmw); + do { + pvmw->address += PAGE_SIZE; +- if (pvmw->address >= pvmw->vma->vm_end || +- pvmw->address >= +- __vma_address(pvmw->page, pvmw->vma) + +- hpage_nr_pages(pvmw->page) * PAGE_SIZE) ++ if (pvmw->address >= end) + return not_found(pvmw); + /* Did we cross page table boundary? */ +- if (pvmw->address % PMD_SIZE == 0) { +- pte_unmap(pvmw->pte); ++ if ((pvmw->address & (PMD_SIZE - PAGE_SIZE)) == 0) { + if (pvmw->ptl) { + spin_unlock(pvmw->ptl); + pvmw->ptl = NULL; + } ++ pte_unmap(pvmw->pte); ++ pvmw->pte = NULL; + goto restart; +- } else { +- pvmw->pte++; ++ } ++ pvmw->pte++; ++ if ((pvmw->flags & PVMW_SYNC) && !pvmw->ptl) { ++ pvmw->ptl = pte_lockptr(mm, pvmw->pmd); ++ spin_lock(pvmw->ptl); + } + } while (pte_none(*pvmw->pte)); + +@@ -242,7 +281,10 @@ next_pte: + pvmw->ptl = pte_lockptr(mm, pvmw->pmd); + spin_lock(pvmw->ptl); + } +- } ++ goto this_pte; ++ } while (pvmw->address < end); ++ ++ return false; + } + + /** +@@ -261,14 +303,10 @@ int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma) + .vma = vma, + .flags = PVMW_SYNC, + }; +- unsigned long start, end; +- +- start = __vma_address(page, vma); +- end = start + PAGE_SIZE * (hpage_nr_pages(page) - 1); + +- if (unlikely(end < vma->vm_start || start >= vma->vm_end)) ++ pvmw.address = vma_address(page, vma); ++ if (pvmw.address == -EFAULT) + return 0; +- pvmw.address = max(start, vma->vm_start); + if (!page_vma_mapped_walk(&pvmw)) + return 0; + page_vma_mapped_walk_done(&pvmw); +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c +index 532c29276fcee..49e8a4fbc2051 100644 +--- a/mm/pgtable-generic.c ++++ b/mm/pgtable-generic.c +@@ -126,8 +126,8 @@ pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, unsigned long address, + { + pmd_t pmd; + VM_BUG_ON(address & ~HPAGE_PMD_MASK); +- VM_BUG_ON((pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) && +- !pmd_devmap(*pmdp)) || !pmd_present(*pmdp)); ++ VM_BUG_ON(pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) && ++ !pmd_devmap(*pmdp)); + pmd = pmdp_huge_get_and_clear(vma->vm_mm, address, pmdp); + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + return pmd; +diff --git a/mm/rmap.c b/mm/rmap.c +index 0c7b2a9400d4a..45f2106852e84 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -687,7 +687,6 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) + */ + unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma) + { +- unsigned long address; + if (PageAnon(page)) { + struct anon_vma *page__anon_vma = page_anon_vma(page); + /* +@@ -697,15 +696,13 @@ unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma) + if (!vma->anon_vma || !page__anon_vma || + vma->anon_vma->root != page__anon_vma->root) + return -EFAULT; +- } else if (page->mapping) { +- if (!vma->vm_file || vma->vm_file->f_mapping != page->mapping) +- return -EFAULT; +- } else ++ } else if (!vma->vm_file) { + return -EFAULT; +- address = __vma_address(page, vma); +- if (unlikely(address < vma->vm_start || address >= vma->vm_end)) ++ } else if (vma->vm_file->f_mapping != compound_head(page)->mapping) { + return -EFAULT; +- return address; ++ } ++ ++ return vma_address(page, vma); + } + + pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address) +@@ -899,7 +896,7 @@ static bool page_mkclean_one(struct page *page, struct vm_area_struct *vma, + */ + mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE, + 0, vma, vma->vm_mm, address, +- min(vma->vm_end, address + page_size(page))); ++ vma_address_end(page, vma)); + mmu_notifier_invalidate_range_start(&range); + + while (page_vma_mapped_walk(&pvmw)) { +@@ -1353,6 +1350,15 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, + struct mmu_notifier_range range; + enum ttu_flags flags = (enum ttu_flags)arg; + ++ /* ++ * When racing against e.g. zap_pte_range() on another cpu, ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(), ++ * try_to_unmap() may return false when it is about to become true, ++ * if page table locking is skipped: use TTU_SYNC to wait for that. ++ */ ++ if (flags & TTU_SYNC) ++ pvmw.flags = PVMW_SYNC; ++ + /* munlock has nothing to gain from examining un-locked vmas */ + if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED)) + return true; +@@ -1374,9 +1380,10 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, + * Note that the page can not be free in this function as call of + * try_to_unmap() must hold a reference on the page. + */ ++ range.end = PageKsm(page) ? ++ address + PAGE_SIZE : vma_address_end(page, vma); + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm, +- address, +- min(vma->vm_end, address + page_size(page))); ++ address, range.end); + if (PageHuge(page)) { + /* + * If sharing is possible, start and end will be adjusted +@@ -1690,9 +1697,9 @@ static bool invalid_migration_vma(struct vm_area_struct *vma, void *arg) + return is_vma_temporary_stack(vma); + } + +-static int page_mapcount_is_zero(struct page *page) ++static int page_not_mapped(struct page *page) + { +- return !total_mapcount(page); ++ return !page_mapped(page); + } + + /** +@@ -1710,7 +1717,7 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags) + struct rmap_walk_control rwc = { + .rmap_one = try_to_unmap_one, + .arg = (void *)flags, +- .done = page_mapcount_is_zero, ++ .done = page_not_mapped, + .anon_lock = page_lock_anon_vma_read, + }; + +@@ -1731,14 +1738,15 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags) + else + rmap_walk(page, &rwc); + +- return !page_mapcount(page) ? true : false; ++ /* ++ * When racing against e.g. zap_pte_range() on another cpu, ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(), ++ * try_to_unmap() may return false when it is about to become true, ++ * if page table locking is skipped: use TTU_SYNC to wait for that. ++ */ ++ return !page_mapcount(page); + } + +-static int page_not_mapped(struct page *page) +-{ +- return !page_mapped(page); +-}; +- + /** + * try_to_munlock - try to munlock a page + * @page: the page to be munlocked +@@ -1833,6 +1841,7 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc, + struct vm_area_struct *vma = avc->vma; + unsigned long address = vma_address(page, vma); + ++ VM_BUG_ON_VMA(address == -EFAULT, vma); + cond_resched(); + + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) +@@ -1887,6 +1896,7 @@ static void rmap_walk_file(struct page *page, struct rmap_walk_control *rwc, + pgoff_start, pgoff_end) { + unsigned long address = vma_address(page, vma); + ++ VM_BUG_ON_VMA(address == -EFAULT, vma); + cond_resched(); + + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) +diff --git a/mm/truncate.c b/mm/truncate.c +index dd9ebc1da3566..4d5add7d8ab6d 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -173,13 +173,10 @@ void do_invalidatepage(struct page *page, unsigned int offset, + * its lock, b) when a concurrent invalidate_mapping_pages got there first and + * c) when tmpfs swizzles a page between a tmpfs inode and swapper_space. + */ +-static void +-truncate_cleanup_page(struct address_space *mapping, struct page *page) ++static void truncate_cleanup_page(struct page *page) + { +- if (page_mapped(page)) { +- pgoff_t nr = PageTransHuge(page) ? HPAGE_PMD_NR : 1; +- unmap_mapping_pages(mapping, page->index, nr, false); +- } ++ if (page_mapped(page)) ++ unmap_mapping_page(page); + + if (page_has_private(page)) + do_invalidatepage(page, 0, PAGE_SIZE); +@@ -224,7 +221,7 @@ int truncate_inode_page(struct address_space *mapping, struct page *page) + if (page->mapping != mapping) + return -EIO; + +- truncate_cleanup_page(mapping, page); ++ truncate_cleanup_page(page); + delete_from_page_cache(page); + return 0; + } +@@ -362,7 +359,7 @@ void truncate_inode_pages_range(struct address_space *mapping, + pagevec_add(&locked_pvec, page); + } + for (i = 0; i < pagevec_count(&locked_pvec); i++) +- truncate_cleanup_page(mapping, locked_pvec.pages[i]); ++ truncate_cleanup_page(locked_pvec.pages[i]); + delete_from_page_cache_batch(mapping, &locked_pvec); + for (i = 0; i < pagevec_count(&locked_pvec); i++) + unlock_page(locked_pvec.pages[i]); +@@ -715,6 +712,16 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + continue; + } + ++ if (!did_range_unmap && page_mapped(page)) { ++ /* ++ * If page is mapped, before taking its lock, ++ * zap the rest of the file in one hit. ++ */ ++ unmap_mapping_pages(mapping, index, ++ (1 + end - index), false); ++ did_range_unmap = 1; ++ } ++ + lock_page(page); + WARN_ON(page_to_index(page) != index); + if (page->mapping != mapping) { +@@ -722,23 +729,11 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + continue; + } + wait_on_page_writeback(page); +- if (page_mapped(page)) { +- if (!did_range_unmap) { +- /* +- * Zap the rest of the file in one hit. +- */ +- unmap_mapping_pages(mapping, index, +- (1 + end - index), false); +- did_range_unmap = 1; +- } else { +- /* +- * Just zap this page +- */ +- unmap_mapping_pages(mapping, index, +- 1, false); +- } +- } ++ ++ if (page_mapped(page)) ++ unmap_mapping_page(page); + BUG_ON(page_mapped(page)); ++ + ret2 = do_launder_page(mapping, page); + if (ret2 == 0) { + if (!invalidate_complete_page2(mapping, page)) +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 76506975d59a5..cbd1885f24592 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1508,7 +1508,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr, + if (eeprom.offset + eeprom.len > total_len) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1573,7 +1573,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr) + if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev)) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1764,7 +1764,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr) + return -EFAULT; + + test.len = test_len; +- data = kmalloc_array(test_len, sizeof(u64), GFP_USER); ++ data = kcalloc(test_len, sizeof(u64), GFP_USER); + if (!data) + return -ENOMEM; + +@@ -2295,7 +2295,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + ret = ops->get_tunable(dev, &tuna, data); +@@ -2481,7 +2481,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_phy_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + mutex_lock(&phydev->lock); +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index a27d034c85ccb..603a3495afa62 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla) + return -EAFNOSUPPORT; + + if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0) +- BUG(); ++ return -EINVAL; + + if (tb[IFLA_INET_CONF]) { + nla_for_each_nested(a, tb[IFLA_INET_CONF], rem) +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index df6fbefe44d4b..1c3d5d3702a10 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -963,6 +963,7 @@ bool ping_rcv(struct sk_buff *skb) + struct sock *sk; + struct net *net = dev_net(skb->dev); + struct icmphdr *icmph = icmp_hdr(skb); ++ bool rc = false; + + /* We assume the packet has already been checked by icmp_rcv */ + +@@ -977,14 +978,15 @@ bool ping_rcv(struct sk_buff *skb) + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); + + pr_debug("rcv on socket %p\n", sk); +- if (skb2) +- ping_queue_rcv_skb(sk, skb2); ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2)) ++ rc = true; + sock_put(sk); +- return true; + } +- pr_debug("no socket, dropping\n"); + +- return false; ++ if (!rc) ++ pr_debug("no socket, dropping\n"); ++ ++ return rc; + } + EXPORT_SYMBOL_GPL(ping_rcv); + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 52feab2baeee5..366c3792b8604 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5761,7 +5761,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla) + return -EAFNOSUPPORT; + + if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0) +- BUG(); ++ return -EINVAL; + + if (tb[IFLA_INET6_TOKEN]) { + err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN])); +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index a7933279a80b7..e574fbf6745a4 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1420,7 +1420,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON_ONCE(!chanctx_conf)) { ++ if (!chanctx_conf) { + rcu_read_unlock(); + return NULL; + } +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 3d7a5c5e586a6..670d84e54db73 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2200,17 +2200,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (is_multicast_ether_addr(hdr->addr1)) { +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); +- goto out_no_led; +- } +- + if (rx->sta) + cache = &rx->sta->frags; + + if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) + goto out; + ++ if (is_multicast_ether_addr(hdr->addr1)) ++ return RX_DROP_MONITOR; ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -2336,7 +2334,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + + out: + ieee80211_led_rx(rx->local); +- out_no_led: + if (rx->sta) + rx->sta->rx_stats.packets++; + return RX_CONTINUE; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index fbc2d4dfddf0e..0ffbf3d17911a 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2656,7 +2656,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2869,7 +2869,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -3141,7 +3141,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + /* prevents packet_notifier() from calling + * register_prot_hook() + */ +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, true); + rcu_read_lock(); + dev_curr = po->prot_hook.dev; +@@ -3151,17 +3151,17 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + } + + BUG_ON(po->running); +- po->num = proto; ++ WRITE_ONCE(po->num, proto); + po->prot_hook.type = proto; + + if (unlikely(unlisted)) { + dev_put(dev); + po->prot_hook.dev = NULL; +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + packet_cached_dev_reset(po); + } else { + po->prot_hook.dev = dev; +- po->ifindex = dev ? dev->ifindex : 0; ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); + packet_cached_dev_assign(po, dev); + } + } +@@ -3475,7 +3475,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); +@@ -3490,16 +3490,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr); ++ int ifindex; + + if (peer) + return -EOPNOTSUPP; + ++ ifindex = READ_ONCE(po->ifindex); + sll->sll_family = AF_PACKET; +- sll->sll_ifindex = po->ifindex; +- sll->sll_protocol = po->num; ++ sll->sll_ifindex = ifindex; ++ sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +@@ -4099,7 +4101,7 @@ static int packet_notifier(struct notifier_block *this, + } + if (msg == NETDEV_UNREGISTER) { + packet_cached_dev_reset(po); +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); + po->prot_hook.dev = NULL; +@@ -4405,7 +4407,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + was_running = po->running; + num = po->num; + if (was_running) { +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, false); + } + spin_unlock(&po->bind_lock); +@@ -4440,7 +4442,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + + spin_lock(&po->bind_lock); + if (was_running) { +- po->num = num; ++ WRITE_ONCE(po->num, num); + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +@@ -4613,8 +4615,8 @@ static int packet_seq_show(struct seq_file *seq, void *v) + s, + refcount_read(&s->sk_refcnt), + s->sk_type, +- ntohs(po->num), +- po->ifindex, ++ ntohs(READ_ONCE(po->num)), ++ READ_ONCE(po->ifindex), + po->running, + atomic_read(&s->sk_rmem_alloc), + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 4eae6ad328514..f0247eab5bc94 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1006,6 +1006,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, + case NL80211_IFTYPE_MESH_POINT: + /* mesh should be handled? */ + break; ++ case NL80211_IFTYPE_OCB: ++ cfg80211_leave_ocb(rdev, dev); ++ break; + default: + break; + } +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index f9b19524da112..1e9baa5c4fc6e 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab, + Elf32_Word const *symtab_shndx) + { + unsigned long offset; ++ unsigned short shndx = w2(sym->st_shndx); + int index; + +- if (sym->st_shndx != SHN_XINDEX) +- return w2(sym->st_shndx); ++ if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE) ++ return shndx; + +- offset = (unsigned long)sym - (unsigned long)symtab; +- index = offset / sizeof(*sym); ++ if (shndx == SHN_XINDEX) { ++ offset = (unsigned long)sym - (unsigned long)symtab; ++ index = offset / sizeof(*sym); + +- return w(symtab_shndx[index]); ++ return w(symtab_shndx[index]); ++ } ++ ++ return 0; + } + + static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0) +diff --git a/security/integrity/Makefile b/security/integrity/Makefile +index 35e6ca7737346..351c9662994b5 100644 +--- a/security/integrity/Makefile ++++ b/security/integrity/Makefile +@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o + integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o + integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o + integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ +- platform_certs/load_uefi.o ++ platform_certs/load_uefi.o \ ++ platform_certs/keyring_handler.o + integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o + + obj-$(CONFIG_IMA) += ima/ +diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c +new file mode 100644 +index 0000000000000..5604bd57c9907 +--- /dev/null ++++ b/security/integrity/platform_certs/keyring_handler.c +@@ -0,0 +1,91 @@ ++// SPDX-License-Identifier: GPL-2.0 ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "../integrity.h" ++ ++static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID; ++static efi_guid_t efi_cert_x509_sha256_guid __initdata = ++ EFI_CERT_X509_SHA256_GUID; ++static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID; ++ ++/* ++ * Blacklist a hash. ++ */ ++static __init void uefi_blacklist_hash(const char *source, const void *data, ++ size_t len, const char *type, ++ size_t type_len) ++{ ++ char *hash, *p; ++ ++ hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL); ++ if (!hash) ++ return; ++ p = memcpy(hash, type, type_len); ++ p += type_len; ++ bin2hex(p, data, len); ++ p += len * 2; ++ *p = 0; ++ ++ mark_hash_blacklisted(hash); ++ kfree(hash); ++} ++ ++/* ++ * Blacklist an X509 TBS hash. ++ */ ++static __init void uefi_blacklist_x509_tbs(const char *source, ++ const void *data, size_t len) ++{ ++ uefi_blacklist_hash(source, data, len, "tbs:", 4); ++} ++ ++/* ++ * Blacklist the hash of an executable. ++ */ ++static __init void uefi_blacklist_binary(const char *source, ++ const void *data, size_t len) ++{ ++ uefi_blacklist_hash(source, data, len, "bin:", 4); ++} ++ ++/* ++ * Add an X509 cert to the revocation list. ++ */ ++static __init void uefi_revocation_list_x509(const char *source, ++ const void *data, size_t len) ++{ ++ add_key_to_revocation_list(data, len); ++} ++ ++/* ++ * Return the appropriate handler for particular signature list types found in ++ * the UEFI db and MokListRT tables. ++ */ ++__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) ++{ ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) ++ return add_to_platform_keyring; ++ return 0; ++} ++ ++/* ++ * Return the appropriate handler for particular signature list types found in ++ * the UEFI dbx and MokListXRT tables. ++ */ ++__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) ++{ ++ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0) ++ return uefi_blacklist_x509_tbs; ++ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) ++ return uefi_blacklist_binary; ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) ++ return uefi_revocation_list_x509; ++ return 0; ++} +diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h +new file mode 100644 +index 0000000000000..2462bfa08fe34 +--- /dev/null ++++ b/security/integrity/platform_certs/keyring_handler.h +@@ -0,0 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#ifndef PLATFORM_CERTS_INTERNAL_H ++#define PLATFORM_CERTS_INTERNAL_H ++ ++#include ++ ++void blacklist_hash(const char *source, const void *data, ++ size_t len, const char *type, ++ size_t type_len); ++ ++/* ++ * Blacklist an X509 TBS hash. ++ */ ++void blacklist_x509_tbs(const char *source, const void *data, size_t len); ++ ++/* ++ * Blacklist the hash of an executable. ++ */ ++void blacklist_binary(const char *source, const void *data, size_t len); ++ ++/* ++ * Return the handler for particular signature list types found in the db. ++ */ ++efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); ++ ++/* ++ * Return the handler for particular signature list types found in the dbx. ++ */ ++efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type); ++ ++#endif +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c +index 020fc7a11ef0e..aa874d84e413e 100644 +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -9,6 +9,7 @@ + #include + #include + #include "../integrity.h" ++#include "keyring_handler.h" + + static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID; + static efi_guid_t efi_cert_x509_sha256_guid __initdata = +@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, + return db; + } + +-/* +- * Blacklist a hash. +- */ +-static __init void uefi_blacklist_hash(const char *source, const void *data, +- size_t len, const char *type, +- size_t type_len) +-{ +- char *hash, *p; +- +- hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL); +- if (!hash) +- return; +- p = memcpy(hash, type, type_len); +- p += type_len; +- bin2hex(p, data, len); +- p += len * 2; +- *p = 0; +- +- mark_hash_blacklisted(hash); +- kfree(hash); +-} +- +-/* +- * Blacklist an X509 TBS hash. +- */ +-static __init void uefi_blacklist_x509_tbs(const char *source, +- const void *data, size_t len) +-{ +- uefi_blacklist_hash(source, data, len, "tbs:", 4); +-} +- +-/* +- * Blacklist the hash of an executable. +- */ +-static __init void uefi_blacklist_binary(const char *source, +- const void *data, size_t len) +-{ +- uefi_blacklist_hash(source, data, len, "bin:", 4); +-} +- +-/* +- * Return the appropriate handler for particular signature list types found in +- * the UEFI db and MokListRT tables. +- */ +-static __init efi_element_handler_t get_handler_for_db(const efi_guid_t * +- sig_type) +-{ +- if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) +- return add_to_platform_keyring; +- return 0; +-} +- +-/* +- * Return the appropriate handler for particular signature list types found in +- * the UEFI dbx and MokListXRT tables. +- */ +-static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t * +- sig_type) +-{ +- if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0) +- return uefi_blacklist_x509_tbs; +- if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) +- return uefi_blacklist_binary; +- return 0; +-} +- + /* + * Load the certs contained in the UEFI databases into the platform trusted + * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c +index 41cf45416060f..38de88e5ffbb2 100644 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c +@@ -54,7 +54,7 @@ int kvm_check_cap(long cap) + exit(KSFT_SKIP); + + ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap); +- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n" ++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n" + " rc: %i errno: %i", ret, errno); + + close(kvm_fd); +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index f83fa0aeeb451..b2287e7d3ba4a 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1593,6 +1593,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) + return true; + } + ++static int kvm_try_get_pfn(kvm_pfn_t pfn) ++{ ++ if (kvm_is_reserved_pfn(pfn)) ++ return 1; ++ return get_page_unless_zero(pfn_to_page(pfn)); ++} ++ + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, + bool write_fault, bool *writable, +@@ -1642,13 +1649,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, + * Whoever called remap_pfn_range is also going to call e.g. + * unmap_mapping_range before the underlying pages are freed, + * causing a call to our MMU notifier. ++ * ++ * Certain IO or PFNMAP mappings can be backed with valid ++ * struct pages, but be allocated without refcounting e.g., ++ * tail pages of non-compound higher order allocations, which ++ * would then underflow the refcount when the caller does the ++ * required put_page. Don't allow those pages here. + */ +- kvm_get_pfn(pfn); ++ if (!kvm_try_get_pfn(pfn)) ++ r = -EFAULT; + + out: + pte_unmap_unlock(ptep, ptl); + *p_pfn = pfn; +- return 0; ++ ++ return r; + } + + /* diff --git a/patch/kernel/archive/sunxi-5.12/patch-5.12.12-13.patch b/patch/kernel/archive/sunxi-5.12/patch-5.12.12-13.patch deleted file mode 100644 index ef75d5781b..0000000000 --- a/patch/kernel/archive/sunxi-5.12/patch-5.12.12-13.patch +++ /dev/null @@ -1,6477 +0,0 @@ -diff --git a/Documentation/vm/slub.rst b/Documentation/vm/slub.rst -index 03f294a638bd8..d3028554b1e9c 100644 ---- a/Documentation/vm/slub.rst -+++ b/Documentation/vm/slub.rst -@@ -181,7 +181,7 @@ SLUB Debug output - Here is a sample of slub debug output:: - - ==================================================================== -- BUG kmalloc-8: Redzone overwritten -+ BUG kmalloc-8: Right Redzone overwritten - -------------------------------------------------------------------- - - INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc -@@ -189,10 +189,10 @@ Here is a sample of slub debug output:: - INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58 - INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554 - -- Bytes b4 0xc90f6d10: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ -- Object 0xc90f6d20: 31 30 31 39 2e 30 30 35 1019.005 -- Redzone 0xc90f6d28: 00 cc cc cc . -- Padding 0xc90f6d50: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ -+ Bytes b4 (0xc90f6d10): 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ -+ Object (0xc90f6d20): 31 30 31 39 2e 30 30 35 1019.005 -+ Redzone (0xc90f6d28): 00 cc cc cc . -+ Padding (0xc90f6d50): 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ - - [] dump_trace+0x63/0x1eb - [] show_trace_log_lvl+0x1a/0x2f -diff --git a/Makefile b/Makefile -index e0a252b644630..d2fe36db78aed 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,7 +1,7 @@ - # SPDX-License-Identifier: GPL-2.0 - VERSION = 5 - PATCHLEVEL = 12 --SUBLEVEL = 12 -+SUBLEVEL = 13 - EXTRAVERSION = - NAME = Frozen Wasteland - -@@ -913,11 +913,14 @@ CC_FLAGS_LTO += -fvisibility=hidden - # Limit inlining across translation units to reduce binary size - KBUILD_LDFLAGS += -mllvm -import-instr-limit=5 - --# Check for frame size exceeding threshold during prolog/epilog insertion. -+# Check for frame size exceeding threshold during prolog/epilog insertion -+# when using lld < 13.0.0. - ifneq ($(CONFIG_FRAME_WARN),0) -+ifeq ($(shell test $(CONFIG_LLD_VERSION) -lt 130000; echo $$?),0) - KBUILD_LDFLAGS += -plugin-opt=-warn-stack-size=$(CONFIG_FRAME_WARN) - endif - endif -+endif - - ifdef CONFIG_LTO - KBUILD_CFLAGS += -fno-lto $(CC_FLAGS_LTO) -diff --git a/arch/arc/include/uapi/asm/sigcontext.h b/arch/arc/include/uapi/asm/sigcontext.h -index 95f8a4380e110..7a5449dfcb290 100644 ---- a/arch/arc/include/uapi/asm/sigcontext.h -+++ b/arch/arc/include/uapi/asm/sigcontext.h -@@ -18,6 +18,7 @@ - */ - struct sigcontext { - struct user_regs_struct regs; -+ struct user_regs_arcv2 v2abi; - }; - - #endif /* _ASM_ARC_SIGCONTEXT_H */ -diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c -index fdbe06c98895e..4868bdebf586d 100644 ---- a/arch/arc/kernel/signal.c -+++ b/arch/arc/kernel/signal.c -@@ -61,6 +61,41 @@ struct rt_sigframe { - unsigned int sigret_magic; - }; - -+static int save_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) -+{ -+ int err = 0; -+#ifndef CONFIG_ISA_ARCOMPACT -+ struct user_regs_arcv2 v2abi; -+ -+ v2abi.r30 = regs->r30; -+#ifdef CONFIG_ARC_HAS_ACCL_REGS -+ v2abi.r58 = regs->r58; -+ v2abi.r59 = regs->r59; -+#else -+ v2abi.r58 = v2abi.r59 = 0; -+#endif -+ err = __copy_to_user(&mctx->v2abi, &v2abi, sizeof(v2abi)); -+#endif -+ return err; -+} -+ -+static int restore_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) -+{ -+ int err = 0; -+#ifndef CONFIG_ISA_ARCOMPACT -+ struct user_regs_arcv2 v2abi; -+ -+ err = __copy_from_user(&v2abi, &mctx->v2abi, sizeof(v2abi)); -+ -+ regs->r30 = v2abi.r30; -+#ifdef CONFIG_ARC_HAS_ACCL_REGS -+ regs->r58 = v2abi.r58; -+ regs->r59 = v2abi.r59; -+#endif -+#endif -+ return err; -+} -+ - static int - stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs, - sigset_t *set) -@@ -94,6 +129,10 @@ stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs, - - err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), &uregs.scratch, - sizeof(sf->uc.uc_mcontext.regs.scratch)); -+ -+ if (is_isa_arcv2()) -+ err |= save_arcv2_regs(&(sf->uc.uc_mcontext), regs); -+ - err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t)); - - return err ? -EFAULT : 0; -@@ -109,6 +148,10 @@ static int restore_usr_regs(struct pt_regs *regs, struct rt_sigframe __user *sf) - err |= __copy_from_user(&uregs.scratch, - &(sf->uc.uc_mcontext.regs.scratch), - sizeof(sf->uc.uc_mcontext.regs.scratch)); -+ -+ if (is_isa_arcv2()) -+ err |= restore_arcv2_regs(&(sf->uc.uc_mcontext), regs); -+ - if (err) - return -EFAULT; - -diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c -index 766f064f00fbf..167fde7f2fce1 100644 ---- a/arch/powerpc/perf/core-book3s.c -+++ b/arch/powerpc/perf/core-book3s.c -@@ -2242,7 +2242,7 @@ unsigned long perf_instruction_pointer(struct pt_regs *regs) - bool use_siar = regs_use_siar(regs); - unsigned long siar = mfspr(SPRN_SIAR); - -- if (ppmu->flags & PPMU_P10_DD1) { -+ if (ppmu && (ppmu->flags & PPMU_P10_DD1)) { - if (siar) - return siar; - else -diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig -index d9522fc35ca5a..4f116be9152f5 100644 ---- a/arch/riscv/Kconfig -+++ b/arch/riscv/Kconfig -@@ -54,11 +54,11 @@ config RISCV - select GENERIC_TIME_VSYSCALL if MMU && 64BIT - select HANDLE_DOMAIN_IRQ - select HAVE_ARCH_AUDITSYSCALL -- select HAVE_ARCH_JUMP_LABEL -- select HAVE_ARCH_JUMP_LABEL_RELATIVE -+ select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL -+ select HAVE_ARCH_JUMP_LABEL_RELATIVE if !XIP_KERNEL - select HAVE_ARCH_KASAN if MMU && 64BIT - select HAVE_ARCH_KASAN_VMALLOC if MMU && 64BIT -- select HAVE_ARCH_KGDB -+ select HAVE_ARCH_KGDB if !XIP_KERNEL - select HAVE_ARCH_KGDB_QXFER_PKT - select HAVE_ARCH_MMAP_RND_BITS if MMU - select HAVE_ARCH_SECCOMP_FILTER -@@ -73,9 +73,9 @@ config RISCV - select HAVE_GCC_PLUGINS - select HAVE_GENERIC_VDSO if MMU && 64BIT - select HAVE_IRQ_TIME_ACCOUNTING -- select HAVE_KPROBES -- select HAVE_KPROBES_ON_FTRACE -- select HAVE_KRETPROBES -+ select HAVE_KPROBES if !XIP_KERNEL -+ select HAVE_KPROBES_ON_FTRACE if !XIP_KERNEL -+ select HAVE_KRETPROBES if !XIP_KERNEL - select HAVE_PCI - select HAVE_PERF_EVENTS - select HAVE_PERF_REGS -@@ -227,11 +227,11 @@ config ARCH_RV64I - bool "RV64I" - select 64BIT - select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 && GCC_VERSION >= 50000 -- select HAVE_DYNAMIC_FTRACE if MMU && $(cc-option,-fpatchable-function-entry=8) -+ select HAVE_DYNAMIC_FTRACE if !XIP_KERNEL && MMU && $(cc-option,-fpatchable-function-entry=8) - select HAVE_DYNAMIC_FTRACE_WITH_REGS if HAVE_DYNAMIC_FTRACE -- select HAVE_FTRACE_MCOUNT_RECORD -+ select HAVE_FTRACE_MCOUNT_RECORD if !XIP_KERNEL - select HAVE_FUNCTION_GRAPH_TRACER -- select HAVE_FUNCTION_TRACER -+ select HAVE_FUNCTION_TRACER if !XIP_KERNEL - select SWIOTLB if MMU - - endchoice -diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S -index 12de7a9c85b35..9cc71ca9a88f9 100644 ---- a/arch/s390/kernel/entry.S -+++ b/arch/s390/kernel/entry.S -@@ -651,9 +651,9 @@ ENDPROC(stack_overflow) - .Lcleanup_sie_mcck: - larl %r13,.Lsie_entry - slgr %r9,%r13 -- larl %r13,.Lsie_skip -+ lghi %r13,.Lsie_skip - .Lsie_entry - clgr %r9,%r13 -- jh .Lcleanup_sie_int -+ jhe .Lcleanup_sie_int - oi __LC_CPU_FLAGS+7, _CIF_MCCK_GUEST - .Lcleanup_sie_int: - BPENTER __SF_SIE_FLAGS(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) -diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h -index ceeba9f631722..fdee23ea4e173 100644 ---- a/arch/x86/include/asm/fpu/internal.h -+++ b/arch/x86/include/asm/fpu/internal.h -@@ -578,10 +578,17 @@ static inline void switch_fpu_finish(struct fpu *new_fpu) - * PKRU state is switched eagerly because it needs to be valid before we - * return to userland e.g. for a copy_to_user() operation. - */ -- if (current->mm) { -+ if (!(current->flags & PF_KTHREAD)) { -+ /* -+ * If the PKRU bit in xsave.header.xfeatures is not set, -+ * then the PKRU component was in init state, which means -+ * XRSTOR will set PKRU to 0. If the bit is not set then -+ * get_xsave_addr() will return NULL because the PKRU value -+ * in memory is not valid. This means pkru_val has to be -+ * set to 0 and not to init_pkru_value. -+ */ - pk = get_xsave_addr(&new_fpu->state.xsave, XFEATURE_PKRU); -- if (pk) -- pkru_val = pk->pkru; -+ pkru_val = pk ? pk->pkru : 0; - } - __write_pkru(pkru_val); - } -diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c -index a4ec65317a7fa..ec3ae30547920 100644 ---- a/arch/x86/kernel/fpu/signal.c -+++ b/arch/x86/kernel/fpu/signal.c -@@ -307,13 +307,17 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - return 0; - } - -- if (!access_ok(buf, size)) -- return -EACCES; -+ if (!access_ok(buf, size)) { -+ ret = -EACCES; -+ goto out; -+ } - -- if (!static_cpu_has(X86_FEATURE_FPU)) -- return fpregs_soft_set(current, NULL, -- 0, sizeof(struct user_i387_ia32_struct), -- NULL, buf) != 0; -+ if (!static_cpu_has(X86_FEATURE_FPU)) { -+ ret = fpregs_soft_set(current, NULL, 0, -+ sizeof(struct user_i387_ia32_struct), -+ NULL, buf); -+ goto out; -+ } - - if (use_xsave()) { - struct _fpx_sw_bytes fx_sw_user; -@@ -369,6 +373,25 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - fpregs_unlock(); - return 0; - } -+ -+ /* -+ * The above did an FPU restore operation, restricted to -+ * the user portion of the registers, and failed, but the -+ * microcode might have modified the FPU registers -+ * nevertheless. -+ * -+ * If the FPU registers do not belong to current, then -+ * invalidate the FPU register state otherwise the task might -+ * preempt current and return to user space with corrupted -+ * FPU registers. -+ * -+ * In case current owns the FPU registers then no further -+ * action is required. The fixup below will handle it -+ * correctly. -+ */ -+ if (test_thread_flag(TIF_NEED_FPU_LOAD)) -+ __cpu_invalidate_fpregs_state(); -+ - fpregs_unlock(); - } else { - /* -@@ -377,7 +400,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - */ - ret = __copy_from_user(&env, buf, sizeof(env)); - if (ret) -- goto err_out; -+ goto out; - envp = &env; - } - -@@ -405,16 +428,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - if (use_xsave() && !fx_only) { - u64 init_bv = xfeatures_mask_user() & ~user_xfeatures; - -- if (using_compacted_format()) { -- ret = copy_user_to_xstate(&fpu->state.xsave, buf_fx); -- } else { -- ret = __copy_from_user(&fpu->state.xsave, buf_fx, state_size); -- -- if (!ret && state_size > offsetof(struct xregs_state, header)) -- ret = validate_user_xstate_header(&fpu->state.xsave.header); -- } -+ ret = copy_user_to_xstate(&fpu->state.xsave, buf_fx); - if (ret) -- goto err_out; -+ goto out; - - sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures, - fx_only); -@@ -434,7 +450,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - ret = __copy_from_user(&fpu->state.fxsave, buf_fx, state_size); - if (ret) { - ret = -EFAULT; -- goto err_out; -+ goto out; - } - - sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures, -@@ -452,7 +468,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - } else { - ret = __copy_from_user(&fpu->state.fsave, buf_fx, state_size); - if (ret) -- goto err_out; -+ goto out; - - fpregs_lock(); - ret = copy_kernel_to_fregs_err(&fpu->state.fsave); -@@ -463,7 +479,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) - fpregs_deactivate(fpu); - fpregs_unlock(); - --err_out: -+out: - if (ret) - fpu__clear_user_states(fpu); - return ret; -diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index fa023f3feb25d..43013ac0fd4d9 100644 ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -1410,6 +1410,9 @@ int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len, - if (!apic_x2apic_mode(apic)) - valid_reg_mask |= APIC_REG_MASK(APIC_ARBPRI); - -+ if (alignment + len > 4) -+ return 1; -+ - if (offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset))) - return 1; - -diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index cd0faa1876743..676ec0d1e6be4 100644 ---- a/arch/x86/kvm/mmu/mmu.c -+++ b/arch/x86/kvm/mmu/mmu.c -@@ -4726,9 +4726,33 @@ static void init_kvm_softmmu(struct kvm_vcpu *vcpu) - context->inject_page_fault = kvm_inject_page_fault; - } - -+static union kvm_mmu_role kvm_calc_nested_mmu_role(struct kvm_vcpu *vcpu) -+{ -+ union kvm_mmu_role role = kvm_calc_shadow_root_page_role_common(vcpu, false); -+ -+ /* -+ * Nested MMUs are used only for walking L2's gva->gpa, they never have -+ * shadow pages of their own and so "direct" has no meaning. Set it -+ * to "true" to try to detect bogus usage of the nested MMU. -+ */ -+ role.base.direct = true; -+ -+ if (!is_paging(vcpu)) -+ role.base.level = 0; -+ else if (is_long_mode(vcpu)) -+ role.base.level = is_la57_mode(vcpu) ? PT64_ROOT_5LEVEL : -+ PT64_ROOT_4LEVEL; -+ else if (is_pae(vcpu)) -+ role.base.level = PT32E_ROOT_LEVEL; -+ else -+ role.base.level = PT32_ROOT_LEVEL; -+ -+ return role; -+} -+ - static void init_kvm_nested_mmu(struct kvm_vcpu *vcpu) - { -- union kvm_mmu_role new_role = kvm_calc_mmu_role_common(vcpu, false); -+ union kvm_mmu_role new_role = kvm_calc_nested_mmu_role(vcpu); - struct kvm_mmu *g_context = &vcpu->arch.nested_mmu; - - if (new_role.as_u64 == g_context->mmu_role.as_u64) -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index cf37205784297..a6ca7e657af27 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -6991,7 +6991,10 @@ static unsigned emulator_get_hflags(struct x86_emulate_ctxt *ctxt) - - static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_flags) - { -- emul_to_vcpu(ctxt)->arch.hflags = emul_flags; -+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); -+ -+ vcpu->arch.hflags = emul_flags; -+ kvm_mmu_reset_context(vcpu); - } - - static int emulator_pre_leave_smm(struct x86_emulate_ctxt *ctxt, -@@ -8147,6 +8150,7 @@ void kvm_arch_exit(void) - kvm_x86_ops.hardware_enable = NULL; - kvm_mmu_module_exit(); - free_percpu(user_return_msrs); -+ kmem_cache_destroy(x86_emulator_cache); - kmem_cache_destroy(x86_fpu_cache); - #ifdef CONFIG_KVM_XEN - static_key_deferred_flush(&kvm_xen_enabled); -diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 9e5ccc56f8e07..356b746dfbe7a 100644 ---- a/arch/x86/mm/ioremap.c -+++ b/arch/x86/mm/ioremap.c -@@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des - if (!IS_ENABLED(CONFIG_EFI)) - return; - -- if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA) -+ if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA || -+ (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA && -+ efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)) - desc->flags |= IORES_MAP_ENCRYPTED; - } - -diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c -index 5eb4dc2b97dac..e94da744386f3 100644 ---- a/arch/x86/mm/numa.c -+++ b/arch/x86/mm/numa.c -@@ -254,7 +254,13 @@ int __init numa_cleanup_meminfo(struct numa_meminfo *mi) - - /* make sure all non-reserved blocks are inside the limits */ - bi->start = max(bi->start, low); -- bi->end = min(bi->end, high); -+ -+ /* preserve info for non-RAM areas above 'max_pfn': */ -+ if (bi->end > high) { -+ numa_add_memblk_to(bi->nid, high, bi->end, -+ &numa_reserved_meminfo); -+ bi->end = high; -+ } - - /* and there's no empty block */ - if (bi->start >= bi->end) -diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig -index 0c2827fd8c195..03b1b03349477 100644 ---- a/drivers/dma/Kconfig -+++ b/drivers/dma/Kconfig -@@ -59,6 +59,7 @@ config DMA_OF - #devices - config ALTERA_MSGDMA - tristate "Altera / Intel mSGDMA Engine" -+ depends on HAS_IOMEM - select DMA_ENGINE - help - Enable support for Altera / Intel mSGDMA controller. -diff --git a/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c b/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c -index 4ec909e0b8106..4ae057922ef1f 100644 ---- a/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c -+++ b/drivers/dma/fsl-dpaa2-qdma/dpaa2-qdma.c -@@ -332,6 +332,7 @@ static int __cold dpaa2_qdma_setup(struct fsl_mc_device *ls_dev) - } - - if (priv->dpdmai_attr.version.major > DPDMAI_VER_MAJOR) { -+ err = -EINVAL; - dev_err(dev, "DPDMAI major version mismatch\n" - "Found %u.%u, supported version is %u.%u\n", - priv->dpdmai_attr.version.major, -@@ -341,6 +342,7 @@ static int __cold dpaa2_qdma_setup(struct fsl_mc_device *ls_dev) - } - - if (priv->dpdmai_attr.version.minor > DPDMAI_VER_MINOR) { -+ err = -EINVAL; - dev_err(dev, "DPDMAI minor version mismatch\n" - "Found %u.%u, supported version is %u.%u\n", - priv->dpdmai_attr.version.major, -@@ -475,6 +477,7 @@ static int __cold dpaa2_qdma_dpio_setup(struct dpaa2_qdma_priv *priv) - ppriv->store = - dpaa2_io_store_create(DPAA2_QDMA_STORE_SIZE, dev); - if (!ppriv->store) { -+ err = -ENOMEM; - dev_err(dev, "dpaa2_io_store_create() failed\n"); - goto err_store; - } -diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c -index 59f2104ffc771..eb41bb9df0fd9 100644 ---- a/drivers/dma/idxd/init.c -+++ b/drivers/dma/idxd/init.c -@@ -218,6 +218,7 @@ static int idxd_setup_engines(struct idxd_device *idxd) - engine->idxd = idxd; - device_initialize(&engine->conf_dev); - engine->conf_dev.parent = &idxd->conf_dev; -+ engine->conf_dev.bus = &dsa_bus_type; - engine->conf_dev.type = &idxd_engine_device_type; - rc = dev_set_name(&engine->conf_dev, "engine%d.%d", idxd->id, engine->id); - if (rc < 0) { -@@ -718,6 +719,7 @@ module_init(idxd_init_module); - - static void __exit idxd_exit_module(void) - { -+ idxd_unregister_driver(); - pci_unregister_driver(&idxd_pci_driver); - idxd_cdev_remove(); - idxd_unregister_bus_type(); -diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c -index fd8d2bc3be9f5..110de8a600588 100644 ---- a/drivers/dma/pl330.c -+++ b/drivers/dma/pl330.c -@@ -2694,13 +2694,15 @@ static struct dma_async_tx_descriptor *pl330_prep_dma_cyclic( - for (i = 0; i < len / period_len; i++) { - desc = pl330_get_desc(pch); - if (!desc) { -+ unsigned long iflags; -+ - dev_err(pch->dmac->ddma.dev, "%s:%d Unable to fetch desc\n", - __func__, __LINE__); - - if (!first) - return NULL; - -- spin_lock_irqsave(&pl330->pool_lock, flags); -+ spin_lock_irqsave(&pl330->pool_lock, iflags); - - while (!list_empty(&first->node)) { - desc = list_entry(first->node.next, -@@ -2710,7 +2712,7 @@ static struct dma_async_tx_descriptor *pl330_prep_dma_cyclic( - - list_move_tail(&first->node, &pl330->desc_pool); - -- spin_unlock_irqrestore(&pl330->pool_lock, flags); -+ spin_unlock_irqrestore(&pl330->pool_lock, iflags); - - return NULL; - } -diff --git a/drivers/dma/qcom/Kconfig b/drivers/dma/qcom/Kconfig -index 365f94eb3b081..3f926a653bd88 100644 ---- a/drivers/dma/qcom/Kconfig -+++ b/drivers/dma/qcom/Kconfig -@@ -33,6 +33,7 @@ config QCOM_GPI_DMA - - config QCOM_HIDMA_MGMT - tristate "Qualcomm Technologies HIDMA Management support" -+ depends on HAS_IOMEM - select DMA_ENGINE - help - Enable support for the Qualcomm Technologies HIDMA Management. -diff --git a/drivers/dma/sf-pdma/Kconfig b/drivers/dma/sf-pdma/Kconfig -index f8ffa02e279ff..ba46a0a15a936 100644 ---- a/drivers/dma/sf-pdma/Kconfig -+++ b/drivers/dma/sf-pdma/Kconfig -@@ -1,5 +1,6 @@ - config SF_PDMA - tristate "Sifive PDMA controller driver" -+ depends on HAS_IOMEM - select DMA_ENGINE - select DMA_VIRTUAL_CHANNELS - help -diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c -index 265d7c07b348e..e1827393143f1 100644 ---- a/drivers/dma/ste_dma40.c -+++ b/drivers/dma/ste_dma40.c -@@ -3675,6 +3675,9 @@ static int __init d40_probe(struct platform_device *pdev) - - kfree(base->lcla_pool.base_unaligned); - -+ if (base->lcpa_base) -+ iounmap(base->lcpa_base); -+ - if (base->phy_lcpa) - release_mem_region(base->phy_lcpa, - base->lcpa_size); -diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c -index 70b29bd079c9f..ff7dfb3fdeb47 100644 ---- a/drivers/dma/xilinx/xilinx_dpdma.c -+++ b/drivers/dma/xilinx/xilinx_dpdma.c -@@ -1459,7 +1459,7 @@ static void xilinx_dpdma_enable_irq(struct xilinx_dpdma_device *xdev) - */ - static void xilinx_dpdma_disable_irq(struct xilinx_dpdma_device *xdev) - { -- dpdma_write(xdev->reg, XILINX_DPDMA_IDS, XILINX_DPDMA_INTR_ERR_ALL); -+ dpdma_write(xdev->reg, XILINX_DPDMA_IDS, XILINX_DPDMA_INTR_ALL); - dpdma_write(xdev->reg, XILINX_DPDMA_EIDS, XILINX_DPDMA_EINTR_ALL); - } - -@@ -1596,6 +1596,26 @@ static struct dma_chan *of_dma_xilinx_xlate(struct of_phandle_args *dma_spec, - return dma_get_slave_channel(&xdev->chan[chan_id]->vchan.chan); - } - -+static void dpdma_hw_init(struct xilinx_dpdma_device *xdev) -+{ -+ unsigned int i; -+ void __iomem *reg; -+ -+ /* Disable all interrupts */ -+ xilinx_dpdma_disable_irq(xdev); -+ -+ /* Stop all channels */ -+ for (i = 0; i < ARRAY_SIZE(xdev->chan); i++) { -+ reg = xdev->reg + XILINX_DPDMA_CH_BASE -+ + XILINX_DPDMA_CH_OFFSET * i; -+ dpdma_clr(reg, XILINX_DPDMA_CH_CNTL, XILINX_DPDMA_CH_CNTL_ENABLE); -+ } -+ -+ /* Clear the interrupt status registers */ -+ dpdma_write(xdev->reg, XILINX_DPDMA_ISR, XILINX_DPDMA_INTR_ALL); -+ dpdma_write(xdev->reg, XILINX_DPDMA_EISR, XILINX_DPDMA_EINTR_ALL); -+} -+ - static int xilinx_dpdma_probe(struct platform_device *pdev) - { - struct xilinx_dpdma_device *xdev; -@@ -1622,6 +1642,8 @@ static int xilinx_dpdma_probe(struct platform_device *pdev) - if (IS_ERR(xdev->reg)) - return PTR_ERR(xdev->reg); - -+ dpdma_hw_init(xdev); -+ - xdev->irq = platform_get_irq(pdev, 0); - if (xdev->irq < 0) { - dev_err(xdev->dev, "failed to get platform irq\n"); -diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c -index 2342c5d216f9b..72d23651501d4 100644 ---- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c -+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c -@@ -6769,8 +6769,12 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring) - if (ring->use_doorbell) { - WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, - (adev->doorbell_index.kiq * 2) << 2); -+ /* If GC has entered CGPG, ringing doorbell > first page doesn't -+ * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround -+ * this issue. -+ */ - WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, -- (adev->doorbell_index.userqueue_end * 2) << 2); -+ (adev->doorbell.size - 4)); - } - - WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, -diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c -index d2c020a91c0be..1fdfb7783404e 100644 ---- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c -+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c -@@ -3623,8 +3623,12 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring) - if (ring->use_doorbell) { - WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, - (adev->doorbell_index.kiq * 2) << 2); -+ /* If GC has entered CGPG, ringing doorbell > first page doesn't -+ * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround -+ * this issue. -+ */ - WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, -- (adev->doorbell_index.userqueue_end * 2) << 2); -+ (adev->doorbell.size - 4)); - } - - WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, -diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c -index dfa9fdbe98da2..06bb24d7a9fee 100644 ---- a/drivers/gpu/drm/radeon/radeon_uvd.c -+++ b/drivers/gpu/drm/radeon/radeon_uvd.c -@@ -286,7 +286,7 @@ int radeon_uvd_resume(struct radeon_device *rdev) - if (rdev->uvd.vcpu_bo == NULL) - return -EINVAL; - -- memcpy(rdev->uvd.cpu_addr, rdev->uvd_fw->data, rdev->uvd_fw->size); -+ memcpy_toio((void __iomem *)rdev->uvd.cpu_addr, rdev->uvd_fw->data, rdev->uvd_fw->size); - - size = radeon_bo_size(rdev->uvd.vcpu_bo); - size -= rdev->uvd_fw->size; -@@ -294,7 +294,7 @@ int radeon_uvd_resume(struct radeon_device *rdev) - ptr = rdev->uvd.cpu_addr; - ptr += rdev->uvd_fw->size; - -- memset(ptr, 0, size); -+ memset_io((void __iomem *)ptr, 0, size); - - return 0; - } -diff --git a/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.c b/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.c -index bbdfd5e26ec88..f75fb157f2ff7 100644 ---- a/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.c -+++ b/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.c -@@ -209,7 +209,7 @@ static int sun8i_dw_hdmi_bind(struct device *dev, struct device *master, - goto err_disable_clk_tmds; - } - -- ret = sun8i_hdmi_phy_probe(hdmi, phy_node); -+ ret = sun8i_hdmi_phy_get(hdmi, phy_node); - of_node_put(phy_node); - if (ret) { - dev_err(dev, "Couldn't get the HDMI PHY\n"); -@@ -242,7 +242,6 @@ static int sun8i_dw_hdmi_bind(struct device *dev, struct device *master, - - cleanup_encoder: - drm_encoder_cleanup(encoder); -- sun8i_hdmi_phy_remove(hdmi); - err_disable_clk_tmds: - clk_disable_unprepare(hdmi->clk_tmds); - err_assert_ctrl_reset: -@@ -263,7 +262,6 @@ static void sun8i_dw_hdmi_unbind(struct device *dev, struct device *master, - struct sun8i_dw_hdmi *hdmi = dev_get_drvdata(dev); - - dw_hdmi_unbind(hdmi->hdmi); -- sun8i_hdmi_phy_remove(hdmi); - clk_disable_unprepare(hdmi->clk_tmds); - reset_control_assert(hdmi->rst_ctrl); - gpiod_set_value(hdmi->ddc_en, 0); -@@ -320,7 +318,32 @@ static struct platform_driver sun8i_dw_hdmi_pltfm_driver = { - .of_match_table = sun8i_dw_hdmi_dt_ids, - }, - }; --module_platform_driver(sun8i_dw_hdmi_pltfm_driver); -+ -+static int __init sun8i_dw_hdmi_init(void) -+{ -+ int ret; -+ -+ ret = platform_driver_register(&sun8i_dw_hdmi_pltfm_driver); -+ if (ret) -+ return ret; -+ -+ ret = platform_driver_register(&sun8i_hdmi_phy_driver); -+ if (ret) { -+ platform_driver_unregister(&sun8i_dw_hdmi_pltfm_driver); -+ return ret; -+ } -+ -+ return ret; -+} -+ -+static void __exit sun8i_dw_hdmi_exit(void) -+{ -+ platform_driver_unregister(&sun8i_dw_hdmi_pltfm_driver); -+ platform_driver_unregister(&sun8i_hdmi_phy_driver); -+} -+ -+module_init(sun8i_dw_hdmi_init); -+module_exit(sun8i_dw_hdmi_exit); - - MODULE_AUTHOR("Jernej Skrabec "); - MODULE_DESCRIPTION("Allwinner DW HDMI bridge"); -diff --git a/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.h b/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.h -index d4b55af0592f8..74f6ed0e25709 100644 ---- a/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.h -+++ b/drivers/gpu/drm/sun4i/sun8i_dw_hdmi.h -@@ -195,14 +195,15 @@ struct sun8i_dw_hdmi { - struct gpio_desc *ddc_en; - }; - -+extern struct platform_driver sun8i_hdmi_phy_driver; -+ - static inline struct sun8i_dw_hdmi * - encoder_to_sun8i_dw_hdmi(struct drm_encoder *encoder) - { - return container_of(encoder, struct sun8i_dw_hdmi, encoder); - } - --int sun8i_hdmi_phy_probe(struct sun8i_dw_hdmi *hdmi, struct device_node *node); --void sun8i_hdmi_phy_remove(struct sun8i_dw_hdmi *hdmi); -+int sun8i_hdmi_phy_get(struct sun8i_dw_hdmi *hdmi, struct device_node *node); - - void sun8i_hdmi_phy_init(struct sun8i_hdmi_phy *phy); - void sun8i_hdmi_phy_set_ops(struct sun8i_hdmi_phy *phy, -diff --git a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c -index 9994edf675096..c9239708d398c 100644 ---- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c -+++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c -@@ -5,6 +5,7 @@ - - #include - #include -+#include - - #include "sun8i_dw_hdmi.h" - -@@ -597,10 +598,30 @@ static const struct of_device_id sun8i_hdmi_phy_of_table[] = { - { /* sentinel */ } - }; - --int sun8i_hdmi_phy_probe(struct sun8i_dw_hdmi *hdmi, struct device_node *node) -+int sun8i_hdmi_phy_get(struct sun8i_dw_hdmi *hdmi, struct device_node *node) -+{ -+ struct platform_device *pdev = of_find_device_by_node(node); -+ struct sun8i_hdmi_phy *phy; -+ -+ if (!pdev) -+ return -EPROBE_DEFER; -+ -+ phy = platform_get_drvdata(pdev); -+ if (!phy) -+ return -EPROBE_DEFER; -+ -+ hdmi->phy = phy; -+ -+ put_device(&pdev->dev); -+ -+ return 0; -+} -+ -+static int sun8i_hdmi_phy_probe(struct platform_device *pdev) - { - const struct of_device_id *match; -- struct device *dev = hdmi->dev; -+ struct device *dev = &pdev->dev; -+ struct device_node *node = dev->of_node; - struct sun8i_hdmi_phy *phy; - struct resource res; - void __iomem *regs; -@@ -704,7 +725,7 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw_hdmi *hdmi, struct device_node *node) - clk_prepare_enable(phy->clk_phy); - } - -- hdmi->phy = phy; -+ platform_set_drvdata(pdev, phy); - - return 0; - -@@ -728,9 +749,9 @@ err_put_clk_bus: - return ret; - } - --void sun8i_hdmi_phy_remove(struct sun8i_dw_hdmi *hdmi) -+static int sun8i_hdmi_phy_remove(struct platform_device *pdev) - { -- struct sun8i_hdmi_phy *phy = hdmi->phy; -+ struct sun8i_hdmi_phy *phy = platform_get_drvdata(pdev); - - clk_disable_unprepare(phy->clk_mod); - clk_disable_unprepare(phy->clk_bus); -@@ -744,4 +765,14 @@ void sun8i_hdmi_phy_remove(struct sun8i_dw_hdmi *hdmi) - clk_put(phy->clk_pll1); - clk_put(phy->clk_mod); - clk_put(phy->clk_bus); -+ return 0; - } -+ -+struct platform_driver sun8i_hdmi_phy_driver = { -+ .probe = sun8i_hdmi_phy_probe, -+ .remove = sun8i_hdmi_phy_remove, -+ .driver = { -+ .name = "sun8i-hdmi-phy", -+ .of_match_table = sun8i_hdmi_phy_of_table, -+ }, -+}; -diff --git a/drivers/hwmon/scpi-hwmon.c b/drivers/hwmon/scpi-hwmon.c -index 25aac40f2764a..919877970ae3b 100644 ---- a/drivers/hwmon/scpi-hwmon.c -+++ b/drivers/hwmon/scpi-hwmon.c -@@ -99,6 +99,15 @@ scpi_show_sensor(struct device *dev, struct device_attribute *attr, char *buf) - - scpi_scale_reading(&value, sensor); - -+ /* -+ * Temperature sensor values are treated as signed values based on -+ * observation even though that is not explicitly specified, and -+ * because an unsigned u64 temperature does not really make practical -+ * sense especially when the temperature is below zero degrees Celsius. -+ */ -+ if (sensor->info.class == TEMPERATURE) -+ return sprintf(buf, "%lld\n", (s64)value); -+ - return sprintf(buf, "%llu\n", value); - } - -diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c -index 00404024d7cd5..fea237838bb0a 100644 ---- a/drivers/irqchip/irq-gic-v3.c -+++ b/drivers/irqchip/irq-gic-v3.c -@@ -642,11 +642,45 @@ static inline void gic_handle_nmi(u32 irqnr, struct pt_regs *regs) - nmi_exit(); - } - -+static u32 do_read_iar(struct pt_regs *regs) -+{ -+ u32 iar; -+ -+ if (gic_supports_nmi() && unlikely(!interrupts_enabled(regs))) { -+ u64 pmr; -+ -+ /* -+ * We were in a context with IRQs disabled. However, the -+ * entry code has set PMR to a value that allows any -+ * interrupt to be acknowledged, and not just NMIs. This can -+ * lead to surprising effects if the NMI has been retired in -+ * the meantime, and that there is an IRQ pending. The IRQ -+ * would then be taken in NMI context, something that nobody -+ * wants to debug twice. -+ * -+ * Until we sort this, drop PMR again to a level that will -+ * actually only allow NMIs before reading IAR, and then -+ * restore it to what it was. -+ */ -+ pmr = gic_read_pmr(); -+ gic_pmr_mask_irqs(); -+ isb(); -+ -+ iar = gic_read_iar(); -+ -+ gic_write_pmr(pmr); -+ } else { -+ iar = gic_read_iar(); -+ } -+ -+ return iar; -+} -+ - static asmlinkage void __exception_irq_entry gic_handle_irq(struct pt_regs *regs) - { - u32 irqnr; - -- irqnr = gic_read_iar(); -+ irqnr = do_read_iar(regs); - - /* Check for special IDs first */ - if ((irqnr >= 1020 && irqnr <= 1023)) -diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c -index 1f649d1780107..4484f9c079b75 100644 ---- a/drivers/net/can/usb/mcba_usb.c -+++ b/drivers/net/can/usb/mcba_usb.c -@@ -82,6 +82,8 @@ struct mcba_priv { - bool can_ka_first_pass; - bool can_speed_check; - atomic_t free_ctx_cnt; -+ void *rxbuf[MCBA_MAX_RX_URBS]; -+ dma_addr_t rxbuf_dma[MCBA_MAX_RX_URBS]; - }; - - /* CAN frame */ -@@ -633,6 +635,7 @@ static int mcba_usb_start(struct mcba_priv *priv) - for (i = 0; i < MCBA_MAX_RX_URBS; i++) { - struct urb *urb = NULL; - u8 *buf; -+ dma_addr_t buf_dma; - - /* create a URB, and a buffer for it */ - urb = usb_alloc_urb(0, GFP_KERNEL); -@@ -642,7 +645,7 @@ static int mcba_usb_start(struct mcba_priv *priv) - } - - buf = usb_alloc_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, -- GFP_KERNEL, &urb->transfer_dma); -+ GFP_KERNEL, &buf_dma); - if (!buf) { - netdev_err(netdev, "No memory left for USB buffer\n"); - usb_free_urb(urb); -@@ -661,11 +664,14 @@ static int mcba_usb_start(struct mcba_priv *priv) - if (err) { - usb_unanchor_urb(urb); - usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, -- buf, urb->transfer_dma); -+ buf, buf_dma); - usb_free_urb(urb); - break; - } - -+ priv->rxbuf[i] = buf; -+ priv->rxbuf_dma[i] = buf_dma; -+ - /* Drop reference, USB core will take care of freeing it */ - usb_free_urb(urb); - } -@@ -708,7 +714,14 @@ static int mcba_usb_open(struct net_device *netdev) - - static void mcba_urb_unlink(struct mcba_priv *priv) - { -+ int i; -+ - usb_kill_anchored_urbs(&priv->rx_submitted); -+ -+ for (i = 0; i < MCBA_MAX_RX_URBS; ++i) -+ usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, -+ priv->rxbuf[i], priv->rxbuf_dma[i]); -+ - usb_kill_anchored_urbs(&priv->tx_submitted); - } - -diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c -index 102f2c91fdb85..20f8012bbe04a 100644 ---- a/drivers/net/ethernet/amazon/ena/ena_netdev.c -+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c -@@ -236,36 +236,48 @@ static int ena_xdp_io_poll(struct napi_struct *napi, int budget) - static int ena_xdp_tx_map_frame(struct ena_ring *xdp_ring, - struct ena_tx_buffer *tx_info, - struct xdp_frame *xdpf, -- void **push_hdr, -- u32 *push_len) -+ struct ena_com_tx_ctx *ena_tx_ctx) - { - struct ena_adapter *adapter = xdp_ring->adapter; - struct ena_com_buf *ena_buf; -- dma_addr_t dma = 0; -+ int push_len = 0; -+ dma_addr_t dma; -+ void *data; - u32 size; - - tx_info->xdpf = xdpf; -+ data = tx_info->xdpf->data; - size = tx_info->xdpf->len; -- ena_buf = tx_info->bufs; - -- /* llq push buffer */ -- *push_len = min_t(u32, size, xdp_ring->tx_max_header_size); -- *push_hdr = tx_info->xdpf->data; -+ if (xdp_ring->tx_mem_queue_type == ENA_ADMIN_PLACEMENT_POLICY_DEV) { -+ /* Designate part of the packet for LLQ */ -+ push_len = min_t(u32, size, xdp_ring->tx_max_header_size); -+ -+ ena_tx_ctx->push_header = data; -+ -+ size -= push_len; -+ data += push_len; -+ } -+ -+ ena_tx_ctx->header_len = push_len; - -- if (size - *push_len > 0) { -+ if (size > 0) { - dma = dma_map_single(xdp_ring->dev, -- *push_hdr + *push_len, -- size - *push_len, -+ data, -+ size, - DMA_TO_DEVICE); - if (unlikely(dma_mapping_error(xdp_ring->dev, dma))) - goto error_report_dma_error; - -- tx_info->map_linear_data = 1; -- tx_info->num_of_bufs = 1; -- } -+ tx_info->map_linear_data = 0; - -- ena_buf->paddr = dma; -- ena_buf->len = size; -+ ena_buf = tx_info->bufs; -+ ena_buf->paddr = dma; -+ ena_buf->len = size; -+ -+ ena_tx_ctx->ena_bufs = ena_buf; -+ ena_tx_ctx->num_bufs = tx_info->num_of_bufs = 1; -+ } - - return 0; - -@@ -274,10 +286,6 @@ error_report_dma_error: - &xdp_ring->syncp); - netif_warn(adapter, tx_queued, adapter->netdev, "Failed to map xdp buff\n"); - -- xdp_return_frame_rx_napi(tx_info->xdpf); -- tx_info->xdpf = NULL; -- tx_info->num_of_bufs = 0; -- - return -EINVAL; - } - -@@ -289,8 +297,6 @@ static int ena_xdp_xmit_frame(struct ena_ring *xdp_ring, - struct ena_com_tx_ctx ena_tx_ctx = {}; - struct ena_tx_buffer *tx_info; - u16 next_to_use, req_id; -- void *push_hdr; -- u32 push_len; - int rc; - - next_to_use = xdp_ring->next_to_use; -@@ -298,15 +304,11 @@ static int ena_xdp_xmit_frame(struct ena_ring *xdp_ring, - tx_info = &xdp_ring->tx_buffer_info[req_id]; - tx_info->num_of_bufs = 0; - -- rc = ena_xdp_tx_map_frame(xdp_ring, tx_info, xdpf, &push_hdr, &push_len); -+ rc = ena_xdp_tx_map_frame(xdp_ring, tx_info, xdpf, &ena_tx_ctx); - if (unlikely(rc)) - goto error_drop_packet; - -- ena_tx_ctx.ena_bufs = tx_info->bufs; -- ena_tx_ctx.push_header = push_hdr; -- ena_tx_ctx.num_bufs = tx_info->num_of_bufs; - ena_tx_ctx.req_id = req_id; -- ena_tx_ctx.header_len = push_len; - - rc = ena_xmit_common(dev, - xdp_ring, -diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c -index 9e02f88645931..5e90df42b2013 100644 ---- a/drivers/net/ethernet/atheros/alx/main.c -+++ b/drivers/net/ethernet/atheros/alx/main.c -@@ -1849,6 +1849,7 @@ out_free_netdev: - free_netdev(netdev); - out_pci_release: - pci_release_mem_regions(pdev); -+ pci_disable_pcie_error_reporting(pdev); - out_pci_disable: - pci_disable_device(pdev); - return err; -diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c -index 027997c711aba..c118de27bc5c3 100644 ---- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c -+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c -@@ -7295,7 +7295,7 @@ skip_rdma: - entries_sp = ctx->vnic_max_vnic_entries + ctx->qp_max_l2_entries + - 2 * (extra_qps + ctx->qp_min_qp1_entries) + min; - entries_sp = roundup(entries_sp, ctx->tqm_entries_multiple); -- entries = ctx->qp_max_l2_entries + extra_qps + ctx->qp_min_qp1_entries; -+ entries = ctx->qp_max_l2_entries + 2 * (extra_qps + ctx->qp_min_qp1_entries); - entries = roundup(entries, ctx->tqm_entries_multiple); - entries = clamp_t(u32, entries, min, ctx->tqm_max_entries_per_ring); - for (i = 0; i < ctx->tqm_fp_rings_count + 1; i++) { -@@ -11573,6 +11573,8 @@ static void bnxt_fw_init_one_p3(struct bnxt *bp) - bnxt_hwrm_coal_params_qcaps(bp); - } - -+static int bnxt_probe_phy(struct bnxt *bp, bool fw_dflt); -+ - static int bnxt_fw_init_one(struct bnxt *bp) - { - int rc; -@@ -11587,6 +11589,9 @@ static int bnxt_fw_init_one(struct bnxt *bp) - netdev_err(bp->dev, "Firmware init phase 2 failed\n"); - return rc; - } -+ rc = bnxt_probe_phy(bp, false); -+ if (rc) -+ return rc; - rc = bnxt_approve_mac(bp, bp->dev->dev_addr, false); - if (rc) - return rc; -@@ -12976,6 +12981,7 @@ init_err_pci_clean: - bnxt_hwrm_func_drv_unrgtr(bp); - bnxt_free_hwrm_short_cmd_req(bp); - bnxt_free_hwrm_resources(bp); -+ bnxt_ethtool_free(bp); - kfree(bp->fw_health); - bp->fw_health = NULL; - bnxt_cleanup_pci(bp); -diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c -index 61ea3ec5c3fcc..83ed10ac86606 100644 ---- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c -+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c -@@ -1337,13 +1337,27 @@ static int cxgb4_ethtool_flash_phy(struct net_device *netdev, - return ret; - } - -- spin_lock_bh(&adap->win0_lock); -+ /* We have to RESET the chip/firmware because we need the -+ * chip in uninitialized state for loading new PHY image. -+ * Otherwise, the running firmware will only store the PHY -+ * image in local RAM which will be lost after next reset. -+ */ -+ ret = t4_fw_reset(adap, adap->mbox, PIORSTMODE_F | PIORST_F); -+ if (ret < 0) { -+ dev_err(adap->pdev_dev, -+ "Set FW to RESET for flashing PHY FW failed. ret: %d\n", -+ ret); -+ return ret; -+ } -+ - ret = t4_load_phy_fw(adap, MEMWIN_NIC, NULL, data, size); -- spin_unlock_bh(&adap->win0_lock); -- if (ret) -- dev_err(adap->pdev_dev, "Failed to load PHY FW\n"); -+ if (ret < 0) { -+ dev_err(adap->pdev_dev, "Failed to load PHY FW. ret: %d\n", -+ ret); -+ return ret; -+ } - -- return ret; -+ return 0; - } - - static int cxgb4_ethtool_flash_fw(struct net_device *netdev, -@@ -1610,16 +1624,14 @@ static struct filter_entry *cxgb4_get_filter_entry(struct adapter *adap, - u32 ftid) - { - struct tid_info *t = &adap->tids; -- struct filter_entry *f; - -- if (ftid < t->nhpftids) -- f = &adap->tids.hpftid_tab[ftid]; -- else if (ftid < t->nftids) -- f = &adap->tids.ftid_tab[ftid - t->nhpftids]; -- else -- f = lookup_tid(&adap->tids, ftid); -+ if (ftid >= t->hpftid_base && ftid < t->hpftid_base + t->nhpftids) -+ return &t->hpftid_tab[ftid - t->hpftid_base]; - -- return f; -+ if (ftid >= t->ftid_base && ftid < t->ftid_base + t->nftids) -+ return &t->ftid_tab[ftid - t->ftid_base]; -+ -+ return lookup_tid(t, ftid); - } - - static void cxgb4_fill_filter_rule(struct ethtool_rx_flow_spec *fs, -@@ -1826,6 +1838,11 @@ static int cxgb4_ntuple_del_filter(struct net_device *dev, - filter_id = filter_info->loc_array[cmd->fs.location]; - f = cxgb4_get_filter_entry(adapter, filter_id); - -+ if (f->fs.prio) -+ filter_id -= adapter->tids.hpftid_base; -+ else if (!f->fs.hash) -+ filter_id -= (adapter->tids.ftid_base - adapter->tids.nhpftids); -+ - ret = cxgb4_flow_rule_destroy(dev, f->fs.tc_prio, &f->fs, filter_id); - if (ret) - goto err; -@@ -1885,6 +1902,11 @@ static int cxgb4_ntuple_set_filter(struct net_device *netdev, - - filter_info = &adapter->ethtool_filters->port[pi->port_id]; - -+ if (fs.prio) -+ tid += adapter->tids.hpftid_base; -+ else if (!fs.hash) -+ tid += (adapter->tids.ftid_base - adapter->tids.nhpftids); -+ - filter_info->loc_array[cmd->fs.location] = tid; - set_bit(cmd->fs.location, filter_info->bmap); - filter_info->in_use++; -diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c -index e664e05b9f026..5fbc087268dbe 100644 ---- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c -+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c -@@ -198,7 +198,7 @@ static void set_nat_params(struct adapter *adap, struct filter_entry *f, - WORD_MASK, f->fs.nat_lip[3] | - f->fs.nat_lip[2] << 8 | - f->fs.nat_lip[1] << 16 | -- (u64)f->fs.nat_lip[0] << 25, 1); -+ (u64)f->fs.nat_lip[0] << 24, 1); - } - } - -diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c -index 1f601de02e706..762113a04dde6 100644 ---- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c -+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c -@@ -4424,10 +4424,8 @@ static int adap_init0_phy(struct adapter *adap) - - /* Load PHY Firmware onto adapter. - */ -- spin_lock_bh(&adap->win0_lock); - ret = t4_load_phy_fw(adap, MEMWIN_NIC, phy_info->phy_fw_version, - (u8 *)phyf->data, phyf->size); -- spin_unlock_bh(&adap->win0_lock); - if (ret < 0) - dev_err(adap->pdev_dev, "PHY Firmware transfer error %d\n", - -ret); -diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c -index 80882cfc370f5..601853bb34c91 100644 ---- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c -+++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c -@@ -3060,16 +3060,19 @@ int t4_read_flash(struct adapter *adapter, unsigned int addr, - * @addr: the start address to write - * @n: length of data to write in bytes - * @data: the data to write -+ * @byte_oriented: whether to store data as bytes or as words - * - * Writes up to a page of data (256 bytes) to the serial flash starting - * at the given address. All the data must be written to the same page. -+ * If @byte_oriented is set the write data is stored as byte stream -+ * (i.e. matches what on disk), otherwise in big-endian. - */ - static int t4_write_flash(struct adapter *adapter, unsigned int addr, -- unsigned int n, const u8 *data) -+ unsigned int n, const u8 *data, bool byte_oriented) - { -- int ret; -- u32 buf[64]; - unsigned int i, c, left, val, offset = addr & 0xff; -+ u32 buf[64]; -+ int ret; - - if (addr >= adapter->params.sf_size || offset + n > SF_PAGE_SIZE) - return -EINVAL; -@@ -3080,10 +3083,14 @@ static int t4_write_flash(struct adapter *adapter, unsigned int addr, - (ret = sf1_write(adapter, 4, 1, 1, val)) != 0) - goto unlock; - -- for (left = n; left; left -= c) { -+ for (left = n; left; left -= c, data += c) { - c = min(left, 4U); -- for (val = 0, i = 0; i < c; ++i) -- val = (val << 8) + *data++; -+ for (val = 0, i = 0; i < c; ++i) { -+ if (byte_oriented) -+ val = (val << 8) + data[i]; -+ else -+ val = (val << 8) + data[c - i - 1]; -+ } - - ret = sf1_write(adapter, c, c != left, 1, val); - if (ret) -@@ -3096,7 +3103,8 @@ static int t4_write_flash(struct adapter *adapter, unsigned int addr, - t4_write_reg(adapter, SF_OP_A, 0); /* unlock SF */ - - /* Read the page to verify the write succeeded */ -- ret = t4_read_flash(adapter, addr & ~0xff, ARRAY_SIZE(buf), buf, 1); -+ ret = t4_read_flash(adapter, addr & ~0xff, ARRAY_SIZE(buf), buf, -+ byte_oriented); - if (ret) - return ret; - -@@ -3692,7 +3700,7 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size) - */ - memcpy(first_page, fw_data, SF_PAGE_SIZE); - ((struct fw_hdr *)first_page)->fw_ver = cpu_to_be32(0xffffffff); -- ret = t4_write_flash(adap, fw_start, SF_PAGE_SIZE, first_page); -+ ret = t4_write_flash(adap, fw_start, SF_PAGE_SIZE, first_page, true); - if (ret) - goto out; - -@@ -3700,14 +3708,14 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size) - for (size -= SF_PAGE_SIZE; size; size -= SF_PAGE_SIZE) { - addr += SF_PAGE_SIZE; - fw_data += SF_PAGE_SIZE; -- ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, fw_data); -+ ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, fw_data, true); - if (ret) - goto out; - } - -- ret = t4_write_flash(adap, -- fw_start + offsetof(struct fw_hdr, fw_ver), -- sizeof(hdr->fw_ver), (const u8 *)&hdr->fw_ver); -+ ret = t4_write_flash(adap, fw_start + offsetof(struct fw_hdr, fw_ver), -+ sizeof(hdr->fw_ver), (const u8 *)&hdr->fw_ver, -+ true); - out: - if (ret) - dev_err(adap->pdev_dev, "firmware download failed, error %d\n", -@@ -3812,9 +3820,11 @@ int t4_load_phy_fw(struct adapter *adap, int win, - /* Copy the supplied PHY Firmware image to the adapter memory location - * allocated by the adapter firmware. - */ -+ spin_lock_bh(&adap->win0_lock); - ret = t4_memory_rw(adap, win, mtype, maddr, - phy_fw_size, (__be32 *)phy_fw_data, - T4_MEMORY_WRITE); -+ spin_unlock_bh(&adap->win0_lock); - if (ret) - return ret; - -@@ -10208,7 +10218,7 @@ int t4_load_cfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) - n = size - i; - else - n = SF_PAGE_SIZE; -- ret = t4_write_flash(adap, addr, n, cfg_data); -+ ret = t4_write_flash(adap, addr, n, cfg_data, true); - if (ret) - goto out; - -@@ -10677,13 +10687,14 @@ int t4_load_boot(struct adapter *adap, u8 *boot_data, - for (size -= SF_PAGE_SIZE; size; size -= SF_PAGE_SIZE) { - addr += SF_PAGE_SIZE; - boot_data += SF_PAGE_SIZE; -- ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, boot_data); -+ ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, boot_data, -+ false); - if (ret) - goto out; - } - - ret = t4_write_flash(adap, boot_sector, SF_PAGE_SIZE, -- (const u8 *)header); -+ (const u8 *)header, false); - - out: - if (ret) -@@ -10758,7 +10769,7 @@ int t4_load_bootcfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) - for (i = 0; i < size; i += SF_PAGE_SIZE) { - n = min_t(u32, size - i, SF_PAGE_SIZE); - -- ret = t4_write_flash(adap, addr, n, cfg_data); -+ ret = t4_write_flash(adap, addr, n, cfg_data, false); - if (ret) - goto out; - -@@ -10770,7 +10781,8 @@ int t4_load_bootcfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) - for (i = 0; i < npad; i++) { - u8 data = 0; - -- ret = t4_write_flash(adap, cfg_addr + size + i, 1, &data); -+ ret = t4_write_flash(adap, cfg_addr + size + i, 1, &data, -+ false); - if (ret) - goto out; - } -diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c -index 46b0dbab8aadc..7c992172933bc 100644 ---- a/drivers/net/ethernet/ec_bhf.c -+++ b/drivers/net/ethernet/ec_bhf.c -@@ -576,10 +576,12 @@ static void ec_bhf_remove(struct pci_dev *dev) - struct ec_bhf_priv *priv = netdev_priv(net_dev); - - unregister_netdev(net_dev); -- free_netdev(net_dev); - - pci_iounmap(dev, priv->dma_io); - pci_iounmap(dev, priv->io); -+ -+ free_netdev(net_dev); -+ - pci_release_regions(dev); - pci_clear_master(dev); - pci_disable_device(dev); -diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index b6eba29d8e99e..7968568bbe214 100644 ---- a/drivers/net/ethernet/emulex/benet/be_main.c -+++ b/drivers/net/ethernet/emulex/benet/be_main.c -@@ -5897,6 +5897,7 @@ drv_cleanup: - unmap_bars: - be_unmap_pci_bars(adapter); - free_netdev: -+ pci_disable_pcie_error_reporting(pdev); - free_netdev(netdev); - rel_reg: - pci_release_regions(pdev); -diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c -index 1753807cbf97e..d71eac7e19249 100644 ---- a/drivers/net/ethernet/freescale/fec_ptp.c -+++ b/drivers/net/ethernet/freescale/fec_ptp.c -@@ -215,15 +215,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc) - { - struct fec_enet_private *fep = - container_of(cc, struct fec_enet_private, cc); -- const struct platform_device_id *id_entry = -- platform_get_device_id(fep->pdev); - u32 tempval; - - tempval = readl(fep->hwp + FEC_ATIME_CTRL); - tempval |= FEC_T_CTRL_CAPTURE; - writel(tempval, fep->hwp + FEC_ATIME_CTRL); - -- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE) -+ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE) - udelay(1); - - return readl(fep->hwp + FEC_ATIME); -@@ -604,6 +602,10 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx) - fep->ptp_caps.enable = fec_ptp_enable; - - fep->cycle_speed = clk_get_rate(fep->clk_ptp); -+ if (!fep->cycle_speed) { -+ fep->cycle_speed = NSEC_PER_SEC; -+ dev_err(&fep->pdev->dev, "clk_ptp clock rate is zero\n"); -+ } - fep->ptp_inc = NSEC_PER_SEC / fep->cycle_speed; - - spin_lock_init(&fep->tmreg_lock); -diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c -index 27e439853c3b0..55432ea360ad4 100644 ---- a/drivers/net/ethernet/intel/ice/ice_lib.c -+++ b/drivers/net/ethernet/intel/ice/ice_lib.c -@@ -1715,12 +1715,13 @@ setup_rings: - * ice_vsi_cfg_txqs - Configure the VSI for Tx - * @vsi: the VSI being configured - * @rings: Tx ring array to be configured -+ * @count: number of Tx ring array elements - * - * Return 0 on success and a negative value on error - * Configure the Tx VSI for operation. - */ - static int --ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings) -+ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings, u16 count) - { - struct ice_aqc_add_tx_qgrp *qg_buf; - u16 q_idx = 0; -@@ -1732,7 +1733,7 @@ ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings) - - qg_buf->num_txqs = 1; - -- for (q_idx = 0; q_idx < vsi->num_txq; q_idx++) { -+ for (q_idx = 0; q_idx < count; q_idx++) { - err = ice_vsi_cfg_txq(vsi, rings[q_idx], qg_buf); - if (err) - goto err_cfg_txqs; -@@ -1752,7 +1753,7 @@ err_cfg_txqs: - */ - int ice_vsi_cfg_lan_txqs(struct ice_vsi *vsi) - { -- return ice_vsi_cfg_txqs(vsi, vsi->tx_rings); -+ return ice_vsi_cfg_txqs(vsi, vsi->tx_rings, vsi->num_txq); - } - - /** -@@ -1767,7 +1768,7 @@ int ice_vsi_cfg_xdp_txqs(struct ice_vsi *vsi) - int ret; - int i; - -- ret = ice_vsi_cfg_txqs(vsi, vsi->xdp_rings); -+ ret = ice_vsi_cfg_txqs(vsi, vsi->xdp_rings, vsi->num_xdp_txq); - if (ret) - return ret; - -@@ -1965,17 +1966,18 @@ int ice_vsi_stop_all_rx_rings(struct ice_vsi *vsi) - * @rst_src: reset source - * @rel_vmvf_num: Relative ID of VF/VM - * @rings: Tx ring array to be stopped -+ * @count: number of Tx ring array elements - */ - static int - ice_vsi_stop_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, -- u16 rel_vmvf_num, struct ice_ring **rings) -+ u16 rel_vmvf_num, struct ice_ring **rings, u16 count) - { - u16 q_idx; - - if (vsi->num_txq > ICE_LAN_TXQ_MAX_QDIS) - return -EINVAL; - -- for (q_idx = 0; q_idx < vsi->num_txq; q_idx++) { -+ for (q_idx = 0; q_idx < count; q_idx++) { - struct ice_txq_meta txq_meta = { }; - int status; - -@@ -2003,7 +2005,7 @@ int - ice_vsi_stop_lan_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, - u16 rel_vmvf_num) - { -- return ice_vsi_stop_tx_rings(vsi, rst_src, rel_vmvf_num, vsi->tx_rings); -+ return ice_vsi_stop_tx_rings(vsi, rst_src, rel_vmvf_num, vsi->tx_rings, vsi->num_txq); - } - - /** -@@ -2012,7 +2014,7 @@ ice_vsi_stop_lan_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, - */ - int ice_vsi_stop_xdp_tx_rings(struct ice_vsi *vsi) - { -- return ice_vsi_stop_tx_rings(vsi, ICE_NO_RESET, 0, vsi->xdp_rings); -+ return ice_vsi_stop_tx_rings(vsi, ICE_NO_RESET, 0, vsi->xdp_rings, vsi->num_xdp_txq); - } - - /** -diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c -index d821c687f239c..b61cd84be97fd 100644 ---- a/drivers/net/ethernet/intel/ice/ice_main.c -+++ b/drivers/net/ethernet/intel/ice/ice_main.c -@@ -2554,6 +2554,20 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, - return (ret || xdp_ring_err) ? -ENOMEM : 0; - } - -+/** -+ * ice_xdp_safe_mode - XDP handler for safe mode -+ * @dev: netdevice -+ * @xdp: XDP command -+ */ -+static int ice_xdp_safe_mode(struct net_device __always_unused *dev, -+ struct netdev_bpf *xdp) -+{ -+ NL_SET_ERR_MSG_MOD(xdp->extack, -+ "Please provide working DDP firmware package in order to use XDP\n" -+ "Refer to Documentation/networking/device_drivers/ethernet/intel/ice.rst"); -+ return -EOPNOTSUPP; -+} -+ - /** - * ice_xdp - implements XDP handler - * @dev: netdevice -@@ -6805,6 +6819,7 @@ static const struct net_device_ops ice_netdev_safe_mode_ops = { - .ndo_change_mtu = ice_change_mtu, - .ndo_get_stats64 = ice_get_stats64, - .ndo_tx_timeout = ice_tx_timeout, -+ .ndo_bpf = ice_xdp_safe_mode, - }; - - static const struct net_device_ops ice_netdev_ops = { -diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c -index 135ba5b6ae980..072075bc60ee9 100644 ---- a/drivers/net/ethernet/lantiq_xrx200.c -+++ b/drivers/net/ethernet/lantiq_xrx200.c -@@ -154,6 +154,7 @@ static int xrx200_close(struct net_device *net_dev) - - static int xrx200_alloc_skb(struct xrx200_chan *ch) - { -+ struct sk_buff *skb = ch->skb[ch->dma.desc]; - dma_addr_t mapping; - int ret = 0; - -@@ -168,6 +169,7 @@ static int xrx200_alloc_skb(struct xrx200_chan *ch) - XRX200_DMA_DATA_LEN, DMA_FROM_DEVICE); - if (unlikely(dma_mapping_error(ch->priv->dev, mapping))) { - dev_kfree_skb_any(ch->skb[ch->dma.desc]); -+ ch->skb[ch->dma.desc] = skb; - ret = -ENOMEM; - goto skip; - } -@@ -198,7 +200,6 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) - ch->dma.desc %= LTQ_DESC_NUM; - - if (ret) { -- ch->skb[ch->dma.desc] = skb; - net_dev->stats.rx_dropped++; - netdev_err(net_dev, "failed to allocate new rx buffer\n"); - return ret; -@@ -352,8 +353,8 @@ static irqreturn_t xrx200_dma_irq(int irq, void *ptr) - struct xrx200_chan *ch = ptr; - - if (napi_schedule_prep(&ch->napi)) { -- __napi_schedule(&ch->napi); - ltq_dma_disable_irq(&ch->dma); -+ __napi_schedule(&ch->napi); - } - - ltq_dma_ack_irq(&ch->dma); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c -index 9153c9bda96fa..897853a68cd03 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c -@@ -306,6 +306,7 @@ int mlx5_attach_device(struct mlx5_core_dev *dev) - int ret = 0, i; - - mutex_lock(&mlx5_intf_mutex); -+ priv->flags &= ~MLX5_PRIV_FLAGS_DETACH; - for (i = 0; i < ARRAY_SIZE(mlx5_adev_devices); i++) { - if (!priv->adev[i]) { - bool is_supported = false; -@@ -323,6 +324,16 @@ int mlx5_attach_device(struct mlx5_core_dev *dev) - } - } else { - adev = &priv->adev[i]->adev; -+ -+ /* Pay attention that this is not PCI driver that -+ * mlx5_core_dev is connected, but auxiliary driver. -+ * -+ * Here we can race of module unload with devlink -+ * reload, but we don't need to take extra lock because -+ * we are holding global mlx5_intf_mutex. -+ */ -+ if (!adev->dev.driver) -+ continue; - adrv = to_auxiliary_drv(adev->dev.driver); - - if (adrv->resume) -@@ -353,6 +364,10 @@ void mlx5_detach_device(struct mlx5_core_dev *dev) - continue; - - adev = &priv->adev[i]->adev; -+ /* Auxiliary driver was unbind manually through sysfs */ -+ if (!adev->dev.driver) -+ goto skip_suspend; -+ - adrv = to_auxiliary_drv(adev->dev.driver); - - if (adrv->suspend) { -@@ -360,9 +375,11 @@ void mlx5_detach_device(struct mlx5_core_dev *dev) - continue; - } - -+skip_suspend: - del_adev(&priv->adev[i]->adev); - priv->adev[i] = NULL; - } -+ priv->flags |= MLX5_PRIV_FLAGS_DETACH; - mutex_unlock(&mlx5_intf_mutex); - } - -@@ -451,6 +468,8 @@ int mlx5_rescan_drivers_locked(struct mlx5_core_dev *dev) - struct mlx5_priv *priv = &dev->priv; - - lockdep_assert_held(&mlx5_intf_mutex); -+ if (priv->flags & MLX5_PRIV_FLAGS_DETACH) -+ return 0; - - delete_drivers(dev); - if (priv->flags & MLX5_PRIV_FLAGS_DISABLE_ALL_ADEV) -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c -index be0ee03de7217..2e9bee4e5209b 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c -@@ -129,10 +129,9 @@ static void mlx5e_rep_neigh_update(struct work_struct *work) - work); - struct mlx5e_neigh_hash_entry *nhe = update_work->nhe; - struct neighbour *n = update_work->n; -+ struct mlx5e_encap_entry *e = NULL; - bool neigh_connected, same_dev; -- struct mlx5e_encap_entry *e; - unsigned char ha[ETH_ALEN]; -- struct mlx5e_priv *priv; - u8 nud_state, dead; - - rtnl_lock(); -@@ -156,14 +155,12 @@ static void mlx5e_rep_neigh_update(struct work_struct *work) - if (!same_dev) - goto out; - -- list_for_each_entry(e, &nhe->encap_list, encap_list) { -- if (!mlx5e_encap_take(e)) -- continue; -+ /* mlx5e_get_next_init_encap() releases previous encap before returning -+ * the next one. -+ */ -+ while ((e = mlx5e_get_next_init_encap(nhe, e)) != NULL) -+ mlx5e_rep_update_flows(netdev_priv(e->out_dev), e, neigh_connected, ha); - -- priv = netdev_priv(e->out_dev); -- mlx5e_rep_update_flows(priv, e, neigh_connected, ha); -- mlx5e_encap_put(priv, e); -- } - out: - rtnl_unlock(); - mlx5e_release_neigh_update_work(update_work); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c -index 96ba027dbef3d..9992f94f794b6 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c -@@ -93,13 +93,9 @@ void mlx5e_rep_update_flows(struct mlx5e_priv *priv, - - ASSERT_RTNL(); - -- /* wait for encap to be fully initialized */ -- wait_for_completion(&e->res_ready); -- - mutex_lock(&esw->offloads.encap_tbl_lock); - encap_connected = !!(e->flags & MLX5_ENCAP_ENTRY_VALID); -- if (e->compl_result < 0 || (encap_connected == neigh_connected && -- ether_addr_equal(e->h_dest, ha))) -+ if (encap_connected == neigh_connected && ether_addr_equal(e->h_dest, ha)) - goto unlock; - - mlx5e_take_all_encap_flows(e, &flow_list); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c -index 1560fcbf4ac7c..a17d79effa273 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c -@@ -250,9 +250,12 @@ static void mlx5e_take_all_route_decap_flows(struct mlx5e_route_entry *r, - mlx5e_take_tmp_flow(flow, flow_list, 0); - } - -+typedef bool (match_cb)(struct mlx5e_encap_entry *); -+ - static struct mlx5e_encap_entry * --mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, -- struct mlx5e_encap_entry *e) -+mlx5e_get_next_matching_encap(struct mlx5e_neigh_hash_entry *nhe, -+ struct mlx5e_encap_entry *e, -+ match_cb match) - { - struct mlx5e_encap_entry *next = NULL; - -@@ -287,7 +290,7 @@ retry: - /* wait for encap to be fully initialized */ - wait_for_completion(&next->res_ready); - /* continue searching if encap entry is not in valid state after completion */ -- if (!(next->flags & MLX5_ENCAP_ENTRY_VALID)) { -+ if (!match(next)) { - e = next; - goto retry; - } -@@ -295,6 +298,30 @@ retry: - return next; - } - -+static bool mlx5e_encap_valid(struct mlx5e_encap_entry *e) -+{ -+ return e->flags & MLX5_ENCAP_ENTRY_VALID; -+} -+ -+static struct mlx5e_encap_entry * -+mlx5e_get_next_valid_encap(struct mlx5e_neigh_hash_entry *nhe, -+ struct mlx5e_encap_entry *e) -+{ -+ return mlx5e_get_next_matching_encap(nhe, e, mlx5e_encap_valid); -+} -+ -+static bool mlx5e_encap_initialized(struct mlx5e_encap_entry *e) -+{ -+ return e->compl_result >= 0; -+} -+ -+struct mlx5e_encap_entry * -+mlx5e_get_next_init_encap(struct mlx5e_neigh_hash_entry *nhe, -+ struct mlx5e_encap_entry *e) -+{ -+ return mlx5e_get_next_matching_encap(nhe, e, mlx5e_encap_initialized); -+} -+ - void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe) - { - struct mlx5e_neigh *m_neigh = &nhe->m_neigh; -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c -index 3d45341e2216f..26f7fab109d97 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c -@@ -532,9 +532,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) - struct mlx5_core_dev *mdev = priv->mdev; - struct net_device *netdev = priv->netdev; - -- if (!priv->ipsec) -- return; -- - if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) || - !MLX5_CAP_ETH(mdev, swp)) { - mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n"); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -index 99dc9f2beed5b..16b8f52450329 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -@@ -5168,22 +5168,15 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) - } - - if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) { -- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL | -- NETIF_F_GSO_UDP_TUNNEL_CSUM; -- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | -- NETIF_F_GSO_UDP_TUNNEL_CSUM; -- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; -- netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL | -- NETIF_F_GSO_UDP_TUNNEL_CSUM; -+ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; -+ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL; -+ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL; - } - - if (mlx5e_tunnel_proto_supported_tx(mdev, IPPROTO_GRE)) { -- netdev->hw_features |= NETIF_F_GSO_GRE | -- NETIF_F_GSO_GRE_CSUM; -- netdev->hw_enc_features |= NETIF_F_GSO_GRE | -- NETIF_F_GSO_GRE_CSUM; -- netdev->gso_partial_features |= NETIF_F_GSO_GRE | -- NETIF_F_GSO_GRE_CSUM; -+ netdev->hw_features |= NETIF_F_GSO_GRE; -+ netdev->hw_enc_features |= NETIF_F_GSO_GRE; -+ netdev->gso_partial_features |= NETIF_F_GSO_GRE; - } - - if (mlx5e_tunnel_proto_supported_tx(mdev, IPPROTO_IPIP)) { -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c -index b633f669ea57f..b3b8e44540a5d 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c -@@ -4622,7 +4622,7 @@ static void mlx5e_tc_hairpin_update_dead_peer(struct mlx5e_priv *priv, - list_for_each_entry_safe(hpe, tmp, &init_wait_list, dead_peer_wait_list) { - wait_for_completion(&hpe->res_ready); - if (!IS_ERR_OR_NULL(hpe->hp) && hpe->peer_vhca_id == peer_vhca_id) -- hpe->hp->pair->peer_gone = true; -+ mlx5_core_hairpin_clear_dead_peer(hpe->hp->pair); - - mlx5e_hairpin_put(priv, hpe); - } -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h -index 25c091795bcd8..17027536efbaa 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h -+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.h -@@ -178,6 +178,9 @@ void mlx5e_take_all_encap_flows(struct mlx5e_encap_entry *e, struct list_head *f - void mlx5e_put_flow_list(struct mlx5e_priv *priv, struct list_head *flow_list); - - struct mlx5e_neigh_hash_entry; -+struct mlx5e_encap_entry * -+mlx5e_get_next_init_encap(struct mlx5e_neigh_hash_entry *nhe, -+ struct mlx5e_encap_entry *e); - void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe); - - void mlx5e_tc_reoffload_flows_work(struct work_struct *work); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c -index 1fa9c18563da9..31c6a3b91f4a9 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c -@@ -136,7 +136,7 @@ static int mlx5_eq_comp_int(struct notifier_block *nb, - - eqe = next_eqe_sw(eq); - if (!eqe) -- return 0; -+ goto out; - - do { - struct mlx5_core_cq *cq; -@@ -161,6 +161,8 @@ static int mlx5_eq_comp_int(struct notifier_block *nb, - ++eq->cons_index; - - } while ((++num_eqes < MLX5_EQ_POLLING_BUDGET) && (eqe = next_eqe_sw(eq))); -+ -+out: - eq_update_ci(eq, 1); - - if (cqn != -1) -@@ -248,9 +250,9 @@ static int mlx5_eq_async_int(struct notifier_block *nb, - ++eq->cons_index; - - } while ((++num_eqes < MLX5_EQ_POLLING_BUDGET) && (eqe = next_eqe_sw(eq))); -- eq_update_ci(eq, 1); - - out: -+ eq_update_ci(eq, 1); - mlx5_eq_async_int_unlock(eq_async, recovery, &flags); - - return unlikely(recovery) ? num_eqes : 0; -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c -index 2c6d95900e3c9..a3edeea4ddd78 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c -@@ -1308,6 +1308,12 @@ int mlx5_esw_vport_enable(struct mlx5_eswitch *esw, u16 vport_num, - goto err_vhca_mapping; - } - -+ /* External controller host PF has factory programmed MAC. -+ * Read it from the device. -+ */ -+ if (mlx5_core_is_ecpf(esw->dev) && vport_num == MLX5_VPORT_PF) -+ mlx5_query_nic_vport_mac_address(esw->dev, vport_num, true, vport->info.mac); -+ - esw_vport_change_handle_locked(vport); - - esw->enabled_vports++; -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c -index efb93d63e54cb..58b8f75d7a01e 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/main.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c -@@ -1157,7 +1157,7 @@ static int mlx5_load(struct mlx5_core_dev *dev) - err = mlx5_core_set_hca_defaults(dev); - if (err) { - mlx5_core_err(dev, "Failed to set hca defaults\n"); -- goto err_sriov; -+ goto err_set_hca; - } - - mlx5_vhca_event_start(dev); -@@ -1190,6 +1190,7 @@ err_ec: - mlx5_sf_hw_table_destroy(dev); - err_vhca: - mlx5_vhca_event_stop(dev); -+err_set_hca: - mlx5_cleanup_fs(dev); - err_fs: - mlx5_accel_tls_cleanup(dev); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mr.c b/drivers/net/ethernet/mellanox/mlx5/core/mr.c -index 50af84e76fb6a..174f71ed52800 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/mr.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/mr.c -@@ -54,7 +54,7 @@ int mlx5_core_create_mkey(struct mlx5_core_dev *dev, - mkey_index = MLX5_GET(create_mkey_out, lout, mkey_index); - mkey->iova = MLX5_GET64(mkc, mkc, start_addr); - mkey->size = MLX5_GET64(mkc, mkc, len); -- mkey->key |= mlx5_idx_to_mkey(mkey_index); -+ mkey->key = (u32)mlx5_mkey_variant(mkey->key) | mlx5_idx_to_mkey(mkey_index); - mkey->pd = MLX5_GET(mkc, mkc, pd); - init_waitqueue_head(&mkey->wait); - -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c -index 8e0dddc6383f0..2389239acadc9 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c -@@ -156,6 +156,9 @@ void mlx5_rdma_enable_roce(struct mlx5_core_dev *dev) - { - int err; - -+ if (!MLX5_CAP_GEN(dev, roce)) -+ return; -+ - err = mlx5_nic_vport_enable_roce(dev); - if (err) { - mlx5_core_err(dev, "Failed to enable RoCE: %d\n", err); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c -index 90b524c59f3c3..c4139f4648bf1 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c -@@ -153,6 +153,7 @@ mlx5_sf_dev_state_change_handler(struct notifier_block *nb, unsigned long event_ - sf_index = event->function_id - MLX5_CAP_GEN(table->dev, sf_base_id); - sf_dev = xa_load(&table->devices, sf_index); - switch (event->new_vhca_state) { -+ case MLX5_VHCA_STATE_INVALID: - case MLX5_VHCA_STATE_ALLOCATED: - if (sf_dev) - mlx5_sf_dev_del(table->dev, sf_dev, sf_index); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c -index f146c618a78e7..46ef45fa91675 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v1.c -@@ -712,7 +712,11 @@ static int dr_ste_v1_set_action_decap_l3_list(void *data, - if (hw_action_sz / DR_STE_ACTION_DOUBLE_SZ < DR_STE_DECAP_L3_ACTION_NUM) - return -EINVAL; - -- memcpy(padded_data, data, data_sz); -+ inline_data_sz = -+ MLX5_FLD_SZ_BYTES(ste_double_action_insert_with_inline_v1, inline_data); -+ -+ /* Add an alignment padding */ -+ memcpy(padded_data + data_sz % inline_data_sz, data, data_sz); - - /* Remove L2L3 outer headers */ - MLX5_SET(ste_single_action_remove_header_v1, hw_action, action_id, -@@ -724,32 +728,34 @@ static int dr_ste_v1_set_action_decap_l3_list(void *data, - hw_action += DR_STE_ACTION_DOUBLE_SZ; - used_actions++; /* Remove and NOP are a single double action */ - -- inline_data_sz = -- MLX5_FLD_SZ_BYTES(ste_double_action_insert_with_inline_v1, inline_data); -+ /* Point to the last dword of the header */ -+ data_ptr += (data_sz / inline_data_sz) * inline_data_sz; - -- /* Add the new header inline + 2 extra bytes */ -+ /* Add the new header using inline action 4Byte at a time, the header -+ * is added in reversed order to the beginning of the packet to avoid -+ * incorrect parsing by the HW. Since header is 14B or 18B an extra -+ * two bytes are padded and later removed. -+ */ - for (i = 0; i < data_sz / inline_data_sz + 1; i++) { - void *addr_inline; - - MLX5_SET(ste_double_action_insert_with_inline_v1, hw_action, action_id, - DR_STE_V1_ACTION_ID_INSERT_INLINE); - /* The hardware expects here offset to words (2 bytes) */ -- MLX5_SET(ste_double_action_insert_with_inline_v1, hw_action, start_offset, -- i * 2); -+ MLX5_SET(ste_double_action_insert_with_inline_v1, hw_action, start_offset, 0); - - /* Copy bytes one by one to avoid endianness problem */ - addr_inline = MLX5_ADDR_OF(ste_double_action_insert_with_inline_v1, - hw_action, inline_data); -- memcpy(addr_inline, data_ptr, inline_data_sz); -+ memcpy(addr_inline, data_ptr - i * inline_data_sz, inline_data_sz); - hw_action += DR_STE_ACTION_DOUBLE_SZ; -- data_ptr += inline_data_sz; - used_actions++; - } - -- /* Remove 2 extra bytes */ -+ /* Remove first 2 extra bytes */ - MLX5_SET(ste_single_action_remove_header_size_v1, hw_action, action_id, - DR_STE_V1_ACTION_ID_REMOVE_BY_SIZE); -- MLX5_SET(ste_single_action_remove_header_size_v1, hw_action, start_offset, data_sz / 2); -+ MLX5_SET(ste_single_action_remove_header_size_v1, hw_action, start_offset, 0); - /* The hardware expects here size in words (2 bytes) */ - MLX5_SET(ste_single_action_remove_header_size_v1, hw_action, remove_size, 1); - used_actions++; -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h -index 612b0ac31db23..9737565cd8d43 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h -+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h -@@ -124,10 +124,11 @@ int mlx5dr_action_destroy(struct mlx5dr_action *action); - static inline bool - mlx5dr_is_supported(struct mlx5_core_dev *dev) - { -- return MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner) || -- (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner_v2) && -- (MLX5_CAP_GEN(dev, steering_format_version) <= -- MLX5_STEERING_FORMAT_CONNECTX_6DX)); -+ return MLX5_CAP_GEN(dev, roce) && -+ (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner) || -+ (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner_v2) && -+ (MLX5_CAP_GEN(dev, steering_format_version) <= -+ MLX5_STEERING_FORMAT_CONNECTX_6DX))); - } - - /* buddy functions & structure */ -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c -index 01cc00ad8acf2..b6931bbe52d29 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c -@@ -424,6 +424,15 @@ err_modify_sq: - return err; - } - -+static void mlx5_hairpin_unpair_peer_sq(struct mlx5_hairpin *hp) -+{ -+ int i; -+ -+ for (i = 0; i < hp->num_channels; i++) -+ mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, -+ MLX5_SQC_STATE_RST, 0, 0); -+} -+ - static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) - { - int i; -@@ -432,13 +441,9 @@ static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) - for (i = 0; i < hp->num_channels; i++) - mlx5_hairpin_modify_rq(hp->func_mdev, hp->rqn[i], MLX5_RQC_STATE_RDY, - MLX5_RQC_STATE_RST, 0, 0); -- - /* unset peer SQs */ -- if (hp->peer_gone) -- return; -- for (i = 0; i < hp->num_channels; i++) -- mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, -- MLX5_SQC_STATE_RST, 0, 0); -+ if (!hp->peer_gone) -+ mlx5_hairpin_unpair_peer_sq(hp); - } - - struct mlx5_hairpin * -@@ -485,3 +490,16 @@ void mlx5_core_hairpin_destroy(struct mlx5_hairpin *hp) - mlx5_hairpin_destroy_queues(hp); - kfree(hp); - } -+ -+void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp) -+{ -+ int i; -+ -+ mlx5_hairpin_unpair_peer_sq(hp); -+ -+ /* destroy peer SQ */ -+ for (i = 0; i < hp->num_channels; i++) -+ mlx5_core_destroy_sq(hp->peer_mdev, hp->sqn[i]); -+ -+ hp->peer_gone = true; -+} -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c -index e05c5c0f3ae1d..7d21fbb9192f6 100644 ---- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c -@@ -465,8 +465,6 @@ int mlx5_modify_nic_vport_node_guid(struct mlx5_core_dev *mdev, - void *in; - int err; - -- if (!vport) -- return -EINVAL; - if (!MLX5_CAP_GEN(mdev, vport_group_manager)) - return -EACCES; - -diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c -index bf85ce9835d7f..42e4437ac3c16 100644 ---- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c -+++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c -@@ -708,7 +708,8 @@ mlxsw_thermal_module_tz_init(struct mlxsw_thermal_module *module_tz) - MLXSW_THERMAL_TRIP_MASK, - module_tz, - &mlxsw_thermal_module_ops, -- NULL, 0, 0); -+ NULL, 0, -+ module_tz->parent->polling_delay); - if (IS_ERR(module_tz->tzdev)) { - err = PTR_ERR(module_tz->tzdev); - return err; -@@ -830,7 +831,8 @@ mlxsw_thermal_gearbox_tz_init(struct mlxsw_thermal_module *gearbox_tz) - MLXSW_THERMAL_TRIP_MASK, - gearbox_tz, - &mlxsw_thermal_gearbox_ops, -- NULL, 0, 0); -+ NULL, 0, -+ gearbox_tz->parent->polling_delay); - if (IS_ERR(gearbox_tz->tzdev)) - return PTR_ERR(gearbox_tz->tzdev); - -diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h -index c4adc7f740d3e..769386971ac3b 100644 ---- a/drivers/net/ethernet/mellanox/mlxsw/reg.h -+++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h -@@ -3863,7 +3863,7 @@ MLXSW_ITEM32(reg, qeec, max_shaper_bs, 0x1C, 0, 6); - #define MLXSW_REG_QEEC_HIGHEST_SHAPER_BS 25 - #define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP1 5 - #define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP2 11 --#define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP3 5 -+#define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP3 11 - - static inline void mlxsw_reg_qeec_pack(char *payload, u8 local_port, - enum mlxsw_reg_qeec_hr hr, u8 index, -diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c -index 46e5c9136bacd..0c4c976548c85 100644 ---- a/drivers/net/ethernet/mscc/ocelot.c -+++ b/drivers/net/ethernet/mscc/ocelot.c -@@ -378,6 +378,7 @@ static u32 ocelot_read_eq_avail(struct ocelot *ocelot, int port) - - int ocelot_port_flush(struct ocelot *ocelot, int port) - { -+ unsigned int pause_ena; - int err, val; - - /* Disable dequeuing from the egress queues */ -@@ -386,6 +387,7 @@ int ocelot_port_flush(struct ocelot *ocelot, int port) - QSYS_PORT_MODE, port); - - /* Disable flow control */ -+ ocelot_fields_read(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, &pause_ena); - ocelot_fields_write(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, 0); - - /* Disable priority flow control */ -@@ -421,6 +423,9 @@ int ocelot_port_flush(struct ocelot *ocelot, int port) - /* Clear flushing again. */ - ocelot_rmw_gix(ocelot, 0, REW_PORT_CFG_FLUSH_ENA, REW_PORT_CFG, port); - -+ /* Re-enable flow control */ -+ ocelot_fields_write(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, pause_ena); -+ - return err; - } - EXPORT_SYMBOL(ocelot_port_flush); -diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c -index 7e6bac85495d3..344ea11434549 100644 ---- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c -+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c -@@ -1602,6 +1602,8 @@ err_out_free_netdev: - free_netdev(netdev); - - err_out_free_res: -+ if (NX_IS_REVISION_P3(pdev->revision)) -+ pci_disable_pcie_error_reporting(pdev); - pci_release_regions(pdev); - - err_out_disable_pdev: -diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c -index 96b947fde646b..3beafc60747e6 100644 ---- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c -+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c -@@ -2690,6 +2690,7 @@ err_out_free_hw_res: - kfree(ahw); - - err_out_free_res: -+ pci_disable_pcie_error_reporting(pdev); - pci_release_regions(pdev); - - err_out_disable_pdev: -diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c -index 41fbd2ceeede4..ab1e0fcccabb6 100644 ---- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c -+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c -@@ -126,24 +126,24 @@ static void rmnet_get_stats64(struct net_device *dev, - struct rtnl_link_stats64 *s) - { - struct rmnet_priv *priv = netdev_priv(dev); -- struct rmnet_vnd_stats total_stats; -+ struct rmnet_vnd_stats total_stats = { }; - struct rmnet_pcpu_stats *pcpu_ptr; -+ struct rmnet_vnd_stats snapshot; - unsigned int cpu, start; - -- memset(&total_stats, 0, sizeof(struct rmnet_vnd_stats)); -- - for_each_possible_cpu(cpu) { - pcpu_ptr = per_cpu_ptr(priv->pcpu_stats, cpu); - - do { - start = u64_stats_fetch_begin_irq(&pcpu_ptr->syncp); -- total_stats.rx_pkts += pcpu_ptr->stats.rx_pkts; -- total_stats.rx_bytes += pcpu_ptr->stats.rx_bytes; -- total_stats.tx_pkts += pcpu_ptr->stats.tx_pkts; -- total_stats.tx_bytes += pcpu_ptr->stats.tx_bytes; -+ snapshot = pcpu_ptr->stats; /* struct assignment */ - } while (u64_stats_fetch_retry_irq(&pcpu_ptr->syncp, start)); - -- total_stats.tx_drops += pcpu_ptr->stats.tx_drops; -+ total_stats.rx_pkts += snapshot.rx_pkts; -+ total_stats.rx_bytes += snapshot.rx_bytes; -+ total_stats.tx_pkts += snapshot.tx_pkts; -+ total_stats.tx_bytes += snapshot.tx_bytes; -+ total_stats.tx_drops += snapshot.tx_drops; - } - - s->rx_packets = total_stats.rx_pkts; -@@ -354,4 +354,4 @@ int rmnet_vnd_update_dev_mtu(struct rmnet_port *port, - } - - return 0; --} -\ No newline at end of file -+} -diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h -index b70d44ac09906..3c73453725f94 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h -+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h -@@ -76,10 +76,10 @@ enum power_event { - #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ - - /* GMAC HW ADDR regs */ --#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ -- (reg * 8)) --#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ -- (reg * 8)) -+#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ -+ 0x00000040 + (reg * 8)) -+#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ -+ 0x00000044 + (reg * 8)) - #define GMAC_MAX_PERFECT_ADDRESSES 1 - - #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ -diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c -index 6dc9f10414e47..7e6bead6429c5 100644 ---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c -+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c -@@ -622,6 +622,8 @@ error_pclk_get: - void stmmac_remove_config_dt(struct platform_device *pdev, - struct plat_stmmacenet_data *plat) - { -+ clk_disable_unprepare(plat->stmmac_clk); -+ clk_disable_unprepare(plat->pclk); - of_node_put(plat->phy_node); - of_node_put(plat->mdio_node); - } -diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c -index 030185301014c..01bb36e7cff0a 100644 ---- a/drivers/net/ethernet/xilinx/ll_temac_main.c -+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c -@@ -849,7 +849,7 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) - smp_mb(); - - /* Space might have just been freed - check again */ -- if (temac_check_tx_bd_space(lp, num_frag)) -+ if (temac_check_tx_bd_space(lp, num_frag + 1)) - return NETDEV_TX_BUSY; - - netif_wake_queue(ndev); -@@ -876,7 +876,6 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) - return NETDEV_TX_OK; - } - cur_p->phys = cpu_to_be32(skb_dma_addr); -- ptr_to_txbd((void *)skb, cur_p); - - for (ii = 0; ii < num_frag; ii++) { - if (++lp->tx_bd_tail >= lp->tx_bd_num) -@@ -915,6 +914,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) - } - cur_p->app0 |= cpu_to_be32(STS_CTRL_APP0_EOP); - -+ /* Mark last fragment with skb address, so it can be consumed -+ * in temac_start_xmit_done() -+ */ -+ ptr_to_txbd((void *)skb, cur_p); -+ - tail_p = lp->tx_bd_p + sizeof(*lp->tx_bd_v) * lp->tx_bd_tail; - lp->tx_bd_tail++; - if (lp->tx_bd_tail >= lp->tx_bd_num) -diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c -index 17be2bb2985cd..920e9f888cc35 100644 ---- a/drivers/net/hamradio/mkiss.c -+++ b/drivers/net/hamradio/mkiss.c -@@ -799,6 +799,7 @@ static void mkiss_close(struct tty_struct *tty) - ax->tty = NULL; - - unregister_netdev(ax->dev); -+ free_netdev(ax->dev); - } - - /* Perform I/O control on an active ax25 channel. */ -diff --git a/drivers/net/mhi/net.c b/drivers/net/mhi/net.c -index f59960876083f..8e7f8728998f1 100644 ---- a/drivers/net/mhi/net.c -+++ b/drivers/net/mhi/net.c -@@ -49,7 +49,7 @@ static int mhi_ndo_stop(struct net_device *ndev) - return 0; - } - --static int mhi_ndo_xmit(struct sk_buff *skb, struct net_device *ndev) -+static netdev_tx_t mhi_ndo_xmit(struct sk_buff *skb, struct net_device *ndev) - { - struct mhi_net_dev *mhi_netdev = netdev_priv(ndev); - const struct mhi_net_proto *proto = mhi_netdev->proto; -diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c -index 0eeec80bec311..e4a5703666461 100644 ---- a/drivers/net/usb/cdc_eem.c -+++ b/drivers/net/usb/cdc_eem.c -@@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, - } - - skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); -+ dev_kfree_skb_any(skb); - if (!skb2) - return NULL; - -- dev_kfree_skb_any(skb); - skb = skb2; - - done: -diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c -index 8acf301154282..dc3d84b43e4e8 100644 ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -1902,7 +1902,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) - static const struct driver_info cdc_ncm_info = { - .description = "CDC NCM", - .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET -- | FLAG_LINK_INTR, -+ | FLAG_LINK_INTR | FLAG_ETHER, - .bind = cdc_ncm_bind, - .unbind = cdc_ncm_unbind, - .manage_power = usbnet_manage_power, -diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c -index 76ed79bb1e3f1..5281291711aff 100644 ---- a/drivers/net/usb/smsc75xx.c -+++ b/drivers/net/usb/smsc75xx.c -@@ -1483,7 +1483,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) - ret = smsc75xx_wait_ready(dev, 0); - if (ret < 0) { - netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); -- goto err; -+ goto free_pdata; - } - - smsc75xx_init_mac_address(dev); -@@ -1492,7 +1492,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) - ret = smsc75xx_reset(dev); - if (ret < 0) { - netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); -- goto err; -+ goto cancel_work; - } - - dev->net->netdev_ops = &smsc75xx_netdev_ops; -@@ -1503,8 +1503,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) - dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; - return 0; - --err: -+cancel_work: -+ cancel_work_sync(&pdata->set_multicast); -+free_pdata: - kfree(pdata); -+ dev->data[0] = 0; - return ret; - } - -@@ -1515,7 +1518,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) - cancel_work_sync(&pdata->set_multicast); - netif_dbg(dev, ifdown, dev->net, "free pdata\n"); - kfree(pdata); -- pdata = NULL; - dev->data[0] = 0; - } - } -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index 503e2fd7ce518..28a6c4cfe9b8c 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -1183,9 +1183,6 @@ static int vrf_dev_init(struct net_device *dev) - - dev->flags = IFF_MASTER | IFF_NOARP; - -- /* MTU is irrelevant for VRF device; set to 64k similar to lo */ -- dev->mtu = 64 * 1024; -- - /* similarly, oper state is irrelevant; set to up to avoid confusion */ - dev->operstate = IF_OPER_UP; - netdev_lockdep_set_classes(dev); -@@ -1685,7 +1682,8 @@ static void vrf_setup(struct net_device *dev) - * which breaks networking. - */ - dev->min_mtu = IPV6_MIN_MTU; -- dev->max_mtu = ETH_MAX_MTU; -+ dev->max_mtu = IP6_MAX_MTU; -+ dev->mtu = dev->max_mtu; - } - - static int vrf_validate(struct nlattr *tb[], struct nlattr *data[], -diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c -index 051b48bd7985d..e3f5e7ab76063 100644 ---- a/drivers/pci/controller/pci-aardvark.c -+++ b/drivers/pci/controller/pci-aardvark.c -@@ -514,7 +514,7 @@ static int advk_pcie_wait_pio(struct advk_pcie *pcie) - udelay(PIO_RETRY_DELAY); - } - -- dev_err(dev, "config read/write timed out\n"); -+ dev_err(dev, "PIO read/write transfer time out\n"); - return -ETIMEDOUT; - } - -@@ -657,6 +657,35 @@ static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus, - return true; - } - -+static bool advk_pcie_pio_is_running(struct advk_pcie *pcie) -+{ -+ struct device *dev = &pcie->pdev->dev; -+ -+ /* -+ * Trying to start a new PIO transfer when previous has not completed -+ * cause External Abort on CPU which results in kernel panic: -+ * -+ * SError Interrupt on CPU0, code 0xbf000002 -- SError -+ * Kernel panic - not syncing: Asynchronous SError Interrupt -+ * -+ * Functions advk_pcie_rd_conf() and advk_pcie_wr_conf() are protected -+ * by raw_spin_lock_irqsave() at pci_lock_config() level to prevent -+ * concurrent calls at the same time. But because PIO transfer may take -+ * about 1.5s when link is down or card is disconnected, it means that -+ * advk_pcie_wait_pio() does not always have to wait for completion. -+ * -+ * Some versions of ARM Trusted Firmware handles this External Abort at -+ * EL3 level and mask it to prevent kernel panic. Relevant TF-A commit: -+ * https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50 -+ */ -+ if (advk_readl(pcie, PIO_START)) { -+ dev_err(dev, "Previous PIO read/write transfer is still running\n"); -+ return true; -+ } -+ -+ return false; -+} -+ - static int advk_pcie_rd_conf(struct pci_bus *bus, u32 devfn, - int where, int size, u32 *val) - { -@@ -673,9 +702,10 @@ static int advk_pcie_rd_conf(struct pci_bus *bus, u32 devfn, - return pci_bridge_emul_conf_read(&pcie->bridge, where, - size, val); - -- /* Start PIO */ -- advk_writel(pcie, 0, PIO_START); -- advk_writel(pcie, 1, PIO_ISR); -+ if (advk_pcie_pio_is_running(pcie)) { -+ *val = 0xffffffff; -+ return PCIBIOS_SET_FAILED; -+ } - - /* Program the control register */ - reg = advk_readl(pcie, PIO_CTRL); -@@ -694,7 +724,8 @@ static int advk_pcie_rd_conf(struct pci_bus *bus, u32 devfn, - /* Program the data strobe */ - advk_writel(pcie, 0xf, PIO_WR_DATA_STRB); - -- /* Start the transfer */ -+ /* Clear PIO DONE ISR and start the transfer */ -+ advk_writel(pcie, 1, PIO_ISR); - advk_writel(pcie, 1, PIO_START); - - ret = advk_pcie_wait_pio(pcie); -@@ -734,9 +765,8 @@ static int advk_pcie_wr_conf(struct pci_bus *bus, u32 devfn, - if (where % size) - return PCIBIOS_SET_FAILED; - -- /* Start PIO */ -- advk_writel(pcie, 0, PIO_START); -- advk_writel(pcie, 1, PIO_ISR); -+ if (advk_pcie_pio_is_running(pcie)) -+ return PCIBIOS_SET_FAILED; - - /* Program the control register */ - reg = advk_readl(pcie, PIO_CTRL); -@@ -763,7 +793,8 @@ static int advk_pcie_wr_conf(struct pci_bus *bus, u32 devfn, - /* Program the data strobe */ - advk_writel(pcie, data_strobe, PIO_WR_DATA_STRB); - -- /* Start the transfer */ -+ /* Clear PIO DONE ISR and start the transfer */ -+ advk_writel(pcie, 1, PIO_ISR); - advk_writel(pcie, 1, PIO_START); - - ret = advk_pcie_wait_pio(pcie); -diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index 653660e3ba9ef..7bf76bca888da 100644 ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3558,6 +3558,18 @@ static void quirk_no_bus_reset(struct pci_dev *dev) - dev->dev_flags |= PCI_DEV_FLAGS_NO_BUS_RESET; - } - -+/* -+ * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be -+ * prevented for those affected devices. -+ */ -+static void quirk_nvidia_no_bus_reset(struct pci_dev *dev) -+{ -+ if ((dev->device & 0xffc0) == 0x2340) -+ quirk_no_bus_reset(dev); -+} -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID, -+ quirk_nvidia_no_bus_reset); -+ - /* - * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset. - * The device will throw a Link Down error on AER-capable systems and -@@ -3578,6 +3590,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); - */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_CAVIUM, 0xa100, quirk_no_bus_reset); - -+/* -+ * Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS -+ * automatically disables LTSSM when Secondary Bus Reset is received and -+ * the device stops working. Prevent bus reset for these devices. With -+ * this change, the device can be assigned to VMs with VFIO, but it will -+ * leak state between VMs. Reference -+ * https://e2e.ti.com/support/processors/f/791/t/954382 -+ */ -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TI, 0xb005, quirk_no_bus_reset); -+ - static void quirk_no_pm_reset(struct pci_dev *dev) - { - /* -@@ -3913,6 +3935,69 @@ static int delay_250ms_after_flr(struct pci_dev *dev, int probe) - return 0; - } - -+#define PCI_DEVICE_ID_HINIC_VF 0x375E -+#define HINIC_VF_FLR_TYPE 0x1000 -+#define HINIC_VF_FLR_CAP_BIT (1UL << 30) -+#define HINIC_VF_OP 0xE80 -+#define HINIC_VF_FLR_PROC_BIT (1UL << 18) -+#define HINIC_OPERATION_TIMEOUT 15000 /* 15 seconds */ -+ -+/* Device-specific reset method for Huawei Intelligent NIC virtual functions */ -+static int reset_hinic_vf_dev(struct pci_dev *pdev, int probe) -+{ -+ unsigned long timeout; -+ void __iomem *bar; -+ u32 val; -+ -+ if (probe) -+ return 0; -+ -+ bar = pci_iomap(pdev, 0, 0); -+ if (!bar) -+ return -ENOTTY; -+ -+ /* Get and check firmware capabilities */ -+ val = ioread32be(bar + HINIC_VF_FLR_TYPE); -+ if (!(val & HINIC_VF_FLR_CAP_BIT)) { -+ pci_iounmap(pdev, bar); -+ return -ENOTTY; -+ } -+ -+ /* Set HINIC_VF_FLR_PROC_BIT for the start of FLR */ -+ val = ioread32be(bar + HINIC_VF_OP); -+ val = val | HINIC_VF_FLR_PROC_BIT; -+ iowrite32be(val, bar + HINIC_VF_OP); -+ -+ pcie_flr(pdev); -+ -+ /* -+ * The device must recapture its Bus and Device Numbers after FLR -+ * in order generate Completions. Issue a config write to let the -+ * device capture this information. -+ */ -+ pci_write_config_word(pdev, PCI_VENDOR_ID, 0); -+ -+ /* Firmware clears HINIC_VF_FLR_PROC_BIT when reset is complete */ -+ timeout = jiffies + msecs_to_jiffies(HINIC_OPERATION_TIMEOUT); -+ do { -+ val = ioread32be(bar + HINIC_VF_OP); -+ if (!(val & HINIC_VF_FLR_PROC_BIT)) -+ goto reset_complete; -+ msleep(20); -+ } while (time_before(jiffies, timeout)); -+ -+ val = ioread32be(bar + HINIC_VF_OP); -+ if (!(val & HINIC_VF_FLR_PROC_BIT)) -+ goto reset_complete; -+ -+ pci_warn(pdev, "Reset dev timeout, FLR ack reg: %#010x\n", val); -+ -+reset_complete: -+ pci_iounmap(pdev, bar); -+ -+ return 0; -+} -+ - static const struct pci_dev_reset_methods pci_dev_reset_methods[] = { - { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82599_SFP_VF, - reset_intel_82599_sfp_virtfn }, -@@ -3924,6 +4009,8 @@ static const struct pci_dev_reset_methods pci_dev_reset_methods[] = { - { PCI_VENDOR_ID_INTEL, 0x0953, delay_250ms_after_flr }, - { PCI_VENDOR_ID_CHELSIO, PCI_ANY_ID, - reset_chelsio_generic_dev }, -+ { PCI_VENDOR_ID_HUAWEI, PCI_DEVICE_ID_HINIC_VF, -+ reset_hinic_vf_dev }, - { 0 } - }; - -@@ -4764,6 +4851,8 @@ static const struct pci_dev_acs_enabled { - { PCI_VENDOR_ID_AMPERE, 0xE00A, pci_quirk_xgene_acs }, - { PCI_VENDOR_ID_AMPERE, 0xE00B, pci_quirk_xgene_acs }, - { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs }, -+ /* Broadcom multi-function device */ -+ { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs }, - { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, - /* Amazon Annapurna Labs */ - { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, -@@ -5165,7 +5254,8 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0422, quirk_no_ext_tags); - static void quirk_amd_harvest_no_ats(struct pci_dev *pdev) - { - if ((pdev->device == 0x7312 && pdev->revision != 0x00) || -- (pdev->device == 0x7340 && pdev->revision != 0xc5)) -+ (pdev->device == 0x7340 && pdev->revision != 0xc5) || -+ (pdev->device == 0x7341 && pdev->revision != 0x00)) - return; - - if (pdev->device == 0x15d8) { -@@ -5192,6 +5282,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_amd_harvest_no_ats); - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7312, quirk_amd_harvest_no_ats); - /* AMD Navi14 dGPU */ - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7340, quirk_amd_harvest_no_ats); -+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7341, quirk_amd_harvest_no_ats); - /* AMD Raven platform iGPU */ - DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x15d8, quirk_amd_harvest_no_ats); - #endif /* CONFIG_PCI_ATS */ -diff --git a/drivers/phy/mediatek/phy-mtk-tphy.c b/drivers/phy/mediatek/phy-mtk-tphy.c -index cdbcc49f71152..731c483a04dea 100644 ---- a/drivers/phy/mediatek/phy-mtk-tphy.c -+++ b/drivers/phy/mediatek/phy-mtk-tphy.c -@@ -949,6 +949,8 @@ static int mtk_phy_init(struct phy *phy) - break; - default: - dev_err(tphy->dev, "incompatible PHY type\n"); -+ clk_disable_unprepare(instance->ref_clk); -+ clk_disable_unprepare(instance->da_ref_clk); - return -EINVAL; - } - -diff --git a/drivers/pinctrl/ralink/pinctrl-rt2880.c b/drivers/pinctrl/ralink/pinctrl-rt2880.c -index 1f4bca854add5..a9b511c7e8500 100644 ---- a/drivers/pinctrl/ralink/pinctrl-rt2880.c -+++ b/drivers/pinctrl/ralink/pinctrl-rt2880.c -@@ -127,7 +127,7 @@ static int rt2880_pmx_group_enable(struct pinctrl_dev *pctrldev, - if (p->groups[group].enabled) { - dev_err(p->dev, "%s is already enabled\n", - p->groups[group].name); -- return -EBUSY; -+ return 0; - } - - p->groups[group].enabled = 1; -diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c -index 61f1c91c62de2..3390168ac0793 100644 ---- a/drivers/platform/x86/thinkpad_acpi.c -+++ b/drivers/platform/x86/thinkpad_acpi.c -@@ -8808,6 +8808,7 @@ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { - TPACPI_Q_LNV3('N', '2', 'O', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (2nd gen) */ - TPACPI_Q_LNV3('N', '2', 'V', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (3nd gen) */ - TPACPI_Q_LNV3('N', '3', '0', TPACPI_FAN_2CTL), /* P15 (1st gen) / P15v (1st gen) */ -+ TPACPI_Q_LNV3('N', '3', '2', TPACPI_FAN_2CTL), /* X1 Carbon (9th gen) */ - }; - - static int __init fan_init(struct ibm_init_struct *iibm) -diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c -index 03a246e60fd98..21c4c34c52d8d 100644 ---- a/drivers/ptp/ptp_clock.c -+++ b/drivers/ptp/ptp_clock.c -@@ -63,7 +63,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue, - spin_unlock_irqrestore(&queue->lock, flags); - } - --s32 scaled_ppm_to_ppb(long ppm) -+long scaled_ppm_to_ppb(long ppm) - { - /* - * The 'freq' field in the 'struct timex' is in parts per -@@ -80,7 +80,7 @@ s32 scaled_ppm_to_ppb(long ppm) - s64 ppb = 1 + ppm; - ppb *= 125; - ppb >>= 13; -- return (s32) ppb; -+ return (long) ppb; - } - EXPORT_SYMBOL(scaled_ppm_to_ppb); - -@@ -138,7 +138,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx) - delta = ktime_to_ns(kt); - err = ops->adjtime(ops, delta); - } else if (tx->modes & ADJ_FREQUENCY) { -- s32 ppb = scaled_ppm_to_ppb(tx->freq); -+ long ppb = scaled_ppm_to_ppb(tx->freq); - if (ppb > ops->max_adj || ppb < -ops->max_adj) - return -ERANGE; - if (ops->adjfine) -diff --git a/drivers/regulator/cros-ec-regulator.c b/drivers/regulator/cros-ec-regulator.c -index eb3fc1db4edc8..c4754f3cf2337 100644 ---- a/drivers/regulator/cros-ec-regulator.c -+++ b/drivers/regulator/cros-ec-regulator.c -@@ -225,8 +225,9 @@ static int cros_ec_regulator_probe(struct platform_device *pdev) - - drvdata->dev = devm_regulator_register(dev, &drvdata->desc, &cfg); - if (IS_ERR(drvdata->dev)) { -+ ret = PTR_ERR(drvdata->dev); - dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); -- return PTR_ERR(drvdata->dev); -+ return ret; - } - - platform_set_drvdata(pdev, drvdata); -diff --git a/drivers/regulator/mt6315-regulator.c b/drivers/regulator/mt6315-regulator.c -index 9edc34981ee0a..6b8be52c3772a 100644 ---- a/drivers/regulator/mt6315-regulator.c -+++ b/drivers/regulator/mt6315-regulator.c -@@ -59,7 +59,7 @@ static const struct linear_range mt_volt_range1[] = { - REGULATOR_LINEAR_RANGE(0, 0, 0xbf, 6250), - }; - --static unsigned int mt6315_map_mode(u32 mode) -+static unsigned int mt6315_map_mode(unsigned int mode) - { - switch (mode) { - case MT6315_BUCK_MODE_AUTO: -diff --git a/drivers/regulator/rt4801-regulator.c b/drivers/regulator/rt4801-regulator.c -index 2055a9cb13ba5..7a87788d3f092 100644 ---- a/drivers/regulator/rt4801-regulator.c -+++ b/drivers/regulator/rt4801-regulator.c -@@ -66,7 +66,7 @@ static int rt4801_enable(struct regulator_dev *rdev) - struct gpio_descs *gpios = priv->enable_gpios; - int id = rdev_get_id(rdev), ret; - -- if (gpios->ndescs <= id) { -+ if (!gpios || gpios->ndescs <= id) { - dev_warn(&rdev->dev, "no dedicated gpio can control\n"); - goto bypass_gpio; - } -@@ -88,7 +88,7 @@ static int rt4801_disable(struct regulator_dev *rdev) - struct gpio_descs *gpios = priv->enable_gpios; - int id = rdev_get_id(rdev); - -- if (gpios->ndescs <= id) { -+ if (!gpios || gpios->ndescs <= id) { - dev_warn(&rdev->dev, "no dedicated gpio can control\n"); - goto bypass_gpio; - } -diff --git a/drivers/regulator/rtmv20-regulator.c b/drivers/regulator/rtmv20-regulator.c -index 5adc552dffd58..4bca64de0f672 100644 ---- a/drivers/regulator/rtmv20-regulator.c -+++ b/drivers/regulator/rtmv20-regulator.c -@@ -27,6 +27,7 @@ - #define RTMV20_REG_LDIRQ 0x30 - #define RTMV20_REG_LDSTAT 0x40 - #define RTMV20_REG_LDMASK 0x50 -+#define RTMV20_MAX_REGS (RTMV20_REG_LDMASK + 1) - - #define RTMV20_VID_MASK GENMASK(7, 4) - #define RICHTEK_VID 0x80 -@@ -313,6 +314,7 @@ static const struct regmap_config rtmv20_regmap_config = { - .val_bits = 8, - .cache_type = REGCACHE_RBTREE, - .max_register = RTMV20_REG_LDMASK, -+ .num_reg_defaults_raw = RTMV20_MAX_REGS, - - .writeable_reg = rtmv20_is_accessible_reg, - .readable_reg = rtmv20_is_accessible_reg, -diff --git a/drivers/s390/crypto/ap_queue.c b/drivers/s390/crypto/ap_queue.c -index ecefc25eff0c0..337353c9655ed 100644 ---- a/drivers/s390/crypto/ap_queue.c -+++ b/drivers/s390/crypto/ap_queue.c -@@ -135,12 +135,13 @@ static struct ap_queue_status ap_sm_recv(struct ap_queue *aq) - { - struct ap_queue_status status; - struct ap_message *ap_msg; -+ bool found = false; - - status = ap_dqap(aq->qid, &aq->reply->psmid, - aq->reply->msg, aq->reply->len); - switch (status.response_code) { - case AP_RESPONSE_NORMAL: -- aq->queue_count--; -+ aq->queue_count = max_t(int, 0, aq->queue_count - 1); - if (aq->queue_count > 0) - mod_timer(&aq->timeout, - jiffies + aq->request_timeout); -@@ -150,8 +151,14 @@ static struct ap_queue_status ap_sm_recv(struct ap_queue *aq) - list_del_init(&ap_msg->list); - aq->pendingq_count--; - ap_msg->receive(aq, ap_msg, aq->reply); -+ found = true; - break; - } -+ if (!found) { -+ AP_DBF_WARN("%s unassociated reply psmid=0x%016llx on 0x%02x.%04x\n", -+ __func__, aq->reply->psmid, -+ AP_QID_CARD(aq->qid), AP_QID_QUEUE(aq->qid)); -+ } - fallthrough; - case AP_RESPONSE_NO_PENDING_REPLY: - if (!status.queue_empty || aq->queue_count <= 0) -@@ -232,7 +239,7 @@ static enum ap_sm_wait ap_sm_write(struct ap_queue *aq) - ap_msg->flags & AP_MSG_FLAG_SPECIAL); - switch (status.response_code) { - case AP_RESPONSE_NORMAL: -- aq->queue_count++; -+ aq->queue_count = max_t(int, 1, aq->queue_count + 1); - if (aq->queue_count == 1) - mod_timer(&aq->timeout, jiffies + aq->request_timeout); - list_move_tail(&ap_msg->list, &aq->pendingq); -diff --git a/drivers/spi/spi-stm32-qspi.c b/drivers/spi/spi-stm32-qspi.c -index 2786470a52011..4f24f63922126 100644 ---- a/drivers/spi/spi-stm32-qspi.c -+++ b/drivers/spi/spi-stm32-qspi.c -@@ -293,7 +293,7 @@ static int stm32_qspi_wait_cmd(struct stm32_qspi *qspi, - int err = 0; - - if (!op->data.nbytes) -- return stm32_qspi_wait_nobusy(qspi); -+ goto wait_nobusy; - - if (readl_relaxed(qspi->io_base + QSPI_SR) & SR_TCF) - goto out; -@@ -314,6 +314,9 @@ static int stm32_qspi_wait_cmd(struct stm32_qspi *qspi, - out: - /* clear flags */ - writel_relaxed(FCR_CTCF | FCR_CTEF, qspi->io_base + QSPI_FCR); -+wait_nobusy: -+ if (!err) -+ err = stm32_qspi_wait_nobusy(qspi); - - return err; - } -diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c -index 2765289028fae..68193db8b2e3c 100644 ---- a/drivers/spi/spi-zynq-qspi.c -+++ b/drivers/spi/spi-zynq-qspi.c -@@ -678,14 +678,14 @@ static int zynq_qspi_probe(struct platform_device *pdev) - xqspi->irq = platform_get_irq(pdev, 0); - if (xqspi->irq <= 0) { - ret = -ENXIO; -- goto remove_master; -+ goto clk_dis_all; - } - ret = devm_request_irq(&pdev->dev, xqspi->irq, zynq_qspi_irq, - 0, pdev->name, xqspi); - if (ret != 0) { - ret = -ENXIO; - dev_err(&pdev->dev, "request_irq failed\n"); -- goto remove_master; -+ goto clk_dis_all; - } - - ret = of_property_read_u32(np, "num-cs", -@@ -693,8 +693,9 @@ static int zynq_qspi_probe(struct platform_device *pdev) - if (ret < 0) { - ctlr->num_chipselect = 1; - } else if (num_cs > ZYNQ_QSPI_MAX_NUM_CS) { -+ ret = -EINVAL; - dev_err(&pdev->dev, "only 2 chip selects are available\n"); -- goto remove_master; -+ goto clk_dis_all; - } else { - ctlr->num_chipselect = num_cs; - } -diff --git a/drivers/staging/hikey9xx/hi6421v600-regulator.c b/drivers/staging/hikey9xx/hi6421v600-regulator.c -index f6a14e9c3cbfe..e10fe3058176d 100644 ---- a/drivers/staging/hikey9xx/hi6421v600-regulator.c -+++ b/drivers/staging/hikey9xx/hi6421v600-regulator.c -@@ -83,7 +83,7 @@ static const unsigned int ldo34_voltages[] = { - .owner = THIS_MODULE, \ - .volt_table = vtable, \ - .n_voltages = ARRAY_SIZE(vtable), \ -- .vsel_mask = (1 << (ARRAY_SIZE(vtable) - 1)) - 1, \ -+ .vsel_mask = ARRAY_SIZE(vtable) - 1, \ - .vsel_reg = vreg, \ - .enable_reg = ereg, \ - .enable_mask = emask, \ -diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c -index cbec65e5a4645..62ea47f9fee5e 100644 ---- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c -+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c -@@ -2579,7 +2579,7 @@ static int rtw_cfg80211_add_monitor_if(struct adapter *padapter, char *name, str - mon_wdev->iftype = NL80211_IFTYPE_MONITOR; - mon_ndev->ieee80211_ptr = mon_wdev; - -- ret = register_netdevice(mon_ndev); -+ ret = cfg80211_register_netdevice(mon_ndev); - if (ret) { - goto out; - } -@@ -2661,7 +2661,7 @@ static int cfg80211_rtw_del_virtual_intf(struct wiphy *wiphy, - adapter = rtw_netdev_priv(ndev); - pwdev_priv = adapter_wdev_data(adapter); - -- unregister_netdevice(ndev); -+ cfg80211_unregister_netdevice(ndev); - - if (ndev == pwdev_priv->pmon_ndev) { - pwdev_priv->pmon_ndev = NULL; -diff --git a/drivers/usb/chipidea/usbmisc_imx.c b/drivers/usb/chipidea/usbmisc_imx.c -index 4545b23bda3f1..bac0f5458cab9 100644 ---- a/drivers/usb/chipidea/usbmisc_imx.c -+++ b/drivers/usb/chipidea/usbmisc_imx.c -@@ -686,6 +686,16 @@ static int imx7d_charger_secondary_detection(struct imx_usbmisc_data *data) - int val; - unsigned long flags; - -+ /* Clear VDATSRCENB0 to disable VDP_SRC and IDM_SNK required by BC 1.2 spec */ -+ spin_lock_irqsave(&usbmisc->lock, flags); -+ val = readl(usbmisc->base + MX7D_USB_OTG_PHY_CFG2); -+ val &= ~MX7D_USB_OTG_PHY_CFG2_CHRG_VDATSRCENB0; -+ writel(val, usbmisc->base + MX7D_USB_OTG_PHY_CFG2); -+ spin_unlock_irqrestore(&usbmisc->lock, flags); -+ -+ /* TVDMSRC_DIS */ -+ msleep(20); -+ - /* VDM_SRC is connected to D- and IDP_SINK is connected to D+ */ - spin_lock_irqsave(&usbmisc->lock, flags); - val = readl(usbmisc->base + MX7D_USB_OTG_PHY_CFG2); -@@ -695,7 +705,8 @@ static int imx7d_charger_secondary_detection(struct imx_usbmisc_data *data) - usbmisc->base + MX7D_USB_OTG_PHY_CFG2); - spin_unlock_irqrestore(&usbmisc->lock, flags); - -- usleep_range(1000, 2000); -+ /* TVDMSRC_ON */ -+ msleep(40); - - /* - * Per BC 1.2, check voltage of D+: -@@ -798,7 +809,8 @@ static int imx7d_charger_primary_detection(struct imx_usbmisc_data *data) - usbmisc->base + MX7D_USB_OTG_PHY_CFG2); - spin_unlock_irqrestore(&usbmisc->lock, flags); - -- usleep_range(1000, 2000); -+ /* TVDPSRC_ON */ -+ msleep(40); - - /* Check if D- is less than VDAT_REF to determine an SDP per BC 1.2 */ - val = readl(usbmisc->base + MX7D_USB_OTG_PHY_STATUS); -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 13fe37fbbd2c8..6ebb8bd92e9df 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -40,6 +40,8 @@ - #define USB_VENDOR_GENESYS_LOGIC 0x05e3 - #define USB_VENDOR_SMSC 0x0424 - #define USB_PRODUCT_USB5534B 0x5534 -+#define USB_VENDOR_CYPRESS 0x04b4 -+#define USB_PRODUCT_CY7C65632 0x6570 - #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 - #define HUB_QUIRK_DISABLE_AUTOSUSPEND 0x02 - -@@ -5644,6 +5646,11 @@ static const struct usb_device_id hub_id_table[] = { - .idProduct = USB_PRODUCT_USB5534B, - .bInterfaceClass = USB_CLASS_HUB, - .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND}, -+ { .match_flags = USB_DEVICE_ID_MATCH_VENDOR -+ | USB_DEVICE_ID_MATCH_PRODUCT, -+ .idVendor = USB_VENDOR_CYPRESS, -+ .idProduct = USB_PRODUCT_CY7C65632, -+ .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND}, - { .match_flags = USB_DEVICE_ID_MATCH_VENDOR - | USB_DEVICE_ID_MATCH_INT_CLASS, - .idVendor = USB_VENDOR_GENESYS_LOGIC, -diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c -index 126f0e10b3ef4..0022039bc2355 100644 ---- a/drivers/usb/dwc3/core.c -+++ b/drivers/usb/dwc3/core.c -@@ -1657,8 +1657,8 @@ static int dwc3_remove(struct platform_device *pdev) - - pm_runtime_get_sync(&pdev->dev); - -- dwc3_debugfs_exit(dwc); - dwc3_core_exit_mode(dwc); -+ dwc3_debugfs_exit(dwc); - - dwc3_core_exit(dwc); - dwc3_ulpi_exit(dwc); -diff --git a/drivers/usb/dwc3/debug.h b/drivers/usb/dwc3/debug.h -index 8ab3949423604..74d9c2c38193d 100644 ---- a/drivers/usb/dwc3/debug.h -+++ b/drivers/usb/dwc3/debug.h -@@ -413,9 +413,12 @@ static inline const char *dwc3_gadget_generic_cmd_status_string(int status) - - - #ifdef CONFIG_DEBUG_FS -+extern void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep); - extern void dwc3_debugfs_init(struct dwc3 *d); - extern void dwc3_debugfs_exit(struct dwc3 *d); - #else -+static inline void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) -+{ } - static inline void dwc3_debugfs_init(struct dwc3 *d) - { } - static inline void dwc3_debugfs_exit(struct dwc3 *d) -diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c -index 5da4f6082d930..3ebe3e6c284d2 100644 ---- a/drivers/usb/dwc3/debugfs.c -+++ b/drivers/usb/dwc3/debugfs.c -@@ -890,30 +890,14 @@ static void dwc3_debugfs_create_endpoint_files(struct dwc3_ep *dep, - } - } - --static void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep, -- struct dentry *parent) -+void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) - { - struct dentry *dir; - -- dir = debugfs_create_dir(dep->name, parent); -+ dir = debugfs_create_dir(dep->name, dep->dwc->root); - dwc3_debugfs_create_endpoint_files(dep, dir); - } - --static void dwc3_debugfs_create_endpoint_dirs(struct dwc3 *dwc, -- struct dentry *parent) --{ -- int i; -- -- for (i = 0; i < dwc->num_eps; i++) { -- struct dwc3_ep *dep = dwc->eps[i]; -- -- if (!dep) -- continue; -- -- dwc3_debugfs_create_endpoint_dir(dep, parent); -- } --} -- - void dwc3_debugfs_init(struct dwc3 *dwc) - { - struct dentry *root; -@@ -944,7 +928,6 @@ void dwc3_debugfs_init(struct dwc3 *dwc) - &dwc3_testmode_fops); - debugfs_create_file("link_state", 0644, root, dwc, - &dwc3_link_state_fops); -- dwc3_debugfs_create_endpoint_dirs(dwc, root); - } - } - -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 1f9454e0d447b..755ab6fc0791f 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -2719,6 +2719,8 @@ static int dwc3_gadget_init_endpoint(struct dwc3 *dwc, u8 epnum) - INIT_LIST_HEAD(&dep->started_list); - INIT_LIST_HEAD(&dep->cancelled_list); - -+ dwc3_debugfs_create_endpoint_dir(dep); -+ - return 0; - } - -@@ -2762,6 +2764,7 @@ static void dwc3_gadget_free_endpoints(struct dwc3 *dwc) - list_del(&dep->endpoint.ep_list); - } - -+ debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root)); - kfree(dep); - } - } -diff --git a/fs/afs/main.c b/fs/afs/main.c -index b2975256dadbd..179004b15566d 100644 ---- a/fs/afs/main.c -+++ b/fs/afs/main.c -@@ -203,8 +203,8 @@ static int __init afs_init(void) - goto error_fs; - - afs_proc_symlink = proc_symlink("fs/afs", NULL, "../self/net/afs"); -- if (IS_ERR(afs_proc_symlink)) { -- ret = PTR_ERR(afs_proc_symlink); -+ if (!afs_proc_symlink) { -+ ret = -ENOMEM; - goto error_proc; - } - -diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c -index a7d9e147dee62..595fd083c4ad1 100644 ---- a/fs/btrfs/block-group.c -+++ b/fs/btrfs/block-group.c -@@ -2347,16 +2347,16 @@ void btrfs_dec_block_group_ro(struct btrfs_block_group *cache) - spin_lock(&sinfo->lock); - spin_lock(&cache->lock); - if (!--cache->ro) { -- num_bytes = cache->length - cache->reserved - -- cache->pinned - cache->bytes_super - -- cache->zone_unusable - cache->used; -- sinfo->bytes_readonly -= num_bytes; - if (btrfs_is_zoned(cache->fs_info)) { - /* Migrate zone_unusable bytes back */ - cache->zone_unusable = cache->alloc_offset - cache->used; - sinfo->bytes_zone_unusable += cache->zone_unusable; - sinfo->bytes_readonly -= cache->zone_unusable; - } -+ num_bytes = cache->length - cache->reserved - -+ cache->pinned - cache->bytes_super - -+ cache->zone_unusable - cache->used; -+ sinfo->bytes_readonly -= num_bytes; - list_del_init(&cache->ro_list); - } - spin_unlock(&cache->lock); -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index c63d0a7f7ba4f..527c972b562dd 100644 ---- a/fs/hugetlbfs/inode.c -+++ b/fs/hugetlbfs/inode.c -@@ -738,6 +738,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, - __SetPageUptodate(page); - error = huge_add_to_page_cache(page, mapping, index); - if (unlikely(error)) { -+ restore_reserve_on_error(h, &pseudo_vma, addr, page); - put_page(page); - mutex_unlock(&hugetlb_fault_mutex_table[hash]); - goto out; -diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 9e0c1afac8bdf..c175523b0a2c1 100644 ---- a/fs/notify/fanotify/fanotify_user.c -+++ b/fs/notify/fanotify/fanotify_user.c -@@ -378,7 +378,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, - info_type, fanotify_info_name(info), - info->name_len, buf, count); - if (ret < 0) -- return ret; -+ goto out_close_fd; - - buf += ret; - count -= ret; -@@ -426,7 +426,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, - fanotify_event_object_fh(event), - info_type, dot, dot_len, buf, count); - if (ret < 0) -- return ret; -+ goto out_close_fd; - - buf += ret; - count -= ret; -diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h -index cccd1aab69dd1..5dae4187210d9 100644 ---- a/include/linux/hugetlb.h -+++ b/include/linux/hugetlb.h -@@ -145,6 +145,7 @@ bool hugetlb_reserve_pages(struct inode *inode, long from, long to, - long hugetlb_unreserve_pages(struct inode *inode, long start, long end, - long freed); - bool isolate_huge_page(struct page *page, struct list_head *list); -+int get_hwpoison_huge_page(struct page *page, bool *hugetlb); - void putback_active_hugepage(struct page *page); - void move_hugetlb_state(struct page *oldpage, struct page *newpage, int reason); - void free_huge_page(struct page *page); -@@ -330,6 +331,11 @@ static inline bool isolate_huge_page(struct page *page, struct list_head *list) - return false; - } - -+static inline int get_hwpoison_huge_page(struct page *page, bool *hugetlb) -+{ -+ return 0; -+} -+ - static inline void putback_active_hugepage(struct page *page) - { - } -@@ -591,6 +597,8 @@ struct page *alloc_huge_page_vma(struct hstate *h, struct vm_area_struct *vma, - unsigned long address); - int huge_add_to_page_cache(struct page *page, struct address_space *mapping, - pgoff_t idx); -+void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, -+ unsigned long address, struct page *page); - - /* arch callback */ - int __init __alloc_bootmem_huge_page(struct hstate *h); -diff --git a/include/linux/mfd/rohm-bd70528.h b/include/linux/mfd/rohm-bd70528.h -index a57af878fd0cd..4a5966475a35a 100644 ---- a/include/linux/mfd/rohm-bd70528.h -+++ b/include/linux/mfd/rohm-bd70528.h -@@ -26,9 +26,7 @@ struct bd70528_data { - struct mutex rtc_timer_lock; - }; - --#define BD70528_BUCK_VOLTS 17 --#define BD70528_BUCK_VOLTS 17 --#define BD70528_BUCK_VOLTS 17 -+#define BD70528_BUCK_VOLTS 0x10 - #define BD70528_LDO_VOLTS 0x20 - - #define BD70528_REG_BUCK1_EN 0x0F -diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h -index 133967c40214b..6a31bbba1b6f1 100644 ---- a/include/linux/mlx5/driver.h -+++ b/include/linux/mlx5/driver.h -@@ -541,6 +541,10 @@ struct mlx5_core_roce { - enum { - MLX5_PRIV_FLAGS_DISABLE_IB_ADEV = 1 << 0, - MLX5_PRIV_FLAGS_DISABLE_ALL_ADEV = 1 << 1, -+ /* Set during device detach to block any further devices -+ * creation/deletion on drivers rescan. Unset during device attach. -+ */ -+ MLX5_PRIV_FLAGS_DETACH = 1 << 2, - }; - - struct mlx5_adev { -diff --git a/include/linux/mlx5/transobj.h b/include/linux/mlx5/transobj.h -index 028f442530cf5..60ffeb6b67ae7 100644 ---- a/include/linux/mlx5/transobj.h -+++ b/include/linux/mlx5/transobj.h -@@ -85,4 +85,5 @@ mlx5_core_hairpin_create(struct mlx5_core_dev *func_mdev, - struct mlx5_hairpin_params *params); - - void mlx5_core_hairpin_destroy(struct mlx5_hairpin *pair); -+void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp); - #endif /* __TRANSOBJ_H__ */ -diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 5aacc1c10a45a..8f0fb62e8975c 100644 ---- a/include/linux/mm_types.h -+++ b/include/linux/mm_types.h -@@ -445,13 +445,6 @@ struct mm_struct { - */ - atomic_t has_pinned; - -- /** -- * @write_protect_seq: Locked when any thread is write -- * protecting pages mapped by this mm to enforce a later COW, -- * for instance during page table copying for fork(). -- */ -- seqcount_t write_protect_seq; -- - #ifdef CONFIG_MMU - atomic_long_t pgtables_bytes; /* PTE page table pages */ - #endif -@@ -460,6 +453,18 @@ struct mm_struct { - spinlock_t page_table_lock; /* Protects page tables and some - * counters - */ -+ /* -+ * With some kernel config, the current mmap_lock's offset -+ * inside 'mm_struct' is at 0x120, which is very optimal, as -+ * its two hot fields 'count' and 'owner' sit in 2 different -+ * cachelines, and when mmap_lock is highly contended, both -+ * of the 2 fields will be accessed frequently, current layout -+ * will help to reduce cache bouncing. -+ * -+ * So please be careful with adding new fields before -+ * mmap_lock, which can easily push the 2 fields into one -+ * cacheline. -+ */ - struct rw_semaphore mmap_lock; - - struct list_head mmlist; /* List of maybe swapped mm's. These -@@ -480,7 +485,15 @@ struct mm_struct { - unsigned long stack_vm; /* VM_STACK */ - unsigned long def_flags; - -+ /** -+ * @write_protect_seq: Locked when any thread is write -+ * protecting pages mapped by this mm to enforce a later COW, -+ * for instance during page table copying for fork(). -+ */ -+ seqcount_t write_protect_seq; -+ - spinlock_t arg_lock; /* protect the below fields */ -+ - unsigned long start_code, end_code, start_data, end_data; - unsigned long start_brk, brk, start_stack; - unsigned long arg_start, arg_end, env_start, env_end; -diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h -index 0d47fd33b2285..51d7f1b8b32aa 100644 ---- a/include/linux/ptp_clock_kernel.h -+++ b/include/linux/ptp_clock_kernel.h -@@ -235,7 +235,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp); - * @ppm: Parts per million, but with a 16 bit binary fractional field - */ - --extern s32 scaled_ppm_to_ppb(long ppm); -+extern long scaled_ppm_to_ppb(long ppm); - - /** - * ptp_find_pin() - obtain the pin index of a given auxiliary function -diff --git a/include/linux/socket.h b/include/linux/socket.h -index 385894b4a8bba..42222a84167f3 100644 ---- a/include/linux/socket.h -+++ b/include/linux/socket.h -@@ -438,6 +438,4 @@ extern int __sys_socketpair(int family, int type, int protocol, - int __user *usockvec); - extern int __sys_shutdown_sock(struct socket *sock, int how); - extern int __sys_shutdown(int fd, int how); -- --extern struct ns_common *get_net_ns(struct ns_common *ns); - #endif /* _LINUX_SOCKET_H */ -diff --git a/include/linux/swapops.h b/include/linux/swapops.h -index d9b7c9132c2f6..6430a94c69818 100644 ---- a/include/linux/swapops.h -+++ b/include/linux/swapops.h -@@ -23,6 +23,16 @@ - #define SWP_TYPE_SHIFT (BITS_PER_XA_VALUE - MAX_SWAPFILES_SHIFT) - #define SWP_OFFSET_MASK ((1UL << SWP_TYPE_SHIFT) - 1) - -+/* Clear all flags but only keep swp_entry_t related information */ -+static inline pte_t pte_swp_clear_flags(pte_t pte) -+{ -+ if (pte_swp_soft_dirty(pte)) -+ pte = pte_swp_clear_soft_dirty(pte); -+ if (pte_swp_uffd_wp(pte)) -+ pte = pte_swp_clear_uffd_wp(pte); -+ return pte; -+} -+ - /* - * Store a type+offset into a swp_entry_t in an arch-independent format - */ -@@ -66,10 +76,7 @@ static inline swp_entry_t pte_to_swp_entry(pte_t pte) - { - swp_entry_t arch_entry; - -- if (pte_swp_soft_dirty(pte)) -- pte = pte_swp_clear_soft_dirty(pte); -- if (pte_swp_uffd_wp(pte)) -- pte = pte_swp_clear_uffd_wp(pte); -+ pte = pte_swp_clear_flags(pte); - arch_entry = __pte_to_swp_entry(pte); - return swp_entry(__swp_type(arch_entry), __swp_offset(arch_entry)); - } -diff --git a/include/net/mac80211.h b/include/net/mac80211.h -index 2d1d629e5d14b..a5ca18cfdb6fb 100644 ---- a/include/net/mac80211.h -+++ b/include/net/mac80211.h -@@ -6388,7 +6388,12 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw, - - /** - * ieee80211_parse_tx_radiotap - Sanity-check and parse the radiotap header -- * of injected frames -+ * of injected frames. -+ * -+ * To accurately parse and take into account rate and retransmission fields, -+ * you must initialize the chandef field in the ieee80211_tx_info structure -+ * of the skb before calling this function. -+ * - * @skb: packet injected by userspace - * @dev: the &struct device of this 802.11 device - */ -diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h -index dcaee24a4d877..14b6f7f445322 100644 ---- a/include/net/net_namespace.h -+++ b/include/net/net_namespace.h -@@ -197,6 +197,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns, - void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid); - - void net_ns_barrier(void); -+ -+struct ns_common *get_net_ns(struct ns_common *ns); - #else /* CONFIG_NET_NS */ - #include - #include -@@ -216,6 +218,11 @@ static inline void net_ns_get_ownership(const struct net *net, - } - - static inline void net_ns_barrier(void) {} -+ -+static inline struct ns_common *get_net_ns(struct ns_common *ns) -+{ -+ return ERR_PTR(-EINVAL); -+} - #endif /* CONFIG_NET_NS */ - - -diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h -index 7d6687618d808..d1b327036ae43 100644 ---- a/include/uapi/linux/in.h -+++ b/include/uapi/linux/in.h -@@ -289,6 +289,9 @@ struct sockaddr_in { - /* Address indicating an error return. */ - #define INADDR_NONE ((unsigned long int) 0xffffffff) - -+/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ -+#define INADDR_DUMMY ((unsigned long int) 0xc0000008) -+ - /* Network number for local host loopback. */ - #define IN_LOOPBACKNET 127 - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 9e600767803b5..2423b4e918b90 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5937,6 +5937,27 @@ struct bpf_sanitize_info { - bool mask_to_left; - }; - -+static struct bpf_verifier_state * -+sanitize_speculative_path(struct bpf_verifier_env *env, -+ const struct bpf_insn *insn, -+ u32 next_idx, u32 curr_idx) -+{ -+ struct bpf_verifier_state *branch; -+ struct bpf_reg_state *regs; -+ -+ branch = push_stack(env, next_idx, curr_idx, true); -+ if (branch && insn) { -+ regs = branch->frame[branch->curframe]->regs; -+ if (BPF_SRC(insn->code) == BPF_K) { -+ mark_reg_unknown(env, regs, insn->dst_reg); -+ } else if (BPF_SRC(insn->code) == BPF_X) { -+ mark_reg_unknown(env, regs, insn->dst_reg); -+ mark_reg_unknown(env, regs, insn->src_reg); -+ } -+ } -+ return branch; -+} -+ - static int sanitize_ptr_alu(struct bpf_verifier_env *env, - struct bpf_insn *insn, - const struct bpf_reg_state *ptr_reg, -@@ -6020,12 +6041,26 @@ do_sim: - tmp = *dst_reg; - *dst_reg = *ptr_reg; - } -- ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); -+ ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, -+ env->insn_idx); - if (!ptr_is_dst_reg && ret) - *dst_reg = tmp; - return !ret ? REASON_STACK : 0; - } - -+static void sanitize_mark_insn_seen(struct bpf_verifier_env *env) -+{ -+ struct bpf_verifier_state *vstate = env->cur_state; -+ -+ /* If we simulate paths under speculation, we don't update the -+ * insn as 'seen' such that when we verify unreachable paths in -+ * the non-speculative domain, sanitize_dead_code() can still -+ * rewrite/sanitize them. -+ */ -+ if (!vstate->speculative) -+ env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+} -+ - static int sanitize_err(struct bpf_verifier_env *env, - const struct bpf_insn *insn, int reason, - const struct bpf_reg_state *off_reg, -@@ -8204,14 +8239,28 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, - if (err) - return err; - } -+ - if (pred == 1) { -- /* only follow the goto, ignore fall-through */ -+ /* Only follow the goto, ignore fall-through. If needed, push -+ * the fall-through branch for simulation under speculative -+ * execution. -+ */ -+ if (!env->bypass_spec_v1 && -+ !sanitize_speculative_path(env, insn, *insn_idx + 1, -+ *insn_idx)) -+ return -EFAULT; - *insn_idx += insn->off; - return 0; - } else if (pred == 0) { -- /* only follow fall-through branch, since -- * that's where the program will go -+ /* Only follow the fall-through branch, since that's where the -+ * program will go. If needed, push the goto branch for -+ * simulation under speculative execution. - */ -+ if (!env->bypass_spec_v1 && -+ !sanitize_speculative_path(env, insn, -+ *insn_idx + insn->off + 1, -+ *insn_idx)) -+ return -EFAULT; - return 0; - } - -@@ -10060,7 +10109,7 @@ static int do_check(struct bpf_verifier_env *env) - } - - regs = cur_regs(env); -- env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+ sanitize_mark_insn_seen(env); - prev_insn_idx = env->insn_idx; - - if (class == BPF_ALU || class == BPF_ALU64) { -@@ -10285,7 +10334,7 @@ process_bpf_exit: - return err; - - env->insn_idx++; -- env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+ sanitize_mark_insn_seen(env); - } else { - verbose(env, "invalid BPF_LD mode\n"); - return -EINVAL; -@@ -10784,6 +10833,7 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, - { - struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; - struct bpf_insn *insn = new_prog->insnsi; -+ u32 old_seen = old_data[off].seen; - u32 prog_len; - int i; - -@@ -10804,7 +10854,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, - memcpy(new_data + off + cnt - 1, old_data + off, - sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); - for (i = off; i < off + cnt - 1; i++) { -- new_data[i].seen = env->pass_cnt; -+ /* Expand insni[off]'s seen count to the patched range. */ -+ new_data[i].seen = old_seen; - new_data[i].zext_dst = insn_has_def32(env, insn + i); - } - env->insn_aux_data = new_data; -@@ -12060,6 +12111,9 @@ static void free_states(struct bpf_verifier_env *env) - * insn_aux_data was touched. These variables are compared to clear temporary - * data from failed pass. For testing and experiments do_check_common() can be - * run multiple times even when prior attempt to verify is unsuccessful. -+ * -+ * Note that special handling is needed on !env->bypass_spec_v1 if this is -+ * ever called outside of error path with subsequent program rejection. - */ - static void sanitize_insn_aux_data(struct bpf_verifier_env *env) - { -diff --git a/kernel/crash_core.c b/kernel/crash_core.c -index 825284baaf466..684a6061a13a4 100644 ---- a/kernel/crash_core.c -+++ b/kernel/crash_core.c -@@ -464,6 +464,7 @@ static int __init crash_save_vmcoreinfo_init(void) - VMCOREINFO_LENGTH(mem_section, NR_SECTION_ROOTS); - VMCOREINFO_STRUCT_SIZE(mem_section); - VMCOREINFO_OFFSET(mem_section, section_mem_map); -+ VMCOREINFO_NUMBER(SECTION_SIZE_BITS); - VMCOREINFO_NUMBER(MAX_PHYSMEM_BITS); - #endif - VMCOREINFO_STRUCT_SIZE(page); -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 487312a5ceabb..47fcc3fe9dc5a 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -3760,11 +3760,17 @@ static void attach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *s - */ - static void detach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se) - { -+ /* -+ * cfs_rq->avg.period_contrib can be used for both cfs_rq and se. -+ * See ___update_load_avg() for details. -+ */ -+ u32 divider = get_pelt_divider(&cfs_rq->avg); -+ - dequeue_load_avg(cfs_rq, se); - sub_positive(&cfs_rq->avg.util_avg, se->avg.util_avg); -- sub_positive(&cfs_rq->avg.util_sum, se->avg.util_sum); -+ cfs_rq->avg.util_sum = cfs_rq->avg.util_avg * divider; - sub_positive(&cfs_rq->avg.runnable_avg, se->avg.runnable_avg); -- sub_positive(&cfs_rq->avg.runnable_sum, se->avg.runnable_sum); -+ cfs_rq->avg.runnable_sum = cfs_rq->avg.runnable_avg * divider; - - add_tg_cfs_propagate(cfs_rq, -se->avg.load_sum); - -diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index f2d4ee80feb34..7c8151d74faf0 100644 ---- a/kernel/trace/trace.c -+++ b/kernel/trace/trace.c -@@ -2198,9 +2198,6 @@ struct saved_cmdlines_buffer { - }; - static struct saved_cmdlines_buffer *savedcmd; - --/* temporary disable recording */ --static atomic_t trace_record_taskinfo_disabled __read_mostly; -- - static inline char *get_saved_cmdlines(int idx) - { - return &savedcmd->saved_cmdlines[idx * TASK_COMM_LEN]; -@@ -2486,8 +2483,6 @@ static bool tracing_record_taskinfo_skip(int flags) - { - if (unlikely(!(flags & (TRACE_RECORD_CMDLINE | TRACE_RECORD_TGID)))) - return true; -- if (atomic_read(&trace_record_taskinfo_disabled) || !tracing_is_on()) -- return true; - if (!__this_cpu_read(trace_taskinfo_save)) - return true; - return false; -@@ -3742,9 +3737,6 @@ static void *s_start(struct seq_file *m, loff_t *pos) - return ERR_PTR(-EBUSY); - #endif - -- if (!iter->snapshot) -- atomic_inc(&trace_record_taskinfo_disabled); -- - if (*pos != iter->pos) { - iter->ent = NULL; - iter->cpu = 0; -@@ -3787,9 +3779,6 @@ static void s_stop(struct seq_file *m, void *p) - return; - #endif - -- if (!iter->snapshot) -- atomic_dec(&trace_record_taskinfo_disabled); -- - trace_access_unlock(iter->cpu_file); - trace_event_read_unlock(); - } -diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c -index c1637f90c8a38..4702efb00ff21 100644 ---- a/kernel/trace/trace_clock.c -+++ b/kernel/trace/trace_clock.c -@@ -115,9 +115,9 @@ u64 notrace trace_clock_global(void) - prev_time = READ_ONCE(trace_clock_struct.prev_time); - now = sched_clock_cpu(this_cpu); - -- /* Make sure that now is always greater than prev_time */ -+ /* Make sure that now is always greater than or equal to prev_time */ - if ((s64)(now - prev_time) < 0) -- now = prev_time + 1; -+ now = prev_time; - - /* - * If in an NMI context then dont risk lockups and simply return -@@ -131,7 +131,7 @@ u64 notrace trace_clock_global(void) - /* Reread prev_time in case it was already updated */ - prev_time = READ_ONCE(trace_clock_struct.prev_time); - if ((s64)(now - prev_time) < 0) -- now = prev_time + 1; -+ now = prev_time; - - trace_clock_struct.prev_time = now; - -diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index ce63ec0187c55..3da4817190f3d 100644 ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -2127,12 +2127,18 @@ out: - * be restored when a newly allocated huge page must be freed. It is - * to be called after calling vma_needs_reservation to determine if a - * reservation exists. -+ * -+ * vma_del_reservation is used in error paths where an entry in the reserve -+ * map was created during huge page allocation and must be removed. It is to -+ * be called after calling vma_needs_reservation to determine if a reservation -+ * exists. - */ - enum vma_resv_mode { - VMA_NEEDS_RESV, - VMA_COMMIT_RESV, - VMA_END_RESV, - VMA_ADD_RESV, -+ VMA_DEL_RESV, - }; - static long __vma_reservation_common(struct hstate *h, - struct vm_area_struct *vma, unsigned long addr, -@@ -2176,11 +2182,21 @@ static long __vma_reservation_common(struct hstate *h, - ret = region_del(resv, idx, idx + 1); - } - break; -+ case VMA_DEL_RESV: -+ if (vma->vm_flags & VM_MAYSHARE) { -+ region_abort(resv, idx, idx + 1, 1); -+ ret = region_del(resv, idx, idx + 1); -+ } else { -+ ret = region_add(resv, idx, idx + 1, 1, NULL, NULL); -+ /* region_add calls of range 1 should never fail. */ -+ VM_BUG_ON(ret < 0); -+ } -+ break; - default: - BUG(); - } - -- if (vma->vm_flags & VM_MAYSHARE) -+ if (vma->vm_flags & VM_MAYSHARE || mode == VMA_DEL_RESV) - return ret; - else if (is_vma_resv_set(vma, HPAGE_RESV_OWNER) && ret >= 0) { - /* -@@ -2229,25 +2245,39 @@ static long vma_add_reservation(struct hstate *h, - return __vma_reservation_common(h, vma, addr, VMA_ADD_RESV); - } - -+static long vma_del_reservation(struct hstate *h, -+ struct vm_area_struct *vma, unsigned long addr) -+{ -+ return __vma_reservation_common(h, vma, addr, VMA_DEL_RESV); -+} -+ - /* -- * This routine is called to restore a reservation on error paths. In the -- * specific error paths, a huge page was allocated (via alloc_huge_page) -- * and is about to be freed. If a reservation for the page existed, -- * alloc_huge_page would have consumed the reservation and set -- * HPageRestoreReserve in the newly allocated page. When the page is freed -- * via free_huge_page, the global reservation count will be incremented if -- * HPageRestoreReserve is set. However, free_huge_page can not adjust the -- * reserve map. Adjust the reserve map here to be consistent with global -- * reserve count adjustments to be made by free_huge_page. -+ * This routine is called to restore reservation information on error paths. -+ * It should ONLY be called for pages allocated via alloc_huge_page(), and -+ * the hugetlb mutex should remain held when calling this routine. -+ * -+ * It handles two specific cases: -+ * 1) A reservation was in place and the page consumed the reservation. -+ * HPageRestoreReserve is set in the page. -+ * 2) No reservation was in place for the page, so HPageRestoreReserve is -+ * not set. However, alloc_huge_page always updates the reserve map. -+ * -+ * In case 1, free_huge_page later in the error path will increment the -+ * global reserve count. But, free_huge_page does not have enough context -+ * to adjust the reservation map. This case deals primarily with private -+ * mappings. Adjust the reserve map here to be consistent with global -+ * reserve count adjustments to be made by free_huge_page. Make sure the -+ * reserve map indicates there is a reservation present. -+ * -+ * In case 2, simply undo reserve map modifications done by alloc_huge_page. - */ --static void restore_reserve_on_error(struct hstate *h, -- struct vm_area_struct *vma, unsigned long address, -- struct page *page) -+void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, -+ unsigned long address, struct page *page) - { -- if (unlikely(HPageRestoreReserve(page))) { -- long rc = vma_needs_reservation(h, vma, address); -+ long rc = vma_needs_reservation(h, vma, address); - -- if (unlikely(rc < 0)) { -+ if (HPageRestoreReserve(page)) { -+ if (unlikely(rc < 0)) - /* - * Rare out of memory condition in reserve map - * manipulation. Clear HPageRestoreReserve so that -@@ -2260,16 +2290,57 @@ static void restore_reserve_on_error(struct hstate *h, - * accounting of reserve counts. - */ - ClearHPageRestoreReserve(page); -- } else if (rc) { -- rc = vma_add_reservation(h, vma, address); -- if (unlikely(rc < 0)) -+ else if (rc) -+ (void)vma_add_reservation(h, vma, address); -+ else -+ vma_end_reservation(h, vma, address); -+ } else { -+ if (!rc) { -+ /* -+ * This indicates there is an entry in the reserve map -+ * added by alloc_huge_page. We know it was added -+ * before the alloc_huge_page call, otherwise -+ * HPageRestoreReserve would be set on the page. -+ * Remove the entry so that a subsequent allocation -+ * does not consume a reservation. -+ */ -+ rc = vma_del_reservation(h, vma, address); -+ if (rc < 0) - /* -- * See above comment about rare out of -- * memory condition. -+ * VERY rare out of memory condition. Since -+ * we can not delete the entry, set -+ * HPageRestoreReserve so that the reserve -+ * count will be incremented when the page -+ * is freed. This reserve will be consumed -+ * on a subsequent allocation. - */ -- ClearHPageRestoreReserve(page); -+ SetHPageRestoreReserve(page); -+ } else if (rc < 0) { -+ /* -+ * Rare out of memory condition from -+ * vma_needs_reservation call. Memory allocation is -+ * only attempted if a new entry is needed. Therefore, -+ * this implies there is not an entry in the -+ * reserve map. -+ * -+ * For shared mappings, no entry in the map indicates -+ * no reservation. We are done. -+ */ -+ if (!(vma->vm_flags & VM_MAYSHARE)) -+ /* -+ * For private mappings, no entry indicates -+ * a reservation is present. Since we can -+ * not add an entry, set SetHPageRestoreReserve -+ * on the page so reserve count will be -+ * incremented when freed. This reserve will -+ * be consumed on a subsequent allocation. -+ */ -+ SetHPageRestoreReserve(page); - } else -- vma_end_reservation(h, vma, address); -+ /* -+ * No reservation present, do nothing -+ */ -+ vma_end_reservation(h, vma, address); - } - } - -@@ -3886,6 +3957,8 @@ again: - spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING); - entry = huge_ptep_get(src_pte); - if (!pte_same(src_pte_old, entry)) { -+ restore_reserve_on_error(h, vma, addr, -+ new); - put_page(new); - /* dst_entry won't change as in child */ - goto again; -@@ -4820,6 +4893,7 @@ out_release_unlock: - if (vm_shared) - unlock_page(page); - out_release_nounlock: -+ restore_reserve_on_error(h, dst_vma, dst_addr, page); - put_page(page); - goto out; - } -@@ -5664,6 +5738,21 @@ unlock: - return ret; - } - -+int get_hwpoison_huge_page(struct page *page, bool *hugetlb) -+{ -+ int ret = 0; -+ -+ *hugetlb = false; -+ spin_lock_irq(&hugetlb_lock); -+ if (PageHeadHuge(page)) { -+ *hugetlb = true; -+ if (HPageFreed(page) || HPageMigratable(page)) -+ ret = get_page_unless_zero(page); -+ } -+ spin_unlock_irq(&hugetlb_lock); -+ return ret; -+} -+ - void putback_active_hugepage(struct page *page) - { - spin_lock(&hugetlb_lock); -diff --git a/mm/memory-failure.c b/mm/memory-failure.c -index bd3945446d47e..704d05057d8c3 100644 ---- a/mm/memory-failure.c -+++ b/mm/memory-failure.c -@@ -949,6 +949,17 @@ static int page_action(struct page_state *ps, struct page *p, - return (result == MF_RECOVERED || result == MF_DELAYED) ? 0 : -EBUSY; - } - -+/* -+ * Return true if a page type of a given page is supported by hwpoison -+ * mechanism (while handling could fail), otherwise false. This function -+ * does not return true for hugetlb or device memory pages, so it's assumed -+ * to be called only in the context where we never have such pages. -+ */ -+static inline bool HWPoisonHandlable(struct page *page) -+{ -+ return PageLRU(page) || __PageMovable(page); -+} -+ - /** - * __get_hwpoison_page() - Get refcount for memory error handling: - * @page: raw error page (hit by memory error) -@@ -959,8 +970,22 @@ static int page_action(struct page_state *ps, struct page *p, - static int __get_hwpoison_page(struct page *page) - { - struct page *head = compound_head(page); -+ int ret = 0; -+ bool hugetlb = false; -+ -+ ret = get_hwpoison_huge_page(head, &hugetlb); -+ if (hugetlb) -+ return ret; - -- if (!PageHuge(head) && PageTransHuge(head)) { -+ /* -+ * This check prevents from calling get_hwpoison_unless_zero() -+ * for any unsupported type of page in order to reduce the risk of -+ * unexpected races caused by taking a page refcount. -+ */ -+ if (!HWPoisonHandlable(head)) -+ return 0; -+ -+ if (PageTransHuge(head)) { - /* - * Non anonymous thp exists only in allocation/free time. We - * can't handle such a case correctly, so let's give it up. -@@ -1017,7 +1042,7 @@ try_again: - ret = -EIO; - } - } else { -- if (PageHuge(p) || PageLRU(p) || __PageMovable(p)) { -+ if (PageHuge(p) || HWPoisonHandlable(p)) { - ret = 1; - } else { - /* -@@ -1527,7 +1552,12 @@ try_again: - return 0; - } - -- if (!PageTransTail(p) && !PageLRU(p)) -+ /* -+ * __munlock_pagevec may clear a writeback page's LRU flag without -+ * page_lock. We need wait writeback completion for this page or it -+ * may trigger vfs BUG while evict inode. -+ */ -+ if (!PageTransTail(p) && !PageLRU(p) && !PageWriteback(p)) - goto identify_page_state; - - /* -diff --git a/mm/slab_common.c b/mm/slab_common.c -index 88e833986332e..ba2f4b01920fd 100644 ---- a/mm/slab_common.c -+++ b/mm/slab_common.c -@@ -89,8 +89,7 @@ EXPORT_SYMBOL(kmem_cache_size); - #ifdef CONFIG_DEBUG_VM - static int kmem_cache_sanity_check(const char *name, unsigned int size) - { -- if (!name || in_interrupt() || size < sizeof(void *) || -- size > KMALLOC_MAX_SIZE) { -+ if (!name || in_interrupt() || size > KMALLOC_MAX_SIZE) { - pr_err("kmem_cache_create(%s) integrity check failed\n", name); - return -EINVAL; - } -diff --git a/mm/slub.c b/mm/slub.c -index 3021ce9bf1b3d..602f9712ab53d 100644 ---- a/mm/slub.c -+++ b/mm/slub.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - #include - #include - #include "slab.h" -@@ -710,15 +711,15 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) - p, p - addr, get_freepointer(s, p)); - - if (s->flags & SLAB_RED_ZONE) -- print_section(KERN_ERR, "Redzone ", p - s->red_left_pad, -+ print_section(KERN_ERR, "Redzone ", p - s->red_left_pad, - s->red_left_pad); - else if (p > addr + 16) - print_section(KERN_ERR, "Bytes b4 ", p - 16, 16); - -- print_section(KERN_ERR, "Object ", p, -+ print_section(KERN_ERR, "Object ", p, - min_t(unsigned int, s->object_size, PAGE_SIZE)); - if (s->flags & SLAB_RED_ZONE) -- print_section(KERN_ERR, "Redzone ", p + s->object_size, -+ print_section(KERN_ERR, "Redzone ", p + s->object_size, - s->inuse - s->object_size); - - off = get_info_end(s); -@@ -730,7 +731,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) - - if (off != size_from_object(s)) - /* Beginning of the filler is the free pointer */ -- print_section(KERN_ERR, "Padding ", p + off, -+ print_section(KERN_ERR, "Padding ", p + off, - size_from_object(s) - off); - - dump_stack(); -@@ -907,11 +908,11 @@ static int check_object(struct kmem_cache *s, struct page *page, - u8 *endobject = object + s->object_size; - - if (s->flags & SLAB_RED_ZONE) { -- if (!check_bytes_and_report(s, page, object, "Redzone", -+ if (!check_bytes_and_report(s, page, object, "Left Redzone", - object - s->red_left_pad, val, s->red_left_pad)) - return 0; - -- if (!check_bytes_and_report(s, page, object, "Redzone", -+ if (!check_bytes_and_report(s, page, object, "Right Redzone", - endobject, val, s->inuse - s->object_size)) - return 0; - } else { -@@ -926,7 +927,7 @@ static int check_object(struct kmem_cache *s, struct page *page, - if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) && - (!check_bytes_and_report(s, page, p, "Poison", p, - POISON_FREE, s->object_size - 1) || -- !check_bytes_and_report(s, page, p, "Poison", -+ !check_bytes_and_report(s, page, p, "End Poison", - p + s->object_size - 1, POISON_END, 1))) - return 0; - /* -@@ -3687,7 +3688,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) - { - slab_flags_t flags = s->flags; - unsigned int size = s->object_size; -- unsigned int freepointer_area; - unsigned int order; - - /* -@@ -3696,13 +3696,6 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) - * the possible location of the free pointer. - */ - size = ALIGN(size, sizeof(void *)); -- /* -- * This is the area of the object where a freepointer can be -- * safely written. If redzoning adds more to the inuse size, we -- * can't use that portion for writing the freepointer, so -- * s->offset must be limited within this for the general case. -- */ -- freepointer_area = size; - - #ifdef CONFIG_SLUB_DEBUG - /* -@@ -3728,19 +3721,21 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) - - /* - * With that we have determined the number of bytes in actual use -- * by the object. This is the potential offset to the free pointer. -+ * by the object and redzoning. - */ - s->inuse = size; - -- if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || -- s->ctor)) { -+ if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) || -+ ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) || -+ s->ctor) { - /* - * Relocate free pointer after the object if it is not - * permitted to overwrite the first word of the object on - * kmem_cache_free. - * - * This is the case if we do RCU, have a constructor or -- * destructor or are poisoning the objects. -+ * destructor, are poisoning the objects, or are -+ * redzoning an object smaller than sizeof(void *). - * - * The assumption that s->offset >= s->inuse means free - * pointer is outside of the object is used in the -@@ -3749,13 +3744,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) - */ - s->offset = size; - size += sizeof(void *); -- } else if (freepointer_area > sizeof(void *)) { -+ } else { - /* - * Store freelist pointer near middle of object to keep - * it away from the edges of the object to avoid small - * sized over/underflows from neighboring allocations. - */ -- s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); -+ s->offset = ALIGN_DOWN(s->object_size / 2, sizeof(void *)); - } - - #ifdef CONFIG_SLUB_DEBUG -diff --git a/mm/swapfile.c b/mm/swapfile.c -index 084a5b9a18e5c..2097648df212d 100644 ---- a/mm/swapfile.c -+++ b/mm/swapfile.c -@@ -1900,7 +1900,7 @@ unsigned int count_swap_pages(int type, int free) - - static inline int pte_same_as_swp(pte_t pte, pte_t swp_pte) - { -- return pte_same(pte_swp_clear_soft_dirty(pte), swp_pte); -+ return pte_same(pte_swp_clear_flags(pte), swp_pte); - } - - /* -diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c -index a5e313cd6f447..b9dd150f6f01d 100644 ---- a/net/batman-adv/bat_iv_ogm.c -+++ b/net/batman-adv/bat_iv_ogm.c -@@ -409,8 +409,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) - if (WARN_ON(!forw_packet->if_outgoing)) - return; - -- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) -+ if (forw_packet->if_outgoing->soft_iface != soft_iface) { -+ pr_warn("%s: soft interface switch for queued OGM\n", __func__); - return; -+ } - - if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) - return; -diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h -index af3430c2d6ea8..660dec6785ad9 100644 ---- a/net/bridge/br_private.h -+++ b/net/bridge/br_private.h -@@ -90,8 +90,8 @@ struct bridge_mcast_stats { - #endif - - struct br_tunnel_info { -- __be64 tunnel_id; -- struct metadata_dst *tunnel_dst; -+ __be64 tunnel_id; -+ struct metadata_dst __rcu *tunnel_dst; - }; - - /* private vlan flags */ -diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c -index 169e005fbda29..debe167202782 100644 ---- a/net/bridge/br_vlan_tunnel.c -+++ b/net/bridge/br_vlan_tunnel.c -@@ -41,26 +41,33 @@ static struct net_bridge_vlan *br_vlan_tunnel_lookup(struct rhashtable *tbl, - br_vlan_tunnel_rht_params); - } - -+static void vlan_tunnel_info_release(struct net_bridge_vlan *vlan) -+{ -+ struct metadata_dst *tdst = rtnl_dereference(vlan->tinfo.tunnel_dst); -+ -+ WRITE_ONCE(vlan->tinfo.tunnel_id, 0); -+ RCU_INIT_POINTER(vlan->tinfo.tunnel_dst, NULL); -+ dst_release(&tdst->dst); -+} -+ - void vlan_tunnel_info_del(struct net_bridge_vlan_group *vg, - struct net_bridge_vlan *vlan) - { -- if (!vlan->tinfo.tunnel_dst) -+ if (!rcu_access_pointer(vlan->tinfo.tunnel_dst)) - return; - rhashtable_remove_fast(&vg->tunnel_hash, &vlan->tnode, - br_vlan_tunnel_rht_params); -- vlan->tinfo.tunnel_id = 0; -- dst_release(&vlan->tinfo.tunnel_dst->dst); -- vlan->tinfo.tunnel_dst = NULL; -+ vlan_tunnel_info_release(vlan); - } - - static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, - struct net_bridge_vlan *vlan, u32 tun_id) - { -- struct metadata_dst *metadata = NULL; -+ struct metadata_dst *metadata = rtnl_dereference(vlan->tinfo.tunnel_dst); - __be64 key = key32_to_tunnel_id(cpu_to_be32(tun_id)); - int err; - -- if (vlan->tinfo.tunnel_dst) -+ if (metadata) - return -EEXIST; - - metadata = __ip_tun_set_dst(0, 0, 0, 0, 0, TUNNEL_KEY, -@@ -69,8 +76,8 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, - return -EINVAL; - - metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX | IP_TUNNEL_INFO_BRIDGE; -- vlan->tinfo.tunnel_dst = metadata; -- vlan->tinfo.tunnel_id = key; -+ rcu_assign_pointer(vlan->tinfo.tunnel_dst, metadata); -+ WRITE_ONCE(vlan->tinfo.tunnel_id, key); - - err = rhashtable_lookup_insert_fast(&vg->tunnel_hash, &vlan->tnode, - br_vlan_tunnel_rht_params); -@@ -79,9 +86,7 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, - - return 0; - out: -- dst_release(&vlan->tinfo.tunnel_dst->dst); -- vlan->tinfo.tunnel_dst = NULL; -- vlan->tinfo.tunnel_id = 0; -+ vlan_tunnel_info_release(vlan); - - return err; - } -@@ -182,12 +187,15 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb, - int br_handle_egress_vlan_tunnel(struct sk_buff *skb, - struct net_bridge_vlan *vlan) - { -+ struct metadata_dst *tunnel_dst; -+ __be64 tunnel_id; - int err; - -- if (!vlan || !vlan->tinfo.tunnel_id) -+ if (!vlan) - return 0; - -- if (unlikely(!skb_vlan_tag_present(skb))) -+ tunnel_id = READ_ONCE(vlan->tinfo.tunnel_id); -+ if (!tunnel_id || unlikely(!skb_vlan_tag_present(skb))) - return 0; - - skb_dst_drop(skb); -@@ -195,7 +203,9 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, - if (err) - return err; - -- skb_dst_set(skb, dst_clone(&vlan->tinfo.tunnel_dst->dst)); -+ tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst); -+ if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst)) -+ skb_dst_set(skb, &tunnel_dst->dst); - - return 0; - } -diff --git a/net/can/bcm.c b/net/can/bcm.c -index 909b9e684e043..f3e4d9528fa38 100644 ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -125,7 +125,7 @@ struct bcm_sock { - struct sock sk; - int bound; - int ifindex; -- struct notifier_block notifier; -+ struct list_head notifier; - struct list_head rx_ops; - struct list_head tx_ops; - unsigned long dropped_usr_msgs; -@@ -133,6 +133,10 @@ struct bcm_sock { - char procname [32]; /* inode number in decimal with \0 */ - }; - -+static LIST_HEAD(bcm_notifier_list); -+static DEFINE_SPINLOCK(bcm_notifier_lock); -+static struct bcm_sock *bcm_busy_notifier; -+ - static inline struct bcm_sock *bcm_sk(const struct sock *sk) - { - return (struct bcm_sock *)sk; -@@ -402,6 +406,7 @@ static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer) - if (!op->count && (op->flags & TX_COUNTEVT)) { - - /* create notification to user */ -+ memset(&msg_head, 0, sizeof(msg_head)); - msg_head.opcode = TX_EXPIRED; - msg_head.flags = op->flags; - msg_head.count = op->count; -@@ -439,6 +444,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct canfd_frame *data) - /* this element is not throttled anymore */ - data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV); - -+ memset(&head, 0, sizeof(head)); - head.opcode = RX_CHANGED; - head.flags = op->flags; - head.count = op->count; -@@ -560,6 +566,7 @@ static enum hrtimer_restart bcm_rx_timeout_handler(struct hrtimer *hrtimer) - } - - /* create notification to user */ -+ memset(&msg_head, 0, sizeof(msg_head)); - msg_head.opcode = RX_TIMEOUT; - msg_head.flags = op->flags; - msg_head.count = op->count; -@@ -1378,20 +1385,15 @@ static int bcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) - /* - * notification handler for netdevice status changes - */ --static int bcm_notifier(struct notifier_block *nb, unsigned long msg, -- void *ptr) -+static void bcm_notify(struct bcm_sock *bo, unsigned long msg, -+ struct net_device *dev) - { -- struct net_device *dev = netdev_notifier_info_to_dev(ptr); -- struct bcm_sock *bo = container_of(nb, struct bcm_sock, notifier); - struct sock *sk = &bo->sk; - struct bcm_op *op; - int notify_enodev = 0; - - if (!net_eq(dev_net(dev), sock_net(sk))) -- return NOTIFY_DONE; -- -- if (dev->type != ARPHRD_CAN) -- return NOTIFY_DONE; -+ return; - - switch (msg) { - -@@ -1426,7 +1428,28 @@ static int bcm_notifier(struct notifier_block *nb, unsigned long msg, - sk->sk_error_report(sk); - } - } -+} - -+static int bcm_notifier(struct notifier_block *nb, unsigned long msg, -+ void *ptr) -+{ -+ struct net_device *dev = netdev_notifier_info_to_dev(ptr); -+ -+ if (dev->type != ARPHRD_CAN) -+ return NOTIFY_DONE; -+ if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN) -+ return NOTIFY_DONE; -+ if (unlikely(bcm_busy_notifier)) /* Check for reentrant bug. */ -+ return NOTIFY_DONE; -+ -+ spin_lock(&bcm_notifier_lock); -+ list_for_each_entry(bcm_busy_notifier, &bcm_notifier_list, notifier) { -+ spin_unlock(&bcm_notifier_lock); -+ bcm_notify(bcm_busy_notifier, msg, dev); -+ spin_lock(&bcm_notifier_lock); -+ } -+ bcm_busy_notifier = NULL; -+ spin_unlock(&bcm_notifier_lock); - return NOTIFY_DONE; - } - -@@ -1446,9 +1469,9 @@ static int bcm_init(struct sock *sk) - INIT_LIST_HEAD(&bo->rx_ops); - - /* set notifier */ -- bo->notifier.notifier_call = bcm_notifier; -- -- register_netdevice_notifier(&bo->notifier); -+ spin_lock(&bcm_notifier_lock); -+ list_add_tail(&bo->notifier, &bcm_notifier_list); -+ spin_unlock(&bcm_notifier_lock); - - return 0; - } -@@ -1471,7 +1494,14 @@ static int bcm_release(struct socket *sock) - - /* remove bcm_ops, timer, rx_unregister(), etc. */ - -- unregister_netdevice_notifier(&bo->notifier); -+ spin_lock(&bcm_notifier_lock); -+ while (bcm_busy_notifier == bo) { -+ spin_unlock(&bcm_notifier_lock); -+ schedule_timeout_uninterruptible(1); -+ spin_lock(&bcm_notifier_lock); -+ } -+ list_del(&bo->notifier); -+ spin_unlock(&bcm_notifier_lock); - - lock_sock(sk); - -@@ -1692,6 +1722,10 @@ static struct pernet_operations canbcm_pernet_ops __read_mostly = { - .exit = canbcm_pernet_exit, - }; - -+static struct notifier_block canbcm_notifier = { -+ .notifier_call = bcm_notifier -+}; -+ - static int __init bcm_module_init(void) - { - int err; -@@ -1705,12 +1739,14 @@ static int __init bcm_module_init(void) - } - - register_pernet_subsys(&canbcm_pernet_ops); -+ register_netdevice_notifier(&canbcm_notifier); - return 0; - } - - static void __exit bcm_module_exit(void) - { - can_proto_unregister(&bcm_can_proto); -+ unregister_netdevice_notifier(&canbcm_notifier); - unregister_pernet_subsys(&canbcm_pernet_ops); - } - -diff --git a/net/can/isotp.c b/net/can/isotp.c -index 253b24417c8e5..be6183f8ca110 100644 ---- a/net/can/isotp.c -+++ b/net/can/isotp.c -@@ -143,10 +143,14 @@ struct isotp_sock { - u32 force_tx_stmin; - u32 force_rx_stmin; - struct tpcon rx, tx; -- struct notifier_block notifier; -+ struct list_head notifier; - wait_queue_head_t wait; - }; - -+static LIST_HEAD(isotp_notifier_list); -+static DEFINE_SPINLOCK(isotp_notifier_lock); -+static struct isotp_sock *isotp_busy_notifier; -+ - static inline struct isotp_sock *isotp_sk(const struct sock *sk) - { - return (struct isotp_sock *)sk; -@@ -1013,7 +1017,14 @@ static int isotp_release(struct socket *sock) - /* wait for complete transmission of current pdu */ - wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); - -- unregister_netdevice_notifier(&so->notifier); -+ spin_lock(&isotp_notifier_lock); -+ while (isotp_busy_notifier == so) { -+ spin_unlock(&isotp_notifier_lock); -+ schedule_timeout_uninterruptible(1); -+ spin_lock(&isotp_notifier_lock); -+ } -+ list_del(&so->notifier); -+ spin_unlock(&isotp_notifier_lock); - - lock_sock(sk); - -@@ -1317,21 +1328,16 @@ static int isotp_getsockopt(struct socket *sock, int level, int optname, - return 0; - } - --static int isotp_notifier(struct notifier_block *nb, unsigned long msg, -- void *ptr) -+static void isotp_notify(struct isotp_sock *so, unsigned long msg, -+ struct net_device *dev) - { -- struct net_device *dev = netdev_notifier_info_to_dev(ptr); -- struct isotp_sock *so = container_of(nb, struct isotp_sock, notifier); - struct sock *sk = &so->sk; - - if (!net_eq(dev_net(dev), sock_net(sk))) -- return NOTIFY_DONE; -- -- if (dev->type != ARPHRD_CAN) -- return NOTIFY_DONE; -+ return; - - if (so->ifindex != dev->ifindex) -- return NOTIFY_DONE; -+ return; - - switch (msg) { - case NETDEV_UNREGISTER: -@@ -1357,7 +1363,28 @@ static int isotp_notifier(struct notifier_block *nb, unsigned long msg, - sk->sk_error_report(sk); - break; - } -+} - -+static int isotp_notifier(struct notifier_block *nb, unsigned long msg, -+ void *ptr) -+{ -+ struct net_device *dev = netdev_notifier_info_to_dev(ptr); -+ -+ if (dev->type != ARPHRD_CAN) -+ return NOTIFY_DONE; -+ if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN) -+ return NOTIFY_DONE; -+ if (unlikely(isotp_busy_notifier)) /* Check for reentrant bug. */ -+ return NOTIFY_DONE; -+ -+ spin_lock(&isotp_notifier_lock); -+ list_for_each_entry(isotp_busy_notifier, &isotp_notifier_list, notifier) { -+ spin_unlock(&isotp_notifier_lock); -+ isotp_notify(isotp_busy_notifier, msg, dev); -+ spin_lock(&isotp_notifier_lock); -+ } -+ isotp_busy_notifier = NULL; -+ spin_unlock(&isotp_notifier_lock); - return NOTIFY_DONE; - } - -@@ -1394,8 +1421,9 @@ static int isotp_init(struct sock *sk) - - init_waitqueue_head(&so->wait); - -- so->notifier.notifier_call = isotp_notifier; -- register_netdevice_notifier(&so->notifier); -+ spin_lock(&isotp_notifier_lock); -+ list_add_tail(&so->notifier, &isotp_notifier_list); -+ spin_unlock(&isotp_notifier_lock); - - return 0; - } -@@ -1442,6 +1470,10 @@ static const struct can_proto isotp_can_proto = { - .prot = &isotp_proto, - }; - -+static struct notifier_block canisotp_notifier = { -+ .notifier_call = isotp_notifier -+}; -+ - static __init int isotp_module_init(void) - { - int err; -@@ -1451,6 +1483,8 @@ static __init int isotp_module_init(void) - err = can_proto_register(&isotp_can_proto); - if (err < 0) - pr_err("can: registration of isotp protocol failed\n"); -+ else -+ register_netdevice_notifier(&canisotp_notifier); - - return err; - } -@@ -1458,6 +1492,7 @@ static __init int isotp_module_init(void) - static __exit void isotp_module_exit(void) - { - can_proto_unregister(&isotp_can_proto); -+ unregister_netdevice_notifier(&canisotp_notifier); - } - - module_init(isotp_module_init); -diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c -index e09d087ba2409..c3946c3558826 100644 ---- a/net/can/j1939/transport.c -+++ b/net/can/j1939/transport.c -@@ -330,6 +330,9 @@ static void j1939_session_skb_drop_old(struct j1939_session *session) - - if ((do_skcb->offset + do_skb->len) < offset_start) { - __skb_unlink(do_skb, &session->skb_queue); -+ /* drop ref taken in j1939_session_skb_queue() */ -+ skb_unref(do_skb); -+ - kfree_skb(do_skb); - } - spin_unlock_irqrestore(&session->skb_queue.lock, flags); -@@ -349,12 +352,13 @@ void j1939_session_skb_queue(struct j1939_session *session, - - skcb->flags |= J1939_ECU_LOCAL_SRC; - -+ skb_get(skb); - skb_queue_tail(&session->skb_queue, skb); - } - - static struct --sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session, -- unsigned int offset_start) -+sk_buff *j1939_session_skb_get_by_offset(struct j1939_session *session, -+ unsigned int offset_start) - { - struct j1939_priv *priv = session->priv; - struct j1939_sk_buff_cb *do_skcb; -@@ -371,6 +375,10 @@ sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session, - skb = do_skb; - } - } -+ -+ if (skb) -+ skb_get(skb); -+ - spin_unlock_irqrestore(&session->skb_queue.lock, flags); - - if (!skb) -@@ -381,12 +389,12 @@ sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session, - return skb; - } - --static struct sk_buff *j1939_session_skb_find(struct j1939_session *session) -+static struct sk_buff *j1939_session_skb_get(struct j1939_session *session) - { - unsigned int offset_start; - - offset_start = session->pkt.dpo * 7; -- return j1939_session_skb_find_by_offset(session, offset_start); -+ return j1939_session_skb_get_by_offset(session, offset_start); - } - - /* see if we are receiver -@@ -776,7 +784,7 @@ static int j1939_session_tx_dat(struct j1939_session *session) - int ret = 0; - u8 dat[8]; - -- se_skb = j1939_session_skb_find_by_offset(session, session->pkt.tx * 7); -+ se_skb = j1939_session_skb_get_by_offset(session, session->pkt.tx * 7); - if (!se_skb) - return -ENOBUFS; - -@@ -801,7 +809,8 @@ static int j1939_session_tx_dat(struct j1939_session *session) - netdev_err_once(priv->ndev, - "%s: 0x%p: requested data outside of queued buffer: offset %i, len %i, pkt.tx: %i\n", - __func__, session, skcb->offset, se_skb->len , session->pkt.tx); -- return -EOVERFLOW; -+ ret = -EOVERFLOW; -+ goto out_free; - } - - if (!len) { -@@ -835,6 +844,12 @@ static int j1939_session_tx_dat(struct j1939_session *session) - if (pkt_done) - j1939_tp_set_rxtimeout(session, 250); - -+ out_free: -+ if (ret) -+ kfree_skb(se_skb); -+ else -+ consume_skb(se_skb); -+ - return ret; - } - -@@ -1007,7 +1022,7 @@ static int j1939_xtp_txnext_receiver(struct j1939_session *session) - static int j1939_simple_txnext(struct j1939_session *session) - { - struct j1939_priv *priv = session->priv; -- struct sk_buff *se_skb = j1939_session_skb_find(session); -+ struct sk_buff *se_skb = j1939_session_skb_get(session); - struct sk_buff *skb; - int ret; - -@@ -1015,8 +1030,10 @@ static int j1939_simple_txnext(struct j1939_session *session) - return 0; - - skb = skb_clone(se_skb, GFP_ATOMIC); -- if (!skb) -- return -ENOMEM; -+ if (!skb) { -+ ret = -ENOMEM; -+ goto out_free; -+ } - - can_skb_set_owner(skb, se_skb->sk); - -@@ -1024,12 +1041,18 @@ static int j1939_simple_txnext(struct j1939_session *session) - - ret = j1939_send_one(priv, skb); - if (ret) -- return ret; -+ goto out_free; - - j1939_sk_errqueue(session, J1939_ERRQUEUE_SCHED); - j1939_sk_queue_activate_next(session); - -- return 0; -+ out_free: -+ if (ret) -+ kfree_skb(se_skb); -+ else -+ consume_skb(se_skb); -+ -+ return ret; - } - - static bool j1939_session_deactivate_locked(struct j1939_session *session) -@@ -1170,9 +1193,10 @@ static void j1939_session_completed(struct j1939_session *session) - struct sk_buff *skb; - - if (!session->transmission) { -- skb = j1939_session_skb_find(session); -+ skb = j1939_session_skb_get(session); - /* distribute among j1939 receivers */ - j1939_sk_recv(session->priv, skb); -+ consume_skb(skb); - } - - j1939_session_deactivate_activate_next(session); -@@ -1744,7 +1768,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, - { - struct j1939_priv *priv = session->priv; - struct j1939_sk_buff_cb *skcb; -- struct sk_buff *se_skb; -+ struct sk_buff *se_skb = NULL; - const u8 *dat; - u8 *tpdat; - int offset; -@@ -1786,7 +1810,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, - goto out_session_cancel; - } - -- se_skb = j1939_session_skb_find_by_offset(session, packet * 7); -+ se_skb = j1939_session_skb_get_by_offset(session, packet * 7); - if (!se_skb) { - netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__, - session); -@@ -1848,11 +1872,13 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session, - j1939_tp_set_rxtimeout(session, 250); - } - session->last_cmd = 0xff; -+ consume_skb(se_skb); - j1939_session_put(session); - - return; - - out_session_cancel: -+ kfree_skb(se_skb); - j1939_session_timers_cancel(session); - j1939_session_cancel(session, J1939_XTP_ABORT_FAULT); - j1939_session_put(session); -diff --git a/net/can/raw.c b/net/can/raw.c -index 139d9471ddcf4..ac96fc2100253 100644 ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -83,7 +83,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -- struct notifier_block notifier; -+ struct list_head notifier; - int loopback; - int recv_own_msgs; - int fd_frames; -@@ -95,6 +95,10 @@ struct raw_sock { - struct uniqframe __percpu *uniq; - }; - -+static LIST_HEAD(raw_notifier_list); -+static DEFINE_SPINLOCK(raw_notifier_lock); -+static struct raw_sock *raw_busy_notifier; -+ - /* Return pointer to store the extra msg flags for raw_recvmsg(). - * We use the space of one unsigned int beyond the 'struct sockaddr_can' - * in skb->cb. -@@ -263,21 +267,16 @@ static int raw_enable_allfilters(struct net *net, struct net_device *dev, - return err; - } - --static int raw_notifier(struct notifier_block *nb, -- unsigned long msg, void *ptr) -+static void raw_notify(struct raw_sock *ro, unsigned long msg, -+ struct net_device *dev) - { -- struct net_device *dev = netdev_notifier_info_to_dev(ptr); -- struct raw_sock *ro = container_of(nb, struct raw_sock, notifier); - struct sock *sk = &ro->sk; - - if (!net_eq(dev_net(dev), sock_net(sk))) -- return NOTIFY_DONE; -- -- if (dev->type != ARPHRD_CAN) -- return NOTIFY_DONE; -+ return; - - if (ro->ifindex != dev->ifindex) -- return NOTIFY_DONE; -+ return; - - switch (msg) { - case NETDEV_UNREGISTER: -@@ -305,7 +304,28 @@ static int raw_notifier(struct notifier_block *nb, - sk->sk_error_report(sk); - break; - } -+} -+ -+static int raw_notifier(struct notifier_block *nb, unsigned long msg, -+ void *ptr) -+{ -+ struct net_device *dev = netdev_notifier_info_to_dev(ptr); -+ -+ if (dev->type != ARPHRD_CAN) -+ return NOTIFY_DONE; -+ if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN) -+ return NOTIFY_DONE; -+ if (unlikely(raw_busy_notifier)) /* Check for reentrant bug. */ -+ return NOTIFY_DONE; - -+ spin_lock(&raw_notifier_lock); -+ list_for_each_entry(raw_busy_notifier, &raw_notifier_list, notifier) { -+ spin_unlock(&raw_notifier_lock); -+ raw_notify(raw_busy_notifier, msg, dev); -+ spin_lock(&raw_notifier_lock); -+ } -+ raw_busy_notifier = NULL; -+ spin_unlock(&raw_notifier_lock); - return NOTIFY_DONE; - } - -@@ -334,9 +354,9 @@ static int raw_init(struct sock *sk) - return -ENOMEM; - - /* set notifier */ -- ro->notifier.notifier_call = raw_notifier; -- -- register_netdevice_notifier(&ro->notifier); -+ spin_lock(&raw_notifier_lock); -+ list_add_tail(&ro->notifier, &raw_notifier_list); -+ spin_unlock(&raw_notifier_lock); - - return 0; - } -@@ -351,7 +371,14 @@ static int raw_release(struct socket *sock) - - ro = raw_sk(sk); - -- unregister_netdevice_notifier(&ro->notifier); -+ spin_lock(&raw_notifier_lock); -+ while (raw_busy_notifier == ro) { -+ spin_unlock(&raw_notifier_lock); -+ schedule_timeout_uninterruptible(1); -+ spin_lock(&raw_notifier_lock); -+ } -+ list_del(&ro->notifier); -+ spin_unlock(&raw_notifier_lock); - - lock_sock(sk); - -@@ -889,6 +916,10 @@ static const struct can_proto raw_can_proto = { - .prot = &raw_proto, - }; - -+static struct notifier_block canraw_notifier = { -+ .notifier_call = raw_notifier -+}; -+ - static __init int raw_module_init(void) - { - int err; -@@ -898,6 +929,8 @@ static __init int raw_module_init(void) - err = can_proto_register(&raw_can_proto); - if (err < 0) - pr_err("can: registration of raw protocol failed\n"); -+ else -+ register_netdevice_notifier(&canraw_notifier); - - return err; - } -@@ -905,6 +938,7 @@ static __init int raw_module_init(void) - static __exit void raw_module_exit(void) - { - can_proto_unregister(&raw_can_proto); -+ unregister_netdevice_notifier(&canraw_notifier); - } - - module_init(raw_module_init); -diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c -index 43b6ac4c44395..cc8dafb25d612 100644 ---- a/net/core/net_namespace.c -+++ b/net/core/net_namespace.c -@@ -641,6 +641,18 @@ void __put_net(struct net *net) - } - EXPORT_SYMBOL_GPL(__put_net); - -+/** -+ * get_net_ns - increment the refcount of the network namespace -+ * @ns: common namespace (net) -+ * -+ * Returns the net's common namespace. -+ */ -+struct ns_common *get_net_ns(struct ns_common *ns) -+{ -+ return &get_net(container_of(ns, struct net, ns))->ns; -+} -+EXPORT_SYMBOL_GPL(get_net_ns); -+ - struct net *get_net_ns_by_fd(int fd) - { - struct file *file; -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 9ad046917b340..2123427883baa 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -4833,10 +4833,12 @@ static int rtnl_bridge_notify(struct net_device *dev) - if (err < 0) - goto errout; - -- if (!skb->len) { -- err = -EINVAL; -+ /* Notification info is only filled for bridge ports, not the bridge -+ * device itself. Therefore, a zero notification length is valid and -+ * should not result in an error. -+ */ -+ if (!skb->len) - goto errout; -- } - - rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); - return 0; -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index c421c8f809256..7997d99afbd8e 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -1252,6 +1252,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg) - struct sock *sk = skb->sk; - struct sk_buff_head *q; - unsigned long flags; -+ bool is_zerocopy; - u32 lo, hi; - u16 len; - -@@ -1266,6 +1267,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg) - len = uarg->len; - lo = uarg->id; - hi = uarg->id + len - 1; -+ is_zerocopy = uarg->zerocopy; - - serr = SKB_EXT_ERR(skb); - memset(serr, 0, sizeof(*serr)); -@@ -1273,7 +1275,7 @@ static void __msg_zerocopy_callback(struct ubuf_info *uarg) - serr->ee.ee_origin = SO_EE_ORIGIN_ZEROCOPY; - serr->ee.ee_data = hi; - serr->ee.ee_info = lo; -- if (!uarg->zerocopy) -+ if (!is_zerocopy) - serr->ee.ee_code |= SO_EE_CODE_ZEROCOPY_COPIED; - - q = &sk->sk_error_queue; -diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c -index c3a5489964cde..9908b922cce8d 100644 ---- a/net/ethtool/strset.c -+++ b/net/ethtool/strset.c -@@ -328,6 +328,8 @@ static int strset_reply_size(const struct ethnl_req_info *req_base, - int len = 0; - int ret; - -+ len += nla_total_size(0); /* ETHTOOL_A_STRSET_STRINGSETS */ -+ - for (i = 0; i < ETH_SS_COUNT; i++) { - const struct strset_info *set_info = &data->sets[i]; - -diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c -index bfaf327e9d121..e0480c6cebaad 100644 ---- a/net/ipv4/cipso_ipv4.c -+++ b/net/ipv4/cipso_ipv4.c -@@ -472,6 +472,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) - kfree(doi_def->map.std->lvl.local); - kfree(doi_def->map.std->cat.cipso); - kfree(doi_def->map.std->cat.local); -+ kfree(doi_def->map.std); - break; - } - kfree(doi_def); -diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c -index 616e2dc1c8fa4..cd65d3146c300 100644 ---- a/net/ipv4/icmp.c -+++ b/net/ipv4/icmp.c -@@ -759,6 +759,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, - icmp_param.data_len = room; - icmp_param.head_len = sizeof(struct icmphdr); - -+ /* if we don't have a source address at this point, fall back to the -+ * dummy address instead of sending out a packet with a source address -+ * of 0.0.0.0 -+ */ -+ if (!fl4.saddr) -+ fl4.saddr = htonl(INADDR_DUMMY); -+ - icmp_push_reply(&icmp_param, &fl4, &ipc, &rt); - ende: - ip_rt_put(rt); -diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c -index 7b272bbed2b43..6b3c558a4f232 100644 ---- a/net/ipv4/igmp.c -+++ b/net/ipv4/igmp.c -@@ -1801,6 +1801,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) - while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { - in_dev->mc_list = i->next_rcu; - in_dev->mc_count--; -+ ip_mc_clear_src(i); - ip_ma_put(i); - } - } -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index d635b4f32d348..09506203156d1 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -2081,6 +2081,19 @@ martian_source: - return err; - } - -+/* get device for dst_alloc with local routes */ -+static struct net_device *ip_rt_get_dev(struct net *net, -+ const struct fib_result *res) -+{ -+ struct fib_nh_common *nhc = res->fi ? res->nhc : NULL; -+ struct net_device *dev = NULL; -+ -+ if (nhc) -+ dev = l3mdev_master_dev_rcu(nhc->nhc_dev); -+ -+ return dev ? : net->loopback_dev; -+} -+ - /* - * NOTE. We drop all the packets that has local source - * addresses, because every properly looped back packet -@@ -2237,7 +2250,7 @@ local_input: - } - } - -- rth = rt_dst_alloc(l3mdev_master_dev_rcu(dev) ? : net->loopback_dev, -+ rth = rt_dst_alloc(ip_rt_get_dev(net, res), - flags | RTCF_LOCAL, res->type, - IN_DEV_ORCONF(in_dev, NOPOLICY), false); - if (!rth) -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index c586a6bb8c6d0..3dd340679d096 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -2576,6 +2576,9 @@ void udp_destroy_sock(struct sock *sk) - { - struct udp_sock *up = udp_sk(sk); - bool slow = lock_sock_fast(sk); -+ -+ /* protects from races with udp_abort() */ -+ sock_set_flag(sk, SOCK_DEAD); - udp_flush_pending_frames(sk); - unlock_sock_fast(sk, slow); - if (static_branch_unlikely(&udp_encap_needed_key)) { -@@ -2826,10 +2829,17 @@ int udp_abort(struct sock *sk, int err) - { - lock_sock(sk); - -+ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing -+ * with close() -+ */ -+ if (sock_flag(sk, SOCK_DEAD)) -+ goto out; -+ - sk->sk_err = err; - sk->sk_error_report(sk); - __udp_disconnect(sk, 0); - -+out: - release_sock(sk); - - return 0; -diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c -index e204163c7036c..92f3235fa2874 100644 ---- a/net/ipv6/netfilter/nft_fib_ipv6.c -+++ b/net/ipv6/netfilter/nft_fib_ipv6.c -@@ -135,6 +135,17 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs, - } - EXPORT_SYMBOL_GPL(nft_fib6_eval_type); - -+static bool nft_fib_v6_skip_icmpv6(const struct sk_buff *skb, u8 next, const struct ipv6hdr *iph) -+{ -+ if (likely(next != IPPROTO_ICMPV6)) -+ return false; -+ -+ if (ipv6_addr_type(&iph->saddr) != IPV6_ADDR_ANY) -+ return false; -+ -+ return ipv6_addr_type(&iph->daddr) & IPV6_ADDR_LINKLOCAL; -+} -+ - void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, - const struct nft_pktinfo *pkt) - { -@@ -163,10 +174,13 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, - - lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); - -- if (nft_hook(pkt) == NF_INET_PRE_ROUTING && -- nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { -- nft_fib_store_result(dest, priv, nft_in(pkt)); -- return; -+ if (nft_hook(pkt) == NF_INET_PRE_ROUTING || -+ nft_hook(pkt) == NF_INET_INGRESS) { -+ if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) || -+ nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { -+ nft_fib_store_result(dest, priv, nft_in(pkt)); -+ return; -+ } - } - - *dest = 0; -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index d25e5a9252fdb..29288f134d7ac 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -1597,6 +1597,9 @@ void udpv6_destroy_sock(struct sock *sk) - { - struct udp_sock *up = udp_sk(sk); - lock_sock(sk); -+ -+ /* protects from races with udp_abort() */ -+ sock_set_flag(sk, SOCK_DEAD); - udp_v6_flush_pending_frames(sk); - release_sock(sk); - -diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c -index 5296898875ffb..223fbcafd6fce 100644 ---- a/net/mac80211/debugfs.c -+++ b/net/mac80211/debugfs.c -@@ -4,7 +4,7 @@ - * - * Copyright 2007 Johannes Berg - * Copyright 2013-2014 Intel Mobile Communications GmbH -- * Copyright (C) 2018 - 2019 Intel Corporation -+ * Copyright (C) 2018 - 2019, 2021 Intel Corporation - */ - - #include -@@ -387,10 +387,17 @@ static ssize_t reset_write(struct file *file, const char __user *user_buf, - size_t count, loff_t *ppos) - { - struct ieee80211_local *local = file->private_data; -+ int ret; - - rtnl_lock(); -+ wiphy_lock(local->hw.wiphy); - __ieee80211_suspend(&local->hw, NULL); -- __ieee80211_resume(&local->hw); -+ ret = __ieee80211_resume(&local->hw); -+ wiphy_unlock(local->hw.wiphy); -+ -+ if (ret) -+ cfg80211_shutdown_all_interfaces(local->hw.wiphy); -+ - rtnl_unlock(); - - return count; -diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c -index 6f8885766cbaa..6ebfd484e61d2 100644 ---- a/net/mac80211/iface.c -+++ b/net/mac80211/iface.c -@@ -475,14 +475,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do - GFP_KERNEL); - } - -- /* APs need special treatment */ - if (sdata->vif.type == NL80211_IFTYPE_AP) { -- struct ieee80211_sub_if_data *vlan, *tmpsdata; -- -- /* down all dependent devices, that is VLANs */ -- list_for_each_entry_safe(vlan, tmpsdata, &sdata->u.ap.vlans, -- u.vlan.list) -- dev_close(vlan->dev); - WARN_ON(!list_empty(&sdata->u.ap.vlans)); - } else if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) { - /* remove all packets in parent bc_buf pointing to this dev */ -@@ -640,6 +633,15 @@ static int ieee80211_stop(struct net_device *dev) - { - struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); - -+ /* close all dependent VLAN interfaces before locking wiphy */ -+ if (sdata->vif.type == NL80211_IFTYPE_AP) { -+ struct ieee80211_sub_if_data *vlan, *tmpsdata; -+ -+ list_for_each_entry_safe(vlan, tmpsdata, &sdata->u.ap.vlans, -+ u.vlan.list) -+ dev_close(vlan->dev); -+ } -+ - wiphy_lock(sdata->local->hw.wiphy); - ieee80211_do_stop(sdata, true); - wiphy_unlock(sdata->local->hw.wiphy); -@@ -1589,6 +1591,9 @@ static int ieee80211_runtime_change_iftype(struct ieee80211_sub_if_data *sdata, - - switch (sdata->vif.type) { - case NL80211_IFTYPE_AP: -+ if (!list_empty(&sdata->u.ap.vlans)) -+ return -EBUSY; -+ break; - case NL80211_IFTYPE_STATION: - case NL80211_IFTYPE_ADHOC: - case NL80211_IFTYPE_OCB: -diff --git a/net/mac80211/main.c b/net/mac80211/main.c -index 0331f3a3c40e0..9dd741b68f268 100644 ---- a/net/mac80211/main.c -+++ b/net/mac80211/main.c -@@ -252,6 +252,7 @@ static void ieee80211_restart_work(struct work_struct *work) - struct ieee80211_local *local = - container_of(work, struct ieee80211_local, restart_work); - struct ieee80211_sub_if_data *sdata; -+ int ret; - - /* wait for scan work complete */ - flush_workqueue(local->workqueue); -@@ -294,8 +295,12 @@ static void ieee80211_restart_work(struct work_struct *work) - /* wait for all packet processing to be done */ - synchronize_net(); - -- ieee80211_reconfig(local); -+ ret = ieee80211_reconfig(local); - wiphy_unlock(local->hw.wiphy); -+ -+ if (ret) -+ cfg80211_shutdown_all_interfaces(local->hw.wiphy); -+ - rtnl_unlock(); - } - -diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c -index ecad9b10984ff..e627a11844a9b 100644 ---- a/net/mac80211/rc80211_minstrel_ht.c -+++ b/net/mac80211/rc80211_minstrel_ht.c -@@ -1516,7 +1516,7 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta, - (info->control.flags & IEEE80211_TX_CTRL_PORT_CTRL_PROTO)) - return; - -- if (time_is_before_jiffies(mi->sample_time)) -+ if (time_is_after_jiffies(mi->sample_time)) - return; - - mi->sample_time = jiffies + MINSTREL_SAMPLE_INTERVAL; -diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c -index d4cc9ac2d7033..6b50cb5e0e3cc 100644 ---- a/net/mac80211/scan.c -+++ b/net/mac80211/scan.c -@@ -251,13 +251,24 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) - struct ieee80211_mgmt *mgmt = (void *)skb->data; - struct ieee80211_bss *bss; - struct ieee80211_channel *channel; -+ size_t min_hdr_len = offsetof(struct ieee80211_mgmt, -+ u.probe_resp.variable); -+ -+ if (!ieee80211_is_probe_resp(mgmt->frame_control) && -+ !ieee80211_is_beacon(mgmt->frame_control) && -+ !ieee80211_is_s1g_beacon(mgmt->frame_control)) -+ return; - - if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { -- if (skb->len < 15) -- return; -- } else if (skb->len < 24 || -- (!ieee80211_is_probe_resp(mgmt->frame_control) && -- !ieee80211_is_beacon(mgmt->frame_control))) -+ if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) -+ min_hdr_len = offsetof(struct ieee80211_ext, -+ u.s1g_short_beacon.variable); -+ else -+ min_hdr_len = offsetof(struct ieee80211_ext, -+ u.s1g_beacon); -+ } -+ -+ if (skb->len < min_hdr_len) - return; - - sdata1 = rcu_dereference(local->scan_sdata); -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index 28422d6870967..d33dc4e023715 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -2002,6 +2002,26 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, - ieee80211_tx(sdata, sta, skb, false); - } - -+static bool ieee80211_validate_radiotap_len(struct sk_buff *skb) -+{ -+ struct ieee80211_radiotap_header *rthdr = -+ (struct ieee80211_radiotap_header *)skb->data; -+ -+ /* check for not even having the fixed radiotap header part */ -+ if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header))) -+ return false; /* too short to be possibly valid */ -+ -+ /* is it a header version we can trust to find length from? */ -+ if (unlikely(rthdr->it_version)) -+ return false; /* only version 0 is supported */ -+ -+ /* does the skb contain enough to deliver on the alleged length? */ -+ if (unlikely(skb->len < ieee80211_get_radiotap_len(skb->data))) -+ return false; /* skb too short for claimed rt header extent */ -+ -+ return true; -+} -+ - bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, - struct net_device *dev) - { -@@ -2010,8 +2030,6 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, - struct ieee80211_radiotap_header *rthdr = - (struct ieee80211_radiotap_header *) skb->data; - struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); -- struct ieee80211_supported_band *sband = -- local->hw.wiphy->bands[info->band]; - int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len, - NULL); - u16 txflags; -@@ -2024,17 +2042,8 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, - u8 vht_mcs = 0, vht_nss = 0; - int i; - -- /* check for not even having the fixed radiotap header part */ -- if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header))) -- return false; /* too short to be possibly valid */ -- -- /* is it a header version we can trust to find length from? */ -- if (unlikely(rthdr->it_version)) -- return false; /* only version 0 is supported */ -- -- /* does the skb contain enough to deliver on the alleged length? */ -- if (unlikely(skb->len < ieee80211_get_radiotap_len(skb->data))) -- return false; /* skb too short for claimed rt header extent */ -+ if (!ieee80211_validate_radiotap_len(skb)) -+ return false; - - info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT | - IEEE80211_TX_CTL_DONTFRAG; -@@ -2174,6 +2183,9 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, - return false; - - if (rate_found) { -+ struct ieee80211_supported_band *sband = -+ local->hw.wiphy->bands[info->band]; -+ - info->control.flags |= IEEE80211_TX_CTRL_RATE_INJECT; - - for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) { -@@ -2187,7 +2199,7 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, - } else if (rate_flags & IEEE80211_TX_RC_VHT_MCS) { - ieee80211_rate_set_vht(info->control.rates, vht_mcs, - vht_nss); -- } else { -+ } else if (sband) { - for (i = 0; i < sband->n_bitrates; i++) { - if (rate * 5 != sband->bitrates[i].bitrate) - continue; -@@ -2224,8 +2236,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, - info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS | - IEEE80211_TX_CTL_INJECTED; - -- /* Sanity-check and process the injection radiotap header */ -- if (!ieee80211_parse_tx_radiotap(skb, dev)) -+ /* Sanity-check the length of the radiotap header */ -+ if (!ieee80211_validate_radiotap_len(skb)) - goto fail; - - /* we now know there is a radiotap header with a length we can use */ -@@ -2339,6 +2351,14 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, - ieee80211_select_queue_80211(sdata, skb, hdr); - skb_set_queue_mapping(skb, ieee80211_ac_from_tid(skb->priority)); - -+ /* -+ * Process the radiotap header. This will now take into account the -+ * selected chandef above to accurately set injection rates and -+ * retransmissions. -+ */ -+ if (!ieee80211_parse_tx_radiotap(skb, dev)) -+ goto fail_rcu; -+ - /* remove the injection radiotap header */ - skb_pull(skb, len_rthdr); - -diff --git a/net/mac80211/util.c b/net/mac80211/util.c -index c0fa526a45b4d..53755a05f73b5 100644 ---- a/net/mac80211/util.c -+++ b/net/mac80211/util.c -@@ -2186,8 +2186,6 @@ static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local) - list_for_each_entry(ctx, &local->chanctx_list, list) - ctx->driver_present = false; - mutex_unlock(&local->chanctx_mtx); -- -- cfg80211_shutdown_all_interfaces(local->hw.wiphy); - } - - static void ieee80211_assign_chanctx(struct ieee80211_local *local, -diff --git a/net/mptcp/options.c b/net/mptcp/options.c -index 8848a9e2a95b1..47d90cf31f125 100644 ---- a/net/mptcp/options.c -+++ b/net/mptcp/options.c -@@ -337,6 +337,8 @@ void mptcp_get_options(const struct sk_buff *skb, - length--; - continue; - default: -+ if (length < 2) -+ return; - opsize = *ptr++; - if (opsize < 2) /* "silly options" */ - return; -diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c -index 225b988215171..d8187ac065397 100644 ---- a/net/mptcp/protocol.c -+++ b/net/mptcp/protocol.c -@@ -287,11 +287,13 @@ static bool __mptcp_move_skb(struct mptcp_sock *msk, struct sock *ssk, - - /* try to fetch required memory from subflow */ - if (!sk_rmem_schedule(sk, skb, skb->truesize)) { -- if (ssk->sk_forward_alloc < skb->truesize) -- goto drop; -- __sk_mem_reclaim(ssk, skb->truesize); -- if (!sk_rmem_schedule(sk, skb, skb->truesize)) -+ int amount = sk_mem_pages(skb->truesize) << SK_MEM_QUANTUM_SHIFT; -+ -+ if (ssk->sk_forward_alloc < amount) - goto drop; -+ -+ ssk->sk_forward_alloc -= amount; -+ sk->sk_forward_alloc += amount; - } - - /* the skb map_seq accounts for the skb offset: -@@ -687,18 +689,22 @@ static bool __mptcp_ofo_queue(struct mptcp_sock *msk) - /* In most cases we will be able to lock the mptcp socket. If its already - * owned, we need to defer to the work queue to avoid ABBA deadlock. - */ --static void move_skbs_to_msk(struct mptcp_sock *msk, struct sock *ssk) -+static bool move_skbs_to_msk(struct mptcp_sock *msk, struct sock *ssk) - { - struct sock *sk = (struct sock *)msk; - unsigned int moved = 0; - - if (inet_sk_state_load(sk) == TCP_CLOSE) -- return; -- -- mptcp_data_lock(sk); -+ return false; - - __mptcp_move_skbs_from_subflow(msk, ssk, &moved); - __mptcp_ofo_queue(msk); -+ if (unlikely(ssk->sk_err)) { -+ if (!sock_owned_by_user(sk)) -+ __mptcp_error_report(sk); -+ else -+ set_bit(MPTCP_ERROR_REPORT, &msk->flags); -+ } - - /* If the moves have caught up with the DATA_FIN sequence number - * it's time to ack the DATA_FIN and change socket state, but -@@ -707,7 +713,7 @@ static void move_skbs_to_msk(struct mptcp_sock *msk, struct sock *ssk) - */ - if (mptcp_pending_data_fin(sk, NULL)) - mptcp_schedule_work(sk); -- mptcp_data_unlock(sk); -+ return moved > 0; - } - - void mptcp_data_ready(struct sock *sk, struct sock *ssk) -@@ -715,7 +721,6 @@ void mptcp_data_ready(struct sock *sk, struct sock *ssk) - struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); - struct mptcp_sock *msk = mptcp_sk(sk); - int sk_rbuf, ssk_rbuf; -- bool wake; - - /* The peer can send data while we are shutting down this - * subflow at msk destruction time, but we must avoid enqueuing -@@ -724,28 +729,22 @@ void mptcp_data_ready(struct sock *sk, struct sock *ssk) - if (unlikely(subflow->disposable)) - return; - -- /* move_skbs_to_msk below can legitly clear the data_avail flag, -- * but we will need later to properly woke the reader, cache its -- * value -- */ -- wake = subflow->data_avail == MPTCP_SUBFLOW_DATA_AVAIL; -- if (wake) -- set_bit(MPTCP_DATA_READY, &msk->flags); -- - ssk_rbuf = READ_ONCE(ssk->sk_rcvbuf); - sk_rbuf = READ_ONCE(sk->sk_rcvbuf); - if (unlikely(ssk_rbuf > sk_rbuf)) - sk_rbuf = ssk_rbuf; - -- /* over limit? can't append more skbs to msk */ -+ /* over limit? can't append more skbs to msk, Also, no need to wake-up*/ - if (atomic_read(&sk->sk_rmem_alloc) > sk_rbuf) -- goto wake; -- -- move_skbs_to_msk(msk, ssk); -+ return; - --wake: -- if (wake) -+ /* Wake-up the reader only for in-sequence data */ -+ mptcp_data_lock(sk); -+ if (move_skbs_to_msk(msk, ssk)) { -+ set_bit(MPTCP_DATA_READY, &msk->flags); - sk->sk_data_ready(sk); -+ } -+ mptcp_data_unlock(sk); - } - - void __mptcp_flush_join_list(struct mptcp_sock *msk) -@@ -848,7 +847,7 @@ static struct sock *mptcp_subflow_recv_lookup(const struct mptcp_sock *msk) - sock_owned_by_me(sk); - - mptcp_for_each_subflow(msk, subflow) { -- if (subflow->data_avail) -+ if (READ_ONCE(subflow->data_avail)) - return mptcp_subflow_tcp_sock(subflow); - } - -@@ -1939,6 +1938,9 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk) - done = __mptcp_move_skbs_from_subflow(msk, ssk, &moved); - mptcp_data_unlock(sk); - tcp_cleanup_rbuf(ssk, moved); -+ -+ if (unlikely(ssk->sk_err)) -+ __mptcp_error_report(sk); - unlock_sock_fast(ssk, slowpath); - } while (!done); - -diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h -index e21a5bc36cf08..14e89e4bd4a80 100644 ---- a/net/mptcp/protocol.h -+++ b/net/mptcp/protocol.h -@@ -372,7 +372,6 @@ mptcp_subflow_rsk(const struct request_sock *rsk) - enum mptcp_data_avail { - MPTCP_SUBFLOW_NODATA, - MPTCP_SUBFLOW_DATA_AVAIL, -- MPTCP_SUBFLOW_OOO_DATA - }; - - struct mptcp_delegated_action { -diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c -index 8425cd393bf3e..d6d8ad4f918e7 100644 ---- a/net/mptcp/subflow.c -+++ b/net/mptcp/subflow.c -@@ -754,10 +754,10 @@ static u64 expand_seq(u64 old_seq, u16 old_data_len, u64 seq) - return seq | ((old_seq + old_data_len + 1) & GENMASK_ULL(63, 32)); - } - --static void warn_bad_map(struct mptcp_subflow_context *subflow, u32 ssn) -+static void dbg_bad_map(struct mptcp_subflow_context *subflow, u32 ssn) - { -- WARN_ONCE(1, "Bad mapping: ssn=%d map_seq=%d map_data_len=%d", -- ssn, subflow->map_subflow_seq, subflow->map_data_len); -+ pr_debug("Bad mapping: ssn=%d map_seq=%d map_data_len=%d", -+ ssn, subflow->map_subflow_seq, subflow->map_data_len); - } - - static bool skb_is_fully_mapped(struct sock *ssk, struct sk_buff *skb) -@@ -782,13 +782,13 @@ static bool validate_mapping(struct sock *ssk, struct sk_buff *skb) - /* Mapping covers data later in the subflow stream, - * currently unsupported. - */ -- warn_bad_map(subflow, ssn); -+ dbg_bad_map(subflow, ssn); - return false; - } - if (unlikely(!before(ssn, subflow->map_subflow_seq + - subflow->map_data_len))) { - /* Mapping does covers past subflow data, invalid */ -- warn_bad_map(subflow, ssn + skb->len); -+ dbg_bad_map(subflow, ssn); - return false; - } - return true; -@@ -974,7 +974,7 @@ static bool subflow_check_data_avail(struct sock *ssk) - pr_debug("msk=%p ssk=%p data_avail=%d skb=%p", subflow->conn, ssk, - subflow->data_avail, skb_peek(&ssk->sk_receive_queue)); - if (!skb_peek(&ssk->sk_receive_queue)) -- subflow->data_avail = 0; -+ WRITE_ONCE(subflow->data_avail, 0); - if (subflow->data_avail) - return true; - -@@ -1012,18 +1012,13 @@ static bool subflow_check_data_avail(struct sock *ssk) - ack_seq = mptcp_subflow_get_mapped_dsn(subflow); - pr_debug("msk ack_seq=%llx subflow ack_seq=%llx", old_ack, - ack_seq); -- if (ack_seq == old_ack) { -- subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL; -- break; -- } else if (after64(ack_seq, old_ack)) { -- subflow->data_avail = MPTCP_SUBFLOW_OOO_DATA; -- break; -+ if (unlikely(before64(ack_seq, old_ack))) { -+ mptcp_subflow_discard_data(ssk, skb, old_ack - ack_seq); -+ continue; - } - -- /* only accept in-sequence mapping. Old values are spurious -- * retransmission -- */ -- mptcp_subflow_discard_data(ssk, skb, old_ack - ack_seq); -+ WRITE_ONCE(subflow->data_avail, MPTCP_SUBFLOW_DATA_AVAIL); -+ break; - } - return true; - -@@ -1038,10 +1033,9 @@ fallback: - * subflow_error_report() will introduce the appropriate barriers - */ - ssk->sk_err = EBADMSG; -- ssk->sk_error_report(ssk); - tcp_set_state(ssk, TCP_CLOSE); - tcp_send_active_reset(ssk, GFP_ATOMIC); -- subflow->data_avail = 0; -+ WRITE_ONCE(subflow->data_avail, 0); - return false; - } - -@@ -1051,7 +1045,7 @@ fallback: - subflow->map_seq = READ_ONCE(msk->ack_seq); - subflow->map_data_len = skb->len; - subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq - subflow->ssn_offset; -- subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL; -+ WRITE_ONCE(subflow->data_avail, MPTCP_SUBFLOW_DATA_AVAIL); - return true; - } - -@@ -1063,7 +1057,7 @@ bool mptcp_subflow_data_available(struct sock *sk) - if (subflow->map_valid && - mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len) { - subflow->map_valid = 0; -- subflow->data_avail = 0; -+ WRITE_ONCE(subflow->data_avail, 0); - - pr_debug("Done with mapping: seq=%u data_len=%u", - subflow->map_subflow_seq, -@@ -1091,41 +1085,6 @@ void mptcp_space(const struct sock *ssk, int *space, int *full_space) - *full_space = tcp_full_space(sk); - } - --static void subflow_data_ready(struct sock *sk) --{ -- struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); -- u16 state = 1 << inet_sk_state_load(sk); -- struct sock *parent = subflow->conn; -- struct mptcp_sock *msk; -- -- msk = mptcp_sk(parent); -- if (state & TCPF_LISTEN) { -- /* MPJ subflow are removed from accept queue before reaching here, -- * avoid stray wakeups -- */ -- if (reqsk_queue_empty(&inet_csk(sk)->icsk_accept_queue)) -- return; -- -- set_bit(MPTCP_DATA_READY, &msk->flags); -- parent->sk_data_ready(parent); -- return; -- } -- -- WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable && -- !subflow->mp_join && !(state & TCPF_CLOSE)); -- -- if (mptcp_subflow_data_available(sk)) -- mptcp_data_ready(parent, sk); --} -- --static void subflow_write_space(struct sock *ssk) --{ -- struct sock *sk = mptcp_subflow_ctx(ssk)->conn; -- -- mptcp_propagate_sndbuf(sk, ssk); -- mptcp_write_space(sk); --} -- - void __mptcp_error_report(struct sock *sk) - { - struct mptcp_subflow_context *subflow; -@@ -1166,6 +1125,43 @@ static void subflow_error_report(struct sock *ssk) - mptcp_data_unlock(sk); - } - -+static void subflow_data_ready(struct sock *sk) -+{ -+ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); -+ u16 state = 1 << inet_sk_state_load(sk); -+ struct sock *parent = subflow->conn; -+ struct mptcp_sock *msk; -+ -+ msk = mptcp_sk(parent); -+ if (state & TCPF_LISTEN) { -+ /* MPJ subflow are removed from accept queue before reaching here, -+ * avoid stray wakeups -+ */ -+ if (reqsk_queue_empty(&inet_csk(sk)->icsk_accept_queue)) -+ return; -+ -+ set_bit(MPTCP_DATA_READY, &msk->flags); -+ parent->sk_data_ready(parent); -+ return; -+ } -+ -+ WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable && -+ !subflow->mp_join && !(state & TCPF_CLOSE)); -+ -+ if (mptcp_subflow_data_available(sk)) -+ mptcp_data_ready(parent, sk); -+ else if (unlikely(sk->sk_err)) -+ subflow_error_report(sk); -+} -+ -+static void subflow_write_space(struct sock *ssk) -+{ -+ struct sock *sk = mptcp_subflow_ctx(ssk)->conn; -+ -+ mptcp_propagate_sndbuf(sk, ssk); -+ mptcp_write_space(sk); -+} -+ - static struct inet_connection_sock_af_ops * - subflow_default_af_ops(struct sock *sk) - { -@@ -1474,6 +1470,8 @@ static void subflow_state_change(struct sock *sk) - */ - if (mptcp_subflow_data_available(sk)) - mptcp_data_ready(parent, sk); -+ else if (unlikely(sk->sk_err)) -+ subflow_error_report(sk); - - subflow_sched_work_if_closed(mptcp_sk(parent), sk); - -diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c -index b100c04a0e435..3d6d49420db8b 100644 ---- a/net/netfilter/nf_synproxy_core.c -+++ b/net/netfilter/nf_synproxy_core.c -@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, - int length = (th->doff * 4) - sizeof(*th); - u8 buf[40], *ptr; - -+ if (unlikely(length < 0)) -+ return false; -+ - ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); - if (ptr == NULL) - return false; -@@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, - length--; - continue; - default: -+ if (length < 2) -+ return true; - opsize = *ptr++; - if (opsize < 2) - return true; -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 31016c144c48b..9d5ea23529657 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -4317,13 +4317,44 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, - err = nf_tables_set_alloc_name(&ctx, set, name); - kfree(name); - if (err < 0) -- goto err_set_alloc_name; -+ goto err_set_name; -+ -+ udata = NULL; -+ if (udlen) { -+ udata = set->data + size; -+ nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); -+ } -+ -+ INIT_LIST_HEAD(&set->bindings); -+ set->table = table; -+ write_pnet(&set->net, net); -+ set->ops = ops; -+ set->ktype = ktype; -+ set->klen = desc.klen; -+ set->dtype = dtype; -+ set->objtype = objtype; -+ set->dlen = desc.dlen; -+ set->flags = flags; -+ set->size = desc.size; -+ set->policy = policy; -+ set->udlen = udlen; -+ set->udata = udata; -+ set->timeout = timeout; -+ set->gc_int = gc_int; -+ -+ set->field_count = desc.field_count; -+ for (i = 0; i < desc.field_count; i++) -+ set->field_len[i] = desc.field_len[i]; -+ -+ err = ops->init(set, &desc, nla); -+ if (err < 0) -+ goto err_set_init; - - if (nla[NFTA_SET_EXPR]) { - expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); - if (IS_ERR(expr)) { - err = PTR_ERR(expr); -- goto err_set_alloc_name; -+ goto err_set_expr_alloc; - } - set->exprs[0] = expr; - set->num_exprs++; -@@ -4334,74 +4365,44 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, - - if (!(flags & NFT_SET_EXPR)) { - err = -EINVAL; -- goto err_set_alloc_name; -+ goto err_set_expr_alloc; - } - i = 0; - nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { - if (i == NFT_SET_EXPR_MAX) { - err = -E2BIG; -- goto err_set_init; -+ goto err_set_expr_alloc; - } - if (nla_type(tmp) != NFTA_LIST_ELEM) { - err = -EINVAL; -- goto err_set_init; -+ goto err_set_expr_alloc; - } - expr = nft_set_elem_expr_alloc(&ctx, set, tmp); - if (IS_ERR(expr)) { - err = PTR_ERR(expr); -- goto err_set_init; -+ goto err_set_expr_alloc; - } - set->exprs[i++] = expr; - set->num_exprs++; - } - } - -- udata = NULL; -- if (udlen) { -- udata = set->data + size; -- nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); -- } -- -- INIT_LIST_HEAD(&set->bindings); -- set->table = table; -- write_pnet(&set->net, net); -- set->ops = ops; -- set->ktype = ktype; -- set->klen = desc.klen; -- set->dtype = dtype; -- set->objtype = objtype; -- set->dlen = desc.dlen; -- set->flags = flags; -- set->size = desc.size; -- set->policy = policy; -- set->udlen = udlen; -- set->udata = udata; -- set->timeout = timeout; -- set->gc_int = gc_int; - set->handle = nf_tables_alloc_handle(table); - -- set->field_count = desc.field_count; -- for (i = 0; i < desc.field_count; i++) -- set->field_len[i] = desc.field_len[i]; -- -- err = ops->init(set, &desc, nla); -- if (err < 0) -- goto err_set_init; -- - err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); - if (err < 0) -- goto err_set_trans; -+ goto err_set_expr_alloc; - - list_add_tail_rcu(&set->list, &table->sets); - table->use++; - return 0; - --err_set_trans: -- ops->destroy(set); --err_set_init: -+err_set_expr_alloc: - for (i = 0; i < set->num_exprs; i++) - nft_expr_destroy(&ctx, set->exprs[i]); --err_set_alloc_name: -+ -+ ops->destroy(set); -+err_set_init: - kfree(set->name); - err_set_name: - kvfree(set); -diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c -index 1e4fb568fa841..24f10bf7d8a3f 100644 ---- a/net/qrtr/qrtr.c -+++ b/net/qrtr/qrtr.c -@@ -435,7 +435,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) - struct qrtr_sock *ipc; - struct sk_buff *skb; - struct qrtr_cb *cb; -- unsigned int size; -+ size_t size; - unsigned int ver; - size_t hdrlen; - -diff --git a/net/rds/recv.c b/net/rds/recv.c -index aba4afe4dfedc..967d115f97efd 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -714,7 +714,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, - - if (rds_cmsg_recv(inc, msg, rs)) { - ret = -EFAULT; -- goto out; -+ break; - } - rds_recvmsg_zcookie(rs, msg); - -diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c -index ba7f57cb41c30..143786d8cde03 100644 ---- a/net/sched/act_ct.c -+++ b/net/sched/act_ct.c -@@ -904,14 +904,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb, - } - - err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); -- if (err == NF_ACCEPT && -- ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { -- if (maniptype == NF_NAT_MANIP_SRC) -- maniptype = NF_NAT_MANIP_DST; -- else -- maniptype = NF_NAT_MANIP_SRC; -- -- err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); -+ if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { -+ if (ct->status & IPS_SRC_NAT) { -+ if (maniptype == NF_NAT_MANIP_SRC) -+ maniptype = NF_NAT_MANIP_DST; -+ else -+ maniptype = NF_NAT_MANIP_SRC; -+ -+ err = ct_nat_execute(skb, ct, ctinfo, range, -+ maniptype); -+ } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { -+ err = ct_nat_execute(skb, ct, ctinfo, NULL, -+ NF_NAT_MANIP_SRC); -+ } - } - return err; - #else -diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c -index 7d37638ee1c7a..5c15968b5155b 100644 ---- a/net/sched/sch_cake.c -+++ b/net/sched/sch_cake.c -@@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb, - } - - tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); -- if (!tcph) -+ if (!tcph || tcph->doff < 5) - return NULL; - - return skb_header_pointer(skb, offset, -@@ -967,6 +967,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, - length--; - continue; - } -+ if (length < 2) -+ break; - opsize = *ptr++; - if (opsize < 2 || opsize > length) - break; -@@ -1104,6 +1106,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, - length--; - continue; - } -+ if (length < 2) -+ break; - opsize = *ptr++; - if (opsize < 2 || opsize > length) - break; -diff --git a/net/socket.c b/net/socket.c -index 84a8049c2b099..03259cb919f7e 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1072,19 +1072,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock, - * what to do with it - that's up to the protocol still. - */ - --/** -- * get_net_ns - increment the refcount of the network namespace -- * @ns: common namespace (net) -- * -- * Returns the net's common namespace. -- */ -- --struct ns_common *get_net_ns(struct ns_common *ns) --{ -- return &get_net(container_of(ns, struct net, ns))->ns; --} --EXPORT_SYMBOL_GPL(get_net_ns); -- - static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) - { - struct socket *sock; -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5a31307ceb76d..5d1192ceb1397 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -535,12 +535,14 @@ static void unix_release_sock(struct sock *sk, int embrion) - u->path.mnt = NULL; - state = sk->sk_state; - sk->sk_state = TCP_CLOSE; -+ -+ skpair = unix_peer(sk); -+ unix_peer(sk) = NULL; -+ - unix_state_unlock(sk); - - wake_up_interruptible_all(&u->peer_wait); - -- skpair = unix_peer(sk); -- - if (skpair != NULL) { - if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { - unix_state_lock(skpair); -@@ -555,7 +557,6 @@ static void unix_release_sock(struct sock *sk, int embrion) - - unix_dgram_peer_wake_disconnect(sk, skpair); - sock_put(skpair); /* It may now die */ -- unix_peer(sk) = NULL; - } - - /* Try to flush out this socket. Throw out buffers at least */ -diff --git a/net/wireless/Makefile b/net/wireless/Makefile -index 2eee93985ab0d..af590ae606b69 100644 ---- a/net/wireless/Makefile -+++ b/net/wireless/Makefile -@@ -28,7 +28,7 @@ $(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex) - @$(kecho) " GEN $@" - @(echo '#include "reg.h"'; \ - echo 'const u8 shipped_regdb_certs[] = {'; \ -- cat $^ ; \ -+ echo | cat - $^ ; \ - echo '};'; \ - echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \ - ) > $@ -diff --git a/net/wireless/core.c b/net/wireless/core.c -index 589ee5a69a2e5..0e364f32794d3 100644 ---- a/net/wireless/core.c -+++ b/net/wireless/core.c -@@ -1339,6 +1339,11 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev, - rdev->devlist_generation++; - wdev->registered = true; - -+ if (wdev->netdev && -+ sysfs_create_link(&wdev->netdev->dev.kobj, &rdev->wiphy.dev.kobj, -+ "phy80211")) -+ pr_err("failed to add phy80211 symlink to netdev!\n"); -+ - nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE); - } - -@@ -1364,14 +1369,6 @@ int cfg80211_register_netdevice(struct net_device *dev) - if (ret) - goto out; - -- if (sysfs_create_link(&dev->dev.kobj, &rdev->wiphy.dev.kobj, -- "phy80211")) { -- pr_err("failed to add phy80211 symlink to netdev!\n"); -- unregister_netdevice(dev); -- ret = -EINVAL; -- goto out; -- } -- - cfg80211_register_wdev(rdev, wdev); - ret = 0; - out: -diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c -index a95c79d183492..a817d8e3e4b36 100644 ---- a/net/wireless/pmsr.c -+++ b/net/wireless/pmsr.c -@@ -324,6 +324,7 @@ void cfg80211_pmsr_complete(struct wireless_dev *wdev, - gfp_t gfp) - { - struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); -+ struct cfg80211_pmsr_request *tmp, *prev, *to_free = NULL; - struct sk_buff *msg; - void *hdr; - -@@ -354,9 +355,20 @@ free_msg: - nlmsg_free(msg); - free_request: - spin_lock_bh(&wdev->pmsr_lock); -- list_del(&req->list); -+ /* -+ * cfg80211_pmsr_process_abort() may have already moved this request -+ * to the free list, and will free it later. In this case, don't free -+ * it here. -+ */ -+ list_for_each_entry_safe(tmp, prev, &wdev->pmsr_list, list) { -+ if (tmp == req) { -+ list_del(&req->list); -+ to_free = req; -+ break; -+ } -+ } - spin_unlock_bh(&wdev->pmsr_lock); -- kfree(req); -+ kfree(to_free); - } - EXPORT_SYMBOL_GPL(cfg80211_pmsr_complete); - -diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c -index 9b959e3b09c6d..0c3f05c9be27a 100644 ---- a/net/wireless/sysfs.c -+++ b/net/wireless/sysfs.c -@@ -133,6 +133,10 @@ static int wiphy_resume(struct device *dev) - if (rdev->wiphy.registered && rdev->ops->resume) - ret = rdev_resume(rdev); - wiphy_unlock(&rdev->wiphy); -+ -+ if (ret) -+ cfg80211_shutdown_all_interfaces(&rdev->wiphy); -+ - rtnl_unlock(); - - return ret; -diff --git a/sound/soc/codecs/rt5659.c b/sound/soc/codecs/rt5659.c -index 91a4ef7f620ca..a9b079d56fd69 100644 ---- a/sound/soc/codecs/rt5659.c -+++ b/sound/soc/codecs/rt5659.c -@@ -2433,13 +2433,18 @@ static int set_dmic_power(struct snd_soc_dapm_widget *w, - return 0; - } - --static const struct snd_soc_dapm_widget rt5659_dapm_widgets[] = { -+static const struct snd_soc_dapm_widget rt5659_particular_dapm_widgets[] = { - SND_SOC_DAPM_SUPPLY("LDO2", RT5659_PWR_ANLG_3, RT5659_PWR_LDO2_BIT, 0, - NULL, 0), -- SND_SOC_DAPM_SUPPLY("PLL", RT5659_PWR_ANLG_3, RT5659_PWR_PLL_BIT, 0, -- NULL, 0), -+ SND_SOC_DAPM_SUPPLY("MICBIAS1", RT5659_PWR_ANLG_2, RT5659_PWR_MB1_BIT, -+ 0, NULL, 0), - SND_SOC_DAPM_SUPPLY("Mic Det Power", RT5659_PWR_VOL, - RT5659_PWR_MIC_DET_BIT, 0, NULL, 0), -+}; -+ -+static const struct snd_soc_dapm_widget rt5659_dapm_widgets[] = { -+ SND_SOC_DAPM_SUPPLY("PLL", RT5659_PWR_ANLG_3, RT5659_PWR_PLL_BIT, 0, -+ NULL, 0), - SND_SOC_DAPM_SUPPLY("Mono Vref", RT5659_PWR_ANLG_1, - RT5659_PWR_VREF3_BIT, 0, NULL, 0), - -@@ -2464,8 +2469,6 @@ static const struct snd_soc_dapm_widget rt5659_dapm_widgets[] = { - RT5659_ADC_MONO_R_ASRC_SFT, 0, NULL, 0), - - /* Input Side */ -- SND_SOC_DAPM_SUPPLY("MICBIAS1", RT5659_PWR_ANLG_2, RT5659_PWR_MB1_BIT, -- 0, NULL, 0), - SND_SOC_DAPM_SUPPLY("MICBIAS2", RT5659_PWR_ANLG_2, RT5659_PWR_MB2_BIT, - 0, NULL, 0), - SND_SOC_DAPM_SUPPLY("MICBIAS3", RT5659_PWR_ANLG_2, RT5659_PWR_MB3_BIT, -@@ -3660,10 +3663,23 @@ static int rt5659_set_bias_level(struct snd_soc_component *component, - - static int rt5659_probe(struct snd_soc_component *component) - { -+ struct snd_soc_dapm_context *dapm = -+ snd_soc_component_get_dapm(component); - struct rt5659_priv *rt5659 = snd_soc_component_get_drvdata(component); - - rt5659->component = component; - -+ switch (rt5659->pdata.jd_src) { -+ case RT5659_JD_HDA_HEADER: -+ break; -+ -+ default: -+ snd_soc_dapm_new_controls(dapm, -+ rt5659_particular_dapm_widgets, -+ ARRAY_SIZE(rt5659_particular_dapm_widgets)); -+ break; -+ } -+ - return 0; - } - -diff --git a/sound/soc/codecs/rt5682-sdw.c b/sound/soc/codecs/rt5682-sdw.c -index b49f1e16125d4..d1dd7f720ba48 100644 ---- a/sound/soc/codecs/rt5682-sdw.c -+++ b/sound/soc/codecs/rt5682-sdw.c -@@ -462,7 +462,8 @@ static int rt5682_io_init(struct device *dev, struct sdw_slave *slave) - - regmap_update_bits(rt5682->regmap, RT5682_CBJ_CTRL_2, - RT5682_EXT_JD_SRC, RT5682_EXT_JD_SRC_MANUAL); -- regmap_write(rt5682->regmap, RT5682_CBJ_CTRL_1, 0xd042); -+ regmap_write(rt5682->regmap, RT5682_CBJ_CTRL_1, 0xd142); -+ regmap_update_bits(rt5682->regmap, RT5682_CBJ_CTRL_5, 0x0700, 0x0600); - regmap_update_bits(rt5682->regmap, RT5682_CBJ_CTRL_3, - RT5682_CBJ_IN_BUF_EN, RT5682_CBJ_IN_BUF_EN); - regmap_update_bits(rt5682->regmap, RT5682_SAR_IL_CMD_1, -diff --git a/sound/soc/codecs/tas2562.h b/sound/soc/codecs/tas2562.h -index 81866aeb3fbfa..55b2a1f52ca37 100644 ---- a/sound/soc/codecs/tas2562.h -+++ b/sound/soc/codecs/tas2562.h -@@ -57,13 +57,13 @@ - #define TAS2562_TDM_CFG0_RAMPRATE_MASK BIT(5) - #define TAS2562_TDM_CFG0_RAMPRATE_44_1 BIT(5) - #define TAS2562_TDM_CFG0_SAMPRATE_MASK GENMASK(3, 1) --#define TAS2562_TDM_CFG0_SAMPRATE_7305_8KHZ 0x0 --#define TAS2562_TDM_CFG0_SAMPRATE_14_7_16KHZ 0x1 --#define TAS2562_TDM_CFG0_SAMPRATE_22_05_24KHZ 0x2 --#define TAS2562_TDM_CFG0_SAMPRATE_29_4_32KHZ 0x3 --#define TAS2562_TDM_CFG0_SAMPRATE_44_1_48KHZ 0x4 --#define TAS2562_TDM_CFG0_SAMPRATE_88_2_96KHZ 0x5 --#define TAS2562_TDM_CFG0_SAMPRATE_176_4_192KHZ 0x6 -+#define TAS2562_TDM_CFG0_SAMPRATE_7305_8KHZ (0x0 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_14_7_16KHZ (0x1 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_22_05_24KHZ (0x2 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_29_4_32KHZ (0x3 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_44_1_48KHZ (0x4 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_88_2_96KHZ (0x5 << 1) -+#define TAS2562_TDM_CFG0_SAMPRATE_176_4_192KHZ (0x6 << 1) - - #define TAS2562_TDM_CFG2_RIGHT_JUSTIFY BIT(6) - -diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c -index f62f81ceab0d2..9dcbe5d5a428c 100644 ---- a/sound/soc/fsl/fsl-asoc-card.c -+++ b/sound/soc/fsl/fsl-asoc-card.c -@@ -732,6 +732,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) - /* Initialize sound card */ - priv->pdev = pdev; - priv->card.dev = &pdev->dev; -+ priv->card.owner = THIS_MODULE; - ret = snd_soc_of_parse_card_name(&priv->card, "model"); - if (ret) { - snprintf(priv->name, sizeof(priv->name), "%s-audio", -diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c -index 936384a94f25e..74d3d8c586080 100644 ---- a/sound/soc/qcom/lpass-cpu.c -+++ b/sound/soc/qcom/lpass-cpu.c -@@ -93,8 +93,30 @@ static void lpass_cpu_daiops_shutdown(struct snd_pcm_substream *substream, - struct snd_soc_dai *dai) - { - struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai); -+ struct lpaif_i2sctl *i2sctl = drvdata->i2sctl; -+ unsigned int id = dai->driver->id; - - clk_disable_unprepare(drvdata->mi2s_osr_clk[dai->driver->id]); -+ /* -+ * Ensure LRCLK is disabled even in device node validation. -+ * Will not impact if disabled in lpass_cpu_daiops_trigger() -+ * suspend. -+ */ -+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -+ regmap_fields_write(i2sctl->spken, id, LPAIF_I2SCTL_SPKEN_DISABLE); -+ else -+ regmap_fields_write(i2sctl->micen, id, LPAIF_I2SCTL_MICEN_DISABLE); -+ -+ /* -+ * BCLK may not be enabled if lpass_cpu_daiops_prepare is called before -+ * lpass_cpu_daiops_shutdown. It's paired with the clk_enable in -+ * lpass_cpu_daiops_prepare. -+ */ -+ if (drvdata->mi2s_was_prepared[dai->driver->id]) { -+ drvdata->mi2s_was_prepared[dai->driver->id] = false; -+ clk_disable(drvdata->mi2s_bit_clk[dai->driver->id]); -+ } -+ - clk_unprepare(drvdata->mi2s_bit_clk[dai->driver->id]); - } - -@@ -275,6 +297,18 @@ static int lpass_cpu_daiops_trigger(struct snd_pcm_substream *substream, - case SNDRV_PCM_TRIGGER_START: - case SNDRV_PCM_TRIGGER_RESUME: - case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: -+ /* -+ * Ensure lpass BCLK/LRCLK is enabled during -+ * device resume as lpass_cpu_daiops_prepare() is not called -+ * after the device resumes. We don't check mi2s_was_prepared before -+ * enable/disable BCLK in trigger events because: -+ * 1. These trigger events are paired, so the BCLK -+ * enable_count is balanced. -+ * 2. the BCLK can be shared (ex: headset and headset mic), -+ * we need to increase the enable_count so that we don't -+ * turn off the shared BCLK while other devices are using -+ * it. -+ */ - if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { - ret = regmap_fields_write(i2sctl->spken, id, - LPAIF_I2SCTL_SPKEN_ENABLE); -@@ -296,6 +330,10 @@ static int lpass_cpu_daiops_trigger(struct snd_pcm_substream *substream, - case SNDRV_PCM_TRIGGER_STOP: - case SNDRV_PCM_TRIGGER_SUSPEND: - case SNDRV_PCM_TRIGGER_PAUSE_PUSH: -+ /* -+ * To ensure lpass BCLK/LRCLK is disabled during -+ * device suspend. -+ */ - if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { - ret = regmap_fields_write(i2sctl->spken, id, - LPAIF_I2SCTL_SPKEN_DISABLE); -@@ -315,12 +353,53 @@ static int lpass_cpu_daiops_trigger(struct snd_pcm_substream *substream, - return ret; - } - -+static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream, -+ struct snd_soc_dai *dai) -+{ -+ struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai); -+ struct lpaif_i2sctl *i2sctl = drvdata->i2sctl; -+ unsigned int id = dai->driver->id; -+ int ret; -+ -+ /* -+ * Ensure lpass BCLK/LRCLK is enabled bit before playback/capture -+ * data flow starts. This allows other codec to have some delay before -+ * the data flow. -+ * (ex: to drop start up pop noise before capture starts). -+ */ -+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -+ ret = regmap_fields_write(i2sctl->spken, id, LPAIF_I2SCTL_SPKEN_ENABLE); -+ else -+ ret = regmap_fields_write(i2sctl->micen, id, LPAIF_I2SCTL_MICEN_ENABLE); -+ -+ if (ret) { -+ dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret); -+ return ret; -+ } -+ -+ /* -+ * Check mi2s_was_prepared before enabling BCLK as lpass_cpu_daiops_prepare can -+ * be called multiple times. It's paired with the clk_disable in -+ * lpass_cpu_daiops_shutdown. -+ */ -+ if (!drvdata->mi2s_was_prepared[dai->driver->id]) { -+ ret = clk_enable(drvdata->mi2s_bit_clk[id]); -+ if (ret) { -+ dev_err(dai->dev, "error in enabling mi2s bit clk: %d\n", ret); -+ return ret; -+ } -+ drvdata->mi2s_was_prepared[dai->driver->id] = true; -+ } -+ return 0; -+} -+ - const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = { - .set_sysclk = lpass_cpu_daiops_set_sysclk, - .startup = lpass_cpu_daiops_startup, - .shutdown = lpass_cpu_daiops_shutdown, - .hw_params = lpass_cpu_daiops_hw_params, - .trigger = lpass_cpu_daiops_trigger, -+ .prepare = lpass_cpu_daiops_prepare, - }; - EXPORT_SYMBOL_GPL(asoc_qcom_lpass_cpu_dai_ops); - -diff --git a/sound/soc/qcom/lpass.h b/sound/soc/qcom/lpass.h -index 83b2e08ade060..7f72214404baf 100644 ---- a/sound/soc/qcom/lpass.h -+++ b/sound/soc/qcom/lpass.h -@@ -67,6 +67,10 @@ struct lpass_data { - /* MI2S SD lines to use for playback/capture */ - unsigned int mi2s_playback_sd_mode[LPASS_MAX_MI2S_PORTS]; - unsigned int mi2s_capture_sd_mode[LPASS_MAX_MI2S_PORTS]; -+ -+ /* The state of MI2S prepare dai_ops was called */ -+ bool mi2s_was_prepared[LPASS_MAX_MI2S_PORTS]; -+ - int hdmi_port_enable; - - /* low-power audio interface (LPAIF) registers */ -diff --git a/tools/include/uapi/linux/in.h b/tools/include/uapi/linux/in.h -index 7d6687618d808..d1b327036ae43 100644 ---- a/tools/include/uapi/linux/in.h -+++ b/tools/include/uapi/linux/in.h -@@ -289,6 +289,9 @@ struct sockaddr_in { - /* Address indicating an error return. */ - #define INADDR_NONE ((unsigned long int) 0xffffffff) - -+/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ -+#define INADDR_DUMMY ((unsigned long int) 0xc0000008) -+ - /* Network number for local host loopback. */ - #define IN_LOOPBACKNET 127 - -diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c -index 007fe5d594386..fe2bec500bf68 100644 ---- a/tools/lib/bpf/xsk.c -+++ b/tools/lib/bpf/xsk.c -@@ -928,7 +928,7 @@ int xsk_socket__create_shared(struct xsk_socket **xsk_ptr, - goto out_put_ctx; - } - if (xsk->fd == umem->fd) -- umem->rx_ring_setup_done = true; -+ umem->tx_ring_setup_done = true; - } - - err = xsk_get_mmap_offsets(xsk->fd, &off); -diff --git a/tools/perf/trace/beauty/include/linux/socket.h b/tools/perf/trace/beauty/include/linux/socket.h -index 385894b4a8bba..42222a84167f3 100644 ---- a/tools/perf/trace/beauty/include/linux/socket.h -+++ b/tools/perf/trace/beauty/include/linux/socket.h -@@ -438,6 +438,4 @@ extern int __sys_socketpair(int family, int type, int protocol, - int __user *usockvec); - extern int __sys_shutdown_sock(struct socket *sock, int how); - extern int __sys_shutdown(int fd, int how); -- --extern struct ns_common *get_net_ns(struct ns_common *ns); - #endif /* _LINUX_SOCKET_H */ -diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c -index 26c990e323781..939aed36e0c2a 100644 ---- a/tools/perf/util/metricgroup.c -+++ b/tools/perf/util/metricgroup.c -@@ -162,10 +162,10 @@ static bool contains_event(struct evsel **metric_events, int num_events, - return false; - } - --static bool evsel_same_pmu(struct evsel *ev1, struct evsel *ev2) -+static bool evsel_same_pmu_or_none(struct evsel *ev1, struct evsel *ev2) - { - if (!ev1->pmu_name || !ev2->pmu_name) -- return false; -+ return true; - - return !strcmp(ev1->pmu_name, ev2->pmu_name); - } -@@ -288,7 +288,7 @@ static struct evsel *find_evsel_group(struct evlist *perf_evlist, - */ - if (!has_constraint && - ev->leader != metric_events[i]->leader && -- evsel_same_pmu(ev->leader, metric_events[i]->leader)) -+ evsel_same_pmu_or_none(ev->leader, metric_events[i]->leader)) - break; - if (!strcmp(metric_events[i]->name, ev->name)) { - set_bit(ev->idx, evlist_used); -@@ -1072,16 +1072,18 @@ static int metricgroup__add_metric_sys_event_iter(struct pmu_event *pe, - - ret = add_metric(d->metric_list, pe, d->metric_no_group, &m, NULL, d->ids); - if (ret) -- return ret; -+ goto out; - - ret = resolve_metric(d->metric_no_group, - d->metric_list, NULL, d->ids); - if (ret) -- return ret; -+ goto out; - - *(d->has_match) = true; - -- return *d->ret; -+out: -+ *(d->ret) = ret; -+ return ret; - } - - static int metricgroup__add_metric(const char *metric, bool metric_no_group, -diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh -index 2b5707738609e..6fad54c7ecb4a 100755 ---- a/tools/testing/selftests/net/fib_tests.sh -+++ b/tools/testing/selftests/net/fib_tests.sh -@@ -1384,12 +1384,37 @@ ipv4_rt_replace() - ipv4_rt_replace_mpath - } - -+# checks that cached input route on VRF port is deleted -+# when VRF is deleted -+ipv4_local_rt_cache() -+{ -+ run_cmd "ip addr add 10.0.0.1/32 dev lo" -+ run_cmd "ip netns add test-ns" -+ run_cmd "ip link add veth-outside type veth peer name veth-inside" -+ run_cmd "ip link add vrf-100 type vrf table 1100" -+ run_cmd "ip link set veth-outside master vrf-100" -+ run_cmd "ip link set veth-inside netns test-ns" -+ run_cmd "ip link set veth-outside up" -+ run_cmd "ip link set vrf-100 up" -+ run_cmd "ip route add 10.1.1.1/32 dev veth-outside table 1100" -+ run_cmd "ip netns exec test-ns ip link set veth-inside up" -+ run_cmd "ip netns exec test-ns ip addr add 10.1.1.1/32 dev veth-inside" -+ run_cmd "ip netns exec test-ns ip route add 10.0.0.1/32 dev veth-inside" -+ run_cmd "ip netns exec test-ns ip route add default via 10.0.0.1" -+ run_cmd "ip netns exec test-ns ping 10.0.0.1 -c 1 -i 1" -+ run_cmd "ip link delete vrf-100" -+ -+ # if we do not hang test is a success -+ log_test $? 0 "Cached route removed from VRF port device" -+} -+ - ipv4_route_test() - { - route_setup - - ipv4_rt_add - ipv4_rt_replace -+ ipv4_local_rt_cache - - route_cleanup - } -diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh -index 65b3b983efc26..8763706b0d047 100755 ---- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh -+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh -@@ -197,9 +197,6 @@ ip -net "$ns4" link set ns4eth3 up - ip -net "$ns4" route add default via 10.0.3.2 - ip -net "$ns4" route add default via dead:beef:3::2 - --# use TCP syn cookies, even if no flooding was detected. --ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=2 -- - set_ethtool_flags() { - local ns="$1" - local dev="$2" -@@ -711,6 +708,14 @@ for sender in $ns1 $ns2 $ns3 $ns4;do - exit $ret - fi - -+ # ns1<->ns2 is not subject to reordering/tc delays. Use it to test -+ # mptcp syncookie support. -+ if [ $sender = $ns1 ]; then -+ ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=2 -+ else -+ ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=1 -+ fi -+ - run_tests "$ns2" $sender 10.0.1.2 - run_tests "$ns2" $sender dead:beef:1::2 - run_tests "$ns2" $sender 10.0.2.1 diff --git a/patch/kernel/archive/sunxi-5.12/patch-5.12.13-14.patch b/patch/kernel/archive/sunxi-5.12/patch-5.12.13-14.patch new file mode 100644 index 0000000000..6e18a21d9a --- /dev/null +++ b/patch/kernel/archive/sunxi-5.12/patch-5.12.13-14.patch @@ -0,0 +1,4590 @@ +diff --git a/Makefile b/Makefile +index d2fe36db78aed..433f164f9ee0f 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 12 +-SUBLEVEL = 13 ++SUBLEVEL = 14 + EXTRAVERSION = + NAME = Frozen Wasteland + +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c +index 1a5edf562e85e..73ca7797b92f6 100644 +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -545,9 +545,11 @@ void notrace cpu_init(void) + * In Thumb-2, msr with an immediate value is not allowed. + */ + #ifdef CONFIG_THUMB2_KERNEL +-#define PLC "r" ++#define PLC_l "l" ++#define PLC_r "r" + #else +-#define PLC "I" ++#define PLC_l "I" ++#define PLC_r "I" + #endif + + /* +@@ -569,15 +571,15 @@ void notrace cpu_init(void) + "msr cpsr_c, %9" + : + : "r" (stk), +- PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), + "I" (offsetof(struct stack, irq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE), + "I" (offsetof(struct stack, abt[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE), + "I" (offsetof(struct stack, und[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), + "I" (offsetof(struct stack, fiq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE) ++ PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE) + : "r14"); + #endif + } +diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile +index 5243bf2327c02..a5ee34117321d 100644 +--- a/arch/riscv/Makefile ++++ b/arch/riscv/Makefile +@@ -16,7 +16,7 @@ ifeq ($(CONFIG_DYNAMIC_FTRACE),y) + CC_FLAGS_FTRACE := -fpatchable-function-entry=8 + endif + +-ifeq ($(CONFIG_64BIT)$(CONFIG_CMODEL_MEDLOW),yy) ++ifeq ($(CONFIG_CMODEL_MEDLOW),y) + KBUILD_CFLAGS_MODULE += -mcmodel=medany + endif + +diff --git a/arch/riscv/boot/dts/sifive/fu740-c000.dtsi b/arch/riscv/boot/dts/sifive/fu740-c000.dtsi +index eeb4f8c3e0e72..d0d206cdb9990 100644 +--- a/arch/riscv/boot/dts/sifive/fu740-c000.dtsi ++++ b/arch/riscv/boot/dts/sifive/fu740-c000.dtsi +@@ -272,7 +272,7 @@ + cache-size = <2097152>; + cache-unified; + interrupt-parent = <&plic0>; +- interrupts = <19 20 21 22>; ++ interrupts = <19 21 22 20>; + reg = <0x0 0x2010000 0x0 0x1000>; + }; + gpio: gpio@10060000 { +diff --git a/arch/s390/include/asm/stacktrace.h b/arch/s390/include/asm/stacktrace.h +index 2b543163d90a0..76c6034428be8 100644 +--- a/arch/s390/include/asm/stacktrace.h ++++ b/arch/s390/include/asm/stacktrace.h +@@ -91,12 +91,16 @@ struct stack_frame { + CALL_ARGS_4(arg1, arg2, arg3, arg4); \ + register unsigned long r4 asm("6") = (unsigned long)(arg5) + +-#define CALL_FMT_0 "=&d" (r2) : +-#define CALL_FMT_1 "+&d" (r2) : +-#define CALL_FMT_2 CALL_FMT_1 "d" (r3), +-#define CALL_FMT_3 CALL_FMT_2 "d" (r4), +-#define CALL_FMT_4 CALL_FMT_3 "d" (r5), +-#define CALL_FMT_5 CALL_FMT_4 "d" (r6), ++/* ++ * To keep this simple mark register 2-6 as being changed (volatile) ++ * by the called function, even though register 6 is saved/nonvolatile. ++ */ ++#define CALL_FMT_0 "=&d" (r2) ++#define CALL_FMT_1 "+&d" (r2) ++#define CALL_FMT_2 CALL_FMT_1, "+&d" (r3) ++#define CALL_FMT_3 CALL_FMT_2, "+&d" (r4) ++#define CALL_FMT_4 CALL_FMT_3, "+&d" (r5) ++#define CALL_FMT_5 CALL_FMT_4, "+&d" (r6) + + #define CALL_CLOBBER_5 "0", "1", "14", "cc", "memory" + #define CALL_CLOBBER_4 CALL_CLOBBER_5 +@@ -118,7 +122,7 @@ struct stack_frame { + " brasl 14,%[_fn]\n" \ + " la 15,0(%[_prev])\n" \ + : [_prev] "=&a" (prev), CALL_FMT_##nr \ +- [_stack] "R" (stack), \ ++ : [_stack] "R" (stack), \ + [_bc] "i" (offsetof(struct stack_frame, back_chain)), \ + [_frame] "d" (frame), \ + [_fn] "X" (fn) : CALL_CLOBBER_##nr); \ +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 9cc71ca9a88f9..e84f495e7eb29 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -418,6 +418,7 @@ ENTRY(\name) + xgr %r6,%r6 + xgr %r7,%r7 + xgr %r10,%r10 ++ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) + mvc __PT_R8(64,%r11),__LC_SAVE_AREA_ASYNC + stmg %r8,%r9,__PT_PSW(%r11) + tm %r8,0x0001 # coming from user space? +diff --git a/arch/s390/kernel/signal.c b/arch/s390/kernel/signal.c +index 90163e6184f5c..080e7aed181f4 100644 +--- a/arch/s390/kernel/signal.c ++++ b/arch/s390/kernel/signal.c +@@ -512,7 +512,6 @@ void arch_do_signal_or_restart(struct pt_regs *regs, bool has_signal) + + /* No handlers present - check for system call restart */ + clear_pt_regs_flag(regs, PIF_SYSCALL); +- clear_pt_regs_flag(regs, PIF_SYSCALL_RESTART); + if (current->thread.system_call) { + regs->int_code = current->thread.system_call; + switch (regs->gprs[2]) { +diff --git a/arch/s390/kernel/topology.c b/arch/s390/kernel/topology.c +index bfcc327acc6b2..26aa2614ee352 100644 +--- a/arch/s390/kernel/topology.c ++++ b/arch/s390/kernel/topology.c +@@ -66,7 +66,10 @@ static void cpu_group_map(cpumask_t *dst, struct mask_info *info, unsigned int c + { + static cpumask_t mask; + +- cpumask_copy(&mask, cpumask_of(cpu)); ++ cpumask_clear(&mask); ++ if (!cpu_online(cpu)) ++ goto out; ++ cpumask_set_cpu(cpu, &mask); + switch (topology_mode) { + case TOPOLOGY_MODE_HW: + while (info) { +@@ -83,10 +86,10 @@ static void cpu_group_map(cpumask_t *dst, struct mask_info *info, unsigned int c + default: + fallthrough; + case TOPOLOGY_MODE_SINGLE: +- cpumask_copy(&mask, cpumask_of(cpu)); + break; + } + cpumask_and(&mask, &mask, cpu_online_mask); ++out: + cpumask_copy(dst, &mask); + } + +@@ -95,7 +98,10 @@ static void cpu_thread_map(cpumask_t *dst, unsigned int cpu) + static cpumask_t mask; + int i; + +- cpumask_copy(&mask, cpumask_of(cpu)); ++ cpumask_clear(&mask); ++ if (!cpu_online(cpu)) ++ goto out; ++ cpumask_set_cpu(cpu, &mask); + if (topology_mode != TOPOLOGY_MODE_HW) + goto out; + cpu -= cpu % (smp_cpu_mtid + 1); +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c +index 4efd39aacb9f2..8767dc53b5699 100644 +--- a/arch/x86/entry/common.c ++++ b/arch/x86/entry/common.c +@@ -127,8 +127,8 @@ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs) + /* User code screwed up. */ + regs->ax = -EFAULT; + +- instrumentation_end(); + local_irq_disable(); ++ instrumentation_end(); + irqentry_exit_to_user_mode(regs); + return false; + } +@@ -266,15 +266,16 @@ __visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs) + irqentry_state_t state = irqentry_enter(regs); + bool inhcall; + ++ instrumentation_begin(); + run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs); + + inhcall = get_and_clear_inhcall(); + if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) { +- instrumentation_begin(); + irqentry_exit_cond_resched(); + instrumentation_end(); + restore_inhcall(inhcall); + } else { ++ instrumentation_end(); + irqentry_exit(regs, state); + } + } +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index 18df171296955..7050a9ebd73f1 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -45,9 +45,11 @@ + #include "perf_event.h" + + struct x86_pmu x86_pmu __read_mostly; ++static struct pmu pmu; + + DEFINE_PER_CPU(struct cpu_hw_events, cpu_hw_events) = { + .enabled = 1, ++ .pmu = &pmu, + }; + + DEFINE_STATIC_KEY_FALSE(rdpmc_never_available_key); +@@ -380,10 +382,12 @@ int x86_reserve_hardware(void) + if (!atomic_inc_not_zero(&pmc_refcount)) { + mutex_lock(&pmc_reserve_mutex); + if (atomic_read(&pmc_refcount) == 0) { +- if (!reserve_pmc_hardware()) ++ if (!reserve_pmc_hardware()) { + err = -EBUSY; +- else ++ } else { + reserve_ds_buffers(); ++ reserve_lbr_buffers(); ++ } + } + if (!err) + atomic_inc(&pmc_refcount); +@@ -724,16 +728,23 @@ void x86_pmu_enable_all(int added) + } + } + +-static struct pmu pmu; +- + static inline int is_x86_event(struct perf_event *event) + { + return event->pmu == &pmu; + } + +-struct pmu *x86_get_pmu(void) ++struct pmu *x86_get_pmu(unsigned int cpu) + { +- return &pmu; ++ struct cpu_hw_events *cpuc = &per_cpu(cpu_hw_events, cpu); ++ ++ /* ++ * All CPUs of the hybrid type have been offline. ++ * The x86_get_pmu() should not be invoked. ++ */ ++ if (WARN_ON_ONCE(!cpuc->pmu)) ++ return &pmu; ++ ++ return cpuc->pmu; + } + /* + * Event scheduler state: +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 4c18e7fb58f58..77fe4fece6798 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -4879,7 +4879,7 @@ static void update_tfa_sched(void *ignored) + * and if so force schedule out for all event types all contexts + */ + if (test_bit(3, cpuc->active_mask)) +- perf_pmu_resched(x86_get_pmu()); ++ perf_pmu_resched(x86_get_pmu(smp_processor_id())); + } + + static ssize_t show_sysctl_tfa(struct device *cdev, +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index d32b302719fe5..72df2f392c863 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -2192,7 +2192,7 @@ void __init intel_ds_init(void) + PERF_SAMPLE_TIME; + x86_pmu.flags |= PMU_FL_PEBS_ALL; + pebs_qual = "-baseline"; +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_EXTENDED_REGS; ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_EXTENDED_REGS; + } else { + /* Only basic record supported */ + x86_pmu.large_pebs_flags &= +@@ -2207,7 +2207,7 @@ void __init intel_ds_init(void) + + if (x86_pmu.intel_cap.pebs_output_pt_available) { + pr_cont("PEBS-via-PT, "); +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_AUX_OUTPUT; ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_AUX_OUTPUT; + } + + break; +diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c +index 21890dacfcfee..c9cd6ce0fa2ad 100644 +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -658,7 +658,6 @@ static inline bool branch_user_callstack(unsigned br_sel) + + void intel_pmu_lbr_add(struct perf_event *event) + { +- struct kmem_cache *kmem_cache = event->pmu->task_ctx_cache; + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); + + if (!x86_pmu.lbr_nr) +@@ -696,16 +695,11 @@ void intel_pmu_lbr_add(struct perf_event *event) + perf_sched_cb_inc(event->ctx->pmu); + if (!cpuc->lbr_users++ && !event->total_time_running) + intel_pmu_lbr_reset(); +- +- if (static_cpu_has(X86_FEATURE_ARCH_LBR) && +- kmem_cache && !cpuc->lbr_xsave && +- (cpuc->lbr_users != cpuc->lbr_pebs_users)) +- cpuc->lbr_xsave = kmem_cache_alloc(kmem_cache, GFP_KERNEL); + } + + void release_lbr_buffers(void) + { +- struct kmem_cache *kmem_cache = x86_get_pmu()->task_ctx_cache; ++ struct kmem_cache *kmem_cache; + struct cpu_hw_events *cpuc; + int cpu; + +@@ -714,6 +708,7 @@ void release_lbr_buffers(void) + + for_each_possible_cpu(cpu) { + cpuc = per_cpu_ptr(&cpu_hw_events, cpu); ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache; + if (kmem_cache && cpuc->lbr_xsave) { + kmem_cache_free(kmem_cache, cpuc->lbr_xsave); + cpuc->lbr_xsave = NULL; +@@ -721,6 +716,27 @@ void release_lbr_buffers(void) + } + } + ++void reserve_lbr_buffers(void) ++{ ++ struct kmem_cache *kmem_cache; ++ struct cpu_hw_events *cpuc; ++ int cpu; ++ ++ if (!static_cpu_has(X86_FEATURE_ARCH_LBR)) ++ return; ++ ++ for_each_possible_cpu(cpu) { ++ cpuc = per_cpu_ptr(&cpu_hw_events, cpu); ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache; ++ if (!kmem_cache || cpuc->lbr_xsave) ++ continue; ++ ++ cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache, ++ GFP_KERNEL | __GFP_ZERO, ++ cpu_to_node(cpu)); ++ } ++} ++ + void intel_pmu_lbr_del(struct perf_event *event) + { + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); +@@ -1609,7 +1625,7 @@ void intel_pmu_lbr_init_hsw(void) + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = hsw_lbr_sel_map; + +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0); ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0); + + if (lbr_from_signext_quirk_needed()) + static_branch_enable(&lbr_from_quirk_key); +@@ -1629,7 +1645,7 @@ __init void intel_pmu_lbr_init_skl(void) + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = hsw_lbr_sel_map; + +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0); ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0); + + /* + * SW branch filter usage: +@@ -1726,7 +1742,7 @@ static bool is_arch_lbr_xsave_available(void) + + void __init intel_pmu_arch_lbr_init(void) + { +- struct pmu *pmu = x86_get_pmu(); ++ struct pmu *pmu = x86_get_pmu(smp_processor_id()); + union cpuid28_eax eax; + union cpuid28_ebx ebx; + union cpuid28_ecx ecx; +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index 53b2b5fc23bca..35cdece5644fb 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -327,6 +327,8 @@ struct cpu_hw_events { + int n_pair; /* Large increment events */ + + void *kfree_on_online[X86_PERF_KFREE_MAX]; ++ ++ struct pmu *pmu; + }; + + #define __EVENT_CONSTRAINT_RANGE(c, e, n, m, w, o, f) { \ +@@ -905,7 +907,7 @@ static struct perf_pmu_events_ht_attr event_attr_##v = { \ + .event_str_ht = ht, \ + } + +-struct pmu *x86_get_pmu(void); ++struct pmu *x86_get_pmu(unsigned int cpu); + extern struct x86_pmu x86_pmu __read_mostly; + + static __always_inline struct x86_perf_task_context_opt *task_context_opt(void *ctx) +@@ -1135,6 +1137,8 @@ void reserve_ds_buffers(void); + + void release_lbr_buffers(void); + ++void reserve_lbr_buffers(void); ++ + extern struct event_constraint bts_constraint; + extern struct event_constraint vlbr_constraint; + +@@ -1282,6 +1286,10 @@ static inline void release_lbr_buffers(void) + { + } + ++static inline void reserve_lbr_buffers(void) ++{ ++} ++ + static inline int intel_pmu_init(void) + { + return 0; +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h +index fdee23ea4e173..16bf4d4a8159e 100644 +--- a/arch/x86/include/asm/fpu/internal.h ++++ b/arch/x86/include/asm/fpu/internal.h +@@ -204,6 +204,14 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu) + asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state.fxsave)); + } + ++static inline void fxsave(struct fxregs_state *fx) ++{ ++ if (IS_ENABLED(CONFIG_X86_32)) ++ asm volatile( "fxsave %[fx]" : [fx] "=m" (*fx)); ++ else ++ asm volatile("fxsaveq %[fx]" : [fx] "=m" (*fx)); ++} ++ + /* These macros all use (%edi)/(%rdi) as the single memory argument. */ + #define XSAVE ".byte " REX_PREFIX "0x0f,0xae,0x27" + #define XSAVEOPT ".byte " REX_PREFIX "0x0f,0xae,0x37" +@@ -268,28 +276,6 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu) + : "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \ + : "memory") + +-/* +- * This function is called only during boot time when x86 caps are not set +- * up and alternative can not be used yet. +- */ +-static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate) +-{ +- u64 mask = xfeatures_mask_all; +- u32 lmask = mask; +- u32 hmask = mask >> 32; +- int err; +- +- WARN_ON(system_state != SYSTEM_BOOTING); +- +- if (boot_cpu_has(X86_FEATURE_XSAVES)) +- XSTATE_OP(XSAVES, xstate, lmask, hmask, err); +- else +- XSTATE_OP(XSAVE, xstate, lmask, hmask, err); +- +- /* We should never fault when copying to a kernel buffer: */ +- WARN_ON_FPU(err); +-} +- + /* + * This function is called only during boot time when x86 caps are not set + * up and alternative can not be used yet. +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index ec3ae30547920..b7b92cdf3add4 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -221,28 +221,18 @@ sanitize_restored_user_xstate(union fpregs_state *state, + + if (use_xsave()) { + /* +- * Note: we don't need to zero the reserved bits in the +- * xstate_header here because we either didn't copy them at all, +- * or we checked earlier that they aren't set. ++ * Clear all feature bits which are not set in ++ * user_xfeatures and clear all extended features ++ * for fx_only mode. + */ ++ u64 mask = fx_only ? XFEATURE_MASK_FPSSE : user_xfeatures; + + /* +- * 'user_xfeatures' might have bits clear which are +- * set in header->xfeatures. This represents features that +- * were in init state prior to a signal delivery, and need +- * to be reset back to the init state. Clear any user +- * feature bits which are set in the kernel buffer to get +- * them back to the init state. +- * +- * Supervisor state is unchanged by input from userspace. +- * Ensure supervisor state bits stay set and supervisor +- * state is not modified. ++ * Supervisor state has to be preserved. The sigframe ++ * restore can only modify user features, i.e. @mask ++ * cannot contain them. + */ +- if (fx_only) +- header->xfeatures = XFEATURE_MASK_FPSSE; +- else +- header->xfeatures &= user_xfeatures | +- xfeatures_mask_supervisor(); ++ header->xfeatures &= mask | xfeatures_mask_supervisor(); + } + + if (use_fxsr()) { +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 2ad57cc14b83f..451435d7ff413 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -440,6 +440,25 @@ static void __init print_xstate_offset_size(void) + } + } + ++/* ++ * All supported features have either init state all zeros or are ++ * handled in setup_init_fpu() individually. This is an explicit ++ * feature list and does not use XFEATURE_MASK*SUPPORTED to catch ++ * newly added supported features at build time and make people ++ * actually look at the init state for the new feature. ++ */ ++#define XFEATURES_INIT_FPSTATE_HANDLED \ ++ (XFEATURE_MASK_FP | \ ++ XFEATURE_MASK_SSE | \ ++ XFEATURE_MASK_YMM | \ ++ XFEATURE_MASK_OPMASK | \ ++ XFEATURE_MASK_ZMM_Hi256 | \ ++ XFEATURE_MASK_Hi16_ZMM | \ ++ XFEATURE_MASK_PKRU | \ ++ XFEATURE_MASK_BNDREGS | \ ++ XFEATURE_MASK_BNDCSR | \ ++ XFEATURE_MASK_PASID) ++ + /* + * setup the xstate image representing the init state + */ +@@ -447,6 +466,10 @@ static void __init setup_init_fpu_buf(void) + { + static int on_boot_cpu __initdata = 1; + ++ BUILD_BUG_ON((XFEATURE_MASK_USER_SUPPORTED | ++ XFEATURE_MASK_SUPERVISOR_SUPPORTED) != ++ XFEATURES_INIT_FPSTATE_HANDLED); ++ + WARN_ON_FPU(!on_boot_cpu); + on_boot_cpu = 0; + +@@ -466,10 +489,22 @@ static void __init setup_init_fpu_buf(void) + copy_kernel_to_xregs_booting(&init_fpstate.xsave); + + /* +- * Dump the init state again. This is to identify the init state +- * of any feature which is not represented by all zero's. ++ * All components are now in init state. Read the state back so ++ * that init_fpstate contains all non-zero init state. This only ++ * works with XSAVE, but not with XSAVEOPT and XSAVES because ++ * those use the init optimization which skips writing data for ++ * components in init state. ++ * ++ * XSAVE could be used, but that would require to reshuffle the ++ * data when XSAVES is available because XSAVES uses xstate ++ * compaction. But doing so is a pointless exercise because most ++ * components have an all zeros init state except for the legacy ++ * ones (FP and SSE). Those can be saved with FXSAVE into the ++ * legacy area. Adding new features requires to ensure that init ++ * state is all zeroes or if not to add the necessary handling ++ * here. + */ +- copy_xregs_to_kernel_booting(&init_fpstate.xsave); ++ fxsave(&init_fpstate.fxsave); + } + + static int xfeature_uncompacted_offset(int xfeature_nr) +diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c +index dbc6214d69def..8f3b438f6fd3b 100644 +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -143,9 +143,25 @@ static void sev_asid_free(int asid) + mutex_unlock(&sev_bitmap_lock); + } + +-static void sev_unbind_asid(struct kvm *kvm, unsigned int handle) ++static void sev_decommission(unsigned int handle) + { + struct sev_data_decommission *decommission; ++ ++ if (!handle) ++ return; ++ ++ decommission = kzalloc(sizeof(*decommission), GFP_KERNEL); ++ if (!decommission) ++ return; ++ ++ decommission->handle = handle; ++ sev_guest_decommission(decommission, NULL); ++ ++ kfree(decommission); ++} ++ ++static void sev_unbind_asid(struct kvm *kvm, unsigned int handle) ++{ + struct sev_data_deactivate *data; + + if (!handle) +@@ -165,15 +181,7 @@ static void sev_unbind_asid(struct kvm *kvm, unsigned int handle) + + kfree(data); + +- decommission = kzalloc(sizeof(*decommission), GFP_KERNEL); +- if (!decommission) +- return; +- +- /* decommission handle */ +- decommission->handle = handle; +- sev_guest_decommission(decommission, NULL); +- +- kfree(decommission); ++ sev_decommission(handle); + } + + static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp) +@@ -303,8 +311,10 @@ static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) + + /* Bind ASID to this guest */ + ret = sev_bind_asid(kvm, start->handle, error); +- if (ret) ++ if (ret) { ++ sev_decommission(start->handle); + goto e_free_session; ++ } + + /* return handle to userspace */ + params.handle = start->handle; +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index 0a0e168be1cbe..9b0e771302cee 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar); + ++#define RS690_LOWER_TOP_OF_DRAM2 0x30 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31 ++#define RS690_HTIU_NB_INDEX 0xA8 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100 ++#define RS690_HTIU_NB_DATA 0xAC ++ ++/* ++ * Some BIOS implementations support RAM above 4GB, but do not configure the ++ * PCI host to respond to bus master accesses for these addresses. These ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA ++ * works as expected for addresses below 4GB. ++ * ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57) ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf ++ */ ++static void rs690_fix_64bit_dma(struct pci_dev *pdev) ++{ ++ u32 val = 0; ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1; ++ ++ if (top_of_dram <= (1ULL << 32)) ++ return; ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2); ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val); ++ ++ if (val) ++ return; ++ ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32); ++ ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX, ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE); ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma); ++ + #endif +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 8183ddb3700c4..64db5852432e7 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -592,8 +592,10 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_debug) + DEFINE_IDTENTRY_RAW(exc_xen_unknown_trap) + { + /* This should never happen and there is no way to handle it. */ ++ instrumentation_begin(); + pr_err("Unknown trap in Xen PV mode."); + BUG(); ++ instrumentation_end(); + } + + #ifdef CONFIG_X86_MCE +diff --git a/certs/Kconfig b/certs/Kconfig +index c94e93d8bccf0..ab88d2a7f3c7f 100644 +--- a/certs/Kconfig ++++ b/certs/Kconfig +@@ -83,4 +83,21 @@ config SYSTEM_BLACKLIST_HASH_LIST + wrapper to incorporate the list into the kernel. Each should + be a string of hex digits. + ++config SYSTEM_REVOCATION_LIST ++ bool "Provide system-wide ring of revocation certificates" ++ depends on SYSTEM_BLACKLIST_KEYRING ++ depends on PKCS7_MESSAGE_PARSER=y ++ help ++ If set, this allows revocation certificates to be stored in the ++ blacklist keyring and implements a hook whereby a PKCS#7 message can ++ be checked to see if it matches such a certificate. ++ ++config SYSTEM_REVOCATION_KEYS ++ string "X.509 certificates to be preloaded into the system blacklist keyring" ++ depends on SYSTEM_REVOCATION_LIST ++ help ++ If set, this option should be the filename of a PEM-formatted file ++ containing X.509 certificates to be included in the default blacklist ++ keyring. ++ + endmenu +diff --git a/certs/Makefile b/certs/Makefile +index f4c25b67aad90..b6db52ebf0beb 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -3,8 +3,9 @@ + # Makefile for the linux kernel signature checking certificates. + # + +-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o ++obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o ++obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o + else +@@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF + $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) + endif # CONFIG_SYSTEM_TRUSTED_KEYRING + +-clean-files := x509_certificate_list .x509.list ++clean-files := x509_certificate_list .x509.list x509_revocation_list + + ifeq ($(CONFIG_MODULE_SIG),y) + ############################################################################### +@@ -104,3 +105,17 @@ targets += signing_key.x509 + $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE + $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) + endif # CONFIG_MODULE_SIG ++ ++ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) ++ ++$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) ++ ++$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list ++ ++quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) ++ cmd_extract_certs = scripts/extract-cert $(2) $@ ++ ++targets += x509_revocation_list ++$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE ++ $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) ++endif +diff --git a/certs/blacklist.c b/certs/blacklist.c +index bffe4c6f4a9e2..c9a435b15af40 100644 +--- a/certs/blacklist.c ++++ b/certs/blacklist.c +@@ -17,9 +17,15 @@ + #include + #include + #include "blacklist.h" ++#include "common.h" + + static struct key *blacklist_keyring; + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++extern __initconst const u8 revocation_certificate_list[]; ++extern __initconst const unsigned long revocation_certificate_list_size; ++#endif ++ + /* + * The description must be a type prefix, a colon and then an even number of + * hex digits. The hash is kept in the description. +@@ -145,6 +151,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len) + } + EXPORT_SYMBOL_GPL(is_binary_blacklisted); + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++/** ++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist ++ * @data: The data blob containing the certificate ++ * @size: The size of data blob ++ */ ++int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ key_ref_t key; ++ ++ key = key_create_or_update(make_key_ref(blacklist_keyring, true), ++ "asymmetric", ++ NULL, ++ data, ++ size, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), ++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); ++ ++ if (IS_ERR(key)) { ++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); ++ return PTR_ERR(key); ++ } ++ ++ return 0; ++} ++ ++/** ++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked ++ * @pkcs7: The PKCS#7 message to check ++ */ ++int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ int ret; ++ ++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); ++ ++ if (ret == 0) ++ return -EKEYREJECTED; ++ ++ return -ENOKEY; ++} ++#endif ++ + /* + * Initialise the blacklist + */ +@@ -177,3 +226,18 @@ static int __init blacklist_init(void) + * Must be initialised before we try and load the keys into the keyring. + */ + device_initcall(blacklist_init); ++ ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++/* ++ * Load the compiled-in list of revocation X.509 certificates. ++ */ ++static __init int load_revocation_certificate_list(void) ++{ ++ if (revocation_certificate_list_size) ++ pr_notice("Loading compiled-in revocation X.509 certificates\n"); ++ ++ return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, ++ blacklist_keyring); ++} ++late_initcall(load_revocation_certificate_list); ++#endif +diff --git a/certs/blacklist.h b/certs/blacklist.h +index 1efd6fa0dc608..51b320cf85749 100644 +--- a/certs/blacklist.h ++++ b/certs/blacklist.h +@@ -1,3 +1,5 @@ + #include ++#include ++#include + + extern const char __initconst *const blacklist_hashes[]; +diff --git a/certs/common.c b/certs/common.c +new file mode 100644 +index 0000000000000..16a220887a53e +--- /dev/null ++++ b/certs/common.c +@@ -0,0 +1,57 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++ ++#include ++#include ++#include "common.h" ++ ++int load_certificate_list(const u8 cert_list[], ++ const unsigned long list_size, ++ const struct key *keyring) ++{ ++ key_ref_t key; ++ const u8 *p, *end; ++ size_t plen; ++ ++ p = cert_list; ++ end = p + list_size; ++ while (p < end) { ++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more ++ * than 256 bytes in size. ++ */ ++ if (end - p < 4) ++ goto dodgy_cert; ++ if (p[0] != 0x30 && ++ p[1] != 0x82) ++ goto dodgy_cert; ++ plen = (p[2] << 8) | p[3]; ++ plen += 4; ++ if (plen > end - p) ++ goto dodgy_cert; ++ ++ key = key_create_or_update(make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ p, ++ plen, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ), ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_BUILT_IN | ++ KEY_ALLOC_BYPASS_RESTRICTION); ++ if (IS_ERR(key)) { ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ } else { ++ pr_notice("Loaded X.509 cert '%s'\n", ++ key_ref_to_ptr(key)->description); ++ key_ref_put(key); ++ } ++ p += plen; ++ } ++ ++ return 0; ++ ++dodgy_cert: ++ pr_err("Problem parsing in-kernel X.509 certificate list\n"); ++ return 0; ++} +diff --git a/certs/common.h b/certs/common.h +new file mode 100644 +index 0000000000000..abdb5795936b7 +--- /dev/null ++++ b/certs/common.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++ ++#ifndef _CERT_COMMON_H ++#define _CERT_COMMON_H ++ ++int load_certificate_list(const u8 cert_list[], const unsigned long list_size, ++ const struct key *keyring); ++ ++#endif +diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S +new file mode 100644 +index 0000000000000..f21aae8a8f0ef +--- /dev/null ++++ b/certs/revocation_certificates.S +@@ -0,0 +1,21 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#include ++#include ++ ++ __INITRODATA ++ ++ .align 8 ++ .globl revocation_certificate_list ++revocation_certificate_list: ++__revocation_list_start: ++ .incbin "certs/x509_revocation_list" ++__revocation_list_end: ++ ++ .align 8 ++ .globl revocation_certificate_list_size ++revocation_certificate_list_size: ++#ifdef CONFIG_64BIT ++ .quad __revocation_list_end - __revocation_list_start ++#else ++ .long __revocation_list_end - __revocation_list_start ++#endif +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 4b693da488f14..0c9a4795e847b 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "common.h" + + static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +@@ -137,54 +138,10 @@ device_initcall(system_trusted_keyring_init); + */ + static __init int load_system_certificate_list(void) + { +- key_ref_t key; +- const u8 *p, *end; +- size_t plen; +- + pr_notice("Loading compiled-in X.509 certificates\n"); + +- p = system_certificate_list; +- end = p + system_certificate_list_size; +- while (p < end) { +- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more +- * than 256 bytes in size. +- */ +- if (end - p < 4) +- goto dodgy_cert; +- if (p[0] != 0x30 && +- p[1] != 0x82) +- goto dodgy_cert; +- plen = (p[2] << 8) | p[3]; +- plen += 4; +- if (plen > end - p) +- goto dodgy_cert; +- +- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), +- "asymmetric", +- NULL, +- p, +- plen, +- ((KEY_POS_ALL & ~KEY_POS_SETATTR) | +- KEY_USR_VIEW | KEY_USR_READ), +- KEY_ALLOC_NOT_IN_QUOTA | +- KEY_ALLOC_BUILT_IN | +- KEY_ALLOC_BYPASS_RESTRICTION); +- if (IS_ERR(key)) { +- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", +- PTR_ERR(key)); +- } else { +- pr_notice("Loaded X.509 cert '%s'\n", +- key_ref_to_ptr(key)->description); +- key_ref_put(key); +- } +- p += plen; +- } +- +- return 0; +- +-dodgy_cert: +- pr_err("Problem parsing in-kernel X.509 certificate list\n"); +- return 0; ++ return load_certificate_list(system_certificate_list, system_certificate_list_size, ++ builtin_trusted_keys); + } + late_initcall(load_system_certificate_list); + +@@ -242,6 +199,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, + pr_devel("PKCS#7 platform keyring is not available\n"); + goto error; + } ++ ++ ret = is_key_on_revocation_list(pkcs7); ++ if (ret != -ENOKEY) { ++ pr_devel("PKCS#7 platform key is on revocation list\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { +diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c +index 88310ac9ce906..62c536f9d9258 100644 +--- a/drivers/base/swnode.c ++++ b/drivers/base/swnode.c +@@ -1032,7 +1032,15 @@ int device_add_software_node(struct device *dev, const struct software_node *nod + } + + set_secondary_fwnode(dev, &swnode->fwnode); +- software_node_notify(dev, KOBJ_ADD); ++ ++ /* ++ * If the device has been fully registered by the time this function is ++ * called, software_node_notify() must be called separately so that the ++ * symlinks get created and the reference count of the node is kept in ++ * balance. ++ */ ++ if (device_is_registered(dev)) ++ software_node_notify(dev, KOBJ_ADD); + + return 0; + } +@@ -1052,7 +1060,8 @@ void device_remove_software_node(struct device *dev) + if (!swnode) + return; + +- software_node_notify(dev, KOBJ_REMOVE); ++ if (device_is_registered(dev)) ++ software_node_notify(dev, KOBJ_REMOVE); + set_secondary_fwnode(dev, NULL); + kobject_put(&swnode->kobj); + } +@@ -1106,8 +1115,7 @@ int software_node_notify(struct device *dev, unsigned long action) + + switch (action) { + case KOBJ_ADD: +- ret = sysfs_create_link_nowarn(&dev->kobj, &swnode->kobj, +- "software_node"); ++ ret = sysfs_create_link(&dev->kobj, &swnode->kobj, "software_node"); + if (ret) + break; + +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig +index 03b1b03349477..c42b17b76640e 100644 +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -690,6 +690,7 @@ config XILINX_ZYNQMP_DMA + + config XILINX_ZYNQMP_DPDMA + tristate "Xilinx DPDMA Engine" ++ depends on HAS_IOMEM && OF + select DMA_ENGINE + select DMA_VIRTUAL_CHANNELS + help +diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c +index 1d8a3876b7452..5ba8e8bc609fc 100644 +--- a/drivers/dma/idxd/cdev.c ++++ b/drivers/dma/idxd/cdev.c +@@ -110,6 +110,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp) + pasid = iommu_sva_get_pasid(sva); + if (pasid == IOMMU_PASID_INVALID) { + iommu_sva_unbind_device(sva); ++ rc = -EINVAL; + goto failed; + } + +diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c +index 27c07350971dd..375e7e647df6b 100644 +--- a/drivers/dma/mediatek/mtk-uart-apdma.c ++++ b/drivers/dma/mediatek/mtk-uart-apdma.c +@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg) + + static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd) + { +- struct dma_chan *chan = vd->tx.chan; +- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan); +- +- kfree(c->desc); ++ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd)); + } + + static void mtk_uart_apdma_start_tx(struct mtk_chan *c) +@@ -207,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c) + + static void mtk_uart_apdma_tx_handler(struct mtk_chan *c) + { +- struct mtk_uart_apdma_desc *d = c->desc; +- + mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B); + mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B); + mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B); +- +- list_del(&d->vd.node); +- vchan_cookie_complete(&d->vd); + } + + static void mtk_uart_apdma_rx_handler(struct mtk_chan *c) +@@ -245,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c) + + c->rx_status = d->avail_len - cnt; + mtk_uart_apdma_write(c, VFF_RPT, wg); ++} + +- list_del(&d->vd.node); +- vchan_cookie_complete(&d->vd); ++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c) ++{ ++ struct mtk_uart_apdma_desc *d = c->desc; ++ ++ if (d) { ++ list_del(&d->vd.node); ++ vchan_cookie_complete(&d->vd); ++ c->desc = NULL; ++ } + } + + static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id) +@@ -261,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id) + mtk_uart_apdma_rx_handler(c); + else if (c->dir == DMA_MEM_TO_DEV) + mtk_uart_apdma_tx_handler(c); ++ mtk_uart_apdma_chan_complete_handler(c); + spin_unlock_irqrestore(&c->vc.lock, flags); + + return IRQ_HANDLED; +@@ -348,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg + return NULL; + + /* Now allocate and setup the descriptor */ +- d = kzalloc(sizeof(*d), GFP_ATOMIC); ++ d = kzalloc(sizeof(*d), GFP_NOWAIT); + if (!d) + return NULL; + +@@ -366,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan) + unsigned long flags; + + spin_lock_irqsave(&c->vc.lock, flags); +- if (vchan_issue_pending(&c->vc)) { ++ if (vchan_issue_pending(&c->vc) && !c->desc) { + vd = vchan_next_desc(&c->vc); + c->desc = to_mtk_uart_apdma_desc(&vd->tx); + +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c +index d530c1bf11d97..6885b3dcd7a97 100644 +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1913,7 +1913,7 @@ static int rcar_dmac_probe(struct platform_device *pdev) + + /* Enable runtime PM and initialize the device. */ + pm_runtime_enable(&pdev->dev); +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { + dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret); + return ret; +diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c +index 36ba8b43e78de..18cbd1e43c2e8 100644 +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -1452,7 +1452,7 @@ static int stm32_mdma_alloc_chan_resources(struct dma_chan *c) + return -ENOMEM; + } + +- ret = pm_runtime_get_sync(dmadev->ddev.dev); ++ ret = pm_runtime_resume_and_get(dmadev->ddev.dev); + if (ret < 0) + return ret; + +@@ -1718,7 +1718,7 @@ static int stm32_mdma_pm_suspend(struct device *dev) + u32 ccr, id; + int ret; + +- ret = pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); + if (ret < 0) + return ret; + +diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c +index ff7dfb3fdeb47..6c709803203ad 100644 +--- a/drivers/dma/xilinx/xilinx_dpdma.c ++++ b/drivers/dma/xilinx/xilinx_dpdma.c +@@ -113,6 +113,7 @@ + #define XILINX_DPDMA_CH_VDO 0x020 + #define XILINX_DPDMA_CH_PYLD_SZ 0x024 + #define XILINX_DPDMA_CH_DESC_ID 0x028 ++#define XILINX_DPDMA_CH_DESC_ID_MASK GENMASK(15, 0) + + /* DPDMA descriptor fields */ + #define XILINX_DPDMA_DESC_CONTROL_PREEMBLE 0xa5 +@@ -866,7 +867,8 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan) + * will be used, but it should be enough. + */ + list_for_each_entry(sw_desc, &desc->descriptors, node) +- sw_desc->hw.desc_id = desc->vdesc.tx.cookie; ++ sw_desc->hw.desc_id = desc->vdesc.tx.cookie ++ & XILINX_DPDMA_CH_DESC_ID_MASK; + + sw_desc = list_first_entry(&desc->descriptors, + struct xilinx_dpdma_sw_desc, node); +@@ -1086,7 +1088,8 @@ static void xilinx_dpdma_chan_vsync_irq(struct xilinx_dpdma_chan *chan) + if (!chan->running || !pending) + goto out; + +- desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID); ++ desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID) ++ & XILINX_DPDMA_CH_DESC_ID_MASK; + + /* If the retrigger raced with vsync, retry at the next frame. */ + sw_desc = list_first_entry(&pending->descriptors, +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index d8419565b92cc..5fecf5aa6e858 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -468,7 +468,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan) + struct zynqmp_dma_desc_sw *desc; + int i, ret; + +- ret = pm_runtime_get_sync(chan->dev); ++ ret = pm_runtime_resume_and_get(chan->dev); + if (ret < 0) + return ret; + +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c +index 1631727bf0da1..c7b5446d01fd2 100644 +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -1880,6 +1880,7 @@ static void gpio_v2_line_info_changed_to_v1( + struct gpio_v2_line_info_changed *lic_v2, + struct gpioline_info_changed *lic_v1) + { ++ memset(lic_v1, 0, sizeof(*lic_v1)); + gpio_v2_line_info_to_v1(&lic_v2->info, &lic_v1->info); + lic_v1->timestamp = lic_v2->timestamp_ns; + lic_v1->event_type = lic_v2->event_type; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +index 47e0b48dc26fd..1c4623d25a62a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +@@ -214,9 +214,21 @@ static int amdgpu_dma_buf_pin(struct dma_buf_attachment *attach) + { + struct drm_gem_object *obj = attach->dmabuf->priv; + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj); ++ int r; + + /* pin buffer into GTT */ +- return amdgpu_bo_pin(bo, AMDGPU_GEM_DOMAIN_GTT); ++ r = amdgpu_bo_pin(bo, AMDGPU_GEM_DOMAIN_GTT); ++ if (r) ++ return r; ++ ++ if (bo->tbo.moving) { ++ r = dma_fence_wait(bo->tbo.moving, true); ++ if (r) { ++ amdgpu_bo_unpin(bo); ++ return r; ++ } ++ } ++ return 0; + } + + /** +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 72d23651501d4..2342c5d216f9b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -6769,12 +6769,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring) + if (ring->use_doorbell) { + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, + (adev->doorbell_index.kiq * 2) << 2); +- /* If GC has entered CGPG, ringing doorbell > first page doesn't +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround +- * this issue. +- */ + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, +- (adev->doorbell.size - 4)); ++ (adev->doorbell_index.userqueue_end * 2) << 2); + } + + WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 1fdfb7783404e..d2c020a91c0be 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -3623,12 +3623,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring) + if (ring->use_doorbell) { + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER, + (adev->doorbell_index.kiq * 2) << 2); +- /* If GC has entered CGPG, ringing doorbell > first page doesn't +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround +- * this issue. +- */ + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER, +- (adev->doorbell.size - 4)); ++ (adev->doorbell_index.userqueue_end * 2) << 2); + } + + WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL, +diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c +index f64e06e1067dd..96ea1a2c11dd6 100644 +--- a/drivers/gpu/drm/kmb/kmb_drv.c ++++ b/drivers/gpu/drm/kmb/kmb_drv.c +@@ -137,6 +137,7 @@ static int kmb_hw_init(struct drm_device *drm, unsigned long flags) + /* Allocate LCD interrupt resources */ + irq_lcd = platform_get_irq(pdev, 0); + if (irq_lcd < 0) { ++ ret = irq_lcd; + drm_err(&kmb->drm, "irq_lcd not found"); + goto setup_fail; + } +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c +index 347488685f745..60019d0532fcf 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -93,7 +93,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj) + if (ret) + return -EINVAL; + +- return 0; ++ ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL); ++ if (ret) ++ goto error; ++ ++ if (nvbo->bo.moving) ++ ret = dma_fence_wait(nvbo->bo.moving, true); ++ ++ ttm_bo_unreserve(&nvbo->bo); ++ if (ret) ++ goto error; ++ ++ return ret; ++ ++error: ++ nouveau_bo_unpin(nvbo); ++ return ret; + } + + void nouveau_gem_prime_unpin(struct drm_gem_object *obj) +diff --git a/drivers/gpu/drm/radeon/radeon_prime.c b/drivers/gpu/drm/radeon/radeon_prime.c +index 42a87948e28c5..4a90807351e72 100644 +--- a/drivers/gpu/drm/radeon/radeon_prime.c ++++ b/drivers/gpu/drm/radeon/radeon_prime.c +@@ -77,9 +77,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj) + + /* pin buffer into GTT */ + ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL); +- if (likely(ret == 0)) +- bo->prime_shared_count++; +- ++ if (unlikely(ret)) ++ goto error; ++ ++ if (bo->tbo.moving) { ++ ret = dma_fence_wait(bo->tbo.moving, false); ++ if (unlikely(ret)) { ++ radeon_bo_unpin(bo); ++ goto error; ++ } ++ } ++ ++ bo->prime_shared_count++; ++error: + radeon_bo_unreserve(bo); + return ret; + } +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 1fda574579afc..8106b5634fe10 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -159,6 +159,8 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force) + struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector); + bool connected = false; + ++ WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev)); ++ + if (vc4_hdmi->hpd_gpio) { + if (gpio_get_value_cansleep(vc4_hdmi->hpd_gpio) ^ + vc4_hdmi->hpd_active_low) +@@ -180,10 +182,12 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force) + } + } + ++ pm_runtime_put(&vc4_hdmi->pdev->dev); + return connector_status_connected; + } + + cec_phys_addr_invalidate(vc4_hdmi->cec_adap); ++ pm_runtime_put(&vc4_hdmi->pdev->dev); + return connector_status_disconnected; + } + +@@ -473,7 +477,6 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder, + HDMI_READ(HDMI_VID_CTL) & ~VC4_HD_VID_CTL_ENABLE); + + clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock); +- clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + + ret = pm_runtime_put(&vc4_hdmi->pdev->dev); +@@ -784,13 +787,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + return; + } + +- ret = clk_prepare_enable(vc4_hdmi->hsm_clock); +- if (ret) { +- DRM_ERROR("Failed to turn on HSM clock: %d\n", ret); +- clk_disable_unprepare(vc4_hdmi->pixel_clock); +- return; +- } +- + vc4_hdmi_cec_update_clk_div(vc4_hdmi); + + /* +@@ -801,7 +797,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + (hsm_rate > VC4_HSM_MID_CLOCK ? 150000000 : 75000000)); + if (ret) { + DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret); +- clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + return; + } +@@ -809,7 +804,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock); + if (ret) { + DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret); +- clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + return; + } +@@ -1929,6 +1923,29 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi) + return 0; + } + ++#ifdef CONFIG_PM ++static int vc4_hdmi_runtime_suspend(struct device *dev) ++{ ++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev); ++ ++ clk_disable_unprepare(vc4_hdmi->hsm_clock); ++ ++ return 0; ++} ++ ++static int vc4_hdmi_runtime_resume(struct device *dev) ++{ ++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = clk_prepare_enable(vc4_hdmi->hsm_clock); ++ if (ret) ++ return ret; ++ ++ return 0; ++} ++#endif ++ + static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + { + const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev); +@@ -2165,11 +2182,18 @@ static const struct of_device_id vc4_hdmi_dt_match[] = { + {} + }; + ++static const struct dev_pm_ops vc4_hdmi_pm_ops = { ++ SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend, ++ vc4_hdmi_runtime_resume, ++ NULL) ++}; ++ + struct platform_driver vc4_hdmi_driver = { + .probe = vc4_hdmi_dev_probe, + .remove = vc4_hdmi_dev_remove, + .driver = { + .name = "vc4_hdmi", + .of_match_table = vc4_hdmi_dt_match, ++ .pm = &vc4_hdmi_pm_ops, + }, + }; +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index f9e1c2ceaac05..04a1e38f2a6f0 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -978,6 +978,9 @@ static s32 i801_access(struct i2c_adapter *adap, u16 addr, + } + + out: ++ /* Unlock the SMBus device for use by BIOS/ACPI */ ++ outb_p(SMBHSTSTS_INUSE_STS, SMBHSTSTS(priv)); ++ + pm_runtime_mark_last_busy(&priv->pci_dev->dev); + pm_runtime_put_autosuspend(&priv->pci_dev->dev); + mutex_unlock(&priv->acpi_lock); +diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c +index a39f7d0927973..66dfa211e736b 100644 +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c +@@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs, + } + } + +- ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); ++ ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); + if (ret) { + dev_err(&adapter->dev, "failure sending STOP\n"); + return -EREMOTEIO; +@@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface, + * Set bus frequency. The frequency is: + * 120,000,000 / ( 16 + 2 * div * 4^prescale). + * Using dev = 52, prescale = 0 give 100KHz */ +- ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, ++ ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, + NULL, 0); + if (ret) { + dev_err(&interface->dev, "failure sending bit rate"); +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c +index 016a6106151a5..3f28eb4d17fe7 100644 +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -165,6 +165,7 @@ struct meson_host { + + unsigned int bounce_buf_size; + void *bounce_buf; ++ void __iomem *bounce_iomem_buf; + dma_addr_t bounce_dma_addr; + struct sd_emmc_desc *descs; + dma_addr_t descs_dma_addr; +@@ -745,6 +746,47 @@ static void meson_mmc_desc_chain_transfer(struct mmc_host *mmc, u32 cmd_cfg) + writel(start, host->regs + SD_EMMC_START); + } + ++/* local sg copy to buffer version with _to/fromio usage for dram_access_quirk */ ++static void meson_mmc_copy_buffer(struct meson_host *host, struct mmc_data *data, ++ size_t buflen, bool to_buffer) ++{ ++ unsigned int sg_flags = SG_MITER_ATOMIC; ++ struct scatterlist *sgl = data->sg; ++ unsigned int nents = data->sg_len; ++ struct sg_mapping_iter miter; ++ unsigned int offset = 0; ++ ++ if (to_buffer) ++ sg_flags |= SG_MITER_FROM_SG; ++ else ++ sg_flags |= SG_MITER_TO_SG; ++ ++ sg_miter_start(&miter, sgl, nents, sg_flags); ++ ++ while ((offset < buflen) && sg_miter_next(&miter)) { ++ unsigned int len; ++ ++ len = min(miter.length, buflen - offset); ++ ++ /* When dram_access_quirk, the bounce buffer is a iomem mapping */ ++ if (host->dram_access_quirk) { ++ if (to_buffer) ++ memcpy_toio(host->bounce_iomem_buf + offset, miter.addr, len); ++ else ++ memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len); ++ } else { ++ if (to_buffer) ++ memcpy(host->bounce_buf + offset, miter.addr, len); ++ else ++ memcpy(miter.addr, host->bounce_buf + offset, len); ++ } ++ ++ offset += len; ++ } ++ ++ sg_miter_stop(&miter); ++} ++ + static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd) + { + struct meson_host *host = mmc_priv(mmc); +@@ -788,8 +830,7 @@ static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd) + if (data->flags & MMC_DATA_WRITE) { + cmd_cfg |= CMD_CFG_DATA_WR; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- sg_copy_to_buffer(data->sg, data->sg_len, +- host->bounce_buf, xfer_bytes); ++ meson_mmc_copy_buffer(host, data, xfer_bytes, true); + dma_wmb(); + } + +@@ -958,8 +999,7 @@ static irqreturn_t meson_mmc_irq_thread(int irq, void *dev_id) + if (meson_mmc_bounce_buf_read(data)) { + xfer_bytes = data->blksz * data->blocks; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- sg_copy_from_buffer(data->sg, data->sg_len, +- host->bounce_buf, xfer_bytes); ++ meson_mmc_copy_buffer(host, data, xfer_bytes, false); + } + + next_cmd = meson_mmc_get_next_command(cmd); +@@ -1179,7 +1219,7 @@ static int meson_mmc_probe(struct platform_device *pdev) + * instead of the DDR memory + */ + host->bounce_buf_size = SD_EMMC_SRAM_DATA_BUF_LEN; +- host->bounce_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF; ++ host->bounce_iomem_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF; + host->bounce_dma_addr = res->start + SD_EMMC_SRAM_DATA_BUF_OFF; + } else { + /* data bounce buffer */ +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 9f30748da4ab9..8c38f224becbc 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -350,6 +350,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); + return -ENODEV; +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +index 17d5b649eb36b..e81dd34a3cac2 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -1266,9 +1266,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn, + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC; + + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled; ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) != ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + memcpy(&p_hwfn->p_dcbx_info->set.config.params, + &dcbx_info->operational.params, +- sizeof(struct qed_dcbx_admin_params)); ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + p_hwfn->p_dcbx_info->set.config.valid = true; + + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set)); +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 1df2c002c9f64..f7a56e05ec8a4 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -1673,7 +1673,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch(stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings)); ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings)); + break; + } + } +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index f029c7c03804f..393cf99856ed3 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2287,7 +2287,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *sh_eth_gstrings_stats, ++ memcpy(data, sh_eth_gstrings_stats, + sizeof(sh_eth_gstrings_stats)); + break; + } +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 01bb36e7cff0a..6bd3a389d389c 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -774,12 +774,15 @@ static void temac_start_xmit_done(struct net_device *ndev) + stat = be32_to_cpu(cur_p->app0); + + while (stat & STS_CTRL_APP0_CMPLT) { ++ /* Make sure that the other fields are read after bd is ++ * released by dma ++ */ ++ rmb(); + dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys), + be32_to_cpu(cur_p->len), DMA_TO_DEVICE); + skb = (struct sk_buff *)ptr_from_txbd(cur_p); + if (skb) + dev_consume_skb_irq(skb); +- cur_p->app0 = 0; + cur_p->app1 = 0; + cur_p->app2 = 0; + cur_p->app3 = 0; +@@ -788,6 +791,12 @@ static void temac_start_xmit_done(struct net_device *ndev) + ndev->stats.tx_packets++; + ndev->stats.tx_bytes += be32_to_cpu(cur_p->len); + ++ /* app0 must be visible last, as it is used to flag ++ * availability of the bd ++ */ ++ smp_mb(); ++ cur_p->app0 = 0; ++ + lp->tx_bd_ci++; + if (lp->tx_bd_ci >= lp->tx_bd_num) + lp->tx_bd_ci = 0; +@@ -814,6 +823,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag) + if (cur_p->app0) + return NETDEV_TX_BUSY; + ++ /* Make sure to read next bd app0 after this one */ ++ rmb(); ++ + tail++; + if (tail >= lp->tx_bd_num) + tail = 0; +@@ -930,6 +942,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + wmb(); + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */ + ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) { ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__); ++ netif_stop_queue(ndev); ++ } ++ + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 9bd9a5c0b1db3..6bbc81ad295fb 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -826,16 +826,12 @@ static int dp83867_phy_reset(struct phy_device *phydev) + { + int err; + +- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET); ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); + if (err < 0) + return err; + + usleep_range(10, 20); + +- /* After reset FORCE_LINK_GOOD bit is set. Although the +- * default value should be unset. Disable FORCE_LINK_GOOD +- * for the phy to work properly. +- */ + return phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); + } +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 6700f1970b240..bc55ec739af90 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -575,7 +575,7 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + + if (info->flags & QMI_WWAN_FLAG_PASS_THROUGH) { + skb->protocol = htons(ETH_P_MAP); +- return (netif_rx(skb) == NET_RX_SUCCESS); ++ return 1; + } + + switch (skb->data[0] & 0xf0) { +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 20fb5638ac653..23fae943a1192 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -6078,7 +6078,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); + break; + } + } +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index fa7d4c20dc13a..30b39cb4056a3 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -1693,8 +1693,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw) + static void mac80211_hwsim_stop(struct ieee80211_hw *hw) + { + struct mac80211_hwsim_data *data = hw->priv; ++ + data->started = false; + hrtimer_cancel(&data->beacon_timer); ++ ++ while (!skb_queue_empty(&data->pending)) ++ ieee80211_free_txskb(hw, skb_dequeue(&data->pending)); ++ + wiphy_dbg(hw->wiphy, "%s\n", __func__); + } + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index e4d4e399004b4..16a17215f633d 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1870,11 +1870,21 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + int err; + int i, bars = 0; + +- if (atomic_inc_return(&dev->enable_cnt) > 1) { +- pci_update_current_state(dev, dev->current_state); +- return 0; /* already enabled */ ++ /* ++ * Power state could be unknown at this point, either due to a fresh ++ * boot or a device removal call. So get the current power state ++ * so that things like MSI message writing will behave as expected ++ * (e.g. if the device really is in D0 at enable time). ++ */ ++ if (dev->pm_cap) { ++ u16 pmcsr; ++ pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); ++ dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); + } + ++ if (atomic_inc_return(&dev->enable_cnt) > 1) ++ return 0; /* already enabled */ ++ + bridge = pci_upstream_bridge(dev); + if (bridge) + pci_enable_bridge(bridge); +diff --git a/drivers/pinctrl/pinctrl-microchip-sgpio.c b/drivers/pinctrl/pinctrl-microchip-sgpio.c +index c12fa57ebd12c..165cb7a597155 100644 +--- a/drivers/pinctrl/pinctrl-microchip-sgpio.c ++++ b/drivers/pinctrl/pinctrl-microchip-sgpio.c +@@ -845,8 +845,10 @@ static int microchip_sgpio_probe(struct platform_device *pdev) + i = 0; + device_for_each_child_node(dev, fwnode) { + ret = microchip_sgpio_register_bank(dev, priv, fwnode, i++); +- if (ret) ++ if (ret) { ++ fwnode_handle_put(fwnode); + return ret; ++ } + } + + if (priv->in.gpio.ngpio != priv->out.gpio.ngpio) { +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 7d9bdedcd71bb..3af4430543dca 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -1229,7 +1229,7 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + struct device *dev = pctl->dev; + struct resource res; + int npins = STM32_GPIO_PINS_PER_BANK; +- int bank_nr, err; ++ int bank_nr, err, i = 0; + + if (!IS_ERR(bank->rstc)) + reset_control_deassert(bank->rstc); +@@ -1251,9 +1251,14 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + + of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label); + +- if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) { ++ if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) { + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK; + bank->gpio_chip.base = args.args[1]; ++ ++ npins = args.args[2]; ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++ ++i, &args)) ++ npins += args.args[2]; + } else { + bank_nr = pctl->nbanks; + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK; +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index ed0b1bb99f083..a0356f3707b86 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1387,6 +1387,22 @@ static void sd_uninit_command(struct scsi_cmnd *SCpnt) + } + } + ++static bool sd_need_revalidate(struct block_device *bdev, ++ struct scsi_disk *sdkp) ++{ ++ if (sdkp->device->removable || sdkp->write_prot) { ++ if (bdev_check_media_change(bdev)) ++ return true; ++ } ++ ++ /* ++ * Force a full rescan after ioctl(BLKRRPART). While the disk state has ++ * nothing to do with partitions, BLKRRPART is used to force a full ++ * revalidate after things like a format for historical reasons. ++ */ ++ return test_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state); ++} ++ + /** + * sd_open - open a scsi disk device + * @bdev: Block device of the scsi disk to open +@@ -1423,10 +1439,8 @@ static int sd_open(struct block_device *bdev, fmode_t mode) + if (!scsi_block_when_processing_errors(sdev)) + goto error_out; + +- if (sdev->removable || sdkp->write_prot) { +- if (bdev_check_media_change(bdev)) +- sd_revalidate_disk(bdev->bd_disk); +- } ++ if (sd_need_revalidate(bdev, sdkp)) ++ sd_revalidate_disk(bdev->bd_disk); + + /* + * If the drive is empty, just let the open fail. +diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c +index ab9035662717a..bcc0b5a3a459c 100644 +--- a/drivers/spi/spi-nxp-fspi.c ++++ b/drivers/spi/spi-nxp-fspi.c +@@ -1033,12 +1033,6 @@ static int nxp_fspi_probe(struct platform_device *pdev) + goto err_put_ctrl; + } + +- /* Clear potential interrupts */ +- reg = fspi_readl(f, f->iobase + FSPI_INTR); +- if (reg) +- fspi_writel(f, reg, f->iobase + FSPI_INTR); +- +- + /* find the resources - controller memory mapped space */ + if (is_acpi_node(f->dev->fwnode)) + res = platform_get_resource(pdev, IORESOURCE_MEM, 1); +@@ -1076,6 +1070,11 @@ static int nxp_fspi_probe(struct platform_device *pdev) + } + } + ++ /* Clear potential interrupts */ ++ reg = fspi_readl(f, f->iobase + FSPI_INTR); ++ if (reg) ++ fspi_writel(f, reg, f->iobase + FSPI_INTR); ++ + /* find the irq */ + ret = platform_get_irq(pdev, 0); + if (ret < 0) +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 7bbfd58958bcc..d7e361fb05482 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -642,6 +642,9 @@ static void xen_irq_lateeoi_locked(struct irq_info *info, bool spurious) + } + + info->eoi_time = 0; ++ ++ /* is_active hasn't been reset yet, do it now. */ ++ smp_store_release(&info->is_active, 0); + do_unmask(info, EVT_MASK_REASON_EOI_PENDING); + } + +@@ -811,6 +814,7 @@ static void xen_evtchn_close(evtchn_port_t port) + BUG(); + } + ++/* Not called for lateeoi events. */ + static void event_handler_exit(struct irq_info *info) + { + smp_store_release(&info->is_active, 0); +@@ -1883,7 +1887,12 @@ static void lateeoi_ack_dynirq(struct irq_data *data) + + if (VALID_EVTCHN(evtchn)) { + do_mask(info, EVT_MASK_REASON_EOI_PENDING); +- event_handler_exit(info); ++ /* ++ * Don't call event_handler_exit(). ++ * Need to keep is_active non-zero in order to ignore re-raised ++ * events after cpu affinity changes while a lateeoi is pending. ++ */ ++ clear_evtchn(evtchn); + } + } + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index 26e66436f0058..c000fe338f7e0 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -1302,6 +1302,45 @@ ceph_find_incompatible(struct page *page) + return NULL; + } + ++/** ++ * prep_noread_page - prep a page for writing without reading first ++ * @page: page being prepared ++ * @pos: starting position for the write ++ * @len: length of write ++ * ++ * In some cases, write_begin doesn't need to read at all: ++ * - full page write ++ * - file is currently zero-length ++ * - write that lies in a page that is completely beyond EOF ++ * - write that covers the the page from start to EOF or beyond it ++ * ++ * If any of these criteria are met, then zero out the unwritten parts ++ * of the page and return true. Otherwise, return false. ++ */ ++static bool skip_page_read(struct page *page, loff_t pos, size_t len) ++{ ++ struct inode *inode = page->mapping->host; ++ loff_t i_size = i_size_read(inode); ++ size_t offset = offset_in_page(pos); ++ ++ /* Full page write */ ++ if (offset == 0 && len >= PAGE_SIZE) ++ return true; ++ ++ /* pos beyond last page in the file */ ++ if (pos - offset >= i_size) ++ goto zero_out; ++ ++ /* write that covers the whole page from start to EOF or beyond it */ ++ if (offset == 0 && (pos + len) >= i_size) ++ goto zero_out; ++ ++ return false; ++zero_out: ++ zero_user_segments(page, 0, offset, offset + len, PAGE_SIZE); ++ return true; ++} ++ + /* + * We are only allowed to write into/dirty the page if the page is + * clean, or already dirty within the same snap context. +@@ -1315,7 +1354,6 @@ static int ceph_write_begin(struct file *file, struct address_space *mapping, + struct ceph_snap_context *snapc; + struct page *page = NULL; + pgoff_t index = pos >> PAGE_SHIFT; +- int pos_in_page = pos & ~PAGE_MASK; + int r = 0; + + dout("write_begin file %p inode %p page %p %d~%d\n", file, inode, page, (int)pos, (int)len); +@@ -1350,19 +1388,9 @@ static int ceph_write_begin(struct file *file, struct address_space *mapping, + break; + } + +- /* +- * In some cases we don't need to read at all: +- * - full page write +- * - write that lies completely beyond EOF +- * - write that covers the the page from start to EOF or beyond it +- */ +- if ((pos_in_page == 0 && len == PAGE_SIZE) || +- (pos >= i_size_read(inode)) || +- (pos_in_page == 0 && (pos + len) >= i_size_read(inode))) { +- zero_user_segments(page, 0, pos_in_page, +- pos_in_page + len, PAGE_SIZE); ++ /* No need to read in some cases */ ++ if (skip_page_read(page, pos, len)) + break; +- } + + /* + * We need to read it. If we get back -EINPROGRESS, then the page was +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index 209535d5b8d38..3d2e3dd4ee01d 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -578,6 +578,7 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry, + struct ceph_inode_info *ci = ceph_inode(dir); + struct inode *inode; + struct timespec64 now; ++ struct ceph_mds_client *mdsc = ceph_sb_to_mdsc(dir->i_sb); + struct ceph_vino vino = { .ino = req->r_deleg_ino, + .snap = CEPH_NOSNAP }; + +@@ -615,8 +616,10 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry, + + ceph_file_layout_to_legacy(lo, &in.layout); + ++ down_read(&mdsc->snap_rwsem); + ret = ceph_fill_inode(inode, NULL, &iinfo, NULL, req->r_session, + req->r_fmode, NULL); ++ up_read(&mdsc->snap_rwsem); + if (ret) { + dout("%s failed to fill inode: %d\n", __func__, ret); + ceph_dir_clear_complete(dir); +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 179d2ef69a24a..7ee6023adb363 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -762,6 +762,8 @@ int ceph_fill_inode(struct inode *inode, struct page *locked_page, + bool new_version = false; + bool fill_inline = false; + ++ lockdep_assert_held(&mdsc->snap_rwsem); ++ + dout("%s %p ino %llx.%llx v %llu had %llu\n", __func__, + inode, ceph_vinop(inode), le64_to_cpu(info->version), + ci->i_version); +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 303d71430bdd1..9c6c0e2e5880a 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1053,6 +1053,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs) + nilfs_sysfs_delete_superblock_group(nilfs); + nilfs_sysfs_delete_segctor_group(nilfs); + kobject_del(&nilfs->ns_dev_kobj); ++ kobject_put(&nilfs->ns_dev_kobj); + kfree(nilfs->ns_dev_subgroups); + } + +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index fb8b07daa9d15..875e002a41804 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted + #endif + ++extern struct pkcs7_message *pkcs7; + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + extern int mark_hash_blacklisted(const char *hash); + extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, +@@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) + } + #endif + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++extern int add_key_to_revocation_list(const char *data, size_t size); ++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); ++#else ++static inline int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ return 0; ++} ++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ return -ENOKEY; ++} ++#endif ++ + #ifdef CONFIG_IMA_BLACKLIST_KEYRING + extern struct key *ima_blacklist_keyring; + +diff --git a/include/linux/debug_locks.h b/include/linux/debug_locks.h +index 2915f56ad4214..edb5c186b0b7a 100644 +--- a/include/linux/debug_locks.h ++++ b/include/linux/debug_locks.h +@@ -27,8 +27,10 @@ extern int debug_locks_off(void); + int __ret = 0; \ + \ + if (!oops_in_progress && unlikely(c)) { \ ++ instrumentation_begin(); \ + if (debug_locks_off() && !debug_locks_silent) \ + WARN(1, "DEBUG_LOCKS_WARN_ON(%s)", #c); \ ++ instrumentation_end(); \ + __ret = 1; \ + } \ + __ret; \ +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h +index ba973efcd3692..6686a0baa91d3 100644 +--- a/include/linux/huge_mm.h ++++ b/include/linux/huge_mm.h +@@ -289,6 +289,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr, + vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t orig_pmd); + + extern struct page *huge_zero_page; ++extern unsigned long huge_zero_pfn; + + static inline bool is_huge_zero_page(struct page *page) + { +@@ -297,7 +298,7 @@ static inline bool is_huge_zero_page(struct page *page) + + static inline bool is_huge_zero_pmd(pmd_t pmd) + { +- return is_huge_zero_page(pmd_page(pmd)); ++ return READ_ONCE(huge_zero_pfn) == pmd_pfn(pmd) && pmd_present(pmd); + } + + static inline bool is_huge_zero_pud(pud_t pud) +@@ -443,6 +444,11 @@ static inline bool is_huge_zero_page(struct page *page) + return false; + } + ++static inline bool is_huge_zero_pmd(pmd_t pmd) ++{ ++ return false; ++} ++ + static inline bool is_huge_zero_pud(pud_t pud) + { + return false; +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index 5dae4187210d9..28fa3f9bbbfdd 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -728,17 +728,6 @@ static inline int hstate_index(struct hstate *h) + return h - hstates; + } + +-pgoff_t __basepage_index(struct page *page); +- +-/* Return page->index in PAGE_SIZE units */ +-static inline pgoff_t basepage_index(struct page *page) +-{ +- if (!PageCompound(page)) +- return page->index; +- +- return __basepage_index(page); +-} +- + extern int dissolve_free_huge_page(struct page *page); + extern int dissolve_free_huge_pages(unsigned long start_pfn, + unsigned long end_pfn); +@@ -969,11 +958,6 @@ static inline int hstate_index(struct hstate *h) + return 0; + } + +-static inline pgoff_t basepage_index(struct page *page) +-{ +- return page->index; +-} +- + static inline int dissolve_free_huge_page(struct page *page) + { + return 0; +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 6c1b29bb35636..cfb0842a7fb96 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1680,6 +1680,7 @@ struct zap_details { + struct address_space *check_mapping; /* Check page->mapping if set */ + pgoff_t first_index; /* Lowest page->index to unmap */ + pgoff_t last_index; /* Highest page->index to unmap */ ++ struct page *single_page; /* Locked page to be unmapped */ + }; + + struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr, +@@ -1727,6 +1728,7 @@ extern vm_fault_t handle_mm_fault(struct vm_area_struct *vma, + extern int fixup_user_fault(struct mm_struct *mm, + unsigned long address, unsigned int fault_flags, + bool *unlocked); ++void unmap_mapping_page(struct page *page); + void unmap_mapping_pages(struct address_space *mapping, + pgoff_t start, pgoff_t nr, bool even_cows); + void unmap_mapping_range(struct address_space *mapping, +@@ -1747,6 +1749,7 @@ static inline int fixup_user_fault(struct mm_struct *mm, unsigned long address, + BUG(); + return -EFAULT; + } ++static inline void unmap_mapping_page(struct page *page) { } + static inline void unmap_mapping_pages(struct address_space *mapping, + pgoff_t start, pgoff_t nr, bool even_cows) { } + static inline void unmap_mapping_range(struct address_space *mapping, +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h +index 8c9947fd62f30..e0023e5f9aa67 100644 +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -501,7 +501,7 @@ static inline struct page *read_mapping_page(struct address_space *mapping, + } + + /* +- * Get index of the page with in radix-tree ++ * Get index of the page within radix-tree (but not for hugetlb pages). + * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_index(struct page *page) +@@ -520,15 +520,16 @@ static inline pgoff_t page_to_index(struct page *page) + return pgoff; + } + ++extern pgoff_t hugetlb_basepage_index(struct page *page); ++ + /* +- * Get the offset in PAGE_SIZE. +- * (TODO: hugepage should have ->index in PAGE_SIZE) ++ * Get the offset in PAGE_SIZE (even for hugetlb pages). ++ * (TODO: hugetlb pages should have ->index in PAGE_SIZE) + */ + static inline pgoff_t page_to_pgoff(struct page *page) + { +- if (unlikely(PageHeadHuge(page))) +- return page->index << compound_order(page); +- ++ if (unlikely(PageHuge(page))) ++ return hugetlb_basepage_index(page); + return page_to_index(page); + } + +diff --git a/include/linux/rmap.h b/include/linux/rmap.h +index def5c62c93b3b..8d04e7deedc66 100644 +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -91,6 +91,7 @@ enum ttu_flags { + + TTU_SPLIT_HUGE_PMD = 0x4, /* split huge PMD if any */ + TTU_IGNORE_MLOCK = 0x8, /* ignore mlock */ ++ TTU_SYNC = 0x10, /* avoid racy checks with PVMW_SYNC */ + TTU_IGNORE_HWPOISON = 0x20, /* corrupted page is recoverable */ + TTU_BATCH_FLUSH = 0x40, /* Batch TLB flushes where possible + * and caller guarantees they will +diff --git a/include/net/sock.h b/include/net/sock.h +index 62e3811e95a78..b9bdeca1d784f 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1928,7 +1928,8 @@ static inline u32 net_tx_rndhash(void) + + static inline void sk_set_txhash(struct sock *sk) + { +- sk->sk_txhash = net_tx_rndhash(); ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */ ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash()); + } + + static inline bool sk_rethink_txhash(struct sock *sk) +@@ -2200,9 +2201,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock, + + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk) + { +- if (sk->sk_txhash) { ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */ ++ u32 txhash = READ_ONCE(sk->sk_txhash); ++ ++ if (txhash) { + skb->l4_hash = 1; +- skb->hash = sk->sk_txhash; ++ skb->hash = txhash; + } + } + +@@ -2260,8 +2264,13 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk); + static inline int sock_error(struct sock *sk) + { + int err; +- if (likely(!sk->sk_err)) ++ ++ /* Avoid an atomic operation for the common case. ++ * This is racy since another cpu/thread can change sk_err under us. ++ */ ++ if (likely(data_race(!sk->sk_err))) + return 0; ++ + err = xchg(&sk->sk_err, 0); + return -err; + } +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c +index fe4c01c14ab2c..e96f3808e4316 100644 +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -724,11 +724,17 @@ void swiotlb_tbl_sync_single(struct device *hwdev, phys_addr_t tlb_addr, + int index = (tlb_addr - io_tlb_start) >> IO_TLB_SHIFT; + size_t orig_size = io_tlb_orig_size[index]; + phys_addr_t orig_addr = io_tlb_orig_addr[index]; ++ unsigned int tlb_offset; + + if (orig_addr == INVALID_PHYS_ADDR) + return; + +- validate_sync_size_and_truncate(hwdev, orig_size, &size); ++ tlb_offset = (tlb_addr & (IO_TLB_SIZE - 1)) - ++ swiotlb_align_offset(hwdev, orig_addr); ++ ++ orig_addr += tlb_offset; ++ ++ validate_sync_size_and_truncate(hwdev, orig_size - tlb_offset, &size); + + switch (target) { + case SYNC_FOR_CPU: +diff --git a/kernel/futex.c b/kernel/futex.c +index a8629b695d38e..5aa6d0a6c7677 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -35,7 +35,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -650,7 +649,7 @@ again: + + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.i_seq = get_inode_sequence_number(inode); +- key->shared.pgoff = basepage_index(tail); ++ key->shared.pgoff = page_to_pgoff(tail); + rcu_read_unlock(); + } + +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 6d3c488a0f824..4fdf2bd9b5589 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -1092,8 +1092,38 @@ void kthread_flush_work(struct kthread_work *work) + EXPORT_SYMBOL_GPL(kthread_flush_work); + + /* +- * This function removes the work from the worker queue. Also it makes sure +- * that it won't get queued later via the delayed work's timer. ++ * Make sure that the timer is neither set nor running and could ++ * not manipulate the work list_head any longer. ++ * ++ * The function is called under worker->lock. The lock is temporary ++ * released but the timer can't be set again in the meantime. ++ */ ++static void kthread_cancel_delayed_work_timer(struct kthread_work *work, ++ unsigned long *flags) ++{ ++ struct kthread_delayed_work *dwork = ++ container_of(work, struct kthread_delayed_work, work); ++ struct kthread_worker *worker = work->worker; ++ ++ /* ++ * del_timer_sync() must be called to make sure that the timer ++ * callback is not running. The lock must be temporary released ++ * to avoid a deadlock with the callback. In the meantime, ++ * any queuing is blocked by setting the canceling counter. ++ */ ++ work->canceling++; ++ raw_spin_unlock_irqrestore(&worker->lock, *flags); ++ del_timer_sync(&dwork->timer); ++ raw_spin_lock_irqsave(&worker->lock, *flags); ++ work->canceling--; ++} ++ ++/* ++ * This function removes the work from the worker queue. ++ * ++ * It is called under worker->lock. The caller must make sure that ++ * the timer used by delayed work is not running, e.g. by calling ++ * kthread_cancel_delayed_work_timer(). + * + * The work might still be in use when this function finishes. See the + * current_work proceed by the worker. +@@ -1101,28 +1131,8 @@ EXPORT_SYMBOL_GPL(kthread_flush_work); + * Return: %true if @work was pending and successfully canceled, + * %false if @work was not pending + */ +-static bool __kthread_cancel_work(struct kthread_work *work, bool is_dwork, +- unsigned long *flags) ++static bool __kthread_cancel_work(struct kthread_work *work) + { +- /* Try to cancel the timer if exists. */ +- if (is_dwork) { +- struct kthread_delayed_work *dwork = +- container_of(work, struct kthread_delayed_work, work); +- struct kthread_worker *worker = work->worker; +- +- /* +- * del_timer_sync() must be called to make sure that the timer +- * callback is not running. The lock must be temporary released +- * to avoid a deadlock with the callback. In the meantime, +- * any queuing is blocked by setting the canceling counter. +- */ +- work->canceling++; +- raw_spin_unlock_irqrestore(&worker->lock, *flags); +- del_timer_sync(&dwork->timer); +- raw_spin_lock_irqsave(&worker->lock, *flags); +- work->canceling--; +- } +- + /* + * Try to remove the work from a worker list. It might either + * be from worker->work_list or from worker->delayed_work_list. +@@ -1175,11 +1185,23 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker, + /* Work must not be used with >1 worker, see kthread_queue_work() */ + WARN_ON_ONCE(work->worker != worker); + +- /* Do not fight with another command that is canceling this work. */ ++ /* ++ * Temporary cancel the work but do not fight with another command ++ * that is canceling the work as well. ++ * ++ * It is a bit tricky because of possible races with another ++ * mod_delayed_work() and cancel_delayed_work() callers. ++ * ++ * The timer must be canceled first because worker->lock is released ++ * when doing so. But the work can be removed from the queue (list) ++ * only when it can be queued again so that the return value can ++ * be used for reference counting. ++ */ ++ kthread_cancel_delayed_work_timer(work, &flags); + if (work->canceling) + goto out; ++ ret = __kthread_cancel_work(work); + +- ret = __kthread_cancel_work(work, true, &flags); + fast_queue: + __kthread_queue_delayed_work(worker, dwork, delay); + out: +@@ -1201,7 +1223,10 @@ static bool __kthread_cancel_work_sync(struct kthread_work *work, bool is_dwork) + /* Work must not be used with >1 worker, see kthread_queue_work(). */ + WARN_ON_ONCE(work->worker != worker); + +- ret = __kthread_cancel_work(work, is_dwork, &flags); ++ if (is_dwork) ++ kthread_cancel_delayed_work_timer(work, &flags); ++ ++ ret = __kthread_cancel_work(work); + + if (worker->current_work != work) + goto out_fast; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index f39c383c71804..5bf6b1659215d 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -842,7 +842,7 @@ static int count_matching_names(struct lock_class *new_class) + } + + /* used from NMI context -- must be lockless */ +-static __always_inline struct lock_class * ++static noinstr struct lock_class * + look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass) + { + struct lockdep_subclass_key *key; +@@ -850,12 +850,14 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass) + struct lock_class *class; + + if (unlikely(subclass >= MAX_LOCKDEP_SUBCLASSES)) { ++ instrumentation_begin(); + debug_locks_off(); + printk(KERN_ERR + "BUG: looking up invalid subclass: %u\n", subclass); + printk(KERN_ERR + "turning off the locking correctness validator.\n"); + dump_stack(); ++ instrumentation_end(); + return NULL; + } + +diff --git a/kernel/module.c b/kernel/module.c +index 30479355ab850..260d6f3f6d68f 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -266,9 +266,18 @@ static void module_assert_mutex_or_preempt(void) + #endif + } + ++#ifdef CONFIG_MODULE_SIG + static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); + module_param(sig_enforce, bool_enable_only, 0644); + ++void set_module_sig_enforced(void) ++{ ++ sig_enforce = true; ++} ++#else ++#define sig_enforce false ++#endif ++ + /* + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. +@@ -279,11 +288,6 @@ bool is_module_sig_enforced(void) + } + EXPORT_SYMBOL(is_module_sig_enforced); + +-void set_module_sig_enforced(void) +-{ +- sig_enforce = true; +-} +- + /* Block module loading/unloading? */ + int modules_disabled = 0; + core_param(nomodule, modules_disabled, bint, 0); +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index 651218ded9817..ef37acd28e4ac 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -965,7 +965,7 @@ void psi_cgroup_free(struct cgroup *cgroup) + */ + void cgroup_move_task(struct task_struct *task, struct css_set *to) + { +- unsigned int task_flags = 0; ++ unsigned int task_flags; + struct rq_flags rf; + struct rq *rq; + +@@ -980,15 +980,31 @@ void cgroup_move_task(struct task_struct *task, struct css_set *to) + + rq = task_rq_lock(task, &rf); + +- if (task_on_rq_queued(task)) { +- task_flags = TSK_RUNNING; +- if (task_current(rq, task)) +- task_flags |= TSK_ONCPU; +- } else if (task->in_iowait) +- task_flags = TSK_IOWAIT; +- +- if (task->in_memstall) +- task_flags |= TSK_MEMSTALL; ++ /* ++ * We may race with schedule() dropping the rq lock between ++ * deactivating prev and switching to next. Because the psi ++ * updates from the deactivation are deferred to the switch ++ * callback to save cgroup tree updates, the task's scheduling ++ * state here is not coherent with its psi state: ++ * ++ * schedule() cgroup_move_task() ++ * rq_lock() ++ * deactivate_task() ++ * p->on_rq = 0 ++ * psi_dequeue() // defers TSK_RUNNING & TSK_IOWAIT updates ++ * pick_next_task() ++ * rq_unlock() ++ * rq_lock() ++ * psi_task_change() // old cgroup ++ * task->cgroups = to ++ * psi_task_change() // new cgroup ++ * rq_unlock() ++ * rq_lock() ++ * psi_sched_switch() // does deferred updates in new cgroup ++ * ++ * Don't rely on the scheduling state. Use psi_flags instead. ++ */ ++ task_flags = task->psi_flags; + + if (task_flags) + psi_task_change(task, task_flags, 0); +diff --git a/lib/debug_locks.c b/lib/debug_locks.c +index 06d3135bd184c..a75ee30b77cb8 100644 +--- a/lib/debug_locks.c ++++ b/lib/debug_locks.c +@@ -36,7 +36,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent); + /* + * Generic 'turn off all lock debugging' function: + */ +-noinstr int debug_locks_off(void) ++int debug_locks_off(void) + { + if (debug_locks && __debug_locks_off()) { + if (!debug_locks_silent) { +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index ae907a9c20506..44c455dbbd637 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -61,6 +61,7 @@ static struct shrinker deferred_split_shrinker; + + static atomic_t huge_zero_refcount; + struct page *huge_zero_page __read_mostly; ++unsigned long huge_zero_pfn __read_mostly = ~0UL; + + bool transparent_hugepage_enabled(struct vm_area_struct *vma) + { +@@ -97,6 +98,7 @@ retry: + __free_pages(zero_page, compound_order(zero_page)); + goto retry; + } ++ WRITE_ONCE(huge_zero_pfn, page_to_pfn(zero_page)); + + /* We take additional reference here. It will be put back by shrinker */ + atomic_set(&huge_zero_refcount, 2); +@@ -146,6 +148,7 @@ static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink, + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) { + struct page *zero_page = xchg(&huge_zero_page, NULL); + BUG_ON(zero_page == NULL); ++ WRITE_ONCE(huge_zero_pfn, ~0UL); + __free_pages(zero_page, compound_order(zero_page)); + return HPAGE_PMD_NR; + } +@@ -2046,7 +2049,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + count_vm_event(THP_SPLIT_PMD); + + if (!vma_is_anonymous(vma)) { +- _pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd); ++ old_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd); + /* + * We are going to unmap this huge page. So + * just go ahead and zap it +@@ -2055,16 +2058,25 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + zap_deposited_table(mm, pmd); + if (vma_is_special_huge(vma)) + return; +- page = pmd_page(_pmd); +- if (!PageDirty(page) && pmd_dirty(_pmd)) +- set_page_dirty(page); +- if (!PageReferenced(page) && pmd_young(_pmd)) +- SetPageReferenced(page); +- page_remove_rmap(page, true); +- put_page(page); ++ if (unlikely(is_pmd_migration_entry(old_pmd))) { ++ swp_entry_t entry; ++ ++ entry = pmd_to_swp_entry(old_pmd); ++ page = migration_entry_to_page(entry); ++ } else { ++ page = pmd_page(old_pmd); ++ if (!PageDirty(page) && pmd_dirty(old_pmd)) ++ set_page_dirty(page); ++ if (!PageReferenced(page) && pmd_young(old_pmd)) ++ SetPageReferenced(page); ++ page_remove_rmap(page, true); ++ put_page(page); ++ } + add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR); + return; +- } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) { ++ } ++ ++ if (is_huge_zero_pmd(*pmd)) { + /* + * FIXME: Do we want to invalidate secondary mmu by calling + * mmu_notifier_invalidate_range() see comments below inside +@@ -2346,17 +2358,17 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma, + + static void unmap_page(struct page *page) + { +- enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | ++ enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_SYNC | + TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD; +- bool unmap_success; + + VM_BUG_ON_PAGE(!PageHead(page), page); + + if (PageAnon(page)) + ttu_flags |= TTU_SPLIT_FREEZE; + +- unmap_success = try_to_unmap(page, ttu_flags); +- VM_BUG_ON_PAGE(!unmap_success, page); ++ try_to_unmap(page, ttu_flags); ++ ++ VM_WARN_ON_ONCE_PAGE(page_mapped(page), page); + } + + static void remap_page(struct page *page, unsigned int nr) +@@ -2667,7 +2679,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + struct deferred_split *ds_queue = get_deferred_split_queue(head); + struct anon_vma *anon_vma = NULL; + struct address_space *mapping = NULL; +- int count, mapcount, extra_pins, ret; ++ int extra_pins, ret; + pgoff_t end; + + VM_BUG_ON_PAGE(is_huge_zero_page(head), head); +@@ -2726,7 +2738,6 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + } + + unmap_page(head); +- VM_BUG_ON_PAGE(compound_mapcount(head), head); + + /* block interrupt reentry in xa_lock and spinlock */ + local_irq_disable(); +@@ -2744,9 +2755,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + + /* Prevent deferred_split_scan() touching ->_refcount */ + spin_lock(&ds_queue->split_queue_lock); +- count = page_count(head); +- mapcount = total_mapcount(head); +- if (!mapcount && page_ref_freeze(head, 1 + extra_pins)) { ++ if (page_ref_freeze(head, 1 + extra_pins)) { + if (!list_empty(page_deferred_list(head))) { + ds_queue->split_queue_len--; + list_del(page_deferred_list(head)); +@@ -2766,16 +2775,9 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + __split_huge_page(page, list, end); + ret = 0; + } else { +- if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) { +- pr_alert("total_mapcount: %u, page_count(): %u\n", +- mapcount, count); +- if (PageTail(page)) +- dump_page(head, NULL); +- dump_page(page, "total_mapcount(head) > 0"); +- BUG(); +- } + spin_unlock(&ds_queue->split_queue_lock); +-fail: if (mapping) ++fail: ++ if (mapping) + xa_unlock(&mapping->i_pages); + local_irq_enable(); + remap_page(head, thp_nr_pages(head)); +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 3da4817190f3d..7ba7d9b20494a 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1584,15 +1584,12 @@ struct address_space *hugetlb_page_mapping_lock_write(struct page *hpage) + return NULL; + } + +-pgoff_t __basepage_index(struct page *page) ++pgoff_t hugetlb_basepage_index(struct page *page) + { + struct page *page_head = compound_head(page); + pgoff_t index = page_index(page_head); + unsigned long compound_idx; + +- if (!PageHuge(page_head)) +- return page_index(page); +- + if (compound_order(page_head) >= MAX_ORDER) + compound_idx = page_to_pfn(page) - page_to_pfn(page_head); + else +diff --git a/mm/internal.h b/mm/internal.h +index 1432feec62df0..08323e622bbd1 100644 +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -379,27 +379,52 @@ static inline void mlock_migrate_page(struct page *newpage, struct page *page) + extern pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma); + + /* +- * At what user virtual address is page expected in @vma? ++ * At what user virtual address is page expected in vma? ++ * Returns -EFAULT if all of the page is outside the range of vma. ++ * If page is a compound head, the entire compound page is considered. + */ + static inline unsigned long +-__vma_address(struct page *page, struct vm_area_struct *vma) ++vma_address(struct page *page, struct vm_area_struct *vma) + { +- pgoff_t pgoff = page_to_pgoff(page); +- return vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ pgoff_t pgoff; ++ unsigned long address; ++ ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */ ++ pgoff = page_to_pgoff(page); ++ if (pgoff >= vma->vm_pgoff) { ++ address = vma->vm_start + ++ ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ /* Check for address beyond vma (or wrapped through 0?) */ ++ if (address < vma->vm_start || address >= vma->vm_end) ++ address = -EFAULT; ++ } else if (PageHead(page) && ++ pgoff + compound_nr(page) - 1 >= vma->vm_pgoff) { ++ /* Test above avoids possibility of wrap to 0 on 32-bit */ ++ address = vma->vm_start; ++ } else { ++ address = -EFAULT; ++ } ++ return address; + } + ++/* ++ * Then at what user virtual address will none of the page be found in vma? ++ * Assumes that vma_address() already returned a good starting address. ++ * If page is a compound head, the entire compound page is considered. ++ */ + static inline unsigned long +-vma_address(struct page *page, struct vm_area_struct *vma) ++vma_address_end(struct page *page, struct vm_area_struct *vma) + { +- unsigned long start, end; +- +- start = __vma_address(page, vma); +- end = start + thp_size(page) - PAGE_SIZE; +- +- /* page should be within @vma mapping range */ +- VM_BUG_ON_VMA(end < vma->vm_start || start >= vma->vm_end, vma); +- +- return max(start, vma->vm_start); ++ pgoff_t pgoff; ++ unsigned long address; ++ ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */ ++ pgoff = page_to_pgoff(page) + compound_nr(page); ++ address = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); ++ /* Check for address beyond vma (or wrapped through 0?) */ ++ if (address < vma->vm_start || address > vma->vm_end) ++ address = vma->vm_end; ++ return address; + } + + static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf, +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 704d05057d8c3..4db6f95e55be0 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -658,6 +658,7 @@ static int truncate_error_page(struct page *p, unsigned long pfn, + */ + static int me_kernel(struct page *p, unsigned long pfn) + { ++ unlock_page(p); + return MF_IGNORED; + } + +@@ -667,6 +668,7 @@ static int me_kernel(struct page *p, unsigned long pfn) + static int me_unknown(struct page *p, unsigned long pfn) + { + pr_err("Memory failure: %#lx: Unknown page state\n", pfn); ++ unlock_page(p); + return MF_FAILED; + } + +@@ -675,6 +677,7 @@ static int me_unknown(struct page *p, unsigned long pfn) + */ + static int me_pagecache_clean(struct page *p, unsigned long pfn) + { ++ int ret; + struct address_space *mapping; + + delete_from_lru_cache(p); +@@ -683,8 +686,10 @@ static int me_pagecache_clean(struct page *p, unsigned long pfn) + * For anonymous pages we're done the only reference left + * should be the one m_f() holds. + */ +- if (PageAnon(p)) +- return MF_RECOVERED; ++ if (PageAnon(p)) { ++ ret = MF_RECOVERED; ++ goto out; ++ } + + /* + * Now truncate the page in the page cache. This is really +@@ -698,7 +703,8 @@ static int me_pagecache_clean(struct page *p, unsigned long pfn) + /* + * Page has been teared down in the meanwhile + */ +- return MF_FAILED; ++ ret = MF_FAILED; ++ goto out; + } + + /* +@@ -706,7 +712,10 @@ static int me_pagecache_clean(struct page *p, unsigned long pfn) + * + * Open: to take i_mutex or not for this? Right now we don't. + */ +- return truncate_error_page(p, pfn, mapping); ++ ret = truncate_error_page(p, pfn, mapping); ++out: ++ unlock_page(p); ++ return ret; + } + + /* +@@ -782,24 +791,26 @@ static int me_pagecache_dirty(struct page *p, unsigned long pfn) + */ + static int me_swapcache_dirty(struct page *p, unsigned long pfn) + { ++ int ret; ++ + ClearPageDirty(p); + /* Trigger EIO in shmem: */ + ClearPageUptodate(p); + +- if (!delete_from_lru_cache(p)) +- return MF_DELAYED; +- else +- return MF_FAILED; ++ ret = delete_from_lru_cache(p) ? MF_FAILED : MF_DELAYED; ++ unlock_page(p); ++ return ret; + } + + static int me_swapcache_clean(struct page *p, unsigned long pfn) + { ++ int ret; ++ + delete_from_swap_cache(p); + +- if (!delete_from_lru_cache(p)) +- return MF_RECOVERED; +- else +- return MF_FAILED; ++ ret = delete_from_lru_cache(p) ? MF_FAILED : MF_RECOVERED; ++ unlock_page(p); ++ return ret; + } + + /* +@@ -820,6 +831,7 @@ static int me_huge_page(struct page *p, unsigned long pfn) + mapping = page_mapping(hpage); + if (mapping) { + res = truncate_error_page(hpage, pfn, mapping); ++ unlock_page(hpage); + } else { + res = MF_FAILED; + unlock_page(hpage); +@@ -834,7 +846,6 @@ static int me_huge_page(struct page *p, unsigned long pfn) + page_ref_inc(p); + res = MF_RECOVERED; + } +- lock_page(hpage); + } + + return res; +@@ -866,6 +877,8 @@ static struct page_state { + unsigned long mask; + unsigned long res; + enum mf_action_page_type type; ++ ++ /* Callback ->action() has to unlock the relevant page inside it. */ + int (*action)(struct page *p, unsigned long pfn); + } error_states[] = { + { reserved, reserved, MF_MSG_KERNEL, me_kernel }, +@@ -929,6 +942,7 @@ static int page_action(struct page_state *ps, struct page *p, + int result; + int count; + ++ /* page p should be unlocked after returning from ps->action(). */ + result = ps->action(p, pfn); + + count = page_count(p) - 1; +@@ -1313,7 +1327,7 @@ static int memory_failure_hugetlb(unsigned long pfn, int flags) + goto out; + } + +- res = identify_page_state(pfn, p, page_flags); ++ return identify_page_state(pfn, p, page_flags); + out: + unlock_page(head); + return res; +@@ -1429,9 +1443,10 @@ int memory_failure(unsigned long pfn, int flags) + struct page *hpage; + struct page *orig_head; + struct dev_pagemap *pgmap; +- int res; ++ int res = 0; + unsigned long page_flags; + bool retry = true; ++ static DEFINE_MUTEX(mf_mutex); + + if (!sysctl_memory_failure_recovery) + panic("Memory failure on page %lx", pfn); +@@ -1449,13 +1464,18 @@ int memory_failure(unsigned long pfn, int flags) + return -ENXIO; + } + ++ mutex_lock(&mf_mutex); ++ + try_again: +- if (PageHuge(p)) +- return memory_failure_hugetlb(pfn, flags); ++ if (PageHuge(p)) { ++ res = memory_failure_hugetlb(pfn, flags); ++ goto unlock_mutex; ++ } ++ + if (TestSetPageHWPoison(p)) { + pr_err("Memory failure: %#lx: already hardware poisoned\n", + pfn); +- return 0; ++ goto unlock_mutex; + } + + orig_head = hpage = compound_head(p); +@@ -1488,17 +1508,19 @@ try_again: + res = MF_FAILED; + } + action_result(pfn, MF_MSG_BUDDY, res); +- return res == MF_RECOVERED ? 0 : -EBUSY; ++ res = res == MF_RECOVERED ? 0 : -EBUSY; + } else { + action_result(pfn, MF_MSG_KERNEL_HIGH_ORDER, MF_IGNORED); +- return -EBUSY; ++ res = -EBUSY; + } ++ goto unlock_mutex; + } + + if (PageTransHuge(hpage)) { + if (try_to_split_thp_page(p, "Memory Failure") < 0) { + action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED); +- return -EBUSY; ++ res = -EBUSY; ++ goto unlock_mutex; + } + VM_BUG_ON_PAGE(!page_count(p), p); + } +@@ -1522,7 +1544,7 @@ try_again: + if (PageCompound(p) && compound_head(p) != orig_head) { + action_result(pfn, MF_MSG_DIFFERENT_COMPOUND, MF_IGNORED); + res = -EBUSY; +- goto out; ++ goto unlock_page; + } + + /* +@@ -1542,14 +1564,14 @@ try_again: + num_poisoned_pages_dec(); + unlock_page(p); + put_page(p); +- return 0; ++ goto unlock_mutex; + } + if (hwpoison_filter(p)) { + if (TestClearPageHWPoison(p)) + num_poisoned_pages_dec(); + unlock_page(p); + put_page(p); +- return 0; ++ goto unlock_mutex; + } + + /* +@@ -1573,7 +1595,7 @@ try_again: + if (!hwpoison_user_mappings(p, pfn, flags, &p)) { + action_result(pfn, MF_MSG_UNMAP_FAILED, MF_IGNORED); + res = -EBUSY; +- goto out; ++ goto unlock_page; + } + + /* +@@ -1582,13 +1604,17 @@ try_again: + if (PageLRU(p) && !PageSwapCache(p) && p->mapping == NULL) { + action_result(pfn, MF_MSG_TRUNCATED_LRU, MF_IGNORED); + res = -EBUSY; +- goto out; ++ goto unlock_page; + } + + identify_page_state: + res = identify_page_state(pfn, p, page_flags); +-out: ++ mutex_unlock(&mf_mutex); ++ return res; ++unlock_page: + unlock_page(p); ++unlock_mutex: ++ mutex_unlock(&mf_mutex); + return res; + } + EXPORT_SYMBOL_GPL(memory_failure); +diff --git a/mm/memory.c b/mm/memory.c +index 14a6c66b37483..36624986130be 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1361,7 +1361,18 @@ static inline unsigned long zap_pmd_range(struct mmu_gather *tlb, + else if (zap_huge_pmd(tlb, vma, pmd, addr)) + goto next; + /* fall through */ ++ } else if (details && details->single_page && ++ PageTransCompound(details->single_page) && ++ next - addr == HPAGE_PMD_SIZE && pmd_none(*pmd)) { ++ spinlock_t *ptl = pmd_lock(tlb->mm, pmd); ++ /* ++ * Take and drop THP pmd lock so that we cannot return ++ * prematurely, while zap_huge_pmd() has cleared *pmd, ++ * but not yet decremented compound_mapcount(). ++ */ ++ spin_unlock(ptl); + } ++ + /* + * Here there can be other concurrent MADV_DONTNEED or + * trans huge page faults running, and if the pmd is +@@ -3193,6 +3204,36 @@ static inline void unmap_mapping_range_tree(struct rb_root_cached *root, + } + } + ++/** ++ * unmap_mapping_page() - Unmap single page from processes. ++ * @page: The locked page to be unmapped. ++ * ++ * Unmap this page from any userspace process which still has it mmaped. ++ * Typically, for efficiency, the range of nearby pages has already been ++ * unmapped by unmap_mapping_pages() or unmap_mapping_range(). But once ++ * truncation or invalidation holds the lock on a page, it may find that ++ * the page has been remapped again: and then uses unmap_mapping_page() ++ * to unmap it finally. ++ */ ++void unmap_mapping_page(struct page *page) ++{ ++ struct address_space *mapping = page->mapping; ++ struct zap_details details = { }; ++ ++ VM_BUG_ON(!PageLocked(page)); ++ VM_BUG_ON(PageTail(page)); ++ ++ details.check_mapping = mapping; ++ details.first_index = page->index; ++ details.last_index = page->index + thp_nr_pages(page) - 1; ++ details.single_page = page; ++ ++ i_mmap_lock_write(mapping); ++ if (unlikely(!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root))) ++ unmap_mapping_range_tree(&mapping->i_mmap, &details); ++ i_mmap_unlock_write(mapping); ++} ++ + /** + * unmap_mapping_pages() - Unmap pages from processes. + * @mapping: The address space containing pages to be unmapped. +diff --git a/mm/migrate.c b/mm/migrate.c +index 773622cffe779..40455e753c5b4 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -322,6 +322,7 @@ void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep, + goto out; + + page = migration_entry_to_page(entry); ++ page = compound_head(page); + + /* + * Once page cache replacement of page migration started, page_count +diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c +index 86e3a3688d592..3350faeb199a6 100644 +--- a/mm/page_vma_mapped.c ++++ b/mm/page_vma_mapped.c +@@ -116,6 +116,13 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw) + return pfn_is_match(pvmw->page, pfn); + } + ++static void step_forward(struct page_vma_mapped_walk *pvmw, unsigned long size) ++{ ++ pvmw->address = (pvmw->address + size) & ~(size - 1); ++ if (!pvmw->address) ++ pvmw->address = ULONG_MAX; ++} ++ + /** + * page_vma_mapped_walk - check if @pvmw->page is mapped in @pvmw->vma at + * @pvmw->address +@@ -144,6 +151,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + { + struct mm_struct *mm = pvmw->vma->vm_mm; + struct page *page = pvmw->page; ++ unsigned long end; + pgd_t *pgd; + p4d_t *p4d; + pud_t *pud; +@@ -153,10 +161,11 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + if (pvmw->pmd && !pvmw->pte) + return not_found(pvmw); + +- if (pvmw->pte) +- goto next_pte; ++ if (unlikely(PageHuge(page))) { ++ /* The only possible mapping was handled on last iteration */ ++ if (pvmw->pte) ++ return not_found(pvmw); + +- if (unlikely(PageHuge(pvmw->page))) { + /* when pud is not present, pte will be NULL */ + pvmw->pte = huge_pte_offset(mm, pvmw->address, page_size(page)); + if (!pvmw->pte) +@@ -168,78 +177,108 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + return not_found(pvmw); + return true; + } +-restart: +- pgd = pgd_offset(mm, pvmw->address); +- if (!pgd_present(*pgd)) +- return false; +- p4d = p4d_offset(pgd, pvmw->address); +- if (!p4d_present(*p4d)) +- return false; +- pud = pud_offset(p4d, pvmw->address); +- if (!pud_present(*pud)) +- return false; +- pvmw->pmd = pmd_offset(pud, pvmw->address); ++ + /* +- * Make sure the pmd value isn't cached in a register by the +- * compiler and used as a stale value after we've observed a +- * subsequent update. ++ * Seek to next pte only makes sense for THP. ++ * But more important than that optimization, is to filter out ++ * any PageKsm page: whose page->index misleads vma_address() ++ * and vma_address_end() to disaster. + */ +- pmde = READ_ONCE(*pvmw->pmd); +- if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) { +- pvmw->ptl = pmd_lock(mm, pvmw->pmd); +- if (likely(pmd_trans_huge(*pvmw->pmd))) { +- if (pvmw->flags & PVMW_MIGRATION) +- return not_found(pvmw); +- if (pmd_page(*pvmw->pmd) != page) +- return not_found(pvmw); +- return true; +- } else if (!pmd_present(*pvmw->pmd)) { +- if (thp_migration_supported()) { +- if (!(pvmw->flags & PVMW_MIGRATION)) ++ end = PageTransCompound(page) ? ++ vma_address_end(page, pvmw->vma) : ++ pvmw->address + PAGE_SIZE; ++ if (pvmw->pte) ++ goto next_pte; ++restart: ++ do { ++ pgd = pgd_offset(mm, pvmw->address); ++ if (!pgd_present(*pgd)) { ++ step_forward(pvmw, PGDIR_SIZE); ++ continue; ++ } ++ p4d = p4d_offset(pgd, pvmw->address); ++ if (!p4d_present(*p4d)) { ++ step_forward(pvmw, P4D_SIZE); ++ continue; ++ } ++ pud = pud_offset(p4d, pvmw->address); ++ if (!pud_present(*pud)) { ++ step_forward(pvmw, PUD_SIZE); ++ continue; ++ } ++ ++ pvmw->pmd = pmd_offset(pud, pvmw->address); ++ /* ++ * Make sure the pmd value isn't cached in a register by the ++ * compiler and used as a stale value after we've observed a ++ * subsequent update. ++ */ ++ pmde = READ_ONCE(*pvmw->pmd); ++ ++ if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) { ++ pvmw->ptl = pmd_lock(mm, pvmw->pmd); ++ pmde = *pvmw->pmd; ++ if (likely(pmd_trans_huge(pmde))) { ++ if (pvmw->flags & PVMW_MIGRATION) + return not_found(pvmw); +- if (is_migration_entry(pmd_to_swp_entry(*pvmw->pmd))) { +- swp_entry_t entry = pmd_to_swp_entry(*pvmw->pmd); ++ if (pmd_page(pmde) != page) ++ return not_found(pvmw); ++ return true; ++ } ++ if (!pmd_present(pmde)) { ++ swp_entry_t entry; + +- if (migration_entry_to_page(entry) != page) +- return not_found(pvmw); +- return true; +- } ++ if (!thp_migration_supported() || ++ !(pvmw->flags & PVMW_MIGRATION)) ++ return not_found(pvmw); ++ entry = pmd_to_swp_entry(pmde); ++ if (!is_migration_entry(entry) || ++ migration_entry_to_page(entry) != page) ++ return not_found(pvmw); ++ return true; + } +- return not_found(pvmw); +- } else { + /* THP pmd was split under us: handle on pte level */ + spin_unlock(pvmw->ptl); + pvmw->ptl = NULL; ++ } else if (!pmd_present(pmde)) { ++ /* ++ * If PVMW_SYNC, take and drop THP pmd lock so that we ++ * cannot return prematurely, while zap_huge_pmd() has ++ * cleared *pmd but not decremented compound_mapcount(). ++ */ ++ if ((pvmw->flags & PVMW_SYNC) && ++ PageTransCompound(page)) { ++ spinlock_t *ptl = pmd_lock(mm, pvmw->pmd); ++ ++ spin_unlock(ptl); ++ } ++ step_forward(pvmw, PMD_SIZE); ++ continue; + } +- } else if (!pmd_present(pmde)) { +- return false; +- } +- if (!map_pte(pvmw)) +- goto next_pte; +- while (1) { ++ if (!map_pte(pvmw)) ++ goto next_pte; ++this_pte: + if (check_pte(pvmw)) + return true; + next_pte: +- /* Seek to next pte only makes sense for THP */ +- if (!PageTransHuge(pvmw->page) || PageHuge(pvmw->page)) +- return not_found(pvmw); + do { + pvmw->address += PAGE_SIZE; +- if (pvmw->address >= pvmw->vma->vm_end || +- pvmw->address >= +- __vma_address(pvmw->page, pvmw->vma) + +- thp_size(pvmw->page)) ++ if (pvmw->address >= end) + return not_found(pvmw); + /* Did we cross page table boundary? */ +- if (pvmw->address % PMD_SIZE == 0) { +- pte_unmap(pvmw->pte); ++ if ((pvmw->address & (PMD_SIZE - PAGE_SIZE)) == 0) { + if (pvmw->ptl) { + spin_unlock(pvmw->ptl); + pvmw->ptl = NULL; + } ++ pte_unmap(pvmw->pte); ++ pvmw->pte = NULL; + goto restart; +- } else { +- pvmw->pte++; ++ } ++ pvmw->pte++; ++ if ((pvmw->flags & PVMW_SYNC) && !pvmw->ptl) { ++ pvmw->ptl = pte_lockptr(mm, pvmw->pmd); ++ spin_lock(pvmw->ptl); + } + } while (pte_none(*pvmw->pte)); + +@@ -247,7 +286,10 @@ next_pte: + pvmw->ptl = pte_lockptr(mm, pvmw->pmd); + spin_lock(pvmw->ptl); + } +- } ++ goto this_pte; ++ } while (pvmw->address < end); ++ ++ return false; + } + + /** +@@ -266,14 +308,10 @@ int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma) + .vma = vma, + .flags = PVMW_SYNC, + }; +- unsigned long start, end; +- +- start = __vma_address(page, vma); +- end = start + thp_size(page) - PAGE_SIZE; + +- if (unlikely(end < vma->vm_start || start >= vma->vm_end)) ++ pvmw.address = vma_address(page, vma); ++ if (pvmw.address == -EFAULT) + return 0; +- pvmw.address = max(start, vma->vm_start); + if (!page_vma_mapped_walk(&pvmw)) + return 0; + page_vma_mapped_walk_done(&pvmw); +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c +index c2210e1cdb515..4e640baf97948 100644 +--- a/mm/pgtable-generic.c ++++ b/mm/pgtable-generic.c +@@ -135,9 +135,8 @@ pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, unsigned long address, + { + pmd_t pmd; + VM_BUG_ON(address & ~HPAGE_PMD_MASK); +- VM_BUG_ON(!pmd_present(*pmdp)); +- /* Below assumes pmd_present() is true */ +- VM_BUG_ON(!pmd_trans_huge(*pmdp) && !pmd_devmap(*pmdp)); ++ VM_BUG_ON(pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) && ++ !pmd_devmap(*pmdp)); + pmd = pmdp_huge_get_and_clear(vma->vm_mm, address, pmdp); + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + return pmd; +diff --git a/mm/rmap.c b/mm/rmap.c +index b0fc27e77d6d7..3665d062cc9ce 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -707,7 +707,6 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) + */ + unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma) + { +- unsigned long address; + if (PageAnon(page)) { + struct anon_vma *page__anon_vma = page_anon_vma(page); + /* +@@ -717,15 +716,13 @@ unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma) + if (!vma->anon_vma || !page__anon_vma || + vma->anon_vma->root != page__anon_vma->root) + return -EFAULT; +- } else if (page->mapping) { +- if (!vma->vm_file || vma->vm_file->f_mapping != page->mapping) +- return -EFAULT; +- } else ++ } else if (!vma->vm_file) { + return -EFAULT; +- address = __vma_address(page, vma); +- if (unlikely(address < vma->vm_start || address >= vma->vm_end)) ++ } else if (vma->vm_file->f_mapping != compound_head(page)->mapping) { + return -EFAULT; +- return address; ++ } ++ ++ return vma_address(page, vma); + } + + pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address) +@@ -919,7 +916,7 @@ static bool page_mkclean_one(struct page *page, struct vm_area_struct *vma, + */ + mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE, + 0, vma, vma->vm_mm, address, +- min(vma->vm_end, address + page_size(page))); ++ vma_address_end(page, vma)); + mmu_notifier_invalidate_range_start(&range); + + while (page_vma_mapped_walk(&pvmw)) { +@@ -1405,6 +1402,15 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, + struct mmu_notifier_range range; + enum ttu_flags flags = (enum ttu_flags)(long)arg; + ++ /* ++ * When racing against e.g. zap_pte_range() on another cpu, ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(), ++ * try_to_unmap() may return false when it is about to become true, ++ * if page table locking is skipped: use TTU_SYNC to wait for that. ++ */ ++ if (flags & TTU_SYNC) ++ pvmw.flags = PVMW_SYNC; ++ + /* munlock has nothing to gain from examining un-locked vmas */ + if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED)) + return true; +@@ -1426,9 +1432,10 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, + * Note that the page can not be free in this function as call of + * try_to_unmap() must hold a reference on the page. + */ ++ range.end = PageKsm(page) ? ++ address + PAGE_SIZE : vma_address_end(page, vma); + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm, +- address, +- min(vma->vm_end, address + page_size(page))); ++ address, range.end); + if (PageHuge(page)) { + /* + * If sharing is possible, start and end will be adjusted +@@ -1777,7 +1784,13 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags) + else + rmap_walk(page, &rwc); + +- return !page_mapcount(page) ? true : false; ++ /* ++ * When racing against e.g. zap_pte_range() on another cpu, ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(), ++ * try_to_unmap() may return false when it is about to become true, ++ * if page table locking is skipped: use TTU_SYNC to wait for that. ++ */ ++ return !page_mapcount(page); + } + + /** +@@ -1874,6 +1887,7 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc, + struct vm_area_struct *vma = avc->vma; + unsigned long address = vma_address(page, vma); + ++ VM_BUG_ON_VMA(address == -EFAULT, vma); + cond_resched(); + + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) +@@ -1928,6 +1942,7 @@ static void rmap_walk_file(struct page *page, struct rmap_walk_control *rwc, + pgoff_start, pgoff_end) { + unsigned long address = vma_address(page, vma); + ++ VM_BUG_ON_VMA(address == -EFAULT, vma); + cond_resched(); + + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) +diff --git a/mm/truncate.c b/mm/truncate.c +index 455944264663e..bf092be0a6f01 100644 +--- a/mm/truncate.c ++++ b/mm/truncate.c +@@ -168,13 +168,10 @@ void do_invalidatepage(struct page *page, unsigned int offset, + * its lock, b) when a concurrent invalidate_mapping_pages got there first and + * c) when tmpfs swizzles a page between a tmpfs inode and swapper_space. + */ +-static void +-truncate_cleanup_page(struct address_space *mapping, struct page *page) ++static void truncate_cleanup_page(struct page *page) + { +- if (page_mapped(page)) { +- unsigned int nr = thp_nr_pages(page); +- unmap_mapping_pages(mapping, page->index, nr, false); +- } ++ if (page_mapped(page)) ++ unmap_mapping_page(page); + + if (page_has_private(page)) + do_invalidatepage(page, 0, thp_size(page)); +@@ -219,7 +216,7 @@ int truncate_inode_page(struct address_space *mapping, struct page *page) + if (page->mapping != mapping) + return -EIO; + +- truncate_cleanup_page(mapping, page); ++ truncate_cleanup_page(page); + delete_from_page_cache(page); + return 0; + } +@@ -326,7 +323,7 @@ void truncate_inode_pages_range(struct address_space *mapping, + index = indices[pagevec_count(&pvec) - 1] + 1; + truncate_exceptional_pvec_entries(mapping, &pvec, indices); + for (i = 0; i < pagevec_count(&pvec); i++) +- truncate_cleanup_page(mapping, pvec.pages[i]); ++ truncate_cleanup_page(pvec.pages[i]); + delete_from_page_cache_batch(mapping, &pvec); + for (i = 0; i < pagevec_count(&pvec); i++) + unlock_page(pvec.pages[i]); +@@ -652,6 +649,16 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + continue; + } + ++ if (!did_range_unmap && page_mapped(page)) { ++ /* ++ * If page is mapped, before taking its lock, ++ * zap the rest of the file in one hit. ++ */ ++ unmap_mapping_pages(mapping, index, ++ (1 + end - index), false); ++ did_range_unmap = 1; ++ } ++ + lock_page(page); + WARN_ON(page_to_index(page) != index); + if (page->mapping != mapping) { +@@ -659,23 +666,11 @@ int invalidate_inode_pages2_range(struct address_space *mapping, + continue; + } + wait_on_page_writeback(page); +- if (page_mapped(page)) { +- if (!did_range_unmap) { +- /* +- * Zap the rest of the file in one hit. +- */ +- unmap_mapping_pages(mapping, index, +- (1 + end - index), false); +- did_range_unmap = 1; +- } else { +- /* +- * Just zap this page +- */ +- unmap_mapping_pages(mapping, index, +- 1, false); +- } +- } ++ ++ if (page_mapped(page)) ++ unmap_mapping_page(page); + BUG_ON(page_mapped(page)); ++ + ret2 = do_launder_page(mapping, page); + if (ret2 == 0) { + if (!invalidate_complete_page2(mapping, page)) +diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c +index 2603966da904d..e910890a868c1 100644 +--- a/net/ethtool/ioctl.c ++++ b/net/ethtool/ioctl.c +@@ -1421,7 +1421,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr, + if (eeprom.offset + eeprom.len > total_len) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1486,7 +1486,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr) + if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev)) + return -EINVAL; + +- data = kmalloc(PAGE_SIZE, GFP_USER); ++ data = kzalloc(PAGE_SIZE, GFP_USER); + if (!data) + return -ENOMEM; + +@@ -1765,7 +1765,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr) + return -EFAULT; + + test.len = test_len; +- data = kmalloc_array(test_len, sizeof(u64), GFP_USER); ++ data = kcalloc(test_len, sizeof(u64), GFP_USER); + if (!data) + return -ENOMEM; + +@@ -2281,7 +2281,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + ret = ops->get_tunable(dev, &tuna, data); +@@ -2473,7 +2473,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr) + ret = ethtool_phy_tunable_valid(&tuna); + if (ret) + return ret; +- data = kmalloc(tuna.len, GFP_USER); ++ data = kzalloc(tuna.len, GFP_USER); + if (!data) + return -ENOMEM; + if (phy_drv_tunable) { +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 1355e6c0d5677..faa7856c7fb07 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -575,7 +575,7 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr, + return err; + } + +- if (!inet_sk(sk)->inet_num && inet_autobind(sk)) ++ if (data_race(!inet_sk(sk)->inet_num) && inet_autobind(sk)) + return -EAGAIN; + return sk->sk_prot->connect(sk, uaddr, addr_len); + } +@@ -803,7 +803,7 @@ int inet_send_prepare(struct sock *sk) + sock_rps_record_flow(sk); + + /* We may need to bind the socket. */ +- if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind && ++ if (data_race(!inet_sk(sk)->inet_num) && !sk->sk_prot->no_autobind && + inet_autobind(sk)) + return -EAGAIN; + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 2e35f68da40a7..1c6429c353a96 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla, + return -EAFNOSUPPORT; + + if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0) +- BUG(); ++ return -EINVAL; + + if (tb[IFLA_INET_CONF]) { + nla_for_each_nested(a, tb[IFLA_INET_CONF], rem) +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 8b943f85fff9d..ea22768f76b8a 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -952,6 +952,7 @@ bool ping_rcv(struct sk_buff *skb) + struct sock *sk; + struct net *net = dev_net(skb->dev); + struct icmphdr *icmph = icmp_hdr(skb); ++ bool rc = false; + + /* We assume the packet has already been checked by icmp_rcv */ + +@@ -966,14 +967,15 @@ bool ping_rcv(struct sk_buff *skb) + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); + + pr_debug("rcv on socket %p\n", sk); +- if (skb2) +- ping_queue_rcv_skb(sk, skb2); ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2)) ++ rc = true; + sock_put(sk); +- return true; + } +- pr_debug("no socket, dropping\n"); + +- return false; ++ if (!rc) ++ pr_debug("no socket, dropping\n"); ++ ++ return rc; + } + EXPORT_SYMBOL_GPL(ping_rcv); + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index a9e53f5942fae..eab0a46983c0b 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5822,7 +5822,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla, + return -EAFNOSUPPORT; + + if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0) +- BUG(); ++ return -EINVAL; + + if (tb[IFLA_INET6_TOKEN]) { + err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN]), +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 02e818d740f60..5ec437e8e7132 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1442,7 +1442,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON_ONCE(!chanctx_conf)) { ++ if (!chanctx_conf) { + rcu_read_unlock(); + return NULL; + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 0fe91dc9817eb..437d88822d8f8 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4062,10 +4062,14 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, + if (elems.mbssid_config_ie) + bss_conf->profile_periodicity = + elems.mbssid_config_ie->profile_periodicity; ++ else ++ bss_conf->profile_periodicity = 0; + + if (elems.ext_capab_len >= 11 && + (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT)) + bss_conf->ema_ap = true; ++ else ++ bss_conf->ema_ap = false; + + /* continue assoc process */ + ifmgd->assoc_data->timeout = jiffies; +@@ -5802,12 +5806,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + beacon_ies->data, beacon_ies->len); + if (elem && elem->datalen >= 3) + sdata->vif.bss_conf.profile_periodicity = elem->data[2]; ++ else ++ sdata->vif.bss_conf.profile_periodicity = 0; + + elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY, + beacon_ies->data, beacon_ies->len); + if (elem && elem->datalen >= 11 && + (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT)) + sdata->vif.bss_conf.ema_ap = true; ++ else ++ sdata->vif.bss_conf.ema_ap = false; + } else { + assoc_data->timeout = jiffies; + assoc_data->timeout_started = true; +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 59de7a86599dc..cb5cbf02dbac9 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2239,17 +2239,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (is_multicast_ether_addr(hdr->addr1)) { +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); +- goto out_no_led; +- } +- + if (rx->sta) + cache = &rx->sta->frags; + + if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) + goto out; + ++ if (is_multicast_ether_addr(hdr->addr1)) ++ return RX_DROP_MONITOR; ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -2375,7 +2373,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + + out: + ieee80211_led_rx(rx->local); +- out_no_led: + if (rx->sta) + rx->sta->rx_stats.packets++; + return RX_CONTINUE; +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 53755a05f73b5..06342693799eb 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -955,7 +955,7 @@ static void ieee80211_parse_extension_element(u32 *crc, + + switch (elem->data[0]) { + case WLAN_EID_EXT_HE_MU_EDCA: +- if (len == sizeof(*elems->mu_edca_param_set)) { ++ if (len >= sizeof(*elems->mu_edca_param_set)) { + elems->mu_edca_param_set = data; + if (crc) + *crc = crc32_be(*crc, (void *)elem, +@@ -976,7 +976,7 @@ static void ieee80211_parse_extension_element(u32 *crc, + } + break; + case WLAN_EID_EXT_UORA: +- if (len == 1) ++ if (len >= 1) + elems->uora_element = data; + break; + case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: +@@ -984,7 +984,7 @@ static void ieee80211_parse_extension_element(u32 *crc, + elems->max_channel_switch_time = data; + break; + case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: +- if (len == sizeof(*elems->mbssid_config_ie)) ++ if (len >= sizeof(*elems->mbssid_config_ie)) + elems->mbssid_config_ie = data; + break; + case WLAN_EID_EXT_HE_SPR: +@@ -993,7 +993,7 @@ static void ieee80211_parse_extension_element(u32 *crc, + elems->he_spr = data; + break; + case WLAN_EID_EXT_HE_6GHZ_CAPA: +- if (len == sizeof(*elems->he_6ghz_capa)) ++ if (len >= sizeof(*elems->he_6ghz_capa)) + elems->he_6ghz_capa = data; + break; + } +@@ -1082,14 +1082,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + + switch (id) { + case WLAN_EID_LINK_ID: +- if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) { ++ if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { + elem_parse_failed = true; + break; + } + elems->lnk_id = (void *)(pos - 2); + break; + case WLAN_EID_CHAN_SWITCH_TIMING: +- if (elen != sizeof(struct ieee80211_ch_switch_timing)) { ++ if (elen < sizeof(struct ieee80211_ch_switch_timing)) { + elem_parse_failed = true; + break; + } +@@ -1252,7 +1252,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + elems->sec_chan_offs = (void *)pos; + break; + case WLAN_EID_CHAN_SWITCH_PARAM: +- if (elen != ++ if (elen < + sizeof(*elems->mesh_chansw_params_ie)) { + elem_parse_failed = true; + break; +@@ -1261,7 +1261,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + break; + case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: + if (!action || +- elen != sizeof(*elems->wide_bw_chansw_ie)) { ++ elen < sizeof(*elems->wide_bw_chansw_ie)) { + elem_parse_failed = true; + break; + } +@@ -1280,7 +1280,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, + pos, elen); + if (ie) { +- if (ie[1] == sizeof(*elems->wide_bw_chansw_ie)) ++ if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie)) + elems->wide_bw_chansw_ie = + (void *)(ie + 2); + else +@@ -1324,7 +1324,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + elems->cisco_dtpc_elem = pos; + break; + case WLAN_EID_ADDBA_EXT: +- if (elen != sizeof(struct ieee80211_addba_ext_ie)) { ++ if (elen < sizeof(struct ieee80211_addba_ext_ie)) { + elem_parse_failed = true; + break; + } +@@ -1350,7 +1350,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, + elem, elems); + break; + case WLAN_EID_S1G_CAPABILITIES: +- if (elen == sizeof(*elems->s1g_capab)) ++ if (elen >= sizeof(*elems->s1g_capab)) + elems->s1g_capab = (void *)pos; + else + elem_parse_failed = true; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index c52557ec7fb33..68a4dd2512427 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2683,7 +2683,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2896,7 +2896,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -3034,10 +3034,13 @@ static int packet_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + +- if (po->tx_ring.pg_vec) ++ /* Reading tx_ring.pg_vec without holding pg_vec_lock is racy. ++ * tpacket_snd() will redo the check safely. ++ */ ++ if (data_race(po->tx_ring.pg_vec)) + return tpacket_snd(po, msg); +- else +- return packet_snd(sock, msg, len); ++ ++ return packet_snd(sock, msg, len); + } + + /* +@@ -3168,7 +3171,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + /* prevents packet_notifier() from calling + * register_prot_hook() + */ +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, true); + rcu_read_lock(); + dev_curr = po->prot_hook.dev; +@@ -3178,17 +3181,17 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + } + + BUG_ON(po->running); +- po->num = proto; ++ WRITE_ONCE(po->num, proto); + po->prot_hook.type = proto; + + if (unlikely(unlisted)) { + dev_put(dev); + po->prot_hook.dev = NULL; +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + packet_cached_dev_reset(po); + } else { + po->prot_hook.dev = dev; +- po->ifindex = dev ? dev->ifindex : 0; ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); + packet_cached_dev_assign(po, dev); + } + } +@@ -3502,7 +3505,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); +@@ -3517,16 +3520,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr); ++ int ifindex; + + if (peer) + return -EOPNOTSUPP; + ++ ifindex = READ_ONCE(po->ifindex); + sll->sll_family = AF_PACKET; +- sll->sll_ifindex = po->ifindex; +- sll->sll_protocol = po->num; ++ sll->sll_ifindex = ifindex; ++ sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +@@ -4105,7 +4110,7 @@ static int packet_notifier(struct notifier_block *this, + } + if (msg == NETDEV_UNREGISTER) { + packet_cached_dev_reset(po); +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); + po->prot_hook.dev = NULL; +@@ -4411,7 +4416,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + was_running = po->running; + num = po->num; + if (was_running) { +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, false); + } + spin_unlock(&po->bind_lock); +@@ -4446,7 +4451,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + + spin_lock(&po->bind_lock); + if (was_running) { +- po->num = num; ++ WRITE_ONCE(po->num, num); + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +@@ -4616,8 +4621,8 @@ static int packet_seq_show(struct seq_file *seq, void *v) + s, + refcount_read(&s->sk_refcnt), + s->sk_type, +- ntohs(po->num), +- po->ifindex, ++ ntohs(READ_ONCE(po->num)), ++ READ_ONCE(po->ifindex), + po->running, + atomic_read(&s->sk_rmem_alloc), + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), +diff --git a/net/wireless/util.c b/net/wireless/util.c +index f342b61476754..726e7d2342bd5 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1059,6 +1059,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, + case NL80211_IFTYPE_MESH_POINT: + /* mesh should be handled? */ + break; ++ case NL80211_IFTYPE_OCB: ++ cfg80211_leave_ocb(rdev, dev); ++ break; + default: + break; + } +diff --git a/scripts/Makefile b/scripts/Makefile +index c36106bce80ee..9adb6d247818f 100644 +--- a/scripts/Makefile ++++ b/scripts/Makefile +@@ -14,6 +14,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler + hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file + hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert + hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert ++hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert + + HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include + HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index f9b19524da112..1e9baa5c4fc6e 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab, + Elf32_Word const *symtab_shndx) + { + unsigned long offset; ++ unsigned short shndx = w2(sym->st_shndx); + int index; + +- if (sym->st_shndx != SHN_XINDEX) +- return w2(sym->st_shndx); ++ if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE) ++ return shndx; + +- offset = (unsigned long)sym - (unsigned long)symtab; +- index = offset / sizeof(*sym); ++ if (shndx == SHN_XINDEX) { ++ offset = (unsigned long)sym - (unsigned long)symtab; ++ index = offset / sizeof(*sym); + +- return w(symtab_shndx[index]); ++ return w(symtab_shndx[index]); ++ } ++ ++ return 0; + } + + static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0) +diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c +index c5ba695c10e3a..5604bd57c9907 100644 +--- a/security/integrity/platform_certs/keyring_handler.c ++++ b/security/integrity/platform_certs/keyring_handler.c +@@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source, + uefi_blacklist_hash(source, data, len, "bin:", 4); + } + ++/* ++ * Add an X509 cert to the revocation list. ++ */ ++static __init void uefi_revocation_list_x509(const char *source, ++ const void *data, size_t len) ++{ ++ add_key_to_revocation_list(data, len); ++} ++ + /* + * Return the appropriate handler for particular signature list types found in + * the UEFI db and MokListRT tables. +@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) + return uefi_blacklist_x509_tbs; + if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) + return uefi_blacklist_binary; ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) ++ return uefi_revocation_list_x509; + return 0; + } +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c +index ee4b4c666854f..f290f78c3f301 100644 +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -132,8 +132,9 @@ static int __init load_moklist_certs(void) + static int __init load_uefi_certs(void) + { + efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; +- void *db = NULL, *dbx = NULL; +- unsigned long dbsize = 0, dbxsize = 0; ++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; ++ void *db = NULL, *dbx = NULL, *mokx = NULL; ++ unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + efi_status_t status; + int rc = 0; + +@@ -175,6 +176,21 @@ static int __init load_uefi_certs(void) + kfree(dbx); + } + ++ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); ++ if (!mokx) { ++ if (status == EFI_NOT_FOUND) ++ pr_debug("mokx variable wasn't found\n"); ++ else ++ pr_info("Couldn't get mokx list\n"); ++ } else { ++ rc = parse_efi_signature_list("UEFI:MokListXRT", ++ mokx, mokxsize, ++ get_handler_for_dbx); ++ if (rc) ++ pr_err("Couldn't parse mokx signatures %d\n", rc); ++ kfree(mokx); ++ } ++ + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c +index 58b5a349d3baf..ea3158b0d551d 100644 +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -1147,7 +1147,7 @@ static void do_test_single(struct bpf_test *test, bool unpriv, + } + } + +- if (test->insn_processed) { ++ if (!unpriv && test->insn_processed) { + uint32_t insn_processed; + char *proc; + +diff --git a/tools/testing/selftests/bpf/verifier/and.c b/tools/testing/selftests/bpf/verifier/and.c +index ca8fdb1b3f015..7d7ebee5cc7a8 100644 +--- a/tools/testing/selftests/bpf/verifier/and.c ++++ b/tools/testing/selftests/bpf/verifier/and.c +@@ -61,6 +61,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 0 + }, +diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c +index 8a1caf46ffbc3..e061e8799ce23 100644 +--- a/tools/testing/selftests/bpf/verifier/bounds.c ++++ b/tools/testing/selftests/bpf/verifier/bounds.c +@@ -508,6 +508,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT + }, + { +@@ -528,6 +530,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT + }, + { +@@ -569,6 +573,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 min value is outside of the allowed memory range", ++ .result_unpriv = REJECT, + .fixup_map_hash_8b = { 3 }, + .result = ACCEPT, + }, +@@ -589,6 +595,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 min value is outside of the allowed memory range", ++ .result_unpriv = REJECT, + .fixup_map_hash_8b = { 3 }, + .result = ACCEPT, + }, +@@ -609,6 +617,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 min value is outside of the allowed memory range", ++ .result_unpriv = REJECT, + .fixup_map_hash_8b = { 3 }, + .result = ACCEPT, + }, +@@ -674,6 +684,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 min value is outside of the allowed memory range", ++ .result_unpriv = REJECT, + .fixup_map_hash_8b = { 3 }, + .result = ACCEPT, + }, +@@ -695,6 +707,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 min value is outside of the allowed memory range", ++ .result_unpriv = REJECT, + .fixup_map_hash_8b = { 3 }, + .result = ACCEPT, + }, +diff --git a/tools/testing/selftests/bpf/verifier/dead_code.c b/tools/testing/selftests/bpf/verifier/dead_code.c +index 5cf361d8eb1cc..721ec9391be5a 100644 +--- a/tools/testing/selftests/bpf/verifier/dead_code.c ++++ b/tools/testing/selftests/bpf/verifier/dead_code.c +@@ -8,6 +8,8 @@ + BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, -4), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 7, + }, +diff --git a/tools/testing/selftests/bpf/verifier/jmp32.c b/tools/testing/selftests/bpf/verifier/jmp32.c +index bd5cae4a7f733..1c857b2fbdf0a 100644 +--- a/tools/testing/selftests/bpf/verifier/jmp32.c ++++ b/tools/testing/selftests/bpf/verifier/jmp32.c +@@ -87,6 +87,8 @@ + BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -150,6 +152,8 @@ + BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -213,6 +217,8 @@ + BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -280,6 +286,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -348,6 +356,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -416,6 +426,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -484,6 +496,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -552,6 +566,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -620,6 +636,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -688,6 +706,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +@@ -756,6 +776,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R0 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 2, + }, +diff --git a/tools/testing/selftests/bpf/verifier/jset.c b/tools/testing/selftests/bpf/verifier/jset.c +index 8dcd4e0383d57..11fc68da735ea 100644 +--- a/tools/testing/selftests/bpf/verifier/jset.c ++++ b/tools/testing/selftests/bpf/verifier/jset.c +@@ -82,8 +82,8 @@ + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, +- .retval_unpriv = 1, +- .result_unpriv = ACCEPT, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .retval = 1, + .result = ACCEPT, + }, +@@ -141,7 +141,8 @@ + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, +- .result_unpriv = ACCEPT, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -162,6 +163,7 @@ + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, +- .result_unpriv = ACCEPT, ++ .errstr_unpriv = "R9 !read_ok", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, +diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c +index bd436df5cc326..111801aea5e35 100644 +--- a/tools/testing/selftests/bpf/verifier/unpriv.c ++++ b/tools/testing/selftests/bpf/verifier/unpriv.c +@@ -420,6 +420,8 @@ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R7 invalid mem access 'inv'", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 0, + }, +diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c +index 7ae2859d495c5..a3e593ddfafc9 100644 +--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c ++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c +@@ -120,7 +120,7 @@ + .fixup_map_array_48b = { 1 }, + .result = ACCEPT, + .result_unpriv = REJECT, +- .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", ++ .errstr_unpriv = "R2 pointer comparison prohibited", + .retval = 0, + }, + { +@@ -159,7 +159,8 @@ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + // fake-dead code; targeted from branch A to +- // prevent dead code sanitization ++ // prevent dead code sanitization, rejected ++ // via branch B however + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), +@@ -167,7 +168,7 @@ + .fixup_map_array_48b = { 1 }, + .result = ACCEPT, + .result_unpriv = REJECT, +- .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", ++ .errstr_unpriv = "R0 invalid mem access 'inv'", + .retval = 0, + }, + { +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c +index 2f0e4365f61bd..8b90256bca96d 100644 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c +@@ -58,7 +58,7 @@ int kvm_check_cap(long cap) + exit(KSFT_SKIP); + + ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap); +- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n" ++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n" + " rc: %i errno: %i", ret, errno); + + close(kvm_fd); +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 5cabc6c748db1..4cce5735271ef 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1919,6 +1919,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) + return true; + } + ++static int kvm_try_get_pfn(kvm_pfn_t pfn) ++{ ++ if (kvm_is_reserved_pfn(pfn)) ++ return 1; ++ return get_page_unless_zero(pfn_to_page(pfn)); ++} ++ + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, + bool write_fault, bool *writable, +@@ -1968,13 +1975,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, + * Whoever called remap_pfn_range is also going to call e.g. + * unmap_mapping_range before the underlying pages are freed, + * causing a call to our MMU notifier. ++ * ++ * Certain IO or PFNMAP mappings can be backed with valid ++ * struct pages, but be allocated without refcounting e.g., ++ * tail pages of non-compound higher order allocations, which ++ * would then underflow the refcount when the caller does the ++ * required put_page. Don't allow those pages here. + */ +- kvm_get_pfn(pfn); ++ if (!kvm_try_get_pfn(pfn)) ++ r = -EFAULT; + + out: + pte_unmap_unlock(ptep, ptl); + *p_pfn = pfn; +- return 0; ++ ++ return r; + } + + /*