diff --git a/config/boards/clearfogbase.conf b/config/boards/clearfogbase.conf index e30c6f688a..6484bf11e8 100644 --- a/config/boards/clearfogbase.conf +++ b/config/boards/clearfogbase.conf @@ -8,6 +8,6 @@ MODULES_NEXT="mv_cesa" BUILD_DESKTOP="no" # KERNEL_TARGET="default,next,dev" -CLI_TARGET="stretch,xenial:default,next" +CLI_TARGET="stretch,bionic:default,next" # -CLI_BETA_TARGET="" \ No newline at end of file +CLI_BETA_TARGET="" diff --git a/config/boards/clearfogpro.conf b/config/boards/clearfogpro.conf index 07b69a1eb5..b2f1b8cf7b 100644 --- a/config/boards/clearfogpro.conf +++ b/config/boards/clearfogpro.conf @@ -8,6 +8,6 @@ MODULES_NEXT="#mv88e6xxx_drv mv_cesa" BUILD_DESKTOP="no" # KERNEL_TARGET="default,next,dev" -CLI_TARGET="stretch,xenial:default,next" +CLI_TARGET="stretch,bionic:default,next" # -CLI_BETA_TARGET="" \ No newline at end of file +CLI_BETA_TARGET="" diff --git a/config/kernel/linux-mvebu-default.config b/config/kernel/linux-mvebu-default.config index 3a9da501c8..6f5b4a42f2 100644 --- a/config/kernel/linux-mvebu-default.config +++ b/config/kernel/linux-mvebu-default.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.4.128 Kernel Configuration +# Linux/arm 4.4.150 Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -157,6 +157,7 @@ CONFIG_RD_LZMA=y CONFIG_RD_XZ=y CONFIG_RD_LZO=y CONFIG_RD_LZ4=y +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set CONFIG_SYSCTL=y CONFIG_ANON_INODES=y @@ -2772,7 +2773,6 @@ CONFIG_SPI_SPIDEV=m # CONFIG_PPS=m # CONFIG_PPS_DEBUG is not set -# CONFIG_NTP_PPS is not set # # PPS clients support diff --git a/config/kernel/linux-mvebu-next.config b/config/kernel/linux-mvebu-next.config index cc25305209..1e710aa73c 100644 --- a/config/kernel/linux-mvebu-next.config +++ b/config/kernel/linux-mvebu-next.config 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.57 Kernel Configuration +# Linux/arm 4.14.66 Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y diff --git a/patch/kernel/mvebu-default/04-patch-4.4.128-129.patch b/patch/kernel/mvebu-default/04-patch-4.4.128-129.patch new file mode 100644 index 0000000000..a10487fbdf --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.128-129.patch 
@@ -0,0 +1,3460 @@ +diff --git a/Makefile b/Makefile +index 575459bb47eb..096d7e867b6c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 128 ++SUBLEVEL = 129 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi +index a7da0dd0c98f..0898213f3bb2 100644 +--- a/arch/arm/boot/dts/at91sam9g25.dtsi ++++ b/arch/arm/boot/dts/at91sam9g25.dtsi +@@ -21,7 +21,7 @@ + atmel,mux-mask = < + /* A B C */ + 0xffffffff 0xffe0399f 0xc000001c /* pioA */ +- 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */ ++ 0x0007ffff 0x00047e3f 0x00000000 /* pioB */ + 0x80000000 0x07c0ffff 0xb83fffff /* pioC */ + 0x003fffff 0x003f8000 0x00000000 /* pioD */ + >; +diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi +index 3daf8d5d7878..fb0d1b252dc8 100644 +--- a/arch/arm/boot/dts/sama5d4.dtsi ++++ b/arch/arm/boot/dts/sama5d4.dtsi +@@ -1354,7 +1354,7 @@ + pinctrl@fc06a000 { + #address-cells = <1>; + #size-cells = <1>; +- compatible = "atmel,at91sam9x5-pinctrl", "atmel,at91rm9200-pinctrl", "simple-bus"; ++ compatible = "atmel,sama5d3-pinctrl", "atmel,at91sam9x5-pinctrl", "simple-bus"; + ranges = <0xfc068000 0xfc068000 0x100 + 0xfc06a000 0xfc06a000 0x4000>; + /* WARNING: revisit as pin spec has changed */ +diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h +index c74c32ccc647..4f281768937f 100644 +--- a/arch/mips/include/asm/uaccess.h ++++ b/arch/mips/include/asm/uaccess.h +@@ -1238,6 +1238,13 @@ __clear_user(void __user *addr, __kernel_size_t size) + { + __kernel_size_t res; + ++#ifdef CONFIG_CPU_MICROMIPS ++/* micromips memset / bzero also clobbers t7 & t8 */ ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31" ++#else ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31" ++#endif /* CONFIG_CPU_MICROMIPS */ ++ + if (eva_kernel_access()) { + __asm__ __volatile__( + "move\t$4, %1\n\t" +@@ 
-1247,7 +1254,7 @@ __clear_user(void __user *addr, __kernel_size_t size) + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } else { + might_fault(); + __asm__ __volatile__( +@@ -1258,7 +1265,7 @@ __clear_user(void __user *addr, __kernel_size_t size) + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } + + return res; +diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S +index 8f0019a2e5c8..2d33cf2185d9 100644 +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -218,7 +218,7 @@ + 1: PTR_ADDIU a0, 1 /* fill bytewise */ + R10KCBARRIER(0(ra)) + bne t1, a0, 1b +- sb a1, -1(a0) ++ EX(sb, a1, -1(a0), .Lsmall_fixup\@) + + 2: jr ra /* done */ + move a2, zero +@@ -249,13 +249,18 @@ + PTR_L t0, TI_TASK($28) + andi a2, STORMASK + LONG_L t0, THREAD_BUADDR(t0) +- LONG_ADDU a2, t1 ++ LONG_ADDU a2, a0 + jr ra + LONG_SUBU a2, t0 + + .Llast_fixup\@: + jr ra +- andi v1, a2, STORMASK ++ nop ++ ++.Lsmall_fixup\@: ++ PTR_SUBU a2, t1, a0 ++ jr ra ++ PTR_ADDIU a2, 1 + + .endm + +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c +index dba508fe1683..4f7060ec6875 100644 +--- a/arch/parisc/kernel/drivers.c ++++ b/arch/parisc/kernel/drivers.c +@@ -648,6 +648,10 @@ static int match_pci_device(struct device *dev, int index, + (modpath->mod == PCI_FUNC(devfn))); + } + ++ /* index might be out of bounds for bc[] */ ++ if (index >= 6) ++ return 0; ++ + id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5); + return (modpath->bc[index] == id); + } +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h +index 0eca6efc0631..b9e16855a037 100644 +--- a/arch/powerpc/include/asm/barrier.h ++++ b/arch/powerpc/include/asm/barrier.h +@@ -36,7 +36,8 @@ + + #define smp_store_mb(var, value) do { WRITE_ONCE(var, value); mb(); } while (0) + +-#ifdef __SUBARCH_HAS_LWSYNC ++/* 
The sub-arch has lwsync */ ++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) + # define SMPWMB LWSYNC + #else + # define SMPWMB eieio +diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h +index 07a99e638449..bab3461115bb 100644 +--- a/arch/powerpc/include/asm/opal.h ++++ b/arch/powerpc/include/asm/opal.h +@@ -21,6 +21,9 @@ + /* We calculate number of sg entries based on PAGE_SIZE */ + #define SG_ENTRIES_PER_NODE ((PAGE_SIZE - 16) / sizeof(struct opal_sg_entry)) + ++/* Default time to sleep or delay between OPAL_BUSY/OPAL_BUSY_EVENT loops */ ++#define OPAL_BUSY_DELAY_MS 10 ++ + /* /sys/firmware/opal */ + extern struct kobject *opal_kobj; + +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h +index c50868681f9e..e8d6a842f4bb 100644 +--- a/arch/powerpc/include/asm/synch.h ++++ b/arch/powerpc/include/asm/synch.h +@@ -5,10 +5,6 @@ + #include + #include + +-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) +-#define __SUBARCH_HAS_LWSYNC +-#endif +- + #ifndef __ASSEMBLY__ + extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup; + extern void do_lwsync_fixups(unsigned long value, void *fixup_start, +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index 98f81800e00c..304f07cfa262 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -788,7 +788,8 @@ static void eeh_restore_bridge_bars(struct eeh_dev *edev) + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]); + + /* PCI Command: 0x4 */ +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]); ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] | ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER); + + /* Check the PCIe link is ready */ + eeh_bridge_check_link(edev); +diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c +index a18d648d31a6..3af014684872 100644 +--- a/arch/powerpc/lib/feature-fixups.c ++++ 
b/arch/powerpc/lib/feature-fixups.c +@@ -53,7 +53,7 @@ static int patch_alt_instruction(unsigned int *src, unsigned int *dest, + unsigned int *target = (unsigned int *)branch_target(src); + + /* Branch within the section doesn't need translating */ +- if (target < alt_start || target >= alt_end) { ++ if (target < alt_start || target > alt_end) { + instr = translate_branch(dest, src); + if (!instr) + return 1; +diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c +index 9db4398ded5d..1bceb95f422d 100644 +--- a/arch/powerpc/platforms/powernv/opal-nvram.c ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c +@@ -11,6 +11,7 @@ + + #define DEBUG + ++#include + #include + #include + #include +@@ -56,9 +57,17 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_write_nvram(__pa(buf), count, off); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } + } ++ ++ if (rc) ++ return -EIO; ++ + *index += count; + return count; + } +diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c +index b2e5902bd8f4..c670279b33f0 100644 +--- a/arch/s390/hypfs/inode.c ++++ b/arch/s390/hypfs/inode.c +@@ -318,7 +318,7 @@ static void hypfs_kill_super(struct super_block *sb) + + if (sb->s_root) + hypfs_delete_tree(sb->s_root); +- if (sb_info->update_file) ++ if (sb_info && sb_info->update_file) + hypfs_remove(sb_info->update_file); + kfree(sb->s_fs_info); + sb->s_fs_info = NULL; +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c +index 42570d8fb265..e73979236659 100644 +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -798,6 +798,7 @@ static ssize_t reipl_generic_loadparm_store(struct ipl_parameter_block *ipb, + /* copy and convert to ebcdic */ + memcpy(ipb->hdr.loadparm, buf, lp_len); + 
ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN); ++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID; + return len; + } + +diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c +index c211153ca69a..56648f4f8b41 100644 +--- a/arch/um/os-Linux/signal.c ++++ b/arch/um/os-Linux/signal.c +@@ -140,7 +140,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = { + + static void hard_handler(int sig, siginfo_t *si, void *p) + { +- struct ucontext *uc = p; ++ ucontext_t *uc = p; + mcontext_t *mc = &uc->uc_mcontext; + unsigned long pending = 1UL << sig; + +diff --git a/arch/x86/um/stub_segv.c b/arch/x86/um/stub_segv.c +index 1518d2805ae8..fd6825537b97 100644 +--- a/arch/x86/um/stub_segv.c ++++ b/arch/x86/um/stub_segv.c +@@ -10,7 +10,7 @@ + void __attribute__ ((__section__ (".__syscall_stub"))) + stub_segv_handler(int sig, siginfo_t *info, void *p) + { +- struct ucontext *uc = p; ++ ucontext_t *uc = p; + + GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA), + &uc->uc_mcontext); +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index b48ecbfc4498..8c5503c0bad7 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -205,6 +205,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + "3570R/370R/470R/450R/510R/4450RV"), + }, + }, ++ { ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1557060 */ ++ .callback = video_detect_force_video, ++ .ident = "SAMSUNG 670Z5E", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "670Z5E"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1094948 */ + .callback = video_detect_force_video, +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 4ac63c0e50c7..fd377b956199 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1582,7 +1582,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg, + return -EINVAL; + if 
(val_len % map->format.val_bytes) + return -EINVAL; +- if (map->max_raw_write && map->max_raw_write > val_len) ++ if (map->max_raw_write && map->max_raw_write < val_len) + return -E2BIG; + + map->lock(map->lock_arg); +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 1dd16f26e77d..e8165ec55e6f 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1121,11 +1121,15 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) + if (info->lo_encrypt_type) { + unsigned int type = info->lo_encrypt_type; + +- if (type >= MAX_LO_CRYPT) +- return -EINVAL; ++ if (type >= MAX_LO_CRYPT) { ++ err = -EINVAL; ++ goto exit; ++ } + xfer = xfer_funcs[type]; +- if (xfer == NULL) +- return -EINVAL; ++ if (xfer == NULL) { ++ err = -EINVAL; ++ goto exit; ++ } + } else + xfer = NULL; + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index bd9fc2baa6aa..dffd06a3bb76 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -724,7 +724,7 @@ retry: + + static int credit_entropy_bits_safe(struct entropy_store *r, int nbits) + { +- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1)); ++ const int nbits_max = r->poolinfo->poolwords * 32; + + if (nbits < 0) + return -EINVAL; +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 7c4b1ffe874f..d56ba46e6b78 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -891,9 +891,7 @@ static void bcm2835_pll_off(struct clk_hw *hw) + const struct bcm2835_pll_data *data = pll->data; + + spin_lock(&cprman->regs_lock); +- cprman_write(cprman, data->cm_ctrl_reg, +- cprman_read(cprman, data->cm_ctrl_reg) | +- CM_PLL_ANARST); ++ cprman_write(cprman, data->cm_ctrl_reg, CM_PLL_ANARST); + cprman_write(cprman, data->a2w_ctrl_reg, + cprman_read(cprman, data->a2w_ctrl_reg) | + A2W_PLL_CTRL_PWRDN); +@@ -929,6 +927,10 @@ static int bcm2835_pll_on(struct clk_hw *hw) + cpu_relax(); + } + ++ cprman_write(cprman, data->a2w_ctrl_reg, ++ 
cprman_read(cprman, data->a2w_ctrl_reg) | ++ A2W_PLL_CTRL_PRST_DISABLE); ++ + return 0; + } + +diff --git a/drivers/clk/mvebu/armada-38x.c b/drivers/clk/mvebu/armada-38x.c +index 8bccf4ecdab6..9ff4ea63932d 100644 +--- a/drivers/clk/mvebu/armada-38x.c ++++ b/drivers/clk/mvebu/armada-38x.c +@@ -75,11 +76,11 @@ static const struct coreclk_ratio armada_38x_coreclk_ratios[] __initconst = { + }; + + static const int armada_38x_cpu_l2_ratios[32][2] __initconst = { +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, +- {1, 2}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {1, 2}, {0, 1}, ++ {1, 2}, {0, 1}, {1, 2}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {0, 1}, {1, 2}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, +@@ -90,7 +91,7 @@ static const int armada_38x_cpu_ddr_ratios[32][2] __initconst = { + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, + {1, 2}, {0, 1}, {0, 1}, {0, 1}, +- {0, 1}, {0, 1}, {0, 1}, {0, 1}, ++ {1, 2}, {0, 1}, {0, 1}, {7, 15}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, + {0, 1}, {0, 1}, {0, 1}, {0, 1}, +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 66c073fc8afc..82a7c89caae2 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie, + for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) { + check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); +- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); +- rmb(); + cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC); + rmb(); ++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); ++ rmb(); + cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); + +diff --git a/drivers/gpu/drm/radeon/radeon_object.c 
b/drivers/gpu/drm/radeon/radeon_object.c +index fb6ad143873f..83aee9e814ba 100644 +--- a/drivers/gpu/drm/radeon/radeon_object.c ++++ b/drivers/gpu/drm/radeon/radeon_object.c +@@ -238,9 +238,10 @@ int radeon_bo_create(struct radeon_device *rdev, + * may be slow + * See https://bugs.freedesktop.org/show_bug.cgi?id=88758 + */ +- ++#ifndef CONFIG_COMPILE_TEST + #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \ + thanks to write-combining ++#endif + + if (bo->flags & RADEON_GEM_GTT_WC) + DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for " +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c +index d9007cc37be1..892d0a71d766 100644 +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -5964,9 +5964,9 @@ static void si_set_pcie_lane_width_in_smc(struct radeon_device *rdev, + { + u32 lane_width; + u32 new_lane_width = +- (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; ++ ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1; + u32 current_lane_width = +- (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT; ++ ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1; + + if (new_lane_width != current_lane_width) { + radeon_set_pcie_lanes(rdev, new_lane_width); +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index d07fb967f92b..e4541c6bf3d3 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1331,7 +1331,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags) + * of implement() working on 8 byte chunks + */ + +- int len = hid_report_len(report) + 7; ++ u32 len = hid_report_len(report) + 7; + + return kmalloc(len, flags); + } +@@ -1396,7 +1396,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report, + { + char *buf; + int ret; 
+- int len; ++ u32 len; + + buf = hid_alloc_report_buf(report, GFP_KERNEL); + if (!buf) +@@ -1422,14 +1422,14 @@ out: + } + EXPORT_SYMBOL_GPL(__hid_request); + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt) + { + struct hid_report_enum *report_enum = hid->report_enum + type; + struct hid_report *report; + struct hid_driver *hdrv; + unsigned int a; +- int rsize, csize = size; ++ u32 rsize, csize = size; + u8 *cdata = data; + int ret = 0; + +@@ -1487,7 +1487,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); + * + * This is data entry for lower layers. + */ +-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt) ++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) + { + struct hid_report_enum *report_enum; + struct hid_driver *hdrv; +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 53e54855c366..8d74e691ac90 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1258,7 +1258,8 @@ static void hidinput_led_worker(struct work_struct *work) + led_work); + struct hid_field *field; + struct hid_report *report; +- int len, ret; ++ int ret; ++ u32 len; + __u8 *buf; + + field = hidinput_get_led_field(hid); +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index f62a9d6601cc..9de379c1b3fd 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -314,7 +314,8 @@ static struct attribute_group mt_attribute_group = { + static void mt_get_feature(struct hid_device *hdev, struct hid_report *report) + { + struct mt_device *td = hid_get_drvdata(hdev); +- int ret, size = hid_report_len(report); ++ int ret; ++ u32 size = hid_report_len(report); + u8 *buf; + + /* +@@ -919,7 +920,7 @@ static void mt_set_input_mode(struct hid_device *hdev) + struct hid_report_enum *re; + struct mt_class *cls = 
&td->mtclass; + char *buf; +- int report_len; ++ u32 report_len; + + if (td->inputmode < 0) + return; +diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c +index 67cd059a8f46..41a4a2af9db1 100644 +--- a/drivers/hid/hid-rmi.c ++++ b/drivers/hid/hid-rmi.c +@@ -110,8 +110,8 @@ struct rmi_data { + u8 *writeReport; + u8 *readReport; + +- int input_report_size; +- int output_report_size; ++ u32 input_report_size; ++ u32 output_report_size; + + unsigned long flags; + +diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c +index 9c2d7c23f296..c0c4df198725 100644 +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct file *file, char __user *buffer, size_t + int ret = 0, len; + unsigned char report_number; + ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { ++ ret = -ENODEV; ++ goto out; ++ } ++ + dev = hidraw_table[minor]->hid; + + if (!dev->ll_driver->raw_request) { +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index 312aa1e33fb2..4c3ed078c6b9 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -137,10 +137,10 @@ struct i2c_hid { + * register of the HID + * descriptor. 
*/ + unsigned int bufsize; /* i2c buffer size */ +- char *inbuf; /* Input buffer */ +- char *rawbuf; /* Raw Input buffer */ +- char *cmdbuf; /* Command buffer */ +- char *argsbuf; /* Command arguments buffer */ ++ u8 *inbuf; /* Input buffer */ ++ u8 *rawbuf; /* Raw Input buffer */ ++ u8 *cmdbuf; /* Command buffer */ ++ u8 *argsbuf; /* Command arguments buffer */ + + unsigned long flags; /* device flags */ + +@@ -387,7 +387,8 @@ static int i2c_hid_hwreset(struct i2c_client *client) + + static void i2c_hid_get_input(struct i2c_hid *ihid) + { +- int ret, ret_size; ++ int ret; ++ u32 ret_size; + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); + + if (size > ihid->bufsize) +@@ -412,7 +413,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + +- if (ret_size > size) { ++ if ((ret_size > size) || (ret_size <= 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index a629f7c130f0..ac63e562071f 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -447,6 +447,7 @@ static int ina2xx_probe(struct i2c_client *client, + + /* set the device type */ + data->config = &ina2xx_config[id->driver_data]; ++ mutex_init(&data->config_lock); + + if (of_property_read_u32(dev->of_node, "shunt-resistor", &val) < 0) { + struct ina2xx_platform_data *pdata = dev_get_platdata(dev); +@@ -473,8 +474,6 @@ static int ina2xx_probe(struct i2c_client *client, + return -ENODEV; + } + +- mutex_init(&data->config_lock); +- + data->groups[group++] = &ina2xx_group; + if (id->driver_data == ina226) + data->groups[group++] = &ina226_group; +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 960fcb613198..ea3bc9bb1b7a 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1230,6 +1230,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx, + if (!optlen) + return -EINVAL; + ++ if 
(!ctx->cm_id->device) ++ return -EINVAL; ++ + memset(&sa_path, 0, sizeof(sa_path)); + + ib_sa_unpack_path(path_data->path_rec, &sa_path); +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 9a99cee2665a..4fd2892613dd 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2581,9 +2581,11 @@ static int srp_abort(struct scsi_cmnd *scmnd) + ret = FAST_IO_FAIL; + else + ret = FAILED; +- srp_free_req(ch, req, scmnd, 0); +- scmnd->result = DID_ABORT << 16; +- scmnd->scsi_done(scmnd); ++ if (ret == SUCCESS) { ++ srp_free_req(ch, req, scmnd, 0); ++ scmnd->result = DID_ABORT << 16; ++ scmnd->scsi_done(scmnd); ++ } + + return ret; + } +@@ -3309,12 +3311,10 @@ static ssize_t srp_create_target(struct device *dev, + num_online_nodes()); + const int ch_end = ((node_idx + 1) * target->ch_count / + num_online_nodes()); +- const int cv_start = (node_idx * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; +- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; ++ const int cv_start = node_idx * ibdev->num_comp_vectors / ++ num_online_nodes(); ++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors / ++ num_online_nodes(); + int cpu_idx = 0; + + for_each_online_cpu(cpu) { +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index a7d516f973dd..10068a481e22 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -389,6 +389,7 @@ int intel_svm_bind_mm(struct device *dev, int *pasid, int flags, struct svm_dev_ + pasid_max - 1, GFP_KERNEL); + if (ret < 0) { + kfree(svm); ++ kfree(sdev); + goto out; + } + svm->pasid = ret; +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index 943f90e392a7..e0ae2f34623a 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ 
b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp, + static int put_v4l2_window32(struct v4l2_window __user *kp, + struct v4l2_window32 __user *up) + { +- struct v4l2_clip __user *kclips = kp->clips; ++ struct v4l2_clip __user *kclips; + struct v4l2_clip32 __user *uclips; + compat_caddr_t p; + u32 clipcount; +@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp, + if (!clipcount) + return 0; + ++ if (get_user(kclips, &kp->clips)) ++ return -EFAULT; + if (get_user(p, &up->clips)) + return -EFAULT; + uclips = compat_ptr(p); +diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c +index 76e8bce6f46e..ad572a0f2124 100644 +--- a/drivers/mmc/host/jz4740_mmc.c ++++ b/drivers/mmc/host/jz4740_mmc.c +@@ -368,9 +368,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host, + host->irq_mask &= ~irq; + else + host->irq_mask |= irq; +- spin_unlock_irqrestore(&host->lock, flags); + + writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK); ++ spin_unlock_irqrestore(&host->lock, flags); + } + + static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host, +diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c +index b2fb0528c092..07ad86759d92 100644 +--- a/drivers/mtd/ubi/block.c ++++ b/drivers/mtd/ubi/block.c +@@ -244,7 +244,7 @@ static int ubiblock_open(struct block_device *bdev, fmode_t mode) + * in any case. + */ + if (mode & FMODE_WRITE) { +- ret = -EPERM; ++ ret = -EROFS; + goto out_unlock; + } + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 27de0463226e..a2e6c7848b0a 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -889,6 +889,17 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, + return -EINVAL; + } + ++ /* ++ * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes. 
++ * MLC NAND is different and needs special care, otherwise UBI or UBIFS ++ * will die soon and you will lose all your data. ++ */ ++ if (mtd->type == MTD_MLCNANDFLASH) { ++ pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n", ++ mtd->index); ++ return -EINVAL; ++ } ++ + if (ubi_num == UBI_DEV_NUM_AUTO) { + /* Search for an empty slot in the @ubi_devices array */ + for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++) +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c +index 30d3999dddba..ed62f1efe6eb 100644 +--- a/drivers/mtd/ubi/fastmap-wl.c ++++ b/drivers/mtd/ubi/fastmap-wl.c +@@ -360,7 +360,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi) + { + int i; + +- flush_work(&ubi->fm_work); + return_unused_pool_pebs(ubi, &ubi->fm_pool); + return_unused_pool_pebs(ubi, &ubi->fm_wl_pool); + +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 27ed25252aac..cfd81eb1b532 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize) + if(x < 0 || x > comp->rslot_limit) + goto bad; + ++ /* Check if the cstate is initialized */ ++ if (!comp->rstate[x].initialized) ++ goto bad; ++ + comp->flags &=~ SLF_TOSS; + comp->recv_current = x; + } else { +@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize) + if (cs->cs_tcp.doff > 5) + memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4); + cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2; ++ cs->initialized = true; + /* Put headers back on packet + * Neither header checksum is recalculated + */ +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c +index f9343bee1de3..6578127db847 100644 +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -704,6 +704,12 @@ static const struct usb_device_id products[] = { + USB_CDC_SUBCLASS_ETHERNET, + USB_CDC_PROTO_NONE), + .driver_info 
= (unsigned long)&wwan_info, ++}, { ++ /* Cinterion AHS3 modem by GEMALTO */ ++ USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM, ++ USB_CDC_SUBCLASS_ETHERNET, ++ USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&wwan_info, + }, { + /* Telit modules */ + USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM, +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index ebdee8f01f65..a6d429950cb0 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -618,7 +618,8 @@ static int lan78xx_read_otp(struct lan78xx_net *dev, u32 offset, + offset += 0x100; + else + ret = -EINVAL; +- ret = lan78xx_read_raw_otp(dev, offset, length, data); ++ if (!ret) ++ ret = lan78xx_read_raw_otp(dev, offset, length, data); + } + + return ret; +diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +index b7f72f9c7988..b3691712df61 100644 +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +@@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_interface *intf, + goto err_free_dev; + } + mutex_init(&priv->io_mutex); ++ mutex_init(&priv->conf_mutex); + + SET_IEEE80211_DEV(dev, &intf->dev); + usb_set_intfdata(intf, dev); +@@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_interface *intf, + printk(KERN_ERR "rtl8187: Cannot register device\n"); + goto err_free_dmabuf; + } +- mutex_init(&priv->conf_mutex); + skb_queue_head_init(&priv->b_tx_status.queue); + + wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n", +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 0b8d2655985f..fee4c01fbdfd 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -2024,7 +2024,10 @@ static void netback_changed(struct xenbus_device *dev, + case XenbusStateInitialised: + case XenbusStateReconfiguring: + case XenbusStateReconfigured: ++ break; ++ + case XenbusStateUnknown: 
++ wake_up_all(&module_unload_q); + break; + + case XenbusStateInitWait: +@@ -2155,7 +2158,9 @@ static int xennet_remove(struct xenbus_device *dev) + xenbus_switch_state(dev, XenbusStateClosing); + wait_event(module_unload_q, + xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing); ++ XenbusStateClosing || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown); + + xenbus_switch_state(dev, XenbusStateClosed); + wait_event(module_unload_q, +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c +index 0b3e0bfa7be5..572ca192cb1f 100644 +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -587,6 +587,7 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot) + { + unsigned long long sta = 0; + struct acpiphp_func *func; ++ u32 dvid; + + list_for_each_entry(func, &slot->funcs, sibling) { + if (func->flags & FUNC_HAS_STA) { +@@ -597,19 +598,27 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot) + if (ACPI_SUCCESS(status) && sta) + break; + } else { +- u32 dvid; +- +- pci_bus_read_config_dword(slot->bus, +- PCI_DEVFN(slot->device, +- func->function), +- PCI_VENDOR_ID, &dvid); +- if (dvid != 0xffffffff) { ++ if (pci_bus_read_dev_vendor_id(slot->bus, ++ PCI_DEVFN(slot->device, func->function), ++ &dvid, 0)) { + sta = ACPI_STA_ALL; + break; + } + } + } + ++ if (!sta) { ++ /* ++ * Check for the slot itself since it may be that the ++ * ACPI slot is a device below PCIe upstream port so in ++ * that case it may not even be reachable yet. 
++ */
++ if (pci_bus_read_dev_vendor_id(slot->bus,
++ PCI_DEVFN(slot->device, 0), &dvid, 0)) {
++ sta = ACPI_STA_ALL;
++ }
++ }
++
+ return (unsigned int)sta;
+ }
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index 4bb5262f7aee..742ca57ece8c 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct qdio_q *q, unsigned int ccq)
+ static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state,
+ int start, int count, int auto_ack)
+ {
+- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0;
++ int rc, tmp_count = count, tmp_start = start, nr = q->nr;
+ unsigned int ccq = 0;
+
+ qperf_inc(q, eqbs);
+@@ -149,14 +149,7 @@ again:
+ qperf_inc(q, eqbs_partial);
+ DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x",
+ tmp_count);
+- /*
+- * Retry once, if that fails bail out and process the
+- * extracted buffers before trying again.
+- */
+- if (!retried++)
+- goto again;
+- else
+- return count - tmp_count;
++ return count - tmp_count;
+ }
+
+ DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
+@@ -212,7 +205,10 @@ again:
+ return 0;
+ }
+
+-/* returns number of examined buffers and their common state in *state */
++/*
++ * Returns number of examined buffers and their common state in *state.
++ * Requested number of buffers-to-examine must be > 0.
++ */
+ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
+ unsigned char *state, unsigned int count,
+ int auto_ack, int merge_pending)
+@@ -223,17 +219,23 @@ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
+ if (is_qebsm(q))
+ return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
+
+- for (i = 0; i < count; i++) {
+- if (!__state) {
+- __state = q->slsb.val[bufnr];
+- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
+- __state = SLSB_P_OUTPUT_EMPTY;
+- } else if (merge_pending) {
+- if ((q->slsb.val[bufnr] & __state) != __state)
+- break;
+- } else if (q->slsb.val[bufnr] != __state)
+- break;
++ /* get initial state: */
++ __state = q->slsb.val[bufnr];
++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
++ __state = SLSB_P_OUTPUT_EMPTY;
++
++ for (i = 1; i < count; i++) {
+ bufnr = next_buf(bufnr);
++
++ /* merge PENDING into EMPTY: */
++ if (merge_pending &&
++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING &&
++ __state == SLSB_P_OUTPUT_EMPTY)
++ continue;
++
++ /* stop if next state differs from initial state: */
++ if (q->slsb.val[bufnr] != __state)
++ break;
+ }
+ *state = __state;
+ return i;
+diff --git a/drivers/thermal/imx_thermal.c b/drivers/thermal/imx_thermal.c
+index c5547bd711db..6a8300108148 100644
+--- a/drivers/thermal/imx_thermal.c
++++ b/drivers/thermal/imx_thermal.c
+@@ -589,6 +589,9 @@ static int imx_thermal_probe(struct platform_device *pdev)
+ regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN);
+ regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+
++ data->irq_enabled = true;
++ data->mode = THERMAL_DEVICE_ENABLED;
++
+ ret = devm_request_threaded_irq(&pdev->dev, data->irq,
+ imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread,
+ 0, "imx_thermal", data);
+@@ -600,9 +603,6 @@ static int imx_thermal_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- data->irq_enabled = true;
+- data->mode = THERMAL_DEVICE_ENABLED;
+-
+ return 0;
+ }
+
+diff --git
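Review bot: The requirement added to the comment above get_buf_states(), that the requested count must be > 0, is documented but not enforced: on the non-QEBSM path the rewritten code reads `q->slsb.val[bufnr]` unconditionally and the loop now starts at `i = 1`, so a call with count == 0 would report one examined buffer instead of none. If no caller can pass 0 this is harmless, but the callers are outside this hunk, so a cheap guard after the is_qebsm() branch such as `if (WARN_ON_ONCE(!count)) return 0;` would turn a silent miscount into a visible one. That early return would leave `*state` unwritten, which callers would have to tolerate, so the alternative is to keep the code as is and state in the comment what is returned for a zero count. The declarations of `i` and `__state` lie outside the hunk.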
a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
+index 20a41f7de76f..6713fd1958e7 100644
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_ops = {
+ * we just disable hotplug, the
+ * pci-tunnels stay alive.
+ */
++ .thaw_noirq = nhi_resume_noirq,
+ .restore_noirq = nhi_resume_noirq,
+ };
+
+diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
+index 41dda25da049..190e5dc15738 100644
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -2238,6 +2238,12 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
+ }
+ if (tty_hung_up_p(file))
+ break;
++ /*
++ * Abort readers for ttys which never actually
++ * get hung up. See __tty_hangup().
++ */
++ if (test_bit(TTY_HUPPING, &tty->flags))
++ break;
+ if (!timeout)
+ break;
+ if (file->f_flags & O_NONBLOCK) {
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index a638c1738547..89fd20382ce4 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -702,6 +702,14 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
+ return;
+ }
+
++ /*
++ * Some console devices aren't actually hung up for technical and
++ * historical reasons, which can lead to indefinite interruptible
++ * sleep in n_tty_read(). The following explicitly tells
++ * n_tty_read() to abort readers.
++ */
++ set_bit(TTY_HUPPING, &tty->flags);
++
+ /* inuse_filps is protected by the single tty lock,
+ this really needs to change if we want to flush the
+ workqueue with the lock held */
+@@ -757,6 +765,7 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
+ * can't yet guarantee all that.
+ */
+ set_bit(TTY_HUPPED, &tty->flags);
++ clear_bit(TTY_HUPPING, &tty->flags);
+ tty_unlock(tty);
+
+ if (f)
+diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c
+index 358ca8dd784f..a5240b4d7ab9 100644
+--- a/drivers/usb/core/generic.c
++++ b/drivers/usb/core/generic.c
+@@ -208,8 +208,13 @@ static int generic_suspend(struct usb_device *udev, pm_message_t msg)
+ if (!udev->parent)
+ rc = hcd_bus_suspend(udev, msg);
+
+- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */
+- else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
++ /*
++ * Non-root USB2 devices don't need to do anything for FREEZE
++ * or PRETHAW. USB3 devices don't support global suspend and
++ * needs to be selectively suspended.
++ */
++ else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
++ && (udev->speed < USB_SPEED_SUPER))
+ rc = 0;
+ else
+ rc = usb_port_suspend(udev, msg);
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index d2c0c1a8d979..68230adf2449 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -167,7 +167,7 @@ static int dwc3_pci_probe(struct pci_dev *pci,
+ ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res));
+ if (ret) {
+ dev_err(dev, "couldn't add resources to dwc3 device\n");
+- return ret;
++ goto err;
+ }
+
+ pci_set_drvdata(pci, dwc3);
+diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
+index 10d30afe4a3c..a0d1417362cd 100644
+--- a/drivers/usb/musb/musb_gadget_ep0.c
++++ b/drivers/usb/musb/musb_gadget_ep0.c
+@@ -114,15 +114,19 @@ static int service_tx_status_request(
+ }
+
+ is_in = epnum & USB_DIR_IN;
+- if (is_in) {
+- epnum &= 0x0f;
++ epnum &= 0x0f;
++ if (epnum >= MUSB_C_NUM_EPS) {
++ handled = -EINVAL;
++ break;
++ }
++
++ if (is_in)
+ ep = &musb->endpoints[epnum].ep_in;
+- } else {
++ else
+ ep = &musb->endpoints[epnum].ep_out;
+- }
+ regs = musb->endpoints[epnum].regs;
+
+- if (epnum >=
MUSB_C_NUM_EPS || !ep->desc) {
++ if (!ep->desc) {
+ handled = -EINVAL;
+ break;
+ }
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index fe2b470d7ec6..c55c632a3b24 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -752,6 +752,62 @@ static int __init init_pci_cap_pcix_perm(struct perm_bits *perm)
+ return 0;
+ }
+
++static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
++ int count, struct perm_bits *perm,
++ int offset, __le32 val)
++{
++ __le16 *ctrl = (__le16 *)(vdev->vconfig + pos -
++ offset + PCI_EXP_DEVCTL);
++ int readrq = le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ;
++
++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
++ if (count < 0)
++ return count;
++
++ /*
++ * The FLR bit is virtualized, if set and the device supports PCIe
++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
++ * requires it to be always read as zero. NB, reset_function might
++ * not use a PCIe FLR, we don't have that level of granularity.
++ */
++ if (*ctrl & cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR)) {
++ u32 cap;
++ int ret;
++
++ *ctrl &= ~cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR);
++
++ ret = pci_user_read_config_dword(vdev->pdev,
++ pos - offset + PCI_EXP_DEVCAP,
++ &cap);
++
++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
++ pci_try_reset_function(vdev->pdev);
++ }
++
++ /*
++ * MPS is virtualized to the user, writes do not change the physical
++ * register since determining a proper MPS value requires a system wide
++ * device view. The MRRS is largely independent of MPS, but since the
++ * user does not have that system-wide view, they might set a safe, but
++ * inefficiently low value. Here we allow writes through to hardware,
++ * but we set the floor to the physical device MPS setting, so that
++ * we can at least use full TLPs, as defined by the MPS value.
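Review bot: The endpoint mask in service_tx_status_request() is still the bare literal `0x0f`; `epnum &= USB_ENDPOINT_NUMBER_MASK;` would say what the masking does, in the same vocabulary as the `USB_DIR_IN` test on the line above it. Since the point of the reordering is that `epnum` is range-checked before `musb->endpoints[epnum]` is touched, a short comment such as `/* validate epnum before indexing endpoints[] */` above the new check would keep a later edit from moving the `ep` or `regs` lookups back in front of it. Where `epnum` is assigned is outside the hunk, so its origin in the control request is inferred rather than visible, and the function begins and ends outside the hunk.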
++ *
++ * NB, if any devices actually depend on an artificially low MRRS
++ * setting, this will need to be revisited, perhaps with a quirk
++ * though pcie_set_readrq().
++ */
++ if (readrq != (le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ)) {
++ readrq = 128 <<
++ ((le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ) >> 12);
++ readrq = max(readrq, pcie_get_mps(vdev->pdev));
++
++ pcie_set_readrq(vdev->pdev, readrq);
++ }
++
++ return count;
++}
++
+ /* Permissions for PCI Express capability */
+ static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
+ {
+@@ -759,26 +815,67 @@ static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
+ if (alloc_perm_bits(perm, PCI_CAP_EXP_ENDPOINT_SIZEOF_V2))
+ return -ENOMEM;
+
++ perm->writefn = vfio_exp_config_write;
++
+ p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
+
+ /*
+- * Allow writes to device control fields (includes FLR!)
+- * but not to devctl_phantom which could confuse IOMMU
+- * or to the ARI bit in devctl2 which is set at probe time
++ * Allow writes to device control fields, except devctl_phantom,
++ * which could confuse IOMMU, MPS, which can break communication
++ * with other physical devices, and the ARI bit in devctl2, which
++ * is set at probe time. FLR and MRRS get virtualized via our
++ * writefn.
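Review bot: In vfio_exp_config_write() the results of `pci_try_reset_function(vdev->pdev)` and `pcie_set_readrq(vdev->pdev, readrq)` are discarded, so a user write that requests FLR or a new MRRS still ends in `return count` when the reset could not be taken or the value was refused, and the virtual config space can then disagree with the device. If ignoring the failure is intended, say so next to each call, e.g. `/* best effort: the FLR bit reads back as zero whether or not the reset ran */`; otherwise the MRRS branch could restore the previous READRQ bits in `*ctrl` when pcie_set_readrq() fails. The shift `128 << (... >> 12)` also takes the raw three-bit field written by the user, so reserved encodings presumably rely on pcie_set_readrq() rejecting them, which is a further reason to look at its return value. The same unchecked `pci_try_reset_function()` call appears in vfio_af_config_write() in the next hunk.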
+ */
+- p_setw(perm, PCI_EXP_DEVCTL, NO_VIRT, ~PCI_EXP_DEVCTL_PHANTOM);
++ p_setw(perm, PCI_EXP_DEVCTL,
++ PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_PAYLOAD |
++ PCI_EXP_DEVCTL_READRQ, ~PCI_EXP_DEVCTL_PHANTOM);
+ p_setw(perm, PCI_EXP_DEVCTL2, NO_VIRT, ~PCI_EXP_DEVCTL2_ARI);
+ return 0;
+ }
+
++static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
++ int count, struct perm_bits *perm,
++ int offset, __le32 val)
++{
++ u8 *ctrl = vdev->vconfig + pos - offset + PCI_AF_CTRL;
++
++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
++ if (count < 0)
++ return count;
++
++ /*
++ * The FLR bit is virtualized, if set and the device supports AF
++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
++ * requires it to be always read as zero. NB, reset_function might
++ * not use an AF FLR, we don't have that level of granularity.
++ */
++ if (*ctrl & PCI_AF_CTRL_FLR) {
++ u8 cap;
++ int ret;
++
++ *ctrl &= ~PCI_AF_CTRL_FLR;
++
++ ret = pci_user_read_config_byte(vdev->pdev,
++ pos - offset + PCI_AF_CAP,
++ &cap);
++
++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
++ pci_try_reset_function(vdev->pdev);
++ }
++
++ return count;
++}
++
+ /* Permissions for Advanced Function capability */
+ static int __init init_pci_cap_af_perm(struct perm_bits *perm)
+ {
+ if (alloc_perm_bits(perm, pci_cap_length[PCI_CAP_ID_AF]))
+ return -ENOMEM;
+
++ perm->writefn = vfio_af_config_write;
++
+ p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
+- p_setb(perm, PCI_AF_CTRL, NO_VIRT, PCI_AF_CTRL_FLR);
++ p_setb(perm, PCI_AF_CTRL, PCI_AF_CTRL_FLR, PCI_AF_CTRL_FLR);
+ return 0;
+ }
+
+diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
+index 016bd9355190..aa93df5833dc 100644
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
+
+ is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0))
+ &&
(superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF)
+- & F71808FG_FLAG_WD_EN);
++ & BIT(F71808FG_FLAG_WD_EN));
+
+ superio_exit(watchdog.sioaddr);
+
+diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
+index 7a54c6a867c8..500098cdb960 100644
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inode *dir, struct dentry *dentry, umode_t m
+
+ autofs4_del_active(dentry);
+
+- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
+ if (!inode)
+ return -ENOMEM;
+ d_add(dentry, inode);
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index f97110461c19..78c51ce913db 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -242,8 +242,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
+ */
+ ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group),
+ sb->s_blocksize * 8, bh->b_data);
+- ext4_block_bitmap_csum_set(sb, block_group, gdp, bh);
+- ext4_group_desc_csum_set(sb, block_group, gdp);
+ return 0;
+ }
+
+@@ -447,6 +445,7 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ err = ext4_init_block_bitmap(sb, bh, block_group, desc);
+ set_bitmap_uptodate(bh);
+ set_buffer_uptodate(bh);
++ set_buffer_verified(bh);
+ ext4_unlock_group(sb, block_group);
+ unlock_buffer(bh);
+ if (err) {
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 5388207d2832..e10c12f59c58 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -63,44 +63,6 @@ void ext4_mark_bitmap_end(int start_bit, int end_bit, char *bitmap)
+ memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3);
+ }
+
+-/* Initializes an uninitialized inode bitmap */
+-static int ext4_init_inode_bitmap(struct super_block *sb,
+- struct buffer_head *bh,
+- ext4_group_t block_group,
+- struct ext4_group_desc *gdp)
+-{
+- struct ext4_group_info *grp;
+- struct ext4_sb_info *sbi = EXT4_SB(sb);
+- J_ASSERT_BH(bh, buffer_locked(bh));
+-
+- /* If checksum is bad mark
all blocks and inodes use to prevent
+- * allocation, essentially implementing a per-group read-only flag. */
+- if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) {
+- grp = ext4_get_group_info(sb, block_group);
+- if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
+- percpu_counter_sub(&sbi->s_freeclusters_counter,
+- grp->bb_free);
+- set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state);
+- if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) {
+- int count;
+- count = ext4_free_inodes_count(sb, gdp);
+- percpu_counter_sub(&sbi->s_freeinodes_counter,
+- count);
+- }
+- set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
+- return -EFSBADCRC;
+- }
+-
+- memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
+- ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8,
+- bh->b_data);
+- ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh,
+- EXT4_INODES_PER_GROUP(sb) / 8);
+- ext4_group_desc_csum_set(sb, block_group, gdp);
+-
+- return 0;
+-}
+-
+ void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate)
+ {
+ if (uptodate) {
+@@ -184,17 +146,14 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+
+ ext4_lock_group(sb, block_group);
+ if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
+- err = ext4_init_inode_bitmap(sb, bh, block_group, desc);
++ memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
++ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
++ sb->s_blocksize * 8, bh->b_data);
+ set_bitmap_uptodate(bh);
+ set_buffer_uptodate(bh);
+ set_buffer_verified(bh);
+ ext4_unlock_group(sb, block_group);
+ unlock_buffer(bh);
+- if (err) {
+- ext4_error(sb, "Failed to init inode bitmap for group "
+- "%u: %d", block_group, err);
+- goto out;
+- }
+ return bh;
+ }
+ ext4_unlock_group(sb, block_group);
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index dad8e7bdf0a6..3006b81c107f 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -376,7 +376,7 @@ out:
+ static int ext4_prepare_inline_data(handle_t
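Review bot: With ext4_init_inode_bitmap() removed, the EXT4_BG_INODE_UNINIT branch of ext4_read_inode_bitmap() no longer calls `ext4_group_desc_csum_verify()` before zero-filling the bitmap and marking the buffer verified, so `desc->bg_flags` as read from disk is acted on without a check in this path. If the descriptor checksum is guaranteed to have been verified earlier (for instance at mount time, which this hunk does not show), a comment above the `memset` should say so, e.g. `/* group descriptor validated earlier; bitmap is synthesised here, not read from disk */`. Without it the next reader cannot tell whether dropping the corrupt-group handling for a damaged or crafted image was deliberate. The function starts and continues outside the hunk.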
*handle, struct inode *inode,
+ unsigned int len)
+ {
+- int ret, size;
++ int ret, size, no_expand;
+ struct ext4_inode_info *ei = EXT4_I(inode);
+
+ if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
+@@ -386,15 +386,14 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
+ if (size < len)
+ return -ENOSPC;
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+
+ if (ei->i_inline_off)
+ ret = ext4_update_inline_data(handle, inode, len);
+ else
+ ret = ext4_create_inline_data(handle, inode, len);
+
+- up_write(&EXT4_I(inode)->xattr_sem);
+-
++ ext4_write_unlock_xattr(inode, &no_expand);
+ return ret;
+ }
+
+@@ -523,7 +522,7 @@ static int ext4_convert_inline_data_to_extent(struct address_space *mapping,
+ struct inode *inode,
+ unsigned flags)
+ {
+- int ret, needed_blocks;
++ int ret, needed_blocks, no_expand;
+ handle_t *handle = NULL;
+ int retries = 0, sem_held = 0;
+ struct page *page = NULL;
+@@ -563,7 +562,7 @@ retry:
+ goto out;
+ }
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+ sem_held = 1;
+ /* If some one has already done this for us, just exit.
*/
+ if (!ext4_has_inline_data(inode)) {
+@@ -599,7 +598,7 @@ retry:
+ page_cache_release(page);
+ page = NULL;
+ ext4_orphan_add(handle, inode);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ sem_held = 0;
+ ext4_journal_stop(handle);
+ handle = NULL;
+@@ -625,7 +624,7 @@ out:
+ page_cache_release(page);
+ }
+ if (sem_held)
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ if (handle)
+ ext4_journal_stop(handle);
+ brelse(iloc.bh);
+@@ -718,7 +717,7 @@ convert:
+ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ unsigned copied, struct page *page)
+ {
+- int ret;
++ int ret, no_expand;
+ void *kaddr;
+ struct ext4_iloc iloc;
+
+@@ -736,7 +735,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ goto out;
+ }
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+ BUG_ON(!ext4_has_inline_data(inode));
+
+ kaddr = kmap_atomic(page);
+@@ -746,7 +745,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ /* clear page dirty so that writepages wouldn't work for us.
*/
+ ClearPageDirty(page);
+
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ brelse(iloc.bh);
+ out:
+ return copied;
+@@ -757,7 +756,7 @@ ext4_journalled_write_inline_data(struct inode *inode,
+ unsigned len,
+ struct page *page)
+ {
+- int ret;
++ int ret, no_expand;
+ void *kaddr;
+ struct ext4_iloc iloc;
+
+@@ -767,11 +766,11 @@ ext4_journalled_write_inline_data(struct inode *inode,
+ return NULL;
+ }
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+ kaddr = kmap_atomic(page);
+ ext4_write_inline_data(inode, &iloc, kaddr, 0, len);
+ kunmap_atomic(kaddr);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+
+ return iloc.bh;
+ }
+@@ -1255,7 +1254,7 @@ out:
+ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
+ struct dentry *dentry, struct inode *inode)
+ {
+- int ret, inline_size;
++ int ret, inline_size, no_expand;
+ void *inline_start;
+ struct ext4_iloc iloc;
+ struct inode *dir = d_inode(dentry->d_parent);
+@@ -1264,7 +1263,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
+ if (ret)
+ return ret;
+
+- down_write(&EXT4_I(dir)->xattr_sem);
++ ext4_write_lock_xattr(dir, &no_expand);
+ if (!ext4_has_inline_data(dir))
+ goto out;
+
+@@ -1310,7 +1309,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
+
+ out:
+ ext4_mark_inode_dirty(handle, dir);
+- up_write(&EXT4_I(dir)->xattr_sem);
++ ext4_write_unlock_xattr(dir, &no_expand);
+ brelse(iloc.bh);
+ return ret;
+ }
+@@ -1670,7 +1669,7 @@ int ext4_delete_inline_entry(handle_t *handle,
+ struct buffer_head *bh,
+ int *has_inline_data)
+ {
+- int err, inline_size;
++ int err, inline_size, no_expand;
+ struct ext4_iloc iloc;
+ void *inline_start;
+
+@@ -1678,7 +1677,7 @@ int ext4_delete_inline_entry(handle_t *handle,
+ if (err)
+ return err;
+
+- down_write(&EXT4_I(dir)->xattr_sem);
++ ext4_write_lock_xattr(dir,
&no_expand);
+ if (!ext4_has_inline_data(dir)) {
+ *has_inline_data = 0;
+ goto out;
+@@ -1713,7 +1712,7 @@ int ext4_delete_inline_entry(handle_t *handle,
+
+ ext4_show_inline_dir(dir, iloc.bh, inline_start, inline_size);
+ out:
+- up_write(&EXT4_I(dir)->xattr_sem);
++ ext4_write_unlock_xattr(dir, &no_expand);
+ brelse(iloc.bh);
+ if (err != -ENOENT)
+ ext4_std_error(dir->i_sb, err);
+@@ -1812,11 +1811,11 @@ out:
+
+ int ext4_destroy_inline_data(handle_t *handle, struct inode *inode)
+ {
+- int ret;
++ int ret, no_expand;
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+ ret = ext4_destroy_inline_data_nolock(handle, inode);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+
+ return ret;
+ }
+@@ -1901,7 +1900,7 @@ out:
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ handle_t *handle;
+- int inline_size, value_len, needed_blocks;
++ int inline_size, value_len, needed_blocks, no_expand;
+ size_t i_size;
+ void *value = NULL;
+ struct ext4_xattr_ibody_find is = {
+@@ -1918,7 +1917,7 @@ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ if (IS_ERR(handle))
+ return;
+
+- down_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_lock_xattr(inode, &no_expand);
+ if (!ext4_has_inline_data(inode)) {
+ *has_inline = 0;
+ ext4_journal_stop(handle);
+@@ -1976,7 +1975,7 @@ out_error:
+ up_write(&EXT4_I(inode)->i_data_sem);
+ out:
+ brelse(is.iloc.bh);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ kfree(value);
+ if (inode->i_nlink)
+ ext4_orphan_del(handle, inode);
+@@ -1992,7 +1991,7 @@ out:
+
+ int ext4_convert_inline_data(struct inode *inode)
+ {
+- int error, needed_blocks;
++ int error, needed_blocks, no_expand;
+ handle_t *handle;
+ struct ext4_iloc iloc;
+
+@@ -2014,15 +2013,10 @@ int ext4_convert_inline_data(struct inode *inode)
+ goto out_free;
+ }
+
+- down_write(&EXT4_I(inode)->xattr_sem);
+- if
(!ext4_has_inline_data(inode)) {
+- up_write(&EXT4_I(inode)->xattr_sem);
+- goto out;
+- }
+-
+- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+- up_write(&EXT4_I(inode)->xattr_sem);
+-out:
++ ext4_write_lock_xattr(inode, &no_expand);
++ if (ext4_has_inline_data(inode))
++ error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ ext4_journal_stop(handle);
+ out_free:
+ brelse(iloc.bh);
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index f0cabc8c96cb..56ce7fd0f0d0 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1515,6 +1515,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
+ BUG_ON(!PageLocked(page));
+ BUG_ON(PageWriteback(page));
+ if (invalidate) {
++ if (page_mapped(page))
++ clear_page_dirty_for_io(page);
+ block_invalidatepage(page, 0, PAGE_CACHE_SIZE);
+ ClearPageUptodate(page);
+ }
+@@ -3256,29 +3258,29 @@ static ssize_t ext4_ext_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
+ * case, we allocate an io_end structure to hook to the iocb.
+ */
+ iocb->private = NULL;
+- ext4_inode_aio_set(inode, NULL);
+- if (!is_sync_kiocb(iocb)) {
+- io_end = ext4_init_io_end(inode, GFP_NOFS);
+- if (!io_end) {
+- ret = -ENOMEM;
+- goto retake_lock;
+- }
+- /*
+- * Grab reference for DIO. Will be dropped in ext4_end_io_dio()
+- */
+- iocb->private = ext4_get_io_end(io_end);
+- /*
+- * we save the io structure for current async direct
+- * IO, so that later ext4_map_blocks() could flag the
+- * io structure whether there is a unwritten extents
+- * needs to be converted when IO is completed.
+- */
+- ext4_inode_aio_set(inode, io_end);
+- }
+-
+ if (overwrite) {
+ get_block_func = ext4_get_block_write_nolock;
+ } else {
++ ext4_inode_aio_set(inode, NULL);
++ if (!is_sync_kiocb(iocb)) {
++ io_end = ext4_init_io_end(inode, GFP_NOFS);
++ if (!io_end) {
++ ret = -ENOMEM;
++ goto retake_lock;
++ }
++ /*
++ * Grab reference for DIO.
Will be dropped in
++ * ext4_end_io_dio()
++ */
++ iocb->private = ext4_get_io_end(io_end);
++ /*
++ * we save the io structure for current async direct
++ * IO, so that later ext4_map_blocks() could flag the
++ * io structure whether there is a unwritten extents
++ * needs to be converted when IO is completed.
++ */
++ ext4_inode_aio_set(inode, io_end);
++ }
+ get_block_func = ext4_get_block_write;
+ dio_flags = DIO_LOCKING;
+ }
+@@ -4231,6 +4233,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
+ goto bad_inode;
+ raw_inode = ext4_raw_inode(&iloc);
+
++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
++ EXT4_ERROR_INODE(inode, "root inode unallocated");
++ ret = -EFSCORRUPTED;
++ goto bad_inode;
++ }
++
+ if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
+ ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
+ if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 742455292dfe..0e0438b5ddbe 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2131,6 +2131,8 @@ static int ext4_check_descriptors(struct super_block *sb,
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
++ if (!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (block_bitmap < first_block || block_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2143,6 +2145,8 @@ static int ext4_check_descriptors(struct super_block *sb,
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
++ if (!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (inode_bitmap < first_block || inode_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2155,6 +2159,8 @@ static int ext4_check_descriptors(struct super_block *sb,
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
++ if
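Review bot: Read-only mounts still proceed past a block bitmap that overlaps the superblock in ext4_check_descriptors(): the added `if (!(sb->s_flags & MS_RDONLY)) return 0;` applies only to read-write mounts, so a read-only mount logs the message and continues with a descriptor already known to be inconsistent. That may be deliberate so a damaged filesystem can still be examined, but nothing in the code says so, and every later reader of that bitmap then has to tolerate the overlap; a comment such as `/* read-only mounts may proceed so the filesystem can still be inspected */` would record the intent. The same two lines are added for the inode bitmap and the inode table in the two hunks that follow, and the note applies to them as well. The function begins and ends outside these hunks, so `return 0` being its failure result is presumed rather than visible.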
(!(sb->s_flags & MS_RDONLY))
++ return 0;
+ }
+ if (inode_table < first_block ||
+ inode_table + sbi->s_itb_per_group - 1 > last_block) {
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 8d661b3c47b6..c7cad05aed27 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1117,16 +1117,14 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
+ struct ext4_xattr_block_find bs = {
+ .s = { .not_found = -ENODATA, },
+ };
+- unsigned long no_expand;
++ int no_expand;
+ int error;
+
+ if (!name)
+ return -EINVAL;
+ if (strlen(name) > 255)
+ return -ERANGE;
+- down_write(&EXT4_I(inode)->xattr_sem);
+- no_expand = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
+- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ ext4_write_lock_xattr(inode, &no_expand);
+
+ error = ext4_reserve_inode_write(handle, inode, &is.iloc);
+ if (error)
+@@ -1187,7 +1185,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
+ ext4_xattr_update_super_block(handle, inode->i_sb);
+ inode->i_ctime = ext4_current_time(inode);
+ if (!value)
+- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ no_expand = 0;
+ error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
+ /*
+ * The bh is consumed by ext4_mark_iloc_dirty, even with
+@@ -1201,9 +1199,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
+ cleanup:
+ brelse(is.iloc.bh);
+ brelse(bs.bh);
+- if (no_expand == 0)
+- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ return error;
+ }
+
+@@ -1287,12 +1283,11 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
+ int error = 0, tried_min_extra_isize = 0;
+ int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize);
+ int isize_diff; /* How much do we need to grow i_extra_isize */
++ int no_expand;
++
++ if (ext4_write_trylock_xattr(inode, &no_expand) == 0)
++ return
0;
+
+- down_write(&EXT4_I(inode)->xattr_sem);
+- /*
+- * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty
+- */
+- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ retry:
+ isize_diff = new_extra_isize - EXT4_I(inode)->i_extra_isize;
+ if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
+@@ -1486,8 +1481,7 @@ retry:
+ }
+ brelse(bh);
+ out:
+- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+- up_write(&EXT4_I(inode)->xattr_sem);
++ ext4_write_unlock_xattr(inode, &no_expand);
+ return 0;
+
+ cleanup:
+@@ -1499,10 +1493,10 @@ cleanup:
+ kfree(bs);
+ brelse(bh);
+ /*
+- * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode
+- * size expansion failed.
++ * Inode size expansion failed; don't try again
+ */
+- up_write(&EXT4_I(inode)->xattr_sem);
++ no_expand = 1;
++ ext4_write_unlock_xattr(inode, &no_expand);
+ return error;
+ }
+
+diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
+index ddc0957760ba..c000ed398555 100644
+--- a/fs/ext4/xattr.h
++++ b/fs/ext4/xattr.h
+@@ -101,6 +101,38 @@ extern const struct xattr_handler ext4_xattr_security_handler;
+
+ #define EXT4_XATTR_NAME_ENCRYPTION_CONTEXT "c"
+
++/*
++ * The EXT4_STATE_NO_EXPAND is overloaded and used for two purposes.
++ * The first is to signal that there the inline xattrs and data are
++ * taking up so much space that we might as well not keep trying to
++ * expand it. The second is that xattr_sem is taken for writing, so
++ * we shouldn't try to recurse into the inode expansion. For this
++ * second case, we need to make sure that we take save and restore the
++ * NO_EXPAND state flag appropriately.
++ */
++static inline void ext4_write_lock_xattr(struct inode *inode, int *save)
++{
++ down_write(&EXT4_I(inode)->xattr_sem);
++ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
++}
++
++static inline int ext4_write_trylock_xattr(struct inode *inode, int *save)
++{
++ if (down_write_trylock(&EXT4_I(inode)->xattr_sem) == 0)
++ return 0;
++ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ return 1;
++}
++
++static inline void ext4_write_unlock_xattr(struct inode *inode, int *save)
++{
++ if (*save == 0)
++ ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
++ up_write(&EXT4_I(inode)->xattr_sem);
++}
++
+ extern ssize_t ext4_listxattr(struct dentry *, char *, size_t);
+
+ extern int ext4_xattr_get(struct inode *, int, const char *, void *, size_t);
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 22b30249fbcb..0fe667875852 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -747,11 +747,12 @@ int inode_congested(struct inode *inode, int cong_bits)
+ */
+ if (inode && inode_to_wb_is_valid(inode)) {
+ struct bdi_writeback *wb;
+- bool locked, congested;
++ struct wb_lock_cookie lock_cookie = {};
++ bool congested;
+
+- wb = unlocked_inode_to_wb_begin(inode, &locked);
++ wb = unlocked_inode_to_wb_begin(inode, &lock_cookie);
+ congested = wb_congested(wb, cong_bits);
+- unlocked_inode_to_wb_end(inode, locked);
++ unlocked_inode_to_wb_end(inode, &lock_cookie);
+ return congested;
+ }
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 624a57a9c4aa..4759df4eb8ce 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -914,7 +914,7 @@ out:
+ }
+
+ /*
+- * This is a variaon of __jbd2_update_log_tail which checks for validity of
++ * This is a variation of __jbd2_update_log_tail which checks for validity of
+ * provided log tail and locks j_checkpoint_mutex.
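Review bot: The three helpers added to xattr.h share one block comment, but none states its own contract: ext4_write_trylock_xattr() returns 0 without writing `*save`, so a caller that then reached ext4_write_unlock_xattr() would test an uninitialised value and release a semaphore it does not hold. A short comment on each helper would make that explicit, e.g. on the trylock `/* returns 1 with xattr_sem held and *save set; returns 0 with neither */` and on the unlock `/* must pair with a successful lock/trylock; clears NO_EXPAND only if *save == 0 */`. It is also worth recording that callers may overwrite the saved value on purpose before unlocking, as ext4_xattr_set_handle() (`no_expand = 0`) and ext4_expand_extra_isize_ea() (`no_expand = 1`) do in the xattr.c hunks of this patch.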
So it is safe against races + * with other threads updating log tail. + */ +@@ -1384,6 +1384,9 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, + journal_superblock_t *sb = journal->j_superblock; + int ret; + ++ if (is_journal_aborted(journal)) ++ return -EIO; ++ + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", + tail_block, tail_tid); +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index d86c5e3176a1..600da1a4df29 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -345,7 +345,7 @@ static void jffs2_put_super (struct super_block *sb) + static void jffs2_kill_sb(struct super_block *sb) + { + struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); +- if (!(sb->s_flags & MS_RDONLY)) ++ if (c && !(sb->s_flags & MS_RDONLY)) + jffs2_stop_garbage_collect_thread(c); + kill_mtd_super(sb); + kfree(c); +diff --git a/fs/namei.c b/fs/namei.c +index 0fcad42e4d3e..de57dd59d95f 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -219,9 +219,10 @@ getname_kernel(const char * filename) + if (len <= EMBEDDED_NAME_MAX) { + result->name = (char *)result->iname; + } else if (len <= PATH_MAX) { ++ const size_t size = offsetof(struct filename, iname[1]); + struct filename *tmp; + +- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL); ++ tmp = kmalloc(size, GFP_KERNEL); + if (unlikely(!tmp)) { + __putname(result); + return ERR_PTR(-ENOMEM); +diff --git a/fs/namespace.c b/fs/namespace.c +index ec4078d16eb7..a879560ea144 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1018,7 +1018,8 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root, + goto out_free; + } + +- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED); ++ mnt->mnt.mnt_flags = old->mnt.mnt_flags; ++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL); + /* Don't allow unprivileged users to change mount flags */ + if (flag & CL_UNPRIVILEGED) { + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME; +diff 
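Review bot: In `jbd2_journal_update_sb_log_tail()` the new `is_journal_aborted()` early return is placed ahead of `BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex))`, so the locking assertion no longer runs for callers that arrive with an aborted journal. Moving the check below the `BUG_ON` keeps the assertion unconditional, followed by `if (is_journal_aborted(journal)) return -EIO;`. The function also gains a new `-EIO` return; its callers are outside this hunk, so whether they all propagate it cannot be confirmed from here.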
--git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index e0e5f7c3c99f..8a459b179183 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, + u32 event_mask, + void *data, int data_type) + { +- __u32 marks_mask, marks_ignored_mask; ++ __u32 marks_mask = 0, marks_ignored_mask = 0; + struct path *path = data; + + pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p" +@@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, + !d_can_lookup(path->dentry)) + return false; + +- if (inode_mark && vfsmnt_mark) { +- marks_mask = (vfsmnt_mark->mask | inode_mark->mask); +- marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask); +- } else if (inode_mark) { +- /* +- * if the event is for a child and this inode doesn't care about +- * events on the child, don't send it! +- */ +- if ((event_mask & FS_EVENT_ON_CHILD) && +- !(inode_mark->mask & FS_EVENT_ON_CHILD)) +- return false; +- marks_mask = inode_mark->mask; +- marks_ignored_mask = inode_mark->ignored_mask; +- } else if (vfsmnt_mark) { +- marks_mask = vfsmnt_mark->mask; +- marks_ignored_mask = vfsmnt_mark->ignored_mask; +- } else { +- BUG(); ++ /* ++ * if the event is for a child and this inode doesn't care about ++ * events on the child, don't send it! 
++ */ ++ if (inode_mark && ++ (!(event_mask & FS_EVENT_ON_CHILD) || ++ (inode_mark->mask & FS_EVENT_ON_CHILD))) { ++ marks_mask |= inode_mark->mask; ++ marks_ignored_mask |= inode_mark->ignored_mask; ++ } ++ ++ if (vfsmnt_mark) { ++ marks_mask |= vfsmnt_mark->mask; ++ marks_ignored_mask |= vfsmnt_mark->ignored_mask; + } + + if (d_is_dir(path->dentry) && +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index a72097b625ef..00985f9db9f7 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super_block *super, + if (IS_ERR(journal->j_dev_bd)) { + result = PTR_ERR(journal->j_dev_bd); + journal->j_dev_bd = NULL; +- reiserfs_warning(super, ++ reiserfs_warning(super, "sh-457", + "journal_init_dev: Cannot open '%s': %i", + jdev_name, result); + return result; +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 1fd90c079537..0bb6de356451 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1728,8 +1728,11 @@ static void ubifs_remount_ro(struct ubifs_info *c) + + dbg_save_space_info(c); + +- for (i = 0; i < c->jhead_cnt; i++) +- ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ for (i = 0; i < c->jhead_cnt; i++) { ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ if (err) ++ ubifs_ro_mode(c, err); ++ } + + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY); + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS); +@@ -1795,8 +1798,11 @@ static void ubifs_put_super(struct super_block *sb) + int err; + + /* Synchronize write-buffers */ +- for (i = 0; i < c->jhead_cnt; i++) +- ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ for (i = 0; i < c->jhead_cnt; i++) { ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf); ++ if (err) ++ ubifs_ro_mode(c, err); ++ } + + /* + * We are being cleanly unmounted which means the +diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h +index 140c29635069..a307c37c2e6c 100644 +--- a/include/linux/backing-dev-defs.h ++++ b/include/linux/backing-dev-defs.h 
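Review bot: With the `else { BUG(); }` branch removed from `fanotify_should_send_event()`, a call with both `inode_mark` and `vfsmnt_mark` NULL now falls through with `marks_mask` and `marks_ignored_mask` left at 0 instead of stopping. The same zero-mask fall-through replaces the old early `return false` for a child event on an inode mark that lacks FS_EVENT_ON_CHILD. The outcome then depends on the mask test that follows `if (d_is_dir(path->dentry) &&`, which is outside this hunk. A short comment would make the intent explicit, for example `/* masks stay 0 when no mark applies; the event_mask test below rejects the event */`, with the wording confirmed against the rest of the function.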
+@@ -191,6 +191,11 @@ static inline void set_bdi_congested(struct backing_dev_info *bdi, int sync) + set_wb_congested(bdi->wb.congested, sync); + } + ++struct wb_lock_cookie { ++ bool locked; ++ unsigned long flags; ++}; ++ + #ifdef CONFIG_CGROUP_WRITEBACK + + /** +diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h +index 89d3de3e096b..361274ce5815 100644 +--- a/include/linux/backing-dev.h ++++ b/include/linux/backing-dev.h +@@ -366,7 +366,7 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode) + /** + * unlocked_inode_to_wb_begin - begin unlocked inode wb access transaction + * @inode: target inode +- * @lockedp: temp bool output param, to be passed to the end function ++ * @cookie: output param, to be passed to the end function + * + * The caller wants to access the wb associated with @inode but isn't + * holding inode->i_lock, mapping->tree_lock or wb->list_lock. This +@@ -374,12 +374,12 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode) + * association doesn't change until the transaction is finished with + * unlocked_inode_to_wb_end(). + * +- * The caller must call unlocked_inode_to_wb_end() with *@lockdep +- * afterwards and can't sleep during transaction. IRQ may or may not be +- * disabled on return. ++ * The caller must call unlocked_inode_to_wb_end() with *@cookie afterwards and ++ * can't sleep during the transaction. IRQs may or may not be disabled on ++ * return. + */ + static inline struct bdi_writeback * +-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp) ++unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie) + { + rcu_read_lock(); + +@@ -387,10 +387,10 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp) + * Paired with store_release in inode_switch_wb_work_fn() and + * ensures that we see the new wb if we see cleared I_WB_SWITCH. 
+ */ +- *lockedp = smp_load_acquire(&inode->i_state) & I_WB_SWITCH; ++ cookie->locked = smp_load_acquire(&inode->i_state) & I_WB_SWITCH; + +- if (unlikely(*lockedp)) +- spin_lock_irq(&inode->i_mapping->tree_lock); ++ if (unlikely(cookie->locked)) ++ spin_lock_irqsave(&inode->i_mapping->tree_lock, cookie->flags); + + /* + * Protected by either !I_WB_SWITCH + rcu_read_lock() or tree_lock. +@@ -402,12 +402,14 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp) + /** + * unlocked_inode_to_wb_end - end inode wb access transaction + * @inode: target inode +- * @locked: *@lockedp from unlocked_inode_to_wb_begin() ++ * @cookie: @cookie from unlocked_inode_to_wb_begin() + */ +-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked) ++static inline void unlocked_inode_to_wb_end(struct inode *inode, ++ struct wb_lock_cookie *cookie) + { +- if (unlikely(locked)) +- spin_unlock_irq(&inode->i_mapping->tree_lock); ++ if (unlikely(cookie->locked)) ++ spin_unlock_irqrestore(&inode->i_mapping->tree_lock, ++ cookie->flags); + + rcu_read_unlock(); + } +@@ -454,12 +456,13 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode) + } + + static inline struct bdi_writeback * +-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp) ++unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie) + { + return inode_to_wb(inode); + } + +-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked) ++static inline void unlocked_inode_to_wb_end(struct inode *inode, ++ struct wb_lock_cookie *cookie) + { + } + +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 251a1d382e23..fd86687f8119 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_device *hid, unsigned int force); + extern void hidinput_disconnect(struct hid_device *); + + int hid_set_field(struct hid_field *, unsigned, __s32); +-int hid_input_report(struct hid_device 
*, int type, u8 *, int, int); ++int hid_input_report(struct hid_device *, int type, u8 *, u32, int); + int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field); + struct hid_field *hidinput_get_led_field(struct hid_device *hid); + unsigned int hidinput_count_leds(struct hid_device *hid); +@@ -1098,13 +1098,13 @@ static inline void hid_hw_wait(struct hid_device *hdev) + * + * @report: the report we want to know the length + */ +-static inline int hid_report_len(struct hid_report *report) ++static inline u32 hid_report_len(struct hid_report *report) + { + /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ + return ((report->size - 1) >> 3) + 1 + (report->id > 0); + } + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt); + + /* HID quirks API */ +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 55f950afb60d..a100946607a5 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -225,10 +225,14 @@ extern pgprot_t protection_map[16]; + * ->fault function. The vma's ->fault is responsible for returning a bitmask + * of VM_FAULT_xxx flags that give details about how the fault was handled. + * ++ * MM layer fills up gfp_mask for page allocations but fault handler might ++ * alter it if its implementation requires a different allocation context. ++ * + * pgoff should be used in favour of virtual_address, if possible. 
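Review bot: `hid_report_len()` in include/linux/hid.h still computes `((report->size - 1) >> 3) + 1`, which is not equivalent to DIV_ROUND_UP for a report whose size is 0, despite what its comment says. If `size` is unsigned (the struct is not visible here), `size - 1` wraps and the function returns a very large length. Now that the return type is `u32`, callers that size buffers or copies from this value would see a length far larger than any real report. Using the macro the comment already names removes the corner case: `return DIV_ROUND_UP(report->size, 8) + (report->id > 0);`.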
+ */ + struct vm_fault { + unsigned int flags; /* FAULT_FLAG_xxx flags */ ++ gfp_t gfp_mask; /* gfp mask to be used for allocations */ + pgoff_t pgoff; /* Logical page offset based on vma */ + void __user *virtual_address; /* Faulting virtual address */ + +diff --git a/include/linux/tty.h b/include/linux/tty.h +index a1042afff99a..d67ceb3f5958 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -342,6 +342,7 @@ struct tty_file_private { + #define TTY_PTY_LOCK 16 /* pty private */ + #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */ + #define TTY_HUPPED 18 /* Post driver->hangup() */ ++#define TTY_HUPPING 19 /* Hangup in progress */ + #define TTY_LDISC_HALTED 22 /* Line discipline is halted */ + + #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty)) +diff --git a/include/net/slhc_vj.h b/include/net/slhc_vj.h +index 8716d5942b65..8fcf8908a694 100644 +--- a/include/net/slhc_vj.h ++++ b/include/net/slhc_vj.h +@@ -127,6 +127,7 @@ typedef __u32 int32; + */ + struct cstate { + byte_t cs_this; /* connection id number (xmit) */ ++ bool initialized; /* true if initialized */ + struct cstate *next; /* next in ring (xmit) */ + struct iphdr cs_ip; /* ip/tcp hdr from most recent packet */ + struct tcphdr cs_tcp; +diff --git a/include/sound/pcm_oss.h b/include/sound/pcm_oss.h +index 760c969d885d..12bbf8c81112 100644 +--- a/include/sound/pcm_oss.h ++++ b/include/sound/pcm_oss.h +@@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime { + char *buffer; /* vmallocated period */ + size_t buffer_used; /* used length from period buffer */ + struct mutex params_lock; ++ atomic_t rw_ref; /* concurrent read/write accesses */ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + struct snd_pcm_plugin *plugin_first; + struct snd_pcm_plugin *plugin_last; +diff --git a/ipc/shm.c b/ipc/shm.c +index 4982a4e7f009..a492dd81cf56 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -198,6 +198,12 @@ static int __shm_open(struct vm_area_struct *vma) + if (IS_ERR(shp)) + return PTR_ERR(shp); + ++ if 
(shp->shm_file != sfd->file) { ++ /* ID was reused */ ++ shm_unlock(shp); ++ return -EINVAL; ++ } ++ + shp->shm_atim = get_seconds(); + shp->shm_lprid = task_tgid_vnr(current); + shp->shm_nattch++; +@@ -414,8 +420,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma) + int ret; + + /* +- * In case of remap_file_pages() emulation, the file can represent +- * removed IPC ID: propogate shm_lock() error to caller. ++ * In case of remap_file_pages() emulation, the file can represent an ++ * IPC ID that was removed, and possibly even reused by another shm ++ * segment already. Propagate this case as an error to caller. + */ + ret =__shm_open(vma); + if (ret) +@@ -439,6 +446,7 @@ static int shm_release(struct inode *ino, struct file *file) + struct shm_file_data *sfd = shm_file_data(file); + + put_ipc_ns(sfd->ns); ++ fput(sfd->file); + shm_file_data(file) = NULL; + kfree(sfd); + return 0; +@@ -1198,7 +1206,16 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, + file->f_mapping = shp->shm_file->f_mapping; + sfd->id = shp->shm_perm.id; + sfd->ns = get_ipc_ns(ns); +- sfd->file = shp->shm_file; ++ /* ++ * We need to take a reference to the real shm file to prevent the ++ * pointer from becoming stale in cases where the lifetime of the outer ++ * file extends beyond that of the shm segment. It's not usually ++ * possible, but it can happen during remap_file_pages() emulation as ++ * that unmaps the memory, then does ->mmap() via file reference only. ++ * We'll deny the ->mmap() if the shm segment was since removed, but to ++ * detect shm ID reuse we need to compare the file pointers. 
++ */ ++ sfd->file = get_file(shp->shm_file); + sfd->vm_ops = NULL; + + err = security_mmap_file(file, prot, flags); +diff --git a/kernel/resource.c b/kernel/resource.c +index a4a94e700fb9..41718cd8cab5 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -611,7 +611,8 @@ static int __find_resource(struct resource *root, struct resource *old, + alloc.start = constraint->alignf(constraint->alignf_data, &avail, + size, constraint->align); + alloc.end = alloc.start + size - 1; +- if (resource_contains(&avail, &alloc)) { ++ if (alloc.start <= alloc.end && ++ resource_contains(&avail, &alloc)) { + new->start = alloc.start; + new->end = alloc.end; + return 0; +diff --git a/mm/filemap.c b/mm/filemap.c +index 69f75c77c098..b15f1d8bba43 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -571,7 +571,7 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask) + VM_BUG_ON_PAGE(!PageLocked(new), new); + VM_BUG_ON_PAGE(new->mapping, new); + +- error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM); ++ error = radix_tree_preload(gfp_mask & GFP_RECLAIM_MASK); + if (!error) { + struct address_space *mapping = old->mapping; + void (*freepage)(struct page *); +@@ -630,7 +630,7 @@ static int __add_to_page_cache_locked(struct page *page, + return error; + } + +- error = radix_tree_maybe_preload(gfp_mask & ~__GFP_HIGHMEM); ++ error = radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK); + if (error) { + if (!huge) + mem_cgroup_cancel_charge(page, memcg); +@@ -1192,8 +1192,7 @@ no_page: + if (fgp_flags & FGP_ACCESSED) + __SetPageReferenced(page); + +- err = add_to_page_cache_lru(page, mapping, offset, +- gfp_mask & GFP_RECLAIM_MASK); ++ err = add_to_page_cache_lru(page, mapping, offset, gfp_mask); + if (unlikely(err)) { + page_cache_release(page); + page = NULL; +@@ -1827,19 +1826,18 @@ EXPORT_SYMBOL(generic_file_read_iter); + * This adds the requested page to the page cache if it isn't already there, + * and schedules an I/O to read in its contents from 
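Review bot: The reference taken by `sfd->file = get_file(shp->shm_file)` in `do_shmat()` is released only by the `fput(sfd->file)` added to `shm_release()`, and neither site says so. A one-line comment at the release, `/* drops the reference taken in do_shmat() */`, would make the pairing explicit. The error exits of `do_shmat()` after this assignment are outside the hunk; they need to reach `shm_release()` or an explicit `fput` for the count to balance, which cannot be confirmed from here. The pointer comparison added to `__shm_open()` is only meaningful because this reference keeps the old file from being freed and its address reused.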
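Review bot: The new `alloc.start <= alloc.end` test in `__find_resource()` (kernel/resource.c) has no comment, and its purpose is not obvious from the condition alone. `alloc.end` is computed as `alloc.start + size - 1` on the line above, so the test rejects a candidate whose end wrapped around before `resource_contains()` is consulted. I would add `/* reject a range whose end wrapped around */` above the `if`.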
disk. + */ +-static int page_cache_read(struct file *file, pgoff_t offset) ++static int page_cache_read(struct file *file, pgoff_t offset, gfp_t gfp_mask) + { + struct address_space *mapping = file->f_mapping; + struct page *page; + int ret; + + do { +- page = page_cache_alloc_cold(mapping); ++ page = __page_cache_alloc(gfp_mask|__GFP_COLD); + if (!page) + return -ENOMEM; + +- ret = add_to_page_cache_lru(page, mapping, offset, +- mapping_gfp_constraint(mapping, GFP_KERNEL)); ++ ret = add_to_page_cache_lru(page, mapping, offset, gfp_mask); + if (ret == 0) + ret = mapping->a_ops->readpage(file, page); + else if (ret == -EEXIST) +@@ -2020,7 +2018,7 @@ no_cached_page: + * We're only likely to ever get here if MADV_RANDOM is in + * effect. + */ +- error = page_cache_read(file, offset); ++ error = page_cache_read(file, offset, vmf->gfp_mask); + + /* + * The page we want has now been added to the page cache. +diff --git a/mm/memory.c b/mm/memory.c +index 31ca97f7ebbc..177cb7d111a9 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1990,6 +1990,20 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo + copy_user_highpage(dst, src, va, vma); + } + ++static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma) ++{ ++ struct file *vm_file = vma->vm_file; ++ ++ if (vm_file) ++ return mapping_gfp_mask(vm_file->f_mapping) | __GFP_FS | __GFP_IO; ++ ++ /* ++ * Special mappings (e.g. VDSO) do not have any file so fake ++ * a default GFP_KERNEL for them. ++ */ ++ return GFP_KERNEL; ++} ++ + /* + * Notify the address space that the page is about to become writable so that + * it can prohibit this or wait for the page to get into an appropriate state. 
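Review bot: `__get_fault_gfp_mask()` in mm/memory.c ORs `__GFP_FS | __GFP_IO` onto `mapping_gfp_mask(vm_file->f_mapping)` without explaining why it is safe to override a mapping that cleared those bits. A mapping typically drops them to avoid recursing into the filesystem or block layer during reclaim, so the helper should state the assumption it makes about the fault path. Something like `/* fault path holds no fs/io locks, so reclaim may enter FS and IO */` would do, once the author confirms it. The comment added to `struct vm_fault` says a fault handler may alter `gfp_mask`; handlers with stricter needs would have to clear the bits again themselves.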
+@@ -2005,6 +2019,7 @@ static int do_page_mkwrite(struct vm_area_struct *vma, struct page *page, + vmf.virtual_address = (void __user *)(address & PAGE_MASK); + vmf.pgoff = page->index; + vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE; ++ vmf.gfp_mask = __get_fault_gfp_mask(vma); + vmf.page = page; + vmf.cow_page = NULL; + +@@ -2770,6 +2785,7 @@ static int __do_fault(struct vm_area_struct *vma, unsigned long address, + vmf.pgoff = pgoff; + vmf.flags = flags; + vmf.page = NULL; ++ vmf.gfp_mask = __get_fault_gfp_mask(vma); + vmf.cow_page = cow_page; + + ret = vma->vm_ops->fault(vma, &vmf); +@@ -2936,6 +2952,7 @@ static void do_fault_around(struct vm_area_struct *vma, unsigned long address, + vmf.pgoff = pgoff; + vmf.max_pgoff = max_pgoff; + vmf.flags = flags; ++ vmf.gfp_mask = __get_fault_gfp_mask(vma); + vma->vm_ops->map_pages(vma, &vmf); + } + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index 6d0dbde4503b..3309dbda7ffa 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -2510,13 +2510,13 @@ void account_page_redirty(struct page *page) + if (mapping && mapping_cap_account_dirty(mapping)) { + struct inode *inode = mapping->host; + struct bdi_writeback *wb; +- bool locked; ++ struct wb_lock_cookie cookie = {}; + +- wb = unlocked_inode_to_wb_begin(inode, &locked); ++ wb = unlocked_inode_to_wb_begin(inode, &cookie); + current->nr_dirtied--; + dec_zone_page_state(page, NR_DIRTIED); + dec_wb_stat(wb, WB_DIRTIED); +- unlocked_inode_to_wb_end(inode, locked); ++ unlocked_inode_to_wb_end(inode, &cookie); + } + } + EXPORT_SYMBOL(account_page_redirty); +@@ -2622,15 +2622,15 @@ void cancel_dirty_page(struct page *page) + struct inode *inode = mapping->host; + struct bdi_writeback *wb; + struct mem_cgroup *memcg; +- bool locked; ++ struct wb_lock_cookie cookie = {}; + + memcg = mem_cgroup_begin_page_stat(page); +- wb = unlocked_inode_to_wb_begin(inode, &locked); ++ wb = unlocked_inode_to_wb_begin(inode, &cookie); + + if (TestClearPageDirty(page)) + 
account_page_cleaned(page, mapping, memcg, wb); + +- unlocked_inode_to_wb_end(inode, locked); ++ unlocked_inode_to_wb_end(inode, &cookie); + mem_cgroup_end_page_stat(memcg); + } else { + ClearPageDirty(page); +@@ -2663,7 +2663,7 @@ int clear_page_dirty_for_io(struct page *page) + struct inode *inode = mapping->host; + struct bdi_writeback *wb; + struct mem_cgroup *memcg; +- bool locked; ++ struct wb_lock_cookie cookie = {}; + + /* + * Yes, Virginia, this is indeed insane. +@@ -2701,14 +2701,14 @@ int clear_page_dirty_for_io(struct page *page) + * exclusion. + */ + memcg = mem_cgroup_begin_page_stat(page); +- wb = unlocked_inode_to_wb_begin(inode, &locked); ++ wb = unlocked_inode_to_wb_begin(inode, &cookie); + if (TestClearPageDirty(page)) { + mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_DIRTY); + dec_zone_page_state(page, NR_FILE_DIRTY); + dec_wb_stat(wb, WB_RECLAIMABLE); + ret = 1; + } +- unlocked_inode_to_wb_end(inode, locked); ++ unlocked_inode_to_wb_end(inode, &cookie); + mem_cgroup_end_page_stat(memcg); + return ret; + } +diff --git a/mm/slab.c b/mm/slab.c +index 4765c97ce690..fa49c01225a7 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -3915,7 +3915,8 @@ next: + next_reap_node(); + out: + /* Set up the next iteration */ +- schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_AC)); ++ schedule_delayed_work_on(smp_processor_id(), work, ++ round_jiffies_relative(REAPTIMEOUT_AC)); + } + + #ifdef CONFIG_SLABINFO +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index d81186d34558..9103dd15511c 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry) + struct dentry *clnt_dir = pipe_dentry->d_parent; + struct dentry *gssd_dir = clnt_dir->d_parent; + ++ dget(pipe_dentry); + __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry); + __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1); + __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1); +diff --git 
a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 6cd8aec146f2..07feb35f1935 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -833,8 +833,25 @@ static int choose_rate(struct snd_pcm_substream *substream, + return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); + } + +-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, +- bool trylock) ++/* parameter locking: returns immediately if tried during streaming */ ++static int lock_params(struct snd_pcm_runtime *runtime) ++{ ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ if (atomic_read(&runtime->oss.rw_ref)) { ++ mutex_unlock(&runtime->oss.params_lock); ++ return -EBUSY; ++ } ++ return 0; ++} ++ ++static void unlock_params(struct snd_pcm_runtime *runtime) ++{ ++ mutex_unlock(&runtime->oss.params_lock); ++} ++ ++/* call with params_lock held */ ++static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime = substream->runtime; + struct snd_pcm_hw_params *params, *sparams; +@@ -848,12 +865,9 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + struct snd_mask sformat_mask; + struct snd_mask mask; + +- if (trylock) { +- if (!(mutex_trylock(&runtime->oss.params_lock))) +- return -EAGAIN; +- } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) +- return -EINTR; +- sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); ++ if (!runtime->oss.params) ++ return 0; ++ sw_params = kzalloc(sizeof(*sw_params), GFP_KERNEL); + params = kmalloc(sizeof(*params), GFP_KERNEL); + sparams = kmalloc(sizeof(*sparams), GFP_KERNEL); + if (!sw_params || !params || !sparams) { +@@ -991,7 +1005,6 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + goto failure; + } + +- memset(sw_params, 0, sizeof(*sw_params)); + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; + } else { +@@ -1079,6 
+1092,23 @@ failure: + kfree(sw_params); + kfree(params); + kfree(sparams); ++ return err; ++} ++ ++/* this one takes the lock by itself */ ++static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, ++ bool trylock) ++{ ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ int err; ++ ++ if (trylock) { ++ if (!(mutex_trylock(&runtime->oss.params_lock))) ++ return -EAGAIN; ++ } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ ++ err = snd_pcm_oss_change_params_locked(substream); + mutex_unlock(&runtime->oss.params_lock); + return err; + } +@@ -1107,6 +1137,10 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil + return 0; + } + ++/* call with params_lock held */ ++/* NOTE: this always call PREPARE unconditionally no matter whether ++ * runtime->oss.prepare is set or not ++ */ + static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) + { + int err; +@@ -1131,14 +1165,35 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream) + struct snd_pcm_runtime *runtime; + int err; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (runtime->oss.params) { + err = snd_pcm_oss_change_params(substream, false); + if (err < 0) + return err; + } ++ if (runtime->oss.prepare) { ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; ++ err = snd_pcm_oss_prepare(substream); ++ mutex_unlock(&runtime->oss.params_lock); ++ if (err < 0) ++ return err; ++ } ++ return 0; ++} ++ ++/* call with params_lock held */ ++static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream) ++{ ++ struct snd_pcm_runtime *runtime; ++ int err; ++ ++ runtime = substream->runtime; ++ if (runtime->oss.params) { ++ err = snd_pcm_oss_change_params_locked(substream); ++ if (err < 0) ++ return err; ++ } + if (runtime->oss.prepare) { + err = snd_pcm_oss_prepare(substream); + if (err < 0) +@@ -1367,13 +1422,15 @@ static ssize_t 
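Review bot: `snd_pcm_oss_make_ready()` no longer has the `substream == NULL` guard and dereferences `substream->runtime` immediately, so every caller must now pass a non-NULL substream. The callers are outside this hunk and should be checked. The function also takes `params_lock` twice, once inside `snd_pcm_oss_change_params()` and again around `snd_pcm_oss_prepare()`, which leaves a window in which another thread can set `oss.params` again. `snd_pcm_oss_make_ready_locked()` does both steps under one lock hold, so a comment on the unlocked variant should say why it is not simply a lock, `_locked` call, unlock wrapper.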
snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + if (atomic_read(&substream->mmap_count)) + return -ENXIO; + +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) +- return tmp; ++ atomic_inc(&runtime->oss.rw_ref); + while (bytes > 0) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + tmp = -ERESTARTSYS; + break; + } ++ tmp = snd_pcm_oss_make_ready_locked(substream); ++ if (tmp < 0) ++ goto err; + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + tmp = bytes; + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) +@@ -1429,6 +1486,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha + } + tmp = 0; + } ++ atomic_dec(&runtime->oss.rw_ref); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; + } + +@@ -1474,13 +1532,15 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + if (atomic_read(&substream->mmap_count)) + return -ENXIO; + +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) +- return tmp; ++ atomic_inc(&runtime->oss.rw_ref); + while (bytes > 0) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + tmp = -ERESTARTSYS; + break; + } ++ tmp = snd_pcm_oss_make_ready_locked(substream); ++ if (tmp < 0) ++ goto err; + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { + if (runtime->oss.buffer_used == 0) { + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); +@@ -1521,6 +1581,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use + } + tmp = 0; + } ++ atomic_dec(&runtime->oss.rw_ref); + return xfer > 0 ? 
(snd_pcm_sframes_t)xfer : tmp; + } + +@@ -1536,10 +1597,12 @@ static int snd_pcm_oss_reset(struct snd_pcm_oss_file *pcm_oss_file) + continue; + runtime = substream->runtime; + snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.prepare = 1; + runtime->oss.buffer_used = 0; + runtime->oss.prev_hw_ptr_period = 0; + runtime->oss.period_ptr = 0; ++ mutex_unlock(&runtime->oss.params_lock); + } + return 0; + } +@@ -1625,9 +1688,13 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + goto __direct; + if ((err = snd_pcm_oss_make_ready(substream)) < 0) + return err; ++ atomic_inc(&runtime->oss.rw_ref); ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) { ++ atomic_dec(&runtime->oss.rw_ref); ++ return -ERESTARTSYS; ++ } + format = snd_pcm_oss_format_from(runtime->oss.format); + width = snd_pcm_format_physical_width(format); +- mutex_lock(&runtime->oss.params_lock); + if (runtime->oss.buffer_used > 0) { + #ifdef OSS_DEBUG + pcm_dbg(substream->pcm, "sync: buffer_used\n"); +@@ -1637,10 +1704,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + runtime->oss.buffer + runtime->oss.buffer_used, + size); + err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes); +- if (err < 0) { +- mutex_unlock(&runtime->oss.params_lock); +- return err; +- } ++ if (err < 0) ++ goto unlock; + } else if (runtime->oss.period_ptr > 0) { + #ifdef OSS_DEBUG + pcm_dbg(substream->pcm, "sync: period_ptr\n"); +@@ -1650,10 +1715,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + runtime->oss.buffer, + size * 8 / width); + err = snd_pcm_oss_sync1(substream, size); +- if (err < 0) { +- mutex_unlock(&runtime->oss.params_lock); +- return err; +- } ++ if (err < 0) ++ goto unlock; + } + /* + * The ALSA's period might be a bit large than OSS one. 
+@@ -1684,7 +1747,11 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + snd_pcm_lib_writev(substream, buffers, size); + } + } ++unlock: + mutex_unlock(&runtime->oss.params_lock); ++ atomic_dec(&runtime->oss.rw_ref); ++ if (err < 0) ++ return err; + /* + * finish sync: drain the buffer + */ +@@ -1695,7 +1762,9 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + substream->f_flags = saved_f_flags; + if (err < 0) + return err; ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.prepare = 1; ++ mutex_unlock(&runtime->oss.params_lock); + } + + substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; +@@ -1706,8 +1775,10 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); + if (err < 0) + return err; ++ mutex_lock(&runtime->oss.params_lock); + runtime->oss.buffer_used = 0; + runtime->oss.prepare = 1; ++ mutex_unlock(&runtime->oss.params_lock); + } + return 0; + } +@@ -1719,6 +1790,8 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate) + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; ++ int err; ++ + if (substream == NULL) + continue; + runtime = substream->runtime; +@@ -1726,10 +1799,14 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate) + rate = 1000; + else if (rate > 192000) + rate = 192000; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.rate != rate) { + runtime->oss.params = 1; + runtime->oss.rate = rate; + } ++ unlock_params(runtime); + } + return snd_pcm_oss_get_rate(pcm_oss_file); + } +@@ -1754,13 +1831,19 @@ static int snd_pcm_oss_set_channels(struct snd_pcm_oss_file *pcm_oss_file, unsig + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; ++ int err; ++ + if 
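Review bot: `snd_pcm_oss_set_rate()` returns as soon as `lock_params()` fails for one stream, after the loop may already have stored the new rate and set `oss.params` on the other stream. `lock_params()` returns -EBUSY whenever `rw_ref` is non-zero, so a read or write in flight on one direction leaves the two directions with different settings while the caller gets an error. The same pattern is in the `snd_pcm_oss_set_channels()` and `snd_pcm_oss_set_format()` hunks. If that is intended, a comment at `lock_params()` should say the setters are not atomic across streams; otherwise both locks need to be taken before either field is written.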
(substream == NULL) + continue; + runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.channels != channels) { + runtime->oss.params = 1; + runtime->oss.channels = channels; + } ++ unlock_params(runtime); + } + return snd_pcm_oss_get_channels(pcm_oss_file); + } +@@ -1833,6 +1916,7 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file) + static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format) + { + int formats, idx; ++ int err; + + if (format != AFMT_QUERY) { + formats = snd_pcm_oss_get_formats(pcm_oss_file); +@@ -1846,10 +1930,14 @@ static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int for + if (substream == NULL) + continue; + runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; + if (runtime->oss.format != format) { + runtime->oss.params = 1; + runtime->oss.format = format; + } ++ unlock_params(runtime); + } + } + return snd_pcm_oss_get_format(pcm_oss_file); +@@ -1869,8 +1957,6 @@ static int snd_pcm_oss_set_subdivide1(struct snd_pcm_substream *substream, int s + { + struct snd_pcm_runtime *runtime; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (subdivide == 0) { + subdivide = runtime->oss.subdivision; +@@ -1894,9 +1980,17 @@ static int snd_pcm_oss_set_subdivide(struct snd_pcm_oss_file *pcm_oss_file, int + + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; ++ struct snd_pcm_runtime *runtime; ++ + if (substream == NULL) + continue; +- if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0) ++ runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; ++ err = snd_pcm_oss_set_subdivide1(substream, subdivide); ++ unlock_params(runtime); ++ if (err < 0) + return err; + } + return err; +@@ -1906,8 +2000,6 @@ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream 
*substream, unsign + { + struct snd_pcm_runtime *runtime; + +- if (substream == NULL) +- return 0; + runtime = substream->runtime; + if (runtime->oss.subdivision || runtime->oss.fragshift) + return -EINVAL; +@@ -1927,9 +2019,17 @@ static int snd_pcm_oss_set_fragment(struct snd_pcm_oss_file *pcm_oss_file, unsig + + for (idx = 1; idx >= 0; --idx) { + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; ++ struct snd_pcm_runtime *runtime; ++ + if (substream == NULL) + continue; +- if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0) ++ runtime = substream->runtime; ++ err = lock_params(runtime); ++ if (err < 0) ++ return err; ++ err = snd_pcm_oss_set_fragment1(substream, val); ++ unlock_params(runtime); ++ if (err < 0) + return err; + } + return err; +@@ -2013,6 +2113,9 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + } + if (psubstream) { + runtime = psubstream->runtime; ++ cmd = 0; ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; + if (trigger & PCM_ENABLE_OUTPUT) { + if (runtime->oss.trigger) + goto _skip1; +@@ -2030,13 +2133,19 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + cmd = SNDRV_PCM_IOCTL_DROP; + runtime->oss.prepare = 1; + } +- err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); +- if (err < 0) +- return err; +- } + _skip1: ++ mutex_unlock(&runtime->oss.params_lock); ++ if (cmd) { ++ err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); ++ if (err < 0) ++ return err; ++ } ++ } + if (csubstream) { + runtime = csubstream->runtime; ++ cmd = 0; ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) ++ return -ERESTARTSYS; + if (trigger & PCM_ENABLE_INPUT) { + if (runtime->oss.trigger) + goto _skip2; +@@ -2051,11 +2160,14 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + cmd = SNDRV_PCM_IOCTL_DROP; + runtime->oss.prepare = 1; + } +- err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); +- if (err < 
0) +- return err; +- } + _skip2: ++ mutex_unlock(&runtime->oss.params_lock); ++ if (cmd) { ++ err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); ++ if (err < 0) ++ return err; ++ } ++ } + return 0; + } + +@@ -2307,6 +2419,7 @@ static void snd_pcm_oss_init_substream(struct snd_pcm_substream *substream, + runtime->oss.maxfrags = 0; + runtime->oss.subdivision = 0; + substream->pcm_release = snd_pcm_oss_release_substream; ++ atomic_set(&runtime->oss.rw_ref, 0); + } + + static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file) +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 074363b63cc4..6bda8f6c5f84 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd_pcm_substream *substream) + snd_free_pages((void*)runtime->control, + PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control))); + kfree(runtime->hw_constraints.rules); +- kfree(runtime); ++ /* Avoid concurrent access to runtime via PCM timer interface */ ++ if (substream->timer) ++ spin_lock_irq(&substream->timer->lock); + substream->runtime = NULL; ++ if (substream->timer) ++ spin_unlock_irq(&substream->timer->lock); ++ kfree(runtime); + put_pid(substream->pid); + substream->pid = NULL; + substream->pstr->substream_opened--; +diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c +index 09a89094dcf7..4e304a24924a 100644 +--- a/sound/core/rawmidi_compat.c ++++ b/sound/core/rawmidi_compat.c +@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile, + struct snd_rawmidi_params params; + unsigned int val; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(params.stream, &src->stream) || + get_user(params.buffer_size, &src->buffer_size) || + get_user(params.avail_min, &src->avail_min) || +@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile, + 
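Review bot: In the sound/core/pcm.c hunk, `substream->runtime` is cleared under the timer lock only after the context lines above have already freed `runtime->control` and `runtime->hw_constraints.rules`. A reader that holds `substream->timer->lock` can therefore still obtain a runtime whose sub-allocations are gone. Whether any timer path touches those members is not visible here, so this may be harmless today, but moving the locked `substream->runtime = NULL;` ahead of the first free would make the ordering safe by construction. The added comment also leaves the reader side unstated; if that is the intended contract I would word it `/* timer callbacks read substream->runtime under timer->lock and must treat NULL as detached */`. snd_pcm_detach_substream begins and ends outside the hunk.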
params.no_active_sensing = val; + switch (params.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + return snd_rawmidi_output_params(rfile->output, ¶ms); + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + return snd_rawmidi_input_params(rfile->input, ¶ms); + } + return -EINVAL; +@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile, + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: +@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile, + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index fbd00821e326..3be91696ac35 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1549,7 +1549,8 @@ static void azx_check_snoop_available(struct azx *chip) + */ + u8 val; + pci_read_config_byte(chip->pci, 0x42, &val); +- if (!(val & 0x80) && chip->pci->revision == 0x30) ++ if (!(val & 0x80) && (chip->pci->revision == 0x30 || ++ chip->pci->revision == 0x20)) + snoop = false; + } + 
+diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c +index 4452fea0b118..bd4998f577a0 100644 +--- a/sound/soc/codecs/ssm2602.c ++++ b/sound/soc/codecs/ssm2602.c +@@ -54,10 +54,17 @@ struct ssm2602_priv { + * using 2 wire for device control, so we cache them instead. + * There is no point in caching the reset register + */ +-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = { +- 0x0097, 0x0097, 0x0079, 0x0079, +- 0x000a, 0x0008, 0x009f, 0x000a, +- 0x0000, 0x0000 ++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { ++ { .reg = 0x00, .def = 0x0097 }, ++ { .reg = 0x01, .def = 0x0097 }, ++ { .reg = 0x02, .def = 0x0079 }, ++ { .reg = 0x03, .def = 0x0079 }, ++ { .reg = 0x04, .def = 0x000a }, ++ { .reg = 0x05, .def = 0x0008 }, ++ { .reg = 0x06, .def = 0x009f }, ++ { .reg = 0x07, .def = 0x000a }, ++ { .reg = 0x08, .def = 0x0000 }, ++ { .reg = 0x09, .def = 0x0000 } + }; + + +@@ -618,8 +625,8 @@ const struct regmap_config ssm2602_regmap_config = { + .volatile_reg = ssm2602_register_volatile, + + .cache_type = REGCACHE_RBTREE, +- .reg_defaults_raw = ssm2602_reg, +- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg), ++ .reg_defaults = ssm2602_reg, ++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg), + }; + EXPORT_SYMBOL_GPL(ssm2602_regmap_config); + +diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c +index cebea9b7f769..6a9be1df7851 100644 +--- a/sound/usb/line6/midi.c ++++ b/sound/usb/line6/midi.c +@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_line6 *line6, unsigned char *data, + } + + usb_fill_int_urb(urb, line6->usbdev, +- usb_sndbulkpipe(line6->usbdev, ++ usb_sndintpipe(line6->usbdev, + line6->properties->ep_ctrl_w), + transfer_buffer, length, midi_sent, line6, + line6->interval); +diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c +index 6ea4fcfaab36..a767a6400c5c 100644 +--- a/tools/perf/tests/code-reading.c ++++ b/tools/perf/tests/code-reading.c +@@ -182,8 +182,6 @@ static int 
read_object_code(u64 addr, size_t len, u8 cpumode, + unsigned char buf2[BUFSZ]; + size_t ret_len; + u64 objdump_addr; +- const char *objdump_name; +- char decomp_name[KMOD_DECOMP_LEN]; + int ret; + + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr); +@@ -244,25 +242,9 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode, + state->done[state->done_cnt++] = al.map->start; + } + +- objdump_name = al.map->dso->long_name; +- if (dso__needs_decompress(al.map->dso)) { +- if (dso__decompress_kmodule_path(al.map->dso, objdump_name, +- decomp_name, +- sizeof(decomp_name)) < 0) { +- pr_debug("decompression failed\n"); +- return -1; +- } +- +- objdump_name = decomp_name; +- } +- + /* Read the object code using objdump */ + objdump_addr = map__rip_2objdump(al.map, al.addr); +- ret = read_via_objdump(objdump_name, objdump_addr, buf2, len); +- +- if (dso__needs_decompress(al.map->dso)) +- unlink(objdump_name); +- ++ ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len); + if (ret > 0) { + /* + * The kernel maps are inaccurate - assume objdump is right in +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index eeeae0629ad3..0b540b84f8b7 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1270,6 +1270,7 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder) + intel_pt_clear_tx_flags(decoder); + decoder->have_tma = false; + decoder->cbr = 0; ++ decoder->timestamp_insn_cnt = 0; + decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC; + decoder->overflow = true; + return -EOVERFLOW; +@@ -1492,6 +1493,7 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder) + case INTEL_PT_PSBEND: + intel_pt_log("ERROR: Missing TIP after FUP\n"); + decoder->pkt_state = INTEL_PT_STATE_ERR3; ++ decoder->pkt_step = 0; + return -ENOENT; + + case INTEL_PT_OVF: +@@ -2152,14 +2154,6 @@ const 
struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder) + return &decoder->state; + } + +-static bool intel_pt_at_psb(unsigned char *buf, size_t len) +-{ +- if (len < INTEL_PT_PSB_LEN) +- return false; +- return memmem(buf, INTEL_PT_PSB_LEN, INTEL_PT_PSB_STR, +- INTEL_PT_PSB_LEN); +-} +- + /** + * intel_pt_next_psb - move buffer pointer to the start of the next PSB packet. + * @buf: pointer to buffer pointer +@@ -2248,6 +2242,7 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len) + * @buf: buffer + * @len: size of buffer + * @tsc: TSC value returned ++ * @rem: returns remaining size when TSC is found + * + * Find a TSC packet in @buf and return the TSC value. This function assumes + * that @buf starts at a PSB and that PSB+ will contain TSC and so stops if a +@@ -2255,7 +2250,8 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len) + * + * Return: %true if TSC is found, false otherwise. + */ +-static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc) ++static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc, ++ size_t *rem) + { + struct intel_pt_pkt packet; + int ret; +@@ -2266,6 +2262,7 @@ static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc) + return false; + if (packet.type == INTEL_PT_TSC) { + *tsc = packet.payload; ++ *rem = len; + return true; + } + if (packet.type == INTEL_PT_PSBEND) +@@ -2316,6 +2313,8 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2) + * @len_a: size of first buffer + * @buf_b: second buffer + * @len_b: size of second buffer ++ * @consecutive: returns true if there is data in buf_b that is consecutive ++ * to buf_a + * + * If the trace contains TSC we can look at the last TSC of @buf_a and the + * first TSC of @buf_b in order to determine if the buffers overlap, and then +@@ -2328,33 +2327,41 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2) + static unsigned char *intel_pt_find_overlap_tsc(unsigned 
char *buf_a, + size_t len_a, + unsigned char *buf_b, +- size_t len_b) ++ size_t len_b, bool *consecutive) + { + uint64_t tsc_a, tsc_b; + unsigned char *p; +- size_t len; ++ size_t len, rem_a, rem_b; + + p = intel_pt_last_psb(buf_a, len_a); + if (!p) + return buf_b; /* No PSB in buf_a => no overlap */ + + len = len_a - (p - buf_a); +- if (!intel_pt_next_tsc(p, len, &tsc_a)) { ++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a)) { + /* The last PSB+ in buf_a is incomplete, so go back one more */ + len_a -= len; + p = intel_pt_last_psb(buf_a, len_a); + if (!p) + return buf_b; /* No full PSB+ => assume no overlap */ + len = len_a - (p - buf_a); +- if (!intel_pt_next_tsc(p, len, &tsc_a)) ++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a)) + return buf_b; /* No TSC in buf_a => assume no overlap */ + } + + while (1) { + /* Ignore PSB+ with no TSC */ +- if (intel_pt_next_tsc(buf_b, len_b, &tsc_b) && +- intel_pt_tsc_cmp(tsc_a, tsc_b) < 0) +- return buf_b; /* tsc_a < tsc_b => no overlap */ ++ if (intel_pt_next_tsc(buf_b, len_b, &tsc_b, &rem_b)) { ++ int cmp = intel_pt_tsc_cmp(tsc_a, tsc_b); ++ ++ /* Same TSC, so buffers are consecutive */ ++ if (!cmp && rem_b >= rem_a) { ++ *consecutive = true; ++ return buf_b + len_b - (rem_b - rem_a); ++ } ++ if (cmp < 0) ++ return buf_b; /* tsc_a < tsc_b => no overlap */ ++ } + + if (!intel_pt_step_psb(&buf_b, &len_b)) + return buf_b + len_b; /* No PSB in buf_b => no data */ +@@ -2368,6 +2375,8 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a, + * @buf_b: second buffer + * @len_b: size of second buffer + * @have_tsc: can use TSC packets to detect overlap ++ * @consecutive: returns true if there is data in buf_b that is consecutive ++ * to buf_a + * + * When trace samples or snapshots are recorded there is the possibility that + * the data overlaps. 
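Review bot: `*consecutive` is only ever assigned `true` in `intel_pt_find_overlap_tsc()` (the same-TSC branch) and is never written as `false`, so the value is meaningful only if the caller cleared it first. The added kernel-doc line does not say so, and the same applies to the `memmem()` path of `intel_pt_find_overlap()` in the `@@ -2405` hunk. The one caller shown, `intel_pt_do_fix_overlap()`, does start from `bool consecutive = false;`, so this is a documentation gap rather than a bug in the visible code. I would extend both kernel-doc entries to `@consecutive: set to true if buf_b continues buf_a; left untouched otherwise, so the caller must initialise it to false`. The loop in this hunk continues past its last line.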
Note that, for the purposes of decoding, data is only +@@ -2378,7 +2387,7 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a, + */ + unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a, + unsigned char *buf_b, size_t len_b, +- bool have_tsc) ++ bool have_tsc, bool *consecutive) + { + unsigned char *found; + +@@ -2390,7 +2399,8 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a, + return buf_b; /* No overlap */ + + if (have_tsc) { +- found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b); ++ found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b, ++ consecutive); + if (found) + return found; + } +@@ -2405,28 +2415,16 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a, + } + + /* Now len_b >= len_a */ +- if (len_b > len_a) { +- /* The leftover buffer 'b' must start at a PSB */ +- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) { +- if (!intel_pt_step_psb(&buf_a, &len_a)) +- return buf_b; /* No overlap */ +- } +- } +- + while (1) { + /* Potential overlap so check the bytes */ + found = memmem(buf_a, len_a, buf_b, len_a); +- if (found) ++ if (found) { ++ *consecutive = true; + return buf_b + len_a; ++ } + + /* Try again at next PSB in buffer 'a' */ + if (!intel_pt_step_psb(&buf_a, &len_a)) + return buf_b; /* No overlap */ +- +- /* The leftover buffer 'b' must start at a PSB */ +- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) { +- if (!intel_pt_step_psb(&buf_a, &len_a)) +- return buf_b; /* No overlap */ +- } + } + } +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h +index 02c38fec1c37..89a3eda6a318 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h +@@ -102,7 +102,7 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder); + + unsigned char *intel_pt_find_overlap(unsigned char *buf_a, 
size_t len_a, + unsigned char *buf_b, size_t len_b, +- bool have_tsc); ++ bool have_tsc, bool *consecutive); + + int intel_pt__strerror(int code, char *buf, size_t buflen); + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index 89927b5beebf..3693cb26ec66 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -125,6 +125,7 @@ struct intel_pt_queue { + bool stop; + bool step_through_buffers; + bool use_buffer_pid_tid; ++ bool sync_switch; + pid_t pid, tid; + int cpu; + int switch_state; +@@ -188,14 +189,17 @@ static void intel_pt_dump_event(struct intel_pt *pt, unsigned char *buf, + static int intel_pt_do_fix_overlap(struct intel_pt *pt, struct auxtrace_buffer *a, + struct auxtrace_buffer *b) + { ++ bool consecutive = false; + void *start; + + start = intel_pt_find_overlap(a->data, a->size, b->data, b->size, +- pt->have_tsc); ++ pt->have_tsc, &consecutive); + if (!start) + return -EINVAL; + b->use_size = b->data + b->size - start; + b->use_data = start; ++ if (b->use_size && consecutive) ++ b->consecutive = true; + return 0; + } + +@@ -849,10 +853,12 @@ static int intel_pt_setup_queue(struct intel_pt *pt, + if (pt->timeless_decoding || !pt->have_sched_switch) + ptq->use_buffer_pid_tid = true; + } ++ ++ ptq->sync_switch = pt->sync_switch; + } + + if (!ptq->on_heap && +- (!pt->sync_switch || ++ (!ptq->sync_switch || + ptq->switch_state != INTEL_PT_SS_EXPECTING_SWITCH_EVENT)) { + const struct intel_pt_state *state; + int ret; +@@ -1235,7 +1241,7 @@ static int intel_pt_sample(struct intel_pt_queue *ptq) + if (pt->synth_opts.last_branch) + intel_pt_update_last_branch_rb(ptq); + +- if (!pt->sync_switch) ++ if (!ptq->sync_switch) + return 0; + + if (intel_pt_is_switch_ip(ptq, state->to_ip)) { +@@ -1316,6 +1322,21 @@ static u64 intel_pt_switch_ip(struct intel_pt *pt, u64 *ptss_ip) + return switch_ip; + } + ++static void intel_pt_enable_sync_switch(struct intel_pt *pt) ++{ ++ unsigned int i; ++ ++ pt->sync_switch = true; ++ ++ 
for (i = 0; i < pt->queues.nr_queues; i++) { ++ struct auxtrace_queue *queue = &pt->queues.queue_array[i]; ++ struct intel_pt_queue *ptq = queue->priv; ++ ++ if (ptq) ++ ptq->sync_switch = true; ++ } ++} ++ + static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp) + { + const struct intel_pt_state *state = ptq->state; +@@ -1332,7 +1353,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp) + if (pt->switch_ip) { + intel_pt_log("switch_ip: %"PRIx64" ptss_ip: %"PRIx64"\n", + pt->switch_ip, pt->ptss_ip); +- pt->sync_switch = true; ++ intel_pt_enable_sync_switch(pt); + } + } + } +@@ -1348,9 +1369,9 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp) + if (state->err) { + if (state->err == INTEL_PT_ERR_NODATA) + return 1; +- if (pt->sync_switch && ++ if (ptq->sync_switch && + state->from_ip >= pt->kernel_start) { +- pt->sync_switch = false; ++ ptq->sync_switch = false; + intel_pt_next_tid(pt, ptq); + } + if (pt->synth_opts.errors) { +@@ -1376,7 +1397,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp) + state->timestamp, state->est_timestamp); + ptq->timestamp = state->est_timestamp; + /* Use estimated TSC in unknown switch state */ +- } else if (pt->sync_switch && ++ } else if (ptq->sync_switch && + ptq->switch_state == INTEL_PT_SS_UNKNOWN && + intel_pt_is_switch_ip(ptq, state->to_ip) && + ptq->next_tid == -1) { +@@ -1523,7 +1544,7 @@ static int intel_pt_sync_switch(struct intel_pt *pt, int cpu, pid_t tid, + return 1; + + ptq = intel_pt_cpu_to_ptq(pt, cpu); +- if (!ptq) ++ if (!ptq || !ptq->sync_switch) + return 1; + + switch (ptq->switch_state) { diff --git a/patch/kernel/mvebu-default/04-patch-4.4.129-130.patch b/patch/kernel/mvebu-default/04-patch-4.4.129-130.patch new file mode 100644 index 0000000000..ef36942126 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.129-130.patch 
@@ -0,0 +1,2698 @@ +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index f53ef1ac3122..4df6bd7d01ed 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2402,6 +2402,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + noalign [KNL,ARM] + ++ noaltinstr [S390] Disables alternative instructions patching ++ (CPU alternatives feature). ++ + noapic [SMP,APIC] Tells the kernel to not make use of any + IOAPICs that may be present in the system. + +diff --git a/Makefile b/Makefile +index 096d7e867b6c..151477d4d5e5 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 129 ++SUBLEVEL = 130 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig +index 2ee95ece0498..9bdaeb38a768 100644 +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -111,6 +111,7 @@ config S390 + select GENERIC_CLOCKEVENTS + select GENERIC_CPU_AUTOPROBE + select GENERIC_CPU_DEVICES if !SMP ++ select GENERIC_CPU_VULNERABILITIES + select GENERIC_FIND_FIRST_BIT + select GENERIC_SMP_IDLE_THREAD + select GENERIC_TIME_VSYSCALL +@@ -705,6 +706,51 @@ config SECCOMP + + If unsure, say Y. + ++config KERNEL_NOBP ++ def_bool n ++ prompt "Enable modified branch prediction for the kernel by default" ++ help ++ If this option is selected the kernel will switch to a modified ++ branch prediction mode if the firmware interface is available. ++ The modified branch prediction mode improves the behaviour in ++ regard to speculative execution. ++ ++ With the option enabled the kernel parameter "nobp=0" or "nospec" ++ can be used to run the kernel in the normal branch prediction mode. ++ ++ With the option disabled the modified branch prediction mode is ++ enabled with the "nobp=1" kernel parameter. ++ ++ If unsure, say N. 
++ ++config EXPOLINE ++ def_bool n ++ prompt "Avoid speculative indirect branches in the kernel" ++ help ++ Compile the kernel with the expoline compiler options to guard ++ against kernel-to-user data leaks by avoiding speculative indirect ++ branches. ++ Requires a compiler with -mindirect-branch=thunk support for full ++ protection. The kernel may run slower. ++ ++ If unsure, say N. ++ ++choice ++ prompt "Expoline default" ++ depends on EXPOLINE ++ default EXPOLINE_FULL ++ ++config EXPOLINE_OFF ++ bool "spectre_v2=off" ++ ++config EXPOLINE_AUTO ++ bool "spectre_v2=auto" ++ ++config EXPOLINE_FULL ++ bool "spectre_v2=on" ++ ++endchoice ++ + endmenu + + menu "Power Management" +@@ -754,6 +800,7 @@ config PFAULT + config SHARED_KERNEL + bool "VM shared kernel support" + depends on !JUMP_LABEL ++ depends on !ALTERNATIVES + help + Select this option, if you want to share the text segment of the + Linux kernel between different VM guests. This reduces memory +diff --git a/arch/s390/Makefile b/arch/s390/Makefile +index e8d4423e4f85..d924f9b6dc73 100644 +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -77,6 +77,16 @@ ifeq ($(call cc-option-yn,-mwarn-dynamicstack),y) + cflags-$(CONFIG_WARN_DYNAMIC_STACK) += -mwarn-dynamicstack + endif + ++ifdef CONFIG_EXPOLINE ++ ifeq ($(call cc-option-yn,$(CC_FLAGS_MARCH) -mindirect-branch=thunk),y) ++ CC_FLAGS_EXPOLINE := -mindirect-branch=thunk ++ CC_FLAGS_EXPOLINE += -mfunction-return=thunk ++ CC_FLAGS_EXPOLINE += -mindirect-branch-table ++ export CC_FLAGS_EXPOLINE ++ cflags-y += $(CC_FLAGS_EXPOLINE) -DCC_USING_EXPOLINE ++ endif ++endif ++ + ifdef CONFIG_FUNCTION_TRACER + # make use of hotpatch feature if the compiler supports it + cc_hotpatch := -mhotpatch=0,3 +diff --git a/arch/s390/include/asm/alternative.h b/arch/s390/include/asm/alternative.h +new file mode 100644 +index 000000000000..a72002056b54 +--- /dev/null ++++ b/arch/s390/include/asm/alternative.h +@@ -0,0 +1,149 @@ ++#ifndef _ASM_S390_ALTERNATIVE_H ++#define 
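Review bot: In the arch/s390/Makefile hunk, a compiler that rejects `-mindirect-branch=thunk` just skips the inner `ifeq`, so a kernel configured with `CONFIG_EXPOLINE=y` is built with no expoline flags and no `-DCC_USING_EXPOLINE`, and nothing in the build output shows it. The Kconfig help added in the same patch does mention that a supporting compiler is required "for full protection", but a build-time signal is much easier to audit than a help text. An `else` branch on that `ifeq` with `$(warning CONFIG_EXPOLINE is set but the compiler lacks -mindirect-branch=thunk)` would make the downgrade visible.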
_ASM_S390_ALTERNATIVE_H ++ ++#ifndef __ASSEMBLY__ ++ ++#include ++#include ++#include ++ ++struct alt_instr { ++ s32 instr_offset; /* original instruction */ ++ s32 repl_offset; /* offset to replacement instruction */ ++ u16 facility; /* facility bit set for replacement */ ++ u8 instrlen; /* length of original instruction */ ++ u8 replacementlen; /* length of new instruction */ ++} __packed; ++ ++void apply_alternative_instructions(void); ++void apply_alternatives(struct alt_instr *start, struct alt_instr *end); ++ ++/* ++ * |661: |662: |6620 |663: ++ * +-----------+---------------------+ ++ * | oldinstr | oldinstr_padding | ++ * | +----------+----------+ ++ * | | | | ++ * | | >6 bytes |6/4/2 nops| ++ * | |6 bytes jg-----------> ++ * +-----------+---------------------+ ++ * ^^ static padding ^^ ++ * ++ * .altinstr_replacement section ++ * +---------------------+-----------+ ++ * |6641: |6651: ++ * | alternative instr 1 | ++ * +-----------+---------+- - - - - -+ ++ * |6642: |6652: | ++ * | alternative instr 2 | padding ++ * +---------------------+- - - - - -+ ++ * ^ runtime ^ ++ * ++ * .altinstructions section ++ * +---------------------------------+ ++ * | alt_instr entries for each | ++ * | alternative instr | ++ * +---------------------------------+ ++ */ ++ ++#define b_altinstr(num) "664"#num ++#define e_altinstr(num) "665"#num ++ ++#define e_oldinstr_pad_end "663" ++#define oldinstr_len "662b-661b" ++#define oldinstr_total_len e_oldinstr_pad_end"b-661b" ++#define altinstr_len(num) e_altinstr(num)"b-"b_altinstr(num)"b" ++#define oldinstr_pad_len(num) \ ++ "-(((" altinstr_len(num) ")-(" oldinstr_len ")) > 0) * " \ ++ "((" altinstr_len(num) ")-(" oldinstr_len "))" ++ ++#define INSTR_LEN_SANITY_CHECK(len) \ ++ ".if " len " > 254\n" \ ++ "\t.error \"cpu alternatives does not support instructions " \ ++ "blocks > 254 bytes\"\n" \ ++ ".endif\n" \ ++ ".if (" len ") %% 2\n" \ ++ "\t.error \"cpu alternatives instructions length is odd\"\n" \ ++ ".endif\n" ++ ++#define 
OLDINSTR_PADDING(oldinstr, num) \ ++ ".if " oldinstr_pad_len(num) " > 6\n" \ ++ "\tjg " e_oldinstr_pad_end "f\n" \ ++ "6620:\n" \ ++ "\t.fill (" oldinstr_pad_len(num) " - (6620b-662b)) / 2, 2, 0x0700\n" \ ++ ".else\n" \ ++ "\t.fill " oldinstr_pad_len(num) " / 6, 6, 0xc0040000\n" \ ++ "\t.fill " oldinstr_pad_len(num) " %% 6 / 4, 4, 0x47000000\n" \ ++ "\t.fill " oldinstr_pad_len(num) " %% 6 %% 4 / 2, 2, 0x0700\n" \ ++ ".endif\n" ++ ++#define OLDINSTR(oldinstr, num) \ ++ "661:\n\t" oldinstr "\n662:\n" \ ++ OLDINSTR_PADDING(oldinstr, num) \ ++ e_oldinstr_pad_end ":\n" \ ++ INSTR_LEN_SANITY_CHECK(oldinstr_len) ++ ++#define OLDINSTR_2(oldinstr, num1, num2) \ ++ "661:\n\t" oldinstr "\n662:\n" \ ++ ".if " altinstr_len(num1) " < " altinstr_len(num2) "\n" \ ++ OLDINSTR_PADDING(oldinstr, num2) \ ++ ".else\n" \ ++ OLDINSTR_PADDING(oldinstr, num1) \ ++ ".endif\n" \ ++ e_oldinstr_pad_end ":\n" \ ++ INSTR_LEN_SANITY_CHECK(oldinstr_len) ++ ++#define ALTINSTR_ENTRY(facility, num) \ ++ "\t.long 661b - .\n" /* old instruction */ \ ++ "\t.long " b_altinstr(num)"b - .\n" /* alt instruction */ \ ++ "\t.word " __stringify(facility) "\n" /* facility bit */ \ ++ "\t.byte " oldinstr_total_len "\n" /* source len */ \ ++ "\t.byte " altinstr_len(num) "\n" /* alt instruction len */ ++ ++#define ALTINSTR_REPLACEMENT(altinstr, num) /* replacement */ \ ++ b_altinstr(num)":\n\t" altinstr "\n" e_altinstr(num) ":\n" \ ++ INSTR_LEN_SANITY_CHECK(altinstr_len(num)) ++ ++/* alternative assembly primitive: */ ++#define ALTERNATIVE(oldinstr, altinstr, facility) \ ++ ".pushsection .altinstr_replacement, \"ax\"\n" \ ++ ALTINSTR_REPLACEMENT(altinstr, 1) \ ++ ".popsection\n" \ ++ OLDINSTR(oldinstr, 1) \ ++ ".pushsection .altinstructions,\"a\"\n" \ ++ ALTINSTR_ENTRY(facility, 1) \ ++ ".popsection\n" ++ ++#define ALTERNATIVE_2(oldinstr, altinstr1, facility1, altinstr2, facility2)\ ++ ".pushsection .altinstr_replacement, \"ax\"\n" \ ++ ALTINSTR_REPLACEMENT(altinstr1, 1) \ ++ ALTINSTR_REPLACEMENT(altinstr2, 2) \ 
++ ".popsection\n" \ ++ OLDINSTR_2(oldinstr, 1, 2) \ ++ ".pushsection .altinstructions,\"a\"\n" \ ++ ALTINSTR_ENTRY(facility1, 1) \ ++ ALTINSTR_ENTRY(facility2, 2) \ ++ ".popsection\n" ++ ++/* ++ * Alternative instructions for different CPU types or capabilities. ++ * ++ * This allows to use optimized instructions even on generic binary ++ * kernels. ++ * ++ * oldinstr is padded with jump and nops at compile time if altinstr is ++ * longer. altinstr is padded with jump and nops at run-time during patching. ++ * ++ * For non barrier like inlines please define new variants ++ * without volatile and memory clobber. ++ */ ++#define alternative(oldinstr, altinstr, facility) \ ++ asm volatile(ALTERNATIVE(oldinstr, altinstr, facility) : : : "memory") ++ ++#define alternative_2(oldinstr, altinstr1, facility1, altinstr2, facility2) \ ++ asm volatile(ALTERNATIVE_2(oldinstr, altinstr1, facility1, \ ++ altinstr2, facility2) ::: "memory") ++ ++#endif /* __ASSEMBLY__ */ ++ ++#endif /* _ASM_S390_ALTERNATIVE_H */ +diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h +index d68e11e0df5e..e903b28e7358 100644 +--- a/arch/s390/include/asm/barrier.h ++++ b/arch/s390/include/asm/barrier.h +@@ -53,4 +53,28 @@ do { \ + ___p1; \ + }) + ++/** ++ * array_index_mask_nospec - generate a mask for array_idx() that is ++ * ~0UL when the bounds check succeeds and 0 otherwise ++ * @index: array element index ++ * @size: number of elements in array ++ */ ++#define array_index_mask_nospec array_index_mask_nospec ++static inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) ++{ ++ unsigned long mask; ++ ++ if (__builtin_constant_p(size) && size > 0) { ++ asm(" clgr %2,%1\n" ++ " slbgr %0,%0\n" ++ :"=d" (mask) : "d" (size-1), "d" (index) :"cc"); ++ return mask; ++ } ++ asm(" clgr %1,%2\n" ++ " slbgr %0,%0\n" ++ :"=d" (mask) : "d" (size), "d" (index) :"cc"); ++ return ~mask; ++} ++ + #endif /* __ASM_BARRIER_H */ +diff --git 
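Review bot: The kernel-doc added for `array_index_mask_nospec()` in asm/barrier.h says the mask is "for array_idx()", a name that does not occur elsewhere in the lines shown; the generic consumer is `array_index_nospec()`, and naming it would point readers at the contract this override has to honour. The body also needs a why-comment: the constant-size path compares `index` against `size-1` and returns `mask`, while the general path compares `size` against `index` and returns `~mask`, with no explanation of why two forms exist. Something like `/* constant size: borrow from index vs. size-1 is the mask itself; otherwise borrow from size vs. index is the inverted mask */` would do, with the wording checked against the `clgr`/`slbgr` semantics.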
a/arch/s390/include/asm/facility.h b/arch/s390/include/asm/facility.h +index 0aa6a7ed95a3..155fcc7bcba6 100644 +--- a/arch/s390/include/asm/facility.h ++++ b/arch/s390/include/asm/facility.h +@@ -13,6 +13,24 @@ + + #define MAX_FACILITY_BIT (256*8) /* stfle_fac_list has 256 bytes */ + ++static inline void __set_facility(unsigned long nr, void *facilities) ++{ ++ unsigned char *ptr = (unsigned char *) facilities; ++ ++ if (nr >= MAX_FACILITY_BIT) ++ return; ++ ptr[nr >> 3] |= 0x80 >> (nr & 7); ++} ++ ++static inline void __clear_facility(unsigned long nr, void *facilities) ++{ ++ unsigned char *ptr = (unsigned char *) facilities; ++ ++ if (nr >= MAX_FACILITY_BIT) ++ return; ++ ptr[nr >> 3] &= ~(0x80 >> (nr & 7)); ++} ++ + static inline int __test_facility(unsigned long nr, void *facilities) + { + unsigned char *ptr; +diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h +index e9a983f40a24..7d9c5917da2b 100644 +--- a/arch/s390/include/asm/kvm_host.h ++++ b/arch/s390/include/asm/kvm_host.h +@@ -136,7 +136,8 @@ struct kvm_s390_sie_block { + __u16 ipa; /* 0x0056 */ + __u32 ipb; /* 0x0058 */ + __u32 scaoh; /* 0x005c */ +- __u8 reserved60; /* 0x0060 */ ++#define FPF_BPBC 0x20 ++ __u8 fpf; /* 0x0060 */ + __u8 ecb; /* 0x0061 */ + __u8 ecb2; /* 0x0062 */ + #define ECB3_AES 0x04 +diff --git a/arch/s390/include/asm/lowcore.h b/arch/s390/include/asm/lowcore.h +index afe1cfebf1a4..8520c23e419b 100644 +--- a/arch/s390/include/asm/lowcore.h ++++ b/arch/s390/include/asm/lowcore.h +@@ -155,7 +155,9 @@ struct _lowcore { + /* Per cpu primary space access list */ + __u32 paste[16]; /* 0x0400 */ + +- __u8 pad_0x04c0[0x0e00-0x0440]; /* 0x0440 */ ++ /* br %r1 trampoline */ ++ __u16 br_r1_trampoline; /* 0x0440 */ ++ __u8 pad_0x0442[0x0e00-0x0442]; /* 0x0442 */ + + /* + * 0xe00 contains the address of the IPL Parameter Information +@@ -170,7 +172,8 @@ struct _lowcore { + __u8 pad_0x0e20[0x0f00-0x0e20]; /* 0x0e20 */ + + /* Extended facility list */ +- __u64 
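Review bot: The new `__set_facility()` and `__clear_facility()` bound `nr` by `MAX_FACILITY_BIT`, which the context line still defines as `(256*8)` with the comment "stfle_fac_list has 256 bytes". The lowcore.h hunk in this same patch shrinks `stfle_fac_list` to `[16]` `__u64` (128 bytes) and places `alt_stfle_fac_list[16]` directly behind it. A call on the lowcore `stfle_fac_list` with `nr` between 1024 and 2047 would pass the check and flip a bit in the alternate list instead of being rejected. No such caller is visible here, so this may be latent, but I would tie the bound to the array with `#define MAX_FACILITY_BIT (sizeof(((struct _lowcore *)0)->stfle_fac_list) * 8)`, or at the very least correct the stale comment.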
stfle_fac_list[32]; /* 0x0f00 */ ++ __u64 stfle_fac_list[16]; /* 0x0f00 */ ++ __u64 alt_stfle_fac_list[16]; /* 0x0f80 */ + __u8 pad_0x1000[0x11b0-0x1000]; /* 0x1000 */ + + /* Pointer to vector register save area */ +diff --git a/arch/s390/include/asm/nospec-branch.h b/arch/s390/include/asm/nospec-branch.h +new file mode 100644 +index 000000000000..b4bd8c41e9d3 +--- /dev/null ++++ b/arch/s390/include/asm/nospec-branch.h +@@ -0,0 +1,17 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_S390_EXPOLINE_H ++#define _ASM_S390_EXPOLINE_H ++ ++#ifndef __ASSEMBLY__ ++ ++#include ++ ++extern int nospec_disable; ++ ++void nospec_init_branches(void); ++void nospec_auto_detect(void); ++void nospec_revert(s32 *start, s32 *end); ++ ++#endif /* __ASSEMBLY__ */ ++ ++#endif /* _ASM_S390_EXPOLINE_H */ +diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h +index c61ed7890cef..f915a0f1b0fc 100644 +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -69,6 +69,7 @@ extern void s390_adjust_jiffies(void); + extern const struct seq_operations cpuinfo_op; + extern int sysctl_ieee_emulation_warnings; + extern void execve_tail(void); ++extern void __bpon(void); + + /* + * User space process size: 2GB for 31 bit, 4TB or 8PT for 64 bit. 
+@@ -315,6 +316,9 @@ extern void memcpy_absolute(void *, void *, size_t); + memcpy_absolute(&(dest), &__tmp, sizeof(__tmp)); \ + } + ++extern int s390_isolate_bp(void); ++extern int s390_isolate_bp_guest(void); ++ + #endif /* __ASSEMBLY__ */ + + #endif /* __ASM_S390_PROCESSOR_H */ +diff --git a/arch/s390/include/asm/thread_info.h b/arch/s390/include/asm/thread_info.h +index 692b9247c019..b2504163c8fa 100644 +--- a/arch/s390/include/asm/thread_info.h ++++ b/arch/s390/include/asm/thread_info.h +@@ -78,6 +78,8 @@ void arch_release_task_struct(struct task_struct *tsk); + #define TIF_SECCOMP 5 /* secure computing */ + #define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */ + #define TIF_UPROBE 7 /* breakpointed or single-stepping */ ++#define TIF_ISOLATE_BP 8 /* Run process with isolated BP */ ++#define TIF_ISOLATE_BP_GUEST 9 /* Run KVM guests with isolated BP */ + #define TIF_31BIT 16 /* 32bit process */ + #define TIF_MEMDIE 17 /* is terminating due to OOM killer */ + #define TIF_RESTORE_SIGMASK 18 /* restore signal mask in do_signal() */ +@@ -93,6 +95,8 @@ void arch_release_task_struct(struct task_struct *tsk); + #define _TIF_SECCOMP _BITUL(TIF_SECCOMP) + #define _TIF_SYSCALL_TRACEPOINT _BITUL(TIF_SYSCALL_TRACEPOINT) + #define _TIF_UPROBE _BITUL(TIF_UPROBE) ++#define _TIF_ISOLATE_BP _BITUL(TIF_ISOLATE_BP) ++#define _TIF_ISOLATE_BP_GUEST _BITUL(TIF_ISOLATE_BP_GUEST) + #define _TIF_31BIT _BITUL(TIF_31BIT) + #define _TIF_SINGLE_STEP _BITUL(TIF_SINGLE_STEP) + +diff --git a/arch/s390/include/uapi/asm/kvm.h b/arch/s390/include/uapi/asm/kvm.h +index ef1a5fcc6c66..beb508a9e72c 100644 +--- a/arch/s390/include/uapi/asm/kvm.h ++++ b/arch/s390/include/uapi/asm/kvm.h +@@ -151,6 +151,7 @@ struct kvm_guest_debug_arch { + #define KVM_SYNC_ARCH0 (1UL << 4) + #define KVM_SYNC_PFAULT (1UL << 5) + #define KVM_SYNC_VRS (1UL << 6) ++#define KVM_SYNC_BPBC (1UL << 10) + /* definition of registers in kvm_run */ + struct kvm_sync_regs { + __u64 prefix; /* prefix register */ 
+@@ -168,6 +169,8 @@ struct kvm_sync_regs { + __u64 vrs[32][2]; /* vector registers */ + __u8 reserved[512]; /* for future vector expansion */ + __u32 fpc; /* only valid with vector registers */ ++ __u8 bpbc : 1; /* bp mode */ ++ __u8 reserved2 : 7; + }; + + #define KVM_REG_S390_TODPR (KVM_REG_S390 | KVM_REG_SIZE_U32 | 0x1) +diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile +index dc167a23b920..8ccfbf22ecbb 100644 +--- a/arch/s390/kernel/Makefile ++++ b/arch/s390/kernel/Makefile +@@ -44,10 +44,13 @@ obj-y += processor.o sys_s390.o ptrace.o signal.o cpcmd.o ebcdic.o nmi.o + obj-y += debug.o irq.o ipl.o dis.o diag.o sclp.o vdso.o + obj-y += sysinfo.o jump_label.o lgr.o os_info.o machine_kexec.o pgm_check.o + obj-y += runtime_instr.o cache.o dumpstack.o +-obj-y += entry.o reipl.o relocate_kernel.o ++obj-y += entry.o reipl.o relocate_kernel.o alternative.o ++obj-y += nospec-branch.o + + extra-y += head.o head64.o vmlinux.lds + ++CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) ++ + obj-$(CONFIG_MODULES) += s390_ksyms.o module.o + obj-$(CONFIG_SMP) += smp.o + obj-$(CONFIG_SCHED_BOOK) += topology.o +diff --git a/arch/s390/kernel/alternative.c b/arch/s390/kernel/alternative.c +new file mode 100644 +index 000000000000..b57b293998dc +--- /dev/null ++++ b/arch/s390/kernel/alternative.c +@@ -0,0 +1,112 @@ ++#include ++#include ++#include ++#include ++ ++#define MAX_PATCH_LEN (255 - 1) ++ ++static int __initdata_or_module alt_instr_disabled; ++ ++static int __init disable_alternative_instructions(char *str) ++{ ++ alt_instr_disabled = 1; ++ return 0; ++} ++ ++early_param("noaltinstr", disable_alternative_instructions); ++ ++struct brcl_insn { ++ u16 opc; ++ s32 disp; ++} __packed; ++ ++static u16 __initdata_or_module nop16 = 0x0700; ++static u32 __initdata_or_module nop32 = 0x47000000; ++static struct brcl_insn __initdata_or_module nop48 = { ++ 0xc004, 0 ++}; ++ ++static const void *nops[] __initdata_or_module = { ++ &nop16, ++ &nop32, ++ &nop48 ++}; ++ 
++static void __init_or_module add_jump_padding(void *insns, unsigned int len) ++{ ++ struct brcl_insn brcl = { ++ 0xc0f4, ++ len / 2 ++ }; ++ ++ memcpy(insns, &brcl, sizeof(brcl)); ++ insns += sizeof(brcl); ++ len -= sizeof(brcl); ++ ++ while (len > 0) { ++ memcpy(insns, &nop16, 2); ++ insns += 2; ++ len -= 2; ++ } ++} ++ ++static void __init_or_module add_padding(void *insns, unsigned int len) ++{ ++ if (len > 6) ++ add_jump_padding(insns, len); ++ else if (len >= 2) ++ memcpy(insns, nops[len / 2 - 1], len); ++} ++ ++static void __init_or_module __apply_alternatives(struct alt_instr *start, ++ struct alt_instr *end) ++{ ++ struct alt_instr *a; ++ u8 *instr, *replacement; ++ u8 insnbuf[MAX_PATCH_LEN]; ++ ++ /* ++ * The scan order should be from start to end. A later scanned ++ * alternative code can overwrite previously scanned alternative code. ++ */ ++ for (a = start; a < end; a++) { ++ int insnbuf_sz = 0; ++ ++ instr = (u8 *)&a->instr_offset + a->instr_offset; ++ replacement = (u8 *)&a->repl_offset + a->repl_offset; ++ ++ if (!__test_facility(a->facility, ++ S390_lowcore.alt_stfle_fac_list)) ++ continue; ++ ++ if (unlikely(a->instrlen % 2 || a->replacementlen % 2)) { ++ WARN_ONCE(1, "cpu alternatives instructions length is " ++ "odd, skipping patching\n"); ++ continue; ++ } ++ ++ memcpy(insnbuf, replacement, a->replacementlen); ++ insnbuf_sz = a->replacementlen; ++ ++ if (a->instrlen > a->replacementlen) { ++ add_padding(insnbuf + a->replacementlen, ++ a->instrlen - a->replacementlen); ++ insnbuf_sz += a->instrlen - a->replacementlen; ++ } ++ ++ s390_kernel_write(instr, insnbuf, insnbuf_sz); ++ } ++} ++ ++void __init_or_module apply_alternatives(struct alt_instr *start, ++ struct alt_instr *end) ++{ ++ if (!alt_instr_disabled) ++ __apply_alternatives(start, end); ++} ++ ++extern struct alt_instr __alt_instructions[], __alt_instructions_end[]; ++void __init apply_alternative_instructions(void) ++{ ++ apply_alternatives(__alt_instructions, 
__alt_instructions_end); ++} +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c +index ee7b8e7ca4f8..8eccead675d4 100644 +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -279,6 +279,11 @@ static noinline __init void setup_facility_list(void) + { + stfle(S390_lowcore.stfle_fac_list, + ARRAY_SIZE(S390_lowcore.stfle_fac_list)); ++ memcpy(S390_lowcore.alt_stfle_fac_list, ++ S390_lowcore.stfle_fac_list, ++ sizeof(S390_lowcore.alt_stfle_fac_list)); ++ if (!IS_ENABLED(CONFIG_KERNEL_NOBP)) ++ __clear_facility(82, S390_lowcore.alt_stfle_fac_list); + } + + static __init void detect_diag9c(void) +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 4612ed7ec2e5..c63730326215 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -104,6 +104,7 @@ _PIF_WORK = (_PIF_PER_TRAP) + j 3f + 1: LAST_BREAK %r14 + UPDATE_VTIME %r14,%r15,\timer ++ BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP + 2: lg %r15,__LC_ASYNC_STACK # load async stack + 3: la %r11,STACK_FRAME_OVERHEAD(%r15) + .endm +@@ -162,8 +163,137 @@ _PIF_WORK = (_PIF_PER_TRAP) + tm off+\addr, \mask + .endm + ++ .macro BPOFF ++ .pushsection .altinstr_replacement, "ax" ++660: .long 0xb2e8c000 ++ .popsection ++661: .long 0x47000000 ++ .pushsection .altinstructions, "a" ++ .long 661b - . ++ .long 660b - . ++ .word 82 ++ .byte 4 ++ .byte 4 ++ .popsection ++ .endm ++ ++ .macro BPON ++ .pushsection .altinstr_replacement, "ax" ++662: .long 0xb2e8d000 ++ .popsection ++663: .long 0x47000000 ++ .pushsection .altinstructions, "a" ++ .long 663b - . ++ .long 662b - . ++ .word 82 ++ .byte 4 ++ .byte 4 ++ .popsection ++ .endm ++ ++ .macro BPENTER tif_ptr,tif_mask ++ .pushsection .altinstr_replacement, "ax" ++662: .word 0xc004, 0x0000, 0x0000 # 6 byte nop ++ .word 0xc004, 0x0000, 0x0000 # 6 byte nop ++ .popsection ++664: TSTMSK \tif_ptr,\tif_mask ++ jz . + 8 ++ .long 0xb2e8d000 ++ .pushsection .altinstructions, "a" ++ .long 664b - . ++ .long 662b - . 
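Review bot: `__apply_alternatives()` pads only when `a->instrlen > a->replacementlen` and never rejects the opposite case, so an entry whose replacement is longer than the original makes `s390_kernel_write(instr, insnbuf, insnbuf_sz)` overwrite the instructions that follow the patch site. A guard next to the odd-length check would close that, e.g. `if (WARN_ON_ONCE(a->replacementlen > a->instrlen)) continue;`. `struct alt_instr` is not declared in this hunk, so the field widths that keep `memcpy(insnbuf, replacement, a->replacementlen)` inside `insnbuf[MAX_PATCH_LEN]` cannot be confirmed here. A comment on `MAX_PATCH_LEN` saying which field width the `255 - 1` comes from would make that bound checkable.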
++ .word 82 ++ .byte 12 ++ .byte 12 ++ .popsection ++ .endm ++ ++ .macro BPEXIT tif_ptr,tif_mask ++ TSTMSK \tif_ptr,\tif_mask ++ .pushsection .altinstr_replacement, "ax" ++662: jnz . + 8 ++ .long 0xb2e8d000 ++ .popsection ++664: jz . + 8 ++ .long 0xb2e8c000 ++ .pushsection .altinstructions, "a" ++ .long 664b - . ++ .long 662b - . ++ .word 82 ++ .byte 8 ++ .byte 8 ++ .popsection ++ .endm ++ ++#ifdef CONFIG_EXPOLINE ++ ++ .macro GEN_BR_THUNK name,reg,tmp ++ .section .text.\name,"axG",@progbits,\name,comdat ++ .globl \name ++ .hidden \name ++ .type \name,@function ++\name: ++ .cfi_startproc ++#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES ++ exrl 0,0f ++#else ++ larl \tmp,0f ++ ex 0,0(\tmp) ++#endif ++ j . ++0: br \reg ++ .cfi_endproc ++ .endm ++ ++ GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 ++ GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 ++ GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 ++ ++ .macro BASR_R14_R9 ++0: brasl %r14,__s390x_indirect_jump_r1use_r9 ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 0b-. ++ .popsection ++ .endm ++ ++ .macro BR_R1USE_R14 ++0: jg __s390x_indirect_jump_r1use_r14 ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 0b-. ++ .popsection ++ .endm ++ ++ .macro BR_R11USE_R14 ++0: jg __s390x_indirect_jump_r11use_r14 ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 0b-. 
++ .popsection ++ .endm ++ ++#else /* CONFIG_EXPOLINE */ ++ ++ .macro BASR_R14_R9 ++ basr %r14,%r9 ++ .endm ++ ++ .macro BR_R1USE_R14 ++ br %r14 ++ .endm ++ ++ .macro BR_R11USE_R14 ++ br %r14 ++ .endm ++ ++#endif /* CONFIG_EXPOLINE */ ++ ++ + .section .kprobes.text, "ax" + ++ENTRY(__bpon) ++ .globl __bpon ++ BPON ++ BR_R1USE_R14 ++ + /* + * Scheduler resume function, called by switch_to + * gpr2 = (task_struct *) prev +@@ -190,9 +320,9 @@ ENTRY(__switch_to) + mvc __LC_CURRENT_PID(4,%r0),__TASK_pid(%r3) # store pid of next + lmg %r6,%r15,__SF_GPRS(%r15) # load gprs of next task + TSTMSK __LC_MACHINE_FLAGS,MACHINE_FLAG_LPP +- bzr %r14 ++ jz 0f + .insn s,0xb2800000,__LC_LPP # set program parameter +- br %r14 ++0: BR_R1USE_R14 + + .L__critical_start: + +@@ -204,9 +334,11 @@ ENTRY(__switch_to) + */ + ENTRY(sie64a) + stmg %r6,%r14,__SF_GPRS(%r15) # save kernel registers ++ lg %r12,__LC_CURRENT + stg %r2,__SF_EMPTY(%r15) # save control block pointer + stg %r3,__SF_EMPTY+8(%r15) # save guest register save area + xc __SF_EMPTY+16(8,%r15),__SF_EMPTY+16(%r15) # reason code = 0 ++ mvc __SF_EMPTY+24(8,%r15),__TI_flags(%r12) # copy thread flags + TSTMSK __LC_CPU_FLAGS,_CIF_FPU # load guest fp/vx registers ? 
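Review bot: The BPOFF, BPON, BPENTER and BPEXIT macros emit their instructions as bare words (`.long 0xb2e8c000`, `.long 0xb2e8d000`) and hard-code the facility number as `.word 82`, with no comment saying what either encodes or which state each macro leaves branch prediction in. Because these sit on every kernel entry and exit path, each macro should carry a short header comment, for example `# BPOFF: 4-byte nop (0x47000000) unless facility 82 is set in alt_stfle_fac_list, then patched to 0xb2e8c000`. The `.altinstructions` record written here (two `.long` offsets, a `.word`, two `.byte` lengths) has to match `struct alt_instr` field for field, and that struct is not visible in this patch section. A comment pointing at its definition would tie the two together. The `.byte 12` lengths in BPENTER also depend on TSTMSK expanding to exactly one 4-byte instruction, which is worth stating next to the macro.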
+ jno .Lsie_load_guest_gprs + brasl %r14,load_fpu_regs # load guest fp/vx regs +@@ -223,7 +355,11 @@ ENTRY(sie64a) + jnz .Lsie_skip + TSTMSK __LC_CPU_FLAGS,_CIF_FPU + jo .Lsie_skip # exit if fp/vx regs changed ++ BPEXIT __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) + sie 0(%r14) ++.Lsie_exit: ++ BPOFF ++ BPENTER __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) + .Lsie_skip: + ni __SIE_PROG0C+3(%r14),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce +@@ -244,9 +380,15 @@ ENTRY(sie64a) + sie_exit: + lg %r14,__SF_EMPTY+8(%r15) # load guest register save area + stmg %r0,%r13,0(%r14) # save guest gprs 0-13 ++ xgr %r0,%r0 # clear guest registers to ++ xgr %r1,%r1 # prevent speculative use ++ xgr %r2,%r2 ++ xgr %r3,%r3 ++ xgr %r4,%r4 ++ xgr %r5,%r5 + lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers + lg %r2,__SF_EMPTY+16(%r15) # return exit reason code +- br %r14 ++ BR_R1USE_R14 + .Lsie_fault: + lghi %r14,-EFAULT + stg %r14,__SF_EMPTY+16(%r15) # set exit reason code +@@ -267,6 +409,7 @@ ENTRY(system_call) + stpt __LC_SYNC_ENTER_TIMER + .Lsysc_stmg: + stmg %r8,%r15,__LC_SAVE_AREA_SYNC ++ BPOFF + lg %r10,__LC_LAST_BREAK + lg %r12,__LC_THREAD_INFO + lghi %r14,_PIF_SYSCALL +@@ -276,12 +419,15 @@ ENTRY(system_call) + LAST_BREAK %r13 + .Lsysc_vtime: + UPDATE_VTIME %r10,%r13,__LC_SYNC_ENTER_TIMER ++ BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP + stmg %r0,%r7,__PT_R0(%r11) + mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC + mvc __PT_PSW(16,%r11),__LC_SVC_OLD_PSW + mvc __PT_INT_CODE(4,%r11),__LC_SVC_ILC + stg %r14,__PT_FLAGS(%r11) + .Lsysc_do_svc: ++ # clear user controlled register to prevent speculative use ++ xgr %r0,%r0 + lg %r10,__TI_sysc_table(%r12) # address of system call table + llgh %r8,__PT_INT_CODE+2(%r11) + slag %r8,%r8,2 # shift and test for svc 0 +@@ -299,7 +445,7 @@ ENTRY(system_call) + lgf %r9,0(%r8,%r10) # get system call add. 
+ TSTMSK __TI_flags(%r12),_TIF_TRACE + jnz .Lsysc_tracesys +- basr %r14,%r9 # call sys_xxxx ++ BASR_R14_R9 # call sys_xxxx + stg %r2,__PT_R2(%r11) # store return value + + .Lsysc_return: +@@ -311,6 +457,7 @@ ENTRY(system_call) + jnz .Lsysc_work # check for work + TSTMSK __LC_CPU_FLAGS,_CIF_WORK + jnz .Lsysc_work ++ BPEXIT __TI_flags(%r12),_TIF_ISOLATE_BP + .Lsysc_restore: + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) +@@ -438,7 +585,7 @@ ENTRY(system_call) + lmg %r3,%r7,__PT_R3(%r11) + stg %r7,STACK_FRAME_OVERHEAD(%r15) + lg %r2,__PT_ORIG_GPR2(%r11) +- basr %r14,%r9 # call sys_xxx ++ BASR_R14_R9 # call sys_xxx + stg %r2,__PT_R2(%r11) # store return value + .Lsysc_tracenogo: + TSTMSK __TI_flags(%r12),_TIF_TRACE +@@ -462,7 +609,7 @@ ENTRY(ret_from_fork) + lmg %r9,%r10,__PT_R9(%r11) # load gprs + ENTRY(kernel_thread_starter) + la %r2,0(%r10) +- basr %r14,%r9 ++ BASR_R14_R9 + j .Lsysc_tracenogo + + /* +@@ -471,6 +618,7 @@ ENTRY(kernel_thread_starter) + + ENTRY(pgm_check_handler) + stpt __LC_SYNC_ENTER_TIMER ++ BPOFF + stmg %r8,%r15,__LC_SAVE_AREA_SYNC + lg %r10,__LC_LAST_BREAK + lg %r12,__LC_THREAD_INFO +@@ -495,6 +643,7 @@ ENTRY(pgm_check_handler) + j 3f + 2: LAST_BREAK %r14 + UPDATE_VTIME %r14,%r15,__LC_SYNC_ENTER_TIMER ++ BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP + lg %r15,__LC_KERNEL_STACK + lg %r14,__TI_task(%r12) + aghi %r14,__TASK_thread # pointer to thread_struct +@@ -504,6 +653,15 @@ ENTRY(pgm_check_handler) + mvc __THREAD_trap_tdb(256,%r14),0(%r13) + 3: la %r11,STACK_FRAME_OVERHEAD(%r15) + stmg %r0,%r7,__PT_R0(%r11) ++ # clear user controlled registers to prevent speculative use ++ xgr %r0,%r0 ++ xgr %r1,%r1 ++ xgr %r2,%r2 ++ xgr %r3,%r3 ++ xgr %r4,%r4 ++ xgr %r5,%r5 ++ xgr %r6,%r6 ++ xgr %r7,%r7 + mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC + stmg %r8,%r9,__PT_PSW(%r11) + mvc __PT_INT_CODE(4,%r11),__LC_PGM_ILC +@@ -525,9 +683,9 @@ ENTRY(pgm_check_handler) + nill %r10,0x007f + sll %r10,2 + je .Lpgm_return +- lgf %r1,0(%r10,%r1) # load address of 
handler routine ++ lgf %r9,0(%r10,%r1) # load address of handler routine + lgr %r2,%r11 # pass pointer to pt_regs +- basr %r14,%r1 # branch to interrupt-handler ++ BASR_R14_R9 # branch to interrupt-handler + .Lpgm_return: + LOCKDEP_SYS_EXIT + tm __PT_PSW+1(%r11),0x01 # returning to user ? +@@ -560,6 +718,7 @@ ENTRY(pgm_check_handler) + ENTRY(io_int_handler) + STCK __LC_INT_CLOCK + stpt __LC_ASYNC_ENTER_TIMER ++ BPOFF + stmg %r8,%r15,__LC_SAVE_AREA_ASYNC + lg %r10,__LC_LAST_BREAK + lg %r12,__LC_THREAD_INFO +@@ -567,6 +726,16 @@ ENTRY(io_int_handler) + lmg %r8,%r9,__LC_IO_OLD_PSW + SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_ENTER_TIMER + stmg %r0,%r7,__PT_R0(%r11) ++ # clear user controlled registers to prevent speculative use ++ xgr %r0,%r0 ++ xgr %r1,%r1 ++ xgr %r2,%r2 ++ xgr %r3,%r3 ++ xgr %r4,%r4 ++ xgr %r5,%r5 ++ xgr %r6,%r6 ++ xgr %r7,%r7 ++ xgr %r10,%r10 + mvc __PT_R8(64,%r11),__LC_SAVE_AREA_ASYNC + stmg %r8,%r9,__PT_PSW(%r11) + mvc __PT_INT_CODE(12,%r11),__LC_SUBCHANNEL_ID +@@ -601,9 +770,13 @@ ENTRY(io_int_handler) + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) + mvc __LC_RETURN_PSW(16),__PT_PSW(%r11) ++ tm __PT_PSW+1(%r11),0x01 # returning to user ? 
++ jno .Lio_exit_kernel ++ BPEXIT __TI_flags(%r12),_TIF_ISOLATE_BP + .Lio_exit_timer: + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER ++.Lio_exit_kernel: + lmg %r11,%r15,__PT_R11(%r11) + lpswe __LC_RETURN_PSW + .Lio_done: +@@ -735,6 +908,7 @@ ENTRY(io_int_handler) + ENTRY(ext_int_handler) + STCK __LC_INT_CLOCK + stpt __LC_ASYNC_ENTER_TIMER ++ BPOFF + stmg %r8,%r15,__LC_SAVE_AREA_ASYNC + lg %r10,__LC_LAST_BREAK + lg %r12,__LC_THREAD_INFO +@@ -742,6 +916,16 @@ ENTRY(ext_int_handler) + lmg %r8,%r9,__LC_EXT_OLD_PSW + SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_ENTER_TIMER + stmg %r0,%r7,__PT_R0(%r11) ++ # clear user controlled registers to prevent speculative use ++ xgr %r0,%r0 ++ xgr %r1,%r1 ++ xgr %r2,%r2 ++ xgr %r3,%r3 ++ xgr %r4,%r4 ++ xgr %r5,%r5 ++ xgr %r6,%r6 ++ xgr %r7,%r7 ++ xgr %r10,%r10 + mvc __PT_R8(64,%r11),__LC_SAVE_AREA_ASYNC + stmg %r8,%r9,__PT_PSW(%r11) + lghi %r1,__LC_EXT_PARAMS2 +@@ -773,11 +957,12 @@ ENTRY(psw_idle) + .insn rsy,0xeb0000000017,%r1,5,__SF_EMPTY+16(%r15) + .Lpsw_idle_stcctm: + #endif ++ BPON + STCK __CLOCK_IDLE_ENTER(%r2) + stpt __TIMER_IDLE_ENTER(%r2) + .Lpsw_idle_lpsw: + lpswe __SF_EMPTY(%r15) +- br %r14 ++ BR_R1USE_R14 + .Lpsw_idle_end: + + /* +@@ -791,7 +976,7 @@ ENTRY(save_fpu_regs) + lg %r2,__LC_CURRENT + aghi %r2,__TASK_thread + TSTMSK __LC_CPU_FLAGS,_CIF_FPU +- bor %r14 ++ jo .Lsave_fpu_regs_exit + stfpc __THREAD_FPU_fpc(%r2) + .Lsave_fpu_regs_fpc_end: + lg %r3,__THREAD_FPU_regs(%r2) +@@ -821,7 +1006,8 @@ ENTRY(save_fpu_regs) + std 15,120(%r3) + .Lsave_fpu_regs_done: + oi __LC_CPU_FLAGS+7,_CIF_FPU +- br %r14 ++.Lsave_fpu_regs_exit: ++ BR_R1USE_R14 + .Lsave_fpu_regs_end: + + /* +@@ -838,7 +1024,7 @@ load_fpu_regs: + lg %r4,__LC_CURRENT + aghi %r4,__TASK_thread + TSTMSK __LC_CPU_FLAGS,_CIF_FPU +- bnor %r14 ++ jno .Lload_fpu_regs_exit + lfpc __THREAD_FPU_fpc(%r4) + TSTMSK __LC_MACHINE_FLAGS,MACHINE_FLAG_VX + lg %r4,__THREAD_FPU_regs(%r4) # %r4 <- reg save area +@@ -867,7 +1053,8 @@ load_fpu_regs: + ld 
15,120(%r4) + .Lload_fpu_regs_done: + ni __LC_CPU_FLAGS+7,255-_CIF_FPU +- br %r14 ++.Lload_fpu_regs_exit: ++ BR_R1USE_R14 + .Lload_fpu_regs_end: + + .L__critical_end: +@@ -877,6 +1064,7 @@ load_fpu_regs: + */ + ENTRY(mcck_int_handler) + STCK __LC_MCCK_CLOCK ++ BPOFF + la %r1,4095 # revalidate r1 + spt __LC_CPU_TIMER_SAVE_AREA-4095(%r1) # revalidate cpu timer + lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)# revalidate gprs +@@ -908,6 +1096,16 @@ ENTRY(mcck_int_handler) + .Lmcck_skip: + lghi %r14,__LC_GPREGS_SAVE_AREA+64 + stmg %r0,%r7,__PT_R0(%r11) ++ # clear user controlled registers to prevent speculative use ++ xgr %r0,%r0 ++ xgr %r1,%r1 ++ xgr %r2,%r2 ++ xgr %r3,%r3 ++ xgr %r4,%r4 ++ xgr %r5,%r5 ++ xgr %r6,%r6 ++ xgr %r7,%r7 ++ xgr %r10,%r10 + mvc __PT_R8(64,%r11),0(%r14) + stmg %r8,%r9,__PT_PSW(%r11) + xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) +@@ -933,6 +1131,7 @@ ENTRY(mcck_int_handler) + mvc __LC_RETURN_MCCK_PSW(16),__PT_PSW(%r11) # move return PSW + tm __LC_RETURN_MCCK_PSW+1,0x01 # returning to user ? 
+ jno 0f ++ BPEXIT __TI_flags(%r12),_TIF_ISOLATE_BP + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER + 0: lmg %r11,%r15,__PT_R11(%r11) +@@ -1028,7 +1227,7 @@ cleanup_critical: + jl 0f + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end + jl .Lcleanup_load_fpu_regs +-0: br %r14 ++0: BR_R11USE_R14 + + .align 8 + .Lcleanup_table: +@@ -1053,11 +1252,12 @@ cleanup_critical: + .quad .Lsie_done + + .Lcleanup_sie: ++ BPENTER __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) + lg %r9,__SF_EMPTY(%r15) # get control block pointer + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce + larl %r9,sie_exit # skip forward to sie_exit +- br %r14 ++ BR_R11USE_R14 + #endif + + .Lcleanup_system_call: +@@ -1099,7 +1299,8 @@ cleanup_critical: + srag %r9,%r9,23 + jz 0f + mvc __TI_last_break(8,%r12),16(%r11) +-0: # set up saved register r11 ++0: BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP ++ # set up saved register r11 + lg %r15,__LC_KERNEL_STACK + la %r9,STACK_FRAME_OVERHEAD(%r15) + stg %r9,24(%r11) # r11 pt_regs pointer +@@ -1114,7 +1315,7 @@ cleanup_critical: + stg %r15,56(%r11) # r15 stack pointer + # set new psw address and exit + larl %r9,.Lsysc_do_svc +- br %r14 ++ BR_R11USE_R14 + .Lcleanup_system_call_insn: + .quad system_call + .quad .Lsysc_stmg +@@ -1124,7 +1325,7 @@ cleanup_critical: + + .Lcleanup_sysc_tif: + larl %r9,.Lsysc_tif +- br %r14 ++ BR_R11USE_R14 + + .Lcleanup_sysc_restore: + # check if stpt has been executed +@@ -1141,14 +1342,14 @@ cleanup_critical: + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) + 1: lmg %r8,%r9,__LC_RETURN_PSW +- br %r14 ++ BR_R11USE_R14 + .Lcleanup_sysc_restore_insn: + .quad .Lsysc_exit_timer + .quad .Lsysc_done - 4 + + .Lcleanup_io_tif: + larl %r9,.Lio_tif +- br %r14 ++ BR_R11USE_R14 + + .Lcleanup_io_restore: + # check if stpt has been executed +@@ -1162,7 +1363,7 @@ cleanup_critical: + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) + 1: lmg 
%r8,%r9,__LC_RETURN_PSW +- br %r14 ++ BR_R11USE_R14 + .Lcleanup_io_restore_insn: + .quad .Lio_exit_timer + .quad .Lio_done - 4 +@@ -1214,17 +1415,17 @@ cleanup_critical: + # prepare return psw + nihh %r8,0xfcfd # clear irq & wait state bits + lg %r9,48(%r11) # return from psw_idle +- br %r14 ++ BR_R11USE_R14 + .Lcleanup_idle_insn: + .quad .Lpsw_idle_lpsw + + .Lcleanup_save_fpu_regs: + larl %r9,save_fpu_regs +- br %r14 ++ BR_R11USE_R14 + + .Lcleanup_load_fpu_regs: + larl %r9,load_fpu_regs +- br %r14 ++ BR_R11USE_R14 + + /* + * Integer constants +@@ -1240,7 +1441,6 @@ cleanup_critical: + .Lsie_critical_length: + .quad .Lsie_done - .Lsie_gmap + #endif +- + .section .rodata, "a" + #define SYSCALL(esame,emu) .long esame + .globl sys_call_table +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c +index e73979236659..837bb301023f 100644 +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -563,6 +563,7 @@ static struct kset *ipl_kset; + + static void __ipl_run(void *unused) + { ++ __bpon(); + diag308(DIAG308_IPL, NULL); + if (MACHINE_IS_VM) + __cpcmd("IPL", NULL, 0, NULL); +diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c +new file mode 100644 +index 000000000000..9f3b5b382743 +--- /dev/null ++++ b/arch/s390/kernel/nospec-branch.c +@@ -0,0 +1,169 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include ++#include ++#include ++ ++static int __init nobp_setup_early(char *str) ++{ ++ bool enabled; ++ int rc; ++ ++ rc = kstrtobool(str, &enabled); ++ if (rc) ++ return rc; ++ if (enabled && test_facility(82)) { ++ /* ++ * The user explicitely requested nobp=1, enable it and ++ * disable the expoline support. 
++ */ ++ __set_facility(82, S390_lowcore.alt_stfle_fac_list); ++ if (IS_ENABLED(CONFIG_EXPOLINE)) ++ nospec_disable = 1; ++ } else { ++ __clear_facility(82, S390_lowcore.alt_stfle_fac_list); ++ } ++ return 0; ++} ++early_param("nobp", nobp_setup_early); ++ ++static int __init nospec_setup_early(char *str) ++{ ++ __clear_facility(82, S390_lowcore.alt_stfle_fac_list); ++ return 0; ++} ++early_param("nospec", nospec_setup_early); ++ ++static int __init nospec_report(void) ++{ ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) ++ pr_info("Spectre V2 mitigation: execute trampolines.\n"); ++ if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) ++ pr_info("Spectre V2 mitigation: limited branch prediction.\n"); ++ return 0; ++} ++arch_initcall(nospec_report); ++ ++#ifdef CONFIG_SYSFS ++ssize_t cpu_show_spectre_v1(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Mitigation: __user pointer sanitization\n"); ++} ++ ++ssize_t cpu_show_spectre_v2(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) ++ return sprintf(buf, "Mitigation: execute trampolines\n"); ++ if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) ++ return sprintf(buf, "Mitigation: limited branch prediction.\n"); ++ return sprintf(buf, "Vulnerable\n"); ++} ++#endif ++ ++#ifdef CONFIG_EXPOLINE ++ ++int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); ++ ++static int __init nospectre_v2_setup_early(char *str) ++{ ++ nospec_disable = 1; ++ return 0; ++} ++early_param("nospectre_v2", nospectre_v2_setup_early); ++ ++void __init nospec_auto_detect(void) ++{ ++ if (IS_ENABLED(CC_USING_EXPOLINE)) { ++ /* ++ * The kernel has been compiled with expolines. ++ * Keep expolines enabled and disable nobp. 
++ */ ++ nospec_disable = 0; ++ __clear_facility(82, S390_lowcore.alt_stfle_fac_list); ++ } ++ /* ++ * If the kernel has not been compiled with expolines the ++ * nobp setting decides what is done, this depends on the ++ * CONFIG_KERNEL_NP option and the nobp/nospec parameters. ++ */ ++} ++ ++static int __init spectre_v2_setup_early(char *str) ++{ ++ if (str && !strncmp(str, "on", 2)) { ++ nospec_disable = 0; ++ __clear_facility(82, S390_lowcore.alt_stfle_fac_list); ++ } ++ if (str && !strncmp(str, "off", 3)) ++ nospec_disable = 1; ++ if (str && !strncmp(str, "auto", 4)) ++ nospec_auto_detect(); ++ return 0; ++} ++early_param("spectre_v2", spectre_v2_setup_early); ++ ++static void __init_or_module __nospec_revert(s32 *start, s32 *end) ++{ ++ enum { BRCL_EXPOLINE, BRASL_EXPOLINE } type; ++ u8 *instr, *thunk, *br; ++ u8 insnbuf[6]; ++ s32 *epo; ++ ++ /* Second part of the instruction replace is always a nop */ ++ memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x00, 0x00 }, 4); ++ for (epo = start; epo < end; epo++) { ++ instr = (u8 *) epo + *epo; ++ if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x04) ++ type = BRCL_EXPOLINE; /* brcl instruction */ ++ else if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x05) ++ type = BRASL_EXPOLINE; /* brasl instruction */ ++ else ++ continue; ++ thunk = instr + (*(int *)(instr + 2)) * 2; ++ if (thunk[0] == 0xc6 && thunk[1] == 0x00) ++ /* exrl %r0, */ ++ br = thunk + (*(int *)(thunk + 2)) * 2; ++ else if (thunk[0] == 0xc0 && (thunk[1] & 0x0f) == 0x00 && ++ thunk[6] == 0x44 && thunk[7] == 0x00 && ++ (thunk[8] & 0x0f) == 0x00 && thunk[9] == 0x00 && ++ (thunk[1] & 0xf0) == (thunk[8] & 0xf0)) ++ /* larl %rx, + ex %r0,0(%rx) */ ++ br = thunk + (*(int *)(thunk + 2)) * 2; ++ else ++ continue; ++ if (br[0] != 0x07 || (br[1] & 0xf0) != 0xf0) ++ continue; ++ switch (type) { ++ case BRCL_EXPOLINE: ++ /* brcl to thunk, replace with br + nop */ ++ insnbuf[0] = br[0]; ++ insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f); ++ break; ++ case BRASL_EXPOLINE: 
++ /* brasl to thunk, replace with basr + nop */ ++ insnbuf[0] = 0x0d; ++ insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f); ++ break; ++ } ++ ++ s390_kernel_write(instr, insnbuf, 6); ++ } ++} ++ ++void __init_or_module nospec_revert(s32 *start, s32 *end) ++{ ++ if (nospec_disable) ++ __nospec_revert(start, end); ++} ++ ++extern s32 __nospec_call_start[], __nospec_call_end[]; ++extern s32 __nospec_return_start[], __nospec_return_end[]; ++void __init nospec_init_branches(void) ++{ ++ nospec_revert(__nospec_call_start, __nospec_call_end); ++ nospec_revert(__nospec_return_start, __nospec_return_end); ++} ++ ++#endif /* CONFIG_EXPOLINE */ +diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c +index 7ce00e7a709a..ab236bd970bb 100644 +--- a/arch/s390/kernel/processor.c ++++ b/arch/s390/kernel/processor.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -113,3 +114,20 @@ const struct seq_operations cpuinfo_op = { + .show = show_cpuinfo, + }; + ++int s390_isolate_bp(void) ++{ ++ if (!test_facility(82)) ++ return -EOPNOTSUPP; ++ set_thread_flag(TIF_ISOLATE_BP); ++ return 0; ++} ++EXPORT_SYMBOL(s390_isolate_bp); ++ ++int s390_isolate_bp_guest(void) ++{ ++ if (!test_facility(82)) ++ return -EOPNOTSUPP; ++ set_thread_flag(TIF_ISOLATE_BP_GUEST); ++ return 0; ++} ++EXPORT_SYMBOL(s390_isolate_bp_guest); +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index d097d71685df..e7a43a30e3ff 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -63,6 +63,8 @@ + #include + #include + #include ++#include ++#include + #include "entry.h" + + /* +@@ -333,7 +335,9 @@ static void __init setup_lowcore(void) + lc->machine_flags = S390_lowcore.machine_flags; + lc->stfl_fac_list = S390_lowcore.stfl_fac_list; + memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list, +- MAX_FACILITY_BIT/8); ++ sizeof(lc->stfle_fac_list)); ++ memcpy(lc->alt_stfle_fac_list, S390_lowcore.alt_stfle_fac_list, ++ 
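Review bot: The comment at the end of `nospec_auto_detect()` names `CONFIG_KERNEL_NP`, but the option tested in the early.c hunk of this patch is `CONFIG_KERNEL_NOBP`; the line should read `* CONFIG_KERNEL_NOBP option and the nobp/nospec parameters.` so that a search for the option finds it. In the same file `spectre_v2_setup_early()` matches its value by prefix (`strncmp(str, "on", 2)` and so on) and returns 0 when nothing matches, so a mistyped `spectre_v2=` value is silently ignored and the boot continues with the default mitigation choice. A `pr_warn("spectre_v2: unknown option '%s'\n", str);` on the fall-through would make that visible in the log.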
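Review bot: `s390_isolate_bp()` and `s390_isolate_bp_guest()` are exported with `EXPORT_SYMBOL` but carry no comment describing their contract, and nothing in the visible patch calls them or clears `TIF_ISOLATE_BP` / `TIF_ISOLATE_BP_GUEST` again. A kernel-doc block above each should state that the flag is set on the current thread via `set_thread_flag()`, that `-EOPNOTSUPP` is returned when `test_facility(82)` fails, and whether the setting is meant to be permanent for the task. Whether the flag is inherited by child tasks cannot be told from this hunk and should be spelled out there too, since callers will rely on it as an isolation boundary.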
sizeof(lc->alt_stfle_fac_list)); + if (MACHINE_HAS_VX) + lc->vector_save_area_addr = + (unsigned long) &lc->vector_save_area; +@@ -370,6 +374,7 @@ static void __init setup_lowcore(void) + #ifdef CONFIG_SMP + lc->spinlock_lockval = arch_spin_lockval(0); + #endif ++ lc->br_r1_trampoline = 0x07f1; /* br %r1 */ + + set_prefix((u32)(unsigned long) lc); + lowcore_ptr[0] = lc; +@@ -841,6 +846,9 @@ void __init setup_arch(char **cmdline_p) + init_mm.end_data = (unsigned long) &_edata; + init_mm.brk = (unsigned long) &_end; + ++ if (IS_ENABLED(CONFIG_EXPOLINE_AUTO)) ++ nospec_auto_detect(); ++ + parse_early_param(); + os_info_init(); + setup_ipl(); +@@ -893,6 +901,10 @@ void __init setup_arch(char **cmdline_p) + conmode_default(); + set_preferred_console(); + ++ apply_alternative_instructions(); ++ if (IS_ENABLED(CONFIG_EXPOLINE)) ++ nospec_init_branches(); ++ + /* Setup zfcpdump support */ + setup_zfcpdump(); + +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index 9062df575afe..77f4f334a465 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -200,6 +200,7 @@ static int pcpu_alloc_lowcore(struct pcpu *pcpu, int cpu) + lc->panic_stack = panic_stack + PANIC_FRAME_OFFSET; + lc->cpu_nr = cpu; + lc->spinlock_lockval = arch_spin_lockval(cpu); ++ lc->br_r1_trampoline = 0x07f1; /* br %r1 */ + if (MACHINE_HAS_VX) + lc->vector_save_area_addr = + (unsigned long) &lc->vector_save_area; +@@ -250,7 +251,9 @@ static void pcpu_prepare_secondary(struct pcpu *pcpu, int cpu) + __ctl_store(lc->cregs_save_area, 0, 15); + save_access_regs((unsigned int *) lc->access_regs_save_area); + memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list, +- MAX_FACILITY_BIT/8); ++ sizeof(lc->stfle_fac_list)); ++ memcpy(lc->alt_stfle_fac_list, S390_lowcore.alt_stfle_fac_list, ++ sizeof(lc->alt_stfle_fac_list)); + } + + static void pcpu_attach_task(struct pcpu *pcpu, struct task_struct *tsk) +@@ -299,6 +302,7 @@ static void pcpu_delegate(struct pcpu *pcpu, void (*func)(void *), + 
mem_assign_absolute(lc->restart_fn, (unsigned long) func); + mem_assign_absolute(lc->restart_data, (unsigned long) data); + mem_assign_absolute(lc->restart_source, source_cpu); ++ __bpon(); + asm volatile( + "0: sigp 0,%0,%2 # sigp restart to target cpu\n" + " brc 2,0b # busy, try again\n" +@@ -888,6 +892,7 @@ void __cpu_die(unsigned int cpu) + void __noreturn cpu_die(void) + { + idle_task_exit(); ++ __bpon(); + pcpu_sigp_retry(pcpu_devices + smp_processor_id(), SIGP_STOP, 0); + for (;;) ; + } +diff --git a/arch/s390/kernel/uprobes.c b/arch/s390/kernel/uprobes.c +index 66956c09d5bf..3d04dfdabc9f 100644 +--- a/arch/s390/kernel/uprobes.c ++++ b/arch/s390/kernel/uprobes.c +@@ -147,6 +147,15 @@ unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline, + return orig; + } + ++bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx, ++ struct pt_regs *regs) ++{ ++ if (ctx == RP_CHECK_CHAIN_CALL) ++ return user_stack_pointer(regs) <= ret->stack; ++ else ++ return user_stack_pointer(regs) < ret->stack; ++} ++ + /* Instruction Emulation */ + + static void adjust_psw_addr(psw_t *psw, unsigned long len) +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S +index 6c553f6e791a..a4ae08e416e6 100644 +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -78,6 +78,43 @@ SECTIONS + EXIT_DATA + } + ++ /* ++ * struct alt_inst entries. From the header (alternative.h): ++ * "Alternative instructions for different CPU types or capabilities" ++ * Think locking instructions on spinlocks. ++ * Note, that it is a part of __init region. ++ */ ++ . = ALIGN(8); ++ .altinstructions : { ++ __alt_instructions = .; ++ *(.altinstructions) ++ __alt_instructions_end = .; ++ } ++ ++ /* ++ * And here are the replacement instructions. The linker sticks ++ * them as binary blobs. The .altinstructions has enough data to ++ * get the address and the length of them to patch the kernel safely. 
++ * Note, that it is a part of __init region.
++ */
++ .altinstr_replacement : {
++ *(.altinstr_replacement)
++ }
++
++ /*
++ * Table with the patch locations to undo expolines
++ */
++ .nospec_call_table : {
++ __nospec_call_start = . ;
++ *(.s390_indirect*)
++ __nospec_call_end = . ;
++ }
++ .nospec_return_table : {
++ __nospec_return_start = . ;
++ *(.s390_return*)
++ __nospec_return_end = . ;
++ }
++
+ /* early.c uses stsi, which requires page aligned data. */
+ . = ALIGN(PAGE_SIZE);
+ INIT_DATA_SECTION(0x100)
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 23e3f5d77a24..b011140e6b06 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -257,6 +257,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
+ case KVM_CAP_S390_VECTOR_REGISTERS:
+ r = MACHINE_HAS_VX;
+ break;
++ case KVM_CAP_S390_BPB:
++ r = test_facility(82);
++ break;
+ default:
+ r = 0;
+ }
+@@ -1264,6 +1267,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ KVM_SYNC_PFAULT;
+ if (test_kvm_facility(vcpu->kvm, 129))
+ vcpu->run->kvm_valid_regs |= KVM_SYNC_VRS;
++ if (test_kvm_facility(vcpu->kvm, 82))
++ vcpu->run->kvm_valid_regs |= KVM_SYNC_BPBC;
+
+ if (kvm_is_ucontrol(vcpu->kvm))
+ return __kvm_ucontrol_vcpu_init(vcpu);
+@@ -1327,6 +1332,7 @@ static void kvm_s390_vcpu_initial_reset(struct kvm_vcpu *vcpu)
+ current->thread.fpu.fpc = 0;
+ vcpu->arch.sie_block->gbea = 1;
+ vcpu->arch.sie_block->pp = 0;
++ vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
+ vcpu->arch.pfault_token = KVM_S390_PFAULT_TOKEN_INVALID;
+ kvm_clear_async_pf_completion_queue(vcpu);
+ if (!kvm_s390_user_cpu_state_ctrl(vcpu->kvm))
+@@ -2145,6 +2151,11 @@ static void sync_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+ if (vcpu->arch.pfault_token == KVM_S390_PFAULT_TOKEN_INVALID)
+ kvm_clear_async_pf_completion_queue(vcpu);
+ }
++ if ((kvm_run->kvm_dirty_regs & KVM_SYNC_BPBC) &&
++ test_kvm_facility(vcpu->kvm, 82)) {
++ vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
++
vcpu->arch.sie_block->fpf |= kvm_run->s.regs.bpbc ? FPF_BPBC : 0;
++ }
+ kvm_run->kvm_dirty_regs = 0;
+ }
+
+@@ -2162,6 +2173,7 @@ static void store_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+ kvm_run->s.regs.pft = vcpu->arch.pfault_token;
+ kvm_run->s.regs.pfs = vcpu->arch.pfault_select;
+ kvm_run->s.regs.pfc = vcpu->arch.pfault_compare;
++ kvm_run->s.regs.bpbc = (vcpu->arch.sie_block->fpf & FPF_BPBC) == FPF_BPBC;
+ }
+
+ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
+index eb02087650d2..c42d4a3d9494 100644
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -408,7 +408,7 @@ static unsigned long calc_hpet_ref(u64 deltatsc, u64 hpet1, u64 hpet2)
+ hpet2 -= hpet1;
+ tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
+ do_div(tmp, 1000000);
+- do_div(deltatsc, tmp);
++ deltatsc = div64_u64(deltatsc, tmp);
+
+ return (unsigned long) deltatsc;
+ }
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index c206ccda899b..b5f245d2875c 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
+ if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
+ return media_changed(cdi, 1);
+
+- if ((unsigned int)arg >= cdi->capacity)
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+
+ info = kmalloc(sizeof(*info), GFP_KERNEL);
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 930424e55439..251d64ca41ce 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_client *client,
+ if (!haptics)
+ return -ENOMEM;
+
+- haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
++ haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
+ haptics->rated_voltage = DRV260X_DEF_RATED_VOLT;
+
+ if (pdata) {
+diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
+index 7ebccfa8072a..cb790b68920f 100644
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -1994,6 +1994,7 @@ static struct scsi_host_template mptsas_driver_template = {
+ .cmd_per_lun = 7,
+ .use_clustering = ENABLE_CLUSTERING,
+ .shost_attrs = mptscsih_host_attrs,
++ .no_write_same = 1,
+ };
+
+ static int mptsas_get_linkerrors(struct sas_phy *phy)
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 278d12888cab..339118f3c718 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1614,8 +1614,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
+ } /* switch(bond_mode) */
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+- slave_dev->npinfo = bond->dev->npinfo;
+- if (slave_dev->npinfo) {
++ if (bond->dev->npinfo) {
+ if (slave_enable_netpoll(new_slave)) {
+ netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
+ res = -EBUSY;
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index b7b859c3a0c7..583d50f80b24 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -638,6 +638,10 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppox))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 9bca36e1fefd..e74709e4b5dd 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -247,6 +247,17 @@ static void __team_option_inst_mark_removed_port(struct team *team,
+ }
+ }
+
++static bool __team_option_inst_tmp_find(const struct list_head *opts,
++ const struct team_option_inst *needle)
++{
++ struct team_option_inst *opt_inst;
++
++ list_for_each_entry(opt_inst, opts, tmp_list)
++ if (opt_inst == needle)
++ return true;
++ return false;
++}
++
+ static int
__team_options_register(struct team *team,
+ const struct team_option *option,
+ size_t option_count)
+@@ -1039,14 +1050,11 @@ static void team_port_leave(struct team *team, struct team_port *port)
+ }
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int __team_port_enable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np;
+ int err;
+
+- if (!team->dev->npinfo)
+- return 0;
+-
+ np = kzalloc(sizeof(*np), GFP_KERNEL);
+ if (!np)
+ return -ENOMEM;
+@@ -1060,6 +1068,14 @@ static int team_port_enable_netpoll(struct team *team, struct team_port *port)
+ return err;
+ }
+
++static int team_port_enable_netpoll(struct team_port *port)
++{
++ if (!port->team->dev->npinfo)
++ return 0;
++
++ return __team_port_enable_netpoll(port);
++}
++
+ static void team_port_disable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np = port->np;
+@@ -1074,7 +1090,7 @@ static void team_port_disable_netpoll(struct team_port *port)
+ kfree(np);
+ }
+ #else
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int team_port_enable_netpoll(struct team_port *port)
+ {
+ return 0;
+ }
+@@ -1181,7 +1197,7 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
+ goto err_vids_add;
+ }
+
+- err = team_port_enable_netpoll(team, port);
++ err = team_port_enable_netpoll(port);
+ if (err) {
+ netdev_err(dev, "Failed to enable netpoll on device %s\n",
+ portname);
+@@ -1889,7 +1905,7 @@ static int team_netpoll_setup(struct net_device *dev,
+
+ mutex_lock(&team->lock);
+ list_for_each_entry(port, &team->port_list, list) {
+- err = team_port_enable_netpoll(team, port);
++ err = __team_port_enable_netpoll(port);
+ if (err) {
+ __team_netpoll_cleanup(team);
+ break;
+@@ -2544,6 +2560,14 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ if (err)
+ goto team_put;
+ opt_inst->changed = true;
++
++ /* dumb/evil user-space can
send us duplicate opt,
++ * keep only the last one
++ */
++ if (__team_option_inst_tmp_find(&opt_inst_list,
++ opt_inst))
++ continue;
++
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ if (!opt_found) {
+diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
+index 6578127db847..f71abe50ea6f 100644
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -461,6 +461,7 @@ static const struct driver_info wwan_info = {
+ #define REALTEK_VENDOR_ID 0x0bda
+ #define SAMSUNG_VENDOR_ID 0x04e8
+ #define LENOVO_VENDOR_ID 0x17ef
++#define LINKSYS_VENDOR_ID 0x13b1
+ #define NVIDIA_VENDOR_ID 0x0955
+ #define HP_VENDOR_ID 0x03f0
+
+@@ -650,6 +651,15 @@ static const struct usb_device_id products[] = {
+ .driver_info = 0,
+ },
+
++#if IS_ENABLED(CONFIG_USB_RTL8152)
++/* Linksys USB3GIGV1 Ethernet Adapter */
++{
++ USB_DEVICE_AND_INTERFACE_INFO(LINKSYS_VENDOR_ID, 0x0041, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
++ .driver_info = 0,
++},
++#endif
++
+ /* Lenovo Thinkpad USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0x7205, USB_CLASS_COMM,
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 89950f5cea71..b2c1a435357f 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -506,6 +506,7 @@ enum rtl8152_flags {
+ #define VENDOR_ID_REALTEK 0x0bda
+ #define VENDOR_ID_SAMSUNG 0x04e8
+ #define VENDOR_ID_LENOVO 0x17ef
++#define VENDOR_ID_LINKSYS 0x13b1
+ #define VENDOR_ID_NVIDIA 0x0955
+
+ #define MCU_TYPE_PLA 0x0100
+@@ -4376,6 +4377,7 @@ static struct usb_device_id rtl8152_table[] = {
+ {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7205)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x304f)},
++ {REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA, 0x09ff)},
+ {}
+ };
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c
b/drivers/net/wireless/ath/ath10k/mac.c
+index 09e14ce85dd0..0c8efdff4843 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5285,9 +5285,8 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
+ sta->addr, smps, err);
+ }
+
+- if (changed & IEEE80211_RC_SUPP_RATES_CHANGED ||
+- changed & IEEE80211_RC_NSS_CHANGED) {
+- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates/nss\n",
++ if (changed & IEEE80211_RC_SUPP_RATES_CHANGED) {
++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates\n",
+ sta->addr);
+
+ err = ath10k_station_assoc(ar, arvif->vif, sta, true);
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 41382f89abe1..4435c7bbb625 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -1595,6 +1595,10 @@ bool ath9k_hw_check_alive(struct ath_hw *ah)
+ int count = 50;
+ u32 reg, last_val;
+
++ /* Check if chip failed to wake up */
++ if (REG_READ(ah, AR_CFG) == 0xdeadbeef)
++ return false;
++
+ if (AR_SREV_9300(ah))
+ return !ath9k_hw_detect_mac_hang(ah);
+
+diff --git a/drivers/s390/char/Makefile b/drivers/s390/char/Makefile
+index 6fa9364d1c07..835f1054976b 100644
+--- a/drivers/s390/char/Makefile
++++ b/drivers/s390/char/Makefile
+@@ -2,6 +2,8 @@
+ # S/390 character devices
+ #
+
++CFLAGS_REMOVE_sclp_early_core.o += $(CC_FLAGS_EXPOLINE)
++
+ obj-y += ctrlchar.o keyboard.o defkeymap.o sclp.o sclp_rw.o sclp_quiesce.o \
+ sclp_cmd.o sclp_config.o sclp_cpi_sys.o sclp_ocf.o sclp_ctl.o \
+ sclp_early.o
+diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
+index 1e16331891a9..f9d6a9f00640 100644
+--- a/drivers/s390/cio/chsc.c
++++ b/drivers/s390/cio/chsc.c
+@@ -451,6 +451,7 @@ static void chsc_process_sei_link_incident(struct chsc_sei_nt0_area *sei_area)
+
+ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
+ {
++ struct channel_path *chp;
+ struct chp_link link;
+
struct chp_id chpid;
+ int status;
+@@ -463,10 +464,17 @@ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
+ chpid.id = sei_area->rsid;
+ /* allocate a new channel path structure, if needed */
+ status = chp_get_status(chpid);
+- if (status < 0)
+- chp_new(chpid);
+- else if (!status)
++ if (!status)
+ return;
++
++ if (status < 0) {
++ chp_new(chpid);
++ } else {
++ chp = chpid_to_chp(chpid);
++ mutex_lock(&chp->lock);
++ chp_update_desc(chp);
++ mutex_unlock(&chp->lock);
++ }
+ memset(&link, 0, sizeof(struct chp_link));
+ link.chpid = chpid;
+ if ((sei_area->vf & 0xc0) != 0) {
+diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
+index d4c3e5512dd5..b69dfc706440 100644
+--- a/drivers/staging/android/ion/ion_system_heap.c
++++ b/drivers/staging/android/ion/ion_system_heap.c
+@@ -27,7 +27,7 @@
+ #include "ion_priv.h"
+
+ static gfp_t high_order_gfp_flags = (GFP_HIGHUSER | __GFP_ZERO | __GFP_NOWARN |
+- __GFP_NORETRY) & ~__GFP_DIRECT_RECLAIM;
++ __GFP_NORETRY) & ~__GFP_RECLAIM;
+ static gfp_t low_order_gfp_flags = (GFP_HIGHUSER | __GFP_ZERO | __GFP_NOWARN);
+ static const unsigned int orders[] = {8, 4, 0};
+ static const int num_orders = ARRAY_SIZE(orders);
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 49a0d6b027c1..76dacd5307b9 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
+ goto mknod_out;
+ }
+
++ if (!S_ISCHR(mode) && !S_ISBLK(mode))
++ goto mknod_out;
++
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+ goto mknod_out;
+
+@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
+
+ buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+ if (buf == NULL) {
+- kfree(full_path);
+ rc = -ENOMEM;
+- free_xid(xid);
+- return rc;
++ goto mknod_out;
+ }
+
+ if (backup_cred(cifs_sb))
+@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, struct
dentry *direntry, umode_t mode,
+ pdev->minor = cpu_to_le64(MINOR(device_number));
+ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+ &bytes_written, iov, 1);
+- } /* else if (S_ISFIFO) */
++ }
+ tcon->ses->server->ops->close(xid, tcon, &fid);
+ d_drop(direntry);
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 4759df4eb8ce..9398d1b70545 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -275,11 +275,11 @@ loop:
+ goto loop;
+
+ end_loop:
+- write_unlock(&journal->j_state_lock);
+ del_timer_sync(&journal->j_commit_timer);
+ journal->j_task = NULL;
+ wake_up(&journal->j_wait_done_commit);
+ jbd_debug(1, "Journal thread exiting.\n");
++ write_unlock(&journal->j_state_lock);
+ return 0;
+ }
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index 19db03dbbd00..dd676ba758ee 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -585,7 +585,7 @@ static inline bool skb_vlan_tagged(const struct sk_buff *skb)
+ * Returns true if the skb is tagged with multiple vlan headers, regardless
+ * of whether it is hardware accelerated or not.
+ */
+-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
+ {
+ __be16 protocol = skb->protocol;
+
+@@ -596,6 +596,9 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
+ protocol != htons(ETH_P_8021AD)))
+ return false;
+
++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
++ return false;
++
+ veh = (struct vlan_ethhdr *)skb->data;
+ protocol = veh->h_vlan_encapsulated_proto;
+ }
+@@ -613,7 +616,7 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
+ *
+ * Returns features without unsafe ones if the skb has multiple tags.
+ */
+-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
++static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ if (skb_vlan_tagged_multi(skb)) {
+diff --git a/include/net/llc_conn.h b/include/net/llc_conn.h
+index fe994d2e5286..ea985aa7a6c5 100644
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(struct sk_buff *skb)
+
+ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
+ struct proto *prot, int kern);
++void llc_sk_stop_all_timers(struct sock *sk, bool sync);
+ void llc_sk_free(struct sock *sk);
+
+ void llc_sk_reset(struct sock *sk);
+diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
+index 03f3618612aa..376d0ab5b9f2 100644
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -831,6 +831,7 @@ struct kvm_ppc_smmu_info {
+ #define KVM_CAP_GUEST_DEBUG_HW_WPS 120
+ #define KVM_CAP_SPLIT_IRQCHIP 121
+ #define KVM_CAP_IOEVENTFD_ANY_LENGTH 122
++#define KVM_CAP_S390_BPB 152
+
+ #ifdef KVM_CAP_IRQ_ROUTING
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 835ac4d9f349..6aeb0ef4fe70 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8133,9 +8133,9 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
+ * __u16 sample size limit.
+ */
+ if (attr->sample_stack_user >= USHRT_MAX)
+- ret = -EINVAL;
++ return -EINVAL;
+ else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64)))
+- ret = -EINVAL;
++ return -EINVAL;
+ }
+
+ if (attr->sample_type & PERF_SAMPLE_REGS_INTR)
+diff --git a/net/core/dev.c b/net/core/dev.c
+index dc63c37d5301..3bcbf931a910 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2706,7 +2706,7 @@ netdev_features_t passthru_features_check(struct sk_buff *skb,
+ }
+ EXPORT_SYMBOL(passthru_features_check);
+
+-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
++static netdev_features_t dflt_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features)
+ {
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 33432e64804c..f60b93627876 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -54,7 +54,8 @@ do { \
+ static void neigh_timer_handler(unsigned long arg);
+ static void __neigh_notify(struct neighbour *n, int type, int flags);
+ static void neigh_update_notify(struct neighbour *neigh);
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev);
+
+ #ifdef CONFIG_PROC_FS
+ static const struct file_operations neigh_stat_seq_fops;
+@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
+ {
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev);
+- pneigh_ifdown(tbl, dev);
+- write_unlock_bh(&tbl->lock);
++ pneigh_ifdown_and_unlock(tbl, dev);
+
+ del_timer_sync(&tbl->proxy_timer);
+ pneigh_queue_purge(&tbl->proxy_queue);
+@@ -645,9 +645,10 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
+ return -ENOENT;
+ }
+
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev)
+ {
+- struct pneigh_entry *n, **np;
++ struct
pneigh_entry *n, **np, *freelist = NULL;
+ u32 h;
+
+ for (h = 0; h <= PNEIGH_HASHMASK; h++) {
+@@ -655,16 +656,23 @@ static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
+ while ((n = *np) != NULL) {
+ if (!dev || n->dev == dev) {
+ *np = n->next;
+- if (tbl->pdestructor)
+- tbl->pdestructor(n);
+- if (n->dev)
+- dev_put(n->dev);
+- kfree(n);
++ n->next = freelist;
++ freelist = n;
+ continue;
+ }
+ np = &n->next;
+ }
+ }
++ write_unlock_bh(&tbl->lock);
++ while ((n = freelist)) {
++ freelist = n->next;
++ n->next = NULL;
++ if (tbl->pdestructor)
++ tbl->pdestructor(n);
++ if (n->dev)
++ dev_put(n->dev);
++ kfree(n);
++ }
+ return -ENOENT;
+ }
+
+@@ -2280,12 +2288,16 @@ static int neigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
+
+ err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL);
+ if (!err) {
+- if (tb[NDA_IFINDEX])
++ if (tb[NDA_IFINDEX]) {
++ if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32))
++ return -EINVAL;
+ filter_idx = nla_get_u32(tb[NDA_IFINDEX]);
+-
+- if (tb[NDA_MASTER])
++ }
++ if (tb[NDA_MASTER]) {
++ if (nla_len(tb[NDA_MASTER]) != sizeof(u32))
++ return -EINVAL;
+ filter_master_idx = nla_get_u32(tb[NDA_MASTER]);
+-
++ }
+ if (filter_idx || filter_master_idx)
+ flags |= NLM_F_DUMP_FILTERED;
+ }
+diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
+index 6abc5012200b..e26df2764e83 100644
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
+
+ next_opt = memchr(opt, '#', end - opt) ?: end;
+ opt_len = next_opt - opt;
+- if (!opt_len) {
+- printk(KERN_WARNING
+- "Empty option to dns_resolver key\n");
++ if (opt_len <= 0 || opt_len > 128) {
++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
++ opt_len);
+ return -EINVAL;
+ }
+
+@@ -127,10 +128,8 @@ dns_resolver_preparse(struct
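Review bot: `pneigh_ifdown_and_unlock()` in net/core/neighbour.c now drops `tbl->lock` itself (`write_unlock_bh(&tbl->lock);` ahead of the freelist loop), but nothing at the definition states that the caller must enter with the write lock held; only the new name hints at it. I would add a comment above the function, e.g. `/* Called with tbl->lock write-held; releases it before running pdestructor()/dev_put()/kfree() on the unlinked entries. */`, so a later caller neither unlocks twice nor calls it unlocked. The function also still returns `-ENOENT` unconditionally and the one caller visible here, neigh_ifdown, ignores the result, which deserves a word in the same comment.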
key_preparsed_payload *prep)
+ }
+
+ bad_option_value:
+- printk(KERN_WARNING
+- "Option '%*.*s' to dns_resolver key:"
+- " bad/missing value\n",
+- opt_nlen, opt_nlen, opt);
++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
++ opt_nlen, opt_nlen, opt);
+ return -EINVAL;
+ } while (opt = next_opt + 1, opt < end);
+ }
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 23d77ff1da59..82d2b55c953a 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2589,8 +2589,10 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+
+ #ifdef CONFIG_TCP_MD5SIG
+ case TCP_MD5SIG:
+- /* Read the IP->Key mappings from userspace */
+- err = tp->af_specific->md5_parse(sk, optval, optlen);
++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++ err = tp->af_specific->md5_parse(sk, optval, optlen);
++ else
++ err = -EINVAL;
+ break;
+ #endif
+ case TCP_USER_TIMEOUT:
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 96115d1e0d90..ed018760502e 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3869,11 +3869,8 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)
+ int length = (th->doff << 2) - sizeof(*th);
+ const u8 *ptr = (const u8 *)(th + 1);
+
+- /* If the TCP option is too short, we can short cut */
+- if (length < TCPOLEN_MD5SIG)
+- return NULL;
+-
+- while (length > 0) {
++ /* If not enough data remaining, we can short cut */
++ while (length >= TCPOLEN_MD5SIG) {
+ int opcode = *ptr++;
+ int opsize;
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 99920fcea97c..2f6d8f57fdd4 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2711,6 +2711,7 @@ void rt6_mtu_change(struct net_device *dev, unsigned int mtu)
+
+ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+ [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) },
++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) },
+ [RTA_OIF] = { .type = NLA_U32 },
+ [RTA_IIF] = { .type = NLA_U32 },
+ [RTA_PRIORITY] = { .type = NLA_U32
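Review bot: The TCP_MD5SIG case of do_tcp_setsockopt in net/ipv4/tcp.c now refuses the option with `-EINVAL` unless the socket state is CLOSE or LISTEN, yet the hunk deletes the only comment on that case and leaves the new condition unexplained. A one-line comment on the check would record the intent, for example `/* keys may only be set while the socket is closed or listening */`; the reason behind the restriction is not visible in the hunk and should be filled in by someone who knows it. The case sits inside a switch that starts and ends outside the hunk.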
},
+@@ -2716,6 +2716,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+ [RTA_IIF] = { .type = NLA_U32 },
+ [RTA_PRIORITY] = { .type = NLA_U32 },
+ [RTA_METRICS] = { .type = NLA_NESTED },
++ [RTA_TABLE] = { .type = NLA_U32 },
+ [RTA_MULTIPATH] = { .len = sizeof(struct rtnexthop) },
+ [RTA_PREF] = { .type = NLA_U8 },
+ [RTA_ENCAP_TYPE] = { .type = NLA_U16 },
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 67f2e72723b2..2764c4bd072c 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -606,6 +606,13 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OL2TP)
+ goto end;
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 1e698768aca8..09f2f3471ad6 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -197,9 +197,19 @@ static int llc_ui_release(struct socket *sock)
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+- if (!sock_flag(sk, SOCK_ZAPPED))
++ if (!sock_flag(sk, SOCK_ZAPPED)) {
++ struct llc_sap *sap = llc->sap;
++
++ /* Hold this for release_sock(), so that llc_backlog_rcv()
++ * could still use it.
++ */
++ llc_sap_hold(sap);
+ llc_sap_remove_socket(llc->sap, sk);
+- release_sock(sk);
++ release_sock(sk);
++ llc_sap_put(sap);
++ } else {
++ release_sock(sk);
++ }
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
+diff --git a/net/llc/llc_c_ac.c b/net/llc/llc_c_ac.c
+index ea225bd2672c..f8d4ab8ca1a5 100644
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -1096,14 +1096,7 @@ int llc_conn_ac_inc_tx_win_size(struct sock *sk, struct sk_buff *skb)
+
+ int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
+ {
+- struct llc_sock *llc = llc_sk(sk);
+-
+- del_timer(&llc->pf_cycle_timer.timer);
+- del_timer(&llc->ack_timer.timer);
+- del_timer(&llc->rej_sent_timer.timer);
+- del_timer(&llc->busy_state_timer.timer);
+- llc->ack_must_be_send = 0;
+- llc->ack_pf = 0;
++ llc_sk_stop_all_timers(sk, false);
+ return 0;
+ }
+
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
+index 8bc5a1bd2d45..d861b74ad068 100644
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -951,6 +951,26 @@ out:
+ return sk;
+ }
+
++void llc_sk_stop_all_timers(struct sock *sk, bool sync)
++{
++ struct llc_sock *llc = llc_sk(sk);
++
++ if (sync) {
++ del_timer_sync(&llc->pf_cycle_timer.timer);
++ del_timer_sync(&llc->ack_timer.timer);
++ del_timer_sync(&llc->rej_sent_timer.timer);
++ del_timer_sync(&llc->busy_state_timer.timer);
++ } else {
++ del_timer(&llc->pf_cycle_timer.timer);
++ del_timer(&llc->ack_timer.timer);
++ del_timer(&llc->rej_sent_timer.timer);
++ del_timer(&llc->busy_state_timer.timer);
++ }
++
++ llc->ack_must_be_send = 0;
++ llc->ack_pf = 0;
++}
++
+ /**
+ * llc_sk_free - Frees a LLC socket
+ * @sk - socket to free
+@@ -963,7 +983,7 @@ void llc_sk_free(struct sock *sk)
+
+ llc->state = LLC_CONN_OUT_OF_SVC;
+ /* Stop all (possibly) running timers */
+- llc_conn_ac_stop_all_timers(sk, NULL);
++ llc_sk_stop_all_timers(sk, true);
+ #ifdef DEBUG_LLC_CONN_ALLOC
+ printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
+ skb_queue_len(&llc->pdu_unack_q),
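Review bot: `llc_sk_stop_all_timers()` is added to net/llc/llc_conn.c and declared in include/net/llc_conn.h without any comment, while `llc_sk_free()` directly below it carries a kernel-doc block. The `sync` flag selects `del_timer_sync()` over `del_timer()`, and the two callers in this patch differ in exactly that (`false` from llc_conn_ac_stop_all_timers, `true` from llc_sk_free), so the contract belongs at the definition. I would add a kernel-doc header describing `@sk` and `@sync`, saying that `sync == true` waits for timer handlers that are still running before returning and is meant for the teardown path; which contexts may safely pass `true` depends on the timer callbacks, which are not visible here, and should be confirmed before it is written down.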
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 92ca3e106c2b..f165514a4db5 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -332,11 +332,11 @@ static void packet_pick_tx_queue(struct net_device *dev, struct sk_buff *skb)
+ skb_set_queue_mapping(skb, queue_index);
+ }
+
+-/* register_prot_hook must be invoked with the po->bind_lock held,
++/* __register_prot_hook must be invoked through register_prot_hook
+ * or from a context in which asynchronous accesses to the packet
+ * socket is not possible (packet_create()).
+ */
+-static void register_prot_hook(struct sock *sk)
++static void __register_prot_hook(struct sock *sk)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
+@@ -351,8 +351,13 @@ static void register_prot_hook(struct sock *sk)
+ }
+ }
+
+-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+- * held. If the sync parameter is true, we will temporarily drop
++static void register_prot_hook(struct sock *sk)
++{
++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
++ __register_prot_hook(sk);
++}
++
++/* If the sync parameter is true, we will temporarily drop
+ * the po->bind_lock and do a synchronize_net to make sure no
+ * asynchronous packet processing paths still refer to the elements
+ * of po->prot_hook.
If the sync parameter is false, it is the
+@@ -362,6 +367,8 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
++ lockdep_assert_held_once(&po->bind_lock);
++
+ po->running = 0;
+
+ if (po->fanout)
+@@ -2892,6 +2899,7 @@ static int packet_release(struct socket *sock)
+
+ packet_flush_mclist(sk);
+
++ lock_sock(sk);
+ if (po->rx_ring.pg_vec) {
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 0);
+@@ -2901,6 +2909,7 @@ static int packet_release(struct socket *sock)
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 1);
+ }
++ release_sock(sk);
+
+ f = fanout_release(sk);
+
+@@ -3134,7 +3143,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+
+ if (proto) {
+ po->prot_hook.type = proto;
+- register_prot_hook(sk);
++ __register_prot_hook(sk);
+ }
+
+ mutex_lock(&net->packet.sklist_lock);
+@@ -3570,6 +3579,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ union tpacket_req_u req_u;
+ int len;
+
++ lock_sock(sk);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+@@ -3580,14 +3590,21 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ len = sizeof(req_u.req3);
+ break;
+ }
+- if (optlen < len)
+- return -EINVAL;
+- if (pkt_sk(sk)->has_vnet_hdr)
+- return -EINVAL;
+- if (copy_from_user(&req_u.req, optval, len))
+- return -EFAULT;
+- return packet_set_ring(sk, &req_u, 0,
+- optname == PACKET_TX_RING);
++ if (optlen < len) {
++ ret = -EINVAL;
++ } else {
++ if (pkt_sk(sk)->has_vnet_hdr) {
++ ret = -EINVAL;
++ } else {
++ if (copy_from_user(&req_u.req, optval, len))
++ ret = -EFAULT;
++ else
++ ret = packet_set_ring(sk, &req_u, 0,
++ optname == PACKET_TX_RING);
++ }
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_COPY_THRESH:
+ {
+@@ -3653,12 +3670,18 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen
!= sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_loss = !!val;
+- return 0;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_loss = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_AUXDATA:
+ {
+@@ -3669,7 +3692,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->auxdata = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -3681,7 +3706,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->origdev = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_VNET_HDR:
+@@ -3690,15 +3717,20 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (sock->type != SOCK_RAW)
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- po->has_vnet_hdr = !!val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->has_vnet_hdr = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_TIMESTAMP:
+ {
+@@ -3736,11 +3768,17 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_tx_has_off = !!val;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_tx_has_off =
!!val;
++ ret = 0;
++ }
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_QDISC_BYPASS:
+@@ -4116,7 +4154,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
+- lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ WARN(1, "Tx-ring is not supported.\n");
+@@ -4252,7 +4289,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+- release_sock(sk);
+ return err;
+ }
+
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index d55bfc34d6b3..1309e2a7baad 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -109,10 +109,12 @@ struct packet_sock {
+ int copy_thresh;
+ spinlock_t bind_lock;
+ struct mutex pg_vec_lock;
+- unsigned int running:1, /* prot_hook is attached*/
+- auxdata:1,
++ unsigned int running; /* bind_lock must be held */
++ unsigned int auxdata:1, /* writer must hold sock lock */
+ origdev:1,
+- has_vnet_hdr:1;
++ has_vnet_hdr:1,
++ tp_loss:1,
++ tp_tx_has_off:1;
+ int pressure;
+ int ifindex; /* bound device */
+ __be16 num;
+@@ -122,8 +124,6 @@ struct packet_sock {
+ enum tpacket_versions tp_version;
+ unsigned int tp_hdrlen;
+ unsigned int tp_reserve;
+- unsigned int tp_loss:1;
+- unsigned int tp_tx_has_off:1;
+ unsigned int tp_tstamp;
+ struct net_device __rcu *cached_dev;
+ int (*xmit)(struct sk_buff *skb);
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index edb8514b4e00..1cd7b7e33fa3 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -519,46 +519,49 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
+ addr->v6.sin6_scope_id = 0;
+ }
+
+-/* Compare addresses exactly.
+- * v4-mapped-v6 is also in consideration.
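Review bot: In the `@@ -3736,11 +3768,17 @@` hunk of packet_setsockopt in net/packet/af_packet.c (the case that sets `po->tp_tx_has_off`), the new code stores `ret = -EBUSY` when a ring is already mapped, but the unchanged context line after `release_sock(sk);` is still `return 0;`, so the error is dropped and the caller is told the option was applied. The two cases rewritten the same way in this patch, the ones setting `po->tp_loss` and `po->has_vnet_hdr`, both end with `return ret;`; this case should match, i.e. change that line to `return ret;`. The declaration of `ret` and the surrounding switch are outside the hunk.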
+- */ +-static int sctp_v6_cmp_addr(const union sctp_addr *addr1, +- const union sctp_addr *addr2) ++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) + { + if (addr1->sa.sa_family != addr2->sa.sa_family) { + if (addr1->sa.sa_family == AF_INET && + addr2->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) { +- if (addr2->v6.sin6_port == addr1->v4.sin_port && +- addr2->v6.sin6_addr.s6_addr32[3] == +- addr1->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) && ++ addr2->v6.sin6_addr.s6_addr32[3] == ++ addr1->v4.sin_addr.s_addr) ++ return 1; ++ + if (addr2->sa.sa_family == AF_INET && + addr1->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) { +- if (addr1->v6.sin6_port == addr2->v4.sin_port && +- addr1->v6.sin6_addr.s6_addr32[3] == +- addr2->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) && ++ addr1->v6.sin6_addr.s6_addr32[3] == ++ addr2->v4.sin_addr.s_addr) ++ return 1; ++ + return 0; + } +- if (addr1->v6.sin6_port != addr2->v6.sin6_port) +- return 0; ++ + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; ++ + /* If this is a linklocal address, compare the scope_id. */ +- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { +- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && +- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) { +- return 0; +- } +- } ++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) && ++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && ++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id) ++ return 0; + + return 1; + } + ++/* Compare addresses exactly. ++ * v4-mapped-v6 is also in consideration. 
++ */ ++static int sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) ++{ ++ return __sctp_v6_cmp_addr(addr1, addr2) && ++ addr1->v6.sin6_port == addr2->v6.sin6_port; ++} ++ + /* Initialize addr struct to INADDR_ANY. */ + static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port) + { +@@ -843,8 +846,8 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1, + const union sctp_addr *addr2, + struct sctp_sock *opt) + { +- struct sctp_af *af1, *af2; + struct sock *sk = sctp_opt2sk(opt); ++ struct sctp_af *af1, *af2; + + af1 = sctp_get_af_specific(addr1->sa.sa_family); + af2 = sctp_get_af_specific(addr2->sa.sa_family); +@@ -860,10 +863,7 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1, + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) + return 1; + +- if (addr1->sa.sa_family != addr2->sa.sa_family) +- return 0; +- +- return af1->cmp_addr(addr1, addr2); ++ return __sctp_v6_cmp_addr(addr1, addr2); + } + + /* Verify that the provided sockaddr looks bindable. Common verification, +diff --git a/net/tipc/net.c b/net/tipc/net.c +index 77bf9113c7a7..2763bd369b79 100644 +--- a/net/tipc/net.c ++++ b/net/tipc/net.c +@@ -44,7 +44,8 @@ + + static const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_NET_ID] = { .type = NLA_U32 } ++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 }, ++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 }, + }; + + /* diff --git a/patch/kernel/mvebu-default/04-patch-4.4.130-131.patch b/patch/kernel/mvebu-default/04-patch-4.4.130-131.patch new file mode 100644 index 0000000000..0a4d3770d1 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.130-131.patch 
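Review bot: With the family check and the `af1->cmp_addr()` dispatch removed at the end of sctp_inet6_cmp_addr, a pair of AF_INET addresses now goes to `__sctp_v6_cmp_addr()`, which for equal families compares `v6.sin6_addr` and `v6.sin6_scope_id`. For a v4 sockaddr those union members do not hold the IPv4 address, so the result would not say whether the two addresses match. It looks as if v4/v4 pairs can reach this point, since `sctp_get_af_specific()` is called on each family separately, so they should be handled before the v6 helper: `if (addr1->sa.sa_family == AF_INET && addr2->sa.sa_family == AF_INET) return addr1->v4.sin_addr.s_addr == addr2->v4.sin_addr.s_addr;`. The new helper also lacks a comment saying that it deliberately ignores the port. sctp_inet6_cmp_addr starts outside the hunk.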
@@ -0,0 +1,1558 @@ +diff --git a/Makefile b/Makefile +index 151477d4d5e5..6ec65396a56d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 130 ++SUBLEVEL = 131 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/x86/include/uapi/asm/msgbuf.h b/arch/x86/include/uapi/asm/msgbuf.h +index 809134c644a6..90ab9a795b49 100644 +--- a/arch/x86/include/uapi/asm/msgbuf.h ++++ b/arch/x86/include/uapi/asm/msgbuf.h +@@ -1 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++#ifndef __ASM_X64_MSGBUF_H ++#define __ASM_X64_MSGBUF_H ++ ++#if !defined(__x86_64__) || !defined(__ILP32__) + #include ++#else ++/* ++ * The msqid64_ds structure for x86 architecture with x32 ABI. ++ * ++ * On x86-32 and x86-64 we can just use the generic definition, but ++ * x32 uses the same binary layout as x86_64, which is differnet ++ * from other 32-bit architectures. ++ */ ++ ++struct msqid64_ds { ++ struct ipc64_perm msg_perm; ++ __kernel_time_t msg_stime; /* last msgsnd time */ ++ __kernel_time_t msg_rtime; /* last msgrcv time */ ++ __kernel_time_t msg_ctime; /* last change time */ ++ __kernel_ulong_t msg_cbytes; /* current number of bytes on queue */ ++ __kernel_ulong_t msg_qnum; /* number of messages in queue */ ++ __kernel_ulong_t msg_qbytes; /* max number of bytes on queue */ ++ __kernel_pid_t msg_lspid; /* pid of last msgsnd */ ++ __kernel_pid_t msg_lrpid; /* last receive pid */ ++ __kernel_ulong_t __unused4; ++ __kernel_ulong_t __unused5; ++}; ++ ++#endif ++ ++#endif /* __ASM_GENERIC_MSGBUF_H */ +diff --git a/arch/x86/include/uapi/asm/shmbuf.h b/arch/x86/include/uapi/asm/shmbuf.h +index 83c05fc2de38..644421f3823b 100644 +--- a/arch/x86/include/uapi/asm/shmbuf.h ++++ b/arch/x86/include/uapi/asm/shmbuf.h +@@ -1 +1,43 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++#ifndef __ASM_X86_SHMBUF_H ++#define __ASM_X86_SHMBUF_H ++ ++#if !defined(__x86_64__) || !defined(__ILP32__) + #include ++#else 
++/* ++ * The shmid64_ds structure for x86 architecture with x32 ABI. ++ * ++ * On x86-32 and x86-64 we can just use the generic definition, but ++ * x32 uses the same binary layout as x86_64, which is differnet ++ * from other 32-bit architectures. ++ */ ++ ++struct shmid64_ds { ++ struct ipc64_perm shm_perm; /* operation perms */ ++ size_t shm_segsz; /* size of segment (bytes) */ ++ __kernel_time_t shm_atime; /* last attach time */ ++ __kernel_time_t shm_dtime; /* last detach time */ ++ __kernel_time_t shm_ctime; /* last change time */ ++ __kernel_pid_t shm_cpid; /* pid of creator */ ++ __kernel_pid_t shm_lpid; /* pid of last operator */ ++ __kernel_ulong_t shm_nattch; /* no. of current attaches */ ++ __kernel_ulong_t __unused4; ++ __kernel_ulong_t __unused5; ++}; ++ ++struct shminfo64 { ++ __kernel_ulong_t shmmax; ++ __kernel_ulong_t shmmin; ++ __kernel_ulong_t shmmni; ++ __kernel_ulong_t shmseg; ++ __kernel_ulong_t shmall; ++ __kernel_ulong_t __unused1; ++ __kernel_ulong_t __unused2; ++ __kernel_ulong_t __unused3; ++ __kernel_ulong_t __unused4; ++}; ++ ++#endif ++ ++#endif /* __ASM_X86_SHMBUF_H */ +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index fe89f938e0f0..00c7878043ef 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1442,6 +1442,8 @@ static inline void mwait_play_dead(void) + void *mwait_ptr; + int i; + ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) ++ return; + if (!this_cpu_has(X86_FEATURE_MWAIT)) + return; + if (!this_cpu_has(X86_FEATURE_CLFLUSH)) +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index f0099360039e..1accc01fb0ca 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev, + struct device_attribute *attr, char *buf) + { + struct amba_device *dev = to_amba_device(_dev); ++ ssize_t len; + +- if (!dev->driver_override) +- return 0; +- +- return sprintf(buf, "%s\n", dev->driver_override); ++ 
device_lock(_dev); ++ len = sprintf(buf, "%s\n", dev->driver_override); ++ device_unlock(_dev); ++ return len; + } + + static ssize_t driver_override_store(struct device *_dev, +@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev, + const char *buf, size_t count) + { + struct amba_device *dev = to_amba_device(_dev); +- char *driver_override, *old = dev->driver_override, *cp; ++ char *driver_override, *old, *cp; + +- if (count > PATH_MAX) ++ /* We need to keep extra room for a newline */ ++ if (count >= (PAGE_SIZE - 1)) + return -EINVAL; + + driver_override = kstrndup(buf, count, GFP_KERNEL); +@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev, + if (cp) + *cp = '\0'; + ++ device_lock(_dev); ++ old = dev->driver_override; + if (strlen(driver_override)) { + dev->driver_override = driver_override; + } else { + kfree(driver_override); + dev->driver_override = NULL; + } ++ device_unlock(_dev); + + kfree(old); + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index be0b09a0fb44..2aca689061e1 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id) + { + char debugfs_name[16]; + struct port *port; +- struct port_buffer *buf; + dev_t devt; + unsigned int nr_added_bufs; + int err; +@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id) + return 0; + + free_inbufs: +- while ((buf = virtqueue_detach_unused_buf(port->in_vq))) +- free_buf(buf, true); + free_device: + device_destroy(pdrvdata.class, port->dev->devt); + free_cdev: +@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref) + + static void remove_port_data(struct port *port) + { +- struct port_buffer *buf; +- + spin_lock_irq(&port->inbuf_lock); + /* Remove unused data this port might have received. 
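Review bot: `sprintf()` in driver_override_show writes into the sysfs buffer with no bound of its own and depends on the `count >= (PAGE_SIZE - 1)` limit that driver_override_store enforces in a different function; `len = scnprintf(buf, PAGE_SIZE, "%s\n", dev->driver_override);` keeps the bound next to the write. With the `!dev->driver_override` early return removed, an unset override is now passed to `%s` as NULL, which the kernel formatter prints as `(null)`, so a read returns that text instead of an empty string. A one-line comment saying this is intended would help the next reader.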
*/ + discard_port_data(port); + spin_unlock_irq(&port->inbuf_lock); + +- /* Remove buffers we queued up for the Host to send us data in. */ +- do { +- spin_lock_irq(&port->inbuf_lock); +- buf = virtqueue_detach_unused_buf(port->in_vq); +- spin_unlock_irq(&port->inbuf_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); +- + spin_lock_irq(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock_irq(&port->outvq_lock); +- +- /* Free pending buffers from the out-queue. */ +- do { +- spin_lock_irq(&port->outvq_lock); +- buf = virtqueue_detach_unused_buf(port->out_vq); +- spin_unlock_irq(&port->outvq_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); + } + + /* +@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work) + spin_unlock(&portdev->c_ivq_lock); + } + ++static void flush_bufs(struct virtqueue *vq, bool can_sleep) ++{ ++ struct port_buffer *buf; ++ unsigned int len; ++ ++ while ((buf = virtqueue_get_buf(vq, &len))) ++ free_buf(buf, can_sleep); ++} ++ + static void out_intr(struct virtqueue *vq) + { + struct port *port; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + wake_up_interruptible(&port->waitqueue); + } +@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq) + unsigned long flags; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + spin_lock_irqsave(&port->inbuf_lock, flags); + port->inbuf = get_inbuf(port); +@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = { + + static void remove_vqs(struct ports_device *portdev) + { ++ struct virtqueue *vq; ++ ++ virtio_device_for_each_vq(portdev->vdev, vq) { ++ struct port_buffer *buf; ++ ++ flush_bufs(vq, true); ++ while ((buf = virtqueue_detach_unused_buf(vq))) ++ free_buf(buf, true); ++ } + portdev->vdev->config->del_vqs(portdev->vdev); + kfree(portdev->in_vqs); + 
kfree(portdev->out_vqs); +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 5a0f8a745b9d..52436b3c01bb 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -324,7 +324,7 @@ retry: + ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->ctrlq.qlock); +- wait_event(vgdev->ctrlq.ack_queue, vq->num_free); ++ wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt); + spin_lock(&vgdev->ctrlq.qlock); + goto retry; + } else { +@@ -399,7 +399,7 @@ retry: + ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->cursorq.qlock); +- wait_event(vgdev->cursorq.ack_queue, vq->num_free); ++ wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt); + spin_lock(&vgdev->cursorq.qlock); + goto retry; + } else { +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c +index 286b97a304cf..4509ee0b294a 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -45,6 +45,7 @@ + #define I82802AB 0x00ad + #define I82802AC 0x00ac + #define PF38F4476 0x881c ++#define M28F00AP30 0x8963 + /* STMicroelectronics chips */ + #define M50LPW080 0x002F + #define M50FLW080A 0x0080 +@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi, + extp->MinorVersion = '1'; + } + ++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip) ++{ ++ /* ++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t ++ * Erase Supend for their small Erase Blocks(0x8000) ++ */ ++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30) ++ return 1; ++ return 0; ++} ++ + static inline struct cfi_pri_intelext * + read_pri_intelext(struct map_info *map, __u16 adr) + { +@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long + (mode == FL_WRITING && 
(cfip->SuspendCmdSupport & 1)))) + goto sleep; + ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; ++ ++ /* do not suspend small EBs, buggy Micron Chips */ ++ if (cfi_is_micron_28F00AP30(cfi, chip) && ++ (chip->in_progress_block_mask == ~(0x8000-1))) ++ goto sleep; + + /* Erase suspend */ +- map_write(map, CMD(0xB0), adr); ++ map_write(map, CMD(0xB0), chip->in_progress_block_addr); + + /* If the flash has finished erasing, then 'erase suspend' + * appears to make some (28F320) flash devices switch to + * 'read' mode. Make sure that we switch to 'read status' + * mode so we get the right data. --rmk + */ +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_ERASING; + chip->state = FL_ERASE_SUSPENDING; + chip->erase_suspended = 1; + for (;;) { +- status = map_read(map, adr); ++ status = map_read(map, chip->in_progress_block_addr); + if (map_word_andequal(map, status, status_OK, status_OK)) + break; + +@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad + sending the 0x70 (Read Status) command to an erasing + chip and expecting it to be ignored, that's what we + do. 
*/ +- map_write(map, CMD(0xd0), adr); +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0xd0), chip->in_progress_block_addr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_READY; + chip->state = FL_ERASING; + break; +@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + map_write(map, CMD(0xD0), adr); + chip->state = FL_ERASING; + chip->erase_suspended = 0; ++ chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + ret = INVAL_CACHE_AND_WAIT(map, chip, adr, + adr, len, +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index c3624eb571d1..31448a2b39ae 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr + (mode == FL_WRITING && (cfip->EraseSuspend & 0x2)))) + goto sleep; + +- /* We could check to see if we're trying to access the sector +- * that is currently being erased. However, no user will try +- * anything like that so we just wait for the timeout. 
*/ ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; + + /* Erase suspend */ + /* It's harmless to issue the Erase-Suspend and Erase-Resume +@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(map->size - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, map->size, +@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, len, +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index dd72205ba298..8c9e4a3ec3fb 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1929,6 +1929,8 @@ sd_spinup_disk(struct scsi_disk *sdkp) + break; /* standby */ + if (sshdr.asc == 4 && sshdr.ascq == 0xc) + break; /* unavailable */ ++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b) ++ break; /* sanitize in progress */ + /* + * Issue command to spin up drive when not ready + */ +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 78bd121ecede..6060c3e8925e 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -137,6 +137,9 @@ struct gsm_dlci { + struct mutex mutex; + + /* Link layer */ ++ int mode; ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */ ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */ + spinlock_t lock; /* Protects the internal state */ + struct timer_list t1; /* Retransmit timer for SABM and UA */ + int retries; +@@ -1380,7 +1383,13 @@ retry: + ctrl->data = data; + ctrl->len = clen; + gsm->pending_cmd = ctrl; +- gsm->cretries = gsm->n2; ++ ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */ ++ if 
(gsm->dlci[0]->mode == DLCI_MODE_ADM) ++ gsm->cretries = 1; ++ else ++ gsm->cretries = gsm->n2; ++ + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100); + gsm_control_transmit(gsm, ctrl); + spin_unlock_irqrestore(&gsm->control_lock, flags); +@@ -1488,6 +1497,7 @@ static void gsm_dlci_t1(unsigned long data) + if (debug & 8) + pr_info("DLCI %d opening in ADM mode.\n", + dlci->addr); ++ dlci->mode = DLCI_MODE_ADM; + gsm_dlci_open(dlci); + } else { + gsm_dlci_close(dlci); +@@ -2881,11 +2891,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk) + static int gsm_carrier_raised(struct tty_port *port) + { + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port); ++ struct gsm_mux *gsm = dlci->gsm; ++ + /* Not yet open so no carrier info */ + if (dlci->state != DLCI_OPEN) + return 0; + if (debug & 2) + return 1; ++ ++ /* ++ * Basic mode with control channel in ADM mode may not respond ++ * to CMD_MSC at all and modem_rx is empty. ++ */ ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM && ++ !dlci->modem_rx) ++ return 1; ++ + return dlci->modem_rx & TIOCM_CD; + } + +diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c +index 3eb57eb532f1..02147361eaa9 100644 +--- a/drivers/tty/serial/serial_mctrl_gpio.c ++++ b/drivers/tty/serial/serial_mctrl_gpio.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #include "serial_mctrl_gpio.h" + +@@ -193,6 +194,7 @@ struct mctrl_gpios *mctrl_gpio_init(struct uart_port *port, unsigned int idx) + + return gpios; + } ++EXPORT_SYMBOL_GPL(mctrl_gpio_init); + + void mctrl_gpio_free(struct device *dev, struct mctrl_gpios *gpios) + { +@@ -247,3 +249,6 @@ void mctrl_gpio_disable_ms(struct mctrl_gpios *gpios) + disable_irq(gpios->irq[i]); + } + } ++EXPORT_SYMBOL_GPL(mctrl_gpio_disable_ms); ++ ++MODULE_LICENSE("GPL"); +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 89fd20382ce4..198451fa9e5d 100644 +--- a/drivers/tty/tty_io.c ++++ 
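Review bot: Both new tests of `gsm->dlci[0]->mode` (in the control-send path after `retry:` and in gsm_carrier_raised) dereference `gsm->dlci[0]` without checking it. Nothing in these hunks shows that the control channel is always allocated when they run, so this should be confirmed against the mux setup and teardown paths or guarded, for example `if (gsm->dlci[0] && gsm->dlci[0]->mode == DLCI_MODE_ADM)`. The function containing `retry:` starts outside its hunk.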
b/drivers/tty/tty_io.c +@@ -3154,7 +3154,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) + + kref_init(&tty->kref); + tty->magic = TTY_MAGIC; +- tty_ldisc_init(tty); ++ if (tty_ldisc_init(tty)) { ++ kfree(tty); ++ return NULL; ++ } + tty->session = NULL; + tty->pgrp = NULL; + mutex_init(&tty->legacy_mutex); +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index 9bee25cfa0be..d9e013dc2c08 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -168,12 +168,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + return ERR_CAST(ldops); + } + +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL); +- if (ld == NULL) { +- put_ldops(ldops); +- return ERR_PTR(-ENOMEM); +- } +- ++ /* ++ * There is no way to handle allocation failure of only 16 bytes. ++ * Let's simplify error handling and save more memory. ++ */ ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL); + ld->ops = ldops; + ld->tty = tty; + +@@ -804,12 +803,13 @@ void tty_ldisc_release(struct tty_struct *tty) + * the tty structure is not completely set up when this call is made. 
+ */ + +-void tty_ldisc_init(struct tty_struct *tty) ++int tty_ldisc_init(struct tty_struct *tty) + { + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY); + if (IS_ERR(ld)) +- panic("n_tty: init_tty"); ++ return PTR_ERR(ld); + tty->ldisc = ld; ++ return 0; + } + + /** +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 87a83d925eea..9c4f9b6e57e2 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2339,6 +2339,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd) + + spin_lock_irqsave (&hcd_root_hub_lock, flags); + if (hcd->rh_registered) { ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0); + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags); + queue_work(pm_wq, &hcd->wakeup_work); + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 0f38f577c047..6d84f6c8fbe6 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -632,12 +632,17 @@ void usb_wakeup_notification(struct usb_device *hdev, + unsigned int portnum) + { + struct usb_hub *hub; ++ struct usb_port *port_dev; + + if (!hdev) + return; + + hub = usb_hub_to_struct_hub(hdev); + if (hub) { ++ port_dev = hub->ports[portnum - 1]; ++ if (port_dev && port_dev->child) ++ pm_wakeup_event(&port_dev->child->dev, 0); ++ + set_bit(portnum, hub->wakeup_bits); + kick_hub_wq(hub); + } +@@ -3361,8 +3366,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + + /* Skip the initial Clear-Suspend step for a remote wakeup */ + status = hub_port_status(hub, port1, &portstatus, &portchange); +- if (status == 0 && !port_is_suspended(hub, portstatus)) ++ if (status == 0 && !port_is_suspended(hub, portstatus)) { ++ if (portchange & USB_PORT_STAT_C_SUSPEND) ++ pm_wakeup_event(&udev->dev, 0); + goto SuspendCleared; ++ } + + /* see 7.1.7.7; affects power usage, but not budgeting */ + if (hub_is_superspeed(hub->hdev)) +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 4f1c6f8d4352..40ce175655e6 100644 +--- a/drivers/usb/core/quirks.c 
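Review bot: `hub->ports[portnum - 1]` in usb_wakeup_notification indexes the port array with a value that is not range-checked in this function; a `portnum` of 0 or above the hub's port count would read outside the array before `pm_wakeup_event()` is called. Callers may already guarantee the range, but that is not visible here, so a guard ahead of the lookup is cheap: `if (portnum == 0 || portnum > hdev->maxchild) return;`. The function's closing lines are outside the hunk.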
++++ b/drivers/usb/core/quirks.c +@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x03f0, 0x0701), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, + ++ /* HP v222w 16GB Mini USB Drive */ ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index 584ae8cbaf1c..77c3ebe860c5 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE + - Fundamental Software dongle. + - Google USB serial devices + - HP4x calculators ++ - Libtransistor USB console + - a number of Motorola phones + - Motorola Tetra devices + - Novatel Wireless GPS receivers +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 64a4427678b0..32cadca198b2 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -210,6 +210,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */ + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */ + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */ ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */ + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */ + { } /* Terminating Entry */ + }; +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index a224c7a3ce09..3e5b189a79b4 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1911,7 +1911,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial) + return ftdi_jtag_probe(serial); + + if (udev->product && +- (!strcmp(udev->product, "BeagleBone/XDS100V2") || ++ (!strcmp(udev->product, "Arrow USB Blaster") || ++ !strcmp(udev->product, "BeagleBone/XDS100V2") || + !strcmp(udev->product, "SNAP Connect E10"))) + 
return ftdi_jtag_probe(serial); + +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 6aa7ff2c1cf7..2674da40d9cd 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* Libtransistor USB console */ ++#define LIBTRANSISTOR_IDS() \ ++ { USB_DEVICE(0x1209, 0x8b00) } ++DEVICE(libtransistor, LIBTRANSISTOR_IDS); ++ + /* ViVOpay USB Serial Driver */ + #define VIVOPAY_IDS() \ + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &funsoft_device, + &flashloader_device, + &google_device, ++ &libtransistor_device, + &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, +@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = { + FUNSOFT_IDS(), + FLASHLOADER_IDS(), + GOOGLE_IDS(), ++ LIBTRANSISTOR_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index 325b4c05acdd..f761e02e75c9 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -201,7 +201,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf, + if (!bid) + return -ENODEV; + ++ /* device_attach() callers should hold parent lock for USB */ ++ if (bid->udev->dev.parent) ++ device_lock(bid->udev->dev.parent); + ret = device_attach(&bid->udev->dev); ++ if (bid->udev->dev.parent) ++ device_unlock(bid->udev->dev.parent); + if (ret < 0) { + dev_err(&bid->udev->dev, "rebind failed\n"); + return ret; +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index f875ccaa55f9..0fc5ace57c0e 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -248,7 +248,7 @@ enum usbip_side { + #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | 
USBIP_EH_RESET) + #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index 78c51ce913db..c57a94f1c198 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -320,6 +320,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_grpblk_t offset; + ext4_grpblk_t next_zero_bit; ++ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb); + ext4_fsblk_t blk; + ext4_fsblk_t group_first_block; + +@@ -337,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb, + /* check whether block bitmap block number is set */ + blk = ext4_block_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode bitmap block number is set */ + blk = ext4_inode_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode table block number is set */ + blk = ext4_inode_table(sb, desc); + offset = blk - group_first_block; ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit) ++ return blk; + next_zero_bit = ext4_find_next_zero_bit(bh->b_data, + EXT4_B2C(sbi, offset + 
EXT4_SB(sb)->s_itb_per_group), + EXT4_B2C(sbi, offset)); +@@ -416,6 +422,7 @@ struct buffer_head * + ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh; + ext4_fsblk_t bitmap_blk; + int err; +@@ -424,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + if (!desc) + return ERR_PTR(-EFSCORRUPTED); + bitmap_blk = ext4_block_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid block bitmap block %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot get buffer for block bitmap - " +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 403c4bae3e18..4705c21f9d03 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5380,8 +5380,9 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + stop = le32_to_cpu(extent->ee_block); + + /* +- * In case of left shift, Don't start shifting extents until we make +- * sure the hole is big enough to accommodate the shift. ++ * For left shifts, make sure the hole on the left is big enough to ++ * accommodate the shift. For right shifts, make sure the last extent ++ * won't be shifted beyond EXT_MAX_BLOCKS. 
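Review bot: The inode-table bound in ext4_valid_block_bitmap tests the block one past the table, `EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit`, so a table whose last block is the last block of the group appears to be reported as corrupt even though every table block lies inside the group. Testing the last block itself avoids that: `EXT4_B2C(sbi, offset + sbi->s_itb_per_group - 1) >= max_bit`. The new check reads `sbi->s_itb_per_group` while the unchanged call below it uses `EXT4_SB(sb)->s_itb_per_group`; using `sbi` in both keeps them visibly the same value. The function starts outside the hunk.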
+ */ + if (SHIFT == SHIFT_LEFT) { + path = ext4_find_extent(inode, start - 1, &path, +@@ -5401,9 +5402,14 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + + if ((start == ex_start && shift > ex_start) || + (shift > start - ex_end)) { +- ext4_ext_drop_refs(path); +- kfree(path); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; ++ } ++ } else { ++ if (shift > EXT_MAX_BLOCKS - ++ (stop + ext4_ext_get_actual_len(extent))) { ++ ret = -EINVAL; ++ goto out; + } + } + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index e10c12f59c58..9fe55b7d4c2c 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -119,6 +119,7 @@ static struct buffer_head * + ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh = NULL; + ext4_fsblk_t bitmap_blk; + int err; +@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + return ERR_PTR(-EFSCORRUPTED); + + bitmap_blk = ext4_inode_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid inode bitmap blk %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot read inode bitmap - " +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index a2e724053919..f3a31f55f372 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -527,6 +527,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type, + */ + ret = start_this_handle(journal, handle, GFP_NOFS); + if (ret < 0) { ++ handle->h_journal = journal; + jbd2_journal_free_reserved(handle); + return ret; + } +diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h +index b63fa457febd..3529683f691e 100644 +--- 
a/include/linux/mtd/flashchip.h ++++ b/include/linux/mtd/flashchip.h +@@ -85,6 +85,7 @@ struct flchip { + unsigned int write_suspended:1; + unsigned int erase_suspended:1; + unsigned long in_progress_block_addr; ++ unsigned long in_progress_block_mask; + + struct mutex mutex; + wait_queue_head_t wq; /* Wait on here when we're waiting for the chip +diff --git a/include/linux/tty.h b/include/linux/tty.h +index d67ceb3f5958..812cdd8cff22 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -586,7 +586,7 @@ extern int tty_unregister_ldisc(int disc); + extern int tty_set_ldisc(struct tty_struct *tty, int ldisc); + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty); + extern void tty_ldisc_release(struct tty_struct *tty); +-extern void tty_ldisc_init(struct tty_struct *tty); ++extern int __must_check tty_ldisc_init(struct tty_struct *tty); + extern void tty_ldisc_deinit(struct tty_struct *tty); + extern void tty_ldisc_begin(void); + +diff --git a/include/linux/virtio.h b/include/linux/virtio.h +index 8f4d4bfa6d46..d7844d215381 100644 +--- a/include/linux/virtio.h ++++ b/include/linux/virtio.h +@@ -124,6 +124,9 @@ int virtio_device_freeze(struct virtio_device *dev); + int virtio_device_restore(struct virtio_device *dev); + #endif + ++#define virtio_device_for_each_vq(vdev, vq) \ ++ list_for_each_entry(vq, &vdev->vqs, list) ++ + /** + * virtio_driver - operations for a virtio I/O driver + * @driver: underlying device driver (populate name and owner). 
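Review bot: The new `virtio_device_for_each_vq` macro in include/linux/virtio.h expands its `vdev` argument unparenthesised in `&vdev->vqs`, so any argument that is an expression rather than a plain identifier will bind incorrectly. Writing the body as `list_for_each_entry(vq, &(vdev)->vqs, list)` makes it safe for any pointer expression. Because this wraps the non-`_safe` list iterator, a short comment that the vq list must not be modified inside the loop body would help callers.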
+diff --git a/include/sound/control.h b/include/sound/control.h +index 21d047f229a1..4142757080f8 100644 +--- a/include/sound/control.h ++++ b/include/sound/control.h +@@ -22,6 +22,7 @@ + * + */ + ++#include + #include + + #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data) +@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type); + + static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->numid - kctl->id.numid; ++ unsigned int ioff = id->numid - kctl->id.numid; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->index - kctl->id.index; ++ unsigned int ioff = id->index - kctl->id.index; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) +diff --git a/lib/kobject.c b/lib/kobject.c +index 7cbccd2b4c72..895edb63fba4 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj) + + /* be noisy on error issues */ + if (error == -EEXIST) +- WARN(1, "%s failed for %s with " +- "-EEXIST, don't try to register things with " +- "the same name in the same directory.\n", +- __func__, kobject_name(kobj)); ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", ++ __func__, kobject_name(kobj)); + else +- WARN(1, "%s failed for %s (error: %d parent: %s)\n", +- __func__, kobject_name(kobj), error, +- parent ? kobject_name(parent) : "'none'"); ++ pr_err("%s failed for %s (error: %d parent: %s)\n", ++ __func__, kobject_name(kobj), error, ++ parent ? 
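Review bot: In `snd_ctl_get_ioffnum()` and `snd_ctl_get_ioffidx()` (hunk `@@ -147,12 +148,14 @@`) the new `array_index_nospec(ioff, kctl->count)` is not preceded by any visible bounds check, and that helper clamps an out-of-range index to 0 rather than reporting an error. It is a speculation barrier, not validation, so a caller passing an id that does not belong to `kctl` would silently get offset 0; the real range check presumably lives in the control lookup code outside this hunk. A comment on both helpers, e.g. `/* caller guarantees id lies within kctl; nospec only blocks speculative out-of-bounds use */`, would stop the next reader from treating the clamp as the bounds check.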
kobject_name(parent) : "'none'"); + } else + kobj->state_in_sysfs = 1; + +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index a6b2f2138c9d..ad3c9e96a275 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connection *con) + int ret = 1; + + dout("try_write start %p state %lu\n", con, con->state); ++ if (con->state != CON_STATE_PREOPEN && ++ con->state != CON_STATE_CONNECTING && ++ con->state != CON_STATE_NEGOTIATING && ++ con->state != CON_STATE_OPEN) ++ return 0; + + more: + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); +@@ -2556,6 +2561,8 @@ more: + } + + more_kvec: ++ BUG_ON(!con->sock); ++ + /* kvec data queued? */ + if (con->out_kvec_left) { + ret = write_partial_kvec(con); +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index ce2954a31238..3de88974eeb6 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2727,6 +2727,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream, + sync_ptr.s.status.hw_ptr = status->hw_ptr; + sync_ptr.s.status.tstamp = status->tstamp; + sync_ptr.s.status.suspended_state = status->suspended_state; ++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp; + snd_pcm_stream_unlock_irq(substream); + if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr))) + return -EFAULT; +diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c +index c3908862bc8b..86ca584c27b2 100644 +--- a/sound/core/seq/oss/seq_oss_event.c ++++ b/sound/core/seq/oss/seq_oss_event.c +@@ -26,6 +26,7 @@ + #include + #include "seq_oss_readq.h" + #include "seq_oss_writeq.h" ++#include + + + /* +@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch 
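Review bot: `BUG_ON(!con->sock)` at the `more_kvec:` label in try_write() (net/ceph/messenger.c, hunk `@@ -2556,6 +2561,8 @@`) turns a connection state inconsistency into a whole-kernel panic. The state test added at the top of the function in the previous hunk appears intended to make this case unreachable, so a recoverable form is enough to catch regressions, for example `if (WARN_ON_ONCE(!con->sock)) return 0;` mirroring the new early return. The return value should be confirmed against how the caller handles it, since the rest of try_write() and its caller are outside the hunk.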
(info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (note == 255 && info->ch[ch].note >= 0) { + /* volume control */ + int type; +@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch (info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (info->ch[ch].note >= 0) { + note = info->ch[ch].note; + info->ch[ch].vel = 0; +@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + static int + set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, + static int + set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev) + { +- if (! 
snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c +index b30b2139e3f0..9debd1b8fd28 100644 +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -29,6 +29,7 @@ + #include "../seq_lock.h" + #include + #include ++#include + + + /* +@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_mididev) + return NULL; ++ dev = array_index_nospec(dev, dp->max_mididev); + return get_mdev(dev); + } + +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index b16dbef04174..ea545f9291b4 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + /* + * constants +@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) + dp->max_synthdev = 0; + } + +-/* +- * check if the specified device is MIDI mapped device +- */ +-static int +-is_midi_dev(struct seq_oss_devinfo *dp, int dev) ++static struct seq_oss_synthinfo * ++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_synthdev) +- return 0; +- if (dp->synths[dev].is_midi) +- return 1; +- return 0; ++ return NULL; ++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS); ++ return &dp->synths[dev]; + } + + /* +@@ -359,14 +356,20 @@ static struct seq_oss_synth * + get_synthdev(struct seq_oss_devinfo *dp, int dev) + { + struct seq_oss_synth *rec; +- if (dev < 0 || dev >= dp->max_synthdev) +- return NULL; +- if (! 
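Review bot: `get_synthinfo_nospec()` in sound/core/seq/oss/seq_oss_synth.c (hunk `@@ -339,17 +340,13 @@`) range-checks `dev` against `dp->max_synthdev` but clamps it with `array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS)`, so the speculative bound is wider than the architectural one. That keeps the access inside `dp->synths[]`, presumably sized by that constant, but still allows speculative reads of slots at or above `max_synthdev`. Using the same bound, `dev = array_index_nospec(dev, dp->max_synthdev);`, would make the two agree. If the constant is deliberate, the helper needs a comment saying so, and it currently has no header comment at all while the one for the removed `is_midi_dev()` was dropped.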
dp->synths[dev].opened) ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); ++ ++ if (!info) + return NULL; +- if (dp->synths[dev].is_midi) +- return &midi_synth_dev; +- if ((rec = get_sdev(dev)) == NULL) ++ if (!info->opened) + return NULL; ++ if (info->is_midi) { ++ rec = &midi_synth_dev; ++ snd_use_lock_use(&rec->use_lock); ++ } else { ++ rec = get_sdev(dev); ++ if (!rec) ++ return NULL; ++ } + if (! rec->opened) { + snd_use_lock_free(&rec->use_lock); + return NULL; +@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev) + struct seq_oss_synth *rec; + struct seq_oss_synthinfo *info; + +- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev)) +- return; +- info = &dp->synths[dev]; +- if (! info->opened) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || !info->opened) + return; + if (info->sysex) + info->sysex->len = 0; /* reset sysex */ +@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (dev < 0 || dev >= dp->max_synthdev) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info) + return -ENXIO; + +- if (is_midi_dev(dp, dev)) ++ if (info->is_midi) + return 0; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; +@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + if (rec->oper.load_patch == NULL) + rc = -ENXIO; + else +- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c); ++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c); + snd_use_lock_free(&rec->use_lock); + return rc; + } + + /* +- * check if the device is valid synth device ++ * check if the device is valid synth device and return the synth info + */ +-int +-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev) ++struct seq_oss_synthinfo * ++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev) + { + 
struct seq_oss_synth *rec; ++ + rec = get_synthdev(dp, dev); + if (rec) { + snd_use_lock_free(&rec->use_lock); +- return 1; ++ return get_synthinfo_nospec(dp, dev); + } +- return 0; ++ return NULL; + } + + +@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int i, send; + unsigned char *dest; + struct seq_oss_synth_sysex *sysex; ++ struct seq_oss_synthinfo *info; + +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- sysex = dp->synths[dev].sysex; ++ sysex = info->sysex; + if (sysex == NULL) { + sysex = kzalloc(sizeof(*sysex), GFP_KERNEL); + if (sysex == NULL) + return -ENOMEM; +- dp->synths[dev].sysex = sysex; ++ info->sysex = sysex; + } + + send = 0; +@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int + snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev); ++ ++ if (!info) + return -EINVAL; +- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client, +- dp->synths[dev].arg.addr.port); ++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client, ++ info->arg.addr.port); + return 0; + } + +@@ -568,16 +576,18 @@ int + snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (is_midi_dev(dp, dev)) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; + if (rec->oper.ioctl == NULL) + rc = -ENXIO; + else +- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr); ++ rc = rec->oper.ioctl(&info->arg, cmd, addr); + snd_use_lock_free(&rec->use_lock); + return rc; + } +@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct 
seq_oss_devinfo *dp, int dev, unsigned int cmd, u + int + snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev)) ++ struct seq_oss_synthinfo *info; ++ ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + ev->type = SNDRV_SEQ_EVENT_OSS; + memcpy(ev->data.raw8.d, data, 8); +diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h +index 74ac55f166b6..a63f9e22974d 100644 +--- a/sound/core/seq/oss/seq_oss_synth.h ++++ b/sound/core/seq/oss/seq_oss_synth.h +@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp); + void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev); + int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c); +-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev); ++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, ++ int dev); + int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + struct snd_seq_event *ev); + int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev); +diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c +index ddcc1a325a61..42920a243328 100644 +--- a/sound/drivers/opl3/opl3_synth.c ++++ b/sound/drivers/opl3/opl3_synth.c +@@ -21,6 +21,7 @@ + + #include + #include ++#include + #include + #include + +@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + { + unsigned short reg_side; + unsigned char op_offset; +- unsigned char voice_offset; ++ unsigned char voice_offset, voice_op; + + unsigned short opl3_reg; + unsigned char reg_val; +@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + voice_offset = voice->voice - 
MAX_OPL2_VOICES; + } + /* Get register offset of operator */ +- op_offset = snd_opl3_regmap[voice_offset][voice->op]; ++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); ++ voice_op = array_index_nospec(voice->op, 4); ++ op_offset = snd_opl3_regmap[voice_offset][voice_op]; + + reg_val = 0x00; + /* Set amplitude modulation (tremolo) effect */ +diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c +index 7eb617175fde..a31a70dccecf 100644 +--- a/sound/pci/asihpi/hpimsginit.c ++++ b/sound/pci/asihpi/hpimsginit.c +@@ -23,6 +23,7 @@ + + #include "hpi_internal.h" + #include "hpimsginit.h" ++#include + + /* The actual message size for each object type */ + static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT; +@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object, + { + u16 size; + +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1); + size = msg_size[object]; +- else ++ } else { + size = sizeof(*phm); ++ } + + memset(phm, 0, size); + phm->size = size; +@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function, + { + u16 size; + +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1); + size = res_size[object]; +- else ++ } else { + size = sizeof(*phr); ++ } + + memset(phr, 0, sizeof(*phr)); + phr->size = size; +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index d17937b92331..7a32abbe0cef 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #ifdef MODULE_FIRMWARE + MODULE_FIRMWARE("asihpi/dsp5000.bin"); +@@ -182,7 +183,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + struct 
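Review bot: The second clamp added to snd_opl3_set_voice(), `array_index_nospec(voice->op, 4)`, hard-codes what is presumably the inner dimension of `snd_opl3_regmap`. Deriving it from the table, `voice_op = array_index_nospec(voice->op, ARRAY_SIZE(snd_opl3_regmap[0]));`, keeps the bound correct if the table ever changes. The hunk does not show where `voice->op` is range-checked, so it is worth confirming that a real check precedes this line, because array_index_nospec() maps an out-of-range value to 0 instead of failing. The function starts and ends outside the hunk.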
hpi_adapter *pa = NULL; + + if (hm->h.adapter_index < ARRAY_SIZE(adapters)) +- pa = &adapters[hm->h.adapter_index]; ++ pa = &adapters[array_index_nospec(hm->h.adapter_index, ++ ARRAY_SIZE(adapters))]; + + if (!pa || !pa->adapter || !pa->adapter->type) { + hpi_init_response(&hr->r0, hm->h.object, +diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c +index 57df06e76968..cc009a4a3d1d 100644 +--- a/sound/pci/hda/hda_hwdep.c ++++ b/sound/pci/hda/hda_hwdep.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include "hda_codec.h" + #include "hda_local.h" +@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec, + + if (get_user(verb, &arg->verb)) + return -EFAULT; +- res = get_wcaps(codec, verb >> 24); ++ /* open-code get_wcaps(verb>>24) with nospec */ ++ verb >>= 24; ++ if (verb < codec->core.start_nid || ++ verb >= codec->core.start_nid + codec->core.num_nodes) { ++ res = 0; ++ } else { ++ verb -= codec->core.start_nid; ++ verb = array_index_nospec(verb, codec->core.num_nodes); ++ res = codec->wcaps[verb]; ++ } + if (put_user(res, &arg->res)) + return -EFAULT; + return 0; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 8cb14e27988b..6a789278970e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -329,6 +329,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec) + break; + case 0x10ec0225: + case 0x10ec0233: ++ case 0x10ec0235: + case 0x10ec0236: + case 0x10ec0255: + case 0x10ec0256: +@@ -6296,6 +6297,7 @@ static int patch_alc269(struct hda_codec *codec) + case 0x10ec0298: + spec->codec_variant = ALC269_TYPE_ALC298; + break; ++ case 0x10ec0235: + case 0x10ec0255: + spec->codec_variant = ALC269_TYPE_ALC255; + break; +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index a4a999a0317e..1a0c0d16a279 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -137,6 +137,7 @@ + #include + #include + #include 
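Review bot: The open-coded lookup in get_wcap_ioctl() (sound/pci/hda/hda_hwdep.c, hunk `@@ -51,7 +52,16 @@`) reuses `verb` first as the raw verb, then as a node id after `verb >>= 24`, then as an array index after the subtraction, which makes the bounds logic harder to audit than it needs to be. Separate locals would make each comparison self-explanatory, e.g. `nid = verb >> 24;` followed by `idx = array_index_nospec(nid - codec->core.start_nid, codec->core.num_nodes);`. Since this now duplicates get_wcaps(), the existing comment could also say that the two must be kept in sync, or the clamp could move into get_wcaps() itself so that every caller benefits.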
++#include + + #include + #include +@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream, + struct snd_pcm_channel_info *info) + { + struct hdspm *hdspm = snd_pcm_substream_chip(substream); ++ unsigned int channel = info->channel; + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_out[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_out); ++ if (hdspm->channel_map_out[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_out[info->channel] * ++ info->offset = hdspm->channel_map_out[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } else { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_in[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_in); ++ if (hdspm->channel_map_in[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_in[info->channel] * ++ info->offset = hdspm->channel_map_in[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } + +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index fdbc0aa2776a..c253bdf92e36 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -26,6 +26,7 @@ + #include + #include 
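Review bot: In snd_hdspm_channel_info() (sound/pci/rme9652/hdspm.c, hunk `@@ -5692,40 +5693,43 @@`) the new local is declared `unsigned int channel`, but all four `dev_info()` calls still print it with `%d`. The specifier should follow the type, e.g. `"snd_hdspm_channel_info: output channel out of range (%u)\n"`, and likewise for the "mapped out" and input-side messages. Separately, `info->channel` looks like it originates from an ioctl argument, so `snd_BUG_ON()` on it may let userspace trigger a kernel warning on debug builds; a plain range test returning `-EINVAL` would be quieter if that is the case.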
+ #include ++#include + + #include + #include +@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream, + if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS)) + return -EINVAL; + +- if ((chn = rme9652->channel_map[info->channel]) < 0) { ++ chn = rme9652->channel_map[array_index_nospec(info->channel, ++ RME9652_NCHANNELS)]; ++ if (chn < 0) + return -EINVAL; +- } + + info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES; + info->first = 0; +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index 59f234e51971..e8adead8be00 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio, + + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8; + ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */ ++ if (ratio <= 256) { ++ pm = ratio; ++ fp = 1; ++ goto out; ++ } ++ + /* Set the max fluctuation -- 0.1% of the max devisor */ + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000; + +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c +index 1f8fb0d904e0..f5cf23ffb35b 100644 +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = { + /* + * Dell usb dock with ALC4020 codec had a firmware problem where it got + * screwed up when zero volume is passed; just skip it as a workaround ++ * ++ * Also the extension unit gives an access error, so skip it as well. + */ + static const struct usbmix_name_map dell_alc4020_map[] = { ++ { 4, NULL }, /* extension unit */ + { 16, NULL }, + { 19, NULL }, + { 0 } diff --git a/patch/kernel/mvebu-default/04-patch-4.4.131-132.patch b/patch/kernel/mvebu-default/04-patch-4.4.131-132.patch new file mode 100644 index 0000000000..c2f7c0270f --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.131-132.patch 
@@ -0,0 +1,2948 @@ +diff --git a/Makefile b/Makefile +index 6ec65396a56d..ace4a655548a 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 131 ++SUBLEVEL = 132 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index b011140e6b06..5ddb1debba95 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -118,8 +118,8 @@ struct kvm_stats_debugfs_item debugfs_entries[] = { + + /* upper facilities limit for kvm */ + unsigned long kvm_s390_fac_list_mask[] = { +- 0xffe6fffbfcfdfc40UL, +- 0x005e800000000000UL, ++ 0xffe6ffffffffffffUL, ++ 0x005effffffffffffUL, + }; + + unsigned long kvm_s390_fac_list_mask_size(void) +diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c +index b52a8d08ab36..fbf2edc3eb35 100644 +--- a/arch/x86/kernel/cpu/perf_event.c ++++ b/arch/x86/kernel/cpu/perf_event.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -297,17 +298,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event) + + config = attr->config; + +- cache_type = (config >> 0) & 0xff; ++ cache_type = (config >> 0) & 0xff; + if (cache_type >= PERF_COUNT_HW_CACHE_MAX) + return -EINVAL; ++ cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX); + + cache_op = (config >> 8) & 0xff; + if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX) + return -EINVAL; ++ cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX); + + cache_result = (config >> 16) & 0xff; + if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX) + return -EINVAL; ++ cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX); + + val = hw_cache_event_ids[cache_type][cache_op][cache_result]; + +@@ -404,6 +408,8 @@ int x86_setup_perfctr(struct perf_event *event) + if (attr->config >= x86_pmu.max_events) + return -EINVAL; + ++ attr->config = array_index_nospec((unsigned long)attr->config, 
x86_pmu.max_events); ++ + /* + * The generic map: + */ +diff --git a/arch/x86/kernel/cpu/perf_event_intel_cstate.c b/arch/x86/kernel/cpu/perf_event_intel_cstate.c +index 75a38b5a2e26..5b8c90935270 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_cstate.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_cstate.c +@@ -88,6 +88,7 @@ + #include + #include + #include ++#include + #include + #include "perf_event.h" + +@@ -409,6 +410,7 @@ static int cstate_pmu_event_init(struct perf_event *event) + } else if (event->pmu == &cstate_pkg_pmu) { + if (cfg >= PERF_CSTATE_PKG_EVENT_MAX) + return -EINVAL; ++ cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX); + if (!pkg_msr[cfg].attr) + return -EINVAL; + event->hw.event_base = pkg_msr[cfg].msr; +diff --git a/arch/x86/kernel/cpu/perf_event_msr.c b/arch/x86/kernel/cpu/perf_event_msr.c +index ec863b9a9f78..067427384a63 100644 +--- a/arch/x86/kernel/cpu/perf_event_msr.c ++++ b/arch/x86/kernel/cpu/perf_event_msr.c +@@ -1,4 +1,5 @@ + #include ++#include + + enum perf_msr_id { + PERF_MSR_TSC = 0, +@@ -115,9 +116,6 @@ static int msr_event_init(struct perf_event *event) + if (event->attr.type != event->pmu->type) + return -ENOENT; + +- if (cfg >= PERF_MSR_EVENT_MAX) +- return -EINVAL; +- + /* unsupported modes and filters */ + if (event->attr.exclude_user || + event->attr.exclude_kernel || +@@ -128,6 +126,11 @@ static int msr_event_init(struct perf_event *event) + event->attr.sample_period) /* no sampling */ + return -EINVAL; + ++ if (cfg >= PERF_MSR_EVENT_MAX) ++ return -EINVAL; ++ ++ cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX); ++ + if (!msr[cfg].attr) + return -EINVAL; + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index ca50eeb13097..b5953f1d1a18 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + void *private; + int err; + +- /* If caller uses non-allowed flag, return error. 
*/ +- if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) +- return -EINVAL; +- + if (sock->state == SS_CONNECTED) + return -EINVAL; + + if (addr_len != sizeof(*sa)) + return -EINVAL; + ++ /* If caller uses non-allowed flag, return error. */ ++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) ++ return -EINVAL; ++ + sa->salg_type[sizeof(sa->salg_type) - 1] = 0; + sa->salg_name[sizeof(sa->salg_name) - 1] = 0; + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 2d677ba46d77..60d6db82ce5a 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4243,6 +4243,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, + ++ /* Sandisk devices which are known to not handle LPM well */ ++ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c +index cecfb943762f..6eab52b92e01 100644 +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1456,6 +1457,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) + return -EFAULT; + if (pool < 0 || pool > ZATM_LAST_POOL) + return -EINVAL; ++ pool = array_index_nospec(pool, ++ ZATM_LAST_POOL + 1); + spin_lock_irqsave(&zatm_dev->lock, flags); + info = zatm_dev->pool_info[pool]; + if (cmd == ZATM_GETPOOLZ) { +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 7fca7cfd5b09..54cef3dc0beb 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -216,6 +216,7 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = 
BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, +@@ -246,7 +247,6 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, + + /* QCA ROME chipset */ +- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME }, +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 098e562bd579..9b97f70fbb3d 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1991,6 +1991,7 @@ void vmw_kms_helper_resource_finish(struct vmw_validation_ctx *ctx, + vmw_kms_helper_buffer_finish(res->dev_priv, NULL, ctx->buf, + out_fence, NULL); + ++ vmw_dmabuf_unreference(&ctx->buf); + vmw_resource_unreserve(res, false, NULL, 0); + mutex_unlock(&res->dev_priv->cmdbuf_mutex); + } +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index ea3bc9bb1b7a..2b9c00faca7d 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -675,7 +675,7 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file, + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- if (!rdma_addr_size_in6(&cmd.src_addr) || ++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) || + !rdma_addr_size_in6(&cmd.dst_addr)) + return -EINVAL; + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index cfcfbb6b84d7..c5390f6f94c5 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ 
b/drivers/infiniband/hw/mlx5/qp.c +@@ -231,7 +231,11 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct ib_qp_cap *cap, + } else { + if (ucmd) { + qp->rq.wqe_cnt = ucmd->rq_wqe_count; ++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)) ++ return -EINVAL; + qp->rq.wqe_shift = ucmd->rq_wqe_shift; ++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig) ++ return -EINVAL; + qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig; + qp->rq.max_post = qp->rq.wqe_cnt; + } else { +@@ -1348,18 +1352,18 @@ enum { + + static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate) + { +- if (rate == IB_RATE_PORT_CURRENT) { ++ if (rate == IB_RATE_PORT_CURRENT) + return 0; +- } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) { ++ ++ if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) + return -EINVAL; +- } else { +- while (rate != IB_RATE_2_5_GBPS && +- !(1 << (rate + MLX5_STAT_RATE_OFFSET) & +- MLX5_CAP_GEN(dev->mdev, stat_rate_support))) +- --rate; +- } + +- return rate + MLX5_STAT_RATE_OFFSET; ++ while (rate != IB_RATE_PORT_CURRENT && ++ !(1 << (rate + MLX5_STAT_RATE_OFFSET) & ++ MLX5_CAP_GEN(dev->mdev, stat_rate_support))) ++ --rate; ++ ++ return rate ? 
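Review bot: The shift guard added to set_rq_size() in hunk `@@ -231,7 +231,11 @@`, `if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))`, uses `>` and therefore accepts a shift equal to the full bit width of the field. The following lines evaluate `1 << qp->rq.wqe_shift` on a plain `int`, where a shift count of 31 overflows the sign bit and a count of 32 or more is undefined behaviour, and the value appears to come straight from the user command (`ucmd`). Tightening the test to the width of the shifted operand, `if (ucmd->rq_wqe_shift >= BITS_PER_BYTE * sizeof(int) - 1) return -EINVAL;`, or shifting `1U` together with a `>=` comparison, closes the gap. The declared type of `rq_wqe_shift` is not visible in this hunk, so the exact limit should be checked against it.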
rate + MLX5_STAT_RATE_OFFSET : rate; + } + + static int mlx5_set_path(struct mlx5_ib_dev *dev, const struct ib_ah_attr *ah, +diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c +index 766bf2660116..5f04b2d94635 100644 +--- a/drivers/input/input-leds.c ++++ b/drivers/input/input-leds.c +@@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler, + const struct input_device_id *id) + { + struct input_leds *leds; ++ struct input_led *led; + unsigned int num_leds; + unsigned int led_code; + int led_no; +@@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler, + + led_no = 0; + for_each_set_bit(led_code, dev->ledbit, LED_CNT) { +- struct input_led *led = &leds->leds[led_no]; ++ if (!input_led_info[led_code].name) ++ continue; + ++ led = &leds->leds[led_no]; + led->handle = &leds->handle; + led->code = led_code; + +- if (!input_led_info[led_code].name) +- continue; +- + led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", + dev_name(&dev->dev), + input_led_info[led_code].name); +diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c +index 2d5794ec338b..88dfe3008cf4 100644 +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -2522,6 +2522,15 @@ static const struct dmi_system_id mxt_dmi_table[] = { + }, + .driver_data = samus_platform_data, + }, ++ { ++ /* Samsung Chromebook Pro */ ++ .ident = "Samsung Chromebook Pro", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Google"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"), ++ }, ++ .driver_data = samus_platform_data, ++ }, + { + /* Other Google Chromebooks */ + .ident = "Chromebook", +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +index e2a239c1f40b..40a335c6b792 100644 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -1032,14 +1032,87 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, 
struct nand_chip *chip, + /* Loop over status bytes, accumulating ECC status. */ + status = auxiliary_virt + nfc_geo->auxiliary_status_offset; + ++ read_page_swap_end(this, buf, nfc_geo->payload_size, ++ this->payload_virt, this->payload_phys, ++ nfc_geo->payload_size, ++ payload_virt, payload_phys); ++ + for (i = 0; i < nfc_geo->ecc_chunk_count; i++, status++) { + if ((*status == STATUS_GOOD) || (*status == STATUS_ERASED)) + continue; + + if (*status == STATUS_UNCORRECTABLE) { ++ int eccbits = nfc_geo->ecc_strength * nfc_geo->gf_len; ++ u8 *eccbuf = this->raw_buffer; ++ int offset, bitoffset; ++ int eccbytes; ++ int flips; ++ ++ /* Read ECC bytes into our internal raw_buffer */ ++ offset = nfc_geo->metadata_size * 8; ++ offset += ((8 * nfc_geo->ecc_chunk_size) + eccbits) * (i + 1); ++ offset -= eccbits; ++ bitoffset = offset % 8; ++ eccbytes = DIV_ROUND_UP(offset + eccbits, 8); ++ offset /= 8; ++ eccbytes -= offset; ++ chip->cmdfunc(mtd, NAND_CMD_RNDOUT, offset, -1); ++ chip->read_buf(mtd, eccbuf, eccbytes); ++ ++ /* ++ * ECC data are not byte aligned and we may have ++ * in-band data in the first and last byte of ++ * eccbuf. Set non-eccbits to one so that ++ * nand_check_erased_ecc_chunk() does not count them ++ * as bitflips. ++ */ ++ if (bitoffset) ++ eccbuf[0] |= GENMASK(bitoffset - 1, 0); ++ ++ bitoffset = (bitoffset + eccbits) % 8; ++ if (bitoffset) ++ eccbuf[eccbytes - 1] |= GENMASK(7, bitoffset); ++ ++ /* ++ * The ECC hardware has an uncorrectable ECC status ++ * code in case we have bitflips in an erased page. As ++ * nothing was written into this subpage the ECC is ++ * obviously wrong and we can not trust it. We assume ++ * at this point that we are reading an erased page and ++ * try to correct the bitflips in buffer up to ++ * ecc_strength bitflips. If this is a page with random ++ * data, we exceed this number of bitflips and have a ++ * ECC failure. Otherwise we use the corrected buffer. 
++ */ ++ if (i == 0) { ++ /* The first block includes metadata */ ++ flips = nand_check_erased_ecc_chunk( ++ buf + i * nfc_geo->ecc_chunk_size, ++ nfc_geo->ecc_chunk_size, ++ eccbuf, eccbytes, ++ auxiliary_virt, ++ nfc_geo->metadata_size, ++ nfc_geo->ecc_strength); ++ } else { ++ flips = nand_check_erased_ecc_chunk( ++ buf + i * nfc_geo->ecc_chunk_size, ++ nfc_geo->ecc_chunk_size, ++ eccbuf, eccbytes, ++ NULL, 0, ++ nfc_geo->ecc_strength); ++ } ++ ++ if (flips > 0) { ++ max_bitflips = max_t(unsigned int, max_bitflips, ++ flips); ++ mtd->ecc_stats.corrected += flips; ++ continue; ++ } ++ + mtd->ecc_stats.failed++; + continue; + } ++ + mtd->ecc_stats.corrected += *status; + max_bitflips = max_t(unsigned int, max_bitflips, *status); + } +@@ -1062,11 +1135,6 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip, + chip->oob_poi[0] = ((uint8_t *) auxiliary_virt)[0]; + } + +- read_page_swap_end(this, buf, nfc_geo->payload_size, +- this->payload_virt, this->payload_phys, +- nfc_geo->payload_size, +- payload_virt, payload_phys); +- + return max_bitflips; + } + +diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c +index db1855b0e08f..59f891bebcc6 100644 +--- a/drivers/net/can/usb/kvaser_usb.c ++++ b/drivers/net/can/usb/kvaser_usb.c +@@ -1175,7 +1175,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev, + + skb = alloc_can_skb(priv->netdev, &cf); + if (!skb) { +- stats->tx_dropped++; ++ stats->rx_dropped++; + return; + } + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index b0ea8dee5f06..a6f0a8f516d6 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -631,6 +631,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 
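Review bot: In the STATUS_UNCORRECTABLE branch, `if (flips > 0)` sends a return of 0 from nand_check_erased_ecc_chunk() down the same path as a negative error, to `mtd->ecc_stats.failed++`. If 0 means the chunk read back as erased with no bitflips (the helper's contract is not visible in this hunk), a clean erased chunk would be counted as an ECC failure. Either test `if (flips >= 0)` or add a comment saying why 0 is treated as a failure here. The `chip->read_buf(mtd, eccbuf, eccbytes)` call also writes a computed length into `this->raw_buffer` with no visible bound, so a one-line comment stating why `eccbytes` always fits would help. gpmi_ecc_read_page() starts and ends outside the hunk.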
0x920d, 5)}, + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index ee638cb8b48f..0c23768aa1ec 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -67,6 +67,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA988X_BOARD_DATA_SZ, + .board_ext_size = QCA988X_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = QCA6174_HW_2_1_VERSION, +@@ -85,6 +86,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA6174_BOARD_DATA_SZ, + .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = QCA6174_HW_2_1_VERSION, +@@ -103,6 +105,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA6174_BOARD_DATA_SZ, + .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = QCA6174_HW_3_0_VERSION, +@@ -121,6 +124,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA6174_BOARD_DATA_SZ, + .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = QCA6174_HW_3_2_VERSION, +@@ -140,6 +144,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA6174_BOARD_DATA_SZ, + .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = QCA99X0_HW_2_0_DEV_VERSION, +@@ -159,6 +164,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA99X0_BOARD_DATA_SZ, + .board_ext_size = QCA99X0_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 1, + }, + { + .id = QCA9377_HW_1_0_DEV_VERSION, +@@ -177,6 +183,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA9377_BOARD_DATA_SZ, + .board_ext_size = QCA9377_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + { + .id = 
QCA9377_HW_1_1_DEV_VERSION, +@@ -195,6 +202,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .board_size = QCA9377_BOARD_DATA_SZ, + .board_ext_size = QCA9377_BOARD_EXT_DATA_SZ, + }, ++ .decap_align_bytes = 4, + }, + }; + +diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h +index 858d75f49a9f..257836a0cfbc 100644 +--- a/drivers/net/wireless/ath/ath10k/core.h ++++ b/drivers/net/wireless/ath/ath10k/core.h +@@ -670,6 +670,10 @@ struct ath10k { + size_t board_size; + size_t board_ext_size; + } fw; ++ ++ /* Number of bytes used for alignment in rx_hdr_status */ ++ int decap_align_bytes; ++ + } hw_params; + + const struct firmware *board; +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 6060dda4e910..d26cb37b1fbd 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -979,7 +979,7 @@ static void ath10k_process_rx(struct ath10k *ar, + *status = *rx_status; + + ath10k_dbg(ar, ATH10K_DBG_DATA, +- "rx skb %p len %u peer %pM %s %s sn %u %s%s%s%s%s %srate_idx %u vht_nss %u freq %u band %u flag 0x%x fcs-err %i mic-err %i amsdu-more %i\n", ++ "rx skb %p len %u peer %pM %s %s sn %u %s%s%s%s%s %srate_idx %u vht_nss %u freq %u band %u flag 0x%llx fcs-err %i mic-err %i amsdu-more %i\n", + skb, + skb->len, + ieee80211_get_SA(hdr), +@@ -1076,7 +1076,21 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar, + hdr = (void *)msdu->data; + + /* Tail */ +- skb_trim(msdu, msdu->len - ath10k_htt_rx_crypto_tail_len(ar, enctype)); ++ if (status->flag & RX_FLAG_IV_STRIPPED) { ++ skb_trim(msdu, msdu->len - ++ ath10k_htt_rx_crypto_tail_len(ar, enctype)); ++ } else { ++ /* MIC */ ++ if ((status->flag & RX_FLAG_MIC_STRIPPED) && ++ enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) ++ skb_trim(msdu, msdu->len - 8); ++ ++ /* ICV */ ++ if (status->flag & RX_FLAG_ICV_STRIPPED && ++ enctype != HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) ++ 
skb_trim(msdu, msdu->len - ++ ath10k_htt_rx_crypto_tail_len(ar, enctype)); ++ } + + /* MMIC */ + if (!ieee80211_has_morefrags(hdr->frame_control) && +@@ -1095,12 +1109,14 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar, + static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar, + struct sk_buff *msdu, + struct ieee80211_rx_status *status, +- const u8 first_hdr[64]) ++ const u8 first_hdr[64], ++ enum htt_rx_mpdu_encrypt_type enctype) + { + struct ieee80211_hdr *hdr; + size_t hdr_len; + u8 da[ETH_ALEN]; + u8 sa[ETH_ALEN]; ++ int bytes_aligned = ar->hw_params.decap_align_bytes; + + /* Delivered decapped frame: + * [nwifi 802.11 header] <-- replaced with 802.11 hdr +@@ -1123,6 +1139,14 @@ static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar, + /* push original 802.11 header */ + hdr = (struct ieee80211_hdr *)first_hdr; + hdr_len = ieee80211_hdrlen(hdr->frame_control); ++ ++ if (!(status->flag & RX_FLAG_IV_STRIPPED)) { ++ memcpy(skb_push(msdu, ++ ath10k_htt_rx_crypto_param_len(ar, enctype)), ++ (void *)hdr + round_up(hdr_len, bytes_aligned), ++ ath10k_htt_rx_crypto_param_len(ar, enctype)); ++ } ++ + memcpy(skb_push(msdu, hdr_len), hdr, hdr_len); + + /* original 802.11 header has a different DA and in +@@ -1180,6 +1204,7 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, + void *rfc1042; + u8 da[ETH_ALEN]; + u8 sa[ETH_ALEN]; ++ int bytes_aligned = ar->hw_params.decap_align_bytes; + + /* Delivered decapped frame: + * [eth header] <-- replaced with 802.11 hdr & rfc1042/llc +@@ -1203,6 +1228,14 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, + /* push original 802.11 header */ + hdr = (struct ieee80211_hdr *)first_hdr; + hdr_len = ieee80211_hdrlen(hdr->frame_control); ++ ++ if (!(status->flag & RX_FLAG_IV_STRIPPED)) { ++ memcpy(skb_push(msdu, ++ ath10k_htt_rx_crypto_param_len(ar, enctype)), ++ (void *)hdr + round_up(hdr_len, bytes_aligned), ++ ath10k_htt_rx_crypto_param_len(ar, enctype)); ++ } ++ + memcpy(skb_push(msdu, 
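Review bot: The MIC branch added to ath10k_htt_rx_h_undecap_raw() trims with a bare literal, `skb_trim(msdu, msdu->len - 8);`, while the ICV branch next to it uses ath10k_htt_rx_crypto_tail_len(). The 8 should be a named constant so the link to the CCMP MIC length is explicit: `skb_trim(msdu, msdu->len - IEEE80211_CCMP_MIC_LEN);`. All three trims subtract from `msdu->len` without checking that the frame is at least that long. A short comment on what happens for a runt frame would help, since the length comes from received data. The function starts and ends outside the hunk.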
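Review bot: The new copy in ath10k_htt_rx_h_undecap_nwifi() reads `ath10k_htt_rx_crypto_param_len(ar, enctype)` bytes from `first_hdr` at offset `round_up(hdr_len, bytes_aligned)`, and nothing in the hunk checks that offset plus length stays inside the 64-byte `first_hdr[64]` parameter. `hdr_len` is derived from the frame_control field of the received header, so the bound should be enforced, not assumed. Take the length once, `size_t crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);`, and skip the copy when `round_up(hdr_len, bytes_aligned) + crypto_len > RX_HTT_HDR_STATUS_LEN`. That also removes the duplicated helper call. The same pattern is added in the ath10k_htt_rx_h_undecap_eth() hunk (@@ -1203) and the ath10k_htt_rx_h_undecap_snap() hunk (@@ -1231), and all three function bodies continue outside their hunks.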
hdr_len), hdr, hdr_len); + + /* original 802.11 header has a different DA and in +@@ -1216,10 +1249,12 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar, + static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar, + struct sk_buff *msdu, + struct ieee80211_rx_status *status, +- const u8 first_hdr[64]) ++ const u8 first_hdr[64], ++ enum htt_rx_mpdu_encrypt_type enctype) + { + struct ieee80211_hdr *hdr; + size_t hdr_len; ++ int bytes_aligned = ar->hw_params.decap_align_bytes; + + /* Delivered decapped frame: + * [amsdu header] <-- replaced with 802.11 hdr +@@ -1231,6 +1266,14 @@ static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar, + + hdr = (struct ieee80211_hdr *)first_hdr; + hdr_len = ieee80211_hdrlen(hdr->frame_control); ++ ++ if (!(status->flag & RX_FLAG_IV_STRIPPED)) { ++ memcpy(skb_push(msdu, ++ ath10k_htt_rx_crypto_param_len(ar, enctype)), ++ (void *)hdr + round_up(hdr_len, bytes_aligned), ++ ath10k_htt_rx_crypto_param_len(ar, enctype)); ++ } ++ + memcpy(skb_push(msdu, hdr_len), hdr, hdr_len); + } + +@@ -1265,13 +1308,15 @@ static void ath10k_htt_rx_h_undecap(struct ath10k *ar, + is_decrypted); + break; + case RX_MSDU_DECAP_NATIVE_WIFI: +- ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr); ++ ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr, ++ enctype); + break; + case RX_MSDU_DECAP_ETHERNET2_DIX: + ath10k_htt_rx_h_undecap_eth(ar, msdu, status, first_hdr, enctype); + break; + case RX_MSDU_DECAP_8023_SNAP_LLC: +- ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr); ++ ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr, ++ enctype); + break; + } + } +@@ -1314,7 +1359,8 @@ static void ath10k_htt_rx_h_csum_offload(struct sk_buff *msdu) + + static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, + struct sk_buff_head *amsdu, +- struct ieee80211_rx_status *status) ++ struct ieee80211_rx_status *status, ++ bool fill_crypt_header) + { + struct sk_buff *first; + struct sk_buff *last; +@@ -1324,7 +1370,6 @@ static void 
ath10k_htt_rx_h_mpdu(struct ath10k *ar, + enum htt_rx_mpdu_encrypt_type enctype; + u8 first_hdr[64]; + u8 *qos; +- size_t hdr_len; + bool has_fcs_err; + bool has_crypto_err; + bool has_tkip_err; +@@ -1345,15 +1390,17 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, + * decapped header. It'll be used for undecapping of each MSDU. + */ + hdr = (void *)rxd->rx_hdr_status; +- hdr_len = ieee80211_hdrlen(hdr->frame_control); +- memcpy(first_hdr, hdr, hdr_len); ++ memcpy(first_hdr, hdr, RX_HTT_HDR_STATUS_LEN); + + /* Each A-MSDU subframe will use the original header as the base and be + * reported as a separate MSDU so strip the A-MSDU bit from QoS Ctl. + */ + hdr = (void *)first_hdr; +- qos = ieee80211_get_qos_ctl(hdr); +- qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT; ++ ++ if (ieee80211_is_data_qos(hdr->frame_control)) { ++ qos = ieee80211_get_qos_ctl(hdr); ++ qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT; ++ } + + /* Some attention flags are valid only in the last MSDU. */ + last = skb_peek_tail(amsdu); +@@ -1387,11 +1434,17 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, + if (has_tkip_err) + status->flag |= RX_FLAG_MMIC_ERROR; + +- if (is_decrypted) ++ if (is_decrypted) { + status->flag |= RX_FLAG_DECRYPTED | +- RX_FLAG_IV_STRIPPED | + RX_FLAG_MMIC_STRIPPED; + ++ if (fill_crypt_header) ++ status->flag |= RX_FLAG_MIC_STRIPPED | ++ RX_FLAG_ICV_STRIPPED; ++ else ++ status->flag |= RX_FLAG_IV_STRIPPED; ++ } ++ + skb_queue_walk(amsdu, msdu) { + ath10k_htt_rx_h_csum_offload(msdu); + ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype, +@@ -1404,6 +1457,9 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar, + if (!is_decrypted) + continue; + ++ if (fill_crypt_header) ++ continue; ++ + hdr = (void *)msdu->data; + hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED); + } +@@ -1414,6 +1470,9 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar, + struct ieee80211_rx_status *status) + { + struct sk_buff *msdu; ++ struct sk_buff 
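Review bot: `memcpy(first_hdr, hdr, RX_HTT_HDR_STATUS_LEN);` in the @@ -1345 hunk copies a macro-sized length into a stack buffer declared with a literal size, `u8 first_hdr[64];` (visible as context in the preceding hunk). The two sizes agree only by convention, and if the macro ever grows the copy overruns the stack buffer. Tie them together with `memcpy(first_hdr, hdr, sizeof(first_hdr));` plus `BUILD_BUG_ON(sizeof(first_hdr) != RX_HTT_HDR_STATUS_LEN);`, or declare the array with the macro. The copy is now unconditional and no longer sized by `hdr_len`, so it presumably relies on `rxd->rx_hdr_status` being at least that long; its declaration is outside the hunk and should be confirmed. ath10k_htt_rx_h_mpdu() starts and ends outside the hunk.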
*first_subframe; ++ ++ first_subframe = skb_peek(amsdu); + + while ((msdu = __skb_dequeue(amsdu))) { + /* Setup per-MSDU flags */ +@@ -1422,6 +1481,13 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar, + else + status->flag |= RX_FLAG_AMSDU_MORE; + ++ if (msdu == first_subframe) { ++ first_subframe = NULL; ++ status->flag &= ~RX_FLAG_ALLOW_SAME_PN; ++ } else { ++ status->flag |= RX_FLAG_ALLOW_SAME_PN; ++ } ++ + ath10k_process_rx(ar, status, msdu); + } + } +@@ -1607,7 +1673,7 @@ static void ath10k_htt_rx_handler(struct ath10k_htt *htt, + ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status, 0xffff); + ath10k_htt_rx_h_unchain(ar, &amsdu, ret > 0); + ath10k_htt_rx_h_filter(ar, &amsdu, rx_status); +- ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status); ++ ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true); + ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status); + } + +@@ -1653,7 +1719,7 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt, + + ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status, 0xffff); + ath10k_htt_rx_h_filter(ar, &amsdu, rx_status); +- ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status); ++ ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true); + ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status); + + if (fw_desc_len > 0) { +@@ -1952,7 +2018,7 @@ static void ath10k_htt_rx_in_ord_ind(struct ath10k *ar, struct sk_buff *skb) + */ + ath10k_htt_rx_h_ppdu(ar, &amsdu, status, vdev_id); + ath10k_htt_rx_h_filter(ar, &amsdu, status); +- ath10k_htt_rx_h_mpdu(ar, &amsdu, status); ++ ath10k_htt_rx_h_mpdu(ar, &amsdu, status, false); + ath10k_htt_rx_h_deliver(ar, &amsdu, status); + break; + case -EAGAIN: +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index 9bec8237231d..99c21aac68bd 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -57,7 +57,7 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + RX_FLAG_MMIC_STRIPPED | + RX_FLAG_DECRYPTED; + +- wcn36xx_dbg(WCN36XX_DBG_RX, 
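Review bot: The `first_subframe` logic added to ath10k_htt_rx_h_deliver() (this hunk and @@ -1414 before it) has no comment explaining why every subframe after the first gets `RX_FLAG_ALLOW_SAME_PN`. The flag relaxes the packet-number replay check, so the reasoning belongs next to the code, for example `/* Subframes of one A-MSDU carry the same PN; only the first is held to the strict replay check. */`. It would also help to say that the flag is cleared on the first subframe because `status` is reused across calls, which is what the `&= ~RX_FLAG_ALLOW_SAME_PN` branch suggests. The function starts outside the hunk.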
"status.flags=%x\n", status.flag); ++ wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%llx\n", status.flag); + + memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status)); + +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 22dcccf2d286..6a287c81a7be 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -157,7 +157,9 @@ static const unsigned short full_speed_maxpacket_maxes[4] = { + static const unsigned short high_speed_maxpacket_maxes[4] = { + [USB_ENDPOINT_XFER_CONTROL] = 64, + [USB_ENDPOINT_XFER_ISOC] = 1024, +- [USB_ENDPOINT_XFER_BULK] = 512, ++ ++ /* Bulk should be 512, but some devices use 1024: we will warn below */ ++ [USB_ENDPOINT_XFER_BULK] = 1024, + [USB_ENDPOINT_XFER_INT] = 1024, + }; + static const unsigned short super_speed_maxpacket_maxes[4] = { +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 0d843e0f8055..494823f21c28 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -1048,7 +1048,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep, + /* set tx_reinit and schedule the next qh */ + ep->tx_reinit = 1; + } +- musb_start_urb(musb, is_in, next_qh); ++ ++ if (next_qh) ++ musb_start_urb(musb, is_in, next_qh); + } + } + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 1799aa058a5b..d982c455e18e 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -236,6 +236,8 @@ static void option_instat_callback(struct urb *urb); + /* These Quectel products use Qualcomm's vendor ID */ + #define QUECTEL_PRODUCT_UC20 0x9003 + #define QUECTEL_PRODUCT_UC15 0x9090 ++/* These u-blox products use Qualcomm's vendor ID */ ++#define UBLOX_PRODUCT_R410M 0x90b2 + /* These Yuga products use Qualcomm's vendor ID */ + #define YUGA_PRODUCT_CLM920_NC5 0x9625 + +@@ -244,6 +246,7 @@ static void option_instat_callback(struct urb *urb); + #define QUECTEL_PRODUCT_EC21 0x0121 + #define 
QUECTEL_PRODUCT_EC25 0x0125 + #define QUECTEL_PRODUCT_BG96 0x0296 ++#define QUECTEL_PRODUCT_EP06 0x0306 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -550,147 +553,15 @@ static void option_instat_callback(struct urb *urb); + #define WETELECOM_PRODUCT_6802 0x6802 + #define WETELECOM_PRODUCT_WMD300 0x6803 + +-struct option_blacklist_info { +- /* bitmask of interface numbers blacklisted for send_setup */ +- const unsigned long sendsetup; +- /* bitmask of interface numbers that are reserved */ +- const unsigned long reserved; +-}; +- +-static const struct option_blacklist_info four_g_w14_blacklist = { +- .sendsetup = BIT(0) | BIT(1), +-}; +- +-static const struct option_blacklist_info four_g_w100_blacklist = { +- .sendsetup = BIT(1) | BIT(2), +- .reserved = BIT(3), +-}; +- +-static const struct option_blacklist_info alcatel_x200_blacklist = { +- .sendsetup = BIT(0) | BIT(1), +- .reserved = BIT(4), +-}; +- +-static const struct option_blacklist_info zte_0037_blacklist = { +- .sendsetup = BIT(0) | BIT(1), +-}; +- +-static const struct option_blacklist_info zte_k3765_z_blacklist = { +- .sendsetup = BIT(0) | BIT(1) | BIT(2), +- .reserved = BIT(4), +-}; +- +-static const struct option_blacklist_info zte_ad3812_z_blacklist = { +- .sendsetup = BIT(0) | BIT(1) | BIT(2), +-}; +- +-static const struct option_blacklist_info zte_mc2718_z_blacklist = { +- .sendsetup = BIT(1) | BIT(2) | BIT(3) | BIT(4), +-}; +- +-static const struct option_blacklist_info zte_mc2716_z_blacklist = { +- .sendsetup = BIT(1) | BIT(2) | BIT(3), +-}; +- +-static const struct option_blacklist_info zte_me3620_mbim_blacklist = { +- .reserved = BIT(2) | BIT(3) | BIT(4), +-}; +- +-static const struct option_blacklist_info zte_me3620_xl_blacklist = { +- .reserved = BIT(3) | BIT(4) | BIT(5), +-}; +- +-static const struct option_blacklist_info zte_zm8620_x_blacklist = { +- .reserved = BIT(3) | BIT(4) | BIT(5), +-}; +- +-static const struct option_blacklist_info 
huawei_cdc12_blacklist = { +- .reserved = BIT(1) | BIT(2), +-}; +- +-static const struct option_blacklist_info net_intf0_blacklist = { +- .reserved = BIT(0), +-}; + +-static const struct option_blacklist_info net_intf1_blacklist = { +- .reserved = BIT(1), +-}; ++/* Device flags */ + +-static const struct option_blacklist_info net_intf2_blacklist = { +- .reserved = BIT(2), +-}; ++/* Interface does not support modem-control requests */ ++#define NCTRL(ifnum) ((BIT(ifnum) & 0xff) << 8) + +-static const struct option_blacklist_info net_intf3_blacklist = { +- .reserved = BIT(3), +-}; ++/* Interface is reserved */ ++#define RSVD(ifnum) ((BIT(ifnum) & 0xff) << 0) + +-static const struct option_blacklist_info net_intf4_blacklist = { +- .reserved = BIT(4), +-}; +- +-static const struct option_blacklist_info net_intf5_blacklist = { +- .reserved = BIT(5), +-}; +- +-static const struct option_blacklist_info net_intf6_blacklist = { +- .reserved = BIT(6), +-}; +- +-static const struct option_blacklist_info zte_mf626_blacklist = { +- .sendsetup = BIT(0) | BIT(1), +- .reserved = BIT(4), +-}; +- +-static const struct option_blacklist_info zte_1255_blacklist = { +- .reserved = BIT(3) | BIT(4), +-}; +- +-static const struct option_blacklist_info simcom_sim7100e_blacklist = { +- .reserved = BIT(5) | BIT(6), +-}; +- +-static const struct option_blacklist_info telit_me910_blacklist = { +- .sendsetup = BIT(0), +- .reserved = BIT(1) | BIT(3), +-}; +- +-static const struct option_blacklist_info telit_me910_dual_modem_blacklist = { +- .sendsetup = BIT(0), +- .reserved = BIT(3), +-}; +- +-static const struct option_blacklist_info telit_le910_blacklist = { +- .sendsetup = BIT(0), +- .reserved = BIT(1) | BIT(2), +-}; +- +-static const struct option_blacklist_info telit_le920_blacklist = { +- .sendsetup = BIT(0), +- .reserved = BIT(1) | BIT(5), +-}; +- +-static const struct option_blacklist_info telit_le920a4_blacklist_1 = { +- .sendsetup = BIT(0), +- .reserved = BIT(1), +-}; +- +-static const 
struct option_blacklist_info telit_le922_blacklist_usbcfg0 = { +- .sendsetup = BIT(2), +- .reserved = BIT(0) | BIT(1) | BIT(3), +-}; +- +-static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = { +- .sendsetup = BIT(0), +- .reserved = BIT(1) | BIT(2) | BIT(3), +-}; +- +-static const struct option_blacklist_info cinterion_rmnet2_blacklist = { +- .reserved = BIT(4) | BIT(5), +-}; +- +-static const struct option_blacklist_info yuga_clm920_nc5_blacklist = { +- .reserved = BIT(1) | BIT(4), +-}; + + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, +@@ -724,26 +595,26 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GKE) }, + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) }, + { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c1f, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173S6, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 
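Review bot: The new `NCTRL(ifnum)` and `RSVD(ifnum)` macros mask with `0xff`, so an interface number of 8 or higher evaluates to 0 and the flag silently disappears from `.driver_info`. The removed struct used `unsigned long` bitmasks and had no such limit. The comments should state the range, for example `/* Interface is reserved (ifnum must be 0..7) */`, or the macros should fail the build on a larger constant. The code that tests these bits is outside this hunk and, on the same reasoning, needs to range-check the interface number before applying `BIT()`.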
HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist }, ++ .driver_info = RSVD(1) | RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist }, ++ .driver_info = RSVD(1) | RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x14ac, 0xff, 0xff, 0xff), /* Huawei E1820 */ +- .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4605, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist }, ++ .driver_info = RSVD(1) | RSVD(2) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0xff, 0xff) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x01) }, + { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x02) }, +@@ -1188,65 +1059,70 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */ + { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 0xff), /* 4G LTE usb-modem U901 */ +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ + /* Quectel products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + /* Yuga products use Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5), +- .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist }, ++ .driver_info = RSVD(1) | RSVD(4) }, ++ 
/* u-blox products using Qualcomm vendor ID */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), ++ .driver_info = RSVD(1) | RSVD(3) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06), ++ .driver_info = RSVD(4) | RSVD(5) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6004) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6005) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_628A) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHE_628S), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_301), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628S) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_680) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_685A) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720S), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, 
CMOTECH_PRODUCT_7002), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629K), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7004), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7005) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_629), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629S), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720I), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7212), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7213), +- .driver_info = (kernel_ulong_t)&net_intf0_blacklist }, ++ .driver_info = RSVD(0) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7251), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7252), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7253), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864E) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864G) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_DUAL) }, +@@ -1254,38 +1130,38 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) }, + { 
USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, ++ .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1), +- .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG2), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, ++ .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), +- .driver_info = (kernel_ulong_t)&telit_me910_blacklist }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), +- .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist }, ++ .driver_info = NCTRL(0) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), +- .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), +- .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(5) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1207) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1208), +- .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 }, ++ 
.driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1211), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1212), +- .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 }, ++ .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214), +- .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0003, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0004, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0005, 0xff, 0xff, 0xff) }, +@@ -1301,58 +1177,58 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0010, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0011, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0012, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0013, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF628, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0016, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { 
USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0018, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0020, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0021, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0022, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0023, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0024, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0025, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0028, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0029, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0030, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF626, 0xff, +- 0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_mf626_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF626, 0xff, 0xff, 0xff), ++ .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0032, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0033, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0034, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0037, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&zte_0037_blacklist }, ++ .driver_info = NCTRL(0) | NCTRL(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0038, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0039, 0xff, 0xff, 0xff) }, + { 
USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0040, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0042, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0043, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0044, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0048, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0049, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0050, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0051, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0052, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0054, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0055, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0056, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0057, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0058, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0061, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0062, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0063, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0064, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0065, 0xff, 0xff, 0xff) }, + { 
USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0066, 0xff, 0xff, 0xff) }, +@@ -1377,26 +1253,26 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0096, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0097, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0104, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0105, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0106, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0108, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0113, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0117, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0118, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0121, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0122, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0123, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0124, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0125, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0126, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, 
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0128, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0135, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0136, 0xff, 0xff, 0xff) }, +@@ -1412,50 +1288,50 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0155, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0156, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0157, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0158, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0159, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0161, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0162, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0164, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0165, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0167, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0189, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0191, 0xff, 0xff, 0xff), /* ZTE EuFi890 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0196, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0197, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0199, 0xff, 0xff, 0xff), /* ZTE MF820S */ +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0200, 
0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0201, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0254, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0257, 0xff, 0xff, 0xff), /* ZTE MF821 */ +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff), /* ONDA MT8205 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0284, 0xff, 0xff, 0xff), /* ZTE MF880 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0317, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0326, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0330, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0395, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0412, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1012, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 
0x1018, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1021, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1057, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1058, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1059, 0xff, 0xff, 0xff) }, +@@ -1572,23 +1448,23 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1170, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1244, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1245, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1246, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1247, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1248, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1249, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1250, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1251, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1252, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1253, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1254, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1255, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&zte_1255_blacklist }, ++ .driver_info = RSVD(3) | RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 
0x1256, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1257, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1258, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1259, 0xff, 0xff, 0xff) }, +@@ -1603,7 +1479,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1268, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1269, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1270, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1271, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) }, +@@ -1639,17 +1515,17 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1303, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1333, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1401, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1402, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1424, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1425, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff), /* ZTE MF91 */ +- .driver_info = 
(kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */ +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, +@@ -1667,8 +1543,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1596, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1598, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1600, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, +- 0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_k3765_z_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, 0xff, 0xff), ++ .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) }, + + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0014, 0xff, 0xff, 0xff) }, /* ZTE CDMA products */ +@@ -1679,20 +1555,20 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0073, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0094, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0130, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf1_blacklist }, ++ .driver_info = RSVD(1) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0133, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0141, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { 
USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0147, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0152, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0168, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0170, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0176, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0178, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff42, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff43, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff44, 0xff, 0xff, 0xff) }, +@@ -1844,19 +1720,19 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC2726, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC8710T, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MC2718, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&zte_mc2718_z_blacklist }, ++ .driver_info = NCTRL(1) | NCTRL(2) | NCTRL(3) | NCTRL(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AD3812, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&zte_ad3812_z_blacklist }, ++ .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MC2716, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&zte_mc2716_z_blacklist }, ++ .driver_info = NCTRL(1) | NCTRL(2) | NCTRL(3) }, + { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_L), +- .driver_info = (kernel_ulong_t)&zte_me3620_xl_blacklist }, ++ .driver_info = RSVD(3) | RSVD(4) | RSVD(5) }, + { 
USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_MBIM), +- .driver_info = (kernel_ulong_t)&zte_me3620_mbim_blacklist }, ++ .driver_info = RSVD(2) | RSVD(3) | RSVD(4) }, + { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_X), +- .driver_info = (kernel_ulong_t)&zte_me3620_xl_blacklist }, ++ .driver_info = RSVD(3) | RSVD(4) | RSVD(5) }, + { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ZM8620_X), +- .driver_info = (kernel_ulong_t)&zte_zm8620_x_blacklist }, ++ .driver_info = RSVD(3) | RSVD(4) | RSVD(5) }, + { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x02, 0x01) }, + { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x02, 0x05) }, + { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x86, 0x10) }, +@@ -1876,37 +1752,34 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(ALINK_VENDOR_ID, ALINK_PRODUCT_PH300) }, + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), +- .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist }, ++ .driver_info = RSVD(5) | RSVD(6) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), +- .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist +- }, ++ .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, 0x0052), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b6), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b7), +- .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, ++ .driver_info = RSVD(5) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, 
ALCATEL_PRODUCT_L800MA), +- .driver_info = (kernel_ulong_t)&net_intf2_blacklist }, ++ .driver_info = RSVD(2) }, + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, + { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), +- .driver_info = (kernel_ulong_t)&four_g_w14_blacklist +- }, ++ .driver_info = NCTRL(0) | NCTRL(1) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), +- .driver_info = (kernel_ulong_t)&four_g_w100_blacklist +- }, ++ .driver_info = NCTRL(1) | NCTRL(2) | RSVD(3) }, + {USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist}, ++ .driver_info = RSVD(3)}, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9803, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, + { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) }, +@@ -1932,14 +1805,14 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_E) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff), +- .driver_info = 
(kernel_ulong_t)&cinterion_rmnet2_blacklist }, ++ .driver_info = RSVD(4) | RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, +@@ -1949,20 +1822,20 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, /* HC28 enumerates with Siemens or Cinterion VID depending on FW revision */ + { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD120), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD140), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD155), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD160), +- .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ .driver_info = RSVD(6) }, + { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD500), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 
450 1xEVDO modem */ + { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/ + { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) }, +@@ -2039,9 +1912,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) }, + { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */ + { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180), +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE(CHANGHONG_VENDOR_ID, CHANGHONG_PRODUCT_CH690) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x02, 0x01) }, /* D-Link DWM-156 (variant) */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x00, 0x00) }, /* D-Link DWM-156 (variant) */ +@@ -2052,9 +1925,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) }, /* D-Link DWM-158 */ + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d0e, 0xff) }, /* D-Link DWM-157 C1 */ + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff), /* D-Link DWM-222 */ +- .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ + { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ +@@ -2114,7 +1987,7 @@ static int option_probe(struct usb_serial *serial, + struct usb_interface_descriptor 
*iface_desc = + &serial->interface->cur_altsetting->desc; + struct usb_device_descriptor *dev_desc = &serial->dev->descriptor; +- const struct option_blacklist_info *blacklist; ++ unsigned long device_flags = id->driver_info; + + /* Never bind to the CD-Rom emulation interface */ + if (iface_desc->bInterfaceClass == 0x08) +@@ -2125,9 +1998,7 @@ static int option_probe(struct usb_serial *serial, + * the same class/subclass/protocol as the serial interfaces. Look at + * the Windows driver .INF files for reserved interface numbers. + */ +- blacklist = (void *)id->driver_info; +- if (blacklist && test_bit(iface_desc->bInterfaceNumber, +- &blacklist->reserved)) ++ if (device_flags & RSVD(iface_desc->bInterfaceNumber)) + return -ENODEV; + /* + * Don't bind network interface on Samsung GT-B3730, it is handled by +@@ -2138,8 +2009,8 @@ static int option_probe(struct usb_serial *serial, + iface_desc->bInterfaceClass != USB_CLASS_CDC_DATA) + return -ENODEV; + +- /* Store the blacklist info so we can use it during attach. */ +- usb_set_serial_data(serial, (void *)blacklist); ++ /* Store the device flags so we can use them during attach. */ ++ usb_set_serial_data(serial, (void *)device_flags); + + return 0; + } +@@ -2147,22 +2018,21 @@ static int option_probe(struct usb_serial *serial, + static int option_attach(struct usb_serial *serial) + { + struct usb_interface_descriptor *iface_desc; +- const struct option_blacklist_info *blacklist; + struct usb_wwan_intf_private *data; ++ unsigned long device_flags; + + data = kzalloc(sizeof(struct usb_wwan_intf_private), GFP_KERNEL); + if (!data) + return -ENOMEM; + +- /* Retrieve blacklist info stored at probe. */ +- blacklist = usb_get_serial_data(serial); ++ /* Retrieve device flags stored at probe. 
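Review bot: `iface_desc->bInterfaceNumber` is taken from the attached device's descriptor and is now passed to a mask macro, in `device_flags & RSVD(iface_desc->bInterfaceNumber)` here and in `NCTRL(iface_desc->bInterfaceNumber)` in option_attach(). The RSVD()/NCTRL() definitions are outside this chunk, so it is not visible whether they stay well defined for an interface number at or above the width of `unsigned long`; if they expand to a plain shift, a device reporting a large interface number makes the shift undefined. I would bound the value before testing the mask, for example `if (iface_desc->bInterfaceNumber < BITS_PER_LONG && (device_flags & RSVD(iface_desc->bInterfaceNumber)))`, or state next to the macros that they accept any u8. option_probe() begins and ends outside these hunks.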
*/ ++ device_flags = (unsigned long)usb_get_serial_data(serial); + + iface_desc = &serial->interface->cur_altsetting->desc; + +- if (!blacklist || !test_bit(iface_desc->bInterfaceNumber, +- &blacklist->sendsetup)) { ++ if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber))) + data->use_send_setup = 1; +- } ++ + spin_lock_init(&data->susp_lock); + + usb_set_serial_data(serial, data); +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c +index 337a0be89fcf..dbc3801b43eb 100644 +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_serial *serial, + goto exit; + } + +- if (retval == sizeof(*connection_info)) { +- connection_info = (struct visor_connection_info *) +- transfer_buffer; +- +- num_ports = le16_to_cpu(connection_info->num_ports); +- for (i = 0; i < num_ports; ++i) { +- switch ( +- connection_info->connections[i].port_function_id) { +- case VISOR_FUNCTION_GENERIC: +- string = "Generic"; +- break; +- case VISOR_FUNCTION_DEBUGGER: +- string = "Debugger"; +- break; +- case VISOR_FUNCTION_HOTSYNC: +- string = "HotSync"; +- break; +- case VISOR_FUNCTION_CONSOLE: +- string = "Console"; +- break; +- case VISOR_FUNCTION_REMOTE_FILE_SYS: +- string = "Remote File System"; +- break; +- default: +- string = "unknown"; +- break; +- } +- dev_info(dev, "%s: port %d, is for %s use\n", +- serial->type->description, +- connection_info->connections[i].port, string); +- } ++ if (retval != sizeof(*connection_info)) { ++ dev_err(dev, "Invalid connection information received from device\n"); ++ retval = -ENODEV; ++ goto exit; + } +- /* +- * Handle devices that report invalid stuff here. +- */ ++ ++ connection_info = (struct visor_connection_info *)transfer_buffer; ++ ++ num_ports = le16_to_cpu(connection_info->num_ports); ++ ++ /* Handle devices that report invalid stuff here. 
*/ + if (num_ports == 0 || num_ports > 2) { + dev_warn(dev, "%s: No valid connect info available\n", + serial->type->description); + num_ports = 2; + } + ++ for (i = 0; i < num_ports; ++i) { ++ switch (connection_info->connections[i].port_function_id) { ++ case VISOR_FUNCTION_GENERIC: ++ string = "Generic"; ++ break; ++ case VISOR_FUNCTION_DEBUGGER: ++ string = "Debugger"; ++ break; ++ case VISOR_FUNCTION_HOTSYNC: ++ string = "HotSync"; ++ break; ++ case VISOR_FUNCTION_CONSOLE: ++ string = "Console"; ++ break; ++ case VISOR_FUNCTION_REMOTE_FILE_SYS: ++ string = "Remote File System"; ++ break; ++ default: ++ string = "unknown"; ++ break; ++ } ++ dev_info(dev, "%s: port %d, is for %s use\n", ++ serial->type->description, ++ connection_info->connections[i].port, string); ++ } + dev_info(dev, "%s: Number of ports: %d\n", serial->type->description, + num_ports); + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 0fe667875852..cfb75dbb96f5 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -1906,7 +1906,7 @@ void wb_workfn(struct work_struct *work) + } + + if (!list_empty(&wb->work_list)) +- mod_delayed_work(bdi_wq, &wb->dwork, 0); ++ wb_wakeup(wb); + else if (wb_has_dirty_io(wb) && dirty_writeback_interval) + wb_wakeup_delayed(wb); + +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 3dd47307363f..e917aec4babe 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -969,22 +969,26 @@ xfs_file_fallocate( + if (error) + goto out_unlock; + } else if (mode & FALLOC_FL_INSERT_RANGE) { +- unsigned int blksize_mask = i_blocksize(inode) - 1; ++ unsigned int blksize_mask = i_blocksize(inode) - 1; ++ loff_t isize = i_size_read(inode); + +- new_size = i_size_read(inode) + len; + if (offset & blksize_mask || len & blksize_mask) { + error = -EINVAL; + goto out_unlock; + } + +- /* check the new inode size does not wrap through zero */ +- if (new_size > inode->i_sb->s_maxbytes) { ++ /* ++ * New inode size must not exceed ->s_maxbytes, accounting for ++ 
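Review bot: The check `num_ports > 2` and the fallback `num_ports = 2` use a literal that has to match the number of entries in `connection_info->connections`, whose declaration is outside this hunk. Because the loop now runs after the clamp and indexes `connections[i]` with a count supplied by the device, I would tie the limit to the array itself, `if (num_ports == 0 || num_ports > ARRAY_SIZE(connection_info->connections))`, so a later change to the struct cannot bring back an out-of-bounds read. When the device reports an invalid count the loop still logs both entries as if they were meaningful; a one-line comment saying that is intended would help. palm_os_3_probe() begins and ends outside the hunk.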
* possible signed overflow. ++ */ ++ if (inode->i_sb->s_maxbytes - isize < len) { + error = -EFBIG; + goto out_unlock; + } ++ new_size = isize + len; + + /* Offset should be less than i_size */ +- if (offset >= i_size_read(inode)) { ++ if (offset >= isize) { + error = -EINVAL; + goto out_unlock; + } +diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h +index c9b3eb70f340..567017b5fc9e 100644 +--- a/include/net/inet_timewait_sock.h ++++ b/include/net/inet_timewait_sock.h +@@ -55,6 +55,7 @@ struct inet_timewait_sock { + #define tw_family __tw_common.skc_family + #define tw_state __tw_common.skc_state + #define tw_reuse __tw_common.skc_reuse ++#define tw_reuseport __tw_common.skc_reuseport + #define tw_ipv6only __tw_common.skc_ipv6only + #define tw_bound_dev_if __tw_common.skc_bound_dev_if + #define tw_node __tw_common.skc_nulls_node +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 4e51f9a5a177..7a49a31f6ddc 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -975,7 +975,7 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info) + * @RX_FLAG_DECRYPTED: This frame was decrypted in hardware. + * @RX_FLAG_MMIC_STRIPPED: the Michael MIC is stripped off this frame, + * verification has been done by the hardware. +- * @RX_FLAG_IV_STRIPPED: The IV/ICV are stripped from this frame. ++ * @RX_FLAG_IV_STRIPPED: The IV and ICV are stripped from this frame. + * If this flag is set, the stack cannot do any replay detection + * hence the driver or hardware will have to do that. + * @RX_FLAG_PN_VALIDATED: Currently only valid for CCMP/GCMP frames, this +@@ -1013,6 +1013,8 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info) + * on this subframe + * @RX_FLAG_AMPDU_DELIM_CRC_KNOWN: The delimiter CRC field is known (the CRC + * is stored in the @ampdu_delimiter_crc field) ++ * @RX_FLAG_MIC_STRIPPED: The mic was stripped of this packet. 
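Review bot: The new bound check `inode->i_sb->s_maxbytes - isize < len` is correct only if `len` is non-negative, since a negative `len` passes the comparison and then shrinks `new_size = isize + len`; where `len` is validated is not visible in this hunk. I would record the precondition in the comment, for example `/* len is assumed positive here; confirm it is rejected earlier if not */`, once the place that enforces it has been checked. xfs_file_fallocate() starts and continues outside the hunk.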
Decryption was ++ * done by the hardware + * @RX_FLAG_LDPC: LDPC was used + * @RX_FLAG_STBC_MASK: STBC 2 bit bitmask. 1 - Nss=1, 2 - Nss=2, 3 - Nss=3 + * @RX_FLAG_10MHZ: 10 MHz (half channel) was used +@@ -1029,6 +1031,11 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info) + * @RX_FLAG_RADIOTAP_VENDOR_DATA: This frame contains vendor-specific + * radiotap data in the skb->data (before the frame) as described by + * the &struct ieee80211_vendor_radiotap. ++ * @RX_FLAG_ALLOW_SAME_PN: Allow the same PN as same packet before. ++ * This is used for AMSDU subframes which can have the same PN as ++ * the first subframe. ++ * @RX_FLAG_ICV_STRIPPED: The ICV is stripped from this frame. CRC checking must ++ * be done in the hardware. + */ + enum mac80211_rx_flags { + RX_FLAG_MMIC_ERROR = BIT(0), +@@ -1059,6 +1066,9 @@ enum mac80211_rx_flags { + RX_FLAG_5MHZ = BIT(29), + RX_FLAG_AMSDU_MORE = BIT(30), + RX_FLAG_RADIOTAP_VENDOR_DATA = BIT(31), ++ RX_FLAG_MIC_STRIPPED = BIT_ULL(32), ++ RX_FLAG_ALLOW_SAME_PN = BIT_ULL(33), ++ RX_FLAG_ICV_STRIPPED = BIT_ULL(34), + }; + + #define RX_FLAG_STBC_SHIFT 26 +@@ -1113,7 +1123,7 @@ struct ieee80211_rx_status { + u64 mactime; + u32 device_timestamp; + u32 ampdu_reference; +- u32 flag; ++ u64 flag; + u16 freq; + u8 vht_flag; + u8 rate_idx; +diff --git a/include/net/nexthop.h b/include/net/nexthop.h +index 3334dbfa5aa4..7fc78663ec9d 100644 +--- a/include/net/nexthop.h ++++ b/include/net/nexthop.h +@@ -6,7 +6,7 @@ + + static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining) + { +- return remaining >= sizeof(*rtnh) && ++ return remaining >= (int)sizeof(*rtnh) && + rtnh->rtnh_len >= sizeof(*rtnh) && + rtnh->rtnh_len <= remaining; + } +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 3608fa1aec8a..0eb11b4ac4c7 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -102,7 +102,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key) + static int array_map_get_next_key(struct 
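Review bot: The three constants added to `enum mac80211_rx_flags` use `BIT_ULL(32)` and above, which do not fit in an `int`; ISO C requires enumerators to be representable as `int`, so this depends on the compiler's wider-enum extension. The following hunk widens `flag` in `struct ieee80211_rx_status` to `u64`, but any driver or helper outside this diff that copies `status->flag` into a `u32` or `int` local would silently drop the new bits, and the decrypt paths would then trim a MIC or ICV that hardware already removed. A grep for such copies is worth doing, and a comment above the first new entry, `/* bits 32 and up require the u64 flag field */`, would record the dependency.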
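Review bot: The `(int)` cast in `remaining >= (int)sizeof(*rtnh)` in rtnh_ok is what keeps a negative `remaining` from being converted to a large unsigned value and passing the test, but nothing in the code says so. A later cleanup could remove it as redundant. I would add `/* compare as int: a negative remaining must fail, not wrap to size_t */` above the return statement.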
bpf_map *map, void *key, void *next_key) + { + struct bpf_array *array = container_of(map, struct bpf_array, map); +- u32 index = *(u32 *)key; ++ u32 index = key ? *(u32 *)key : U32_MAX; + u32 *next = (u32 *)next_key; + + if (index >= array->map.max_entries) { +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 34777b3746fa..a35abe048239 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -169,12 +169,15 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + struct hlist_head *head; + struct htab_elem *l, *next_l; + u32 hash, key_size; +- int i; ++ int i = 0; + + WARN_ON_ONCE(!rcu_read_lock_held()); + + key_size = map->key_size; + ++ if (!key) ++ goto find_first_elem; ++ + hash = htab_map_hash(key, key_size); + + head = select_bucket(htab, hash); +@@ -182,10 +185,8 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) + /* lookup the key */ + l = lookup_elem_raw(head, hash, key, key_size); + +- if (!l) { +- i = 0; ++ if (!l) + goto find_first_elem; +- } + + /* key was found, get next key in the same bucket */ + next_l = hlist_entry_safe(rcu_dereference_raw(hlist_next_rcu(&l->hash_node)), +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index dc19b6e210e6..4b9bbfe764e8 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -390,14 +390,18 @@ static int map_get_next_key(union bpf_attr *attr) + if (IS_ERR(map)) + return PTR_ERR(map); + +- err = -ENOMEM; +- key = kmalloc(map->key_size, GFP_USER); +- if (!key) +- goto err_put; +- +- err = -EFAULT; +- if (copy_from_user(key, ukey, map->key_size) != 0) +- goto free_key; ++ if (ukey) { ++ err = -ENOMEM; ++ key = kmalloc(map->key_size, GFP_USER); ++ if (!key) ++ goto err_put; ++ ++ err = -EFAULT; ++ if (copy_from_user(key, ukey, map->key_size) != 0) ++ goto free_key; ++ } else { ++ key = NULL; ++ } + + err = -ENOMEM; + next_key = kmalloc(map->key_size, GFP_USER); +diff --git a/kernel/events/callchain.c 
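Review bot: With this hunk map_get_next_key leaves `key` as NULL when userspace passes a NULL `ukey`, and that pointer is presumably handed to the map type's get_next_key callback below the hunk. This diff adapts array_map_get_next_key and htab_map_get_next_key; any other implementation in the tree would dereference NULL on a path reachable from the syscall, so it is worth checking every `.map_get_next_key` assignment. I would also note the new contract where the branch is taken, `key = NULL; /* callbacks must treat NULL as "return the first key" */`. The function continues outside the hunk.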
b/kernel/events/callchain.c +index 9c418002b8c1..75f835d353db 100644 +--- a/kernel/events/callchain.c ++++ b/kernel/events/callchain.c +@@ -107,14 +107,8 @@ int get_callchain_buffers(void) + goto exit; + } + +- if (count > 1) { +- /* If the allocation failed, give up */ +- if (!callchain_cpus_entries) +- err = -ENOMEM; +- goto exit; +- } +- +- err = alloc_callchain_buffers(); ++ if (count == 1) ++ err = alloc_callchain_buffers(); + exit: + if (err) + atomic_dec(&nr_callchain_events); +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 6aeb0ef4fe70..92d1f12f4407 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -229,7 +229,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos) + { +- int ret = proc_dointvec(table, write, buffer, lenp, ppos); ++ int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); + + if (ret || !write) + return ret; +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 014b69528194..58013ef228a1 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -779,8 +780,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff) + return NULL; + + /* AUX space */ +- if (pgoff >= rb->aux_pgoff) +- return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); ++ if (pgoff >= rb->aux_pgoff) { ++ int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); ++ return virt_to_page(rb->aux_pages[aux_pgoff]); ++ } + } + + return __perf_mmap_to_page(rb, pgoff); +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index f0e5408499b6..1ab2db6c127b 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -322,6 +322,9 @@ static int regex_match_full(char *str, struct regex *r, int len) + + static int 
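Review bot: Calling `proc_dointvec_minmax` in perf_cpu_time_max_percent_handler only bounds the written value if the sysctl table entry that names this handler sets `.extra1` and `.extra2`; with both NULL it behaves like the old call. That table entry lives in another file and is not part of this diff, so the range cannot be confirmed from here. Please verify the entry carries limits, and add `/* range enforced via extra1/extra2 in the sysctl table */` next to the call. The rest of the handler is outside the hunk.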
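Review bot: In perf_mmap_to_page the clamped index is stored in an `int` named `aux_pgoff`, which narrows an `unsigned long` expression and reuses the name of the `rb->aux_pgoff` field it is computed from. `unsigned long idx = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);` followed by `rb->aux_pages[idx]` is easier to read. Also, `array_index_nospec()` maps an out-of-range index to 0 rather than rejecting it, so the architectural range check has to be the one above the hunk, of which only `return NULL;` is visible. A comment such as `/* pgoff was range-checked above; this only closes the speculative window */` would make that clear.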
regex_match_front(char *str, struct regex *r, int len) + { ++ if (len < r->len) ++ return 0; ++ + if (strncmp(str, r->pattern, r->len) == 0) + return 1; + return 0; +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index d2f6d0be3503..68bb89ad9d28 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, + return; + + ret = strncpy_from_user(dst, src, maxlen); ++ if (ret == maxlen) ++ dst[--ret] = '\0'; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index ecd536de603a..eda85bbf1c2e 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -202,7 +202,7 @@ static int tracepoint_add_func(struct tracepoint *tp, + lockdep_is_held(&tracepoints_mutex)); + old = func_add(&tp_funcs, func, prio); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + +@@ -235,7 +235,7 @@ static int tracepoint_remove_func(struct tracepoint *tp, + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + +diff --git a/mm/percpu.c b/mm/percpu.c +index ef6353f0adbd..1c784df3bdfe 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -68,6 +68,7 @@ + #include + #include + #include ++#include + + #include + #include +diff --git a/net/atm/lec.c b/net/atm/lec.c +index cd3b37989057..10e4066991b8 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 }; + #include + #include + ++/* Hardening for Spectre-v1 */ ++#include ++ + #include "lec.h" + #include "lec_arpc.h" + #include "resources.h" +@@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) + bytes_left = 
copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); + if (bytes_left != 0) + pr_info("copy from user failed for %d bytes\n", bytes_left); +- if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || +- !dev_lec[ioc_data.dev_num]) ++ if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) ++ return -EINVAL; ++ ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); ++ if (!dev_lec[ioc_data.dev_num]) + return -EINVAL; + vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); + if (!vpriv) +diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c +index c0548d268e1a..e3e6a3e2ca22 100644 +--- a/net/core/dev_addr_lists.c ++++ b/net/core/dev_addr_lists.c +@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list, + return -EINVAL; + + list_for_each_entry(ha, &list->list, list) { +- if (!memcmp(ha->addr, addr, addr_len) && +- ha->type == addr_type) { ++ if (ha->type == addr_type && ++ !memcmp(ha->addr, addr, addr_len)) { + if (global) { + /* check if addr is already used as global */ + if (ha->global_use) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 7d3442594e0d..5668dd3f9969 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -827,6 +827,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) + n->hdr_len = skb->nohdr ? 
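Review bot: A failed `copy_from_user()` in lec_vcc_attach is only reported with `pr_info` and execution continues. The new `dev_num` range check and `array_index_nospec()` clamp therefore run on whatever is in `ioc_data`, which after a short copy is not the caller's data. Replacing the log-and-continue with `if (bytes_left != 0) return -EFAULT;` would complete the hardening this hunk adds. The function starts above and continues below the hunk.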
skb_headroom(skb) : skb->hdr_len; + n->cloned = 1; + n->nohdr = 0; ++ n->peeked = 0; + n->destructor = NULL; + C(tail); + C(end); +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 6eb2bbf9873b..45fd82e61e79 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -618,6 +618,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); ++ ireq->ir_mark = inet_request_mark(sk, skb); + ireq->ireq_family = AF_INET; + ireq->ir_iif = sk->sk_bound_dev_if; + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 09a9ab65f4e1..0bf41faeffc4 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -345,6 +345,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; ++ ireq->ir_mark = inet_request_mark(sk, skb); + + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index c67f9bd7699c..d8316869947a 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, + tw->tw_dport = inet->inet_dport; + tw->tw_family = sk->sk_family; + tw->tw_reuse = sk->sk_reuse; ++ tw->tw_reuseport = sk->sk_reuseport; + tw->tw_hash = sk->sk_hash; + tw->tw_ipv6only = 0; + tw->tw_transparent = inet->transparent; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 82d2b55c953a..b531a0997664 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2450,7 +2450,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_REPAIR_QUEUE: + if (!tp->repair) + err = -EPERM; +- else if (val < TCP_QUEUES_NR) ++ else if ((unsigned int)val < TCP_QUEUES_NR) + tp->repair_queue = val; + else + 
err = -EINVAL; +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 33344f5a66a8..ec26a84b00e2 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2663,8 +2663,9 @@ u64 ieee80211_calculate_rx_timestamp(struct ieee80211_local *local, + + rate = cfg80211_calculate_bitrate(&ri); + if (WARN_ONCE(!rate, +- "Invalid bitrate: flags=0x%x, idx=%d, vht_nss=%d\n", +- status->flag, status->rate_idx, status->vht_nss)) ++ "Invalid bitrate: flags=0x%llx, idx=%d, vht_nss=%d\n", ++ (unsigned long long)status->flag, status->rate_idx, ++ status->vht_nss)) + return 0; + + /* rewind from end of MPDU */ +diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c +index efa3f48f1ec5..73e8f347802e 100644 +--- a/net/mac80211/wep.c ++++ b/net/mac80211/wep.c +@@ -293,7 +293,8 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx) + return RX_DROP_UNUSABLE; + ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key); + /* remove ICV */ +- if (pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN)) ++ if (!(status->flag & RX_FLAG_ICV_STRIPPED) && ++ pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN)) + return RX_DROP_UNUSABLE; + } + +diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c +index e19ea1c53afa..cb439e06919f 100644 +--- a/net/mac80211/wpa.c ++++ b/net/mac80211/wpa.c +@@ -298,7 +298,8 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) + return RX_DROP_UNUSABLE; + + /* Trim ICV */ +- skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); ++ if (!(status->flag & RX_FLAG_ICV_STRIPPED)) ++ skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); + + /* Remove IV */ + memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen); +@@ -508,25 +509,31 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx, + !ieee80211_is_robust_mgmt_frame(skb)) + return RX_CONTINUE; + +- data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len; +- if (!rx->sta || data_len < 0) +- return RX_DROP_UNUSABLE; +- + if (status->flag & RX_FLAG_DECRYPTED) { + if 
(!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN)) + return RX_DROP_UNUSABLE; ++ if (status->flag & RX_FLAG_MIC_STRIPPED) ++ mic_len = 0; + } else { + if (skb_linearize(rx->skb)) + return RX_DROP_UNUSABLE; + } + ++ data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len; ++ if (!rx->sta || data_len < 0) ++ return RX_DROP_UNUSABLE; ++ + if (!(status->flag & RX_FLAG_PN_VALIDATED)) { ++ int res; ++ + ccmp_hdr2pn(pn, skb->data + hdrlen); + + queue = rx->security_idx; + +- if (memcmp(pn, key->u.ccmp.rx_pn[queue], +- IEEE80211_CCMP_PN_LEN) <= 0) { ++ res = memcmp(pn, key->u.ccmp.rx_pn[queue], ++ IEEE80211_CCMP_PN_LEN); ++ if (res < 0 || ++ (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) { + key->u.ccmp.replays++; + return RX_DROP_UNUSABLE; + } +@@ -724,8 +731,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) + struct sk_buff *skb = rx->skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); + u8 pn[IEEE80211_GCMP_PN_LEN]; +- int data_len; +- int queue; ++ int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN; + + hdrlen = ieee80211_hdrlen(hdr->frame_control); + +@@ -733,26 +739,31 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) + !ieee80211_is_robust_mgmt_frame(skb)) + return RX_CONTINUE; + +- data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - +- IEEE80211_GCMP_MIC_LEN; +- if (!rx->sta || data_len < 0) +- return RX_DROP_UNUSABLE; +- + if (status->flag & RX_FLAG_DECRYPTED) { + if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN)) + return RX_DROP_UNUSABLE; ++ if (status->flag & RX_FLAG_MIC_STRIPPED) ++ mic_len = 0; + } else { + if (skb_linearize(rx->skb)) + return RX_DROP_UNUSABLE; + } + ++ data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len; ++ if (!rx->sta || data_len < 0) ++ return RX_DROP_UNUSABLE; ++ + if (!(status->flag & RX_FLAG_PN_VALIDATED)) { ++ int res; ++ + gcmp_hdr2pn(pn, skb->data + hdrlen); + + queue = rx->security_idx; + +- if (memcmp(pn, key->u.gcmp.rx_pn[queue], +- 
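Review bot: The relaxed replay test `if (res < 0 || (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN)))` in ieee80211_crypto_ccmp_decrypt accepts a frame whose PN equals the stored `rx_pn` whenever the driver sets the flag, and nothing at the check says when that is legitimate. The header documents the flag as meant for A-MSDU subframes sharing the first subframe's PN; a driver that sets it on other frames would make this path accept an exact replay. I would add `/* equal PN is valid only for later subframes of one A-MSDU; see RX_FLAG_ALLOW_SAME_PN */` above the test. The same comment belongs on the matching hunk in ieee80211_crypto_gcmp_decrypt. Both function bodies extend beyond their hunks.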
IEEE80211_GCMP_PN_LEN) <= 0) { ++ res = memcmp(pn, key->u.gcmp.rx_pn[queue], ++ IEEE80211_GCMP_PN_LEN); ++ if (res < 0 || ++ (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) { + key->u.gcmp.replays++; + return RX_DROP_UNUSABLE; + } +@@ -776,7 +787,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) + } + + /* Remove GCMP header and MIC */ +- if (pskb_trim(skb, skb->len - IEEE80211_GCMP_MIC_LEN)) ++ if (pskb_trim(skb, skb->len - mic_len)) + return RX_DROP_UNUSABLE; + memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen); + skb_pull(skb, IEEE80211_GCMP_HDR_LEN); +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 2f0e4f61c40f..c0656510c4dc 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2352,11 +2352,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + strlcpy(cfg.mcast_ifn, dm->mcast_ifn, + sizeof(cfg.mcast_ifn)); + cfg.syncid = dm->syncid; +- rtnl_lock(); +- mutex_lock(&ipvs->sync_mutex); + ret = start_sync_thread(ipvs, &cfg, dm->state); +- mutex_unlock(&ipvs->sync_mutex); +- rtnl_unlock(); + } else { + mutex_lock(&ipvs->sync_mutex); + ret = stop_sync_thread(ipvs, dm->state); +@@ -3435,12 +3431,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) + if (ipvs->mixed_address_family_dests > 0) + return -EINVAL; + +- rtnl_lock(); +- mutex_lock(&ipvs->sync_mutex); + ret = start_sync_thread(ipvs, &c, + nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); +- mutex_unlock(&ipvs->sync_mutex); +- rtnl_unlock(); + return ret; + } + +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 1b07578bedf3..cec7234b7a1d 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -48,6 +48,7 @@ + #include + #include + #include ++#include + + #include /* Used for ntoh_seq and hton_seq */ + +@@ -1356,15 +1357,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val) + /* 
+ * Specifiy default interface for outgoing multicasts + */ +-static int set_mcast_if(struct sock *sk, char *ifname) ++static int set_mcast_if(struct sock *sk, struct net_device *dev) + { +- struct net_device *dev; + struct inet_sock *inet = inet_sk(sk); +- struct net *net = sock_net(sk); +- +- dev = __dev_get_by_name(net, ifname); +- if (!dev) +- return -ENODEV; + + if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) + return -EINVAL; +@@ -1392,19 +1387,14 @@ static int set_mcast_if(struct sock *sk, char *ifname) + * in the in_addr structure passed in as a parameter. + */ + static int +-join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) ++join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev) + { +- struct net *net = sock_net(sk); + struct ip_mreqn mreq; +- struct net_device *dev; + int ret; + + memset(&mreq, 0, sizeof(mreq)); + memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr)); + +- dev = __dev_get_by_name(net, ifname); +- if (!dev) +- return -ENODEV; + if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) + return -EINVAL; + +@@ -1419,15 +1409,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname) + + #ifdef CONFIG_IP_VS_IPV6 + static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, +- char *ifname) ++ struct net_device *dev) + { +- struct net *net = sock_net(sk); +- struct net_device *dev; + int ret; + +- dev = __dev_get_by_name(net, ifname); +- if (!dev) +- return -ENODEV; + if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if) + return -EINVAL; + +@@ -1439,24 +1424,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr, + } + #endif + +-static int bind_mcastif_addr(struct socket *sock, char *ifname) ++static int bind_mcastif_addr(struct socket *sock, struct net_device *dev) + { +- struct net *net = sock_net(sock->sk); +- struct net_device *dev; + __be32 addr; + struct sockaddr_in sin; + +- dev = __dev_get_by_name(net, 
ifname); +- if (!dev) +- return -ENODEV; +- + addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE); + if (!addr) + pr_err("You probably need to specify IP address on " + "multicast interface.\n"); + + IP_VS_DBG(7, "binding socket with (%s) %pI4\n", +- ifname, &addr); ++ dev->name, &addr); + + /* Now bind the socket with the address of multicast interface */ + sin.sin_family = AF_INET; +@@ -1489,7 +1468,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen, + /* + * Set up sending multicast socket over UDP + */ +-static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) ++static int make_send_sock(struct netns_ipvs *ipvs, int id, ++ struct net_device *dev, struct socket **sock_ret) + { + /* multicast addr */ + union ipvs_sockaddr mcast_addr; +@@ -1501,9 +1481,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) + IPPROTO_UDP, &sock); + if (result < 0) { + pr_err("Error during creation of socket; terminating\n"); +- return ERR_PTR(result); ++ goto error; + } +- result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn); ++ *sock_ret = sock; ++ result = set_mcast_if(sock->sk, dev); + if (result < 0) { + pr_err("Error setting outbound mcast interface\n"); + goto error; +@@ -1518,7 +1499,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) + set_sock_size(sock->sk, 1, result); + + if (AF_INET == ipvs->mcfg.mcast_af) +- result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn); ++ result = bind_mcastif_addr(sock, dev); + else + result = 0; + if (result < 0) { +@@ -1534,19 +1515,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id) + goto error; + } + +- return sock; ++ return 0; + + error: +- sock_release(sock); +- return ERR_PTR(result); ++ return result; + } + + + /* + * Set up receiving multicast socket over UDP + */ +-static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, +- int ifindex) ++static int make_receive_sock(struct netns_ipvs *ipvs, int id, ++ struct 
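Review bot: make_send_sock now takes a `struct net_device *dev` instead of looking the interface up by name, and it returns the socket through `*sock_ret` without releasing it on error; neither contract is documented. The pointer comes from `__dev_get_by_name()` in start_sync_thread, which takes no reference, so the helper is only safe while the caller holds RTNL. The header comment should gain two lines: `* Caller holds RTNL; dev is not refcounted.` and `* On error *sock_ret may be set; the caller releases it.` The same applies to make_receive_sock, set_mcast_if, join_mcast_group, join_mcast_group6 and bind_mcastif_addr in the neighbouring hunks.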
net_device *dev, struct socket **sock_ret) + { + /* multicast addr */ + union ipvs_sockaddr mcast_addr; +@@ -1558,8 +1538,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, + IPPROTO_UDP, &sock); + if (result < 0) { + pr_err("Error during creation of socket; terminating\n"); +- return ERR_PTR(result); ++ goto error; + } ++ *sock_ret = sock; + /* it is equivalent to the REUSEADDR option in user-space */ + sock->sk->sk_reuse = SK_CAN_REUSE; + result = sysctl_sync_sock_size(ipvs); +@@ -1567,7 +1548,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, + set_sock_size(sock->sk, 0, result); + + get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id); +- sock->sk->sk_bound_dev_if = ifindex; ++ sock->sk->sk_bound_dev_if = dev->ifindex; + result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen); + if (result < 0) { + pr_err("Error binding to the multicast addr\n"); +@@ -1578,21 +1559,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id, + #ifdef CONFIG_IP_VS_IPV6 + if (ipvs->bcfg.mcast_af == AF_INET6) + result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr, +- ipvs->bcfg.mcast_ifn); ++ dev); + else + #endif + result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr, +- ipvs->bcfg.mcast_ifn); ++ dev); + if (result < 0) { + pr_err("Error joining to the multicast group\n"); + goto error; + } + +- return sock; ++ return 0; + + error: +- sock_release(sock); +- return ERR_PTR(result); ++ return result; + } + + +@@ -1777,13 +1757,12 @@ static int sync_thread_backup(void *data) + int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + int state) + { +- struct ip_vs_sync_thread_data *tinfo; ++ struct ip_vs_sync_thread_data *tinfo = NULL; + struct task_struct **array = NULL, *task; +- struct socket *sock; + struct net_device *dev; + char *name; + int (*threadfn)(void *data); +- int id, count, hlen; ++ int id = 0, count, hlen; + int result = -ENOMEM; + u16 
mtu, min_mtu; + +@@ -1791,6 +1770,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n", + sizeof(struct ip_vs_sync_conn_v0)); + ++ /* Do not hold one mutex and then to block on another */ ++ for (;;) { ++ rtnl_lock(); ++ if (mutex_trylock(&ipvs->sync_mutex)) ++ break; ++ rtnl_unlock(); ++ mutex_lock(&ipvs->sync_mutex); ++ if (rtnl_trylock()) ++ break; ++ mutex_unlock(&ipvs->sync_mutex); ++ } ++ + if (!ipvs->sync_state) { + count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX); + ipvs->threads_mask = count - 1; +@@ -1809,7 +1800,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + dev = __dev_get_by_name(ipvs->net, c->mcast_ifn); + if (!dev) { + pr_err("Unknown mcast interface: %s\n", c->mcast_ifn); +- return -ENODEV; ++ result = -ENODEV; ++ goto out_early; + } + hlen = (AF_INET6 == c->mcast_af) ? + sizeof(struct ipv6hdr) + sizeof(struct udphdr) : +@@ -1826,26 +1818,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + c->sync_maxlen = mtu - hlen; + + if (state == IP_VS_STATE_MASTER) { ++ result = -EEXIST; + if (ipvs->ms) +- return -EEXIST; ++ goto out_early; + + ipvs->mcfg = *c; + name = "ipvs-m:%d:%d"; + threadfn = sync_thread_master; + } else if (state == IP_VS_STATE_BACKUP) { ++ result = -EEXIST; + if (ipvs->backup_threads) +- return -EEXIST; ++ goto out_early; + + ipvs->bcfg = *c; + name = "ipvs-b:%d:%d"; + threadfn = sync_thread_backup; + } else { +- return -EINVAL; ++ result = -EINVAL; ++ goto out_early; + } + + if (state == IP_VS_STATE_MASTER) { + struct ipvs_master_sync_state *ms; + ++ result = -ENOMEM; + ipvs->ms = kzalloc(count * sizeof(ipvs->ms[0]), GFP_KERNEL); + if (!ipvs->ms) + goto out; +@@ -1861,39 +1857,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + } else { + array = kzalloc(count * sizeof(struct task_struct *), + GFP_KERNEL); ++ result = 
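Review bot: The comment on the new lock-acquisition loop in start_sync_thread, "Do not hold one mutex and then to block on another", is ungrammatical and does not say which two locks are meant or why a fixed order is not used. I would reword it to `/* Take rtnl and sync_mutex together: block on one, trylock the other, and back off on failure so we never sleep holding either */`. It would also help to state on the exit labels that `out_early` drops both locks while `out` drops RTNL first, since that ordering is what the later hunks depend on. The function spans several hunks beyond this one.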
-ENOMEM; + if (!array) + goto out; + } + +- tinfo = NULL; + for (id = 0; id < count; id++) { +- if (state == IP_VS_STATE_MASTER) +- sock = make_send_sock(ipvs, id); +- else +- sock = make_receive_sock(ipvs, id, dev->ifindex); +- if (IS_ERR(sock)) { +- result = PTR_ERR(sock); +- goto outtinfo; +- } ++ result = -ENOMEM; + tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); + if (!tinfo) +- goto outsocket; ++ goto out; + tinfo->ipvs = ipvs; +- tinfo->sock = sock; ++ tinfo->sock = NULL; + if (state == IP_VS_STATE_BACKUP) { + tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, + GFP_KERNEL); + if (!tinfo->buf) +- goto outtinfo; ++ goto out; + } else { + tinfo->buf = NULL; + } + tinfo->id = id; ++ if (state == IP_VS_STATE_MASTER) ++ result = make_send_sock(ipvs, id, dev, &tinfo->sock); ++ else ++ result = make_receive_sock(ipvs, id, dev, &tinfo->sock); ++ if (result < 0) ++ goto out; + + task = kthread_run(threadfn, tinfo, name, ipvs->gen, id); + if (IS_ERR(task)) { + result = PTR_ERR(task); +- goto outtinfo; ++ goto out; + } + tinfo = NULL; + if (state == IP_VS_STATE_MASTER) +@@ -1910,20 +1905,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + ipvs->sync_state |= state; + spin_unlock_bh(&ipvs->sync_buff_lock); + ++ mutex_unlock(&ipvs->sync_mutex); ++ rtnl_unlock(); ++ + /* increase the module use count */ + ip_vs_use_count_inc(); + + return 0; + +-outsocket: +- sock_release(sock); +- +-outtinfo: +- if (tinfo) { +- sock_release(tinfo->sock); +- kfree(tinfo->buf); +- kfree(tinfo); +- } ++out: ++ /* We do not need RTNL lock anymore, release it here so that ++ * sock_release below and in the kthreads can use rtnl_lock ++ * to leave the mcast group. 
++ */ ++ rtnl_unlock(); + count = id; + while (count-- > 0) { + if (state == IP_VS_STATE_MASTER) +@@ -1931,13 +1926,23 @@ outtinfo: + else + kthread_stop(array[count]); + } +- kfree(array); +- +-out: + if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { + kfree(ipvs->ms); + ipvs->ms = NULL; + } ++ mutex_unlock(&ipvs->sync_mutex); ++ if (tinfo) { ++ if (tinfo->sock) ++ sock_release(tinfo->sock); ++ kfree(tinfo->buf); ++ kfree(tinfo); ++ } ++ kfree(array); ++ return result; ++ ++out_early: ++ mutex_unlock(&ipvs->sync_mutex); ++ rtnl_unlock(); + return result; + } + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 98fe9691337c..818400fddc9b 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1795,6 +1795,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + + if (msg->msg_namelen) { + err = -EINVAL; ++ if (msg->msg_namelen < sizeof(struct sockaddr_nl)) ++ goto out; + if (addr->nl_family != AF_NETLINK) + goto out; + dst_portid = addr->nl_pid; +diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c +index 93127220cb54..e6e249cc651c 100644 +--- a/net/rfkill/rfkill-gpio.c ++++ b/net/rfkill/rfkill-gpio.c +@@ -140,13 +140,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev) + + ret = rfkill_register(rfkill->rfkill_dev); + if (ret < 0) +- return ret; ++ goto err_destroy; + + platform_set_drvdata(pdev, rfkill); + + dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); + + return 0; ++ ++err_destroy: ++ rfkill_destroy(rfkill->rfkill_dev); ++ ++ return ret; + } + + static int rfkill_gpio_remove(struct platform_device *pdev) +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 5d9f25cb6426..90270d7110a3 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2480,7 +2480,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + + #ifdef CONFIG_COMPAT + if (is_compat_task()) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + #endif + 
+ type = nlh->nlmsg_type; +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index 1f64ab0c2a95..7ae080bae15c 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream, + return -ENOTTY; + if (substream->stream != dir) + return -EINVAL; ++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) ++ return -EBADFD; + + if ((ch = substream->runtime->channels) > 128) + return -EINVAL; +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c +index 3b126af4a026..ef494ffc1369 100644 +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream, + } + return; + } ++ spin_lock_irqsave(&substream->runtime->lock, flags); + if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) { + if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0) +- return; ++ goto out; + vmidi->event.type = SNDRV_SEQ_EVENT_NONE; + } +- spin_lock_irqsave(&substream->runtime->lock, flags); + while (1) { + count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf)); + if (count <= 0) +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c +index dc91002d1e0d..847f70348d4d 100644 +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) + cable->pause |= stream; + loopback_timer_stop(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ loopback_active_notify(dpcm); + break; + case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: + case SNDRV_PCM_TRIGGER_RESUME: +@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd) + cable->pause &= ~stream; + loopback_timer_start(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ 
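Review bot: After this hunk `snd_seq_kernel_client_dispatch()` in snd_virmidi_output_trigger always runs with `substream->runtime->lock` held and interrupts off, yet it is still passed `in_atomic()` as its atomic argument. `in_atomic()` cannot see a held spinlock on kernels built without preempt counting, so the callee could be told it may sleep. Since the context is now unconditionally atomic, I would pass the constant instead: `snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, 1, 0)`. The `out` label targeted by the new `goto` is outside the hunk.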
loopback_active_notify(dpcm); + break; + default: + return -EINVAL; +@@ -828,9 +832,11 @@ static int loopback_rate_shift_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate_shift; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -862,9 +868,11 @@ static int loopback_notify_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -876,12 +884,14 @@ static int loopback_notify_put(struct snd_kcontrol *kcontrol, + int change = 0; + + val = ucontrol->value.integer.value[0] ? 1 : 0; ++ mutex_lock(&loopback->cable_lock); + if (val != loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify) { + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify = val; + change = 1; + } ++ mutex_unlock(&loopback->cable_lock); + return change; + } + +@@ -889,13 +899,18 @@ static int loopback_active_get(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); +- struct loopback_cable *cable = loopback->cables +- [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; ++ struct loopback_cable *cable; ++ + unsigned int val = 0; + +- if (cable != NULL) +- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? +- 1 : 0; ++ mutex_lock(&loopback->cable_lock); ++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1]; ++ if (cable != NULL) { ++ unsigned int running = cable->running ^ cable->pause; ++ ++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 
1 : 0; ++ } ++ mutex_unlock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = val; + return 0; + } +@@ -938,9 +953,11 @@ static int loopback_rate_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -960,9 +977,11 @@ static int loopback_channels_get(struct snd_kcontrol *kcontrol, + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].channels; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +diff --git a/tools/testing/selftests/firmware/fw_filesystem.sh b/tools/testing/selftests/firmware/fw_filesystem.sh +index 61f9b1dbbd9b..63c310cdac09 100755 +--- a/tools/testing/selftests/firmware/fw_filesystem.sh ++++ b/tools/testing/selftests/firmware/fw_filesystem.sh +@@ -29,9 +29,11 @@ test_finish() + echo "$OLD_TIMEOUT" >/sys/class/firmware/timeout + fi + if [ "$OLD_FWPATH" = "" ]; then +- OLD_FWPATH=" " ++ # A zero-length write won't work; write a null byte ++ printf '\000' >/sys/module/firmware_class/parameters/path ++ else ++ echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + fi +- echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + rm -f "$FW" + rmdir "$FWPATH" + } diff --git a/patch/kernel/mvebu-default/04-patch-4.4.132-133.patch b/patch/kernel/mvebu-default/04-patch-4.4.132-133.patch new file mode 100644 index 0000000000..437aa6f401 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.132-133.patch 
@@ -0,0 +1,4957 @@ +diff --git a/Makefile b/Makefile +index ace4a655548a..ac52ee65685b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 132 ++SUBLEVEL = 133 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h +index f939794363ac..56474690e685 100644 +--- a/arch/alpha/include/asm/futex.h ++++ b/arch/alpha/include/asm/futex.h +@@ -29,18 +29,10 @@ + : "r" (uaddr), "r"(oparg) \ + : "memory") + +-static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -66,17 +58,9 @@ static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/arc/include/asm/futex.h b/arch/arc/include/asm/futex.h +index 11e1b1f3acda..eb887dd13e74 100644 +--- a/arch/arc/include/asm/futex.h ++++ b/arch/arc/include/asm/futex.h +@@ -73,20 +73,11 @@ + + #endif + +-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int 
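Review bot: The alpha `arch_futex_atomic_op_inuser()` no longer performs `access_ok(VERIFY_WRITE, uaddr, sizeof(u32))` or the `oparg` shift decoding, and nothing on the new definition says who is now responsible for them. The generic caller is outside these hunks, so presumably it validates the user pointer first; a comment above the definition, e.g. `/* Caller must have checked uaddr with access_ok() and decoded oparg; *oval is written only when 0 is returned. */`, would keep a later direct caller from passing an unchecked address. The same comment is missing from the other architectures' futex hunks in this patch (arc, arm, frv, hexagon, ia64, microblaze, mips, parisc, powerpc). The function body continues between the two alpha hunks.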
op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int))) +- return -EFAULT; +- + #ifndef CONFIG_ARC_HAS_LLSC + preempt_disable(); /* to guarantee atomic r-m-w of futex op */ + #endif +@@ -118,30 +109,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + preempt_enable(); + #endif + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: +- ret = (oldval == cmparg); +- break; +- case FUTEX_OP_CMP_NE: +- ret = (oldval != cmparg); +- break; +- case FUTEX_OP_CMP_LT: +- ret = (oldval < cmparg); +- break; +- case FUTEX_OP_CMP_GE: +- ret = (oldval >= cmparg); +- break; +- case FUTEX_OP_CMP_LE: +- ret = (oldval <= cmparg); +- break; +- case FUTEX_OP_CMP_GT: +- ret = (oldval > cmparg); +- break; +- default: +- ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +index 7a032dd84bb2..9e096d811bed 100644 +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +@@ -88,7 +88,6 @@ + clocks = <&clks 201>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_3p3v>; +- lrclk-strength = <3>; + }; + }; + +diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h +index 2c16d9e7c03c..4a275fba6059 100644 +--- a/arch/arm/include/asm/assembler.h ++++ b/arch/arm/include/asm/assembler.h +@@ -530,4 +530,14 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + #endif + .endm + ++#ifdef CONFIG_KPROBES ++#define _ASM_NOKPROBE(entry) \ ++ .pushsection "_kprobe_blacklist", "aw" ; \ ++ .balign 4 ; \ ++ .long entry; \ ++ .popsection ++#else ++#define _ASM_NOKPROBE(entry) ++#endif ++ + #endif /* 
__ASM_ASSEMBLER_H__ */ +diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h +index 6795368ad023..cc414382dab4 100644 +--- a/arch/arm/include/asm/futex.h ++++ b/arch/arm/include/asm/futex.h +@@ -128,20 +128,10 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + #endif /* !SMP */ + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret, tmp; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; +- + #ifndef CONFIG_SMP + preempt_disable(); + #endif +@@ -172,17 +162,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + preempt_enable(); + #endif + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c +index c92b535150a0..306a2a581785 100644 +--- a/arch/arm/kernel/traps.c ++++ b/arch/arm/kernel/traps.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -395,7 +396,8 @@ void unregister_undef_hook(struct undef_hook *hook) + raw_spin_unlock_irqrestore(&undef_lock, flags); + } + +-static int call_undef_hook(struct pt_regs *regs, unsigned int instr) ++static nokprobe_inline ++int call_undef_hook(struct pt_regs *regs, unsigned int 
instr) + { + struct undef_hook *hook; + unsigned long flags; +@@ -468,6 +470,7 @@ die_sig: + + arm_notify_die("Oops - undefined instruction", regs, &info, 0, 6); + } ++NOKPROBE_SYMBOL(do_undefinstr) + + /* + * Handle FIQ similarly to NMI on x86 systems. +diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S +index df73914e81c8..746e7801dcdf 100644 +--- a/arch/arm/lib/getuser.S ++++ b/arch/arm/lib/getuser.S +@@ -38,6 +38,7 @@ ENTRY(__get_user_1) + mov r0, #0 + ret lr + ENDPROC(__get_user_1) ++_ASM_NOKPROBE(__get_user_1) + + ENTRY(__get_user_2) + check_uaccess r0, 2, r1, r2, __get_user_bad +@@ -58,6 +59,7 @@ rb .req r0 + mov r0, #0 + ret lr + ENDPROC(__get_user_2) ++_ASM_NOKPROBE(__get_user_2) + + ENTRY(__get_user_4) + check_uaccess r0, 4, r1, r2, __get_user_bad +@@ -65,6 +67,7 @@ ENTRY(__get_user_4) + mov r0, #0 + ret lr + ENDPROC(__get_user_4) ++_ASM_NOKPROBE(__get_user_4) + + ENTRY(__get_user_8) + check_uaccess r0, 8, r1, r2, __get_user_bad8 +@@ -78,6 +81,7 @@ ENTRY(__get_user_8) + mov r0, #0 + ret lr + ENDPROC(__get_user_8) ++_ASM_NOKPROBE(__get_user_8) + + #ifdef __ARMEB__ + ENTRY(__get_user_32t_8) +@@ -91,6 +95,7 @@ ENTRY(__get_user_32t_8) + mov r0, #0 + ret lr + ENDPROC(__get_user_32t_8) ++_ASM_NOKPROBE(__get_user_32t_8) + + ENTRY(__get_user_64t_1) + check_uaccess r0, 1, r1, r2, __get_user_bad8 +@@ -98,6 +103,7 @@ ENTRY(__get_user_64t_1) + mov r0, #0 + ret lr + ENDPROC(__get_user_64t_1) ++_ASM_NOKPROBE(__get_user_64t_1) + + ENTRY(__get_user_64t_2) + check_uaccess r0, 2, r1, r2, __get_user_bad8 +@@ -114,6 +120,7 @@ rb .req r0 + mov r0, #0 + ret lr + ENDPROC(__get_user_64t_2) ++_ASM_NOKPROBE(__get_user_64t_2) + + ENTRY(__get_user_64t_4) + check_uaccess r0, 4, r1, r2, __get_user_bad8 +@@ -121,6 +128,7 @@ ENTRY(__get_user_64t_4) + mov r0, #0 + ret lr + ENDPROC(__get_user_64t_4) ++_ASM_NOKPROBE(__get_user_64t_4) + #endif + + __get_user_bad8: +@@ -131,6 +139,8 @@ __get_user_bad: + ret lr + ENDPROC(__get_user_bad) + ENDPROC(__get_user_bad8) 
++_ASM_NOKPROBE(__get_user_bad) ++_ASM_NOKPROBE(__get_user_bad8) + + .pushsection __ex_table, "a" + .long 1b, __get_user_bad +diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c +index bcdecc25461b..b2aa9b32bff2 100644 +--- a/arch/arm/probes/kprobes/opt-arm.c ++++ b/arch/arm/probes/kprobes/opt-arm.c +@@ -165,13 +165,14 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + { + unsigned long flags; + struct kprobe *p = &op->kp; +- struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); ++ struct kprobe_ctlblk *kcb; + + /* Save skipped registers */ + regs->ARM_pc = (unsigned long)op->kp.addr; + regs->ARM_ORIG_r0 = ~0UL; + + local_irq_save(flags); ++ kcb = get_kprobe_ctlblk(); + + if (kprobe_running()) { + kprobes_inc_nmissed_count(&op->kp); +@@ -191,6 +192,7 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + + local_irq_restore(flags); + } ++NOKPROBE_SYMBOL(optimized_callback) + + int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *orig) + { +diff --git a/arch/frv/include/asm/futex.h b/arch/frv/include/asm/futex.h +index 4bea27f50a7a..2702bd802d44 100644 +--- a/arch/frv/include/asm/futex.h ++++ b/arch/frv/include/asm/futex.h +@@ -7,7 +7,8 @@ + #include + #include + +-extern int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr); ++extern int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr); + + static inline int + futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +diff --git a/arch/frv/kernel/futex.c b/arch/frv/kernel/futex.c +index d155ca9e5098..37f7b2bf7f73 100644 +--- a/arch/frv/kernel/futex.c ++++ b/arch/frv/kernel/futex.c +@@ -186,20 +186,10 @@ static inline int atomic_futex_op_xchg_xor(int oparg, u32 __user *uaddr, int *_o + /* + * do the futex operations + */ +-int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = 
(encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; +- + pagefault_disable(); + + switch (op) { +@@ -225,18 +215,9 @@ int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; break; +- } +- } ++ if (!ret) ++ *oval = oldval; + + return ret; + +-} /* end futex_atomic_op_inuser() */ ++} /* end arch_futex_atomic_op_inuser() */ +diff --git a/arch/hexagon/include/asm/futex.h b/arch/hexagon/include/asm/futex.h +index 7e597f8434da..c607b77c8215 100644 +--- a/arch/hexagon/include/asm/futex.h ++++ b/arch/hexagon/include/asm/futex.h +@@ -31,18 +31,9 @@ + + + static inline int +-futex_atomic_op_inuser(int encoded_op, int __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int))) +- return -EFAULT; + + pagefault_disable(); + +@@ -72,30 +63,9 @@ futex_atomic_op_inuser(int encoded_op, int __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: +- ret = (oldval == cmparg); +- break; +- case FUTEX_OP_CMP_NE: +- 
ret = (oldval != cmparg); +- break; +- case FUTEX_OP_CMP_LT: +- ret = (oldval < cmparg); +- break; +- case FUTEX_OP_CMP_GE: +- ret = (oldval >= cmparg); +- break; +- case FUTEX_OP_CMP_LE: +- ret = (oldval <= cmparg); +- break; +- case FUTEX_OP_CMP_GT: +- ret = (oldval > cmparg); +- break; +- default: +- ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h +index 76acbcd5c060..6d67dc1eaf2b 100644 +--- a/arch/ia64/include/asm/futex.h ++++ b/arch/ia64/include/asm/futex.h +@@ -45,18 +45,9 @@ do { \ + } while (0) + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (! 
access_ok (VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -84,17 +75,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/microblaze/include/asm/futex.h b/arch/microblaze/include/asm/futex.h +index 01848f056f43..a9dad9e5e132 100644 +--- a/arch/microblaze/include/asm/futex.h ++++ b/arch/microblaze/include/asm/futex.h +@@ -29,18 +29,9 @@ + }) + + static inline int +-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -66,30 +57,9 @@ futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: +- ret = (oldval == cmparg); +- break; +- case FUTEX_OP_CMP_NE: +- ret = (oldval != cmparg); +- break; +- case FUTEX_OP_CMP_LT: +- ret = (oldval < cmparg); +- break; +- case FUTEX_OP_CMP_GE: +- ret = (oldval >= cmparg); +- break; +- case FUTEX_OP_CMP_LE: +- ret = (oldval <= cmparg); +- break; +- case FUTEX_OP_CMP_GT: +- ret = (oldval > cmparg); +- break; +- default: +- ret = -ENOSYS; +- } +- } ++ if (!ret) 
++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h +index 1de190bdfb9c..a9e61ea54ca9 100644 +--- a/arch/mips/include/asm/futex.h ++++ b/arch/mips/include/asm/futex.h +@@ -83,18 +83,9 @@ + } + + static inline int +-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -125,17 +116,9 @@ futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/parisc/include/asm/futex.h b/arch/parisc/include/asm/futex.h +index 49df14805a9b..ae5b64981d72 100644 +--- a/arch/parisc/include/asm/futex.h ++++ b/arch/parisc/include/asm/futex.h +@@ -32,20 +32,11 @@ _futex_spin_unlock_irqrestore(u32 __user *uaddr, unsigned long int *flags) + } + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { + unsigned long int flags; + u32 val; +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op 
<< 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr))) +- return -EFAULT; + + pagefault_disable(); + +@@ -98,17 +89,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/powerpc/include/asm/firmware.h b/arch/powerpc/include/asm/firmware.h +index e05808a328db..b0629249778b 100644 +--- a/arch/powerpc/include/asm/firmware.h ++++ b/arch/powerpc/include/asm/firmware.h +@@ -47,12 +47,10 @@ + #define FW_FEATURE_VPHN ASM_CONST(0x0000000004000000) + #define FW_FEATURE_XCMO ASM_CONST(0x0000000008000000) + #define FW_FEATURE_OPAL ASM_CONST(0x0000000010000000) +-#define FW_FEATURE_OPALv2 ASM_CONST(0x0000000020000000) + #define FW_FEATURE_SET_MODE ASM_CONST(0x0000000040000000) + #define FW_FEATURE_BEST_ENERGY ASM_CONST(0x0000000080000000) + #define FW_FEATURE_TYPE1_AFFINITY ASM_CONST(0x0000000100000000) + #define FW_FEATURE_PRRN ASM_CONST(0x0000000200000000) +-#define FW_FEATURE_OPALv3 ASM_CONST(0x0000000400000000) + + #ifndef __ASSEMBLY__ + +@@ -70,8 +68,7 @@ enum { + FW_FEATURE_SET_MODE | FW_FEATURE_BEST_ENERGY | + FW_FEATURE_TYPE1_AFFINITY | FW_FEATURE_PRRN, + FW_FEATURE_PSERIES_ALWAYS = 0, +- FW_FEATURE_POWERNV_POSSIBLE = FW_FEATURE_OPAL | FW_FEATURE_OPALv2 | +- FW_FEATURE_OPALv3, ++ FW_FEATURE_POWERNV_POSSIBLE = FW_FEATURE_OPAL, + FW_FEATURE_POWERNV_ALWAYS = 0, + FW_FEATURE_PS3_POSSIBLE = FW_FEATURE_LPAR | FW_FEATURE_PS3_LV1, + 
FW_FEATURE_PS3_ALWAYS = FW_FEATURE_LPAR | FW_FEATURE_PS3_LV1, +diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h +index 2a9cf845473b..f4c7467f7465 100644 +--- a/arch/powerpc/include/asm/futex.h ++++ b/arch/powerpc/include/asm/futex.h +@@ -31,18 +31,10 @@ + : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \ + : "cr0", "memory") + +-static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -68,17 +60,9 @@ static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c +index 44c8d03558ac..318224784114 100644 +--- a/arch/powerpc/kernel/setup-common.c ++++ b/arch/powerpc/kernel/setup-common.c +@@ -217,14 +217,6 @@ static int show_cpuinfo(struct seq_file *m, void *v) + unsigned short maj; + unsigned short min; + +- /* We only show online cpus: disable preempt (overzealous, I +- * knew) to prevent cpu going down. 
*/ +- preempt_disable(); +- if (!cpu_online(cpu_id)) { +- preempt_enable(); +- return 0; +- } +- + #ifdef CONFIG_SMP + pvr = per_cpu(cpu_pvr, cpu_id); + #else +@@ -329,9 +321,6 @@ static int show_cpuinfo(struct seq_file *m, void *v) + #ifdef CONFIG_SMP + seq_printf(m, "\n"); + #endif +- +- preempt_enable(); +- + /* If this is the last cpu, print the summary */ + if (cpumask_next(cpu_id, cpu_online_mask) >= nr_cpu_ids) + show_cpuinfo_summary(m); +diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c +index 92736851c795..3f653f5201e7 100644 +--- a/arch/powerpc/platforms/powernv/eeh-powernv.c ++++ b/arch/powerpc/platforms/powernv/eeh-powernv.c +@@ -48,8 +48,8 @@ static int pnv_eeh_init(void) + struct pci_controller *hose; + struct pnv_phb *phb; + +- if (!firmware_has_feature(FW_FEATURE_OPALv3)) { +- pr_warn("%s: OPALv3 is required !\n", ++ if (!firmware_has_feature(FW_FEATURE_OPAL)) { ++ pr_warn("%s: OPAL is required !\n", + __func__); + return -EINVAL; + } +diff --git a/arch/powerpc/platforms/powernv/idle.c b/arch/powerpc/platforms/powernv/idle.c +index 59d735d2e5c0..15bfbcd5debc 100644 +--- a/arch/powerpc/platforms/powernv/idle.c ++++ b/arch/powerpc/platforms/powernv/idle.c +@@ -242,7 +242,7 @@ static int __init pnv_init_idle_states(void) + if (cpuidle_disable != IDLE_NO_OVERRIDE) + goto out; + +- if (!firmware_has_feature(FW_FEATURE_OPALv3)) ++ if (!firmware_has_feature(FW_FEATURE_OPAL)) + goto out; + + power_mgt = of_find_node_by_path("/ibm,opal/power-mgt"); +diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c +index 1bceb95f422d..5584247f5029 100644 +--- a/arch/powerpc/platforms/powernv/opal-nvram.c ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c +@@ -44,6 +44,10 @@ static ssize_t opal_nvram_read(char *buf, size_t count, loff_t *index) + return count; + } + ++/* ++ * This can be called in the panic path with interrupts off, so use ++ * mdelay in that case. 
++ */ + static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) + { + s64 rc = OPAL_BUSY; +@@ -58,10 +62,16 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_write_nvram(__pa(buf), count, off); + if (rc == OPAL_BUSY_EVENT) { +- msleep(OPAL_BUSY_DELAY_MS); ++ if (in_interrupt() || irqs_disabled()) ++ mdelay(OPAL_BUSY_DELAY_MS); ++ else ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); + } else if (rc == OPAL_BUSY) { +- msleep(OPAL_BUSY_DELAY_MS); ++ if (in_interrupt() || irqs_disabled()) ++ mdelay(OPAL_BUSY_DELAY_MS); ++ else ++ msleep(OPAL_BUSY_DELAY_MS); + } + } + +diff --git a/arch/powerpc/platforms/powernv/opal-xscom.c b/arch/powerpc/platforms/powernv/opal-xscom.c +index 7634d1c62299..d0ac535cf5d7 100644 +--- a/arch/powerpc/platforms/powernv/opal-xscom.c ++++ b/arch/powerpc/platforms/powernv/opal-xscom.c +@@ -126,7 +126,7 @@ static const struct scom_controller opal_scom_controller = { + + static int opal_xscom_init(void) + { +- if (firmware_has_feature(FW_FEATURE_OPALv3)) ++ if (firmware_has_feature(FW_FEATURE_OPAL)) + scom_init(&opal_scom_controller); + return 0; + } +diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c +index ae29eaf85e9e..e48826aa314c 100644 +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -98,16 +98,11 @@ int __init early_init_dt_scan_opal(unsigned long node, + pr_debug("OPAL Entry = 0x%llx (sizep=%p runtimesz=%d)\n", + opal.size, sizep, runtimesz); + +- powerpc_firmware_features |= FW_FEATURE_OPAL; + if (of_flat_dt_is_compatible(node, "ibm,opal-v3")) { +- powerpc_firmware_features |= FW_FEATURE_OPALv2; +- powerpc_firmware_features |= FW_FEATURE_OPALv3; +- pr_info("OPAL V3 detected !\n"); +- } else if (of_flat_dt_is_compatible(node, "ibm,opal-v2")) { +- powerpc_firmware_features |= FW_FEATURE_OPALv2; +- pr_info("OPAL V2 detected !\n"); ++ 
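Review bot: The retry loop `while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT)` in `opal_nvram_write()` still has no upper bound, and with the new `mdelay()` branch a firmware that keeps answering busy would spin forever in the panic path the added comment describes, with interrupts off. A bounded retry count for the atomic case would let the panic proceed instead of hanging. The `in_interrupt() || irqs_disabled()` test is also written out twice; evaluating it once before the loop, `bool atomic = in_interrupt() || irqs_disabled();`, keeps the two branches in step. The function starts and ends outside the hunk.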
powerpc_firmware_features |= FW_FEATURE_OPAL; ++ pr_info("OPAL detected !\n"); + } else { +- pr_info("OPAL V1 detected !\n"); ++ panic("OPAL != V3 detected, no longer supported.\n"); + } + + /* Reinit all cores with the right endian */ +@@ -352,17 +347,15 @@ int opal_put_chars(uint32_t vtermno, const char *data, int total_len) + * enough room and be done with it + */ + spin_lock_irqsave(&opal_write_lock, flags); +- if (firmware_has_feature(FW_FEATURE_OPALv2)) { +- rc = opal_console_write_buffer_space(vtermno, &olen); +- len = be64_to_cpu(olen); +- if (rc || len < total_len) { +- spin_unlock_irqrestore(&opal_write_lock, flags); +- /* Closed -> drop characters */ +- if (rc) +- return total_len; +- opal_poll_events(NULL); +- return -EAGAIN; +- } ++ rc = opal_console_write_buffer_space(vtermno, &olen); ++ len = be64_to_cpu(olen); ++ if (rc || len < total_len) { ++ spin_unlock_irqrestore(&opal_write_lock, flags); ++ /* Closed -> drop characters */ ++ if (rc) ++ return total_len; ++ opal_poll_events(NULL); ++ return -EAGAIN; + } + + /* We still try to handle partial completions, though they +@@ -696,10 +689,7 @@ static int __init opal_init(void) + } + + /* Register OPAL consoles if any ports */ +- if (firmware_has_feature(FW_FEATURE_OPALv2)) +- consoles = of_find_node_by_path("/ibm,opal/consoles"); +- else +- consoles = of_node_get(opal_node); ++ consoles = of_find_node_by_path("/ibm,opal/consoles"); + if (consoles) { + for_each_child_of_node(consoles, np) { + if (strcmp(np->name, "serial")) +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index ecb7f3220355..eac3b7cc78c6 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -344,7 +344,7 @@ static void __init pnv_ioda_parse_m64_window(struct pnv_phb *phb) + return; + } + +- if (!firmware_has_feature(FW_FEATURE_OPALv3)) { ++ if (!firmware_has_feature(FW_FEATURE_OPAL)) { + pr_info(" Firmware too old to support M64 
window\n"); + return; + } +diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c +index 30c6b3b7be90..c57afc619b20 100644 +--- a/arch/powerpc/platforms/powernv/setup.c ++++ b/arch/powerpc/platforms/powernv/setup.c +@@ -140,12 +140,8 @@ static void pnv_show_cpuinfo(struct seq_file *m) + if (root) + model = of_get_property(root, "model", NULL); + seq_printf(m, "machine\t\t: PowerNV %s\n", model); +- if (firmware_has_feature(FW_FEATURE_OPALv3)) +- seq_printf(m, "firmware\t: OPAL v3\n"); +- else if (firmware_has_feature(FW_FEATURE_OPALv2)) +- seq_printf(m, "firmware\t: OPAL v2\n"); +- else if (firmware_has_feature(FW_FEATURE_OPAL)) +- seq_printf(m, "firmware\t: OPAL v1\n"); ++ if (firmware_has_feature(FW_FEATURE_OPAL)) ++ seq_printf(m, "firmware\t: OPAL\n"); + else + seq_printf(m, "firmware\t: BML\n"); + of_node_put(root); +@@ -274,9 +270,9 @@ static void pnv_kexec_cpu_down(int crash_shutdown, int secondary) + { + xics_kexec_teardown_cpu(secondary); + +- /* On OPAL v3, we return all CPUs to firmware */ ++ /* On OPAL, we return all CPUs to firmware */ + +- if (!firmware_has_feature(FW_FEATURE_OPALv3)) ++ if (!firmware_has_feature(FW_FEATURE_OPAL)) + return; + + if (secondary) { +diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c +index ca264833ee64..ad7b1a3dbed0 100644 +--- a/arch/powerpc/platforms/powernv/smp.c ++++ b/arch/powerpc/platforms/powernv/smp.c +@@ -61,14 +61,15 @@ static int pnv_smp_kick_cpu(int nr) + unsigned long start_here = + __pa(ppc_function_entry(generic_secondary_smp_init)); + long rc; ++ uint8_t status; + + BUG_ON(nr < 0 || nr >= NR_CPUS); + + /* +- * If we already started or OPALv2 is not supported, we just ++ * If we already started or OPAL is not supported, we just + * kick the CPU via the PACA + */ +- if (paca[nr].cpu_start || !firmware_has_feature(FW_FEATURE_OPALv2)) ++ if (paca[nr].cpu_start || !firmware_has_feature(FW_FEATURE_OPAL)) + goto kick; + + /* +@@ -77,55 
+78,42 @@ static int pnv_smp_kick_cpu(int nr) + * first time. OPAL v3 allows us to query OPAL to know if it + * has the CPUs, so we do that + */ +- if (firmware_has_feature(FW_FEATURE_OPALv3)) { +- uint8_t status; +- +- rc = opal_query_cpu_status(pcpu, &status); +- if (rc != OPAL_SUCCESS) { +- pr_warn("OPAL Error %ld querying CPU %d state\n", +- rc, nr); +- return -ENODEV; +- } ++ rc = opal_query_cpu_status(pcpu, &status); ++ if (rc != OPAL_SUCCESS) { ++ pr_warn("OPAL Error %ld querying CPU %d state\n", rc, nr); ++ return -ENODEV; ++ } + +- /* +- * Already started, just kick it, probably coming from +- * kexec and spinning +- */ +- if (status == OPAL_THREAD_STARTED) +- goto kick; ++ /* ++ * Already started, just kick it, probably coming from ++ * kexec and spinning ++ */ ++ if (status == OPAL_THREAD_STARTED) ++ goto kick; + +- /* +- * Available/inactive, let's kick it +- */ +- if (status == OPAL_THREAD_INACTIVE) { +- pr_devel("OPAL: Starting CPU %d (HW 0x%x)...\n", +- nr, pcpu); +- rc = opal_start_cpu(pcpu, start_here); +- if (rc != OPAL_SUCCESS) { +- pr_warn("OPAL Error %ld starting CPU %d\n", +- rc, nr); +- return -ENODEV; +- } +- } else { +- /* +- * An unavailable CPU (or any other unknown status) +- * shouldn't be started. It should also +- * not be in the possible map but currently it can +- * happen +- */ +- pr_devel("OPAL: CPU %d (HW 0x%x) is unavailable" +- " (status %d)...\n", nr, pcpu, status); ++ /* ++ * Available/inactive, let's kick it ++ */ ++ if (status == OPAL_THREAD_INACTIVE) { ++ pr_devel("OPAL: Starting CPU %d (HW 0x%x)...\n", nr, pcpu); ++ rc = opal_start_cpu(pcpu, start_here); ++ if (rc != OPAL_SUCCESS) { ++ pr_warn("OPAL Error %ld starting CPU %d\n", rc, nr); + return -ENODEV; + } + } else { + /* +- * On OPAL v2, we just kick it and hope for the best, +- * we must not test the error from opal_start_cpu() or +- * we would fail to get CPUs from kexec. ++ * An unavailable CPU (or any other unknown status) ++ * shouldn't be started. 
It should also ++ * not be in the possible map but currently it can ++ * happen + */ +- opal_start_cpu(pcpu, start_here); ++ pr_devel("OPAL: CPU %d (HW 0x%x) is unavailable" ++ " (status %d)...\n", nr, pcpu, status); ++ return -ENODEV; + } +- kick: ++ ++kick: + return smp_generic_kick_cpu(nr); + } + +diff --git a/arch/s390/include/asm/alternative-asm.h b/arch/s390/include/asm/alternative-asm.h +new file mode 100644 +index 000000000000..955d620db23e +--- /dev/null ++++ b/arch/s390/include/asm/alternative-asm.h +@@ -0,0 +1,108 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_S390_ALTERNATIVE_ASM_H ++#define _ASM_S390_ALTERNATIVE_ASM_H ++ ++#ifdef __ASSEMBLY__ ++ ++/* ++ * Check the length of an instruction sequence. The length may not be larger ++ * than 254 bytes and it has to be divisible by 2. ++ */ ++.macro alt_len_check start,end ++ .if ( \end - \start ) > 254 ++ .error "cpu alternatives does not support instructions blocks > 254 bytes\n" ++ .endif ++ .if ( \end - \start ) % 2 ++ .error "cpu alternatives instructions length is odd\n" ++ .endif ++.endm ++ ++/* ++ * Issue one struct alt_instr descriptor entry (need to put it into ++ * the section .altinstructions, see below). This entry contains ++ * enough information for the alternatives patching code to patch an ++ * instruction. See apply_alternatives(). ++ */ ++.macro alt_entry orig_start, orig_end, alt_start, alt_end, feature ++ .long \orig_start - . ++ .long \alt_start - . ++ .word \feature ++ .byte \orig_end - \orig_start ++ .byte \alt_end - \alt_start ++.endm ++ ++/* ++ * Fill up @bytes with nops. The macro emits 6-byte nop instructions ++ * for the bulk of the area, possibly followed by a 4-byte and/or ++ * a 2-byte nop if the size of the area is not divisible by 6. ++ */ ++.macro alt_pad_fill bytes ++ .fill ( \bytes ) / 6, 6, 0xc0040000 ++ .fill ( \bytes ) % 6 / 4, 4, 0x47000000 ++ .fill ( \bytes ) % 6 % 4 / 2, 2, 0x0700 ++.endm ++ ++/* ++ * Fill up @bytes with nops. 
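Review bot: The re-indented `pr_devel()` for the unavailable-CPU case in `pnv_smp_kick_cpu()` keeps its format string split across two literals (`"... is unavailable"` and `" (status %d)...\n"`), which makes the message hard to grep for even though the extra nesting that forced the split is gone. The usual kernel form is one literal: `pr_devel("OPAL: CPU %d (HW 0x%x) is unavailable (status %d)...\n", nr, pcpu, status);`. The context comment above the query still says "OPAL v3 allows us to query OPAL" while the comment edited in the previous hunk now says only "OPAL"; the two should use the same wording.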
If the number of bytes is larger ++ * than 6, emit a jg instruction to branch over all nops, then ++ * fill an area of size (@bytes - 6) with nop instructions. ++ */ ++.macro alt_pad bytes ++ .if ( \bytes > 0 ) ++ .if ( \bytes > 6 ) ++ jg . + \bytes ++ alt_pad_fill \bytes - 6 ++ .else ++ alt_pad_fill \bytes ++ .endif ++ .endif ++.endm ++ ++/* ++ * Define an alternative between two instructions. If @feature is ++ * present, early code in apply_alternatives() replaces @oldinstr with ++ * @newinstr. ".skip" directive takes care of proper instruction padding ++ * in case @newinstr is longer than @oldinstr. ++ */ ++.macro ALTERNATIVE oldinstr, newinstr, feature ++ .pushsection .altinstr_replacement,"ax" ++770: \newinstr ++771: .popsection ++772: \oldinstr ++773: alt_len_check 770b, 771b ++ alt_len_check 772b, 773b ++ alt_pad ( ( 771b - 770b ) - ( 773b - 772b ) ) ++774: .pushsection .altinstructions,"a" ++ alt_entry 772b, 774b, 770b, 771b, \feature ++ .popsection ++.endm ++ ++/* ++ * Define an alternative between two instructions. If @feature is ++ * present, early code in apply_alternatives() replaces @oldinstr with ++ * @newinstr. ".skip" directive takes care of proper instruction padding ++ * in case @newinstr is longer than @oldinstr. 
++ */ ++.macro ALTERNATIVE_2 oldinstr, newinstr1, feature1, newinstr2, feature2 ++ .pushsection .altinstr_replacement,"ax" ++770: \newinstr1 ++771: \newinstr2 ++772: .popsection ++773: \oldinstr ++774: alt_len_check 770b, 771b ++ alt_len_check 771b, 772b ++ alt_len_check 773b, 774b ++ .if ( 771b - 770b > 772b - 771b ) ++ alt_pad ( ( 771b - 770b ) - ( 774b - 773b ) ) ++ .else ++ alt_pad ( ( 772b - 771b ) - ( 774b - 773b ) ) ++ .endif ++775: .pushsection .altinstructions,"a" ++ alt_entry 773b, 775b, 770b, 771b,\feature1 ++ alt_entry 773b, 775b, 771b, 772b,\feature2 ++ .popsection ++.endm ++ ++#endif /* __ASSEMBLY__ */ ++ ++#endif /* _ASM_S390_ALTERNATIVE_ASM_H */ +diff --git a/arch/s390/include/asm/futex.h b/arch/s390/include/asm/futex.h +index a4811aa0304d..8f8eec9e1198 100644 +--- a/arch/s390/include/asm/futex.h ++++ b/arch/s390/include/asm/futex.h +@@ -21,17 +21,12 @@ + : "0" (-EFAULT), "d" (oparg), "a" (uaddr), \ + "m" (*uaddr) : "cc"); + +-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, newval, ret; + + load_kernel_asce(); +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; + + pagefault_disable(); + switch (op) { +@@ -60,17 +55,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + } + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- 
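Review bot: The comment above ALTERNATIVE_2 is a copy of the one above ALTERNATIVE and names parameters the macro does not have (`@newinstr`, `@feature`). Both comments also credit a `.skip` directive for the padding, although the macro bodies call `alt_pad`. For ALTERNATIVE_2 I would write something like `Define two alternatives for @oldinstr: @newinstr1 is used if @feature1 is present, @newinstr2 if @feature2 is present; alt_pad pads @oldinstr up to the longer replacement.` Which replacement wins when both features are set depends on apply_alternatives(), which is not in this file, so that detail should be added only after checking there.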
} ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h +new file mode 100644 +index 000000000000..087fc9b972c5 +--- /dev/null ++++ b/arch/s390/include/asm/nospec-insn.h +@@ -0,0 +1,182 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_S390_NOSPEC_ASM_H ++#define _ASM_S390_NOSPEC_ASM_H ++ ++#ifdef __ASSEMBLY__ ++ ++#ifdef CONFIG_EXPOLINE ++ ++/* ++ * The expoline macros are used to create thunks in the same format ++ * as gcc generates them. The 'comdat' section flag makes sure that ++ * the various thunks are merged into a single copy. ++ */ ++ .macro __THUNK_PROLOG_NAME name ++ .pushsection .text.\name,"axG",@progbits,\name,comdat ++ .globl \name ++ .hidden \name ++ .type \name,@function ++\name: ++ .cfi_startproc ++ .endm ++ ++ .macro __THUNK_EPILOG ++ .cfi_endproc ++ .popsection ++ .endm ++ ++ .macro __THUNK_PROLOG_BR r1,r2 ++ __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1 ++ .endm ++ ++ .macro __THUNK_PROLOG_BC d0,r1,r2 ++ __THUNK_PROLOG_NAME __s390x_indirect_branch_\d0\()_\r2\()use_\r1 ++ .endm ++ ++ .macro __THUNK_BR r1,r2 ++ jg __s390x_indirect_jump_r\r2\()use_r\r1 ++ .endm ++ ++ .macro __THUNK_BC d0,r1,r2 ++ jg __s390x_indirect_branch_\d0\()_\r2\()use_\r1 ++ .endm ++ ++ .macro __THUNK_BRASL r1,r2,r3 ++ brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2 ++ .endm ++ ++ .macro __DECODE_RR expand,reg,ruse ++ .set __decode_fail,1 ++ .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \reg,%r\r1 ++ .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \ruse,%r\r2 ++ \expand \r1,\r2 ++ .set __decode_fail,0 ++ .endif ++ .endr ++ .endif ++ .endr ++ .if __decode_fail == 1 ++ .error "__DECODE_RR failed" ++ .endif ++ .endm ++ ++ .macro __DECODE_RRR expand,rsave,rtarget,ruse ++ .set __decode_fail,1 ++ .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \rsave,%r\r1 ++ .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \rtarget,%r\r2 ++ .irp 
r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \ruse,%r\r3 ++ \expand \r1,\r2,\r3 ++ .set __decode_fail,0 ++ .endif ++ .endr ++ .endif ++ .endr ++ .endif ++ .endr ++ .if __decode_fail == 1 ++ .error "__DECODE_RRR failed" ++ .endif ++ .endm ++ ++ .macro __DECODE_DRR expand,disp,reg,ruse ++ .set __decode_fail,1 ++ .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \reg,%r\r1 ++ .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ++ .ifc \ruse,%r\r2 ++ \expand \disp,\r1,\r2 ++ .set __decode_fail,0 ++ .endif ++ .endr ++ .endif ++ .endr ++ .if __decode_fail == 1 ++ .error "__DECODE_DRR failed" ++ .endif ++ .endm ++ ++ .macro __THUNK_EX_BR reg,ruse ++#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES ++ exrl 0,555f ++ j . ++#else ++ larl \ruse,555f ++ ex 0,0(\ruse) ++ j . ++#endif ++555: br \reg ++ .endm ++ ++ .macro __THUNK_EX_BC disp,reg,ruse ++#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES ++ exrl 0,556f ++ j . ++#else ++ larl \ruse,556f ++ ex 0,0(\ruse) ++ j . ++#endif ++556: b \disp(\reg) ++ .endm ++ ++ .macro GEN_BR_THUNK reg,ruse=%r1 ++ __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse ++ __THUNK_EX_BR \reg,\ruse ++ __THUNK_EPILOG ++ .endm ++ ++ .macro GEN_B_THUNK disp,reg,ruse=%r1 ++ __DECODE_DRR __THUNK_PROLOG_BC,\disp,\reg,\ruse ++ __THUNK_EX_BC \disp,\reg,\ruse ++ __THUNK_EPILOG ++ .endm ++ ++ .macro BR_EX reg,ruse=%r1 ++557: __DECODE_RR __THUNK_BR,\reg,\ruse ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 557b-. ++ .popsection ++ .endm ++ ++ .macro B_EX disp,reg,ruse=%r1 ++558: __DECODE_DRR __THUNK_BC,\disp,\reg,\ruse ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 558b-. ++ .popsection ++ .endm ++ ++ .macro BASR_EX rsave,rtarget,ruse=%r1 ++559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse ++ .pushsection .s390_indirect_branches,"a",@progbits ++ .long 559b-. 
++ .popsection ++ .endm ++ ++#else ++ .macro GEN_BR_THUNK reg,ruse=%r1 ++ .endm ++ ++ .macro GEN_B_THUNK disp,reg,ruse=%r1 ++ .endm ++ ++ .macro BR_EX reg,ruse=%r1 ++ br \reg ++ .endm ++ ++ .macro B_EX disp,reg,ruse=%r1 ++ b \disp(\reg) ++ .endm ++ ++ .macro BASR_EX rsave,rtarget,ruse=%r1 ++ basr \rsave,\rtarget ++ .endm ++#endif ++ ++#endif /* __ASSEMBLY__ */ ++ ++#endif /* _ASM_S390_NOSPEC_ASM_H */ +diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile +index 8ccfbf22ecbb..c4d4d4ef5e58 100644 +--- a/arch/s390/kernel/Makefile ++++ b/arch/s390/kernel/Makefile +@@ -49,6 +49,7 @@ obj-y += nospec-branch.o + + extra-y += head.o head64.o vmlinux.lds + ++obj-$(CONFIG_SYSFS) += nospec-sysfs.o + CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) + + obj-$(CONFIG_MODULES) += s390_ksyms.o module.o +diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S +index 326f717df587..61fca549a93b 100644 +--- a/arch/s390/kernel/base.S ++++ b/arch/s390/kernel/base.S +@@ -8,18 +8,22 @@ + + #include + #include ++#include + #include + #include + ++ GEN_BR_THUNK %r9 ++ GEN_BR_THUNK %r14 ++ + ENTRY(s390_base_mcck_handler) + basr %r13,0 + 0: lg %r15,__LC_PANIC_STACK # load panic stack + aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_mcck_handler_fn +- lg %r1,0(%r1) +- ltgr %r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr %r14,%r1 ++ BASR_EX %r14,%r9 + 1: la %r1,4095 + lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) + lpswe __LC_MCK_OLD_PSW +@@ -36,10 +40,10 @@ ENTRY(s390_base_ext_handler) + basr %r13,0 + 0: aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_ext_handler_fn +- lg %r1,0(%r1) +- ltgr %r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr %r14,%r1 ++ BASR_EX %r14,%r9 + 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC + ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit + lpswe __LC_EXT_OLD_PSW +@@ -56,10 +60,10 @@ ENTRY(s390_base_pgm_handler) + basr %r13,0 + 0: aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_pgm_handler_fn +- lg %r1,0(%r1) +- ltgr 
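Review bot: Nothing in `__THUNK_EX_BR`, `__THUNK_EX_BC` or the macros that expand them documents that `\ruse` must differ from the branch target register. Without CONFIG_HAVE_MARCH_Z10_FEATURES the thunk runs `larl \ruse,555f` (or `556f`) before executing `br \reg` or `b \disp(\reg)`, so an expansion where `\reg` equals the default `ruse=%r1` would overwrite its own target. The base.S hunks in this patch move the handler pointer from %r1 to %r9 before `BASR_EX`, which suggests the constraint is known but unwritten. I would add above `GEN_BR_THUNK`: `/* \ruse is clobbered when exrl is unavailable; it must not be the branch target register */`. The include guard `_ASM_S390_NOSPEC_ASM_H` also does not match the file name nospec-insn.h.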
%r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr %r14,%r1 ++ BASR_EX %r14,%r9 + lmg %r0,%r15,__LC_SAVE_AREA_SYNC + lpswe __LC_PGM_OLD_PSW + 1: lpswe disabled_wait_psw-0b(%r13) +@@ -116,7 +120,7 @@ ENTRY(diag308_reset) + larl %r4,.Lcontinue_psw # Restore PSW flags + lpswe 0(%r4) + .Lcontinue: +- br %r14 ++ BR_EX %r14 + .align 16 + .Lrestart_psw: + .long 0x00080000,0x80000000 + .Lrestart_part2 +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index c63730326215..5416d5d68308 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + __PT_R0 = __PT_GPRS + __PT_R1 = __PT_GPRS + 8 +@@ -225,74 +226,16 @@ _PIF_WORK = (_PIF_PER_TRAP) + .popsection + .endm + +-#ifdef CONFIG_EXPOLINE +- +- .macro GEN_BR_THUNK name,reg,tmp +- .section .text.\name,"axG",@progbits,\name,comdat +- .globl \name +- .hidden \name +- .type \name,@function +-\name: +- .cfi_startproc +-#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES +- exrl 0,0f +-#else +- larl \tmp,0f +- ex 0,0(\tmp) +-#endif +- j . +-0: br \reg +- .cfi_endproc +- .endm +- +- GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 +- GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 +- GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 +- +- .macro BASR_R14_R9 +-0: brasl %r14,__s390x_indirect_jump_r1use_r9 +- .pushsection .s390_indirect_branches,"a",@progbits +- .long 0b-. +- .popsection +- .endm +- +- .macro BR_R1USE_R14 +-0: jg __s390x_indirect_jump_r1use_r14 +- .pushsection .s390_indirect_branches,"a",@progbits +- .long 0b-. +- .popsection +- .endm +- +- .macro BR_R11USE_R14 +-0: jg __s390x_indirect_jump_r11use_r14 +- .pushsection .s390_indirect_branches,"a",@progbits +- .long 0b-. 
+- .popsection +- .endm +- +-#else /* CONFIG_EXPOLINE */ +- +- .macro BASR_R14_R9 +- basr %r14,%r9 +- .endm +- +- .macro BR_R1USE_R14 +- br %r14 +- .endm +- +- .macro BR_R11USE_R14 +- br %r14 +- .endm +- +-#endif /* CONFIG_EXPOLINE */ +- ++ GEN_BR_THUNK %r9 ++ GEN_BR_THUNK %r14 ++ GEN_BR_THUNK %r14,%r11 + + .section .kprobes.text, "ax" + + ENTRY(__bpon) + .globl __bpon + BPON +- BR_R1USE_R14 ++ BR_EX %r14 + + /* + * Scheduler resume function, called by switch_to +@@ -322,7 +265,7 @@ ENTRY(__switch_to) + TSTMSK __LC_MACHINE_FLAGS,MACHINE_FLAG_LPP + jz 0f + .insn s,0xb2800000,__LC_LPP # set program parameter +-0: BR_R1USE_R14 ++0: BR_EX %r14 + + .L__critical_start: + +@@ -388,7 +331,7 @@ sie_exit: + xgr %r5,%r5 + lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers + lg %r2,__SF_EMPTY+16(%r15) # return exit reason code +- BR_R1USE_R14 ++ BR_EX %r14 + .Lsie_fault: + lghi %r14,-EFAULT + stg %r14,__SF_EMPTY+16(%r15) # set exit reason code +@@ -445,7 +388,7 @@ ENTRY(system_call) + lgf %r9,0(%r8,%r10) # get system call add. 
+ TSTMSK __TI_flags(%r12),_TIF_TRACE + jnz .Lsysc_tracesys +- BASR_R14_R9 # call sys_xxxx ++ BASR_EX %r14,%r9 # call sys_xxxx + stg %r2,__PT_R2(%r11) # store return value + + .Lsysc_return: +@@ -585,7 +528,7 @@ ENTRY(system_call) + lmg %r3,%r7,__PT_R3(%r11) + stg %r7,STACK_FRAME_OVERHEAD(%r15) + lg %r2,__PT_ORIG_GPR2(%r11) +- BASR_R14_R9 # call sys_xxx ++ BASR_EX %r14,%r9 # call sys_xxx + stg %r2,__PT_R2(%r11) # store return value + .Lsysc_tracenogo: + TSTMSK __TI_flags(%r12),_TIF_TRACE +@@ -609,7 +552,7 @@ ENTRY(ret_from_fork) + lmg %r9,%r10,__PT_R9(%r11) # load gprs + ENTRY(kernel_thread_starter) + la %r2,0(%r10) +- BASR_R14_R9 ++ BASR_EX %r14,%r9 + j .Lsysc_tracenogo + + /* +@@ -685,7 +628,7 @@ ENTRY(pgm_check_handler) + je .Lpgm_return + lgf %r9,0(%r10,%r1) # load address of handler routine + lgr %r2,%r11 # pass pointer to pt_regs +- BASR_R14_R9 # branch to interrupt-handler ++ BASR_EX %r14,%r9 # branch to interrupt-handler + .Lpgm_return: + LOCKDEP_SYS_EXIT + tm __PT_PSW+1(%r11),0x01 # returning to user ? 
+@@ -962,7 +905,7 @@ ENTRY(psw_idle) + stpt __TIMER_IDLE_ENTER(%r2) + .Lpsw_idle_lpsw: + lpswe __SF_EMPTY(%r15) +- BR_R1USE_R14 ++ BR_EX %r14 + .Lpsw_idle_end: + + /* +@@ -1007,7 +950,7 @@ ENTRY(save_fpu_regs) + .Lsave_fpu_regs_done: + oi __LC_CPU_FLAGS+7,_CIF_FPU + .Lsave_fpu_regs_exit: +- BR_R1USE_R14 ++ BR_EX %r14 + .Lsave_fpu_regs_end: + + /* +@@ -1054,7 +997,7 @@ load_fpu_regs: + .Lload_fpu_regs_done: + ni __LC_CPU_FLAGS+7,255-_CIF_FPU + .Lload_fpu_regs_exit: +- BR_R1USE_R14 ++ BR_EX %r14 + .Lload_fpu_regs_end: + + .L__critical_end: +@@ -1227,7 +1170,7 @@ cleanup_critical: + jl 0f + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end + jl .Lcleanup_load_fpu_regs +-0: BR_R11USE_R14 ++0: BR_EX %r14 + + .align 8 + .Lcleanup_table: +@@ -1257,7 +1200,7 @@ cleanup_critical: + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce + larl %r9,sie_exit # skip forward to sie_exit +- BR_R11USE_R14 ++ BR_EX %r14 + #endif + + .Lcleanup_system_call: +@@ -1315,7 +1258,7 @@ cleanup_critical: + stg %r15,56(%r11) # r15 stack pointer + # set new psw address and exit + larl %r9,.Lsysc_do_svc +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + .Lcleanup_system_call_insn: + .quad system_call + .quad .Lsysc_stmg +@@ -1325,7 +1268,7 @@ cleanup_critical: + + .Lcleanup_sysc_tif: + larl %r9,.Lsysc_tif +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + + .Lcleanup_sysc_restore: + # check if stpt has been executed +@@ -1342,14 +1285,14 @@ cleanup_critical: + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) + 1: lmg %r8,%r9,__LC_RETURN_PSW +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + .Lcleanup_sysc_restore_insn: + .quad .Lsysc_exit_timer + .quad .Lsysc_done - 4 + + .Lcleanup_io_tif: + larl %r9,.Lio_tif +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + + .Lcleanup_io_restore: + # check if stpt has been executed +@@ -1363,7 +1306,7 @@ cleanup_critical: + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) + 1: lmg %r8,%r9,__LC_RETURN_PSW +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + 
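Review bot: Two converted sites in cleanup_critical lose the %r11 scratch register. `0: BR_EX %r14` after the `.Lcleanup_load_fpu_regs` compare (hunk -1227) and `BR_EX %r14` after `larl %r9,sie_exit` (hunk -1257) both replace `BR_R11USE_R14`, while every other `BR_R11USE_R14` in this file becomes `BR_EX %r14,%r11`. With the default `ruse=%r1` these two sites jump to the `r1use_r14` thunk, which on builds without CONFIG_HAVE_MARCH_Z10_FEATURES executes `larl %r1,...` and so modifies %r1 where the old code modified %r11. Whether %r1 is live at these points cannot be seen from the hunks, but unless that was checked both lines should read `BR_EX %r14,%r11`.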
.Lcleanup_io_restore_insn: + .quad .Lio_exit_timer + .quad .Lio_done - 4 +@@ -1415,17 +1358,17 @@ cleanup_critical: + # prepare return psw + nihh %r8,0xfcfd # clear irq & wait state bits + lg %r9,48(%r11) # return from psw_idle +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + .Lcleanup_idle_insn: + .quad .Lpsw_idle_lpsw + + .Lcleanup_save_fpu_regs: + larl %r9,save_fpu_regs +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + + .Lcleanup_load_fpu_regs: + larl %r9,load_fpu_regs +- BR_R11USE_R14 ++ BR_EX %r14,%r11 + + /* + * Integer constants +diff --git a/arch/s390/kernel/irq.c b/arch/s390/kernel/irq.c +index f41d5208aaf7..590e9394b4dd 100644 +--- a/arch/s390/kernel/irq.c ++++ b/arch/s390/kernel/irq.c +@@ -173,10 +173,9 @@ void do_softirq_own_stack(void) + new -= STACK_FRAME_OVERHEAD; + ((struct stack_frame *) new)->back_chain = old; + asm volatile(" la 15,0(%0)\n" +- " basr 14,%2\n" ++ " brasl 14,__do_softirq\n" + " la 15,0(%1)\n" +- : : "a" (new), "a" (old), +- "a" (__do_softirq) ++ : : "a" (new), "a" (old) + : "0", "1", "2", "3", "4", "5", "14", + "cc", "memory" ); + } else { +diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c +index 9f3b5b382743..d5eed651b5ab 100644 +--- a/arch/s390/kernel/nospec-branch.c ++++ b/arch/s390/kernel/nospec-branch.c +@@ -44,24 +44,6 @@ static int __init nospec_report(void) + } + arch_initcall(nospec_report); + +-#ifdef CONFIG_SYSFS +-ssize_t cpu_show_spectre_v1(struct device *dev, +- struct device_attribute *attr, char *buf) +-{ +- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); +-} +- +-ssize_t cpu_show_spectre_v2(struct device *dev, +- struct device_attribute *attr, char *buf) +-{ +- if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) +- return sprintf(buf, "Mitigation: execute trampolines\n"); +- if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) +- return sprintf(buf, "Mitigation: limited branch prediction.\n"); +- return sprintf(buf, "Vulnerable\n"); +-} +-#endif +- + #ifdef CONFIG_EXPOLINE + + int 
nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); +@@ -112,7 +94,6 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end) + s32 *epo; + + /* Second part of the instruction replace is always a nop */ +- memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x00, 0x00 }, 4); + for (epo = start; epo < end; epo++) { + instr = (u8 *) epo + *epo; + if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x04) +@@ -133,18 +114,34 @@ static void __init_or_module __nospec_revert(s32 *start, s32 *end) + br = thunk + (*(int *)(thunk + 2)) * 2; + else + continue; +- if (br[0] != 0x07 || (br[1] & 0xf0) != 0xf0) ++ /* Check for unconditional branch 0x07f? or 0x47f???? */ ++ if ((br[0] & 0xbf) != 0x07 || (br[1] & 0xf0) != 0xf0) + continue; ++ ++ memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x07, 0x00 }, 4); + switch (type) { + case BRCL_EXPOLINE: +- /* brcl to thunk, replace with br + nop */ + insnbuf[0] = br[0]; + insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f); ++ if (br[0] == 0x47) { ++ /* brcl to b, replace with bc + nopr */ ++ insnbuf[2] = br[2]; ++ insnbuf[3] = br[3]; ++ } else { ++ /* brcl to br, replace with bcr + nop */ ++ } + break; + case BRASL_EXPOLINE: +- /* brasl to thunk, replace with basr + nop */ +- insnbuf[0] = 0x0d; + insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f); ++ if (br[0] == 0x47) { ++ /* brasl to b, replace with bas + nopr */ ++ insnbuf[0] = 0x4d; ++ insnbuf[2] = br[2]; ++ insnbuf[3] = br[3]; ++ } else { ++ /* brasl to br, replace with basr + nop */ ++ insnbuf[0] = 0x0d; ++ } + break; + } + +diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c +new file mode 100644 +index 000000000000..8affad5f18cb +--- /dev/null ++++ b/arch/s390/kernel/nospec-sysfs.c +@@ -0,0 +1,21 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include ++#include ++#include ++ ++ssize_t cpu_show_spectre_v1(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Mitigation: __user pointer sanitization\n"); ++} ++ ++ssize_t 
cpu_show_spectre_v2(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) ++ return sprintf(buf, "Mitigation: execute trampolines\n"); ++ if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) ++ return sprintf(buf, "Mitigation: limited branch prediction\n"); ++ return sprintf(buf, "Vulnerable\n"); ++} +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 3d8da1e742c2..b79d51459cf2 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -744,6 +744,10 @@ static int __hw_perf_event_init(struct perf_event *event) + */ + rate = 0; + if (attr->freq) { ++ if (!attr->sample_freq) { ++ err = -EINVAL; ++ goto out; ++ } + rate = freq_to_sample_rate(&si, attr->sample_freq); + rate = hw_limit_rate(&si, rate); + attr->freq = 0; +diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S +index 52aab0bd84f8..6b1b91c17b40 100644 +--- a/arch/s390/kernel/reipl.S ++++ b/arch/s390/kernel/reipl.S +@@ -6,8 +6,11 @@ + + #include + #include ++#include + #include + ++ GEN_BR_THUNK %r14 ++ + # + # store_status + # +@@ -62,7 +65,7 @@ ENTRY(store_status) + st %r3,__LC_PSW_SAVE_AREA-SAVE_AREA_BASE + 4(%r1) + larl %r2,store_status + stg %r2,__LC_PSW_SAVE_AREA-SAVE_AREA_BASE + 8(%r1) +- br %r14 ++ BR_EX %r14 + + .section .bss + .align 8 +diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S +index 2d6b6e81f812..60a829c77378 100644 +--- a/arch/s390/kernel/swsusp.S ++++ b/arch/s390/kernel/swsusp.S +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -23,6 +24,8 @@ + * (see below) in the resume process. + * This function runs with disabled interrupts. 
+ */ ++ GEN_BR_THUNK %r14 ++ + .section .text + ENTRY(swsusp_arch_suspend) + stmg %r6,%r15,__SF_GPRS(%r15) +@@ -102,7 +105,7 @@ ENTRY(swsusp_arch_suspend) + spx 0x318(%r1) + lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) + lghi %r2,0 +- br %r14 ++ BR_EX %r14 + + /* + * Restore saved memory image to correct place and restore register context. +@@ -196,11 +199,10 @@ pgm_check_entry: + larl %r15,init_thread_union + ahi %r15,1<<(PAGE_SHIFT+THREAD_ORDER) + larl %r2,.Lpanic_string +- larl %r3,_sclp_print_early + lghi %r1,0 + sam31 + sigp %r1,%r0,SIGP_SET_ARCHITECTURE +- basr %r14,%r3 ++ brasl %r14,_sclp_print_early + larl %r3,.Ldisabled_wait_31 + lpsw 0(%r3) + 4: +@@ -266,7 +268,7 @@ restore_registers: + /* Return 0 */ + lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) + lghi %r2,0 +- br %r14 ++ BR_EX %r14 + + .section .data..nosave,"aw",@progbits + .align 8 +diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S +index c6d553e85ab1..16c5998b9792 100644 +--- a/arch/s390/lib/mem.S ++++ b/arch/s390/lib/mem.S +@@ -5,6 +5,9 @@ + */ + + #include ++#include ++ ++ GEN_BR_THUNK %r14 + + /* + * memset implementation +@@ -38,7 +41,7 @@ ENTRY(memset) + .Lmemset_clear_rest: + larl %r3,.Lmemset_xc + ex %r4,0(%r3) +- br %r14 ++ BR_EX %r14 + .Lmemset_fill: + stc %r3,0(%r2) + cghi %r4,1 +@@ -55,7 +58,7 @@ ENTRY(memset) + .Lmemset_fill_rest: + larl %r3,.Lmemset_mvc + ex %r4,0(%r3) +- br %r14 ++ BR_EX %r14 + .Lmemset_xc: + xc 0(1,%r1),0(%r1) + .Lmemset_mvc: +@@ -77,7 +80,7 @@ ENTRY(memcpy) + .Lmemcpy_rest: + larl %r5,.Lmemcpy_mvc + ex %r4,0(%r5) +- br %r14 ++ BR_EX %r14 + .Lmemcpy_loop: + mvc 0(256,%r1),0(%r3) + la %r1,256(%r1) +diff --git a/arch/s390/net/bpf_jit.S b/arch/s390/net/bpf_jit.S +index a1c917d881ec..fa716f2a95a7 100644 +--- a/arch/s390/net/bpf_jit.S ++++ b/arch/s390/net/bpf_jit.S +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "bpf_jit.h" + + /* +@@ -53,7 +54,7 @@ ENTRY(sk_load_##NAME##_pos); \ + clg %r3,STK_OFF_HLEN(%r15); /* Offset + SIZE > hlen? 
*/ \ + jh sk_load_##NAME##_slow; \ + LOAD %r14,-SIZE(%r3,%r12); /* Get data from skb */ \ +- b OFF_OK(%r6); /* Return */ \ ++ B_EX OFF_OK,%r6; /* Return */ \ + \ + sk_load_##NAME##_slow:; \ + lgr %r2,%r7; /* Arg1 = skb pointer */ \ +@@ -63,11 +64,14 @@ sk_load_##NAME##_slow:; \ + brasl %r14,skb_copy_bits; /* Get data from skb */ \ + LOAD %r14,STK_OFF_TMP(%r15); /* Load from temp bufffer */ \ + ltgr %r2,%r2; /* Set cc to (%r2 != 0) */ \ +- br %r6; /* Return */ ++ BR_EX %r6; /* Return */ + + sk_load_common(word, 4, llgf) /* r14 = *(u32 *) (skb->data+offset) */ + sk_load_common(half, 2, llgh) /* r14 = *(u16 *) (skb->data+offset) */ + ++ GEN_BR_THUNK %r6 ++ GEN_B_THUNK OFF_OK,%r6 ++ + /* + * Load 1 byte from SKB (optimized version) + */ +@@ -79,7 +83,7 @@ ENTRY(sk_load_byte_pos) + clg %r3,STK_OFF_HLEN(%r15) # Offset >= hlen? + jnl sk_load_byte_slow + llgc %r14,0(%r3,%r12) # Get byte from skb +- b OFF_OK(%r6) # Return OK ++ B_EX OFF_OK,%r6 # Return OK + + sk_load_byte_slow: + lgr %r2,%r7 # Arg1 = skb pointer +@@ -89,7 +93,7 @@ sk_load_byte_slow: + brasl %r14,skb_copy_bits # Get data from skb + llgc %r14,STK_OFF_TMP(%r15) # Load result from temp buffer + ltgr %r2,%r2 # Set cc to (%r2 != 0) +- br %r6 # Return cc ++ BR_EX %r6 # Return cc + + #define sk_negative_common(NAME, SIZE, LOAD) \ + sk_load_##NAME##_slow_neg:; \ +@@ -103,7 +107,7 @@ sk_load_##NAME##_slow_neg:; \ + jz bpf_error; \ + LOAD %r14,0(%r2); /* Get data from pointer */ \ + xr %r3,%r3; /* Set cc to zero */ \ +- br %r6; /* Return cc */ ++ BR_EX %r6; /* Return cc */ + + sk_negative_common(word, 4, llgf) + sk_negative_common(half, 2, llgh) +@@ -112,4 +116,4 @@ sk_negative_common(byte, 1, llgc) + bpf_error: + # force a return 0 from jit handler + ltgr %r15,%r15 # Set condition code +- br %r6 ++ BR_EX %r6 +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 1395eeb6005f..a26528afceb2 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -24,6 +24,8 @@ + 
#include + #include + #include ++#include ++#include + #include "bpf_jit.h" + + int bpf_jit_enable __read_mostly; +@@ -41,6 +43,8 @@ struct bpf_jit { + int base_ip; /* Base address for literal pool */ + int ret0_ip; /* Address of return 0 */ + int exit_ip; /* Address of exit */ ++ int r1_thunk_ip; /* Address of expoline thunk for 'br %r1' */ ++ int r14_thunk_ip; /* Address of expoline thunk for 'br %r14' */ + int tail_call_start; /* Tail call start offset */ + int labels[1]; /* Labels for local jumps */ + }; +@@ -248,6 +252,19 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + REG_SET_SEEN(b2); \ + }) + ++#define EMIT6_PCREL_RILB(op, b, target) \ ++({ \ ++ int rel = (target - jit->prg) / 2; \ ++ _EMIT6(op | reg_high(b) << 16 | rel >> 16, rel & 0xffff); \ ++ REG_SET_SEEN(b); \ ++}) ++ ++#define EMIT6_PCREL_RIL(op, target) \ ++({ \ ++ int rel = (target - jit->prg) / 2; \ ++ _EMIT6(op | rel >> 16, rel & 0xffff); \ ++}) ++ + #define _EMIT6_IMM(op, imm) \ + ({ \ + unsigned int __imm = (imm); \ +@@ -475,8 +492,45 @@ static void bpf_jit_epilogue(struct bpf_jit *jit) + EMIT4(0xb9040000, REG_2, BPF_REG_0); + /* Restore registers */ + save_restore_regs(jit, REGS_RESTORE); ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) { ++ jit->r14_thunk_ip = jit->prg; ++ /* Generate __s390_indirect_jump_r14 thunk */ ++ if (test_facility(35)) { ++ /* exrl %r0,.+10 */ ++ EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10); ++ } else { ++ /* larl %r1,.+14 */ ++ EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14); ++ /* ex 0,0(%r1) */ ++ EMIT4_DISP(0x44000000, REG_0, REG_1, 0); ++ } ++ /* j . */ ++ EMIT4_PCREL(0xa7f40000, 0); ++ } + /* br %r14 */ + _EMIT2(0x07fe); ++ ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable && ++ (jit->seen & SEEN_FUNC)) { ++ jit->r1_thunk_ip = jit->prg; ++ /* Generate __s390_indirect_jump_r1 thunk */ ++ if (test_facility(35)) { ++ /* exrl %r0,.+10 */ ++ EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10); ++ /* j . 
*/ ++ EMIT4_PCREL(0xa7f40000, 0); ++ /* br %r1 */ ++ _EMIT2(0x07f1); ++ } else { ++ /* larl %r1,.+14 */ ++ EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14); ++ /* ex 0,S390_lowcore.br_r1_tampoline */ ++ EMIT4_DISP(0x44000000, REG_0, REG_0, ++ offsetof(struct _lowcore, br_r1_trampoline)); ++ /* j . */ ++ EMIT4_PCREL(0xa7f40000, 0); ++ } ++ } + } + + /* +@@ -980,8 +1034,13 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* lg %w1,(%l) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_W1, REG_0, REG_L, + EMIT_CONST_U64(func)); +- /* basr %r14,%w1 */ +- EMIT2(0x0d00, REG_14, REG_W1); ++ if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) { ++ /* brasl %r14,__s390_indirect_jump_r1 */ ++ EMIT6_PCREL_RILB(0xc0050000, REG_14, jit->r1_thunk_ip); ++ } else { ++ /* basr %r14,%w1 */ ++ EMIT2(0x0d00, REG_14, REG_W1); ++ } + /* lgr %b0,%r2: load return value into %b0 */ + EMIT4(0xb9040000, BPF_REG_0, REG_2); + if (bpf_helper_changes_skb_data((void *)func)) { +diff --git a/arch/sh/include/asm/futex.h b/arch/sh/include/asm/futex.h +index 7be39a646fbd..e05187d26d76 100644 +--- a/arch/sh/include/asm/futex.h ++++ b/arch/sh/include/asm/futex.h +@@ -10,20 +10,11 @@ + /* XXX: UP variants, fix for SH-4A and SMP.. 
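Review bot: In the `else` branch of the r1 thunk added to bpf_jit_epilogue(), `EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14)` emits `larl %r1,.+14` ahead of the `ex` on the lowcore `br_r1_trampoline`, so %r1 is overwritten before that trampoline (presumably a `br %r1`) is executed. The call site in bpf_jit_insn() loads the helper address with `lg %w1,(%l)` and then does `brasl %r14,__s390_indirect_jump_r1`. If %w1 is %r1, as the thunk name and the `br %r1` in the facility-35 branch suggest, the helper address is lost on machines without facility 35; `.+14` then points just past the thunk, because no `br %r1` is emitted in this branch. I would drop the `larl` line and its comment from that branch, leaving only the `ex` and `j .`, and fix the spelling `br_r1_tampoline` in the comment. bpf_jit_epilogue() starts outside the hunk.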
*/ + #include + +-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; +- + pagefault_disable(); + + switch (op) { +@@ -49,17 +40,8 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; + + return ret; + } +diff --git a/arch/sparc/include/asm/futex_64.h b/arch/sparc/include/asm/futex_64.h +index 4e899b0dabf7..1cfd89d92208 100644 +--- a/arch/sparc/include/asm/futex_64.h ++++ b/arch/sparc/include/asm/futex_64.h +@@ -29,22 +29,14 @@ + : "r" (uaddr), "r" (oparg), "i" (-EFAULT) \ + : "memory") + +-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret, tem; + +- if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))) +- return -EFAULT; + if (unlikely((((unsigned long) uaddr) & 0x3UL))) + return -EINVAL; + +- if (encoded_op & 
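Review bot: With `access_ok(VERIFY_WRITE, uaddr, sizeof(u32))` removed from the sh arch_futex_atomic_op_inuser(), nothing in the function says who validates the user pointer before the atomic op touches it. The same check is dropped in the sparc futex_64.h, tile and x86 hunks further down. The caller is not part of this view, so I would at least record the contract above each function: `/* uaddr must already have been checked with access_ok(VERIFY_WRITE, ...) by the caller */`. Separately, `oparg` is `u32` here and in tile but `int` in the s390, sparc and x86 versions; one type across architectures would be easier to audit. The function body continues outside the hunk.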
(FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- + pagefault_disable(); + + switch (op) { +@@ -69,17 +61,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/tile/include/asm/futex.h b/arch/tile/include/asm/futex.h +index 1a6ef1b69cb1..d96d9dab5c0b 100644 +--- a/arch/tile/include/asm/futex.h ++++ b/arch/tile/include/asm/futex.h +@@ -106,12 +106,9 @@ + lock = __atomic_hashed_lock((int __force *)uaddr) + #endif + +-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int uninitialized_var(val), ret; + + __futex_prolog(); +@@ -119,12 +116,6 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + /* The 32-bit futex code makes this assumption, so validate it here. 
*/ + BUILD_BUG_ON(sizeof(atomic_t) != sizeof(int)); + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; +- + pagefault_disable(); + switch (op) { + case FUTEX_OP_SET: +@@ -148,30 +139,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + } + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: +- ret = (val == cmparg); +- break; +- case FUTEX_OP_CMP_NE: +- ret = (val != cmparg); +- break; +- case FUTEX_OP_CMP_LT: +- ret = (val < cmparg); +- break; +- case FUTEX_OP_CMP_GE: +- ret = (val >= cmparg); +- break; +- case FUTEX_OP_CMP_LE: +- ret = (val <= cmparg); +- break; +- case FUTEX_OP_CMP_GT: +- ret = (val > cmparg); +- break; +- default: +- ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = val; ++ + return ret; + } + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 583d539a4197..2bc6651791cc 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -364,7 +364,8 @@ __setup_efi_pci32(efi_pci_io_protocol_32 *pci, struct pci_setup_rom **__rom) + if (status != EFI_SUCCESS) + goto free_struct; + +- memcpy(rom->romdata, pci->romimage, pci->romsize); ++ memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, ++ pci->romsize); + return status; + + free_struct: +@@ -470,7 +471,8 @@ __setup_efi_pci64(efi_pci_io_protocol_64 *pci, struct pci_setup_rom **__rom) + if (status != EFI_SUCCESS) + goto free_struct; + +- memcpy(rom->romdata, pci->romimage, pci->romsize); ++ memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, ++ pci->romsize); + return status; + + free_struct: +diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h +index b4c1f5453436..f4dc9b63bdda 100644 +--- a/arch/x86/include/asm/futex.h ++++ b/arch/x86/include/asm/futex.h +@@ -41,20 +41,11 @@ + "+m" (*uaddr), "=&r" (tem) \ + : "r" (oparg), "i" (-EFAULT), "1" (0)) + 
+-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret, tem; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; +- + pagefault_disable(); + + switch (op) { +@@ -80,30 +71,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: +- ret = (oldval == cmparg); +- break; +- case FUTEX_OP_CMP_NE: +- ret = (oldval != cmparg); +- break; +- case FUTEX_OP_CMP_LT: +- ret = (oldval < cmparg); +- break; +- case FUTEX_OP_CMP_GE: +- ret = (oldval >= cmparg); +- break; +- case FUTEX_OP_CMP_LE: +- ret = (oldval <= cmparg); +- break; +- case FUTEX_OP_CMP_GT: +- ret = (oldval > cmparg); +- break; +- default: +- ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c +index 469b23d6acc2..fd7e9937ddd6 100644 +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -71,12 +71,17 @@ static void load_segments(void) + static void machine_kexec_free_page_tables(struct kimage *image) + { + free_page((unsigned long)image->arch.pgd); ++ image->arch.pgd = NULL; + #ifdef CONFIG_X86_PAE + free_page((unsigned long)image->arch.pmd0); ++ image->arch.pmd0 = NULL; + free_page((unsigned long)image->arch.pmd1); ++ image->arch.pmd1 = NULL; + #endif + free_page((unsigned long)image->arch.pte0); ++ image->arch.pte0 = NULL; + free_page((unsigned long)image->arch.pte1); ++ image->arch.pte1 = NULL; + } + + static int machine_kexec_alloc_page_tables(struct kimage 
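Review bot: arch_futex_atomic_op_inuser() no longer calls `access_ok(VERIFY_WRITE, uaddr, sizeof(u32))` and no longer applies the `1 << oparg` shift, so both the user-pointer check and the shift bound are now the caller's responsibility; that caller is not in these hunks. Nothing at the new signature states this precondition, so a later direct caller could pass an unchecked user address. I would add above the function `/* Caller must have validated uaddr with access_ok() and decoded/sanitised oparg. */`. The same applies to the xtensa futex.h hunks further down and to the futex.h hunks at the top of this section, whose file header is outside the visible part.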
*image) +@@ -93,7 +98,6 @@ static int machine_kexec_alloc_page_tables(struct kimage *image) + !image->arch.pmd0 || !image->arch.pmd1 || + #endif + !image->arch.pte0 || !image->arch.pte1) { +- machine_kexec_free_page_tables(image); + return -ENOMEM; + } + return 0; +diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c +index ca6e65250b1a..13d6b8ac0b0b 100644 +--- a/arch/x86/kernel/machine_kexec_64.c ++++ b/arch/x86/kernel/machine_kexec_64.c +@@ -37,8 +37,11 @@ static struct kexec_file_ops *kexec_file_loaders[] = { + static void free_transition_pgtable(struct kimage *image) + { + free_page((unsigned long)image->arch.pud); ++ image->arch.pud = NULL; + free_page((unsigned long)image->arch.pmd); ++ image->arch.pmd = NULL; + free_page((unsigned long)image->arch.pte); ++ image->arch.pte = NULL; + } + + static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) +@@ -79,7 +82,6 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) + set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC)); + return 0; + err: +- free_transition_pgtable(image); + return result; + } + +diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c +index 63146c378f1e..2b05f681a1fd 100644 +--- a/arch/x86/xen/mmu.c ++++ b/arch/x86/xen/mmu.c +@@ -1316,8 +1316,6 @@ void xen_flush_tlb_all(void) + struct mmuext_op *op; + struct multicall_space mcs; + +- trace_xen_mmu_flush_tlb_all(0); +- + preempt_disable(); + + mcs = xen_mc_entry(sizeof(*op)); +@@ -1335,8 +1333,6 @@ static void xen_flush_tlb(void) + struct mmuext_op *op; + struct multicall_space mcs; + +- trace_xen_mmu_flush_tlb(0); +- + preempt_disable(); + + mcs = xen_mc_entry(sizeof(*op)); +diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h +index 72bfc1cbc2b5..5bfbc1c401d4 100644 +--- a/arch/xtensa/include/asm/futex.h ++++ b/arch/xtensa/include/asm/futex.h +@@ -44,18 +44,10 @@ + : "r" (uaddr), "I" (-EFAULT), "r" (oparg) \ + : "memory") + +-static inline int 
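Review bot: After this hunk machine_kexec_alloc_page_tables() returns -ENOMEM with whatever pages were already allocated still attached to image->arch, so the release now depends entirely on a cleanup path in the caller, which is outside the hunk. The NULL assignments added to machine_kexec_free_page_tables() in the previous hunk make a repeated free harmless, but nothing here says who performs the first one. A comment at the return would close the gap, e.g. `/* partial allocations are freed by the image cleanup path */`, once that path is confirmed to run on this error. The machine_kexec_64.c hunks make the same change to init_transition_pgtable() and free_transition_pgtable().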
futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, ++ u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + #if !XCHAL_HAVE_S32C1I + return -ENOSYS; +@@ -89,19 +81,10 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (ret) +- return ret; ++ if (!ret) ++ *oval = oldval; + +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: return (oldval == cmparg); +- case FUTEX_OP_CMP_NE: return (oldval != cmparg); +- case FUTEX_OP_CMP_LT: return (oldval < cmparg); +- case FUTEX_OP_CMP_GE: return (oldval >= cmparg); +- case FUTEX_OP_CMP_LE: return (oldval <= cmparg); +- case FUTEX_OP_CMP_GT: return (oldval > cmparg); +- } +- +- return -ENOSYS; ++ return ret; + } + + static inline int +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 7ff8b15a3422..88728d997088 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1361,6 +1361,11 @@ static inline bool intel_pstate_platform_pwr_mgmt_exists(void) { return false; } + static inline bool intel_pstate_has_acpi_ppc(void) { return false; } + #endif /* CONFIG_ACPI */ + ++static const struct x86_cpu_id hwp_support_ids[] __initconst = { ++ { X86_VENDOR_INTEL, 6, X86_MODEL_ANY, X86_FEATURE_HWP }, ++ {} ++}; ++ + static int __init intel_pstate_init(void) + { + int cpu, rc = 0; +@@ -1370,17 +1375,16 @@ static int __init intel_pstate_init(void) + if (no_load) + return -ENODEV; + ++ if (x86_match_cpu(hwp_support_ids) && !no_hwp) { ++ copy_cpu_funcs(&core_params.funcs); ++ hwp_active++; ++ goto hwp_cpu_matched; ++ } ++ + id = 
x86_match_cpu(intel_pstate_cpu_ids); + if (!id) + return -ENODEV; + +- /* +- * The Intel pstate driver will be ignored if the platform +- * firmware has its own power management modes. +- */ +- if (intel_pstate_platform_pwr_mgmt_exists()) +- return -ENODEV; +- + cpu_def = (struct cpu_defaults *)id->driver_data; + + copy_pid_params(&cpu_def->pid_policy); +@@ -1389,17 +1393,20 @@ static int __init intel_pstate_init(void) + if (intel_pstate_msrs_not_valid()) + return -ENODEV; + ++hwp_cpu_matched: ++ /* ++ * The Intel pstate driver will be ignored if the platform ++ * firmware has its own power management modes. ++ */ ++ if (intel_pstate_platform_pwr_mgmt_exists()) ++ return -ENODEV; ++ + pr_info("Intel P-state driver initializing.\n"); + + all_cpu_data = vzalloc(sizeof(void *) * num_possible_cpus()); + if (!all_cpu_data) + return -ENOMEM; + +- if (static_cpu_has_safe(X86_FEATURE_HWP) && !no_hwp) { +- pr_info("intel_pstate: HWP enabled\n"); +- hwp_active++; +- } +- + if (!hwp_active && hwp_only) + goto out; + +@@ -1410,6 +1417,9 @@ static int __init intel_pstate_init(void) + intel_pstate_debug_expose_params(); + intel_pstate_sysfs_expose_params(); + ++ if (hwp_active) ++ pr_info("intel_pstate: HWP enabled\n"); ++ + return rc; + out: + get_online_cpus(); +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index c4b0ef65988c..57e6c45724e7 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -592,7 +592,7 @@ static int __init powernv_cpufreq_init(void) + int rc = 0; + + /* Don't probe on pseries (guest) platforms */ +- if (!firmware_has_feature(FW_FEATURE_OPALv3)) ++ if (!firmware_has_feature(FW_FEATURE_OPAL)) + return -ENODEV; + + /* Discover pstates from device tree and init */ +diff --git a/drivers/cpuidle/coupled.c b/drivers/cpuidle/coupled.c +index 344058f8501a..d5657d50ac40 100644 +--- a/drivers/cpuidle/coupled.c ++++ b/drivers/cpuidle/coupled.c +@@ -119,7 +119,6 @@ struct cpuidle_coupled { + + 
#define CPUIDLE_COUPLED_NOT_IDLE (-1) + +-static DEFINE_MUTEX(cpuidle_coupled_lock); + static DEFINE_PER_CPU(struct call_single_data, cpuidle_coupled_poke_cb); + + /* +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index d5c5a476360f..c44a843cb405 100644 +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -282,7 +282,7 @@ static int powernv_idle_probe(void) + if (cpuidle_disable != IDLE_NO_OVERRIDE) + return -ENODEV; + +- if (firmware_has_feature(FW_FEATURE_OPALv3)) { ++ if (firmware_has_feature(FW_FEATURE_OPAL)) { + cpuidle_state_table = powernv_states; + /* Device tree can indicate more idle states */ + max_idle_state = powernv_add_idle_states(); +diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c +index 2a8122444614..9ba4aaa9f755 100644 +--- a/drivers/gpio/gpio-rcar.c ++++ b/drivers/gpio/gpio-rcar.c +@@ -200,6 +200,48 @@ static int gpio_rcar_irq_set_wake(struct irq_data *d, unsigned int on) + return 0; + } + ++static void gpio_rcar_irq_bus_lock(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv, ++ gpio_chip); ++ ++ pm_runtime_get_sync(&p->pdev->dev); ++} ++ ++static void gpio_rcar_irq_bus_sync_unlock(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv, ++ gpio_chip); ++ ++ pm_runtime_put(&p->pdev->dev); ++} ++ ++ ++static int gpio_rcar_irq_request_resources(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv, ++ gpio_chip); ++ int error; ++ ++ error = pm_runtime_get_sync(&p->pdev->dev); ++ if (error < 0) ++ return error; ++ ++ return 0; ++} ++ ++static void gpio_rcar_irq_release_resources(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct 
gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv, ++ gpio_chip); ++ ++ pm_runtime_put(&p->pdev->dev); ++} ++ + static irqreturn_t gpio_rcar_irq_handler(int irq, void *dev_id) + { + struct gpio_rcar_priv *p = dev_id; +@@ -460,6 +502,10 @@ static int gpio_rcar_probe(struct platform_device *pdev) + irq_chip->irq_unmask = gpio_rcar_irq_enable; + irq_chip->irq_set_type = gpio_rcar_irq_set_type; + irq_chip->irq_set_wake = gpio_rcar_irq_set_wake; ++ irq_chip->irq_bus_lock = gpio_rcar_irq_bus_lock; ++ irq_chip->irq_bus_sync_unlock = gpio_rcar_irq_bus_sync_unlock; ++ irq_chip->irq_request_resources = gpio_rcar_irq_request_resources; ++ irq_chip->irq_release_resources = gpio_rcar_irq_release_resources; + irq_chip->flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_MASK_ON_SUSPEND; + + ret = gpiochip_add(gpio_chip); +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c +index bb9e9fc45e1b..82d23bd3a742 100644 +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -453,7 +453,7 @@ static void rlb_update_client(struct rlb_client_info *client_info) + { + int i; + +- if (!client_info->slave) ++ if (!client_info->slave || !is_valid_ether_addr(client_info->mac_dst)) + return; + + for (i = 0; i < RLB_ARP_BURST_SIZE; i++) { +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 3bba92fc9c1a..1325825d5225 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -8722,14 +8722,15 @@ static void tg3_free_consistent(struct tg3 *tp) + tg3_mem_rx_release(tp); + tg3_mem_tx_release(tp); + +- /* Protect tg3_get_stats64() from reading freed tp->hw_stats. */ +- tg3_full_lock(tp, 0); ++ /* tp->hw_stats can be referenced safely: ++ * 1. under rtnl_lock ++ * 2. or under tp->lock if TG3_FLAG_INIT_COMPLETE is set. 
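Review bot: gpio_rcar_irq_request_resources() returns the error from pm_runtime_get_sync() without dropping the usage count, which that call raises even when it fails, so a failed request leaves the device's runtime-PM reference unbalanced. The error branch should be `if (error < 0) { pm_runtime_put_noidle(&p->pdev->dev); return error; }`. gpio_rcar_irq_bus_lock() in the same hunk ignores the return value of pm_runtime_get_sync() altogether; since the callback returns void, a short comment saying the failure is deliberately ignored would help.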
++ */ + if (tp->hw_stats) { + dma_free_coherent(&tp->pdev->dev, sizeof(struct tg3_hw_stats), + tp->hw_stats, tp->stats_mapping); + tp->hw_stats = NULL; + } +- tg3_full_unlock(tp); + } + + /* +@@ -14163,7 +14164,7 @@ static struct rtnl_link_stats64 *tg3_get_stats64(struct net_device *dev, + struct tg3 *tp = netdev_priv(dev); + + spin_lock_bh(&tp->lock); +- if (!tp->hw_stats) { ++ if (!tp->hw_stats || !tg3_flag(tp, INIT_COMPLETE)) { + *stats = tp->net_stats_prev; + spin_unlock_bh(&tp->lock); + return stats; +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index ddb5541882f5..bcfac000199e 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -967,6 +967,22 @@ static int mlx4_en_set_coalesce(struct net_device *dev, + if (!coal->tx_max_coalesced_frames_irq) + return -EINVAL; + ++ if (coal->tx_coalesce_usecs > MLX4_EN_MAX_COAL_TIME || ++ coal->rx_coalesce_usecs > MLX4_EN_MAX_COAL_TIME || ++ coal->rx_coalesce_usecs_low > MLX4_EN_MAX_COAL_TIME || ++ coal->rx_coalesce_usecs_high > MLX4_EN_MAX_COAL_TIME) { ++ netdev_info(dev, "%s: maximum coalesce time supported is %d usecs\n", ++ __func__, MLX4_EN_MAX_COAL_TIME); ++ return -ERANGE; ++ } ++ ++ if (coal->tx_max_coalesced_frames > MLX4_EN_MAX_COAL_PKTS || ++ coal->rx_max_coalesced_frames > MLX4_EN_MAX_COAL_PKTS) { ++ netdev_info(dev, "%s: maximum coalesced frames supported is %d\n", ++ __func__, MLX4_EN_MAX_COAL_PKTS); ++ return -ERANGE; ++ } ++ + priv->rx_frames = (coal->rx_max_coalesced_frames == + MLX4_EN_AUTO_CONF) ? 
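Review bot: The new comment in tg3_free_consistent() says when tp->hw_stats may be read, but not what makes it safe to free here now that tg3_full_lock() is gone. With the check added to tg3_get_stats64() in the next hunk, safety rests on TG3_FLAG_INIT_COMPLETE being cleared under tp->lock before this function runs, and the code that clears it is not in either hunk. I would extend the comment with a line such as `* Callers must have cleared TG3_FLAG_INIT_COMPLETE under tp->lock before freeing.` so the ordering requirement is written where the free happens.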
+ MLX4_EN_RX_COAL_TARGET : +diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +index 10aa6544cf4d..607daaffae98 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -140,6 +140,9 @@ enum { + #define MLX4_EN_TX_COAL_PKTS 16 + #define MLX4_EN_TX_COAL_TIME 0x10 + ++#define MLX4_EN_MAX_COAL_PKTS U16_MAX ++#define MLX4_EN_MAX_COAL_TIME U16_MAX ++ + #define MLX4_EN_RX_RATE_LOW 400000 + #define MLX4_EN_RX_COAL_TIME_LOW 0 + #define MLX4_EN_RX_RATE_HIGH 450000 +@@ -518,8 +521,8 @@ struct mlx4_en_priv { + u16 rx_usecs_low; + u32 pkt_rate_high; + u16 rx_usecs_high; +- u16 sample_interval; +- u16 adaptive_rx_coal; ++ u32 sample_interval; ++ u32 adaptive_rx_coal; + u32 msg_enable; + u32 loopback_ok; + u32 validate_loopback; +diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c +index ef668d300800..d987d571fdd6 100644 +--- a/drivers/net/ethernet/realtek/8139too.c ++++ b/drivers/net/ethernet/realtek/8139too.c +@@ -2229,7 +2229,7 @@ static void rtl8139_poll_controller(struct net_device *dev) + struct rtl8139_private *tp = netdev_priv(dev); + const int irq = tp->pci_dev->irq; + +- disable_irq(irq); ++ disable_irq_nosync(irq); + rtl8139_interrupt(irq, dev); + enable_irq(irq); + } +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index a82c89af7124..8b4069ea52ce 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -4832,6 +4832,9 @@ static void rtl_pll_power_down(struct rtl8169_private *tp) + static void rtl_pll_power_up(struct rtl8169_private *tp) + { + rtl_generic_op(tp, tp->pll_power_ops.up); ++ ++ /* give MAC/PHY some time to resume */ ++ msleep(20); + } + + static void rtl_init_pll_power_ops(struct rtl8169_private *tp) +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index ab6051a43134..ccebf89aa1e4 100644 
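Review bot: disable_irq_nosync() in rtl8139_poll_controller() does not wait for a handler that is already running on another CPU, so the direct call to rtl8139_interrupt() on the next line can now overlap the real interrupt handler. That is only safe if rtl8139_interrupt() serialises itself, and its body is not in the hunk. Once that is confirmed, a comment on the call would record the reason for the switch, e.g. `/* _nosync: must not wait here; rtl8139_interrupt() does its own locking */`.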
+--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -3442,7 +3442,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np, + + len = (val & RCR_ENTRY_L2_LEN) >> + RCR_ENTRY_L2_LEN_SHIFT; +- len -= ETH_FCS_LEN; ++ append_size = len + ETH_HLEN + ETH_FCS_LEN; + + addr = (val & RCR_ENTRY_PKT_BUF_ADDR) << + RCR_ENTRY_PKT_BUF_ADDR_SHIFT; +@@ -3452,7 +3452,6 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np, + RCR_ENTRY_PKTBUFSZ_SHIFT]; + + off = addr & ~PAGE_MASK; +- append_size = rcr_size; + if (num_rcr == 1) { + int ptype; + +@@ -3465,7 +3464,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np, + else + skb_checksum_none_assert(skb); + } else if (!(val & RCR_ENTRY_MULTI)) +- append_size = len - skb->len; ++ append_size = append_size - skb->len; + + niu_rx_skb_append(skb, page, off, append_size, rcr_size); + if ((page->index + rp->rbr_block_size) - rcr_size == addr) { +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index a6f0a8f516d6..8aaa09b3c753 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -855,6 +855,18 @@ static int qmi_wwan_probe(struct usb_interface *intf, + id->driver_info = (unsigned long)&qmi_wwan_info; + } + ++ /* There are devices where the same interface number can be ++ * configured as different functions. 
We should only bind to ++ * vendor specific functions when matching on interface number ++ */ ++ if (id->match_flags & USB_DEVICE_ID_MATCH_INT_NUMBER && ++ desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) { ++ dev_dbg(&intf->dev, ++ "Rejecting interface number match for class %02x\n", ++ desc->bInterfaceClass); ++ return -ENODEV; ++ } ++ + /* Quectel EC20 quirk where we've QMI on interface 4 instead of 0 */ + if (quectel_ec20_detected(intf) && desc->bInterfaceNumber == 0) { + dev_dbg(&intf->dev, "Quectel EC20 quirk, skipping interface 0\n"); +diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c +index 48b3866a9ded..35286907c636 100644 +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -140,7 +140,7 @@ static int __qdio_allocate_qs(struct qdio_q **irq_ptr_qs, int nr_queues) + int i; + + for (i = 0; i < nr_queues; i++) { +- q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL); ++ q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL); + if (!q) + return -ENOMEM; + +@@ -456,7 +456,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data) + { + struct ciw *ciw; + struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data; +- int rc; + + memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib)); + memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag)); +@@ -493,16 +492,14 @@ int qdio_setup_irq(struct qdio_initialize *init_data) + ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE); + if (!ciw) { + DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no); +- rc = -EINVAL; +- goto out_err; ++ return -EINVAL; + } + irq_ptr->equeue = *ciw; + + ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE); + if (!ciw) { + DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no); +- rc = -EINVAL; +- goto out_err; ++ return -EINVAL; + } + irq_ptr->aqueue = *ciw; + +@@ -510,9 +507,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data) + irq_ptr->orig_handler = init_data->cdev->handler; + init_data->cdev->handler = qdio_int_handler; + return 0; +-out_err: +- 
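Review bot: The new condition in qmi_wwan_probe() mixes `&` and `&&` without parentheses. It evaluates as intended because `&` binds tighter, but the flag test reads more safely as `if ((id->match_flags & USB_DEVICE_ID_MATCH_INT_NUMBER) &&` and that form also avoids compiler precedence warnings. The rest of the function is outside the hunk.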
qdio_release_memory(irq_ptr); +- return rc; + } + + void qdio_print_subchannel_info(struct qdio_irq *irq_ptr, +diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c +index 34367d172961..4534a7ce77b8 100644 +--- a/drivers/s390/scsi/zfcp_dbf.c ++++ b/drivers/s390/scsi/zfcp_dbf.c +@@ -3,7 +3,7 @@ + * + * Debug traces for zfcp. + * +- * Copyright IBM Corp. 2002, 2017 ++ * Copyright IBM Corp. 2002, 2018 + */ + + #define KMSG_COMPONENT "zfcp" +@@ -287,6 +287,27 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter, + spin_unlock_irqrestore(&dbf->rec_lock, flags); + } + ++/** ++ * zfcp_dbf_rec_trig_lock - trace event related to triggered recovery with lock ++ * @tag: identifier for event ++ * @adapter: adapter on which the erp_action should run ++ * @port: remote port involved in the erp_action ++ * @sdev: scsi device involved in the erp_action ++ * @want: wanted erp_action ++ * @need: required erp_action ++ * ++ * The adapter->erp_lock must not be held. ++ */ ++void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter, ++ struct zfcp_port *port, struct scsi_device *sdev, ++ u8 want, u8 need) ++{ ++ unsigned long flags; ++ ++ read_lock_irqsave(&adapter->erp_lock, flags); ++ zfcp_dbf_rec_trig(tag, adapter, port, sdev, want, need); ++ read_unlock_irqrestore(&adapter->erp_lock, flags); ++} + + /** + * zfcp_dbf_rec_run_lvl - trace event related to running recovery +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index 21c8c689b02b..7a7984a50683 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -3,7 +3,7 @@ + * + * External function declarations. + * +- * Copyright IBM Corp. 2002, 2016 ++ * Copyright IBM Corp. 
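Review bot: With the `out_err` label removed, qdio_setup_irq() returns -EINVAL from the two ccw_device_get_ciw() checks in the previous hunk without calling qdio_release_memory(irq_ptr), so the memory stays allocated until the caller releases it. The caller is not in these hunks, so it cannot be confirmed here that every error return is followed by a release. The function has no header comment stating the new ownership rule; I would add `/* On failure the caller keeps ownership of irq_ptr and must release it. */` above it.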
2002, 2018 + */ + + #ifndef ZFCP_EXT_H +@@ -34,6 +34,9 @@ extern int zfcp_dbf_adapter_register(struct zfcp_adapter *); + extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *); + extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *, + struct zfcp_port *, struct scsi_device *, u8, u8); ++extern void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter, ++ struct zfcp_port *port, ++ struct scsi_device *sdev, u8 want, u8 need); + extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *); + extern void zfcp_dbf_rec_run_lvl(int level, char *tag, + struct zfcp_erp_action *erp); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index a9b8104b982e..bb99db2948ab 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -3,7 +3,7 @@ + * + * Interface to Linux SCSI midlayer. + * +- * Copyright IBM Corp. 2002, 2017 ++ * Copyright IBM Corp. 2002, 2018 + */ + + #define KMSG_COMPONENT "zfcp" +@@ -616,9 +616,9 @@ static void zfcp_scsi_rport_register(struct zfcp_port *port) + ids.port_id = port->d_id; + ids.roles = FC_RPORT_ROLE_FCP_TARGET; + +- zfcp_dbf_rec_trig("scpaddy", port->adapter, port, NULL, +- ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD, +- ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD); ++ zfcp_dbf_rec_trig_lock("scpaddy", port->adapter, port, NULL, ++ ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD, ++ ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD); + rport = fc_remote_port_add(port->adapter->scsi_host, 0, &ids); + if (!rport) { + dev_err(&port->adapter->ccw_device->dev, +@@ -640,9 +640,9 @@ static void zfcp_scsi_rport_block(struct zfcp_port *port) + struct fc_rport *rport = port->rport; + + if (rport) { +- zfcp_dbf_rec_trig("scpdely", port->adapter, port, NULL, +- ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL, +- ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL); ++ zfcp_dbf_rec_trig_lock("scpdely", port->adapter, port, NULL, ++ ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL, ++ ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL); + fc_remote_port_delete(rport); + port->rport = NULL; + } +diff 
--git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c +index 519dac4e341e..9a8c2f97ed70 100644 +--- a/drivers/scsi/libsas/sas_scsi_host.c ++++ b/drivers/scsi/libsas/sas_scsi_host.c +@@ -222,6 +222,7 @@ out_done: + static void sas_eh_finish_cmd(struct scsi_cmnd *cmd) + { + struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host); ++ struct domain_device *dev = cmd_to_domain_dev(cmd); + struct sas_task *task = TO_SAS_TASK(cmd); + + /* At this point, we only get called following an actual abort +@@ -230,6 +231,14 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd) + */ + sas_end_task(cmd, task); + ++ if (dev_is_sata(dev)) { ++ /* defer commands to libata so that libata EH can ++ * handle ata qcs correctly ++ */ ++ list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q); ++ return; ++ } ++ + /* now finish the command and move it on to the error + * handler done list, this also takes it off the + * error handler pending list. +@@ -237,22 +246,6 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd) + scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q); + } + +-static void sas_eh_defer_cmd(struct scsi_cmnd *cmd) +-{ +- struct domain_device *dev = cmd_to_domain_dev(cmd); +- struct sas_ha_struct *ha = dev->port->ha; +- struct sas_task *task = TO_SAS_TASK(cmd); +- +- if (!dev_is_sata(dev)) { +- sas_eh_finish_cmd(cmd); +- return; +- } +- +- /* report the timeout to libata */ +- sas_end_task(cmd, task); +- list_move_tail(&cmd->eh_entry, &ha->eh_ata_q); +-} +- + static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd) + { + struct scsi_cmnd *cmd, *n; +@@ -260,7 +253,7 @@ static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd + list_for_each_entry_safe(cmd, n, error_q, eh_entry) { + if (cmd->device->sdev_target == my_cmd->device->sdev_target && + cmd->device->lun == my_cmd->device->lun) +- sas_eh_defer_cmd(cmd); ++ sas_eh_finish_cmd(cmd); + } + } + +@@ -622,12 +615,12 @@ static void 
sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head * + case TASK_IS_DONE: + SAS_DPRINTK("%s: task 0x%p is done\n", __func__, + task); +- sas_eh_defer_cmd(cmd); ++ sas_eh_finish_cmd(cmd); + continue; + case TASK_IS_ABORTED: + SAS_DPRINTK("%s: task 0x%p is aborted\n", + __func__, task); +- sas_eh_defer_cmd(cmd); ++ sas_eh_finish_cmd(cmd); + continue; + case TASK_IS_AT_LU: + SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task); +@@ -638,7 +631,7 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head * + "recovered\n", + SAS_ADDR(task->dev), + cmd->device->lun); +- sas_eh_defer_cmd(cmd); ++ sas_eh_finish_cmd(cmd); + sas_scsi_clear_queue_lu(work_q, cmd); + goto Again; + } +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index cb19c9ad1b57..841f3fbec77c 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1903,7 +1903,7 @@ retry: + num = (rem_sz > scatter_elem_sz_prev) ? + scatter_elem_sz_prev : rem_sz; + +- schp->pages[k] = alloc_pages(gfp_mask, order); ++ schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order); + if (!schp->pages[k]) + goto out; + +diff --git a/drivers/spi/spi-pxa2xx.h b/drivers/spi/spi-pxa2xx.h +index 58efa98313aa..24c07fea9de2 100644 +--- a/drivers/spi/spi-pxa2xx.h ++++ b/drivers/spi/spi-pxa2xx.h +@@ -38,7 +38,7 @@ struct driver_data { + + /* SSP register addresses */ + void __iomem *ioaddr; +- u32 ssdr_physical; ++ phys_addr_t ssdr_physical; + + /* SSP masks*/ + u32 dma_cr1; +diff --git a/drivers/usb/usbip/stub.h b/drivers/usb/usbip/stub.h +index 266e2b0ce9a8..47ccd73a74f0 100644 +--- a/drivers/usb/usbip/stub.h ++++ b/drivers/usb/usbip/stub.h +@@ -88,6 +88,7 @@ struct bus_id_priv { + struct stub_device *sdev; + struct usb_device *udev; + char shutdown_busid; ++ spinlock_t busid_lock; + }; + + /* stub_priv is allocated from stub_priv_cache */ +@@ -98,6 +99,7 @@ extern struct usb_device_driver stub_driver; + + /* stub_main.c */ + struct bus_id_priv *get_busid_priv(const char *busid); ++void 
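Review bot: The `__GFP_ZERO` added to the alloc_pages() call is unexplained at the call site, and a later cleanup could drop it as a needless cost. Presumably it is there so that pages handed to a request never carry stale kernel memory back to user space when a transfer is short or fails; a comment saying so would protect it, e.g. `/* always zero: these pages can be copied to user space */`. If gfp_mask is given `__GFP_ZERO` conditionally earlier in the function (the hunk starts mid-function, so this is not visible), that condition is now redundant and should be removed in the same change.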
put_busid_priv(struct bus_id_priv *bid); + int del_match_busid(char *busid); + void stub_device_cleanup_urbs(struct stub_device *sdev); + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index 0931f3271119..4aad99a59958 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -314,9 +314,9 @@ static int stub_probe(struct usb_device *udev) + struct stub_device *sdev = NULL; + const char *udev_busid = dev_name(&udev->dev); + struct bus_id_priv *busid_priv; +- int rc; ++ int rc = 0; + +- dev_dbg(&udev->dev, "Enter\n"); ++ dev_dbg(&udev->dev, "Enter probe\n"); + + /* check we should claim or not by busid_table */ + busid_priv = get_busid_priv(udev_busid); +@@ -331,13 +331,15 @@ static int stub_probe(struct usb_device *udev) + * other matched drivers by the driver core. + * See driver_probe_device() in driver/base/dd.c + */ +- return -ENODEV; ++ rc = -ENODEV; ++ goto call_put_busid_priv; + } + + if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) { + dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n", + udev_busid); +- return -ENODEV; ++ rc = -ENODEV; ++ goto call_put_busid_priv; + } + + if (!strcmp(udev->bus->bus_name, "vhci_hcd")) { +@@ -345,13 +347,16 @@ static int stub_probe(struct usb_device *udev) + "%s is attached on vhci_hcd... 
skip!\n", + udev_busid); + +- return -ENODEV; ++ rc = -ENODEV; ++ goto call_put_busid_priv; + } + + /* ok, this is my device */ + sdev = stub_device_alloc(udev); +- if (!sdev) +- return -ENOMEM; ++ if (!sdev) { ++ rc = -ENOMEM; ++ goto call_put_busid_priv; ++ } + + dev_info(&udev->dev, + "usbip-host: register new device (bus %u dev %u)\n", +@@ -383,7 +388,9 @@ static int stub_probe(struct usb_device *udev) + } + busid_priv->status = STUB_BUSID_ALLOC; + +- return 0; ++ rc = 0; ++ goto call_put_busid_priv; ++ + err_files: + usb_hub_release_port(udev->parent, udev->portnum, + (struct usb_dev_state *) udev); +@@ -394,6 +401,9 @@ err_port: + + busid_priv->sdev = NULL; + stub_device_free(sdev); ++ ++call_put_busid_priv: ++ put_busid_priv(busid_priv); + return rc; + } + +@@ -419,7 +429,7 @@ static void stub_disconnect(struct usb_device *udev) + struct bus_id_priv *busid_priv; + int rc; + +- dev_dbg(&udev->dev, "Enter\n"); ++ dev_dbg(&udev->dev, "Enter disconnect\n"); + + busid_priv = get_busid_priv(udev_busid); + if (!busid_priv) { +@@ -432,7 +442,7 @@ static void stub_disconnect(struct usb_device *udev) + /* get stub_device */ + if (!sdev) { + dev_err(&udev->dev, "could not get device"); +- return; ++ goto call_put_busid_priv; + } + + dev_set_drvdata(&udev->dev, NULL); +@@ -447,12 +457,12 @@ static void stub_disconnect(struct usb_device *udev) + (struct usb_dev_state *) udev); + if (rc) { + dev_dbg(&udev->dev, "unable to release port\n"); +- return; ++ goto call_put_busid_priv; + } + + /* If usb reset is called from event handler */ + if (busid_priv->sdev->ud.eh == current) +- return; ++ goto call_put_busid_priv; + + /* shutdown the current connection */ + shutdown_busid(busid_priv); +@@ -463,12 +473,11 @@ static void stub_disconnect(struct usb_device *udev) + busid_priv->sdev = NULL; + stub_device_free(sdev); + +- if (busid_priv->status == STUB_BUSID_ALLOC) { ++ if (busid_priv->status == STUB_BUSID_ALLOC) + busid_priv->status = STUB_BUSID_ADDED; +- } else { +- 
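Review bot: get_busid_priv() now returns with the busid_lock spinlock held, and stub_probe() keeps it held across stub_device_alloc() and everything that follows until `call_put_busid_priv`. If any of those calls can sleep (a GFP_KERNEL allocation, sysfs file creation, claiming the hub port), this is sleeping in atomic context; their bodies are not in the diff, so this needs checking. The stub_disconnect() hunks below have the same shape around shutdown_busid() and stub_device_free(). I would read and update the busid_priv fields under the lock and call put_busid_priv() before the allocation and registration work, re-taking it only to publish sdev and status.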
busid_priv->status = STUB_BUSID_OTHER; +- del_match_busid((char *)udev_busid); +- } ++ ++call_put_busid_priv: ++ put_busid_priv(busid_priv); + } + + #ifdef CONFIG_PM +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index f761e02e75c9..fa90496ca7a8 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -28,6 +28,7 @@ + #define DRIVER_DESC "USB/IP Host Driver" + + struct kmem_cache *stub_priv_cache; ++ + /* + * busid_tables defines matching busids that usbip can grab. A user can change + * dynamically what device is locally used and what device is exported to a +@@ -39,6 +40,8 @@ static spinlock_t busid_table_lock; + + static void init_busid_table(void) + { ++ int i; ++ + /* + * This also sets the bus_table[i].status to + * STUB_BUSID_OTHER, which is 0. +@@ -46,6 +49,9 @@ static void init_busid_table(void) + memset(busid_table, 0, sizeof(busid_table)); + + spin_lock_init(&busid_table_lock); ++ ++ for (i = 0; i < MAX_BUSID; i++) ++ spin_lock_init(&busid_table[i].busid_lock); + } + + /* +@@ -57,15 +63,20 @@ static int get_busid_idx(const char *busid) + int i; + int idx = -1; + +- for (i = 0; i < MAX_BUSID; i++) ++ for (i = 0; i < MAX_BUSID; i++) { ++ spin_lock(&busid_table[i].busid_lock); + if (busid_table[i].name[0]) + if (!strncmp(busid_table[i].name, busid, BUSID_SIZE)) { + idx = i; ++ spin_unlock(&busid_table[i].busid_lock); + break; + } ++ spin_unlock(&busid_table[i].busid_lock); ++ } + return idx; + } + ++/* Returns holding busid_lock. 
Should call put_busid_priv() to unlock */ + struct bus_id_priv *get_busid_priv(const char *busid) + { + int idx; +@@ -73,13 +84,22 @@ struct bus_id_priv *get_busid_priv(const char *busid) + + spin_lock(&busid_table_lock); + idx = get_busid_idx(busid); +- if (idx >= 0) ++ if (idx >= 0) { + bid = &(busid_table[idx]); ++ /* get busid_lock before returning */ ++ spin_lock(&bid->busid_lock); ++ } + spin_unlock(&busid_table_lock); + + return bid; + } + ++void put_busid_priv(struct bus_id_priv *bid) ++{ ++ if (bid) ++ spin_unlock(&bid->busid_lock); ++} ++ + static int add_match_busid(char *busid) + { + int i; +@@ -92,15 +112,19 @@ static int add_match_busid(char *busid) + goto out; + } + +- for (i = 0; i < MAX_BUSID; i++) ++ for (i = 0; i < MAX_BUSID; i++) { ++ spin_lock(&busid_table[i].busid_lock); + if (!busid_table[i].name[0]) { + strlcpy(busid_table[i].name, busid, BUSID_SIZE); + if ((busid_table[i].status != STUB_BUSID_ALLOC) && + (busid_table[i].status != STUB_BUSID_REMOV)) + busid_table[i].status = STUB_BUSID_ADDED; + ret = 0; ++ spin_unlock(&busid_table[i].busid_lock); + break; + } ++ spin_unlock(&busid_table[i].busid_lock); ++ } + + out: + spin_unlock(&busid_table_lock); +@@ -121,6 +145,8 @@ int del_match_busid(char *busid) + /* found */ + ret = 0; + ++ spin_lock(&busid_table[idx].busid_lock); ++ + if (busid_table[idx].status == STUB_BUSID_OTHER) + memset(busid_table[idx].name, 0, BUSID_SIZE); + +@@ -128,6 +154,7 @@ int del_match_busid(char *busid) + (busid_table[idx].status != STUB_BUSID_ADDED)) + busid_table[idx].status = STUB_BUSID_REMOV; + ++ spin_unlock(&busid_table[idx].busid_lock); + out: + spin_unlock(&busid_table_lock); + +@@ -140,9 +167,12 @@ static ssize_t show_match_busid(struct device_driver *drv, char *buf) + char *out = buf; + + spin_lock(&busid_table_lock); +- for (i = 0; i < MAX_BUSID; i++) ++ for (i = 0; i < MAX_BUSID; i++) { ++ spin_lock(&busid_table[i].busid_lock); + if (busid_table[i].name[0]) + out += sprintf(out, "%s ", 
busid_table[i].name); ++ spin_unlock(&busid_table[i].busid_lock); ++ } + spin_unlock(&busid_table_lock); + out += sprintf(out, "\n"); + +@@ -184,6 +214,51 @@ static ssize_t store_match_busid(struct device_driver *dev, const char *buf, + static DRIVER_ATTR(match_busid, S_IRUSR | S_IWUSR, show_match_busid, + store_match_busid); + ++static int do_rebind(char *busid, struct bus_id_priv *busid_priv) ++{ ++ int ret; ++ ++ /* device_attach() callers should hold parent lock for USB */ ++ if (busid_priv->udev->dev.parent) ++ device_lock(busid_priv->udev->dev.parent); ++ ret = device_attach(&busid_priv->udev->dev); ++ if (busid_priv->udev->dev.parent) ++ device_unlock(busid_priv->udev->dev.parent); ++ if (ret < 0) { ++ dev_err(&busid_priv->udev->dev, "rebind failed\n"); ++ return ret; ++ } ++ return 0; ++} ++ ++static void stub_device_rebind(void) ++{ ++#if IS_MODULE(CONFIG_USBIP_HOST) ++ struct bus_id_priv *busid_priv; ++ int i; ++ ++ /* update status to STUB_BUSID_OTHER so probe ignores the device */ ++ spin_lock(&busid_table_lock); ++ for (i = 0; i < MAX_BUSID; i++) { ++ if (busid_table[i].name[0] && ++ busid_table[i].shutdown_busid) { ++ busid_priv = &(busid_table[i]); ++ busid_priv->status = STUB_BUSID_OTHER; ++ } ++ } ++ spin_unlock(&busid_table_lock); ++ ++ /* now run rebind - no need to hold locks. 
driver files are removed */ ++ for (i = 0; i < MAX_BUSID; i++) { ++ if (busid_table[i].name[0] && ++ busid_table[i].shutdown_busid) { ++ busid_priv = &(busid_table[i]); ++ do_rebind(busid_table[i].name, busid_priv); ++ } ++ } ++#endif ++} ++ + static ssize_t rebind_store(struct device_driver *dev, const char *buf, + size_t count) + { +@@ -201,16 +276,17 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf, + if (!bid) + return -ENODEV; + +- /* device_attach() callers should hold parent lock for USB */ +- if (bid->udev->dev.parent) +- device_lock(bid->udev->dev.parent); +- ret = device_attach(&bid->udev->dev); +- if (bid->udev->dev.parent) +- device_unlock(bid->udev->dev.parent); +- if (ret < 0) { +- dev_err(&bid->udev->dev, "rebind failed\n"); ++ /* mark the device for deletion so probe ignores it during rescan */ ++ bid->status = STUB_BUSID_OTHER; ++ /* release the busid lock */ ++ put_busid_priv(bid); ++ ++ ret = do_rebind((char *) buf, bid); ++ if (ret < 0) + return ret; +- } ++ ++ /* delete device from busid_table */ ++ del_match_busid((char *) buf); + + return count; + } +@@ -333,6 +409,9 @@ static void __exit usbip_host_exit(void) + */ + usb_deregister_device_driver(&stub_driver); + ++ /* initiate scan to attach devices */ ++ stub_device_rebind(); ++ + kmem_cache_destroy(stub_priv_cache); + } + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 0f2b7c622ce3..e2f5be261532 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2497,10 +2497,8 @@ read_block_for_search(struct btrfs_trans_handle *trans, + if (p->reada) + reada_for_search(root, p, level, slot, key->objectid); + +- btrfs_release_path(p); +- + ret = -EAGAIN; +- tmp = read_tree_block(root, blocknr, 0); ++ tmp = read_tree_block(root, blocknr, gen); + if (!IS_ERR(tmp)) { + /* + * If the read above didn't mark this buffer up to date, +@@ -2512,6 +2510,8 @@ read_block_for_search(struct btrfs_trans_handle *trans, + ret = -EIO; + free_extent_buffer(tmp); + } ++ ++ 
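Review bot: do_rebind() dereferences `busid_priv->udev` with neither busid_table_lock nor the entry's busid_lock held. This happens in the second loop of stub_device_rebind() and again from rebind_store() in the next hunk, which calls put_busid_priv() before do_rebind(). device_attach() may sleep, so the spinlock has to be dropped, but nothing visible here shows what keeps `udev` non-NULL and alive across that window. If another path can clear it, a guard such as `if (!busid_priv->udev) return -ENODEV;` only narrows the race; taking a device reference while the lock is still held would be sturdier. Separately, the first loop writes `status` under busid_table_lock alone although the rest of this patch guards that field with busid_lock, and the `busid` parameter of do_rebind() is never used.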
btrfs_release_path(p); + return ret; + } + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index d6359af9789d..6ba022ed4a52 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4568,6 +4568,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, + struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree; + u64 logged_isize = 0; + bool need_log_inode_item = true; ++ bool xattrs_logged = false; + + path = btrfs_alloc_path(); + if (!path) +@@ -4808,6 +4809,7 @@ next_slot: + err = btrfs_log_all_xattrs(trans, root, inode, path, dst_path); + if (err) + goto out_unlock; ++ xattrs_logged = true; + if (max_key.type >= BTRFS_EXTENT_DATA_KEY && !fast_search) { + btrfs_release_path(path); + btrfs_release_path(dst_path); +@@ -4820,6 +4822,11 @@ log_extents: + btrfs_release_path(dst_path); + if (need_log_inode_item) { + err = log_inode_item(trans, log, dst_path, inode); ++ if (!err && !xattrs_logged) { ++ err = btrfs_log_all_xattrs(trans, root, inode, path, ++ dst_path); ++ btrfs_release_path(path); ++ } + if (err) + goto out_unlock; + } +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 6d874b1cd53c..ed75d70b4bc2 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3850,6 +3850,15 @@ int btrfs_resume_balance_async(struct btrfs_fs_info *fs_info) + return 0; + } + ++ /* ++ * A ro->rw remount sequence should continue with the paused balance ++ * regardless of who pauses it, system or the user as of now, so set ++ * the resume flag. 
++ */ ++ spin_lock(&fs_info->balance_lock); ++ fs_info->balance_ctl->flags |= BTRFS_BALANCE_RESUME; ++ spin_unlock(&fs_info->balance_lock); ++ + tsk = kthread_run(balance_kthread, fs_info, "btrfs-balance"); + return PTR_ERR_OR_ZERO(tsk); + } +diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c +index 0aa9bf6e6e53..f600c43f0047 100644 +--- a/fs/ext2/inode.c ++++ b/fs/ext2/inode.c +@@ -1175,21 +1175,11 @@ do_indirects: + + static void ext2_truncate_blocks(struct inode *inode, loff_t offset) + { +- /* +- * XXX: it seems like a bug here that we don't allow +- * IS_APPEND inode to have blocks-past-i_size trimmed off. +- * review and fix this. +- * +- * Also would be nice to be able to handle IO errors and such, +- * but that's probably too much to ask. +- */ + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) || + S_ISLNK(inode->i_mode))) + return; + if (ext2_inode_is_fast_symlink(inode)) + return; +- if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) +- return; + + dax_sem_down_write(EXT2_I(inode)); + __ext2_truncate_blocks(inode, offset); +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c +index 7302d96ae8bf..fa40e756c501 100644 +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -585,6 +585,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent) + return 0; + + out_put_hidden_dir: ++ cancel_delayed_work_sync(&sbi->sync_work); + iput(sbi->hidden_dir); + out_put_root: + dput(sb->s_root); +diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c +index a2edb0049eb5..f038d4ac9aec 100644 +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -271,6 +271,8 @@ static void lockd_down_net(struct svc_serv *serv, struct net *net) + if (ln->nlmsvc_users) { + if (--ln->nlmsvc_users == 0) { + nlm_shutdown_hosts_net(net); ++ cancel_delayed_work_sync(&ln->grace_period_end); ++ locks_end_grace(&ln->lockd_manager); + svc_shutdown_net(serv, net); + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net); + } +diff --git a/fs/pipe.c b/fs/pipe.c +index 
39eff9a67253..1e7263bb837a 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -616,6 +616,9 @@ struct pipe_inode_info *alloc_pipe_info(void) + unsigned long pipe_bufs = PIPE_DEF_BUFFERS; + struct user_struct *user = get_current_user(); + ++ if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE)) ++ pipe_bufs = pipe_max_size >> PAGE_SHIFT; ++ + if (!too_many_pipe_buffers_hard(user)) { + if (too_many_pipe_buffers_soft(user)) + pipe_bufs = 1; +diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c +index 9155a5a0d3b9..df4661abadc4 100644 +--- a/fs/proc/meminfo.c ++++ b/fs/proc/meminfo.c +@@ -57,11 +57,8 @@ static int meminfo_proc_show(struct seq_file *m, void *v) + /* + * Estimate the amount of memory available for userspace allocations, + * without causing swapping. +- * +- * Free memory cannot be taken below the low watermark, before the +- * system starts swapping. + */ +- available = i.freeram - wmark_low; ++ available = i.freeram - totalreserve_pages; + + /* + * Not all the page cache can be freed, otherwise the system will +diff --git a/include/asm-generic/futex.h b/include/asm-generic/futex.h +index bf2d34c9d804..f0d8b1c51343 100644 +--- a/include/asm-generic/futex.h ++++ b/include/asm-generic/futex.h +@@ -13,7 +13,7 @@ + */ + + /** +- * futex_atomic_op_inuser() - Atomic arithmetic operation with constant ++ * arch_futex_atomic_op_inuser() - Atomic arithmetic operation with constant + * argument and comparison of the previous + * futex value with another constant. 
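Review bot: `pipe_max_size` is read twice in the added check in alloc_pipe_info(), once for the comparison and once for the shift, so a concurrent update of the limit can make the two reads disagree. Snapshot it once, `unsigned int max_size = READ_ONCE(pipe_max_size);`, and use `max_size` in both places. If the limit can ever be set below PAGE_SIZE (its lower bound is not visible here), `pipe_max_size >> PAGE_SHIFT` yields 0 buffers, which is worth ruling out or clamping to 1. The function body continues outside the hunk.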
+ * +@@ -25,18 +25,11 @@ + * <0 - On error + */ + static inline int +-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval, ret; + u32 tmp; + +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- + preempt_disable(); + pagefault_disable(); + +@@ -74,17 +67,9 @@ out_pagefault_enable: + pagefault_enable(); + preempt_enable(); + +- if (ret == 0) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (ret == 0) ++ *oval = oldval; ++ + return ret; + } + +@@ -126,18 +111,9 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + + #else + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, u32 __user *uaddr) + { +- int op = (encoded_op >> 28) & 7; +- int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; + int oldval = 0, ret; +- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; +- +- if (! 
access_ok (VERIFY_WRITE, uaddr, sizeof(u32))) +- return -EFAULT; + + pagefault_disable(); + +@@ -153,17 +129,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) + + pagefault_enable(); + +- if (!ret) { +- switch (cmp) { +- case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break; +- case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break; +- case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break; +- case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break; +- case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break; +- case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break; +- default: ret = -ENOSYS; +- } +- } ++ if (!ret) ++ *oval = oldval; ++ + return ret; + } + +diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h +index c47c68e535e8..a16d1851cfb1 100644 +--- a/include/linux/dmaengine.h ++++ b/include/linux/dmaengine.h +@@ -767,6 +767,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_slave_single( + sg_dma_address(&sg) = buf; + sg_dma_len(&sg) = len; + ++ if (!chan || !chan->device || !chan->device->device_prep_slave_sg) ++ return NULL; ++ + return chan->device->device_prep_slave_sg(chan, &sg, 1, + dir, flags, NULL); + } +@@ -775,6 +778,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_slave_sg( + struct dma_chan *chan, struct scatterlist *sgl, unsigned int sg_len, + enum dma_transfer_direction dir, unsigned long flags) + { ++ if (!chan || !chan->device || !chan->device->device_prep_slave_sg) ++ return NULL; ++ + return chan->device->device_prep_slave_sg(chan, sgl, sg_len, + dir, flags, NULL); + } +@@ -786,6 +792,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_rio_sg( + enum dma_transfer_direction dir, unsigned long flags, + struct rio_dma_ext *rio_ext) + { ++ if (!chan || !chan->device || !chan->device->device_prep_slave_sg) ++ return NULL; ++ + return chan->device->device_prep_slave_sg(chan, sgl, sg_len, + dir, flags, rio_ext); + } +@@ -796,6 +805,9 @@ static inline struct dma_async_tx_descriptor 
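Review bot: The `#else` variant of arch_futex_atomic_op_inuser() no longer calls access_ok() on `uaddr`, so it is only safe when the caller has already validated the user pointer. The futex_atomic_op_inuser() wrapper added to kernel/futex.c later in this patch does that, but nothing at the definition records the precondition for any other caller. I would add a comment above the function such as `/* Caller must have checked access_ok(VERIFY_WRITE, uaddr, sizeof(u32)). */`. The function body continues past the end of the hunk.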
*dmaengine_prep_dma_cyclic( + size_t period_len, enum dma_transfer_direction dir, + unsigned long flags) + { ++ if (!chan || !chan->device || !chan->device->device_prep_dma_cyclic) ++ return NULL; ++ + return chan->device->device_prep_dma_cyclic(chan, buf_addr, buf_len, + period_len, dir, flags); + } +@@ -804,6 +816,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_interleaved_dma( + struct dma_chan *chan, struct dma_interleaved_template *xt, + unsigned long flags) + { ++ if (!chan || !chan->device || !chan->device->device_prep_interleaved_dma) ++ return NULL; ++ + return chan->device->device_prep_interleaved_dma(chan, xt, flags); + } + +@@ -811,7 +826,7 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_dma_memset( + struct dma_chan *chan, dma_addr_t dest, int value, size_t len, + unsigned long flags) + { +- if (!chan || !chan->device) ++ if (!chan || !chan->device || !chan->device->device_prep_dma_memset) + return NULL; + + return chan->device->device_prep_dma_memset(chan, dest, value, +@@ -824,6 +839,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_dma_sg( + struct scatterlist *src_sg, unsigned int src_nents, + unsigned long flags) + { ++ if (!chan || !chan->device || !chan->device->device_prep_dma_sg) ++ return NULL; ++ + return chan->device->device_prep_dma_sg(chan, dst_sg, dst_nents, + src_sg, src_nents, flags); + } +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 47be3ad7d3e5..7af95b58ebf3 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -364,8 +364,8 @@ typedef struct { + u32 attributes; + u32 get_bar_attributes; + u32 set_bar_attributes; +- uint64_t romsize; +- void *romimage; ++ u64 romsize; ++ u32 romimage; + } efi_pci_io_protocol_32; + + typedef struct { +@@ -384,8 +384,8 @@ typedef struct { + u64 attributes; + u64 get_bar_attributes; + u64 set_bar_attributes; +- uint64_t romsize; +- void *romimage; ++ u64 romsize; ++ u64 romimage; + } efi_pci_io_protocol_64; + + typedef struct 
{ +diff --git a/include/linux/signal.h b/include/linux/signal.h +index d80259afb9e5..bcc094cb697c 100644 +--- a/include/linux/signal.h ++++ b/include/linux/signal.h +@@ -97,6 +97,23 @@ static inline int sigisemptyset(sigset_t *set) + } + } + ++static inline int sigequalsets(const sigset_t *set1, const sigset_t *set2) ++{ ++ switch (_NSIG_WORDS) { ++ case 4: ++ return (set1->sig[3] == set2->sig[3]) && ++ (set1->sig[2] == set2->sig[2]) && ++ (set1->sig[1] == set2->sig[1]) && ++ (set1->sig[0] == set2->sig[0]); ++ case 2: ++ return (set1->sig[1] == set2->sig[1]) && ++ (set1->sig[0] == set2->sig[0]); ++ case 1: ++ return set1->sig[0] == set2->sig[0]; ++ } ++ return 0; ++} ++ + #define sigmask(sig) (1UL << ((sig) - 1)) + + #ifndef __HAVE_ARCH_SIG_SETOPS +diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h +index bce990f5a35d..d6be935caa50 100644 +--- a/include/trace/events/xen.h ++++ b/include/trace/events/xen.h +@@ -377,22 +377,6 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd, + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin); + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin); + +-TRACE_EVENT(xen_mmu_flush_tlb_all, +- TP_PROTO(int x), +- TP_ARGS(x), +- TP_STRUCT__entry(__array(char, x, 0)), +- TP_fast_assign((void)x), +- TP_printk("%s", "") +- ); +- +-TRACE_EVENT(xen_mmu_flush_tlb, +- TP_PROTO(int x), +- TP_ARGS(x), +- TP_STRUCT__entry(__array(char, x, 0)), +- TP_fast_assign((void)x), +- TP_printk("%s", "") +- ); +- + TRACE_EVENT(xen_mmu_flush_tlb_single, + TP_PROTO(unsigned long addr), + TP_ARGS(addr), +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index 1f0b4cf5dd03..f4227173b5d8 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2195,6 +2195,8 @@ enum nl80211_attrs { + #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS + #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS + ++#define NL80211_WIPHY_NAME_MAXLEN 128 ++ + #define NL80211_MAX_SUPP_RATES 32 + #define NL80211_MAX_SUPP_HT_RATES 77 + #define 
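Review bot: sigequalsets() has no `default:` arm, so for any `_NSIG_WORDS` other than 4, 2 or 1 it falls through to `return 0` and silently reports the sets as different. That is the conservative answer for the caller this patch adds in kernel/signal.c, which then just takes the locked path, but it hides an unsupported configuration instead of surfacing it. A `default:` arm that fails the build, for example `default: BUILD_BUG();`, would make the limitation explicit. It is worth matching whatever the neighbouring helpers in this header do for that case, which is not visible in the hunk.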
NL80211_MAX_SUPP_REG_RULES 64 +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 4bdea31cf6ce..7444f95f3ee9 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1981,14 +1981,16 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, + if (!audit_enabled) + return; + ++ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); ++ if (!ab) ++ return; ++ ++ + uid = from_kuid(&init_user_ns, task_uid(current)); + oldloginuid = from_kuid(&init_user_ns, koldloginuid); + loginuid = from_kuid(&init_user_ns, kloginuid), + tty = audit_get_tty(current); + +- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); +- if (!ab) +- return; + audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid); + audit_log_task_context(ab); + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d", +diff --git a/kernel/exit.c b/kernel/exit.c +index ffba5df4abd5..f20e6339761b 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1608,6 +1608,10 @@ SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr, + __WNOTHREAD|__WCLONE|__WALL)) + return -EINVAL; + ++ /* -INT_MIN is not defined */ ++ if (upid == INT_MIN) ++ return -ESRCH; ++ + if (upid == -1) + type = PIDTYPE_MAX; + else if (upid < 0) { +diff --git a/kernel/futex.c b/kernel/futex.c +index a12aa6785361..a26d217c99fe 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -666,13 +666,14 @@ again: + * this reference was taken by ihold under the page lock + * pinning the inode in place so i_lock was unnecessary. The + * only way for this check to fail is if the inode was +- * truncated in parallel so warn for now if this happens. ++ * truncated in parallel which is almost certainly an ++ * application bug. In such a case, just retry. + * + * We are not calling into get_futex_key_refs() in file-backed + * cases, therefore a successful atomic_inc return below will + * guarantee that get_futex_key() will still imply smp_mb(); (B). 
+ */ +- if (WARN_ON_ONCE(!atomic_inc_not_zero(&inode->i_count))) { ++ if (!atomic_inc_not_zero(&inode->i_count)) { + rcu_read_unlock(); + put_page(page_head); + +@@ -1452,6 +1453,45 @@ out: + return ret; + } + ++static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) ++{ ++ unsigned int op = (encoded_op & 0x70000000) >> 28; ++ unsigned int cmp = (encoded_op & 0x0f000000) >> 24; ++ int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 11); ++ int cmparg = sign_extend32(encoded_op & 0x00000fff, 11); ++ int oldval, ret; ++ ++ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { ++ if (oparg < 0 || oparg > 31) ++ return -EINVAL; ++ oparg = 1 << oparg; ++ } ++ ++ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) ++ return -EFAULT; ++ ++ ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr); ++ if (ret) ++ return ret; ++ ++ switch (cmp) { ++ case FUTEX_OP_CMP_EQ: ++ return oldval == cmparg; ++ case FUTEX_OP_CMP_NE: ++ return oldval != cmparg; ++ case FUTEX_OP_CMP_LT: ++ return oldval < cmparg; ++ case FUTEX_OP_CMP_GE: ++ return oldval >= cmparg; ++ case FUTEX_OP_CMP_LE: ++ return oldval <= cmparg; ++ case FUTEX_OP_CMP_GT: ++ return oldval > cmparg; ++ default: ++ return -ENOSYS; ++ } ++} ++ + /* + * Wake up all waiters hashed on the physical page that is mapped + * to this virtual address: +diff --git a/kernel/signal.c b/kernel/signal.c +index 4a548c6a4118..7d75bc2d042f 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2495,6 +2495,13 @@ void __set_current_blocked(const sigset_t *newset) + { + struct task_struct *tsk = current; + ++ /* ++ * In case the signal mask hasn't changed, there is nothing we need ++ * to do. The current->blocked shouldn't be modified by other task. 
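Review bot: In the new futex_atomic_op_inuser(), `oparg = 1 << oparg;` is reached with `oparg` up to 31, and shifting a signed `int` 1 by 31 moves a bit into the sign position, which ISO C leaves undefined. Kernel build flags may make this wrap as intended, but `oparg = 1U << oparg;` gives the same bit pattern without relying on that. The range check just above it is what keeps the shift count valid, so the two lines should stay together. A short comment describing the `encoded_op` bit layout behind the four mask constants would also help readers.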
++ */ ++ if (sigequalsets(&tsk->blocked, newset)) ++ return; ++ + spin_lock_irq(&tsk->sighand->siglock); + __set_task_blocked(tsk, newset); + spin_unlock_irq(&tsk->sighand->siglock); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index d2a20e83ebae..22d7454b387b 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -610,6 +610,14 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + now = ktime_get(); + /* Find all expired events */ + for_each_cpu(cpu, tick_broadcast_oneshot_mask) { ++ /* ++ * Required for !SMP because for_each_cpu() reports ++ * unconditionally CPU0 as set on UP kernels. ++ */ ++ if (!IS_ENABLED(CONFIG_SMP) && ++ cpumask_empty(tick_broadcast_oneshot_mask)) ++ break; ++ + td = &per_cpu(tick_cpu_device, cpu); + if (td->evtdev->next_event.tv64 <= now.tv64) { + cpumask_set_cpu(cpu, tmpmask); +diff --git a/mm/Kconfig b/mm/Kconfig +index 97a4e06b15c0..5753f69b23f4 100644 +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -628,6 +628,7 @@ config DEFERRED_STRUCT_PAGE_INIT + default n + depends on ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT + depends on MEMORY_HOTPLUG ++ depends on !NEED_PER_CPU_KM + help + Ordinarily all struct pages are initialised during early boot in a + single thread. On very large machines this can take a considerable +diff --git a/mm/filemap.c b/mm/filemap.c +index b15f1d8bba43..21e750b6e810 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -1581,6 +1581,15 @@ find_page: + index, last_index - index); + } + if (!PageUptodate(page)) { ++ /* ++ * See comment in do_read_cache_page on why ++ * wait_on_page_locked is used to avoid unnecessarily ++ * serialisations and why it's safe. 
++ */ ++ wait_on_page_locked_killable(page); ++ if (PageUptodate(page)) ++ goto page_ok; ++ + if (inode->i_blkbits == PAGE_CACHE_SHIFT || + !mapping->a_ops->is_partially_uptodate) + goto page_not_up_to_date; +@@ -2215,7 +2224,7 @@ static struct page *wait_on_page_read(struct page *page) + return page; + } + +-static struct page *__read_cache_page(struct address_space *mapping, ++static struct page *do_read_cache_page(struct address_space *mapping, + pgoff_t index, + int (*filler)(void *, struct page *), + void *data, +@@ -2237,53 +2246,74 @@ repeat: + /* Presumably ENOMEM for radix tree node */ + return ERR_PTR(err); + } ++ ++filler: + err = filler(data, page); + if (err < 0) { + page_cache_release(page); +- page = ERR_PTR(err); +- } else { +- page = wait_on_page_read(page); ++ return ERR_PTR(err); + } +- } +- return page; +-} + +-static struct page *do_read_cache_page(struct address_space *mapping, +- pgoff_t index, +- int (*filler)(void *, struct page *), +- void *data, +- gfp_t gfp) +- +-{ +- struct page *page; +- int err; ++ page = wait_on_page_read(page); ++ if (IS_ERR(page)) ++ return page; ++ goto out; ++ } ++ if (PageUptodate(page)) ++ goto out; + +-retry: +- page = __read_cache_page(mapping, index, filler, data, gfp); +- if (IS_ERR(page)) +- return page; ++ /* ++ * Page is not up to date and may be locked due one of the following ++ * case a: Page is being filled and the page lock is held ++ * case b: Read/write error clearing the page uptodate status ++ * case c: Truncation in progress (page locked) ++ * case d: Reclaim in progress ++ * ++ * Case a, the page will be up to date when the page is unlocked. ++ * There is no need to serialise on the page lock here as the page ++ * is pinned so the lock gives no additional protection. Even if the ++ * the page is truncated, the data is still valid if PageUptodate as ++ * it's a race vs truncate race. 
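Review bot: The result of `wait_on_page_locked_killable(page)` is discarded in the added block under `if (!PageUptodate(page))`. A wait cut short by a fatal signal is therefore treated the same as a page that stayed not-uptodate, and the code carries on into the partially-uptodate / page-lock path. Nothing visible here makes that incorrect, but it does extra work for a task that is being killed and obscures the intent. I would test the return value, `if (wait_on_page_locked_killable(page)) goto <existing error exit>;`, using whichever error label the enclosing function already has (it is outside the hunk), or add a comment saying the result is ignored on purpose.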
++ * Case b, the page will not be up to date ++ * Case c, the page may be truncated but in itself, the data may still ++ * be valid after IO completes as it's a read vs truncate race. The ++ * operation must restart if the page is not uptodate on unlock but ++ * otherwise serialising on page lock to stabilise the mapping gives ++ * no additional guarantees to the caller as the page lock is ++ * released before return. ++ * Case d, similar to truncation. If reclaim holds the page lock, it ++ * will be a race with remove_mapping that determines if the mapping ++ * is valid on unlock but otherwise the data is valid and there is ++ * no need to serialise with page lock. ++ * ++ * As the page lock gives no additional guarantee, we optimistically ++ * wait on the page to be unlocked and check if it's up to date and ++ * use the page if it is. Otherwise, the page lock is required to ++ * distinguish between the different cases. The motivation is that we ++ * avoid spurious serialisations and wakeups when multiple processes ++ * wait on the same page for IO to complete. 
++ */ ++ wait_on_page_locked(page); + if (PageUptodate(page)) + goto out; + ++ /* Distinguish between all the cases under the safety of the lock */ + lock_page(page); ++ ++ /* Case c or d, restart the operation */ + if (!page->mapping) { + unlock_page(page); + page_cache_release(page); +- goto retry; ++ goto repeat; + } ++ ++ /* Someone else locked and filled the page in a very small window */ + if (PageUptodate(page)) { + unlock_page(page); + goto out; + } +- err = filler(data, page); +- if (err < 0) { +- page_cache_release(page); +- return ERR_PTR(err); +- } else { +- page = wait_on_page_read(page); +- if (IS_ERR(page)) +- return page; +- } ++ goto filler; ++ + out: + mark_page_accessed(page); + return page; +diff --git a/mm/util.c b/mm/util.c +index 818bbae84721..5fae5b9c2885 100644 +--- a/mm/util.c ++++ b/mm/util.c +@@ -428,17 +428,25 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen) + int res = 0; + unsigned int len; + struct mm_struct *mm = get_task_mm(task); ++ unsigned long arg_start, arg_end, env_start, env_end; + if (!mm) + goto out; + if (!mm->arg_end) + goto out_mm; /* Shh! 
No looking before we're done */ + +- len = mm->arg_end - mm->arg_start; ++ down_read(&mm->mmap_sem); ++ arg_start = mm->arg_start; ++ arg_end = mm->arg_end; ++ env_start = mm->env_start; ++ env_end = mm->env_end; ++ up_read(&mm->mmap_sem); ++ ++ len = arg_end - arg_start; + + if (len > buflen) + len = buflen; + +- res = access_process_vm(task, mm->arg_start, buffer, len, 0); ++ res = access_process_vm(task, arg_start, buffer, len, 0); + + /* + * If the nul at the end of args has been overwritten, then +@@ -449,10 +457,10 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen) + if (len < res) { + res = len; + } else { +- len = mm->env_end - mm->env_start; ++ len = env_end - env_start; + if (len > buflen - res) + len = buflen - res; +- res += access_process_vm(task, mm->env_start, ++ res += access_process_vm(task, env_start, + buffer+res, len, 0); + res = strnlen(buffer, res); + } +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 930f7c67a9c1..12a69e6c10ba 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2057,10 +2057,16 @@ static void get_scan_count(struct lruvec *lruvec, int swappiness, + } + + /* +- * There is enough inactive page cache, do not reclaim +- * anything from the anonymous working set right now. ++ * If there is enough inactive page cache, i.e. if the size of the ++ * inactive list is greater than that of the active list *and* the ++ * inactive list actually has some pages to scan on this priority, we ++ * do not reclaim anything from the anonymous working set right now. ++ * Without the second condition we could end up never scanning an ++ * lruvec even if it has plenty of old anonymous pages unless the ++ * system is under heavy pressure. 
+ */ +- if (!inactive_file_is_low(lruvec)) { ++ if (!inactive_file_is_low(lruvec) && ++ get_lru_size(lruvec, LRU_INACTIVE_FILE) >> sc->priority) { + scan_balance = SCAN_FILE; + goto out; + } +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index ec02f5869a78..3400b1e47668 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -456,8 +456,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) + if (dev->netdev_ops->ndo_start_xmit == br_dev_xmit) + return -ELOOP; + +- /* Device is already being bridged */ +- if (br_port_exists(dev)) ++ /* Device has master upper dev */ ++ if (netdev_master_upper_dev_get(dev)) + return -EBUSY; + + /* No bridging devices that dislike that (e.g. wireless) */ +diff --git a/net/compat.c b/net/compat.c +index 0ccf3ecf6bbb..17e97b106458 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -358,7 +358,8 @@ static int compat_sock_setsockopt(struct socket *sock, int level, int optname, + if (optname == SO_ATTACH_FILTER) + return do_set_attach_filter(sock, level, optname, + optval, optlen); +- if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO) ++ if (!COMPAT_USE_64BIT_TIME && ++ (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)) + return do_set_sock_timeout(sock, level, optname, optval, optlen); + + return sock_setsockopt(sock, level, optname, optval, optlen); +@@ -423,7 +424,8 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, + static int compat_sock_getsockopt(struct socket *sock, int level, int optname, + char __user *optval, int __user *optlen) + { +- if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO) ++ if (!COMPAT_USE_64BIT_TIME && ++ (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)) + return do_get_sock_timeout(sock, level, optname, optval, optlen); + return sock_getsockopt(sock, level, optname, optval, optlen); + } +diff --git a/net/core/sock.c b/net/core/sock.c +index cd12cb6fe366..4238835a0e4e 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1474,7 +1474,7 @@ void 
sk_destruct(struct sock *sk) + + static void __sk_free(struct sock *sk) + { +- if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt)) ++ if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk))) + sock_diag_broadcast_destroy(sk); + else + sk_destruct(sk); +diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c +index 7753681195c1..86a2ed0fb219 100644 +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -126,6 +126,16 @@ static void ccid2_change_l_seq_window(struct sock *sk, u64 val) + DCCPF_SEQ_WMAX)); + } + ++static void dccp_tasklet_schedule(struct sock *sk) ++{ ++ struct tasklet_struct *t = &dccp_sk(sk)->dccps_xmitlet; ++ ++ if (!test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) { ++ sock_hold(sk); ++ __tasklet_schedule(t); ++ } ++} ++ + static void ccid2_hc_tx_rto_expire(unsigned long data) + { + struct sock *sk = (struct sock *)data; +@@ -166,7 +176,7 @@ static void ccid2_hc_tx_rto_expire(unsigned long data) + + /* if we were blocked before, we may now send cwnd=1 packet */ + if (sender_was_blocked) +- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet); ++ dccp_tasklet_schedule(sk); + /* restart backed-off timer */ + sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto); + out: +@@ -706,7 +716,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb) + done: + /* check if incoming Acks allow pending packets to be sent */ + if (sender_was_blocked && !ccid2_cwnd_network_limited(hc)) +- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet); ++ dccp_tasklet_schedule(sk); + dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks); + } + +diff --git a/net/dccp/timer.c b/net/dccp/timer.c +index 3ef7acef3ce8..aa7c7dad7f96 100644 +--- a/net/dccp/timer.c ++++ b/net/dccp/timer.c +@@ -230,12 +230,12 @@ static void dccp_write_xmitlet(unsigned long data) + else + dccp_write_xmit(sk); + bh_unlock_sock(sk); ++ sock_put(sk); + } + + static void dccp_write_xmit_timer(unsigned long data) + { + dccp_write_xmitlet(data); +- 
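Review bot: dccp_tasklet_schedule() takes a socket reference with sock_hold(), and the only matching release is the sock_put() this patch adds to dccp_write_xmitlet() in net/dccp/timer.c; neither side documents the pairing. Because the balance spans two files, a later change to either function could reintroduce a leak or a use-after-free without any local hint. I would add above the helper `/* Hold the socket while the xmit tasklet is pending; dccp_write_xmitlet() drops the reference. */` and a matching note at the sock_put(). It is also worth stating that the helper open-codes the scheduled-bit test so the reference is taken only when the tasklet is actually queued.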
sock_put((struct sock *)data); + } + + void dccp_init_xmit_timers(struct sock *sk) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 09c73dd541c5..10286432f684 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1062,7 +1062,8 @@ alloc_new_skb: + if (copy > length) + copy = length; + +- if (!(rt->dst.dev->features&NETIF_F_SG)) { ++ if (!(rt->dst.dev->features&NETIF_F_SG) && ++ skb_tailroom(skb) >= copy) { + unsigned int off; + + off = skb->len; +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 37a3b05d175c..82c878224bfc 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -777,8 +777,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + ipc.addr = faddr = daddr; + + if (ipc.opt && ipc.opt->opt.srr) { +- if (!daddr) +- return -EINVAL; ++ if (!daddr) { ++ err = -EINVAL; ++ goto out_free; ++ } + faddr = ipc.opt->opt.faddr; + } + tos = get_rttos(&ipc, inet); +@@ -843,6 +845,7 @@ back_from_confirm: + + out: + ip_rt_put(rt); ++out_free: + if (free) + kfree(ipc.opt); + if (!err) { +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b531a0997664..a0f0a7db946b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1108,7 +1108,7 @@ int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + lock_sock(sk); + + flags = msg->msg_flags; +- if (flags & MSG_FASTOPEN) { ++ if ((flags & MSG_FASTOPEN) && !tp->repair) { + err = tcp_sendmsg_fastopen(sk, msg, &copied_syn, size); + if (err == -EINPROGRESS && copied_syn > 0) + goto out; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 39c2919fe0d3..2854db094864 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2587,8 +2587,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) + return -EBUSY; + + if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) { +- if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una)) +- BUG(); ++ if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) { ++ WARN_ON_ONCE(1); ++ return 
-EINVAL; ++ } + if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq)) + return -ENOMEM; + } +@@ -3117,6 +3119,7 @@ static void tcp_connect_init(struct sock *sk) + sock_reset_flag(sk, SOCK_DONE); + tp->snd_wnd = 0; + tcp_init_wl(tp, 0); ++ tcp_write_queue_purge(sk); + tp->snd_una = tp->write_seq; + tp->snd_sml = tp->write_seq; + tp->snd_up = tp->write_seq; +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index a98ae890adb9..6f929689fd03 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -991,8 +991,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + ipc.addr = faddr = daddr; + + if (ipc.opt && ipc.opt->opt.srr) { +- if (!daddr) +- return -EINVAL; ++ if (!daddr) { ++ err = -EINVAL; ++ goto out_free; ++ } + faddr = ipc.opt->opt.faddr; + connected = 0; + } +@@ -1105,6 +1107,7 @@ do_append_data: + + out: + ip_rt_put(rt); ++out_free: + if (free) + kfree(ipc.opt); + if (!err) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index bfa710e8b615..74786783834b 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1529,7 +1529,8 @@ alloc_new_skb: + if (copy > length) + copy = length; + +- if (!(rt->dst.dev->features&NETIF_F_SG)) { ++ if (!(rt->dst.dev->features&NETIF_F_SG) && ++ skb_tailroom(skb) >= copy) { + unsigned int off; + + off = skb->len; +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index ae3438685caa..fb3248ff8b48 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -732,8 +732,6 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl + + if ((session->ifname[0] && + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) || +- (session->offset && +- nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) || + (session->cookie_len && + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len, + &session->cookie[0])) || +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 09f2f3471ad6..83e8a295c806 100644 +--- a/net/llc/af_llc.c ++++ 
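Review bot: In `__tcp_retransmit_skb()` the replacement for `BUG()` spells out `unlikely(...)`, `WARN_ON_ONCE(1)` and the return as separate pieces. `WARN_ON_ONCE()` already evaluates to its condition and marks it unlikely, so the usual kernel form keeps the test inside the macro: `if (WARN_ON_ONCE(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una)))` followed by `return -EINVAL;`. This is a style point only; behaviour is the same. The function body continues outside the hunk.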
b/net/llc/af_llc.c +@@ -926,6 +926,9 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + if (size > llc->dev->mtu) + size = llc->dev->mtu; + copied = size - hdrlen; ++ rc = -EINVAL; ++ if (copied < 0) ++ goto release; + release_sock(sk); + skb = sock_alloc_send_skb(sk, size, noblock, &rc); + lock_sock(sk); +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 21e4d339217e..624c4719e404 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1141,13 +1141,10 @@ static void nlattr_set(struct nlattr *attr, u8 val, + + /* The nlattr stream should already have been validated */ + nla_for_each_nested(nla, attr, rem) { +- if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) { +- if (tbl[nla_type(nla)].next) +- tbl = tbl[nla_type(nla)].next; +- nlattr_set(nla, val, tbl); +- } else { ++ if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) ++ nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl); ++ else + memset(nla_data(nla), val, nla_len(nla)); +- } + + if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) + *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index f165514a4db5..392d4e2c0a24 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2771,13 +2771,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (skb == NULL) + goto out_unlock; + +- skb_set_network_header(skb, reserve); ++ skb_reset_network_header(skb); + + err = -EINVAL; + if (sock->type == SOCK_DGRAM) { + offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len); + if (unlikely(offset < 0)) + goto out_free; ++ } else if (reserve) { ++ skb_push(skb, reserve); + } + + /* Returns -EFAULT on error */ +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index 3c6a47d66a04..117ed90c5f21 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -126,6 +126,28 @@ static bool fq_flow_is_detached(const struct fq_flow *f) + 
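Review bot: The new `if (copied < 0) goto release;` in `llc_ui_sendmsg()` has no comment saying which input makes `copied` negative. From the context lines it is the case where `size` has been clamped to `llc->dev->mtu` and that value is smaller than `hdrlen`. The test also only works if `copied` is a signed type; its declaration is outside the hunk and should be checked. I would add `/* an MTU smaller than the LLC header leaves no room for payload */` above the check.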
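Review bot: The rewritten loop body in `nlattr_set()` (net/openvswitch/flow_netlink.c) no longer assigns to `tbl`, but nothing in the new code says that this is deliberate. The removed lines replaced `tbl` with `tbl[nla_type(nla)].next` inside `nla_for_each_nested()`, so every later sibling at the same level was looked up in the child table. A short comment would keep a later cleanup from reintroducing the assignment: `/* pass the child table down; tbl itself must stay valid for the remaining siblings */`. The function's start is outside the hunk.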
return f->next == &detached; + } + ++static bool fq_flow_is_throttled(const struct fq_flow *f) ++{ ++ return f->next == &throttled; ++} ++ ++static void fq_flow_add_tail(struct fq_flow_head *head, struct fq_flow *flow) ++{ ++ if (head->first) ++ head->last->next = flow; ++ else ++ head->first = flow; ++ head->last = flow; ++ flow->next = NULL; ++} ++ ++static void fq_flow_unset_throttled(struct fq_sched_data *q, struct fq_flow *f) ++{ ++ rb_erase(&f->rate_node, &q->delayed); ++ q->throttled_flows--; ++ fq_flow_add_tail(&q->old_flows, f); ++} ++ + static void fq_flow_set_throttled(struct fq_sched_data *q, struct fq_flow *f) + { + struct rb_node **p = &q->delayed.rb_node, *parent = NULL; +@@ -153,15 +175,6 @@ static void fq_flow_set_throttled(struct fq_sched_data *q, struct fq_flow *f) + + static struct kmem_cache *fq_flow_cachep __read_mostly; + +-static void fq_flow_add_tail(struct fq_flow_head *head, struct fq_flow *flow) +-{ +- if (head->first) +- head->last->next = flow; +- else +- head->first = flow; +- head->last = flow; +- flow->next = NULL; +-} + + /* limit number of collected flows per round */ + #define FQ_GC_MAX 8 +@@ -265,6 +278,8 @@ static struct fq_flow *fq_classify(struct sk_buff *skb, struct fq_sched_data *q) + f->socket_hash != sk->sk_hash)) { + f->credit = q->initial_quantum; + f->socket_hash = sk->sk_hash; ++ if (fq_flow_is_throttled(f)) ++ fq_flow_unset_throttled(q, f); + f->time_next_packet = 0ULL; + } + return f; +@@ -419,9 +434,7 @@ static void fq_check_throttled(struct fq_sched_data *q, u64 now) + q->time_next_delayed_flow = f->time_next_packet; + break; + } +- rb_erase(p, &q->delayed); +- q->throttled_flows--; +- fq_flow_add_tail(&q->old_flows, f); ++ fq_flow_unset_throttled(q, f); + } + } + +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 559afd0ee7de..a40b8b0ef0d5 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct work_struct *work) + struct 
sctp_endpoint *ep; + struct sctp_chunk *chunk; + struct sctp_inq *inqueue; +- int state; + sctp_subtype_t subtype; ++ int first_time = 1; /* is this the first time through the loop */ + int error = 0; ++ int state; + + /* The association should be held so we should be safe. */ + ep = asoc->ep; +@@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct work_struct *work) + state = asoc->state; + subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type); + ++ /* If the first chunk in the packet is AUTH, do special ++ * processing specified in Section 6.3 of SCTP-AUTH spec ++ */ ++ if (first_time && subtype.chunk == SCTP_CID_AUTH) { ++ struct sctp_chunkhdr *next_hdr; ++ ++ next_hdr = sctp_inq_peek(inqueue); ++ if (!next_hdr) ++ goto normal; ++ ++ /* If the next chunk is COOKIE-ECHO, skip the AUTH ++ * chunk while saving a pointer to it so we can do ++ * Authentication later (during cookie-echo ++ * processing). ++ */ ++ if (next_hdr->type == SCTP_CID_COOKIE_ECHO) { ++ chunk->auth_chunk = skb_clone(chunk->skb, ++ GFP_ATOMIC); ++ chunk->auth = 1; ++ continue; ++ } ++ } ++ ++normal: + /* SCTP-AUTH, Section 6.3: + * The receiver has a list of chunk types which it expects + * to be received only after an AUTH-chunk. This list has +@@ -1051,6 +1076,9 @@ static void sctp_assoc_bh_rcv(struct work_struct *work) + /* If there is an error on chunk, discard this packet. */ + if (error && chunk) + chunk->pdiscard = 1; ++ ++ if (first_time) ++ first_time = 0; + } + sctp_association_put(asoc); + } +diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c +index 7e8a16c77039..8d9b7ad25b65 100644 +--- a/net/sctp/inqueue.c ++++ b/net/sctp/inqueue.c +@@ -178,7 +178,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) + skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); + chunk->subh.v = NULL; /* Subheader is no longer valid. 
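Review bot: The `skb_clone()` result stored in `chunk->auth_chunk` in `sctp_assoc_bh_rcv()` is not checked, while `chunk->auth = 1` is set unconditionally on the next line. `sctp_auth_chunk_verify()`, which this patch adds in net/sctp/sm_statefuns.c, returns true when `chunk->auth_chunk` is NULL. If the same chunk state is carried over to the COOKIE-ECHO (not visible in this hunk), a failed allocation would appear to skip the deferred AUTH check instead of failing closed. I would test the clone and drop the packet on failure, for example `if (!chunk->auth_chunk) { chunk->pdiscard = 1; continue; }` before setting `chunk->auth`. The loop head is outside the hunk, so confirm how `pdiscard` is consumed there.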
*/ + +- if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < ++ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <= + skb_tail_pointer(chunk->skb)) { + /* This is not a singleton */ + chunk->singleton = 0; +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 1cd7b7e33fa3..5ca8309ea7b1 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -863,6 +863,9 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1, + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) + return 1; + ++ if (addr1->sa.sa_family == AF_INET && addr2->sa.sa_family == AF_INET) ++ return addr1->v4.sin_addr.s_addr == addr2->v4.sin_addr.s_addr; ++ + return __sctp_v6_cmp_addr(addr1, addr2); + } + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 29c7c43de108..df9ac3746c1b 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -144,10 +144,8 @@ static sctp_disposition_t sctp_sf_violation_chunk( + void *arg, + sctp_cmd_seq_t *commands); + +-static sctp_ierror_t sctp_sf_authenticate(struct net *net, +- const struct sctp_endpoint *ep, ++static sctp_ierror_t sctp_sf_authenticate( + const struct sctp_association *asoc, +- const sctp_subtype_t type, + struct sctp_chunk *chunk); + + static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net, +@@ -615,6 +613,38 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net, + return SCTP_DISPOSITION_CONSUME; + } + ++static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk, ++ const struct sctp_association *asoc) ++{ ++ struct sctp_chunk auth; ++ ++ if (!chunk->auth_chunk) ++ return true; ++ ++ /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo ++ * is supposed to be authenticated and we have to do delayed ++ * authentication. We've just recreated the association using ++ * the information in the cookie and now it's much easier to ++ * do the authentication. 
++ */ ++ ++ /* Make sure that we and the peer are AUTH capable */ ++ if (!net->sctp.auth_enable || !asoc->peer.auth_capable) ++ return false; ++ ++ /* set-up our fake chunk so that we can process it */ ++ auth.skb = chunk->auth_chunk; ++ auth.asoc = chunk->asoc; ++ auth.sctp_hdr = chunk->sctp_hdr; ++ auth.chunk_hdr = (struct sctp_chunkhdr *) ++ skb_push(chunk->auth_chunk, ++ sizeof(struct sctp_chunkhdr)); ++ skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr)); ++ auth.transport = chunk->transport; ++ ++ return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR; ++} ++ + /* + * Respond to a normal COOKIE ECHO chunk. + * We are the side that is being asked for an association. +@@ -751,36 +781,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, + if (error) + goto nomem_init; + +- /* SCTP-AUTH: auth_chunk pointer is only set when the cookie-echo +- * is supposed to be authenticated and we have to do delayed +- * authentication. We've just recreated the association using +- * the information in the cookie and now it's much easier to +- * do the authentication. 
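Review bot: `sctp_auth_chunk_verify()` builds its temporary `struct sctp_chunk auth` on the stack and sets only `skb`, `asoc`, `sctp_hdr`, `chunk_hdr` and `transport`; every other member is left uninitialised when the struct is passed to `sctp_sf_authenticate()`. The body of `sctp_sf_authenticate()` is outside the hunks shown, so whether it reads any other member cannot be told from here. The pattern is inherited from the code this commit moves out of `sctp_sf_do_5_1D_ce()`. Adding `memset(&auth, 0, sizeof(auth));` before the assignments would make the helper safe against later changes to the callee.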
+- */ +- if (chunk->auth_chunk) { +- struct sctp_chunk auth; +- sctp_ierror_t ret; +- +- /* Make sure that we and the peer are AUTH capable */ +- if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { +- sctp_association_free(new_asoc); +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +- } +- +- /* set-up our fake chunk so that we can process it */ +- auth.skb = chunk->auth_chunk; +- auth.asoc = chunk->asoc; +- auth.sctp_hdr = chunk->sctp_hdr; +- auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk, +- sizeof(sctp_chunkhdr_t)); +- skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t)); +- auth.transport = chunk->transport; +- +- ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth); +- if (ret != SCTP_IERROR_NO_ERROR) { +- sctp_association_free(new_asoc); +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +- } ++ if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) { ++ sctp_association_free(new_asoc); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + + repl = sctp_make_cookie_ack(new_asoc, chunk); +@@ -1717,13 +1720,15 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net, + GFP_ATOMIC)) + goto nomem; + ++ if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) ++ return SCTP_DISPOSITION_DISCARD; ++ + /* Make sure no new addresses are being added during the + * restart. Though this is a pretty complicated attack + * since you'd have to get inside the cookie. 
+ */ +- if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) { ++ if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) + return SCTP_DISPOSITION_CONSUME; +- } + + /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes + * the peer has restarted (Action A), it MUST NOT setup a new +@@ -1828,6 +1833,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net, + GFP_ATOMIC)) + goto nomem; + ++ if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) ++ return SCTP_DISPOSITION_DISCARD; ++ + /* Update the content of current association. */ + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, +@@ -1920,6 +1928,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net, + * a COOKIE ACK. + */ + ++ if (!sctp_auth_chunk_verify(net, chunk, asoc)) ++ return SCTP_DISPOSITION_DISCARD; ++ + /* Don't accidentally move back into established state. */ + if (asoc->state < SCTP_STATE_ESTABLISHED) { + sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, +@@ -1959,7 +1970,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net, + } + } + +- repl = sctp_make_cookie_ack(new_asoc, chunk); ++ repl = sctp_make_cookie_ack(asoc, chunk); + if (!repl) + goto nomem; + +@@ -3985,10 +3996,8 @@ gen_shutdown: + * + * The return value is the disposition of the chunk. 
+ */ +-static sctp_ierror_t sctp_sf_authenticate(struct net *net, +- const struct sctp_endpoint *ep, ++static sctp_ierror_t sctp_sf_authenticate( + const struct sctp_association *asoc, +- const sctp_subtype_t type, + struct sctp_chunk *chunk) + { + struct sctp_authhdr *auth_hdr; +@@ -4087,7 +4096,7 @@ sctp_disposition_t sctp_sf_eat_auth(struct net *net, + commands); + + auth_hdr = (struct sctp_authhdr *)chunk->skb->data; +- error = sctp_sf_authenticate(net, ep, asoc, type, chunk); ++ error = sctp_sf_authenticate(asoc, chunk); + switch (error) { + case SCTP_IERROR_AUTH_BAD_HMAC: + /* Generate the ERROR chunk and discard the rest +diff --git a/net/wireless/core.c b/net/wireless/core.c +index eeaf83acba1b..a1e909ae0f78 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -94,6 +94,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev, + + ASSERT_RTNL(); + ++ if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) ++ return -EINVAL; ++ + /* prohibit calling the thing phy%d when %d is not its number */ + sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); + if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) { +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 62d87f859566..d6a11af0bab1 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1159,6 +1159,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig) + + if (orig->aead) { + x->aead = xfrm_algo_aead_clone(orig->aead); ++ x->geniv = orig->geniv; + if (!x->aead) + goto error; + } +diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c +index 0608f216f359..ac0a40b9ba1e 100644 +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -400,8 +400,7 @@ static int snd_ctl_elem_add_compat(struct snd_ctl_file *file, + if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) || + copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))) + goto error; +- if (get_user(data->owner, &data32->owner) 
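Review bot: In `xfrm_state_clone()` the added `x->geniv = orig->geniv;` sits between `xfrm_algo_aead_clone()` and the `if (!x->aead)` test that checks its result. The assignment is harmless there, but it splits an allocation from its failure check. Moving it below the check keeps the two together: `if (!x->aead) goto error;` then `x->geniv = orig->geniv;`. The function continues outside the hunk.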
|| +- get_user(data->type, &data32->type)) ++ if (get_user(data->owner, &data32->owner)) + goto error; + switch (data->type) { + case SNDRV_CTL_ELEM_TYPE_BOOLEAN: +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 3be91696ac35..d0b55c866370 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2072,6 +2072,8 @@ static struct snd_pci_quirk power_save_blacklist[] = { + SND_PCI_QUIRK(0x1849, 0x0c0c, "Asrock B85M-ITX", 0), + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ + SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0), ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */ ++ SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0), + /* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */ + SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0), + {} +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index c5447ff078b3..97d6a18e6956 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -904,6 +904,14 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval, + } + break; + ++ case USB_ID(0x0d8c, 0x0103): ++ if (!strcmp(kctl->id.name, "PCM Playback Volume")) { ++ usb_audio_info(chip, ++ "set volume quirk for CM102-A+/102S+\n"); ++ cval->min = -256; ++ } ++ break; ++ + case USB_ID(0x0471, 0x0101): + case USB_ID(0x0471, 0x0104): + case USB_ID(0x0471, 0x0105): diff --git a/patch/kernel/mvebu-default/04-patch-4.4.133-134.patch b/patch/kernel/mvebu-default/04-patch-4.4.133-134.patch new file mode 100644 index 0000000000..ae97679d09 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.133-134.patch 
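Review bot: The hunk in `snd_ctl_elem_add_compat()` drops the second `get_user(data->type, &data32->type)` without leaving a comment on why `type` must not be read again. The context shows `data->type` is already filled by `copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))`, and the `switch (data->type)` below relies on that value. A second fetch from user memory could return something different from the first. I would add above the remaining `get_user()`: `/* data->type is already filled by the copy_from_user() above; do not fetch it from user space a second time */`.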
@@ -0,0 +1,7578 @@ +diff --git a/Documentation/device-mapper/thin-provisioning.txt b/Documentation/device-mapper/thin-provisioning.txt +index 1699a55b7b70..ef639960b272 100644 +--- a/Documentation/device-mapper/thin-provisioning.txt ++++ b/Documentation/device-mapper/thin-provisioning.txt +@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks of size $data_block_size. If + free space on the data device drops below this level then a dm event + will be triggered which a userspace daemon should catch allowing it to + extend the pool device. Only one such event will be sent. +-Resuming a device with a new table itself triggers an event so the +-userspace daemon can use this to detect a situation where a new table +-already exceeds the threshold. ++ ++No special event is triggered if a just resumed device's free space is below ++the low water mark. However, resuming a device always triggers an ++event; a userspace daemon should verify that free space exceeds the low ++water mark when handling this event. + + A low water mark for the metadata device is maintained in the kernel and + will trigger a dm event if free space on the metadata device drops below +diff --git a/Makefile b/Makefile +index ac52ee65685b..119dbcb4f311 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 133 ++SUBLEVEL = 134 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/alpha/include/asm/xchg.h b/arch/alpha/include/asm/xchg.h +index 0ca9724597c1..7081e52291d0 100644 +--- a/arch/alpha/include/asm/xchg.h ++++ b/arch/alpha/include/asm/xchg.h +@@ -11,6 +11,10 @@ + * Atomic exchange. + * Since it can be used to implement critical sections + * it must clobber "memory" (also for interrupts in UP). ++ * ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. 
++ * + */ + + static inline unsigned long +@@ -18,6 +22,7 @@ ____xchg(_u8, volatile char *m, unsigned long val) + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " insbl %1,%4,%1\n" +@@ -42,6 +47,7 @@ ____xchg(_u16, volatile short *m, unsigned long val) + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " inswl %1,%4,%1\n" +@@ -66,6 +72,7 @@ ____xchg(_u32, volatile int *m, unsigned long val) + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -86,6 +93,7 @@ ____xchg(_u64, volatile long *m, unsigned long val) + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -127,10 +135,12 @@ ____xchg(, volatile void *ptr, unsigned long x, int size) + * store NEW in MEM. Return the initial value in MEM. Success is + * indicated by comparing RETURN with OLD. + * +- * The memory barrier should be placed in SMP only when we actually +- * make the change. If we don't change anything (so if the returned +- * prev is equal to old) then we aren't acquiring anything new and +- * we don't need any memory barrier as far I can tell. ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. ++ * ++ * The trailing memory barrier is placed in SMP unconditionally, in ++ * order to guarantee that dependency ordering is preserved when a ++ * dependency is headed by an unsuccessful operation. 
+ */ + + static inline unsigned long +@@ -138,6 +148,7 @@ ____cmpxchg(_u8, volatile char *m, unsigned char old, unsigned char new) + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " insbl %1,%5,%1\n" +@@ -149,8 +160,8 @@ ____cmpxchg(_u8, volatile char *m, unsigned char old, unsigned char new) + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -165,6 +176,7 @@ ____cmpxchg(_u16, volatile short *m, unsigned short old, unsigned short new) + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " inswl %1,%5,%1\n" +@@ -176,8 +188,8 @@ ____cmpxchg(_u16, volatile short *m, unsigned short old, unsigned short new) + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -192,6 +204,7 @@ ____cmpxchg(_u32, volatile int *m, int old, int new) + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%5\n" + " cmpeq %0,%3,%1\n" +@@ -199,8 +212,8 @@ ____cmpxchg(_u32, volatile int *m, int old, int new) + " mov %4,%1\n" + " stl_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -215,6 +228,7 @@ ____cmpxchg(_u64, volatile long *m, unsigned long old, unsigned long new) + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%5\n" + " cmpeq %0,%3,%1\n" +@@ -222,8 +236,8 @@ ____cmpxchg(_u64, volatile long *m, unsigned long old, unsigned long new) + " mov %4,%1\n" + " stq_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig +index 2d785f5a3041..c4ee25e88a7b 100644 +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -479,7 +479,6 @@ config ARC_CURR_IN_REG + + config 
ARC_EMUL_UNALIGNED + bool "Emulate unaligned memory access (userspace only)" +- default N + select SYSCTL_ARCH_UNALIGN_NO_WARN + select SYSCTL_ARCH_UNALIGN_ALLOW + depends on ISA_ARCOMPACT +diff --git a/arch/arm/boot/dts/socfpga.dtsi b/arch/arm/boot/dts/socfpga.dtsi +index 39c470e291f9..69381deeb703 100644 +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -738,7 +738,7 @@ + timer@fffec600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xfffec600 0x100>; +- interrupts = <1 13 0xf04>; ++ interrupts = <1 13 0xf01>; + clocks = <&mpu_periph_clk>; + }; + +diff --git a/arch/arm/include/asm/vdso.h b/arch/arm/include/asm/vdso.h +index d0295f1dd1a3..ff65b6d96c7e 100644 +--- a/arch/arm/include/asm/vdso.h ++++ b/arch/arm/include/asm/vdso.h +@@ -11,8 +11,6 @@ struct mm_struct; + + void arm_install_vdso(struct mm_struct *mm, unsigned long addr); + +-extern char vdso_start, vdso_end; +- + extern unsigned int vdso_total_pages; + + #else /* CONFIG_VDSO */ +diff --git a/arch/arm/kernel/vdso.c b/arch/arm/kernel/vdso.c +index 54a5aeab988d..2dee87273e51 100644 +--- a/arch/arm/kernel/vdso.c ++++ b/arch/arm/kernel/vdso.c +@@ -38,6 +38,8 @@ + + static struct page **vdso_text_pagelist; + ++extern char vdso_start[], vdso_end[]; ++ + /* Total number of pages needed for the data and text portions of the VDSO. 
*/ + unsigned int vdso_total_pages __read_mostly; + +@@ -178,13 +180,13 @@ static int __init vdso_init(void) + unsigned int text_pages; + int i; + +- if (memcmp(&vdso_start, "\177ELF", 4)) { ++ if (memcmp(vdso_start, "\177ELF", 4)) { + pr_err("VDSO is not a valid ELF object!\n"); + return -ENOEXEC; + } + +- text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT; +- pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start); ++ text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT; ++ pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start); + + /* Allocate the VDSO text pagelist */ + vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *), +@@ -199,7 +201,7 @@ static int __init vdso_init(void) + for (i = 0; i < text_pages; i++) { + struct page *page; + +- page = virt_to_page(&vdso_start + i * PAGE_SIZE); ++ page = virt_to_page(vdso_start + i * PAGE_SIZE); + vdso_text_pagelist[i] = page; + } + +@@ -210,7 +212,7 @@ static int __init vdso_init(void) + + cntvct_ok = cntvct_functional(); + +- patch_vdso(&vdso_start); ++ patch_vdso(vdso_start); + + return 0; + } +diff --git a/arch/arm/mach-omap1/clock.c b/arch/arm/mach-omap1/clock.c +index 4f5fd4a084c0..034b89499bd7 100644 +--- a/arch/arm/mach-omap1/clock.c ++++ b/arch/arm/mach-omap1/clock.c +@@ -1031,17 +1031,17 @@ static int clk_debugfs_register_one(struct clk *c) + return -ENOMEM; + c->dent = d; + +- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount); ++ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate); ++ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags); ++ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags); + if (!d) { + err = -ENOMEM; + goto err_out; +diff --git a/arch/arm/mach-omap2/pm.c 
b/arch/arm/mach-omap2/pm.c +index 58920bc8807b..3d876bde8c85 100644 +--- a/arch/arm/mach-omap2/pm.c ++++ b/arch/arm/mach-omap2/pm.c +@@ -231,7 +231,7 @@ static void omap_pm_end(void) + cpu_idle_poll_ctrl(false); + } + +-static void omap_pm_finish(void) ++static void omap_pm_wake(void) + { + if (cpu_is_omap34xx()) + omap_prcm_irq_complete(); +@@ -241,7 +241,7 @@ static const struct platform_suspend_ops omap_pm_ops = { + .begin = omap_pm_begin, + .end = omap_pm_end, + .enter = omap_pm_enter, +- .finish = omap_pm_finish, ++ .wake = omap_pm_wake, + .valid = suspend_valid_only_mem, + }; + +diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c +index 83fc403aec3c..1f774ec4ab27 100644 +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -136,12 +136,6 @@ static struct clock_event_device clockevent_gpt = { + .tick_resume = omap2_gp_timer_shutdown, + }; + +-static struct property device_disabled = { +- .name = "status", +- .length = sizeof("disabled"), +- .value = "disabled", +-}; +- + static const struct of_device_id omap_timer_match[] __initconst = { + { .compatible = "ti,omap2420-timer", }, + { .compatible = "ti,omap3430-timer", }, +@@ -183,8 +177,17 @@ static struct device_node * __init omap_get_timer_dt(const struct of_device_id * + of_get_property(np, "ti,timer-secure", NULL))) + continue; + +- if (!of_device_is_compatible(np, "ti,omap-counter32k")) +- of_add_property(np, &device_disabled); ++ if (!of_device_is_compatible(np, "ti,omap-counter32k")) { ++ struct property *prop; ++ ++ prop = kzalloc(sizeof(*prop), GFP_KERNEL); ++ if (!prop) ++ return NULL; ++ prop->name = "status"; ++ prop->value = "disabled"; ++ prop->length = strlen(prop->value); ++ of_add_property(np, prop); ++ } + return np; + } + +diff --git a/arch/arm/plat-omap/dmtimer.c b/arch/arm/plat-omap/dmtimer.c +index 8ca94d379bc3..6f75c32dc3bf 100644 +--- a/arch/arm/plat-omap/dmtimer.c ++++ b/arch/arm/plat-omap/dmtimer.c +@@ -854,11 +854,8 @@ static int 
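Review bot: `prop->length = strlen(prop->value);` in `omap_get_timer_dt()` leaves the terminating NUL out of the property length. The static `device_disabled` property removed by the first hunk of this file used `sizeof("disabled")`, which counts it. String properties normally include the NUL in their length, and a reader that bounds the string by `length` may treat the value as unterminated; `prop->length = strlen(prop->value) + 1;` keeps the previous size. The loop this code sits in starts outside the hunk.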
omap_dm_timer_probe(struct platform_device *pdev) + timer->irq = irq->start; + timer->pdev = pdev; + +- /* Skip pm_runtime_enable for OMAP1 */ +- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) { +- pm_runtime_enable(dev); +- pm_runtime_irq_safe(dev); +- } ++ pm_runtime_enable(dev); ++ pm_runtime_irq_safe(dev); + + if (!timer->reserved) { + ret = pm_runtime_get_sync(dev); +diff --git a/arch/arm64/include/asm/spinlock.h b/arch/arm64/include/asm/spinlock.h +index 499e8de33a00..fbbd7fb83fd6 100644 +--- a/arch/arm64/include/asm/spinlock.h ++++ b/arch/arm64/include/asm/spinlock.h +@@ -94,8 +94,8 @@ static inline int arch_spin_trylock(arch_spinlock_t *lock) + " cbnz %w1, 1f\n" + " add %w1, %w0, %3\n" + " casa %w0, %w1, %2\n" +- " and %w1, %w1, #0xffff\n" +- " eor %w1, %w1, %w0, lsr #16\n" ++ " sub %w1, %w1, %3\n" ++ " eor %w1, %w1, %w0\n" + "1:") + : "=&r" (lockval), "=&r" (tmp), "+Q" (*lock) + : "I" (1 << TICKET_SHIFT) +diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c +index 71ea4c02795d..8a2dc0af4cad 100644 +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = { + .id = 0, + .num_resources = ARRAY_SIZE(mcf_fec0_resources), + .resource = mcf_fec0_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + + #ifdef MCFFEC_BASE1 +@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = { + .id = 1, + .num_resources = ARRAY_SIZE(mcf_fec1_resources), + .resource = mcf_fec1_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + #endif /* MCFFEC_BASE1 */ + #endif /* CONFIG_FEC */ +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c +index 10d0b2140375..63d35076722d 
100644 +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2240,7 +2240,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + + parent_irq = irq_of_parse_and_map(ciu_node, 0); + if (!parent_irq) { +- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", ++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", + ciu_node->name); + return -EINVAL; + } +@@ -2252,7 +2252,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + + addr = of_get_address(ciu_node, 0, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->raw_reg = (u64)phys_to_virt( +@@ -2260,7 +2260,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + + addr = of_get_address(ciu_node, 1, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->en_reg = (u64)phys_to_virt( +@@ -2268,7 +2268,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + + r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); + if (r) { +- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", ++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", + ciu_node->name); + return r; + } +@@ -2278,7 +2278,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node, + &octeon_irq_domain_cib_ops, + host_data); + if (!cib_domain) { +- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); ++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); + return -ENOMEM; + } + +diff --git a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h +index aa3800c82332..d99ca862dae3 100644 +--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h ++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h 
+@@ -167,7 +167,7 @@ + #define AR71XX_AHB_DIV_MASK 0x7 + + #define AR724X_PLL_REG_CPU_CONFIG 0x00 +-#define AR724X_PLL_REG_PCIE_CONFIG 0x18 ++#define AR724X_PLL_REG_PCIE_CONFIG 0x10 + + #define AR724X_PLL_FB_SHIFT 0 + #define AR724X_PLL_FB_MASK 0x3ff +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index c3d2d2c05fdb..a9958b4d9194 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -483,7 +483,7 @@ static int fpr_get_msa(struct task_struct *target, + /* + * Copy the floating-point context to the supplied NT_PRFPREG buffer. + * Choose the appropriate helper for general registers, and then copy +- * the FCSR register separately. ++ * the FCSR and FIR registers separately. + */ + static int fpr_get(struct task_struct *target, + const struct user_regset *regset, +@@ -491,6 +491,7 @@ static int fpr_get(struct task_struct *target, + void *kbuf, void __user *ubuf) + { + const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); ++ const int fir_pos = fcr31_pos + sizeof(u32); + int err; + + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) +@@ -503,6 +504,12 @@ static int fpr_get(struct task_struct *target, + err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &target->thread.fpu.fcr31, + fcr31_pos, fcr31_pos + sizeof(u32)); ++ if (err) ++ return err; ++ ++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &boot_cpu_data.fpu_id, ++ fir_pos, fir_pos + sizeof(u32)); + + return err; + } +@@ -551,7 +558,8 @@ static int fpr_set_msa(struct task_struct *target, + /* + * Copy the supplied NT_PRFPREG buffer to the floating-point context. + * Choose the appropriate helper for general registers, and then copy +- * the FCSR register separately. ++ * the FCSR register separately. Ignore the incoming FIR register ++ * contents though, as the register is read-only. 
+ *
+ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
+ * which is supposed to have been guaranteed by the kernel before
+@@ -565,6 +573,7 @@ static int fpr_set(struct task_struct *target,
+ const void *kbuf, const void __user *ubuf)
+ {
+ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
++ const int fir_pos = fcr31_pos + sizeof(u32);
+ u32 fcr31;
+ int err;
+
+@@ -592,6 +601,11 @@ static int fpr_set(struct task_struct *target,
+ ptrace_setfcr31(target, fcr31);
+ }
+
++ if (count > 0)
++ err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
++ fir_pos,
++ fir_pos + sizeof(u32));
++
+ return err;
+ }
+
+@@ -816,7 +830,7 @@ long arch_ptrace(struct task_struct *child, long request,
+ fregs = get_fpu_regs(child);
+
+ #ifdef CONFIG_32BIT
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+@@ -905,7 +919,7 @@ long arch_ptrace(struct task_struct *child, long request,
+
+ init_fp_ctx(child);
+ #ifdef CONFIG_32BIT
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+diff --git a/arch/mips/kernel/ptrace32.c b/arch/mips/kernel/ptrace32.c
+index 283b5a1967d1..b4b7e02443e7 100644
+--- a/arch/mips/kernel/ptrace32.c
++++ b/arch/mips/kernel/ptrace32.c
+@@ -97,7 +97,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ break;
+ }
+ fregs = get_fpu_regs(child);
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+@@ -203,7 +203,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ sizeof(child->thread.fpu));
+ child->thread.fpu.fcr31 = 0;
+ }
+- if
(test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
+index a017b23ee4aa..8a95c3d76a9a 100644
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -40,7 +40,7 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
+ { "cache", VCPU_STAT(cache_exits), KVM_STAT_VCPU },
+ { "signal", VCPU_STAT(signal_exits), KVM_STAT_VCPU },
+ { "interrupt", VCPU_STAT(int_exits), KVM_STAT_VCPU },
+- { "cop_unsuable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
++ { "cop_unusable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
+ { "tlbmod", VCPU_STAT(tlbmod_exits), KVM_STAT_VCPU },
+ { "tlbmiss_ld", VCPU_STAT(tlbmiss_ld_exits), KVM_STAT_VCPU },
+ { "tlbmiss_st", VCPU_STAT(tlbmiss_st_exits), KVM_STAT_VCPU },
+diff --git a/arch/mips/txx9/rbtx4939/setup.c b/arch/mips/txx9/rbtx4939/setup.c
+index 37030409745c..586ca7ea3e7c 100644
+--- a/arch/mips/txx9/rbtx4939/setup.c
++++ b/arch/mips/txx9/rbtx4939/setup.c
+@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_pen(void)
+
+ #define RBTX4939_MAX_7SEGLEDS 8
+
+-#if IS_ENABLED(CONFIG_LEDS_CLASS)
++#if IS_BUILTIN(CONFIG_LEDS_CLASS)
+ static u8 led_val[RBTX4939_MAX_7SEGLEDS];
+ struct rbtx4939_led_data {
+ struct led_classdev cdev;
+@@ -261,7 +261,7 @@ static inline void rbtx4939_led_setup(void)
+
+ static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val)
+ {
+-#if IS_ENABLED(CONFIG_LEDS_CLASS)
++#if IS_BUILTIN(CONFIG_LEDS_CLASS)
+ unsigned long flags;
+ local_irq_save(flags);
+ /* bit7: reserved for LED class */
+diff --git a/arch/powerpc/include/asm/irq_work.h b/arch/powerpc/include/asm/irq_work.h
+index 744fd54de374..1bcc84903930 100644
+--- a/arch/powerpc/include/asm/irq_work.h
++++ b/arch/powerpc/include/asm/irq_work.h
+@@ -5,5 +5,6 @@ static inline bool arch_irq_work_has_interrupt(void)
+ {
+ return true;
+ }
++extern void arch_irq_work_raise(void);
+
+ #endif /* _ASM_POWERPC_IRQ_WORK_H */
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 428563b195c3..767ac1572c02 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -3002,15 +3002,17 @@ static int kvmppc_hv_setup_htab_rma(struct kvm_vcpu *vcpu)
+ goto up_out;
+
+ psize = vma_kernel_pagesize(vma);
+- porder = __ilog2(psize);
+
+ up_read(¤t->mm->mmap_sem);
+
+ /* We can handle 4k, 64k or 16M pages in the VRMA */
+- err = -EINVAL;
+- if (!(psize == 0x1000 || psize == 0x10000 ||
+- psize == 0x1000000))
+- goto out_srcu;
++ if (psize >= 0x1000000)
++ psize = 0x1000000;
++ else if (psize >= 0x10000)
++ psize = 0x10000;
++ else
++ psize = 0x1000;
++ porder = __ilog2(psize);
+
+ /* Update VRMASD field in the LPCR */
+ senc = slb_pgsize_encoding(psize);
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index 669a15e7fa76..3c4faa4c2742 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -551,7 +551,7 @@ static int numa_setup_cpu(unsigned long lcpu)
+ nid = of_node_to_nid_single(cpu);
+
+ out_present:
+- if (nid < 0 || !node_online(nid))
++ if (nid < 0 || !node_possible(nid))
+ nid = first_online_node;
+
+ map_cpu_to_node(lcpu, nid);
+@@ -951,6 +951,32 @@ static void __init setup_node_data(int nid, u64 start_pfn, u64 end_pfn)
+ NODE_DATA(nid)->node_spanned_pages = spanned_pages;
+ }
+
++static void __init find_possible_nodes(void)
++{
++ struct device_node *rtas;
++ u32 numnodes, i;
++
++ if (min_common_depth <= 0)
++ return;
++
++ rtas = of_find_node_by_path("/rtas");
++ if (!rtas)
++ return;
++
++ if (of_property_read_u32_index(rtas,
++ "ibm,max-associativity-domains",
++ min_common_depth, &numnodes))
++ goto out;
++
++ for (i = 0; i < numnodes; i++) {
++ if (!node_possible(i))
++ node_set(i, node_possible_map);
++ }
++
++out:
++ of_node_put(rtas);
++}
++
+ void __init initmem_init(void)
+ {
+ int nid, cpu;
+@@ -966,12 +992,15 @@ void
__init initmem_init(void)
+ memblock_dump_all();
+
+ /*
+- * Reduce the possible NUMA nodes to the online NUMA nodes,
+- * since we do not support node hotplug. This ensures that we
+- * lower the maximum NUMA node ID to what is actually present.
++ * Modify the set of possible NUMA nodes to reflect information
++ * available about the set of online nodes, and the set of nodes
++ * that we expect to make use of for this platform's affinity
++ * calculations.
+ */
+ nodes_and(node_possible_map, node_possible_map, node_online_map);
+
++ find_possible_nodes();
++
+ for_each_online_node(nid) {
+ unsigned long start_pfn, end_pfn;
+
+@@ -1304,6 +1333,40 @@ static long vphn_get_associativity(unsigned long cpu,
+ return rc;
+ }
+
++static inline int find_and_online_cpu_nid(int cpu)
++{
++ __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0};
++ int new_nid;
++
++ /* Use associativity from first thread for all siblings */
++ vphn_get_associativity(cpu, associativity);
++ new_nid = associativity_to_nid(associativity);
++ if (new_nid < 0 || !node_possible(new_nid))
++ new_nid = first_online_node;
++
++ if (NODE_DATA(new_nid) == NULL) {
++#ifdef CONFIG_MEMORY_HOTPLUG
++ /*
++ * Need to ensure that NODE_DATA is initialized for a node from
++ * available memory (see memblock_alloc_try_nid). If unable to
++ * init the node, then default to nearest node that has memory
++ * installed.
++ */
++ if (try_online_node(new_nid))
++ new_nid = first_online_node;
++#else
++ /*
++ * Default to using the nearest node that has memory installed.
++ * Otherwise, it would be necessary to patch the kernel MM code
++ * to deal with more memoryless-node error conditions.
++ */
++ new_nid = first_online_node;
++#endif
++ }
++
++ return new_nid;
++}
++
+ /*
+ * Update the CPU maps and sysfs entries for a single CPU when its NUMA
+ * characteristics change.
This function doesn't perform any locking and is
+@@ -1369,7 +1432,6 @@ int arch_update_cpu_topology(void)
+ {
+ unsigned int cpu, sibling, changed = 0;
+ struct topology_update_data *updates, *ud;
+- __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0};
+ cpumask_t updated_cpus;
+ struct device *dev;
+ int weight, new_nid, i = 0;
+@@ -1404,11 +1466,7 @@ int arch_update_cpu_topology(void)
+ continue;
+ }
+
+- /* Use associativity from first thread for all siblings */
+- vphn_get_associativity(cpu, associativity);
+- new_nid = associativity_to_nid(associativity);
+- if (new_nid < 0 || !node_online(new_nid))
+- new_nid = first_online_node;
++ new_nid = find_and_online_cpu_nid(cpu);
+
+ if (new_nid == numa_cpu_lookup_table[cpu]) {
+ cpumask_andnot(&cpu_associativity_changes_mask,
+diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
+index 2d66a8446198..345e255c06a2 100644
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
+ PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
+ break;
++ case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
++ PPC_LWZ_OFFS(r_A, r_skb, K);
++ break;
+ case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
+ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
+ break;
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index 4eba7c00ea1f..30e2e8efbe6b 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -448,6 +448,16 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw)
+ /* invalid entry */
+ continue;
+
++ /*
++ * BHRB rolling buffer could very much contain the kernel
++ * addresses at this point.
Check the privileges before
++ * exporting it to userspace (avoid exposure of regions
++ * where we could have speculative execution)
++ */
++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
++ is_kernel_addr(addr))
++ continue;
++
+ /* Branches are read most recent first (ie. mfbhrb 0 is
+ * the most recent branch).
+ * There are two types of valid entries:
+@@ -1188,6 +1198,7 @@ static void power_pmu_disable(struct pmu *pmu)
+ */
+ write_mmcr0(cpuhw, val);
+ mb();
++ isync();
+
+ /*
+ * Disable instruction sampling if it was enabled
+@@ -1196,12 +1207,26 @@ static void power_pmu_disable(struct pmu *pmu)
+ mtspr(SPRN_MMCRA,
+ cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE);
+ mb();
++ isync();
+ }
+
+ cpuhw->disabled = 1;
+ cpuhw->n_added = 0;
+
+ ebb_switch_out(mmcr0);
++
++#ifdef CONFIG_PPC64
++ /*
++ * These are readable by userspace, may contain kernel
++ * addresses and are not switched by context switch, so clear
++ * them now to avoid leaking anything to userspace in general
++ * including to another process.
++ */
++ if (ppmu->flags & PPMU_ARCH_207S) {
++ mtspr(SPRN_SDAR, 0);
++ mtspr(SPRN_SIAR, 0);
++ }
++#endif
+ }
+
+ local_irq_restore(flags);
+diff --git a/arch/powerpc/sysdev/mpic.c b/arch/powerpc/sysdev/mpic.c
+index 2a0452e364ba..d11f931cac69 100644
+--- a/arch/powerpc/sysdev/mpic.c
++++ b/arch/powerpc/sysdev/mpic.c
+@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpumask)
+ int i;
+ u32 mask = 0;
+
+- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
+ mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
+ return mask;
+ }
+diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h
+index 087fc9b972c5..9a56e738d645 100644
+--- a/arch/s390/include/asm/nospec-insn.h
++++ b/arch/s390/include/asm/nospec-insn.h
+@@ -2,10 +2,15 @@
+ #ifndef _ASM_S390_NOSPEC_ASM_H
+ #define _ASM_S390_NOSPEC_ASM_H
+
++#include
++#include
++
+ #ifdef __ASSEMBLY__
+
+ #ifdef CONFIG_EXPOLINE
+
++_LC_BR_R1 = __LC_BR_R1
++
+ /*
+ * The expoline macros are used to create thunks in the same format
+ * as gcc generates them. The 'comdat' section flag makes sure that
+@@ -101,13 +106,21 @@
+ .endm
+
+ .macro __THUNK_EX_BR reg,ruse
++ # Be very careful when adding instructions to this macro!
++ # The ALTERNATIVE replacement code has a .+10 which targets
++ # the "br \reg" after the code has been patched.
+ #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+ exrl 0,555f
+ j .
+ #else
++ .ifc \reg,%r1
++ ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35
++ j .
++ .else
+ larl \ruse,555f
+ ex 0,0(\ruse)
+ j .
++ .endif
+ #endif
+ 555: br \reg
+ .endm
+diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c
+index dc6c9c604543..39572281e213 100644
+--- a/arch/s390/kernel/asm-offsets.c
++++ b/arch/s390/kernel/asm-offsets.c
+@@ -170,6 +170,7 @@ int main(void)
+ OFFSET(__LC_MACHINE_FLAGS, _lowcore, machine_flags);
+ OFFSET(__LC_GMAP, _lowcore, gmap);
+ OFFSET(__LC_PASTE, _lowcore, paste);
++ OFFSET(__LC_BR_R1, _lowcore, br_r1_trampoline);
+ /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */
+ OFFSET(__LC_DUMP_REIPL, _lowcore, ipib);
+ /* hardware defined lowcore locations 0x1000 - 0x18ff */
+diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
+index e499370fbccb..6c1c7d399bf9 100644
+--- a/arch/s390/kernel/mcount.S
++++ b/arch/s390/kernel/mcount.S
+@@ -8,12 +8,16 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
++ GEN_BR_THUNK %r1
++ GEN_BR_THUNK %r14
++
+ .section .kprobes.text, "ax"
+
+ ENTRY(ftrace_stub)
+- br %r14
++ BR_EX %r14
+
+ #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE)
+ #define STACK_PTREGS (STACK_FRAME_OVERHEAD)
+@@ -21,7 +25,7 @@ ENTRY(ftrace_stub)
+ #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW)
+
+ ENTRY(_mcount)
+- br %r14
++ BR_EX %r14
+
+ ENTRY(ftrace_caller)
+ .globl ftrace_regs_caller
+@@ -49,7 +53,7 @@ ENTRY(ftrace_caller)
+ #endif
+ lgr %r3,%r14
+ la %r5,STACK_PTREGS(%r15)
+- basr %r14,%r1
++ BASR_EX %r14,%r1
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ # The j instruction gets runtime patched to a nop instruction.
+ # See ftrace_enable_ftrace_graph_caller.
+@@ -64,7 +68,7 @@ ftrace_graph_caller_end:
+ #endif
+ lg %r1,(STACK_PTREGS_PSW+8)(%r15)
+ lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15)
+- br %r1
++ BR_EX %r1
+
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+
+@@ -77,6 +81,6 @@ ENTRY(return_to_handler)
+ aghi %r15,STACK_FRAME_OVERHEAD
+ lgr %r14,%r2
+ lmg %r2,%r5,32(%r15)
+- br %r14
++ BR_EX %r14
+
+ #endif
+diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
+index 13047a4facd2..5a9017ba26ab 100644
+--- a/arch/sh/kernel/entry-common.S
++++ b/arch/sh/kernel/entry-common.S
+@@ -255,7 +255,7 @@ debug_trap:
+ mov.l @r8, r8
+ jsr @r8
+ nop
+- bra __restore_all
++ bra ret_from_exception
+ nop
+ CFI_ENDPROC
+
+diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
+index f2fbf9e16faf..29070c9a70f9 100644
+--- a/arch/sparc/include/asm/atomic_64.h
++++ b/arch/sparc/include/asm/atomic_64.h
+@@ -74,7 +74,11 @@ ATOMIC_OP(xor)
+ #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
+
+ #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
++
++static inline int atomic_xchg(atomic_t *v, int new)
++{
++ return xchg(&v->counter, new);
++}
+
+ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+ {
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index a3e1f8497f8c..deddc9b93299 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1368,7 +1368,7 @@ void setup_local_APIC(void)
+ * TODO: set up through-local-APIC from through-I/O-APIC?
--macro
+ */
+ value = apic_read(APIC_LVT0) & APIC_LVT_MASKED;
+- if (!cpu && (pic_mode || !value)) {
++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) {
+ value = APIC_DM_EXTINT;
+ apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu);
+ } else {
+diff --git a/arch/x86/kernel/devicetree.c b/arch/x86/kernel/devicetree.c
+index 1f4acd68b98b..74b8dcd1bbdc 100644
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -199,19 +200,22 @@ static struct of_ioapic_type of_ioapic_type[] =
+ static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
+ unsigned int nr_irqs, void *arg)
+ {
+- struct of_phandle_args *irq_data = (void *)arg;
++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg;
+ struct of_ioapic_type *it;
+ struct irq_alloc_info tmp;
++ int type_index;
+
+- if (WARN_ON(irq_data->args_count < 2))
++ if (WARN_ON(fwspec->param_count < 2))
+ return -EINVAL;
+- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type))
++
++ type_index = fwspec->param[1];
++ if (type_index >= ARRAY_SIZE(of_ioapic_type))
+ return -EINVAL;
+
+- it = &of_ioapic_type[irq_data->args[1]];
++ it = &of_ioapic_type[type_index];
+ ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity);
+ tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain));
+- tmp.ioapic_pin = irq_data->args[0];
++ tmp.ioapic_pin = fwspec->param[0];
+
+ return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp);
+ }
+@@ -276,14 +280,15 @@ static void __init x86_flattree_get_config(void)
+
+ map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128);
+
+- initial_boot_params = dt = early_memremap(initial_dtb, map_len);
+- size = of_get_flat_dt_size();
++ dt = early_memremap(initial_dtb, map_len);
++ size = fdt_totalsize(dt);
+ if (map_len < size) {
+ early_memunmap(dt, map_len);
+- initial_boot_params = dt = early_memremap(initial_dtb, size);
++ dt =
early_memremap(initial_dtb, size);
+ map_len = size;
+ }
+
++ early_init_dt_verify(dt);
+ unflatten_and_copy_device_tree();
+ early_memunmap(dt, map_len);
+ }
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
+index 00c7878043ef..48ca93242bfd 100644
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1344,6 +1344,7 @@ static void remove_siblinginfo(int cpu)
+ cpumask_clear(topology_core_cpumask(cpu));
+ c->phys_proc_id = 0;
+ c->cpu_core_id = 0;
++ c->booted_cores = 0;
+ cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
+ }
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 1c96f09367ae..a1afd80a68aa 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -288,8 +288,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu)
+ if (!kvm_vcpu_has_lapic(vcpu))
+ return;
+
++ /*
++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
++ * version first and level-triggered interrupts never get EOIed in
++ * IOAPIC.
++ */
+ feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
+- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))))
++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
++ !ioapic_in_kernel(vcpu->kvm))
+ v |= APIC_LVR_DIRECTED_EOI;
+ apic_set_reg(apic, APIC_LVR, v);
+ }
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 528b4352fa99..a750fc7c7458 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2319,6 +2319,8 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
+ return;
+ }
+
++ WARN_ON_ONCE(vmx->emulation_required);
++
+ if (kvm_exception_is_soft(nr)) {
+ vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
+ vmx->vcpu.arch.event_exit_inst_len);
+@@ -6037,12 +6039,12 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
+ goto out;
+ }
+
+- if (err != EMULATE_DONE) {
+- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+- vcpu->run->internal.ndata = 0;
+- return 0;
+- }
++ if (err != EMULATE_DONE)
++ goto emulation_error;
++
++ if (vmx->emulation_required && !vmx->rmode.vm86_active &&
++ vcpu->arch.exception.pending)
++ goto emulation_error;
+
+ if (vcpu->arch.halt_request) {
+ vcpu->arch.halt_request = 0;
+@@ -6058,6 +6060,12 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
+
+ out:
+ return ret;
++
++emulation_error:
++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
++ vcpu->run->internal.ndata = 0;
++ return 0;
+ }
+
+ static int __grow_ple_window(int val)
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index f37f0c72b22a..9cea09597d66 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3973,13 +3973,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
+ mutex_unlock(&kvm->lock);
+ break;
+ case KVM_XEN_HVM_CONFIG: {
++ struct kvm_xen_hvm_config xhc;
+ r = -EFAULT;
+- if (copy_from_user(&kvm->arch.xen_hvm_config, argp,
+- sizeof(struct
kvm_xen_hvm_config)))
++ if (copy_from_user(&xhc, argp, sizeof(xhc)))
+ goto out;
+ r = -EINVAL;
+- if (kvm->arch.xen_hvm_config.flags)
++ if (xhc.flags)
+ goto out;
++ memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc));
+ r = 0;
+ break;
+ }
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index c013326a0d7a..08e94b6139ab 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -1,5 +1,6 @@
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -600,6 +601,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot)
+ (mtrr != MTRR_TYPE_WRBACK))
+ return 0;
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pud_present(*pud) && !pud_huge(*pud))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pud, pfn_pte(
+@@ -628,6 +633,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot)
+ return 0;
+ }
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pmd_present(*pmd) && !pmd_huge(*pmd))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pmd, pfn_pte(
+diff --git a/arch/x86/power/hibernate_32.c b/arch/x86/power/hibernate_32.c
+index 291226b952a9..77ac4e4deb16 100644
+--- a/arch/x86/power/hibernate_32.c
++++ b/arch/x86/power/hibernate_32.c
+@@ -142,7 +142,7 @@ static inline void resume_init_first_level_page_table(pgd_t *pg_dir)
+ #endif
+ }
+
+-int swsusp_arch_resume(void)
++asmlinkage int swsusp_arch_resume(void)
+ {
+ int error;
+
+diff --git a/arch/x86/power/hibernate_64.c b/arch/x86/power/hibernate_64.c
+index 009947d419a6..0e0c773edffc 100644
+--- a/arch/x86/power/hibernate_64.c
++++ b/arch/x86/power/hibernate_64.c
+@@ -78,7 +78,7 @@ static int set_up_temporary_mappings(void)
+ return 0;
+ }
+
+-int swsusp_arch_resume(void)
++asmlinkage int swsusp_arch_resume(void)
+ {
+ int error;
+
+diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
+index 8ea8211b2d58..f8bb0e4d035a 100644
+--- a/drivers/acpi/acpi_pad.c
++++
b/drivers/acpi/acpi_pad.c
+@@ -108,6 +108,7 @@ static void round_robin_cpu(unsigned int tsk_index)
+ cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
+ if (cpumask_empty(tmp)) {
+ mutex_unlock(&round_robin_lock);
++ free_cpumask_var(tmp);
+ return;
+ }
+ for_each_cpu(cpu, tmp) {
+@@ -125,6 +126,8 @@ static void round_robin_cpu(unsigned int tsk_index)
+ mutex_unlock(&round_robin_lock);
+
+ set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
++
++ free_cpumask_var(tmp);
+ }
+
+ static void exit_round_robin(unsigned int tsk_index)
+diff --git a/drivers/acpi/acpica/evevent.c b/drivers/acpi/acpica/evevent.c
+index bf6873f95e72..0b5eedb60d04 100644
+--- a/drivers/acpi/acpica/evevent.c
++++ b/drivers/acpi/acpica/evevent.c
+@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
+ u32 fixed_status;
+ u32 fixed_enable;
+ u32 i;
++ acpi_status status;
+
+ ACPI_FUNCTION_NAME(ev_fixed_event_detect);
+
+@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
+ * Read the fixed feature status and enable registers, as all the cases
+ * depend on their values. Ignore errors here.
+ */
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
++ status |=
++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ if (ACPI_FAILURE(status)) {
++ return (int_status);
++ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
+ "Fixed Event Block: Enable %08X Status %08X\n",
+diff --git a/drivers/acpi/acpica/nseval.c b/drivers/acpi/acpica/nseval.c
+index 7eba578d36f3..10262cae8a19 100644
+--- a/drivers/acpi/acpica/nseval.c
++++ b/drivers/acpi/acpica/nseval.c
+@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi_evaluate_info *info)
+ /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
+
+ status = AE_OK;
++ } else if (ACPI_FAILURE(status)) {
++
++ /* If return_object exists, delete it */
++
++ if (info->return_object) {
++ acpi_ut_remove_reference(info->return_object);
++ info->return_object = NULL;
++ }
+ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
+diff --git a/drivers/acpi/processor_perflib.c b/drivers/acpi/processor_perflib.c
+index bb01dea39fdc..9825780a1cd2 100644
+--- a/drivers/acpi/processor_perflib.c
++++ b/drivers/acpi/processor_perflib.c
+@@ -161,7 +161,7 @@ int acpi_processor_ppc_has_changed(struct acpi_processor *pr, int event_flag)
+ {
+ int ret;
+
+- if (ignore_ppc) {
++ if (ignore_ppc || !pr->performance) {
+ /*
+ * Only when it is notification event, the _OST object
+ * will be evaluated. Otherwise it is skipped.
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 60d6db82ce5a..f9b86a1d922d 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4187,6 +4187,10 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
+ { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
+
++ /* Some Sandisk SSDs lock up hard with NCQ enabled.
Reported on
++ SD7SN6S256G and SD8SN8U256G */
++ { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, },
++
+ /* devices which puke on READ_NATIVE_MAX */
+ { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, },
+ { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA },
+@@ -4247,6 +4251,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
+
+ /* devices that don't properly handle queued TRIM commands */
++ { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
++ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "Crucial_CT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index 93362362aa55..8474a1b0740f 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_device *bdev, fmode_t mode)
+ struct pcd_unit *cd = bdev->bd_disk->private_data;
+ int ret;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&pcd_mutex);
+ ret = cdrom_open(&cd->info, bdev, mode);
+ mutex_unlock(&pcd_mutex);
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 54cef3dc0beb..91676535a1a3 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -336,6 +336,9 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8723BU Bluetooth devices */
++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
++
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
+@@ -343,6 +346,9 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3461), .driver_info
= BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index b5f245d2875c..0151039bff05 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -1154,9 +1154,6 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev,
+
+ cd_dbg(CD_OPEN, "entering cdrom_open\n");
+
+- /* open is event synchronization point, check events first */
+- check_disk_change(bdev);
+-
+ /* if this was a O_NONBLOCK open and we should honor the flags,
+ * do a quick open without drive/disc integrity checks. */
+ cdi->use_count++;
+diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
+index 584bc3126403..e2808fefbb78 100644
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -497,6 +497,9 @@ static struct cdrom_device_ops gdrom_ops = {
+ static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
+ {
+ int ret;
++
++ check_disk_change(bdev);
++
+ mutex_lock(&gdrom_mutex);
+ ret = cdrom_open(gd.cd_info, bdev, mode);
+ mutex_unlock(&gdrom_mutex);
+diff --git a/drivers/char/hw_random/stm32-rng.c b/drivers/char/hw_random/stm32-rng.c
+index 92a810648bd0..530aacca3eb8 100644
+--- a/drivers/char/hw_random/stm32-rng.c
++++ b/drivers/char/hw_random/stm32-rng.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #define RNG_CR 0x00
+@@ -46,6 +47,7 @@ struct stm32_rng_private {
+ struct hwrng rng;
+ void __iomem *base;
+ struct clk *clk;
++ struct reset_control *rst;
+ };
+
+ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platform_device *ofdev)
+ if (IS_ERR(priv->clk))
+ return PTR_ERR(priv->clk);
+
++ priv->rst =
devm_reset_control_get(&ofdev->dev, NULL);
++ if (!IS_ERR(priv->rst)) {
++ reset_control_assert(priv->rst);
++ udelay(2);
++ reset_control_deassert(priv->rst);
++ }
++
+ dev_set_drvdata(dev, priv);
+
+ priv->rng.name = dev_driver_string(dev),
+diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
+index 6e658aa114f1..a70518a4fcec 100644
+--- a/drivers/char/ipmi/ipmi_powernv.c
++++ b/drivers/char/ipmi/ipmi_powernv.c
+@@ -251,8 +251,9 @@ static int ipmi_powernv_probe(struct platform_device *pdev)
+ ipmi->irq = opal_event_request(prop);
+ }
+
+- if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
+- "opal-ipmi", ipmi)) {
++ rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
++ "opal-ipmi", ipmi);
++ if (rc) {
+ dev_warn(dev, "Unable to request irq\n");
+ goto err_dispose;
+ }
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index 83c206f0fc98..d6d166fe49a3 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -757,7 +757,7 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ ssif_info->ssif_state = SSIF_NORMAL;
+ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Error getting flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ? data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
+ /*
+@@ -779,7 +779,7 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ if ((result < 0) || (len < 3) || (data[2] != 0)) {
+ /* Error clearing flags */
+ pr_warn(PFX "Error clearing flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ?
data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) {
+ pr_warn(PFX "Invalid response clearing flags: %x %x\n",
+diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c
+index 33c20c6b45af..b840e4ace623 100644
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -60,6 +60,12 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw)
+ u16 degrees;
+ u32 delay_num = 0;
+
++ /* See the comment for rockchip_mmc_set_phase below */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
+ degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
+@@ -86,6 +92,23 @@ static int rockchip_mmc_set_phase(struct clk_hw *hw, int degrees)
+ u32 raw_value;
+ u32 delay;
+
++ /*
++ * The below calculation is based on the output clock from
++ * MMC host to the card, which expects the phase clock inherits
++ * the clock rate from its parent, namely the output clock
++ * provider of MMC host. However, things may go wrong if
++ * (1) It is orphan.
++ * (2) It is assigned to the wrong parent.
++ *
++ * This check help debug the case (1), which seems to be the
++ * most likely problem we often face and which makes it difficult
++ * for people to debug unstable mmc tuning results.
++ */ ++ if (!rate) { ++ pr_err("%s: invalid clk rate\n", __func__); ++ return -EINVAL; ++ } ++ + nineties = degrees / 90; + remainder = (degrees % 90); + +diff --git a/drivers/clk/samsung/clk-exynos3250.c b/drivers/clk/samsung/clk-exynos3250.c +index fdd41b17a24f..294efaef5b82 100644 +--- a/drivers/clk/samsung/clk-exynos3250.c ++++ b/drivers/clk/samsung/clk-exynos3250.c +@@ -683,7 +683,7 @@ static struct samsung_pll_rate_table exynos3250_epll_rates[] = { + PLL_36XX_RATE(144000000, 96, 2, 3, 0), + PLL_36XX_RATE( 96000000, 128, 2, 4, 0), + PLL_36XX_RATE( 84000000, 112, 2, 4, 0), +- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691), ++ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691), + PLL_36XX_RATE( 73728000, 98, 2, 4, 19923), + PLL_36XX_RATE( 67737598, 270, 3, 5, 62285), + PLL_36XX_RATE( 65535999, 174, 2, 5, 49982), +@@ -719,7 +719,7 @@ static struct samsung_pll_rate_table exynos3250_vpll_rates[] = { + PLL_36XX_RATE(148352005, 98, 2, 3, 59070), + PLL_36XX_RATE(108000000, 144, 2, 4, 0), + PLL_36XX_RATE( 74250000, 99, 2, 4, 0), +- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070), ++ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070), + PLL_36XX_RATE( 54054000, 216, 3, 5, 14156), + PLL_36XX_RATE( 54000000, 144, 2, 5, 0), + { /* sentinel */ } +diff --git a/drivers/clk/samsung/clk-exynos5250.c b/drivers/clk/samsung/clk-exynos5250.c +index 5bebf8cb0d70..f0b564c7c9c1 100644 +--- a/drivers/clk/samsung/clk-exynos5250.c ++++ b/drivers/clk/samsung/clk-exynos5250.c +@@ -711,13 +711,13 @@ static struct samsung_pll_rate_table epll_24mhz_tbl[] __initdata = { + /* sorted in descending order */ + /* PLL_36XX_RATE(rate, m, p, s, k) */ + PLL_36XX_RATE(192000000, 64, 2, 2, 0), +- PLL_36XX_RATE(180633600, 90, 3, 2, 20762), ++ PLL_36XX_RATE(180633605, 90, 3, 2, 20762), + PLL_36XX_RATE(180000000, 90, 3, 2, 0), + PLL_36XX_RATE(73728000, 98, 2, 4, 19923), +- PLL_36XX_RATE(67737600, 90, 2, 4, 20762), ++ PLL_36XX_RATE(67737602, 90, 2, 4, 20762), + PLL_36XX_RATE(49152000, 98, 3, 4, 19923), +- PLL_36XX_RATE(45158400, 90, 
3, 4, 20762), +- PLL_36XX_RATE(32768000, 131, 3, 5, 4719), ++ PLL_36XX_RATE(45158401, 90, 3, 4, 20762), ++ PLL_36XX_RATE(32768001, 131, 3, 5, 4719), + { }, + }; + +diff --git a/drivers/clk/samsung/clk-exynos5260.c b/drivers/clk/samsung/clk-exynos5260.c +index d1a29f6c1084..7027e77bf859 100644 +--- a/drivers/clk/samsung/clk-exynos5260.c ++++ b/drivers/clk/samsung/clk-exynos5260.c +@@ -65,7 +65,7 @@ static struct samsung_pll_rate_table pll2650_24mhz_tbl[] __initdata = { + PLL_36XX_RATE(480000000, 160, 2, 2, 0), + PLL_36XX_RATE(432000000, 144, 2, 2, 0), + PLL_36XX_RATE(400000000, 200, 3, 2, 0), +- PLL_36XX_RATE(394073130, 459, 7, 2, 49282), ++ PLL_36XX_RATE(394073128, 459, 7, 2, 49282), + PLL_36XX_RATE(333000000, 111, 2, 2, 0), + PLL_36XX_RATE(300000000, 100, 2, 2, 0), + PLL_36XX_RATE(266000000, 266, 3, 3, 0), +diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c +index cee062c588de..91c89ac193b9 100644 +--- a/drivers/clk/samsung/clk-exynos5433.c ++++ b/drivers/clk/samsung/clk-exynos5433.c +@@ -747,7 +747,7 @@ static struct samsung_pll_rate_table exynos5443_pll_rates[] = { + PLL_35XX_RATE(800000000U, 400, 6, 1), + PLL_35XX_RATE(733000000U, 733, 12, 1), + PLL_35XX_RATE(700000000U, 175, 3, 1), +- PLL_35XX_RATE(667000000U, 222, 4, 1), ++ PLL_35XX_RATE(666000000U, 222, 4, 1), + PLL_35XX_RATE(633000000U, 211, 4, 1), + PLL_35XX_RATE(600000000U, 500, 5, 2), + PLL_35XX_RATE(552000000U, 460, 5, 2), +@@ -773,12 +773,12 @@ static struct samsung_pll_rate_table exynos5443_pll_rates[] = { + /* AUD_PLL */ + static struct samsung_pll_rate_table exynos5443_aud_pll_rates[] = { + PLL_36XX_RATE(400000000U, 200, 3, 2, 0), +- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690), ++ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690), + PLL_36XX_RATE(384000000U, 128, 2, 2, 0), +- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729), +- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148), +- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816), +- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923), ++ 
PLL_36XX_RATE(368639991U, 246, 4, 2, -15729), ++ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148), ++ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816), ++ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923), + PLL_36XX_RATE(288000000U, 96, 1, 3, 0), + PLL_36XX_RATE(252000000U, 84, 1, 3, 0), + { /* sentinel */ } +diff --git a/drivers/clk/samsung/clk-s3c2410.c b/drivers/clk/samsung/clk-s3c2410.c +index 0945a8852299..69e3e848716a 100644 +--- a/drivers/clk/samsung/clk-s3c2410.c ++++ b/drivers/clk/samsung/clk-s3c2410.c +@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = { + PLL_35XX_RATE(226000000, 105, 1, 1), + PLL_35XX_RATE(210000000, 132, 2, 1), + /* 2410 common */ +- PLL_35XX_RATE(203000000, 161, 3, 1), ++ PLL_35XX_RATE(202800000, 161, 3, 1), + PLL_35XX_RATE(192000000, 88, 1, 1), + PLL_35XX_RATE(186000000, 85, 1, 1), + PLL_35XX_RATE(180000000, 82, 1, 1), +@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = { + PLL_35XX_RATE(147000000, 90, 2, 1), + PLL_35XX_RATE(135000000, 82, 2, 1), + PLL_35XX_RATE(124000000, 116, 1, 2), +- PLL_35XX_RATE(118000000, 150, 2, 2), ++ PLL_35XX_RATE(118500000, 150, 2, 2), + PLL_35XX_RATE(113000000, 105, 1, 2), +- PLL_35XX_RATE(101000000, 127, 2, 2), ++ PLL_35XX_RATE(101250000, 127, 2, 2), + PLL_35XX_RATE(90000000, 112, 2, 2), +- PLL_35XX_RATE(85000000, 105, 2, 2), ++ PLL_35XX_RATE(84750000, 105, 2, 2), + PLL_35XX_RATE(79000000, 71, 1, 2), +- PLL_35XX_RATE(68000000, 82, 2, 2), +- PLL_35XX_RATE(56000000, 142, 2, 3), ++ PLL_35XX_RATE(67500000, 82, 2, 2), ++ PLL_35XX_RATE(56250000, 142, 2, 3), + PLL_35XX_RATE(48000000, 120, 2, 3), +- PLL_35XX_RATE(51000000, 161, 3, 3), ++ PLL_35XX_RATE(50700000, 161, 3, 3), + PLL_35XX_RATE(45000000, 82, 1, 3), +- PLL_35XX_RATE(34000000, 82, 2, 3), ++ PLL_35XX_RATE(33750000, 82, 2, 3), + { /* sentinel */ }, + }; + +diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/fsl_ftm_timer.c +index 517e1c7624d4..a00209702f39 100644 
+--- a/drivers/clocksource/fsl_ftm_timer.c ++++ b/drivers/clocksource/fsl_ftm_timer.c +@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct device_node *np, char *cnt_name, + + static unsigned long __init ftm_clk_init(struct device_node *np) + { +- unsigned long freq; ++ long freq; + + freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt"); + if (freq <= 0) +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 7c0bdfb1a2ca..0dcbf951ad1b 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -100,9 +100,19 @@ static int cppc_cpufreq_cpu_init(struct cpufreq_policy *policy) + policy->cpuinfo.max_freq = policy->max; + policy->shared_type = cpu->shared_type; + +- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) ++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) { ++ int i; ++ + cpumask_copy(policy->cpus, cpu->shared_cpu_map); +- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { ++ ++ for_each_cpu(i, policy->cpus) { ++ if (unlikely(i == policy->cpu)) ++ continue; ++ ++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps, ++ sizeof(cpu->perf_caps)); ++ } ++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { + /* Support only SW_ANY for now. 
*/ + pr_debug("Unsupported CPU co-ord type\n"); + return -EFAULT; +@@ -166,8 +176,13 @@ static int __init cppc_cpufreq_init(void) + return ret; + + out: +- for_each_possible_cpu(i) +- kfree(all_cpu_data[i]); ++ for_each_possible_cpu(i) { ++ cpu = all_cpu_data[i]; ++ if (!cpu) ++ break; ++ free_cpumask_var(cpu->shared_cpu_map); ++ kfree(cpu); ++ } + + kfree(all_cpu_data); + return -ENODEV; +diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c +index 107cd2a41cae..24651d3217cd 100644 +--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c +@@ -422,6 +422,7 @@ static struct platform_driver sun4i_ss_driver = { + + module_platform_driver(sun4i_ss_driver); + ++MODULE_ALIAS("platform:sun4i-ss"); + MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Corentin LABBE "); +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 66d84bcf9bbf..8db791ef2027 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1533,7 +1533,7 @@ static void pl330_dotask(unsigned long data) + /* Returns 1 if state was updated, 0 otherwise */ + static int pl330_update(struct pl330_dmac *pl330) + { +- struct dma_pl330_desc *descdone, *tmp; ++ struct dma_pl330_desc *descdone; + unsigned long flags; + void __iomem *regs; + u32 val; +@@ -1611,7 +1611,9 @@ static int pl330_update(struct pl330_dmac *pl330) + } + + /* Now that we are in no hurry, do the callbacks */ +- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { ++ while (!list_empty(&pl330->req_done)) { ++ descdone = list_first_entry(&pl330->req_done, ++ struct dma_pl330_desc, rqd); + list_del(&descdone->rqd); + spin_unlock_irqrestore(&pl330->lock, flags); + dma_pl330_rqcb(descdone, PL330_ERR_NONE); +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c +index 7820d07e7bee..2b36d1c63aa5 100644 +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c 
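Review bot: The replacement loop in pl330_update() carries no comment explaining why `list_for_each_entry_safe()` was not sufficient, so the next cleanup could put it back. The lock is dropped around `dma_pl330_rqcb()`, which means the saved next pointer can be unlinked by another context while the callback runs. Suggest extending the existing comment to `/* Now that we are in no hurry, do the callbacks. The lock is dropped for each callback, so re-read the list head every iteration. */`. The re-lock after the callback is outside the hunk; confirm that `list_empty(&pl330->req_done)` is always evaluated with `pl330->lock` held.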
+@@ -851,7 +851,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_chan *chan, struct scatterlist *sgl, + + rcar_dmac_chan_configure_desc(chan, desc); + +- max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift; ++ max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift; + + /* + * Allocate and fill the transfer chunk descriptors. We own the only +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index c2f5117fd8cb..5545a7f3a98f 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -1130,7 +1130,13 @@ static int context_add_buffer(struct context *ctx) + return -ENOMEM; + + offset = (void *)&desc->buffer - (void *)desc; +- desc->buffer_size = PAGE_SIZE - offset; ++ /* ++ * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads ++ * for descriptors, even 0x10-byte ones. This can cause page faults when ++ * an IOMMU is in use and the oversized read crosses a page boundary. ++ * Work around this by always leaving at least 0x10 bytes of padding. ++ */ ++ desc->buffer_size = PAGE_SIZE - offset - 0x10; + desc->buffer_bus = bus_addr + offset; + desc->used = 0; + +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index 0e08e665f715..053a23a7be94 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -18,7 +18,7 @@ EXPORT_SYMBOL_GPL(dmi_kobj); + * of and an antecedent to, SMBIOS, which stands for System + * Management BIOS. 
See further: http://www.dmtf.org/standards + */ +-static const char dmi_empty_string[] = " "; ++static const char dmi_empty_string[] = ""; + + static u32 dmi_ver __initdata; + static u32 dmi_len; +@@ -44,25 +44,21 @@ static int dmi_memdev_nr; + static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s) + { + const u8 *bp = ((u8 *) dm) + dm->length; ++ const u8 *nsp; + + if (s) { +- s--; +- while (s > 0 && *bp) { ++ while (--s > 0 && *bp) + bp += strlen(bp) + 1; +- s--; +- } +- +- if (*bp != 0) { +- size_t len = strlen(bp)+1; +- size_t cmp_len = len > 8 ? 8 : len; + +- if (!memcmp(bp, dmi_empty_string, cmp_len)) +- return dmi_empty_string; ++ /* Strings containing only spaces are considered empty */ ++ nsp = bp; ++ while (*nsp == ' ') ++ nsp++; ++ if (*nsp != '\0') + return bp; +- } + } + +- return ""; ++ return dmi_empty_string; + } + + static const char * __init dmi_string(const struct dmi_header *dm, u8 s) +diff --git a/drivers/gpu/drm/exynos/regs-fimc.h b/drivers/gpu/drm/exynos/regs-fimc.h +index 30496134a3d0..d7cbe53c4c01 100644 +--- a/drivers/gpu/drm/exynos/regs-fimc.h ++++ b/drivers/gpu/drm/exynos/regs-fimc.h +@@ -569,7 +569,7 @@ + #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26) + #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26) + #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26) +-#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0)) ++#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0)) + + /* Real input DMA size register */ + #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31) +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index b4de18e65db8..6296e9f270ca 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -208,6 +208,9 @@ static int virtio_gpu_getparam_ioctl(struct drm_device *dev, void *data, + case VIRTGPU_PARAM_3D_FEATURES: + value = vgdev->has_virgl_3d == true ? 
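Review bot: dmi_string_nosave() walks firmware-provided data with `bp += strlen(bp) + 1` and then `while (*nsp == ' ') nsp++`, and neither step is bounded by the end of the DMI table. Both rely on the string set being NUL-terminated inside the mapped region. If the table is validated before this function is reached (not visible in this hunk), say so in a comment such as `/* the caller has verified that the string set ends inside the table */`. Otherwise the walk should stop at the table end rather than trust the terminators.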
1 : 0; + break; ++ case VIRTGPU_PARAM_CAPSET_QUERY_FIX: ++ value = 1; ++ break; + default: + return -EINVAL; + } +@@ -483,7 +486,7 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev, + { + struct virtio_gpu_device *vgdev = dev->dev_private; + struct drm_virtgpu_get_caps *args = data; +- int size; ++ unsigned size, host_caps_size; + int i; + int found_valid = -1; + int ret; +@@ -492,6 +495,10 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev, + if (vgdev->num_capsets == 0) + return -ENOSYS; + ++ /* don't allow userspace to pass 0 */ ++ if (args->size == 0) ++ return -EINVAL; ++ + spin_lock(&vgdev->display_info_lock); + for (i = 0; i < vgdev->num_capsets; i++) { + if (vgdev->capsets[i].id == args->cap_set_id) { +@@ -507,11 +514,9 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev, + return -EINVAL; + } + +- size = vgdev->capsets[found_valid].max_size; +- if (args->size > size) { +- spin_unlock(&vgdev->display_info_lock); +- return -EINVAL; +- } ++ host_caps_size = vgdev->capsets[found_valid].max_size; ++ /* only copy to user the minimum of the host caps size or the guest caps size */ ++ size = min(args->size, host_caps_size); + + list_for_each_entry(cache_ent, &vgdev->cap_cache, head) { + if (cache_ent->id == args->cap_set_id && +diff --git a/drivers/hid/hid-roccat-kovaplus.c b/drivers/hid/hid-roccat-kovaplus.c +index 966047711fbf..1073c0d1fae5 100644 +--- a/drivers/hid/hid-roccat-kovaplus.c ++++ b/drivers/hid/hid-roccat-kovaplus.c +@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(uint value) + static void kovaplus_profile_activated(struct kovaplus_device *kovaplus, + uint new_profile_index) + { ++ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings)) ++ return; + kovaplus->actual_profile = new_profile_index; + kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level; + kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x; +diff --git 
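Review bot: With `size = min(args->size, host_caps_size);` virtio_gpu_get_caps_ioctl() now accepts a request larger than the host capset and copies only the smaller amount, but nothing on these lines records that the tail of the user buffer is left as the caller supplied it. A comment such as `/* copy min(guest, host) bytes; the rest of the user buffer is not written */` would make that contract explicit for userspace that checks VIRTGPU_PARAM_CAPSET_QUERY_FIX. The declaration `unsigned size, host_caps_size;` in the earlier hunk would read better as `unsigned int`, which is also the type `min()` needs on both sides if `args->size` is a 32-bit unsigned field (its definition is not shown). The copy to userspace itself is outside the hunk.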
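Review bot: The new guard in kovaplus_profile_activated() drops an out-of-range `new_profile_index` without any trace, so a bad index leaves `actual_profile` and the cached CPI and sensitivity values stale with nothing to show it happened. A short comment stating why the value is ignored, e.g. `/* index is not validated by callers; ignore values outside profile_settings[] */`, would document the intent. Whether callers validate the index is not visible in this hunk, so confirm the wording against them. The function body continues outside the hunk.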
a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index d7ebdf8651f5..d3c6115f16b9 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -1390,7 +1390,7 @@ static void nct6775_update_pwm(struct device *dev) + duty_is_dc = data->REG_PWM_MODE[i] && + (nct6775_read_value(data, data->REG_PWM_MODE[i]) + & data->PWM_MODE_MASK[i]); +- data->pwm_mode[i] = duty_is_dc; ++ data->pwm_mode[i] = !duty_is_dc; + + fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); + for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { +@@ -2267,7 +2267,7 @@ show_pwm_mode(struct device *dev, struct device_attribute *attr, char *buf) + struct nct6775_data *data = nct6775_update_device(dev); + struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr); + +- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); ++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); + } + + static ssize_t +@@ -2288,9 +2288,9 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr, + if (val > 1) + return -EINVAL; + +- /* Setting DC mode is not supported for all chips/channels */ ++ /* Setting DC mode (0) is not supported for all chips/channels */ + if (data->REG_PWM_MODE[nr] == 0) { +- if (val) ++ if (!val) + return -EINVAL; + return count; + } +@@ -2299,7 +2299,7 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr, + data->pwm_mode[nr] = val; + reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); + reg &= ~data->PWM_MODE_MASK[nr]; +- if (val) ++ if (!val) + reg |= data->PWM_MODE_MASK[nr]; + nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); + mutex_unlock(&data->update_lock); +diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c +index 18477dd1e243..c3f4c9ef6705 100644 +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -141,7 +141,7 @@ static int adm1275_read_word_data(struct i2c_client *client, int page, int reg) + const struct adm1275_data *data = to_adm1275_data(info); + int ret = 0; 
+ +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +@@ -218,7 +218,7 @@ static int adm1275_write_word_data(struct i2c_client *client, int page, int reg, + const struct adm1275_data *data = to_adm1275_data(info); + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +diff --git a/drivers/hwmon/pmbus/max8688.c b/drivers/hwmon/pmbus/max8688.c +index dd4883a19045..e951f9b87abb 100644 +--- a/drivers/hwmon/pmbus/max8688.c ++++ b/drivers/hwmon/pmbus/max8688.c +@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct i2c_client *client, int page, int reg) + { + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +diff --git a/drivers/i2c/busses/i2c-mv64xxx.c b/drivers/i2c/busses/i2c-mv64xxx.c +index 43207f52e5a3..332d32c53c41 100644 +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -856,12 +856,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_data *drv_data, + */ + if (of_device_is_compatible(np, "marvell,mv78230-i2c")) { + drv_data->offload_enabled = true; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) { + drv_data->offload_enabled = false; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) +diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c +index ef907fd5ba98..08a21d635d0d 100644 +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -1593,6 +1593,8 @@ static int idecd_open(struct block_device *bdev, fmode_t mode) + struct cdrom_info *info; + int rc = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&ide_cd_mutex); + info = ide_cd_get(bdev->bd_disk); + if (!info) +diff --git a/drivers/infiniband/core/ucma.c 
b/drivers/infiniband/core/ucma.c +index 2b9c00faca7d..795938edce3f 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1295,7 +1295,7 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + + optval = memdup_user((void __user *) (unsigned long) cmd.optval, +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index c5390f6f94c5..43d277a931c2 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -3161,12 +3161,9 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd) + int err; + + err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn); +- if (err) { ++ if (err) + mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn); +- return err; +- } + + kfree(xrcd); +- + return 0; + } +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 37b42447045d..fcb18b11db75 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1953,6 +1953,9 @@ static struct net_device *ipoib_add_port(const char *format, + goto event_failed; + } + ++ /* call event handler to ensure pkey in sync */ ++ queue_work(ipoib_workqueue, &priv->flush_heavy); ++ + result = register_netdev(priv->dev); + if (result) { + printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n", +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index 3f1c4dea8866..9ab424b9b281 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -589,7 +589,7 @@ static void gic_send_sgi(u64 cluster_id, u16 tlist, unsigned int irq) + MPIDR_TO_SGI_AFFINITY(cluster_id, 1) | + tlist << ICC_SGI1R_TARGET_LIST_SHIFT); + +- pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); ++ pr_devel("CPU%d: 
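Review bot: In ucma_set_option() the corrected `cmd.optlen > KMALLOC_MAX_SIZE` check returns `-EINVAL` directly, after `ctx` has already been looked up and tested with `IS_ERR(ctx)`. If that lookup took a reference on the context (the call is above the hunk), this early return skips the release and leaks one reference each time userspace passes an oversized `optlen`. Either move the length check ahead of the context lookup, or set `ret = -EINVAL;` and leave through the function's normal cleanup path so the put still runs. The rest of the function, including that cleanup path, is outside the hunk.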
ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); + gic_write_sgi1r(val); + } + +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index aa84fcfd59fc..16c3390e5d9f 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -285,8 +285,10 @@ do { \ + break; \ + \ + mutex_unlock(&(ca)->set->bucket_lock); \ +- if (kthread_should_stop()) \ ++ if (kthread_should_stop()) { \ ++ set_current_state(TASK_RUNNING); \ + return 0; \ ++ } \ + \ + try_to_freeze(); \ + schedule(); \ +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 02619cabda8b..7fe7df56fa33 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -904,7 +904,7 @@ void bcache_write_super(struct cache_set *); + + int bch_flash_dev_create(struct cache_set *c, uint64_t size); + +-int bch_cached_dev_attach(struct cached_dev *, struct cache_set *); ++int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *); + void bch_cached_dev_detach(struct cached_dev *); + void bch_cached_dev_run(struct cached_dev *); + void bcache_device_stop(struct bcache_device *); +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index a5a6909280fe..4ed621ad27e4 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1869,14 +1869,17 @@ void bch_initial_gc_finish(struct cache_set *c) + */ + for_each_cache(ca, c, i) { + for_each_bucket(b, ca) { +- if (fifo_full(&ca->free[RESERVE_PRIO])) ++ if (fifo_full(&ca->free[RESERVE_PRIO]) && ++ fifo_full(&ca->free[RESERVE_BTREE])) + break; + + if (bch_can_invalidate_bucket(ca, b) && + !GC_MARK(b)) { + __bch_invalidate_one_bucket(ca, b); +- fifo_push(&ca->free[RESERVE_PRIO], +- b - ca->buckets); ++ if (!fifo_push(&ca->free[RESERVE_PRIO], ++ b - ca->buckets)) ++ fifo_push(&ca->free[RESERVE_BTREE], ++ b - ca->buckets); + } + } + } +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index e73aeb0e892c..e497bde96db3 100644 +--- 
a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -633,11 +633,11 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio) + static void search_free(struct closure *cl) + { + struct search *s = container_of(cl, struct search, cl); +- bio_complete(s); + + if (s->iop.bio) + bio_put(s->iop.bio); + ++ bio_complete(s); + closure_debug_destroy(cl); + mempool_free(s, s->d->c->search); + } +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index f636af441da6..ef28ddfff7c6 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -936,7 +936,8 @@ void bch_cached_dev_detach(struct cached_dev *dc) + cached_dev_put(dc); + } + +-int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) ++int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c, ++ uint8_t *set_uuid) + { + uint32_t rtime = cpu_to_le32(get_seconds()); + struct uuid_entry *u; +@@ -945,7 +946,8 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) + + bdevname(dc->bdev, buf); + +- if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)) ++ if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) || ++ (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))) + return -ENOENT; + + if (dc->disk.c) { +@@ -1189,7 +1191,7 @@ static void register_bdev(struct cache_sb *sb, struct page *sb_page, + + list_add(&dc->list, &uncached_devices); + list_for_each_entry(c, &bch_cache_sets, list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE || + BDEV_STATE(&dc->sb) == BDEV_STATE_STALE) +@@ -1711,7 +1713,7 @@ static void run_cache_set(struct cache_set *c) + bcache_write_super(c); + + list_for_each_entry_safe(dc, t, &uncached_devices, list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + flash_devs_run(c); + +@@ -1828,6 +1830,7 @@ void bch_cache_release(struct kobject *kobj) + static int cache_alloc(struct cache_sb *sb, struct cache 
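Review bot: The two-armed condition in bch_cached_dev_attach() spells out the same `memcmp()` against `c->sb.set_uuid` twice with only the source pointer differing, which is harder to read than it needs to be. Selecting the pointer first says the same thing: `if (memcmp(set_uuid ? set_uuid : dc->sb.set_uuid, c->sb.set_uuid, 16))`. A one-line comment on the new parameter, e.g. `/* set_uuid: UUID to match, or NULL to use dc->sb.set_uuid */`, would also help, since the callers in register_bdev() and run_cache_set() pass NULL. The function body continues outside the hunk.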
*ca) + { + size_t free; ++ size_t btree_buckets; + struct bucket *b; + + __module_get(THIS_MODULE); +@@ -1837,9 +1840,19 @@ static int cache_alloc(struct cache_sb *sb, struct cache *ca) + ca->journal.bio.bi_max_vecs = 8; + ca->journal.bio.bi_io_vec = ca->journal.bio.bi_inline_vecs; + ++ /* ++ * when ca->sb.njournal_buckets is not zero, journal exists, ++ * and in bch_journal_replay(), tree node may split, ++ * so bucket of RESERVE_BTREE type is needed, ++ * the worst situation is all journal buckets are valid journal, ++ * and all the keys need to replay, ++ * so the number of RESERVE_BTREE type buckets should be as much ++ * as journal buckets ++ */ ++ btree_buckets = ca->sb.njournal_buckets ?: 8; + free = roundup_pow_of_two(ca->sb.nbuckets) >> 10; + +- if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) || ++ if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) || + !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) || +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 4fbb5532f24c..5a5c1f1bd8a5 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -191,7 +191,7 @@ STORE(__cached_dev) + { + struct cached_dev *dc = container_of(kobj, struct cached_dev, + disk.kobj); +- ssize_t v = size; ++ ssize_t v; + struct cache_set *c; + struct kobj_uevent_env *env; + +@@ -263,17 +263,20 @@ STORE(__cached_dev) + } + + if (attr == &sysfs_attach) { +- if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16) ++ uint8_t set_uuid[16]; ++ ++ if (bch_parse_uuid(buf, set_uuid) < 16) + return -EINVAL; + ++ v = -ENOENT; + list_for_each_entry(c, &bch_cache_sets, list) { +- v = bch_cached_dev_attach(dc, c); ++ v = bch_cached_dev_attach(dc, c, set_uuid); + if (!v) + return size; + } + + pr_err("Can't attach %s: cache set not found", buf); +- size = v; ++ return v; + } + + if (attr == 
&sysfs_detach && dc->disk.c) +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index bbb1dc9e1639..f2c0000de613 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -425,19 +425,28 @@ static int bch_writeback_thread(void *arg) + + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); +- if (!atomic_read(&dc->has_dirty) || +- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && +- !dc->writeback_running)) { ++ set_current_state(TASK_INTERRUPTIBLE); ++ /* ++ * If the bache device is detaching, skip here and continue ++ * to perform writeback. Otherwise, if no dirty data on cache, ++ * or there is dirty data on cache but writeback is disabled, ++ * the writeback thread should sleep here and wait for others ++ * to wake up it. ++ */ ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + up_write(&dc->writeback_lock); +- set_current_state(TASK_INTERRUPTIBLE); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ set_current_state(TASK_RUNNING); + return 0; ++ } + + try_to_freeze(); + schedule(); + continue; + } ++ set_current_state(TASK_RUNNING); + + searched_full_index = refill_dirty(dc); + +@@ -447,6 +456,14 @@ static int bch_writeback_thread(void *arg) + cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); ++ /* ++ * If bcache device is detaching via sysfs interface, ++ * writeback thread should stop after there is no dirty ++ * data on cache. BCACHE_DEV_DETACHING flag is set in ++ * bch_cached_dev_detach(). 
++ */ ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ break; + } + + up_write(&dc->writeback_lock); +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index f24a9e14021d..89dcbf2fa846 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1686,6 +1686,17 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) + struct md_rdev *repl = + conf->mirrors[conf->raid_disks + number].rdev; + freeze_array(conf, 0); ++ if (atomic_read(&repl->nr_pending)) { ++ /* It means that some queued IO of retry_list ++ * hold repl. Thus, we cannot set replacement ++ * as NULL, avoiding rdev NULL pointer ++ * dereference in sync_request_write and ++ * handle_write_finished. ++ */ ++ err = -EBUSY; ++ unfreeze_array(conf); ++ goto abort; ++ } + clear_bit(Replacement, &repl->flags); + p->rdev = repl; + conf->mirrors[conf->raid_disks + number].rdev = NULL; +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index bf0410403a6f..7b6acedc89c1 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2630,7 +2630,8 @@ static void handle_write_completed(struct r10conf *conf, struct r10bio *r10_bio) + for (m = 0; m < conf->copies; m++) { + int dev = r10_bio->devs[m].devnum; + rdev = conf->mirrors[dev].rdev; +- if (r10_bio->devs[m].bio == NULL) ++ if (r10_bio->devs[m].bio == NULL || ++ r10_bio->devs[m].bio->bi_end_io == NULL) + continue; + if (!r10_bio->devs[m].bio->bi_error) { + rdev_clear_badblocks( +@@ -2645,7 +2646,8 @@ static void handle_write_completed(struct r10conf *conf, struct r10bio *r10_bio) + md_error(conf->mddev, rdev); + } + rdev = conf->mirrors[dev].replacement; +- if (r10_bio->devs[m].repl_bio == NULL) ++ if (r10_bio->devs[m].repl_bio == NULL || ++ r10_bio->devs[m].repl_bio->bi_end_io == NULL) + continue; + + if (!r10_bio->devs[m].repl_bio->bi_error) { +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index e2130fb4597d..d59b861764a1 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2028,15 +2028,16 @@ 
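Review bot: The added `break` in bch_writeback_thread() leaves the loop while `dc->writeback_lock` is still held: the loop takes it with `down_write(&dc->writeback_lock)` at the top (previous hunk) and the matching `up_write()` only comes after this block. Once the thread exits that way, any later reader or writer of the lock would block. Release it before leaving: `if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) { up_write(&dc->writeback_lock); break; }`. The function continues outside the hunk, so check that nothing after the loop expects the lock to be held.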
static int grow_one_stripe(struct r5conf *conf, gfp_t gfp) + static int grow_stripes(struct r5conf *conf, int num) + { + struct kmem_cache *sc; ++ size_t namelen = sizeof(conf->cache_name[0]); + int devs = max(conf->raid_disks, conf->previous_raid_disks); + + if (conf->mddev->gendisk) +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%s", conf->level, mdname(conf->mddev)); + else +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%p", conf->level, conf->mddev); +- sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); ++ snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]); + + conf->active_name = 0; + sc = kmem_cache_create(conf->cache_name[conf->active_name], +diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c +index ea9abde902e9..209db65ab610 100644 +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -1071,7 +1071,7 @@ static int dvb_demux_do_ioctl(struct file *file, + break; + + default: +- ret = -EINVAL; ++ ret = -ENOTTY; + break; + } + mutex_unlock(&dmxdev->mutex); +diff --git a/drivers/media/pci/cx23885/cx23885-cards.c b/drivers/media/pci/cx23885/cx23885-cards.c +index f384f295676e..679d122af63c 100644 +--- a/drivers/media/pci/cx23885/cx23885-cards.c ++++ b/drivers/media/pci/cx23885/cx23885-cards.c +@@ -2124,6 +2124,10 @@ void cx23885_card_setup(struct cx23885_dev *dev) + &dev->i2c_bus[2].i2c_adap, + "cx25840", 0x88 >> 1, NULL); + if (dev->sd_cx25840) { ++ /* set host data for clk_freq configuration */ ++ v4l2_set_subdev_hostdata(dev->sd_cx25840, ++ &dev->clk_freq); ++ + dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE; + v4l2_subdev_call(dev->sd_cx25840, core, load_fw); + } +diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c +index e8f847226a19..6eb3be13b430 100644 +--- a/drivers/media/pci/cx23885/cx23885-core.c ++++ b/drivers/media/pci/cx23885/cx23885-core.c +@@ 
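Review bot: The `%.27s` precision in the `cache_name[1]` `snprintf` hard-codes an assumption about the size of `conf->cache_name[0]`, which is declared outside this hunk. Presumably 27 is the buffer size minus `"-alt"` and the terminating NUL. `snprintf` still bounds the write, so this is not an overflow, but the truncation point goes stale silently if the array is ever resized. Either add a comment on that line, `/* 27 = sizeof(cache_name[0]) - strlen("-alt") - 1 */`, or derive the precision from `namelen` with `"%.*s-alt", (int)(namelen - 5), conf->cache_name[0]`. The body of grow_stripes() continues past the hunk.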
-872,6 +872,16 @@ static int cx23885_dev_setup(struct cx23885_dev *dev) + if (cx23885_boards[dev->board].clk_freq > 0) + dev->clk_freq = cx23885_boards[dev->board].clk_freq; + ++ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE && ++ dev->pci->subsystem_device == 0x7137) { ++ /* Hauppauge ImpactVCBe device ID 0x7137 is populated ++ * with an 888, and a 25Mhz crystal, instead of the ++ * usual third overtone 50Mhz. The default clock rate must ++ * be overridden so the cx25840 is properly configured ++ */ ++ dev->clk_freq = 25000000; ++ } ++ + dev->pci_bus = dev->pci->bus->number; + dev->pci_slot = PCI_SLOT(dev->pci->devfn); + cx23885_irq_add(dev, 0x001f00); +diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c +index 0042803a9de7..54398d8a4696 100644 +--- a/drivers/media/pci/cx25821/cx25821-core.c ++++ b/drivers/media/pci/cx25821/cx25821-core.c +@@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25821_dev *dev) + dev->nr = ++cx25821_devcount; + sprintf(dev->name, "cx25821[%d]", dev->nr); + ++ if (dev->nr >= ARRAY_SIZE(card)) { ++ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card)); ++ return -ENODEV; ++ } + if (dev->pci->device != 0x8210) { + pr_info("%s(): Exiting. 
Incorrect Hardware device = 0x%02x\n", + __func__, dev->pci->device); +@@ -886,9 +890,6 @@ static int cx25821_dev_setup(struct cx25821_dev *dev) + dev->channels[i].sram_channels = &cx25821_sram_channels[i]; + } + +- if (dev->nr > 1) +- CX25821_INFO("dev->nr > 1!"); +- + /* board config */ + dev->board = 1; /* card[dev->nr]; */ + dev->_max_num_decoders = MAX_DECODERS; +diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c +index 537b858cb94a..fa6af4a7dae1 100644 +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -1268,16 +1268,17 @@ static void __camif_subdev_try_format(struct camif_dev *camif, + { + const struct s3c_camif_variant *variant = camif->variant; + const struct vp_pix_limits *pix_lim; +- int i = ARRAY_SIZE(camif_mbus_formats); ++ unsigned int i; + + /* FIXME: constraints against codec or preview path ? */ + pix_lim = &variant->vp_pix_limits[VP_CODEC]; + +- while (i-- >= 0) ++ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) + if (camif_mbus_formats[i] == mf->code) + break; + +- mf->code = camif_mbus_formats[i]; ++ if (i == ARRAY_SIZE(camif_mbus_formats)) ++ mf->code = camif_mbus_formats[0]; + + if (pad == CAMIF_SD_PAD_SINK) { + v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH, +diff --git a/drivers/media/usb/em28xx/em28xx.h b/drivers/media/usb/em28xx/em28xx.h +index 76bf8ba372b3..5b53e31ce262 100644 +--- a/drivers/media/usb/em28xx/em28xx.h ++++ b/drivers/media/usb/em28xx/em28xx.h +@@ -187,7 +187,7 @@ + USB 2.0 spec says bulk packet size is always 512 bytes + */ + #define EM28XX_BULK_PACKET_MULTIPLIER 384 +-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384 ++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94 + + #define EM28XX_INTERLACED_DEFAULT 1 + +diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c +index 02b5f69e1a42..14cf6dfc3b14 100644 +--- a/drivers/message/fusion/mptctl.c ++++ 
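Review bot: `CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));` prints a `size_t` with the signed `%zd` conversion; `ARRAY_SIZE()` yields an unsigned `size_t`, so `%zu` is the matching specifier. Separately, the new `return -ENODEV` comes after `dev->nr = ++cx25821_devcount`, so a rejected device still consumes a slot in the counter. Whether the caller undoes that increment is not visible in this hunk. Consider `CX25821_INFO("dev->nr >= %zu", ARRAY_SIZE(card));` and decrementing `cx25821_devcount` before returning if nothing else does.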
b/drivers/message/fusion/mptctl.c +@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg) + __FILE__, __LINE__, iocnum); + return -ENODEV; + } ++ if (karg.hdr.id >= MPT_MAX_FC_DEVICES) ++ return -EINVAL; + dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n", + ioc->name)); + +diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c +index f280744578e4..ffd448149796 100644 +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -32,6 +32,8 @@ struct sdhci_iproc_host { + const struct sdhci_iproc_data *data; + u32 shadow_cmd; + u32 shadow_blk; ++ bool is_cmd_shadowed; ++ bool is_blk_shadowed; + }; + + #define REG_OFFSET_IN_BITS(reg) ((reg) << 3 & 0x18) +@@ -47,8 +49,22 @@ static inline u32 sdhci_iproc_readl(struct sdhci_host *host, int reg) + + static u16 sdhci_iproc_readw(struct sdhci_host *host, int reg) + { +- u32 val = sdhci_iproc_readl(host, (reg & ~3)); +- u16 word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff; ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct sdhci_iproc_host *iproc_host = sdhci_pltfm_priv(pltfm_host); ++ u32 val; ++ u16 word; ++ ++ if ((reg == SDHCI_TRANSFER_MODE) && iproc_host->is_cmd_shadowed) { ++ /* Get the saved transfer mode */ ++ val = iproc_host->shadow_cmd; ++ } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) && ++ iproc_host->is_blk_shadowed) { ++ /* Get the saved block info */ ++ val = iproc_host->shadow_blk; ++ } else { ++ val = sdhci_iproc_readl(host, (reg & ~3)); ++ } ++ word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff; + return word; + } + +@@ -104,13 +120,15 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg) + + if (reg == SDHCI_COMMAND) { + /* Write the block now as we are issuing a command */ +- if (iproc_host->shadow_blk != 0) { ++ if (iproc_host->is_blk_shadowed) { + sdhci_iproc_writel(host, iproc_host->shadow_blk, + SDHCI_BLOCK_SIZE); +- iproc_host->shadow_blk = 0; ++ iproc_host->is_blk_shadowed = 
false; + } + oldval = iproc_host->shadow_cmd; +- } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) { ++ iproc_host->is_cmd_shadowed = false; ++ } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) && ++ iproc_host->is_blk_shadowed) { + /* Block size and count are stored in shadow reg */ + oldval = iproc_host->shadow_blk; + } else { +@@ -122,9 +140,11 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg) + if (reg == SDHCI_TRANSFER_MODE) { + /* Save the transfer mode until the command is issued */ + iproc_host->shadow_cmd = newval; ++ iproc_host->is_cmd_shadowed = true; + } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) { + /* Save the block info until the command is issued */ + iproc_host->shadow_blk = newval; ++ iproc_host->is_blk_shadowed = true; + } else { + /* Command or other regular 32-bit write */ + sdhci_iproc_writel(host, newval, reg & ~3); +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index a5e4b4b93d1b..ec3766264408 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -531,7 +531,8 @@ static void bgmac_dma_tx_ring_free(struct bgmac *bgmac, + int i; + + for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { +- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; ++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); ++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; + + slot = &ring->slots[i]; + dev_kfree_skb(slot->skb); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index a38a9cb3d544..9904d768a20a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -2925,6 +2925,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct bnxt *bp, u16 vnic_id, u32 tpa_flags) + struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id]; + struct hwrm_vnic_tpa_cfg_input req = {0}; + ++ if (vnic->fw_vnic_id == INVALID_HW_RING_ID) ++ return 0; ++ + 
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1); + + if (tpa_flags) { +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index b36643ef0593..0e3b2ebf87f1 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1726,6 +1726,8 @@ static int enic_open(struct net_device *netdev) + } + + for (i = 0; i < enic->rq_count; i++) { ++ /* enable rq before updating rq desc */ ++ vnic_rq_enable(&enic->rq[i]); + vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf); + /* Need at least one buffer on ring to get going */ + if (vnic_rq_desc_used(&enic->rq[i]) == 0) { +@@ -1737,8 +1739,6 @@ static int enic_open(struct net_device *netdev) + + for (i = 0; i < enic->wq_count; i++) + vnic_wq_enable(&enic->wq[i]); +- for (i = 0; i < enic->rq_count; i++) +- vnic_rq_enable(&enic->rq[i]); + + if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) + enic_dev_add_station_addr(enic); +@@ -1765,8 +1765,12 @@ static int enic_open(struct net_device *netdev) + return 0; + + err_out_free_rq: +- for (i = 0; i < enic->rq_count; i++) ++ for (i = 0; i < enic->rq_count; i++) { ++ err = vnic_rq_disable(&enic->rq[i]); ++ if (err) ++ return err; + vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ } + enic_dev_notify_unset(enic); + err_out_free_intr: + enic_unset_affinity_hint(enic); +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 901661149b44..2d61369f586f 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -3053,9 +3053,6 @@ static void gfar_process_frame(struct net_device *ndev, struct sk_buff *skb) + if (ndev->features & NETIF_F_RXCSUM) + gfar_rx_checksum(skb, fcb); + +- /* Tell the skb what kind of packet this is */ +- skb->protocol = eth_type_trans(skb, ndev); +- + /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here. 
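Review bot: In the `err_out_free_rq` loop the new `err = vnic_rq_disable(&enic->rq[i]);` overwrites the error code that sent enic_open() down this path. If every disable succeeds, `err` ends up 0; the final return is outside the hunk, but if it returns `err`, a failed open would be reported as success. If a disable fails, the early `return err` skips `vnic_rq_clean()` for the remaining queues and also the `enic_dev_notify_unset()` and `err_out_free_intr` cleanup below. Use a separate local so the original error survives and cleanup always runs to the end: `ret = vnic_rq_disable(&enic->rq[i]);` followed by `if (!ret) vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);`.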
+ * Even if vlan rx accel is disabled, on some chips + * RXFCB_VLN is pseudo randomly set. +@@ -3126,13 +3123,15 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit) + continue; + } + ++ gfar_process_frame(ndev, skb); ++ + /* Increment the number of packets */ + total_pkts++; + total_bytes += skb->len; + + skb_record_rx_queue(skb, rx_queue->qindex); + +- gfar_process_frame(ndev, skb); ++ skb->protocol = eth_type_trans(skb, ndev); + + /* Send the packet up the stack */ + napi_gro_receive(&rx_queue->grp->napi_rx, skb); +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index 1908a38e7f31..485b9cc53f8b 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -1574,7 +1574,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) + * we have already determined whether we have link or not. + */ + if (!mac->autoneg) +- return -E1000_ERR_CONFIG; ++ return 1; + + /* Auto-Neg is enabled. Auto Speed Detection takes care + * of MAC speed/duplex configuration. So we only need to +diff --git a/drivers/net/ethernet/intel/e1000e/mac.c b/drivers/net/ethernet/intel/e1000e/mac.c +index 645ace74429e..fe133f33a6c6 100644 +--- a/drivers/net/ethernet/intel/e1000e/mac.c ++++ b/drivers/net/ethernet/intel/e1000e/mac.c +@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw) + * we have already determined whether we have link or not. + */ + if (!mac->autoneg) +- return -E1000_ERR_CONFIG; ++ return 1; + + /* Auto-Neg is enabled. Auto Speed Detection takes care + * of MAC speed/duplex configuration. 
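Review bot: `return 1;` in the `!mac->autoneg` branch introduces a positive return value with no name and no comment saying what it means. The same bare `1` is added to e1000e_check_for_copper_link() in mac.c (next hunk). Callers that test the result with `if (ret_val)` rather than `ret_val < 0` would treat it as a failure; none of them are visible here, so they need checking. State the convention on the changed line in both functions, e.g. `return 1; /* positive: not an error, see function comment */`, and spell out the three-way result in the header comments, which sit outside these hunks.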
So we only need to +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 20d8806d2bff..6369d88b81c1 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2330,8 +2330,8 @@ static int e1000_alloc_ring_dma(struct e1000_adapter *adapter, + { + struct pci_dev *pdev = adapter->pdev; + +- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma, +- GFP_KERNEL); ++ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma, ++ GFP_KERNEL); + if (!ring->desc) + return -ENOMEM; + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 7430dd44019e..ea693bbf56d8 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -818,6 +818,7 @@ static void mvneta_port_up(struct mvneta_port *pp) + } + mvreg_write(pp, MVNETA_TXQ_CMD, q_map); + ++ q_map = 0; + /* Enable all initialized RXQs. */ + mvreg_write(pp, MVNETA_RXQ_CMD, BIT(rxq_def)); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 6c66d2979795..16bd585365a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1623,7 +1623,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev) + + cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; ++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; + + cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; + if (cmd->cmdif_rev > CMD_IF_REV) { +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index cc106d892e29..b15e322b8bfe 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -1787,7 +1787,7 @@ static struct vnet *vnet_new(const u64 *local_mac, + dev->ethtool_ops = &vnet_ethtool_ops; + 
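Review bot: The added `q_map = 0;` is a dead store as far as this hunk shows. The next statement writes `BIT(rxq_def)` to `MVNETA_RXQ_CMD` and the function's closing brace follows, so `q_map` is never read again. Either the loop that rebuilds `q_map` for the initialized RXQs is missing from this change, or the assignment should be dropped. If the map is meant to drive the enable, the write would become `mvreg_write(pp, MVNETA_RXQ_CMD, q_map);` after that loop; otherwise delete the line. The start of mvneta_port_up() is outside the hunk.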
dev->watchdog_timeo = VNET_TX_TIMEOUT; + +- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE | ++ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO | + NETIF_F_HW_CSUM | NETIF_F_SG; + dev->features = dev->hw_features; + +diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c +index e83acc608678..dc934347ae28 100644 +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1203,6 +1203,23 @@ static void dp83640_remove(struct phy_device *phydev) + kfree(dp83640); + } + ++static int dp83640_soft_reset(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = genphy_soft_reset(phydev); ++ if (ret < 0) ++ return ret; ++ ++ /* From DP83640 datasheet: "Software driver code must wait 3 us ++ * following a software reset before allowing further serial MII ++ * operations with the DP83640." ++ */ ++ udelay(10); /* Taking udelay inaccuracy into account */ ++ ++ return 0; ++} ++ + static int dp83640_config_init(struct phy_device *phydev) + { + struct dp83640_private *dp83640 = phydev->priv; +@@ -1496,6 +1513,7 @@ static struct phy_driver dp83640_driver = { + .flags = PHY_HAS_INTERRUPT, + .probe = dp83640_probe, + .remove = dp83640_remove, ++ .soft_reset = dp83640_soft_reset, + .config_init = dp83640_config_init, + .config_aneg = genphy_config_aneg, + .read_status = genphy_read_status, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8aaa09b3c753..d72205f06a1d 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -637,6 +637,9 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */ + {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 
6003 */ + {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */ + {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */ +@@ -713,6 +716,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ +@@ -762,6 +766,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81b1, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ ++ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ + {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */ + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index b2c1a435357f..2991d7155540 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1610,7 +1610,7 @@ static int r8152_tx_agg_fill(struct r8152 *tp, struct tx_agg *agg) + + tx_data += len; + agg->skb_len += len; +- agg->skb_num++; ++ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1; + + dev_kfree_skb_any(skb); + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index c5f375befd2f..7337e6c0e126 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -945,10 +945,11 @@ static int smsc75xx_set_features(struct net_device *netdev, + /* it's racing here! 
*/ + + ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); +- if (ret < 0) ++ if (ret < 0) { + netdev_warn(dev->net, "Error writing RFE_CTL\n"); +- +- return ret; ++ return ret; ++ } ++ return 0; + } + + static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm) +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index d01285250204..2759d386ade7 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1912,8 +1912,8 @@ static int virtnet_probe(struct virtio_device *vdev) + + /* Assume link up if device can't report link status, + otherwise get link status from config. */ ++ netif_carrier_off(dev); + if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) { +- netif_carrier_off(dev); + schedule_work(&vi->config_work); + } else { + vi->status = VIRTIO_NET_S_LINK_UP; +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 0c8efdff4843..916b9b12edd2 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -6311,10 +6311,20 @@ static void ath10k_sta_rc_update(struct ieee80211_hw *hw, + { + struct ath10k *ar = hw->priv; + struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv; ++ struct ath10k_vif *arvif = (void *)vif->drv_priv; ++ struct ath10k_peer *peer; + u32 bw, smps; + + spin_lock_bh(&ar->data_lock); + ++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr); ++ if (!peer) { ++ spin_unlock_bh(&ar->data_lock); ++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n", ++ sta->addr, arvif->vdev_id); ++ return; ++ } ++ + ath10k_dbg(ar, ATH10K_DBG_MAC, + "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n", + sta->addr, changed, sta->bandwidth, sta->rx_nss, +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 8a9164da6c50..e8b770a95f7a 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2925,8 +2925,10 @@ static 
int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info) + if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) { + u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]); + +- if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) ++ if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) { ++ kfree(hwname); + return -EINVAL; ++ } + param.regd = hwsim_world_regdom_custom[idx]; + } + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index fee4c01fbdfd..a0de2453fa09 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -342,6 +342,9 @@ static int xennet_open(struct net_device *dev) + unsigned int i = 0; + struct netfront_queue *queue = NULL; + ++ if (!np->queues) ++ return -ENODEV; ++ + for (i = 0; i < num_queues; ++i) { + queue = &np->queues[i]; + napi_enable(&queue->napi); +@@ -1363,18 +1366,8 @@ static int netfront_probe(struct xenbus_device *dev, + #ifdef CONFIG_SYSFS + info->netdev->sysfs_groups[0] = &xennet_dev_group; + #endif +- err = register_netdev(info->netdev); +- if (err) { +- pr_warn("%s: register_netdev err=%d\n", __func__, err); +- goto fail; +- } + + return 0; +- +- fail: +- xennet_free_netdev(netdev); +- dev_set_drvdata(&dev->dev, NULL); +- return err; + } + + static void xennet_end_access(int ref, void *page) +@@ -1743,8 +1736,6 @@ static void xennet_destroy_queues(struct netfront_info *info) + { + unsigned int i; + +- rtnl_lock(); +- + for (i = 0; i < info->netdev->real_num_tx_queues; i++) { + struct netfront_queue *queue = &info->queues[i]; + +@@ -1753,8 +1744,6 @@ static void xennet_destroy_queues(struct netfront_info *info) + netif_napi_del(&queue->napi); + } + +- rtnl_unlock(); +- + kfree(info->queues); + info->queues = NULL; + } +@@ -1770,8 +1759,6 @@ static int xennet_create_queues(struct netfront_info *info, + if (!info->queues) + return -ENOMEM; + +- rtnl_lock(); +- + for (i = 0; i < *num_queues; i++) { + struct netfront_queue *queue = &info->queues[i]; + +@@ -1780,7 +1767,7 @@ static int 
xennet_create_queues(struct netfront_info *info, + + ret = xennet_init_queue(queue); + if (ret < 0) { +- dev_warn(&info->netdev->dev, ++ dev_warn(&info->xbdev->dev, + "only created %d queues\n", i); + *num_queues = i; + break; +@@ -1794,10 +1781,8 @@ static int xennet_create_queues(struct netfront_info *info, + + netif_set_real_num_tx_queues(info->netdev, *num_queues); + +- rtnl_unlock(); +- + if (*num_queues == 0) { +- dev_err(&info->netdev->dev, "no queues\n"); ++ dev_err(&info->xbdev->dev, "no queues\n"); + return -EINVAL; + } + return 0; +@@ -1839,6 +1824,7 @@ static int talk_to_netback(struct xenbus_device *dev, + goto out; + } + ++ rtnl_lock(); + if (info->queues) + xennet_destroy_queues(info); + +@@ -1849,6 +1835,7 @@ static int talk_to_netback(struct xenbus_device *dev, + info->queues = NULL; + goto out; + } ++ rtnl_unlock(); + + /* Create shared ring, alloc event channel -- for each queue */ + for (i = 0; i < num_queues; ++i) { +@@ -1945,8 +1932,10 @@ abort_transaction_no_dev_fatal: + xenbus_transaction_end(xbt, 1); + destroy_ring: + xennet_disconnect_backend(info); ++ rtnl_lock(); + xennet_destroy_queues(info); + out: ++ rtnl_unlock(); + device_unregister(&dev->dev); + return err; + } +@@ -1982,6 +1971,15 @@ static int xennet_connect(struct net_device *dev) + netdev_update_features(dev); + rtnl_unlock(); + ++ if (dev->reg_state == NETREG_UNINITIALIZED) { ++ err = register_netdev(dev); ++ if (err) { ++ pr_warn("%s: register_netdev err=%d\n", __func__, err); ++ device_unregister(&np->xbdev->dev); ++ return err; ++ } ++ } ++ + /* + * All public and private state should now be sane. 
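Review bot: `out:` in talk_to_netback() now calls `rtnl_unlock()` unconditionally, but the `goto out` shown as context in the `@@ -1839,6 +1824,7 @@` hunk is taken before the new `rtnl_lock()`. That path therefore releases a mutex it does not hold. The other entries are balanced: the xennet_create_queues() failure jumps with the lock held, and `destroy_ring` takes it before falling through. Add a second label after the unlock, `out_unlocked:` directly above `device_unregister(&dev->dev);`, and send every failure that occurs before `rtnl_lock()` there with `goto out_unlocked;`. The function starts outside these hunks, so check for further early `goto out` sites.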
Get + * ready to start sending and receiving packets and give the driver +@@ -2172,10 +2170,14 @@ static int xennet_remove(struct xenbus_device *dev) + + xennet_disconnect_backend(info); + +- unregister_netdev(info->netdev); ++ if (info->netdev->reg_state == NETREG_REGISTERED) ++ unregister_netdev(info->netdev); + +- if (info->queues) ++ if (info->queues) { ++ rtnl_lock(); + xennet_destroy_queues(info); ++ rtnl_unlock(); ++ } + xennet_free_netdev(info->netdev); + + return 0; +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index 3bbdf60f8908..49f3fba75f4d 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -955,6 +955,9 @@ static int ntb_transport_init_queue(struct ntb_transport_ctx *nt, + mw_base = nt->mw_vec[mw_num].phys_addr; + mw_size = nt->mw_vec[mw_num].phys_size; + ++ if (max_mw_size && mw_size > max_mw_size) ++ mw_size = max_mw_size; ++ + tx_size = (unsigned int)mw_size / num_qps_mw; + qp_offset = tx_size * (qp_num / mw_count); + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 1c8aedf21370..e86fcc9e9852 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1583,7 +1583,7 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid) + nvmeq->cq_vector = qid - 1; + result = adapter_alloc_cq(dev, qid, nvmeq); + if (result < 0) +- return result; ++ goto release_vector; + + result = adapter_alloc_sq(dev, qid, nvmeq); + if (result < 0) +@@ -1597,9 +1597,12 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid) + return result; + + release_sq: ++ dev->online_queues--; + adapter_delete_sq(dev, qid); + release_cq: + adapter_delete_cq(dev, qid); ++ release_vector: ++ nvmeq->cq_vector = -1; + return result; + } + +diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c +index 312cb5b74dec..1d288fa4f4d6 100644 +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1365,9 +1365,27 @@ lba_hw_init(struct lba_device *d) + WRITE_REG32(stat, 
d->hba.base_addr + LBA_ERROR_CONFIG); + } + +- /* Set HF mode as the default (vs. -1 mode). */ ++ ++ /* ++ * Hard Fail vs. Soft Fail on PCI "Master Abort". ++ * ++ * "Master Abort" means the MMIO transaction timed out - usually due to ++ * the device not responding to an MMIO read. We would like HF to be ++ * enabled to find driver problems, though it means the system will ++ * crash with a HPMC. ++ * ++ * In SoftFail mode "~0L" is returned as a result of a timeout on the ++ * pci bus. This is like how PCI busses on x86 and most other ++ * architectures behave. In order to increase compatibility with ++ * existing (x86) PCI hardware and existing Linux drivers we enable ++ * Soft Faul mode on PA-RISC now too. ++ */ + stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); ++#if defined(ENABLE_HARDFAIL) + WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#else ++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#endif + + /* + ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index 32bd8ab79d53..dd9ebdc968c8 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1140,11 +1140,14 @@ static int pci_pm_runtime_suspend(struct device *dev) + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1195,16 +1198,18 @@ static int pci_pm_runtime_resume(struct device *dev) + const struct dev_pm_ops *pm = dev->driver ? 
dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + __pci_enable_wake(pci_dev, PCI_D0, true, false); + pci_fixup_device(pci_fixup_resume, pci_dev); +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 4eb1cf0ed00c..5697b32819cb 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3614,6 +3614,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9120, + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); +@@ -3626,6 +3628,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x917a, + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); +diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c +index 499e437c7e91..f9d77b4c44ef 100644 +--- a/drivers/regulator/of_regulator.c ++++ 
b/drivers/regulator/of_regulator.c +@@ -274,6 +274,7 @@ int of_regulator_match(struct device *dev, struct device_node *node, + dev_err(dev, + "failed to parse DT for regulator %s\n", + child->name); ++ of_node_put(child); + return -EINVAL; + } + match->of_node = of_node_get(child); +diff --git a/drivers/rtc/hctosys.c b/drivers/rtc/hctosys.c +index e1cfa06810ef..e79f2a181ad2 100644 +--- a/drivers/rtc/hctosys.c ++++ b/drivers/rtc/hctosys.c +@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void) + + tv64.tv_sec = rtc_tm_to_time64(&tm); + ++#if BITS_PER_LONG == 32 ++ if (tv64.tv_sec > INT_MAX) ++ goto err_read; ++#endif ++ + err = do_settimeofday64(&tv64); + + dev_info(rtc->dev.parent, +diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c +index afab89f5be48..a161fbf6f172 100644 +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct device *dev, struct rtc_time *tm) + { + struct snvs_rtc_data *data = dev_get_drvdata(dev); + unsigned long time; ++ int ret; + + rtc_tm_to_time(tm, &time); + + /* Disable RTC first */ +- snvs_rtc_enable(data, false); ++ ret = snvs_rtc_enable(data, false); ++ if (ret) ++ return ret; + + /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */ + regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH); + regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH)); + + /* Enable RTC again */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); + +- return 0; ++ return ret; + } + + static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) +@@ -287,7 +290,11 @@ static int snvs_rtc_probe(struct platform_device *pdev) + regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff); + + /* Enable RTC */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret); ++ goto error_rtc_device_register; ++ } 
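Review bot: The new 32-bit range check in rtc_hctosys() jumps to `err_read` without assigning `err`, so the function reports whatever value `err` held from the preceding steps. Those earlier assignments and the label are outside the hunk, but if `err` is 0 at this point the function reports success even though the system clock was never set. Set an explicit code before the jump: `if (tv64.tv_sec > INT_MAX) { err = -ERANGE; goto err_read; }`.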
+ + device_init_wakeup(&pdev->dev, true); + +diff --git a/drivers/rtc/rtc-tx4939.c b/drivers/rtc/rtc-tx4939.c +index 560d9a5e0225..a9528083061d 100644 +--- a/drivers/rtc/rtc-tx4939.c ++++ b/drivers/rtc/rtc-tx4939.c +@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct device *dev, struct rtc_time *tm) + for (i = 2; i < 6; i++) + buf[i] = __raw_readl(&rtcreg->dat); + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, tm); + return rtc_valid_tm(tm); + } +@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) + alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; + alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, &alrm->time); + return rtc_valid_tm(&alrm->time); + } +diff --git a/drivers/s390/cio/device_fsm.c b/drivers/s390/cio/device_fsm.c +index 92e03b42e661..3fc73b5894f0 100644 +--- a/drivers/s390/cio/device_fsm.c ++++ b/drivers/s390/cio/device_fsm.c +@@ -822,6 +822,7 @@ ccw_device_online_timeout(struct ccw_device *cdev, enum dev_event dev_event) + + ccw_device_set_timeout(cdev, 0); + cdev->private->iretry = 255; ++ cdev->private->async_kill_io_rc = -ETIMEDOUT; + ret = ccw_device_cancel_halt_clear(cdev); + if (ret == -EBUSY) { + ccw_device_set_timeout(cdev, 3*HZ); +@@ -898,7 +899,7 @@ ccw_device_killing_irq(struct ccw_device *cdev, enum dev_event dev_event) + /* OK, i/o is dead now. Call interrupt handler. 
*/ + if (cdev->handler) + cdev->handler(cdev, cdev->private->intparm, +- ERR_PTR(-EIO)); ++ ERR_PTR(cdev->private->async_kill_io_rc)); + } + + static void +@@ -915,14 +916,16 @@ ccw_device_killing_timeout(struct ccw_device *cdev, enum dev_event dev_event) + ccw_device_online_verify(cdev, 0); + if (cdev->handler) + cdev->handler(cdev, cdev->private->intparm, +- ERR_PTR(-EIO)); ++ ERR_PTR(cdev->private->async_kill_io_rc)); + } + + void ccw_device_kill_io(struct ccw_device *cdev) + { + int ret; + ++ ccw_device_set_timeout(cdev, 0); + cdev->private->iretry = 255; ++ cdev->private->async_kill_io_rc = -EIO; + ret = ccw_device_cancel_halt_clear(cdev); + if (ret == -EBUSY) { + ccw_device_set_timeout(cdev, 3*HZ); +diff --git a/drivers/s390/cio/io_sch.h b/drivers/s390/cio/io_sch.h +index b108f4a5c7dd..b142c7a389b7 100644 +--- a/drivers/s390/cio/io_sch.h ++++ b/drivers/s390/cio/io_sch.h +@@ -155,6 +155,7 @@ struct ccw_device_private { + unsigned long intparm; /* user interruption parameter */ + struct qdio_irq *qdio_data; + struct irb irb; /* device status */ ++ int async_kill_io_rc; + struct senseid senseid; /* SenseID info */ + struct pgid pgid[8]; /* path group IDs per chpid*/ + struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */ +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index 766a9176b4ad..cf531ad8b6ee 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1321,9 +1321,10 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced) + host = aac->scsi_host_ptr; + scsi_block_requests(host); + aac_adapter_disable_int(aac); +- if (aac->thread->pid != current->pid) { ++ if (aac->thread && aac->thread->pid != current->pid) { + spin_unlock_irq(host->host_lock); + kthread_stop(aac->thread); ++ aac->thread = NULL; + jafo = 1; + } + +@@ -1392,6 +1393,7 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced) + aac->name); + if (IS_ERR(aac->thread)) { + retval = PTR_ERR(aac->thread); ++ 
aac->thread = NULL; + goto out; + } + } +diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c +index aa6eccb8940b..8da8b46da722 100644 +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1085,6 +1085,7 @@ static void __aac_shutdown(struct aac_dev * aac) + up(&fib->event_wait); + } + kthread_stop(aac->thread); ++ aac->thread = NULL; + } + aac_send_shutdown(aac); + aac_adapter_disable_int(aac); +@@ -1189,8 +1190,10 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + * Map in the registers from the adapter. + */ + aac->base_size = AAC_MIN_FOOTPRINT_SIZE; +- if ((*aac_drivers[index].init)(aac)) ++ if ((*aac_drivers[index].init)(aac)) { ++ error = -ENODEV; + goto out_unmap; ++ } + + if (aac->sync_mode) { + if (aac_sync_mode) +diff --git a/drivers/scsi/arm/fas216.c b/drivers/scsi/arm/fas216.c +index decdc71b6b86..f6d7c4712e66 100644 +--- a/drivers/scsi/arm/fas216.c ++++ b/drivers/scsi/arm/fas216.c +@@ -2009,7 +2009,7 @@ static void fas216_rq_sns_done(FAS216_Info *info, struct scsi_cmnd *SCpnt, + * have valid data in the sense buffer that could + * confuse the higher levels. 
+ */ +- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer)); ++ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); + //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id); + //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); } + /* +diff --git a/drivers/scsi/bnx2fc/bnx2fc_io.c b/drivers/scsi/bnx2fc/bnx2fc_io.c +index 0002caf687dd..eb3b5c0f299f 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_io.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_io.c +@@ -1858,6 +1858,7 @@ void bnx2fc_process_scsi_cmd_compl(struct bnx2fc_cmd *io_req, + /* we will not receive ABTS response for this IO */ + BNX2FC_IO_DBG(io_req, "Timer context finished processing " + "this scsi cmd\n"); ++ return; + } + + /* Cancel the timeout_work, as we received IO completion */ +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index 4639dac64e7f..f096766150bc 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -634,7 +634,12 @@ lpfc_issue_lip(struct Scsi_Host *shost) + LPFC_MBOXQ_t *pmboxq; + int mbxstatus = MBXERR_ERROR; + ++ /* ++ * If the link is offline, disabled or BLOCK_MGMT_IO ++ * it doesn't make any sense to allow issue_lip ++ */ + if ((vport->fc_flag & FC_OFFLINE_MODE) || ++ (phba->hba_flag & LINK_DISABLED) || + (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO)) + return -EPERM; + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index be901f6db6d3..4131addfb872 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -691,8 +691,9 @@ lpfc_work_done(struct lpfc_hba *phba) + (phba->hba_flag & HBA_SP_QUEUE_EVT)) { + if (pring->flag & LPFC_STOP_IOCB_EVENT) { + pring->flag |= LPFC_DEFERRED_RING_EVENT; +- /* Set the lpfc data pending flag */ +- set_bit(LPFC_DATA_READY, &phba->data_flags); ++ /* Preserve legacy behavior. 
*/ ++ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT)) ++ set_bit(LPFC_DATA_READY, &phba->data_flags); + } else { + if (phba->link_state >= LPFC_LINK_UP) { + pring->flag &= ~LPFC_DEFERRED_RING_EVENT; +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index ef43847153ea..3406586b9201 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -115,6 +115,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, union lpfc_wqe *wqe) + /* set consumption flag every once in a while */ + if (!((q->host_index + 1) % q->entry_repost)) + bf_set(wqe_wqec, &wqe->generic.wqe_com, 1); ++ else ++ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0); + if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED) + bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id); + lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size); +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index b868ef3b2ca3..7d67a68bcc62 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -8637,7 +8637,7 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id) + snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name), + "fw_event_%s%d", ioc->driver_name, ioc->id); + ioc->firmware_event_thread = alloc_ordered_workqueue( +- ioc->firmware_event_name, WQ_MEM_RECLAIM); ++ ioc->firmware_event_name, 0); + if (!ioc->firmware_event_thread) { + pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n", + ioc->name, __FILE__, __LINE__, __func__); +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 1f6a3b86965f..440d79e6aea5 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -268,7 +268,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0) + struct device_reg_2xxx __iomem *reg = &ha->iobase->isp; + + /* Read all mbox registers? 
*/ +- mboxes = (1 << ha->mbx_count) - 1; ++ WARN_ON_ONCE(ha->mbx_count > 32); ++ mboxes = (1ULL << ha->mbx_count) - 1; + if (!ha->mcp) + ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n"); + else +@@ -2495,7 +2496,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0) + struct device_reg_24xx __iomem *reg = &ha->iobase->isp24; + + /* Read all mbox registers? */ +- mboxes = (1 << ha->mbx_count) - 1; ++ WARN_ON_ONCE(ha->mbx_count > 32); ++ mboxes = (1ULL << ha->mbx_count) - 1; + if (!ha->mcp) + ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n"); + else +diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h +index a7cfc270bd08..ce1d063f3e83 100644 +--- a/drivers/scsi/qla4xxx/ql4_def.h ++++ b/drivers/scsi/qla4xxx/ql4_def.h +@@ -168,6 +168,8 @@ + #define DEV_DB_NON_PERSISTENT 0 + #define DEV_DB_PERSISTENT 1 + ++#define QL4_ISP_REG_DISCONNECT 0xffffffffU ++ + #define COPY_ISID(dst_isid, src_isid) { \ + int i, j; \ + for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \ +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 01c3610a60cf..d8c03431d0aa 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_iscsi_transport = { + + static struct scsi_transport_template *qla4xxx_scsi_transport; + ++static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha) ++{ ++ u32 reg_val = 0; ++ int rval = QLA_SUCCESS; ++ ++ if (is_qla8022(ha)) ++ reg_val = readl(&ha->qla4_82xx_reg->host_status); ++ else if (is_qla8032(ha) || is_qla8042(ha)) ++ reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER); ++ else ++ reg_val = readw(&ha->reg->ctrl_status); ++ ++ if (reg_val == QL4_ISP_REG_DISCONNECT) ++ rval = QLA_ERROR; ++ ++ return rval; ++} ++ + static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num, + uint32_t iface_type, uint32_t payload_size, + uint32_t pid, struct sockaddr *dst_addr) +@@ -9196,10 +9214,17 @@ 
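Review bot: In qla2x00_mbx_completion(), the added `WARN_ON_ONCE(ha->mbx_count > 32);` only logs, so an oversized `mbx_count` still reaches the shift on the next line and any later use of the count in the function. The same two lines are added in qla24xx_mbx_completion(). Bounding the value where it is used keeps the mask well defined, for example `mboxes = (1ULL << min_t(unsigned int, ha->mbx_count, 32)) - 1;`. The declaration of `mboxes` and the loop that consumes it are outside both hunks, so the mask width and the loop bound should be confirmed there as well.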
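Review bot: In qla4xxx_isp_check_reg(), the final `else` branch reads the register with `readw()`, which yields a 16-bit value, but the result is compared with `QL4_ISP_REG_DISCONNECT` (`0xffffffffU`). That comparison can never be true on this path, so a disconnected adapter of that type is not detected and the four error handlers that call the helper (abort, device reset, target reset, host reset) continue as before. If the register is 32 bits wide the read should be `reg_val = readl(&ha->reg->ctrl_status);`, otherwise the 16-bit read should be compared with `0xffff`. The declaration of `ctrl_status` is not part of this diff and decides which of the two is right.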
static int qla4xxx_eh_abort(struct scsi_cmnd *cmd) + struct srb *srb = NULL; + int ret = SUCCESS; + int wait = 0; ++ int rval; + + ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n", + ha->host_no, id, lun, cmd, cmd->cmnd[0]); + ++ rval = qla4xxx_isp_check_reg(ha); ++ if (rval != QLA_SUCCESS) { ++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); ++ return FAILED; ++ } ++ + spin_lock_irqsave(&ha->hardware_lock, flags); + srb = (struct srb *) CMD_SP(cmd); + if (!srb) { +@@ -9251,6 +9276,7 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd) + struct scsi_qla_host *ha = to_qla_host(cmd->device->host); + struct ddb_entry *ddb_entry = cmd->device->hostdata; + int ret = FAILED, stat; ++ int rval; + + if (!ddb_entry) + return ret; +@@ -9270,6 +9296,12 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd) + cmd, jiffies, cmd->request->timeout / HZ, + ha->dpc_flags, cmd->result, cmd->allowed)); + ++ rval = qla4xxx_isp_check_reg(ha); ++ if (rval != QLA_SUCCESS) { ++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); ++ return FAILED; ++ } ++ + /* FIXME: wait for hba to go online */ + stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun); + if (stat != QLA_SUCCESS) { +@@ -9313,6 +9345,7 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd) + struct scsi_qla_host *ha = to_qla_host(cmd->device->host); + struct ddb_entry *ddb_entry = cmd->device->hostdata; + int stat, ret; ++ int rval; + + if (!ddb_entry) + return FAILED; +@@ -9330,6 +9363,12 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd) + ha->host_no, cmd, jiffies, cmd->request->timeout / HZ, + ha->dpc_flags, cmd->result, cmd->allowed)); + ++ rval = qla4xxx_isp_check_reg(ha); ++ if (rval != QLA_SUCCESS) { ++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); ++ return FAILED; ++ } ++ + stat = qla4xxx_reset_target(ha, ddb_entry); + if (stat != QLA_SUCCESS) { + starget_printk(KERN_INFO, 
scsi_target(cmd->device), +@@ -9384,9 +9423,16 @@ static int qla4xxx_eh_host_reset(struct scsi_cmnd *cmd) + { + int return_status = FAILED; + struct scsi_qla_host *ha; ++ int rval; + + ha = to_qla_host(cmd->device->host); + ++ rval = qla4xxx_isp_check_reg(ha); ++ if (rval != QLA_SUCCESS) { ++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); ++ return FAILED; ++ } ++ + if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba) + qla4_83xx_set_idc_dontreset(ha); + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 8c9e4a3ec3fb..6fffb73766de 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2395,6 +2395,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer) + int res; + struct scsi_device *sdp = sdkp->device; + struct scsi_mode_data data; ++ int disk_ro = get_disk_ro(sdkp->disk); + int old_wp = sdkp->write_prot; + + set_disk_ro(sdkp->disk, 0); +@@ -2435,7 +2436,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer) + "Test WP failed, assume Write Enabled\n"); + } else { + sdkp->write_prot = ((data.device_specific & 0x80) != 0); +- set_disk_ro(sdkp->disk, sdkp->write_prot); ++ set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro); + if (sdkp->first_scan || old_wp != sdkp->write_prot) { + sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n", + sdkp->write_prot ? 
"on" : "off"); +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 804586aeaffe..de53c9694b68 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -522,6 +522,8 @@ static int sr_block_open(struct block_device *bdev, fmode_t mode) + struct scsi_cd *cd; + int ret = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&sr_mutex); + cd = scsi_cd_get(bdev->bd_disk); + if (cd) { +@@ -582,18 +584,28 @@ out: + static unsigned int sr_block_check_events(struct gendisk *disk, + unsigned int clearing) + { +- struct scsi_cd *cd = scsi_cd(disk); ++ unsigned int ret = 0; ++ struct scsi_cd *cd; + +- if (atomic_read(&cd->device->disk_events_disable_depth)) ++ cd = scsi_cd_get(disk); ++ if (!cd) + return 0; + +- return cdrom_check_events(&cd->cdi, clearing); ++ if (!atomic_read(&cd->device->disk_events_disable_depth)) ++ ret = cdrom_check_events(&cd->cdi, clearing); ++ ++ scsi_cd_put(cd); ++ return ret; + } + + static int sr_block_revalidate_disk(struct gendisk *disk) + { +- struct scsi_cd *cd = scsi_cd(disk); + struct scsi_sense_hdr sshdr; ++ struct scsi_cd *cd; ++ ++ cd = scsi_cd_get(disk); ++ if (!cd) ++ return -ENXIO; + + /* if the unit is not ready, nothing more to do */ + if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) +@@ -602,6 +614,7 @@ static int sr_block_revalidate_disk(struct gendisk *disk) + sr_cd_check(&cd->cdi); + get_sectorsize(cd); + out: ++ scsi_cd_put(cd); + return 0; + } + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 351d81dc2200..44b7a69d022a 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1538,7 +1538,7 @@ static struct scsi_host_template scsi_driver = { + .eh_timed_out = storvsc_eh_timed_out, + .slave_alloc = storvsc_device_alloc, + .slave_configure = storvsc_device_configure, +- .cmd_per_lun = 255, ++ .cmd_per_lun = 2048, + .this_id = -1, + .use_clustering = ENABLE_CLUSTERING, + /* Make sure we dont get a sg segment crosses a page boundary */ +diff --git 
a/drivers/scsi/sym53c8xx_2/sym_hipd.c b/drivers/scsi/sym53c8xx_2/sym_hipd.c +index 6b349e301869..c6425e3df5a0 100644 +--- a/drivers/scsi/sym53c8xx_2/sym_hipd.c ++++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c +@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char dt, u_char sfac, u_char *divp, u_char *fa + * Look for the greatest clock divisor that allows an + * input speed faster than the period. + */ +- while (div-- > 0) ++ while (--div > 0) + if (kpc >= (div_10M[div] << 2)) break; + + /* +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 096c867069e9..18f26cf1e24d 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -2923,6 +2923,8 @@ static int ufshcd_slave_alloc(struct scsi_device *sdev) + /* REPORT SUPPORTED OPERATION CODES is not supported */ + sdev->no_report_opcodes = 1; + ++ /* WRITE_SAME command is not supported */ ++ sdev->no_write_same = 1; + + ufshcd_set_queue_depth(sdev); + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index e06864f64beb..0f6bc6b8e4c6 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -1749,6 +1749,8 @@ static short rtl8192_usb_initendpoints(struct net_device *dev) + + priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); + priv->oldaddr = kmalloc(16, GFP_KERNEL); ++ if (!priv->oldaddr) ++ return -ENOMEM; + oldaddr = priv->oldaddr; + align = ((long)oldaddr) & 3; + if (align) { +diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c +index 03ebe401fff7..040018d59608 100644 +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -597,6 +597,11 @@ static int arc_serial_probe(struct platform_device *pdev) + if (dev_id < 0) + dev_id = 0; + ++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id); ++ return -EINVAL; ++ } ++ + uart = &arc_uart_ports[dev_id]; + port = &uart->port; + +diff --git 
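Review bot: In rtl8192_usb_initendpoints(), the line directly above the new check, `priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);`, is still not tested for NULL, and the new `return -ENOMEM;` leaves that URB allocated. A matching check before the kmalloc(), `if (!priv->rx_urb[16]) return -ENOMEM;`, and `usb_free_urb(priv->rx_urb[16]);` ahead of the new return would make the error path consistent. Whether the caller releases the URBs after a failed init is not visible here, and the function starts and ends outside the hunk.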
a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 3d790033744e..01e2274b23f2 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1818,6 +1818,10 @@ static int lpuart_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); + return ret; + } ++ if (ret >= ARRAY_SIZE(lpuart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ret); ++ return -EINVAL; ++ } + sport->port.line = ret; + sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart"); + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 98176d12b3e1..07ede982b472 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -1923,6 +1923,12 @@ static int serial_imx_probe(struct platform_device *pdev) + else if (ret < 0) + return ret; + ++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ++ sport->port.line); ++ return -EINVAL; ++ } ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) +diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c +index cd0414bbe094..daa4a65ef6ff 100644 +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1274,6 +1274,10 @@ static int mxs_auart_probe(struct platform_device *pdev) + s->port.line = pdev->id < 0 ? 
0 : pdev->id; + else if (ret < 0) + return ret; ++ if (s->port.line >= ARRAY_SIZE(auart_port)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); ++ return -EINVAL; ++ } + + if (of_id) { + pdev->id_entry = of_id->data; +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index e6bc1a6be4a4..312343beb249 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1807,6 +1807,10 @@ static int s3c24xx_serial_probe(struct platform_device *pdev) + + dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index); + ++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", index); ++ return -EINVAL; ++ } + ourport = &s3c24xx_serial_ports[index]; + + ourport->drv_data = s3c24xx_get_driver_data(pdev); +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 009e0dbc12d2..4f2f4aca8d2e 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1026,7 +1026,7 @@ static struct uart_port *cdns_uart_get_port(int id) + struct uart_port *port; + + /* Try the given port id if failed use default method */ +- if (cdns_uart_port[id].mapbase != 0) { ++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { + /* Find the next unused port */ + for (id = 0; id < CDNS_UART_NR_PORTS; id++) + if (cdns_uart_port[id].mapbase == 0) +diff --git a/drivers/usb/dwc2/core.h b/drivers/usb/dwc2/core.h +index a738a68d2292..a899d47c2a7c 100644 +--- a/drivers/usb/dwc2/core.h ++++ b/drivers/usb/dwc2/core.h +@@ -187,7 +187,7 @@ struct dwc2_hsotg_ep { + unsigned char dir_in; + unsigned char index; + unsigned char mc; +- unsigned char interval; ++ u16 interval; + + unsigned int halted:1; + unsigned int periodic:1; +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index 0abf73c91beb..98705b83d2dc 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -2424,12 +2424,6 @@ void 
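Review bot: In cdns_uart_get_port(), `id` is a signed `int` and the new guard `id < CDNS_UART_NR_PORTS` bounds it only from above, so a negative `id` would still index `cdns_uart_port[id]` in front of the array. Unless every caller guarantees a non-negative value, which this hunk does not show, the condition should cover both ends: `if (id >= 0 && id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {`. How an out-of-range `id` is handled after this block is outside the hunk.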
dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg, + dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) | + DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0); + +- dwc2_hsotg_enqueue_setup(hsotg); +- +- dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", +- dwc2_readl(hsotg->regs + DIEPCTL0), +- dwc2_readl(hsotg->regs + DOEPCTL0)); +- + /* clear global NAKs */ + val = DCTL_CGOUTNAK | DCTL_CGNPINNAK; + if (!is_usb_reset) +@@ -2440,6 +2434,12 @@ void dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg, + mdelay(3); + + hsotg->lx_state = DWC2_L0; ++ ++ dwc2_hsotg_enqueue_setup(hsotg); ++ ++ dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", ++ dwc2_readl(hsotg->regs + DIEPCTL0), ++ dwc2_readl(hsotg->regs + DOEPCTL0)); + } + + static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg) +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 68d11d7d4028..8dfc94d389ea 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -202,6 +202,8 @@ + #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1) + + /* Global TX Fifo Size Register */ ++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */ ++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */ + #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff) + #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index f70dd3dd4393..eb445c2ab15e 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1328,7 +1328,7 @@ static int count_ext_compat(struct usb_configuration *c) + return res; + } + +-static void fill_ext_compat(struct usb_configuration *c, u8 *buf) ++static int fill_ext_compat(struct usb_configuration *c, u8 *buf) + { + int i, count; + +@@ -1355,10 +1355,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf) + buf += 23; + } + count += 24; +- if (count >= 4096) +- return; ++ if (count + 24 >= 
USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; + } + } ++ ++ return count; + } + + static int count_ext_prop(struct usb_configuration *c, int interface) +@@ -1403,25 +1405,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) + struct usb_os_desc *d; + struct usb_os_desc_ext_prop *ext_prop; + int j, count, n, ret; +- u8 *start = buf; + + f = c->interface[interface]; ++ count = 10; /* header length */ + for (j = 0; j < f->os_desc_n; ++j) { + if (interface != f->os_desc_table[j].if_id) + continue; + d = f->os_desc_table[j].os_desc; + if (d) + list_for_each_entry(ext_prop, &d->ext_prop, entry) { +- /* 4kB minus header length */ +- n = buf - start; +- if (n >= 4086) +- return 0; +- +- count = ext_prop->data_len + ++ n = ext_prop->data_len + + ext_prop->name_len + 14; +- if (count > 4086 - n) +- return -EINVAL; +- usb_ext_prop_put_size(buf, count); ++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; ++ usb_ext_prop_put_size(buf, n); + usb_ext_prop_put_type(buf, ext_prop->type); + ret = usb_ext_prop_put_name(buf, ext_prop->name, + ext_prop->name_len); +@@ -1447,11 +1444,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf) + default: + return -EINVAL; + } +- buf += count; ++ buf += n; ++ count += n; + } + } + +- return 0; ++ return count; + } + + /* +@@ -1720,6 +1718,7 @@ unknown: + req->complete = composite_setup_complete; + buf = req->buf; + os_desc_cfg = cdev->os_desc_config; ++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ); + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { +@@ -1743,8 +1742,8 @@ unknown: + count += 16; /* header */ + put_unaligned_le32(count, buf); + buf += 16; +- fill_ext_compat(os_desc_cfg, buf); +- value = w_length; ++ value = fill_ext_compat(os_desc_cfg, buf); ++ value = min_t(u16, w_length, value); + } + break; + case USB_RECIP_INTERFACE: +@@ -1773,8 +1772,7 @@ unknown: + interface, buf); + if (value < 0) + return 
value; +- +- value = w_length; ++ value = min_t(u16, w_length, value); + } + break; + } +@@ -2038,8 +2036,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev, + goto end; + } + +- /* OS feature descriptor length <= 4kB */ +- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); ++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ, ++ GFP_KERNEL); + if (!cdev->os_desc_req->buf) { + ret = PTR_ERR(cdev->os_desc_req->buf); + kfree(cdev->os_desc_req); +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 7deebd0b21ae..4191feb765b1 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -649,11 +649,15 @@ static void ffs_user_copy_worker(struct work_struct *work) + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { ++ mm_segment_t oldfs = get_fs(); ++ ++ set_fs(USER_DS); + use_mm(io_data->mm); + ret = copy_to_iter(io_data->buf, ret, &io_data->data); + if (ret != io_data->req->actual && iov_iter_count(&io_data->data)) + ret = -EFAULT; + unuse_mm(io_data->mm); ++ set_fs(oldfs); + } + + io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); +@@ -3033,7 +3037,7 @@ static int ffs_func_setup(struct usb_function *f, + __ffs_event_add(ffs, FUNCTIONFS_SETUP); + spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); + +- return 0; ++ return USB_GADGET_DELAYED_STATUS; + } + + static void ffs_func_suspend(struct usb_function *f) +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 12064d3bddf6..b5dab103be38 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -1052,6 +1052,8 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) + dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); + return ret; + } ++ iad_desc.bFirstInterface = ret; ++ + std_ac_if_desc.bInterfaceNumber = ret; + agdev->ac_intf = ret; + agdev->ac_alt = 0; +diff 
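Review bot: In composite_os_desc_req_prepare(), the allocation-failure branch that this hunk leaves in place sets `ret = PTR_ERR(cdev->os_desc_req->buf);` immediately after testing that the pointer is NULL. kmalloc() returns NULL rather than an error pointer, so PTR_ERR() evaluates to 0 there and the function would report success with no buffer, assuming `ret` is what it returns (the end of the function is outside the hunk). The branch should read `ret = -ENOMEM;`. This matters more now that the other hunks in this file size their bounds checks by `USB_COMP_EP0_OS_DESC_BUFSIZ` on the assumption that the buffer exists.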
--git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index aac0ce8aeb0b..8991a4070792 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -1310,7 +1310,7 @@ static void udc_reset_ep_queue(struct fsl_udc *udc, u8 pipe) + { + struct fsl_ep *ep = get_ep_by_pipe(udc, pipe); + +- if (ep->name) ++ if (ep->ep.name) + nuke(ep, -ESHUTDOWN); + } + +@@ -1698,7 +1698,7 @@ static void dtd_complete_irq(struct fsl_udc *udc) + curr_ep = get_ep_by_pipe(udc, i); + + /* If the ep is configured */ +- if (curr_ep->name == NULL) { ++ if (!curr_ep->ep.name) { + WARNING("Invalid EP?"); + continue; + } +diff --git a/drivers/usb/gadget/udc/goku_udc.h b/drivers/usb/gadget/udc/goku_udc.h +index 86d2adafe149..64eb0f2b5ea0 100644 +--- a/drivers/usb/gadget/udc/goku_udc.h ++++ b/drivers/usb/gadget/udc/goku_udc.h +@@ -28,7 +28,7 @@ struct goku_udc_regs { + # define INT_EP1DATASET 0x00040 + # define INT_EP2DATASET 0x00080 + # define INT_EP3DATASET 0x00100 +-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */ ++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */ + # define INT_EP1NAK 0x00200 + # define INT_EP2NAK 0x00400 + # define INT_EP3NAK 0x00800 +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c +index 9d1192aea9d0..602c6e42c34d 100644 +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -444,7 +444,8 @@ static int ohci_init (struct ohci_hcd *ohci) + struct usb_hcd *hcd = ohci_to_hcd(ohci); + + /* Accept arbitrarily long scatter-gather lists */ +- hcd->self.sg_tablesize = ~0; ++ if (!(hcd->driver->flags & HCD_LOCAL_MEM)) ++ hcd->self.sg_tablesize = ~0; + + if (distrust_firmware) + ohci->flags |= OHCI_QUIRK_HUB_POWER; +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index d9363713b7f1..e4cf3322bcb3 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -960,6 +960,8 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, 
int slot_id) + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + ++ if (dev->udev && dev->udev->slot_id) ++ dev->udev->slot_id = 0; + kfree(xhci->devs[slot_id]); + xhci->devs[slot_id] = NULL; + } +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 06d83825923a..3a81b4c4d0dd 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1775,6 +1775,7 @@ musb_vbus_show(struct device *dev, struct device_attribute *attr, char *buf) + int vbus; + u8 devctl; + ++ pm_runtime_get_sync(dev); + spin_lock_irqsave(&musb->lock, flags); + val = musb->a_wait_bcon; + vbus = musb_platform_get_vbus_status(musb); +@@ -1788,6 +1789,7 @@ musb_vbus_show(struct device *dev, struct device_attribute *attr, char *buf) + vbus = 0; + } + spin_unlock_irqrestore(&musb->lock, flags); ++ pm_runtime_put_sync(dev); + + return sprintf(buf, "Vbus %s, timeout %lu msec\n", + vbus ? "on" : "off", val); +@@ -2522,7 +2524,8 @@ static int musb_resume(struct device *dev) + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + +- musb_start(musb); ++ musb_enable_interrupts(musb); ++ musb_platform_enable(musb); + + return 0; + } +diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c +index a350209ffbd3..31c301d6be62 100644 +--- a/drivers/video/fbdev/sbuslib.c ++++ b/drivers/video/fbdev/sbuslib.c +@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, + unsigned char __user *ured; + unsigned char __user *ugreen; + unsigned char __user *ublue; +- int index, count, i; ++ unsigned int index, count, i; + + if (get_user(index, &c->index) || + __get_user(count, &c->count) || +@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, + unsigned char __user *ugreen; + unsigned char __user *ublue; + struct fb_cmap *cmap = &info->cmap; +- int index, count, i; ++ unsigned int index, count, i; + u8 red, green, blue; + + if (get_user(index, &c->index) || +diff --git 
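Review bot: The result of the added `pm_runtime_get_sync(dev);` in musb_vbus_show() is discarded, so a failed resume still falls through to `musb_platform_get_vbus_status(musb)` under the spinlock, against hardware that may not be powered. Checking it would look like `ret = pm_runtime_get_sync(dev); if (ret < 0) { pm_runtime_put_noidle(dev); return ret; }`, with `ret` declared next to `vbus`. The function starts before the hunk, so the full list of locals is not visible here.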
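Review bot: Changing `index` and `count` to `unsigned int` in sbusfb_ioctl_helper() removes the negative-value case, but both are still read from user space with `get_user()`/`__get_user()` and the range check that consumes them lies outside both hunks (@@ -121 and @@ -160). If that check is written as a sum, such as `index + count > cmap->len`, the addition can wrap in unsigned arithmetic and let an out-of-range pair through. A form that cannot wrap is `if (index > cmap->len || count > cmap->len - index) return -EINVAL;`. This should be confirmed against the full function, since only the declarations and the first `get_user()` are visible.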
a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index aa93df5833dc..2048aad91add 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -520,7 +520,8 @@ static ssize_t watchdog_write(struct file *file, const char __user *buf, + char c; + if (get_user(c, buf + i)) + return -EFAULT; +- expect_close = (c == 'V'); ++ if (c == 'V') ++ expect_close = true; + } + + /* Properly order writes across fork()ed processes */ +diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h +index 2b28c00da0df..dfe20b81ced5 100644 +--- a/drivers/watchdog/sp5100_tco.h ++++ b/drivers/watchdog/sp5100_tco.h +@@ -54,7 +54,7 @@ + #define SB800_PM_WATCHDOG_CONFIG 0x4C + + #define SB800_PCI_WATCHDOG_DECODE_EN (1 << 0) +-#define SB800_PM_WATCHDOG_DISABLE (1 << 2) ++#define SB800_PM_WATCHDOG_DISABLE (1 << 1) + #define SB800_PM_WATCHDOG_SECOND_RES (3 << 0) + #define SB800_ACPI_MMIO_DECODE_EN (1 << 0) + #define SB800_ACPI_MMIO_SEL (1 << 1) +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 83ec7b89d308..468961c59fa5 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -764,8 +764,8 @@ out: + mutex_unlock(&irq_mapping_update_lock); + return irq; + error_irq: +- for (; i >= 0; i--) +- __unbind_from_irq(irq + i); ++ while (nvec--) ++ __unbind_from_irq(irq + nvec); + mutex_unlock(&irq_mapping_update_lock); + return ret; + } +diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c +index c49f79ed58c5..4b7ce442d8e5 100644 +--- a/drivers/xen/grant-table.c ++++ b/drivers/xen/grant-table.c +@@ -328,7 +328,7 @@ static void gnttab_handle_deferred(unsigned long unused) + if (entry->page) { + pr_debug("freeing g.e. %#x (pfn %#lx)\n", + entry->ref, page_to_pfn(entry->page)); +- __free_page(entry->page); ++ put_page(entry->page); + } else + pr_info("freeing g.e. 
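Review bot: With `if (c == 'V') expect_close = true;` the loop in watchdog_write() can only set the flag and never clear it, so the change depends on `expect_close` being reset before the `for` loop, which is outside the hunk. If there is no `expect_close = false;` ahead of the loop, a 'V' from an earlier write would stay armed across later writes. I would confirm that the reset exists and add a short comment on it, such as `/* start each write with the magic-close flag cleared */`.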
%#x\n", entry->ref); + kfree(entry); +@@ -384,7 +384,7 @@ void gnttab_end_foreign_access(grant_ref_t ref, int readonly, + if (gnttab_end_foreign_access_ref(ref, readonly)) { + put_free_entry(ref); + if (page != 0) +- free_page(page); ++ put_page(virt_to_page(page)); + } else + gnttab_add_deferred(ref, readonly, + page ? virt_to_page(page) : NULL); +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index f7b19c25c3a4..1889e928a0da 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -359,7 +359,7 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr, + * physical address */ + phys = xen_bus_to_phys(dev_addr); + +- if (((dev_addr + size - 1 > dma_mask)) || ++ if (((dev_addr + size - 1 <= dma_mask)) || + range_straddles_page_boundary(phys, size)) + xen_destroy_contiguous_region(phys, order); + +diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c +index 2e319d0c395d..84cc98f3cabe 100644 +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv) + } + /* There are more ACPI Processor objects than in x2APIC or MADT. + * This can happen with incorrect ACPI SSDT declerations. */ +- if (acpi_id > nr_acpi_bits) { +- pr_debug("We only have %u, trying to set %u\n", +- nr_acpi_bits, acpi_id); ++ if (acpi_id >= nr_acpi_bits) { ++ pr_debug("max acpi id %u, trying to set %u\n", ++ nr_acpi_bits - 1, acpi_id); + return AE_OK; + } + /* OK, There is a ACPI Processor object */ +diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c +index 33a31cfef55d..c2d447687e33 100644 +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -470,8 +470,11 @@ int xenbus_probe_node(struct xen_bus_type *bus, + + /* Register with generic device framework. 
*/ + err = device_register(&xendev->dev); +- if (err) ++ if (err) { ++ put_device(&xendev->dev); ++ xendev = NULL; + goto fail; ++ } + + return 0; + fail: +diff --git a/drivers/zorro/zorro.c b/drivers/zorro/zorro.c +index d295d9878dff..8ec79385d3cc 100644 +--- a/drivers/zorro/zorro.c ++++ b/drivers/zorro/zorro.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(struct platform_device *pdev) + z->dev.parent = &bus->dev; + z->dev.bus = &zorro_bus_type; + z->dev.id = i; ++ switch (z->rom.er_Type & ERT_TYPEMASK) { ++ case ERT_ZORROIII: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32); ++ break; ++ ++ case ERT_ZORROII: ++ default: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24); ++ break; ++ } ++ z->dev.dma_mask = &z->dev.coherent_dma_mask; + } + + /* ... then register them */ +diff --git a/fs/affs/namei.c b/fs/affs/namei.c +index 181e05b46e72..92448d0ad900 100644 +--- a/fs/affs/namei.c ++++ b/fs/affs/namei.c +@@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) + + affs_lock_dir(dir); + bh = affs_find_entry(dir, dentry); +- affs_unlock_dir(dir); +- if (IS_ERR(bh)) ++ if (IS_ERR(bh)) { ++ affs_unlock_dir(dir); + return ERR_CAST(bh); ++ } + if (bh) { + u32 ino = bh->b_blocknr; + +@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) + } + affs_brelse(bh); + inode = affs_iget(sb, ino); +- if (IS_ERR(inode)) ++ if (IS_ERR(inode)) { ++ affs_unlock_dir(dir); + return ERR_CAST(inode); ++ } + } + d_add(dentry, inode); ++ affs_unlock_dir(dir); + return NULL; + } + +diff --git a/fs/aio.c b/fs/aio.c +index 88ede4a84ce0..4efaf29354a6 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1066,8 +1066,8 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id) + + ctx = rcu_dereference(table->table[id]); + if (ctx && ctx->user_id == ctx_id) { +- percpu_ref_get(&ctx->users); +- ret = ctx; ++ if 
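Review bot: The new error branch in xenbus_probe_node() sets `xendev = NULL;` without saying why, and the `fail:` label it jumps to is outside the hunk. Presumably `fail:` frees `xendev`, and the pointer is cleared because `put_device()` already releases the object after a failed `device_register()`. A comment would keep a later cleanup from reintroducing a double free, for example `/* put_device() releases xendev via the device release callback; clear it so fail: does not free it again */`.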
(percpu_ref_tryget_live(&ctx->users)) ++ ret = ctx; + } + out: + rcu_read_unlock(); +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index e2f5be261532..38ee08675468 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2769,6 +2769,8 @@ again: + * contention with the cow code + */ + if (cow) { ++ bool last_level = (level == (BTRFS_MAX_LEVEL - 1)); ++ + /* + * if we don't really need to cow this block + * then we don't want to set the path blocking, +@@ -2793,9 +2795,13 @@ again: + } + + btrfs_set_path_blocking(p); +- err = btrfs_cow_block(trans, root, b, +- p->nodes[level + 1], +- p->slots[level + 1], &b); ++ if (last_level) ++ err = btrfs_cow_block(trans, root, b, NULL, 0, ++ &b); ++ else ++ err = btrfs_cow_block(trans, root, b, ++ p->nodes[level + 1], ++ p->slots[level + 1], &b); + if (err) { + ret = err; + goto done; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 85b207d19aa5..208b3f5ffb3f 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1196,7 +1196,7 @@ static struct btrfs_subvolume_writers *btrfs_alloc_subvolume_writers(void) + if (!writers) + return ERR_PTR(-ENOMEM); + +- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); ++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); + if (ret < 0) { + kfree(writers); + return ERR_PTR(ret); +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 260f94b019c9..982a9d509817 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4392,6 +4392,7 @@ again: + if (wait_for_alloc) { + mutex_unlock(&fs_info->chunk_mutex); + wait_for_alloc = 0; ++ cond_resched(); + goto again; + } + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index d4a6eef31854..052973620595 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1861,10 +1861,19 @@ int btrfs_release_file(struct inode *inode, struct file *filp) + static int start_ordered_ops(struct inode *inode, loff_t start, loff_t end) + { + int ret; ++ struct blk_plug plug; + ++ /* ++ * This is only 
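Review bot: The switch to `percpu_ref_tryget_live(&ctx->users)` in lookup_ioctx() carries no comment, although it is what stops the lookup from handing out a context whose `users` reference has already been killed. I would add `/* ctx may be mid-teardown: return it only if a live reference can still be taken */` above the call. The two nested `if` statements can also be merged into `if (ctx && ctx->user_id == ctx_id && percpu_ref_tryget_live(&ctx->users))`. The function starts before the hunk.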
called in fsync, which would do synchronous writes, so ++ * a plug can merge adjacent IOs as much as possible. Esp. in case of ++ * multiple disks using raid profile, a large IO can be split to ++ * several segments of stripe length (currently 64K). ++ */ ++ blk_start_plug(&plug); + atomic_inc(&BTRFS_I(inode)->sync_writers); + ret = btrfs_fdatawrite_range(inode, start, end); + atomic_dec(&BTRFS_I(inode)->sync_writers); ++ blk_finish_plug(&plug); + + return ret; + } +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 81b5a461d94e..1f01a8172308 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6413,8 +6413,7 @@ static int btrfs_mknod(struct inode *dir, struct dentry *dentry, + goto out_unlock_inode; + } else { + btrfs_update_inode(trans, root, inode); +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + } + + out_unlock: +@@ -6489,8 +6488,7 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry, + goto out_unlock_inode; + + BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops; +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + + out_unlock: + btrfs_end_transaction(trans, root); +@@ -6633,12 +6631,7 @@ static int btrfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + if (err) + goto out_fail_inode; + +- d_instantiate(dentry, inode); +- /* +- * mkdir is special. We're unlocking after we call d_instantiate +- * to avoid a race with nfsd calling d_instantiate. 
+- */ +- unlock_new_inode(inode); ++ d_instantiate_new(dentry, inode); + drop_on_err = 0; + + out_fail: +@@ -9789,8 +9782,7 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry, + goto out_unlock_inode; + } + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + + out_unlock: + btrfs_end_transaction(trans, root); +diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c +index 1a33d3eb36de..b9fa99577bf7 100644 +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -2160,11 +2160,21 @@ int raid56_parity_recover(struct btrfs_root *root, struct bio *bio, + } + + /* +- * reconstruct from the q stripe if they are +- * asking for mirror 3 ++ * Loop retry: ++ * for 'mirror == 2', reconstruct from all other stripes. ++ * for 'mirror_num > 2', select a stripe to fail on every retry. + */ +- if (mirror_num == 3) +- rbio->failb = rbio->real_stripes - 2; ++ if (mirror_num > 2) { ++ /* ++ * 'mirror == 3' is to fail the p stripe and ++ * reconstruct from the q stripe. 'mirror > 3' is to ++ * fail a data stripe and reconstruct from p+q stripe. 
++ */ ++ rbio->failb = rbio->real_stripes - (mirror_num - 1); ++ ASSERT(rbio->failb > 0); ++ if (rbio->failb <= rbio->faila) ++ rbio->failb--; ++ } + + ret = lock_stripe_add(rbio); + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 19b56873b797..83c73738165e 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4674,6 +4674,9 @@ static int send_hole(struct send_ctx *sctx, u64 end) + u64 len; + int ret = 0; + ++ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA) ++ return send_update_extent(sctx, offset, end - offset); ++ + p = fs_path_alloc(); + if (!p) + return -ENOMEM; +diff --git a/fs/btrfs/tests/qgroup-tests.c b/fs/btrfs/tests/qgroup-tests.c +index 846d277b1901..2b2978c04e80 100644 +--- a/fs/btrfs/tests/qgroup-tests.c ++++ b/fs/btrfs/tests/qgroup-tests.c +@@ -70,7 +70,7 @@ static int insert_normal_tree_ref(struct btrfs_root *root, u64 bytenr, + btrfs_set_extent_generation(leaf, item, 1); + btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK); + block_info = (struct btrfs_tree_block_info *)(item + 1); +- btrfs_set_tree_block_level(leaf, block_info, 1); ++ btrfs_set_tree_block_level(leaf, block_info, 0); + iref = (struct btrfs_extent_inline_ref *)(block_info + 1); + if (parent > 0) { + btrfs_set_extent_inline_ref_type(leaf, iref, +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6ba022ed4a52..738f5d6beb95 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2223,8 +2223,10 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(root, path); +- if (ret) ++ if (ret == 1) + break; ++ else if (ret < 0) ++ goto out; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, + path->slots[0]); +@@ -3378,8 +3380,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans, + * from this directory and from this transaction + */ + ret = btrfs_next_leaf(root, path); +- if (ret == 1) { +- last_offset = (u64)-1; ++ if (ret) { ++ if (ret == 1) ++ last_offset = 
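Review bot: `ASSERT(rbio->failb > 0);` is the only guard on the index computed from `rbio->real_stripes - (mirror_num - 1)` in raid56_parity_recover(), and btrfs's ASSERT compiles to nothing unless CONFIG_BTRFS_ASSERT is enabled. On a production build a `mirror_num` larger than expected would therefore leave `failb` out of range with no runtime rejection. Whether callers can pass such a value is not visible in this hunk. An explicit `if (rbio->failb <= 0)` that fails the request through the function's existing error path would not depend on the build configuration. The new comment also says `'mirror == 2'` where the variable is `mirror_num`.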
(u64)-1; ++ else ++ err = ret; + goto done; + } + btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]); +@@ -3830,6 +3835,7 @@ fill_holes: + ASSERT(ret == 0); + src = src_path->nodes[0]; + i = 0; ++ need_find_last_extent = true; + } + + btrfs_item_key_to_cpu(src, &key, i); +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index ed75d70b4bc2..b4d63a9842fa 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -5056,7 +5056,14 @@ int btrfs_num_copies(struct btrfs_fs_info *fs_info, u64 logical, u64 len) + else if (map->type & BTRFS_BLOCK_GROUP_RAID5) + ret = 2; + else if (map->type & BTRFS_BLOCK_GROUP_RAID6) +- ret = 3; ++ /* ++ * There could be two corrupted data stripes, we need ++ * to loop retry in order to rebuild the correct data. ++ * ++ * Fail a stripe at a time on every retry except the ++ * stripe under reconstruction. ++ */ ++ ret = map->num_stripes; + else + ret = 1; + free_extent_map(em); +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 0c92af11f4f4..8632380d2b94 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -6421,9 +6421,7 @@ SetEARetry: + pSMB->InformationLevel = + cpu_to_le16(SMB_SET_FILE_EA); + +- parm_data = +- (struct fealist *) (((char *) &pSMB->hdr.Protocol) + +- offset); ++ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset; + pSMB->ParameterOffset = cpu_to_le16(param_offset); + pSMB->DataOffset = cpu_to_le16(offset); + pSMB->SetupCount = 1; +diff --git a/fs/dcache.c b/fs/dcache.c +index 751a0d88f049..250c1222e30c 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1897,6 +1897,28 @@ struct dentry *d_instantiate_unique(struct dentry *entry, struct inode *inode) + + EXPORT_SYMBOL(d_instantiate_unique); + ++/* ++ * This should be equivalent to d_instantiate() + unlock_new_inode(), ++ * with lockdep-related part of unlock_new_inode() done before ++ * anything else. Use that instead of open-coding d_instantiate()/ ++ * unlock_new_inode() combinations. 
++ */ ++void d_instantiate_new(struct dentry *entry, struct inode *inode) ++{ ++ BUG_ON(!hlist_unhashed(&entry->d_u.d_alias)); ++ BUG_ON(!inode); ++ lockdep_annotate_inode_mutex_key(inode); ++ security_d_instantiate(entry, inode); ++ spin_lock(&inode->i_lock); ++ __d_instantiate(entry, inode); ++ WARN_ON(!(inode->i_state & I_NEW)); ++ inode->i_state &= ~I_NEW; ++ smp_mb(); ++ wake_up_bit(&inode->i_state, __I_NEW); ++ spin_unlock(&inode->i_lock); ++} ++EXPORT_SYMBOL(d_instantiate_new); ++ + /** + * d_instantiate_no_diralias - instantiate a non-aliased dentry + * @entry: dentry to complete +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c +index e2e47ba5d313..844d0c4da84f 100644 +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -287,8 +287,7 @@ ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry, + iput(ecryptfs_inode); + goto out; + } +- unlock_new_inode(ecryptfs_inode); +- d_instantiate(ecryptfs_dentry, ecryptfs_inode); ++ d_instantiate_new(ecryptfs_dentry, ecryptfs_inode); + out: + return rc; + } +diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c +index 3267a80dbbe2..da3d40ef1668 100644 +--- a/fs/ext2/namei.c ++++ b/fs/ext2/namei.c +@@ -40,8 +40,7 @@ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode) + { + int err = ext2_add_link(dentry, inode); + if (!err) { +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + } + inode_dec_link_count(inode); +@@ -267,8 +266,7 @@ static int ext2_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode) + if (err) + goto out_fail; + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + out: + return err; + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 32960b3ecd4f..97472088d65a 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2429,8 +2429,7 @@ static int ext4_add_nondir(handle_t *handle, + int err = ext4_add_entry(handle, dentry, inode); + 
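Review bot: d_instantiate_new() is exported with `EXPORT_SYMBOL` but documented only by a plain `/* ... */` block, while the next function, d_instantiate_no_diralias(), has a kernel-doc header with `@entry:`. I would convert the comment to kernel-doc with `@entry` and `@inode` and state the preconditions the body enforces. Those are that the dentry has no alias yet (`BUG_ON(!hlist_unhashed(&entry->d_u.d_alias))`), that the inode is non-NULL, and that it is still `I_NEW` (the `WARN_ON`). The `smp_mb();` before `wake_up_bit()` would also benefit from a one-line comment naming what it orders.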
if (!err) { + ext4_mark_inode_dirty(handle, inode); +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + } + drop_nlink(inode); +@@ -2669,8 +2668,7 @@ out_clear_inode: + err = ext4_mark_inode_dirty(handle, dir); + if (err) + goto out_clear_inode; +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + if (IS_DIRSYNC(dir)) + ext4_handle_sync(handle); + +diff --git a/fs/fscache/page.c b/fs/fscache/page.c +index 6b35fc4860a0..1de16a5a5c4e 100644 +--- a/fs/fscache/page.c ++++ b/fs/fscache/page.c +@@ -776,6 +776,7 @@ static void fscache_write_op(struct fscache_operation *_op) + + _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); + ++again: + spin_lock(&object->lock); + cookie = object->cookie; + +@@ -816,10 +817,6 @@ static void fscache_write_op(struct fscache_operation *_op) + goto superseded; + page = results[0]; + _debug("gang %d [%lx]", n, page->index); +- if (page->index >= op->store_limit) { +- fscache_stat(&fscache_n_store_pages_over_limit); +- goto superseded; +- } + + radix_tree_tag_set(&cookie->stores, page->index, + FSCACHE_COOKIE_STORING_TAG); +@@ -829,6 +826,9 @@ static void fscache_write_op(struct fscache_operation *_op) + spin_unlock(&cookie->stores_lock); + spin_unlock(&object->lock); + ++ if (page->index >= op->store_limit) ++ goto discard_page; ++ + fscache_stat(&fscache_n_store_pages); + fscache_stat(&fscache_n_cop_write_page); + ret = object->cache->ops->write_page(op, page); +@@ -844,6 +844,11 @@ static void fscache_write_op(struct fscache_operation *_op) + _leave(""); + return; + ++discard_page: ++ fscache_stat(&fscache_n_store_pages_over_limit); ++ fscache_end_page_write(object, page); ++ goto again; ++ + superseded: + /* this writer is going away and there aren't any more things to + * write */ +diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c +index 1543aa1b2a93..8744bd773823 100644 +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ 
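Review bot: The new `discard_page:` label in fscache_write_op() jumps back to `again:`, which turns the function into a loop that retakes `object->lock` on every pass, and unlike `superseded:` it has no comment. I would add one above the label, for example `/* page is at or past op->store_limit: end its write without storing it and look for the next pending page */`. That wording assumes `fscache_end_page_write()` removes the page from the pending set so the loop makes progress, which should be confirmed since its body is not shown here.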
-806,7 +806,7 @@ static long __gfs2_fallocate(struct file *file, int mode, loff_t offset, loff_t + struct gfs2_inode *ip = GFS2_I(inode); + struct gfs2_alloc_parms ap = { .aflags = 0, }; + unsigned int data_blocks = 0, ind_blocks = 0, rblocks; +- loff_t bytes, max_bytes, max_blks = UINT_MAX; ++ loff_t bytes, max_bytes, max_blks; + int error; + const loff_t pos = offset; + const loff_t count = len; +@@ -858,7 +858,8 @@ static long __gfs2_fallocate(struct file *file, int mode, loff_t offset, loff_t + return error; + /* ap.allowed tells us how many blocks quota will allow + * us to write. Check if this reduces max_blks */ +- if (ap.allowed && ap.allowed < max_blks) ++ max_blks = UINT_MAX; ++ if (ap.allowed) + max_blks = ap.allowed; + + error = gfs2_inplace_reserve(ip, &ap); +diff --git a/fs/gfs2/quota.h b/fs/gfs2/quota.h +index ad04b3acae2b..a81ed38d8442 100644 +--- a/fs/gfs2/quota.h ++++ b/fs/gfs2/quota.h +@@ -43,6 +43,8 @@ static inline int gfs2_quota_lock_check(struct gfs2_inode *ip, + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + int ret; ++ ++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ + if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) + return 0; + ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); +diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c +index 30c4c9ebb693..e27317169697 100644 +--- a/fs/jffs2/dir.c ++++ b/fs/jffs2/dir.c +@@ -207,8 +207,7 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, + __func__, inode->i_ino, inode->i_mode, inode->i_nlink, + f->inocache->pino_nlink, inode->i_mapping->nrpages); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + + fail: +@@ -428,8 +427,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char + mutex_unlock(&dir_f->sem); + jffs2_complete_reservation(c); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + + 
fail: +@@ -573,8 +571,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, umode_t mode + mutex_unlock(&dir_f->sem); + jffs2_complete_reservation(c); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + + fail: +@@ -745,8 +742,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, umode_t mode + mutex_unlock(&dir_f->sem); + jffs2_complete_reservation(c); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + + fail: +diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c +index 2caf1682036d..85e2594fe95c 100644 +--- a/fs/jffs2/fs.c ++++ b/fs/jffs2/fs.c +@@ -361,7 +361,6 @@ error_io: + ret = -EIO; + error: + mutex_unlock(&f->sem); +- jffs2_do_clear_inode(c, f); + iget_failed(inode); + return ERR_PTR(ret); + } +diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c +index 9d7551f5c32a..f217ae750adb 100644 +--- a/fs/jfs/namei.c ++++ b/fs/jfs/namei.c +@@ -178,8 +178,7 @@ static int jfs_create(struct inode *dip, struct dentry *dentry, umode_t mode, + unlock_new_inode(ip); + iput(ip); + } else { +- unlock_new_inode(ip); +- d_instantiate(dentry, ip); ++ d_instantiate_new(dentry, ip); + } + + out2: +@@ -313,8 +312,7 @@ static int jfs_mkdir(struct inode *dip, struct dentry *dentry, umode_t mode) + unlock_new_inode(ip); + iput(ip); + } else { +- unlock_new_inode(ip); +- d_instantiate(dentry, ip); ++ d_instantiate_new(dentry, ip); + } + + out2: +@@ -1058,8 +1056,7 @@ static int jfs_symlink(struct inode *dip, struct dentry *dentry, + unlock_new_inode(ip); + iput(ip); + } else { +- unlock_new_inode(ip); +- d_instantiate(dentry, ip); ++ d_instantiate_new(dentry, ip); + } + + out2: +@@ -1443,8 +1440,7 @@ static int jfs_mknod(struct inode *dir, struct dentry *dentry, + unlock_new_inode(ip); + iput(ip); + } else { +- unlock_new_inode(ip); +- d_instantiate(dentry, ip); ++ d_instantiate_new(dentry, ip); + } + + out1: +diff --git a/fs/nfs/nfs4proc.c 
b/fs/nfs/nfs4proc.c +index 0f397e62de5a..41c8ddbc80dc 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1780,7 +1780,7 @@ static int nfs4_open_reclaim(struct nfs4_state_owner *sp, struct nfs4_state *sta + return ret; + } + +-static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, int err) ++static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err) + { + switch (err) { + default: +@@ -1827,7 +1827,11 @@ static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct + return -EAGAIN; + case -ENOMEM: + case -NFS4ERR_DENIED: +- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ ++ if (fl) { ++ struct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner; ++ if (lsp) ++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); ++ } + return 0; + } + return err; +@@ -1863,7 +1867,7 @@ int nfs4_open_delegation_recall(struct nfs_open_context *ctx, + err = nfs4_open_recover_helper(opendata, FMODE_READ); + } + nfs4_opendata_put(opendata); +- return nfs4_handle_delegation_recall_error(server, state, stateid, err); ++ return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err); + } + + static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata) +@@ -6157,7 +6161,7 @@ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, + if (err != 0) + return err; + err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW); +- return nfs4_handle_delegation_recall_error(server, state, stateid, err); ++ return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err); + } + + struct nfs_release_lockowner_data { +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 83fba40396ae..44f5cea49699 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1386,6 +1386,7 @@ static int nfs4_reclaim_locks(struct nfs4_state *state, const struct nfs4_state_ + 
struct inode *inode = state->inode; + struct nfs_inode *nfsi = NFS_I(inode); + struct file_lock *fl; ++ struct nfs4_lock_state *lsp; + int status = 0; + struct file_lock_context *flctx = inode->i_flctx; + struct list_head *list; +@@ -1426,7 +1427,9 @@ restart: + case -NFS4ERR_DENIED: + case -NFS4ERR_RECLAIM_BAD: + case -NFS4ERR_RECLAIM_CONFLICT: +- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ ++ lsp = fl->fl_u.nfs4_fl.owner; ++ if (lsp) ++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); + status = 0; + } + spin_lock(&flctx->flc_lock); +diff --git a/fs/nfs/nfs4sysctl.c b/fs/nfs/nfs4sysctl.c +index 0fbd3ab1be22..44a7bbbf92f8 100644 +--- a/fs/nfs/nfs4sysctl.c ++++ b/fs/nfs/nfs4sysctl.c +@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[] = { + .data = &nfs_idmap_cache_timeout, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec_jiffies, ++ .proc_handler = proc_dointvec, + }, + { } + }; +diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c +index c9a1a491aa91..cd7f5b0abe84 100644 +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -50,8 +50,7 @@ static inline int nilfs_add_nondir(struct dentry *dentry, struct inode *inode) + { + int err = nilfs_add_link(dentry, inode); + if (!err) { +- d_instantiate(dentry, inode); +- unlock_new_inode(inode); ++ d_instantiate_new(dentry, inode); + return 0; + } + inode_dec_link_count(inode); +@@ -246,8 +245,7 @@ static int nilfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + goto out_fail; + + nilfs_mark_inode_dirty(inode); +- d_instantiate(dentry, inode); +- unlock_new_inode(inode); ++ d_instantiate_new(dentry, inode); + out: + if (!err) + err = nilfs_transaction_commit(dir->i_sb); +diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c +index 164307b99405..1e0d8da0d3cd 100644 +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -314,7 +314,9 @@ struct posix_acl *ocfs2_iop_get_acl(struct inode *inode, int type) + return ERR_PTR(ret); + } + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = 
ocfs2_get_acl_nolock(inode, type, di_bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + + ocfs2_inode_unlock(inode, 0); + brelse(di_bh); +@@ -333,7 +335,9 @@ int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh) + if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL)) + return 0; + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + if (IS_ERR(acl) || !acl) + return PTR_ERR(acl); + ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); +@@ -364,8 +368,10 @@ int ocfs2_init_acl(handle_t *handle, + + if (!S_ISLNK(inode->i_mode)) { + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { ++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT, + dir_bh); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (IS_ERR(acl)) + return PTR_ERR(acl); + } +diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c +index 2ee7fe747cea..c55a9c47ac17 100644 +--- a/fs/ocfs2/dlm/dlmdomain.c ++++ b/fs/ocfs2/dlm/dlmdomain.c +@@ -674,20 +674,6 @@ static void dlm_leave_domain(struct dlm_ctxt *dlm) + spin_unlock(&dlm->spinlock); + } + +-int dlm_shutting_down(struct dlm_ctxt *dlm) +-{ +- int ret = 0; +- +- spin_lock(&dlm_domain_lock); +- +- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) +- ret = 1; +- +- spin_unlock(&dlm_domain_lock); +- +- return ret; +-} +- + void dlm_unregister_domain(struct dlm_ctxt *dlm) + { + int leave = 0; +diff --git a/fs/ocfs2/dlm/dlmdomain.h b/fs/ocfs2/dlm/dlmdomain.h +index fd6122a38dbd..8a9281411c18 100644 +--- a/fs/ocfs2/dlm/dlmdomain.h ++++ b/fs/ocfs2/dlm/dlmdomain.h +@@ -28,7 +28,30 @@ + extern spinlock_t dlm_domain_lock; + extern struct list_head dlm_domains; + +-int dlm_shutting_down(struct dlm_ctxt *dlm); ++static inline int dlm_joined(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_JOINED) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ 
++static inline int dlm_shutting_down(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ + void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, + int node_num); + +diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c +index 4a338803e7e9..88149b4387c2 100644 +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1377,6 +1377,15 @@ int dlm_mig_lockres_handler(struct o2net_msg *msg, u32 len, void *data, + if (!dlm_grab(dlm)) + return -EINVAL; + ++ if (!dlm_joined(dlm)) { ++ mlog(ML_ERROR, "Domain %s not joined! " ++ "lockres %.*s, master %u\n", ++ dlm->name, mres->lockname_len, ++ mres->lockname, mres->master); ++ dlm_put(dlm); ++ return -EINVAL; ++ } ++ + BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); + + real_master = mres->master; +diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c +index 13534f4fe5b5..722eb5bc9b8f 100644 +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -666,23 +666,24 @@ static int __ocfs2_journal_access(handle_t *handle, + /* we can safely remove this assertion after testing. */ + if (!buffer_uptodate(bh)) { + mlog(ML_ERROR, "giving me a buffer that's not uptodate!\n"); +- mlog(ML_ERROR, "b_blocknr=%llu\n", +- (unsigned long long)bh->b_blocknr); ++ mlog(ML_ERROR, "b_blocknr=%llu, b_state=0x%lx\n", ++ (unsigned long long)bh->b_blocknr, bh->b_state); + + lock_buffer(bh); + /* +- * A previous attempt to write this buffer head failed. +- * Nothing we can do but to retry the write and hope for +- * the best. ++ * A previous transaction with a couple of buffer heads fail ++ * to checkpoint, so all the bhs are marked as BH_Write_EIO. ++ * For current transaction, the bh is just among those error ++ * bhs which previous transaction handle. 
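Review bot: The added error log in dlm_mig_lockres_handler() prints `mres->lockname` with a `%.*s` precision taken from `mres->lockname_len`, and no bound on that length is visible before this point. `mres` is presumably taken from the received message. If the length is not validated earlier in the handler, the log can read past the name field, so I would clamp it, for example with `min_t(unsigned int, mres->lockname_len, sizeof(mres->lockname))`, assuming `lockname` is a fixed-size array member. `dlm_joined()` also drops `dlm_domain_lock` before returning, so the result is a snapshot and the state can change right after the check. The handler starts before the hunk.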
We can't just clear ++ * its BH_Write_EIO and reuse directly, since other bhs are ++ * not written to disk yet and that will cause metadata ++ * inconsistency. So we should set fs read-only to avoid ++ * further damage. + */ + if (buffer_write_io_error(bh) && !buffer_uptodate(bh)) { +- clear_buffer_write_io_error(bh); +- set_buffer_uptodate(bh); +- } +- +- if (!buffer_uptodate(bh)) { + unlock_buffer(bh); +- return -EIO; ++ return ocfs2_error(osb->sb, "A previous attempt to " ++ "write this buffer head failed\n"); + } + unlock_buffer(bh); + } +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index 2de4c8a9340c..4f5141350af8 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -477,9 +477,8 @@ static int ocfs2_init_global_system_inodes(struct ocfs2_super *osb) + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; + mlog_errno(status); +- /* FIXME: Should ERROR_RO_FS */ + mlog(ML_ERROR, "Unable to load system inode %d, " + "possibly corrupt fs?", i); + goto bail; +@@ -508,7 +507,7 @@ static int ocfs2_init_local_system_inodes(struct ocfs2_super *osb) + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? 
-EROFS : -EINVAL; + mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n", + status, i, osb->slot_num); + goto bail; +diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c +index 877830b05e12..4f0788232f2f 100644 +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -639,9 +639,11 @@ int ocfs2_calc_xattr_init(struct inode *dir, + si->value_len); + + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { ++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl_len = ocfs2_xattr_get_nolock(dir, dir_bh, + OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT, + "", NULL, 0); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (acl_len > 0) { + a_size = ocfs2_xattr_entry_real_size(0, acl_len); + if (S_ISDIR(mode)) +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 4a666ec7fb64..5f9cec2db6c3 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -94,6 +94,8 @@ + #include "internal.h" + #include "fd.h" + ++#include "../../lib/kstrtox.h" ++ + /* NOTE: + * Implementing inode permission operations in /proc is almost + * certainly an error. Permission checks need to happen during +@@ -1836,8 +1838,33 @@ end_instantiate: + static int dname_to_vma_addr(struct dentry *dentry, + unsigned long *start, unsigned long *end) + { +- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) ++ const char *str = dentry->d_name.name; ++ unsigned long long sval, eval; ++ unsigned int len; ++ ++ len = _parse_integer(str, 16, &sval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (sval != (unsigned long)sval) + return -EINVAL; ++ str += len; ++ ++ if (*str != '-') ++ return -EINVAL; ++ str++; ++ ++ len = _parse_integer(str, 16, &eval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (eval != (unsigned long)eval) ++ return -EINVAL; ++ str += len; ++ ++ if (*str != '\0') ++ return -EINVAL; ++ ++ *start = sval; ++ *end = eval; + + return 0; + } +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 4dbe1e2daeca..5e1054f028af 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -654,7 +654,10 
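Review bot: Neither `_parse_integer()` call in the rewritten dname_to_vma_addr() rejects an empty digit run. A return of 0 passes the `len & KSTRTOX_OVERFLOW` test with the value left at 0, so names such as `-` or `1000-` are accepted as ranges. The replaced `sscanf(...) != 2` check appears to have rejected those. Adding `if (!len) return -EINVAL;` after each overflow check keeps the parser strict. The later VMA lookup may reject such ranges anyway, but that is outside the hunk. Separately, `#include "../../lib/kstrtox.h"` reaches into a private lib/ header and deserves a comment saying why the public kstrto* helpers do not fit here.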
@@ static bool proc_sys_link_fill_cache(struct file *file, + struct ctl_table *table) + { + bool ret = true; ++ + head = sysctl_head_grab(head); ++ if (IS_ERR(head)) ++ return false; + + if (S_ISLNK(table->mode)) { + /* It is not an error if we can not follow the link ignore it */ +diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c +index 3ebc70167e41..eb611bdd4725 100644 +--- a/fs/reiserfs/namei.c ++++ b/fs/reiserfs/namei.c +@@ -687,8 +687,7 @@ static int reiserfs_create(struct inode *dir, struct dentry *dentry, umode_t mod + reiserfs_update_inode_transaction(inode); + reiserfs_update_inode_transaction(dir); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + retval = journal_end(&th); + + out_failed: +@@ -771,8 +770,7 @@ static int reiserfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode + goto out_failed; + } + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + retval = journal_end(&th); + + out_failed: +@@ -871,8 +869,7 @@ static int reiserfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode + /* the above add_entry did not update dir's stat data */ + reiserfs_update_sd(&th, dir); + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(dir->i_sb); +@@ -1186,8 +1183,7 @@ static int reiserfs_symlink(struct inode *parent_dir, + goto out_failed; + } + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(parent_dir->i_sb); +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index c97b5a8d1e24..f34c545f4e54 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -611,8 +611,7 @@ static int udf_add_nondir(struct dentry *dentry, struct inode *inode) + if (fibh.sbh != fibh.ebh) + brelse(fibh.ebh); + brelse(fibh.sbh); +- 
unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + + return 0; + } +@@ -722,8 +721,7 @@ static int udf_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + inc_nlink(dir); + dir->i_ctime = dir->i_mtime = current_fs_time(dir->i_sb); + mark_inode_dirty(dir); +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + if (fibh.sbh != fibh.ebh) + brelse(fibh.ebh); + brelse(fibh.sbh); +diff --git a/fs/udf/super.c b/fs/udf/super.c +index ee09c97f3ab2..159977ec8e54 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2073,8 +2073,9 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) + bool lvid_open = false; + + uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT); +- uopt.uid = INVALID_UID; +- uopt.gid = INVALID_GID; ++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */ ++ uopt.uid = make_kuid(current_user_ns(), overflowuid); ++ uopt.gid = make_kgid(current_user_ns(), overflowgid); + uopt.umask = 0; + uopt.fmode = UDF_INVALID_MODE; + uopt.dmode = UDF_INVALID_MODE; +diff --git a/fs/ufs/namei.c b/fs/ufs/namei.c +index 47966554317c..2ec7689c25cf 100644 +--- a/fs/ufs/namei.c ++++ b/fs/ufs/namei.c +@@ -38,8 +38,7 @@ static inline int ufs_add_nondir(struct dentry *dentry, struct inode *inode) + { + int err = ufs_add_link(dentry, inode); + if (!err) { +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + } + inode_dec_link_count(inode); +@@ -191,8 +190,7 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode) + if (err) + goto out_fail; + +- unlock_new_inode(inode); +- d_instantiate(dentry, inode); ++ d_instantiate_new(dentry, inode); + return 0; + + out_fail: +diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c +index f949818fa1c7..fb9636cc927c 100644 +--- a/fs/xfs/libxfs/xfs_attr.c ++++ b/fs/xfs/libxfs/xfs_attr.c +@@ 
-130,9 +130,6 @@ xfs_attr_get( + if (XFS_FORCED_SHUTDOWN(ip->i_mount)) + return -EIO; + +- if (!xfs_inode_hasattr(ip)) +- return -ENOATTR; +- + error = xfs_attr_args_init(&args, ip, name, flags); + if (error) + return error; +@@ -417,9 +414,6 @@ xfs_attr_remove( + if (XFS_FORCED_SHUTDOWN(dp->i_mount)) + return -EIO; + +- if (!xfs_inode_hasattr(dp)) +- return -ENOATTR; +- + error = xfs_attr_args_init(&args, dp, name, flags); + if (error) + return error; +diff --git a/fs/xfs/xfs_discard.c b/fs/xfs/xfs_discard.c +index e85a9519a5ae..64ad05cb831a 100644 +--- a/fs/xfs/xfs_discard.c ++++ b/fs/xfs/xfs_discard.c +@@ -50,19 +50,19 @@ xfs_trim_extents( + + pag = xfs_perag_get(mp, agno); + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); +- if (error || !agbp) +- goto out_put_perag; +- +- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); +- + /* + * Force out the log. This means any transactions that might have freed +- * space before we took the AGF buffer lock are now on disk, and the ++ * space before we take the AGF buffer lock are now on disk, and the + * volatile disk cache is flushed. + */ + xfs_log_force(mp, XFS_LOG_SYNC); + ++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ if (error || !agbp) ++ goto out_put_perag; ++ ++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); ++ + /* + * Look up the longest btree in the AGF and start with it. + */ +diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h +index 4814cf971048..25b793325b09 100644 +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -237,6 +237,21 @@ extern void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp, + extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp); + #endif + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++/* ++ * This is an implementation of pmdp_establish() that is only suitable for an ++ * architecture that doesn't have hardware dirty/accessed bits. 
In this case we ++ * can't race with CPU which sets these bits and non-atomic aproach is fine. ++ */ ++static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t old_pmd = *pmdp; ++ set_pmd_at(vma->vm_mm, address, pmdp, pmd); ++ return old_pmd; ++} ++#endif ++ + #ifndef __HAVE_ARCH_PMDP_INVALIDATE + extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp); +diff --git a/include/linux/dcache.h b/include/linux/dcache.h +index d516847e0fae..11f4334ab177 100644 +--- a/include/linux/dcache.h ++++ b/include/linux/dcache.h +@@ -236,6 +236,7 @@ extern seqlock_t rename_lock; + * These are the low-level FS interfaces to the dcache.. + */ + extern void d_instantiate(struct dentry *, struct inode *); ++extern void d_instantiate_new(struct dentry *, struct inode *); + extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *); + extern int d_instantiate_no_diralias(struct dentry *, struct inode *); + extern void __d_drop(struct dentry *dentry); +diff --git a/include/linux/suspend.h b/include/linux/suspend.h +index 8b6ec7ef0854..4a69bca7c6ab 100644 +--- a/include/linux/suspend.h ++++ b/include/linux/suspend.h +@@ -377,6 +377,8 @@ extern int swsusp_page_is_forbidden(struct page *); + extern void swsusp_set_page_free(struct page *); + extern void swsusp_unset_page_free(struct page *); + extern unsigned long get_safe_page(gfp_t gfp_mask); ++extern asmlinkage int swsusp_arch_suspend(void); ++extern asmlinkage int swsusp_arch_resume(void); + + extern void hibernation_set_ops(const struct platform_hibernation_ops *ops); + extern int hibernate(void); +diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h +index 1074b8921a5d..69c728883266 100644 +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -53,6 +53,9 @@ + /* big enough to hold our biggest descriptor */ + #define USB_COMP_EP0_BUFSIZ 1024 + ++/* OS feature 
descriptor length <= 4kB */ ++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 ++ + #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) + struct usb_configuration; + +diff --git a/include/net/ip.h b/include/net/ip.h +index 639398af273b..0530bcdbc212 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -279,6 +279,13 @@ int ip_decrease_ttl(struct iphdr *iph) + return --iph->ttl; + } + ++static inline int ip_mtu_locked(const struct dst_entry *dst) ++{ ++ const struct rtable *rt = (const struct rtable *)dst; ++ ++ return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU); ++} ++ + static inline + int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst) + { +@@ -286,7 +293,7 @@ int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst) + + return pmtudisc == IP_PMTUDISC_DO || + (pmtudisc == IP_PMTUDISC_WANT && +- !(dst_metric_locked(dst, RTAX_MTU))); ++ !ip_mtu_locked(dst)); + } + + static inline bool ip_sk_accept_pmtu(const struct sock *sk) +@@ -312,7 +319,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + struct net *net = dev_net(dst->dev); + + if (net->ipv4.sysctl_ip_fwd_use_pmtu || +- dst_metric_locked(dst, RTAX_MTU) || ++ ip_mtu_locked(dst) || + !forwarding) + return dst_mtu(dst); + +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index bda1721e9622..3afb7c4c7098 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -56,6 +56,7 @@ struct fib_nh_exception { + int fnhe_genid; + __be32 fnhe_daddr; + u32 fnhe_pmtu; ++ bool fnhe_mtu_locked; + __be32 fnhe_gw; + unsigned long fnhe_expires; + struct rtable __rcu *fnhe_rth_input; +diff --git a/include/net/llc_conn.h b/include/net/llc_conn.h +index ea985aa7a6c5..df528a623548 100644 +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); + + /* Access to a connection */ + int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); +-void 
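Review bot: `ip_mtu_locked()` casts its `dst` argument straight to `const struct rtable *` and reads `rt_mtu_locked`, which is only meaningful when the entry really is part of an IPv4 `struct rtable`. The two call sites changed in the following hunks are IPv4 helpers, but the function is an inline in a widely included header, so the precondition should be written down above it: `/* dst must belong to an IPv4 route (struct rtable); do not call on other dst types */`.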
llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); ++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); + void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 7a49a31f6ddc..ec11cb1c0d80 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -3898,7 +3898,7 @@ static inline int ieee80211_sta_ps_transition_ni(struct ieee80211_sta *sta, + * The TX headroom reserved by mac80211 for its own tx_status functions. + * This is enough for the radiotap header. + */ +-#define IEEE80211_TX_STATUS_HEADROOM 14 ++#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4) + + /** + * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames +diff --git a/include/net/regulatory.h b/include/net/regulatory.h +index ebc5a2ed8631..f83cacce3308 100644 +--- a/include/net/regulatory.h ++++ b/include/net/regulatory.h +@@ -78,7 +78,7 @@ struct regulatory_request { + int wiphy_idx; + enum nl80211_reg_initiator initiator; + enum nl80211_user_reg_hint_type user_reg_hint_type; +- char alpha2[2]; ++ char alpha2[3]; + enum nl80211_dfs_regions dfs_region; + bool intersect; + bool processed; +diff --git a/include/net/route.h b/include/net/route.h +index a3b9ef74a389..d2a92d94ff72 100644 +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -64,7 +64,8 @@ struct rtable { + __be32 rt_gateway; + + /* Miscellaneous cached information */ +- u32 rt_pmtu; ++ u32 rt_mtu_locked:1, ++ rt_pmtu:31; + + u32 rt_table_id; + +diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h +index 073b9ac245ba..e844556794dc 100644 +--- a/include/trace/events/timer.h ++++ b/include/trace/events/timer.h +@@ -125,6 +125,20 @@ DEFINE_EVENT(timer_class, timer_cancel, + TP_ARGS(timer) + ); + ++#define decode_clockid(type) \ ++ 
__print_symbolic(type, \ ++ { CLOCK_REALTIME, "CLOCK_REALTIME" }, \ ++ { CLOCK_MONOTONIC, "CLOCK_MONOTONIC" }, \ ++ { CLOCK_BOOTTIME, "CLOCK_BOOTTIME" }, \ ++ { CLOCK_TAI, "CLOCK_TAI" }) ++ ++#define decode_hrtimer_mode(mode) \ ++ __print_symbolic(mode, \ ++ { HRTIMER_MODE_ABS, "ABS" }, \ ++ { HRTIMER_MODE_REL, "REL" }, \ ++ { HRTIMER_MODE_ABS_PINNED, "ABS|PINNED" }, \ ++ { HRTIMER_MODE_REL_PINNED, "REL|PINNED" }) ++ + /** + * hrtimer_init - called when the hrtimer is initialized + * @hrtimer: pointer to struct hrtimer +@@ -151,10 +165,8 @@ TRACE_EVENT(hrtimer_init, + ), + + TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer, +- __entry->clockid == CLOCK_REALTIME ? +- "CLOCK_REALTIME" : "CLOCK_MONOTONIC", +- __entry->mode == HRTIMER_MODE_ABS ? +- "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL") ++ decode_clockid(__entry->clockid), ++ decode_hrtimer_mode(__entry->mode)) + ); + + /** +diff --git a/include/uapi/drm/virtgpu_drm.h b/include/uapi/drm/virtgpu_drm.h +index fc9e2d6e5e2f..232367124712 100644 +--- a/include/uapi/drm/virtgpu_drm.h ++++ b/include/uapi/drm/virtgpu_drm.h +@@ -60,6 +60,7 @@ struct drm_virtgpu_execbuffer { + }; + + #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */ ++#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */ + + struct drm_virtgpu_getparam { + uint64_t param; +diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h +index ea9221b0331a..064d2026ab38 100644 +--- a/include/uapi/linux/if_ether.h ++++ b/include/uapi/linux/if_ether.h +@@ -29,6 +29,7 @@ + */ + + #define ETH_ALEN 6 /* Octets in one ethernet addr */ ++#define ETH_TLEN 2 /* Octets in ethernet type field */ + #define ETH_HLEN 14 /* Total octets in header. */ + #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */ + #define ETH_DATA_LEN 1500 /* Max. 
octets in payload */ +diff --git a/ipc/shm.c b/ipc/shm.c +index a492dd81cf56..32974cfe5947 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -1113,14 +1113,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, + goto out; + else if ((addr = (ulong)shmaddr)) { + if (addr & (shmlba - 1)) { +- /* +- * Round down to the nearest multiple of shmlba. +- * For sane do_mmap_pgoff() parameters, avoid +- * round downs that trigger nil-page and MAP_FIXED. +- */ +- if ((shmflg & SHM_RND) && addr >= shmlba) +- addr &= ~(shmlba - 1); +- else ++ if (shmflg & SHM_RND) { ++ addr &= ~(shmlba - 1); /* round down */ ++ ++ /* ++ * Ensure that the round-down is non-nil ++ * when remapping. This can happen for ++ * cases when addr < shmlba. ++ */ ++ if (!addr && (shmflg & SHM_REMAP)) ++ goto out; ++ } else + #ifndef __ARCH_FORCE_SHMLBA + if (addr & ~PAGE_MASK) + #endif +diff --git a/kernel/audit.c b/kernel/audit.c +index 6881b485aa2a..bdf0cf463815 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -744,6 +744,8 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature + return; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); ++ if (!ab) ++ return; + audit_log_task_info(ab, current); + audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index 4121345498e0..ebc52c7bd8a6 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1564,6 +1564,7 @@ static int kdb_md(int argc, const char **argv) + int symbolic = 0; + int valid = 0; + int phys = 0; ++ int raw = 0; + + kdbgetintenv("MDCOUNT", &mdcount); + kdbgetintenv("RADIX", &radix); +@@ -1573,9 +1574,10 @@ static int kdb_md(int argc, const char **argv) + repeat = mdcount * 16 / bytesperword; + + if (strcmp(argv[0], "mdr") == 0) { +- if (argc != 2) ++ if (argc == 2 || (argc == 0 && last_addr != 0)) ++ valid = 
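Review bot: The new comment in `do_shmat` covers only the `SHM_REMAP` case; when `SHM_RND` rounds `addr` down to zero without `SHM_REMAP`, execution continues with a nil address and nothing in the hunk says what rejects or permits it. If that case is deliberately left to the address checks of the mapping call later in the function (outside this hunk), the comment should say so, e.g. `/* a nil addr without SHM_REMAP is validated by the mmap path below */`. The `goto out` also relies on `err` having been set before the hunk, which cannot be confirmed from here.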
raw = 1; ++ else + return KDB_ARGCOUNT; +- valid = 1; + } else if (isdigit(argv[0][2])) { + bytesperword = (int)(argv[0][2] - '0'); + if (bytesperword == 0) { +@@ -1611,7 +1613,10 @@ static int kdb_md(int argc, const char **argv) + radix = last_radix; + bytesperword = last_bytesperword; + repeat = last_repeat; +- mdcount = ((repeat * bytesperword) + 15) / 16; ++ if (raw) ++ mdcount = repeat; ++ else ++ mdcount = ((repeat * bytesperword) + 15) / 16; + } + + if (argc) { +@@ -1628,7 +1633,10 @@ static int kdb_md(int argc, const char **argv) + diag = kdbgetularg(argv[nextarg], &val); + if (!diag) { + mdcount = (int) val; +- repeat = mdcount * 16 / bytesperword; ++ if (raw) ++ repeat = mdcount; ++ else ++ repeat = mdcount * 16 / bytesperword; + } + } + if (argc >= nextarg+1) { +@@ -1638,8 +1646,15 @@ static int kdb_md(int argc, const char **argv) + } + } + +- if (strcmp(argv[0], "mdr") == 0) +- return kdb_mdr(addr, mdcount); ++ if (strcmp(argv[0], "mdr") == 0) { ++ int ret; ++ last_addr = addr; ++ ret = kdb_mdr(addr, mdcount); ++ last_addr += mdcount; ++ last_repeat = mdcount; ++ last_bytesperword = bytesperword; // to make REPEAT happy ++ return ret; ++ } + + switch (radix) { + case 10: +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 92d1f12f4407..990ac41d8a5f 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -419,9 +419,15 @@ static inline void __update_cgrp_time(struct perf_cgroup *cgrp) + + static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx) + { +- struct perf_cgroup *cgrp_out = cpuctx->cgrp; +- if (cgrp_out) +- __update_cgrp_time(cgrp_out); ++ struct perf_cgroup *cgrp = cpuctx->cgrp; ++ struct cgroup_subsys_state *css; ++ ++ if (cgrp) { ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ __update_cgrp_time(cgrp); ++ } ++ } + } + + static inline void update_cgrp_time_from_event(struct perf_event *event) +@@ -449,6 +455,7 @@ 
perf_cgroup_set_timestamp(struct task_struct *task, + { + struct perf_cgroup *cgrp; + struct perf_cgroup_info *info; ++ struct cgroup_subsys_state *css; + + /* + * ctx->lock held by caller +@@ -459,8 +466,12 @@ perf_cgroup_set_timestamp(struct task_struct *task, + return; + + cgrp = perf_cgroup_from_task(task, ctx); +- info = this_cpu_ptr(cgrp->info); +- info->timestamp = ctx->timestamp; ++ ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ info = this_cpu_ptr(cgrp->info); ++ info->timestamp = ctx->timestamp; ++ } + } + + #define PERF_CGROUP_SWOUT 0x1 /* cgroup switch out every event */ +@@ -5288,7 +5299,8 @@ static void perf_output_read_group(struct perf_output_handle *handle, + if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + values[n++] = running; + +- if (leader != event) ++ if ((leader != event) && ++ (leader->state == PERF_EVENT_STATE_ACTIVE)) + leader->pmu->read(leader); + + values[n++] = perf_event_count(leader); +diff --git a/kernel/locking/qspinlock.c b/kernel/locking/qspinlock.c +index 8173bc7fec92..3b40c8809e52 100644 +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -423,6 +423,14 @@ queue: + tail = encode_tail(smp_processor_id(), idx); + + node += idx; ++ ++ /* ++ * Ensure that we increment the head node->count before initialising ++ * the actual node. If the compiler is kind enough to reorder these ++ * stores, then an IRQ could overwrite our assignments. 
++ */ ++ barrier(); ++ + node->locked = 0; + node->next = NULL; + pv_init_node(node); +diff --git a/kernel/power/power.h b/kernel/power/power.h +index caadb566e82b..25367fc0b152 100644 +--- a/kernel/power/power.h ++++ b/kernel/power/power.h +@@ -85,9 +85,6 @@ extern int in_suspend; + extern dev_t swsusp_resume_device; + extern sector_t swsusp_resume_block; + +-extern asmlinkage int swsusp_arch_suspend(void); +-extern asmlinkage int swsusp_arch_resume(void); +- + extern int create_basic_memory_bitmaps(void); + extern void free_basic_memory_bitmaps(void); + extern int hibernate_preallocate_memory(void); +diff --git a/kernel/relay.c b/kernel/relay.c +index 0b4570cfacae..f6d5f08bdfaa 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan) + { + struct rchan_buf *buf; + +- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) + return NULL; + + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index 2ef31c93e195..801b4ec40702 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -822,6 +822,8 @@ static int do_sched_rt_period_timer(struct rt_bandwidth *rt_b, int overrun) + struct rq *rq = rq_of_rt_rq(rt_rq); + + raw_spin_lock(&rq->lock); ++ update_rq_clock(rq); ++ + if (rt_rq->rt_time) { + u64 runtime; + +diff --git a/kernel/signal.c b/kernel/signal.c +index 7d75bc2d042f..8bfbc47f0a23 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1392,6 +1392,10 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid) + return ret; + } + ++ /* -INT_MIN is undefined. 
Exclude this case to avoid a UBSAN warning */ ++ if (pid == INT_MIN) ++ return -ESRCH; ++ + read_lock(&tasklist_lock); + if (pid != -1) { + ret = __kill_pgrp_info(sig, info, +diff --git a/kernel/sys.c b/kernel/sys.c +index 78947de6f969..6624919ef0e7 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -53,6 +53,8 @@ + #include + #include + ++#include ++ + #include + /* Move somewhere else to avoid recompiling? */ + #include +@@ -1311,6 +1313,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource, + if (resource >= RLIM_NLIMITS) + return -EINVAL; + ++ resource = array_index_nospec(resource, RLIM_NLIMITS); + task_lock(current->group_leader); + x = current->signal->rlim[resource]; + task_unlock(current->group_leader); +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 8df77ed6aa99..d8a2084b88db 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5199,7 +5199,7 @@ int workqueue_sysfs_register(struct workqueue_struct *wq) + + ret = device_register(&wq_dev->dev); + if (ret) { +- kfree(wq_dev); ++ put_device(&wq_dev->dev); + wq->wq_dev = NULL; + return ret; + } +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index b7908d949a5f..b1495f586f29 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -83,6 +83,7 @@ struct bpf_test { + __u32 result; + } test[MAX_SUBTESTS]; + int (*fill_helper)(struct bpf_test *self); ++ int expected_errcode; /* used when FLAG_EXPECTED_FAIL is set in the aux */ + __u8 frag_data[MAX_DATA]; + }; + +@@ -1780,7 +1781,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: div_k_0", +@@ -1790,7 +1793,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: unknown insn", +@@ -1801,7 +1806,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_EXPECTED_FAIL, + { 
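Review bot: The `array_index_nospec()` clamp added to `old_getrlimit` covers only this syscall; any other path in kernel/sys.c that indexes `signal->rlim[]` with a caller-supplied `resource` after the same `>= RLIM_NLIMITS` test is outside this hunk and would need the same line. A short comment above the clamp, such as `/* clamp under speculation: resource comes from userspace */`, would keep a later cleanup from removing it as redundant with the bounds check. The header names on the added and neighbouring `#include` lines are missing from this page, so the include that declares `array_index_nospec` cannot be confirmed from the hunk.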
}, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: out of range spill/fill", +@@ -1811,7 +1818,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "JUMPS + HOLES", +@@ -1903,6 +1912,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: LDX + RET X", +@@ -1913,6 +1924,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "M[]: alt STX + LDX", +@@ -2087,6 +2100,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Passes checker but fails during runtime. */ + "LD [SKF_AD_OFF-1]", +@@ -4462,6 +4477,7 @@ static struct bpf_test tests[] = { + { }, + { }, + .fill_helper = bpf_fill_maxinsns4, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "BPF_MAXINSNS: Very long jump", +@@ -4517,10 +4533,15 @@ static struct bpf_test tests[] = { + { + "BPF_MAXINSNS: Jump, gap, jump, ...", + { }, ++#ifdef CONFIG_BPF_JIT_ALWAYS_ON ++ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, ++#else + CLASSIC | FLAG_NO_DATA, ++#endif + { }, + { { 0, 0xababcbac } }, + .fill_helper = bpf_fill_maxinsns11, ++ .expected_errcode = -ENOTSUPP, + }, + { + "BPF_MAXINSNS: ld_abs+get_processor_id", +@@ -5290,7 +5311,7 @@ static struct bpf_prog *generate_filter(int which, int *err) + + *err = bpf_prog_create(&fp, &fprog); + if (tests[which].aux & FLAG_EXPECTED_FAIL) { +- if (*err == -EINVAL) { ++ if (*err == tests[which].expected_errcode) { + pr_cont("PASS\n"); + /* Verifier rejected filter as expected. 
*/ + *err = 0; +diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c +index bc0a8d8b8f42..ba9adce1422a 100644 +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -548,5 +548,5 @@ static int __init kasan_memhotplug_init(void) + return 0; + } + +-module_init(kasan_memhotplug_init); ++core_initcall(kasan_memhotplug_init); + #endif +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 1914ab9009d9..84c93879aa5d 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1524,8 +1524,7 @@ static void start_scan_thread(void) + } + + /* +- * Stop the automatic memory scanning thread. This function must be called +- * with the scan_mutex held. ++ * Stop the automatic memory scanning thread. + */ + static void stop_scan_thread(void) + { +@@ -1788,12 +1787,15 @@ static void kmemleak_do_cleanup(struct work_struct *work) + { + stop_scan_thread(); + ++ mutex_lock(&scan_mutex); + /* +- * Once the scan thread has stopped, it is safe to no longer track +- * object freeing. Ordering of the scan thread stopping and the memory +- * accesses below is guaranteed by the kthread_stop() function. ++ * Once it is made sure that kmemleak_scan has stopped, it is safe to no ++ * longer track object freeing. Ordering of the scan thread stopping and ++ * the memory accesses below is guaranteed by the kthread_stop() ++ * function. 
+ */ + kmemleak_free_enabled = 0; ++ mutex_unlock(&scan_mutex); + + if (!kmemleak_found_leaks) + __kmemleak_do_cleanup(); +diff --git a/mm/ksm.c b/mm/ksm.c +index 2f028e6d0831..0b496edc704b 100644 +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -1494,8 +1494,22 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item) + tree_rmap_item = + unstable_tree_search_insert(rmap_item, page, &tree_page); + if (tree_rmap_item) { ++ bool split; ++ + kpage = try_to_merge_two_pages(rmap_item, page, + tree_rmap_item, tree_page); ++ /* ++ * If both pages we tried to merge belong to the same compound ++ * page, then we actually ended up increasing the reference ++ * count of the same compound page twice, and split_huge_page ++ * failed. ++ * Here we set a flag if that happened, and we use it later to ++ * try split_huge_page again. Since we call put_page right ++ * afterwards, the reference count will be correct and ++ * split_huge_page should succeed. ++ */ ++ split = PageTransCompound(page) ++ && compound_head(page) == compound_head(tree_page); + put_page(tree_page); + if (kpage) { + /* +@@ -1520,6 +1534,20 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item) + break_cow(tree_rmap_item); + break_cow(rmap_item); + } ++ } else if (split) { ++ /* ++ * We are here if we tried to merge two pages and ++ * failed because they both belonged to the same ++ * compound page. We will split the page now, but no ++ * merging will take place. ++ * We do not want to add the cost of a full lock; if ++ * the page is locked, it is better to skip it and ++ * perhaps try again later. 
++ */ ++ if (!trylock_page(page)) ++ return; ++ split_huge_page(page); ++ unlock_page(page); + } + } + } +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index c947014d128a..b777590c3e13 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1232,6 +1232,7 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask, + unsigned long maxnode) + { + unsigned long k; ++ unsigned long t; + unsigned long nlongs; + unsigned long endmask; + +@@ -1248,13 +1249,19 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask, + else + endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1; + +- /* When the user specified more nodes than supported just check +- if the non supported part is all zero. */ ++ /* ++ * When the user specified more nodes than supported just check ++ * if the non supported part is all zero. ++ * ++ * If maxnode have more longs than MAX_NUMNODES, check ++ * the bits in that area first. And then go through to ++ * check the rest bits which equal or bigger than MAX_NUMNODES. ++ * Otherwise, just check bits [MAX_NUMNODES, maxnode). 
++ */ + if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) { + if (nlongs > PAGE_SIZE/sizeof(long)) + return -EINVAL; + for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) { +- unsigned long t; + if (get_user(t, nmask + k)) + return -EFAULT; + if (k == nlongs - 1) { +@@ -1267,6 +1274,16 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask, + endmask = ~0UL; + } + ++ if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) { ++ unsigned long valid_mask = endmask; ++ ++ valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1); ++ if (get_user(t, nmask + nlongs - 1)) ++ return -EFAULT; ++ if (t & valid_mask) ++ return -EINVAL; ++ } ++ + if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long))) + return -EFAULT; + nodes_addr(*nodes)[nlongs-1] &= endmask; +@@ -1393,10 +1410,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, + goto out_put; + } + +- if (!nodes_subset(*new, node_states[N_MEMORY])) { +- err = -EINVAL; ++ task_nodes = cpuset_mems_allowed(current); ++ nodes_and(*new, *new, task_nodes); ++ if (nodes_empty(*new)) ++ goto out_put; ++ ++ nodes_and(*new, *new, node_states[N_MEMORY]); ++ if (nodes_empty(*new)) + goto out_put; +- } + + err = security_task_movememory(task); + if (err) +@@ -2121,6 +2142,9 @@ bool __mpol_equal(struct mempolicy *a, struct mempolicy *b) + case MPOL_INTERLEAVE: + return !!nodes_equal(a->v.nodes, b->v.nodes); + case MPOL_PREFERRED: ++ /* a's ->flags is the same as b's */ ++ if (a->flags & MPOL_F_LOCAL) ++ return true; + return a->v.preferred_node == b->v.preferred_node; + default: + BUG(); +diff --git a/mm/swapfile.c b/mm/swapfile.c +index c1a0f3dea8b5..674bf177ce44 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2258,6 +2258,10 @@ static unsigned long read_swap_header(struct swap_info_struct *p, + maxpages = swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + last_page = swap_header->info.last_page; ++ if (!last_page) { ++ pr_warn("Empty 
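Review bot: The new `maxnode > MAX_NUMNODES` block in `get_nodes` validates the last word through `get_user(t, nmask + nlongs - 1)`, but the value that ends up in `*nodes` comes from the separate `copy_from_user()` that follows, so the check does not bind the bits actually stored if the user buffer changes between the two reads. Testing the copied word instead closes that gap: hoist `valid_mask` out of the block and, after the copy, use `if (nodes_addr(*nodes)[nlongs-1] & valid_mask) return -EINVAL;`. The name `valid_mask` also reads backwards, since it selects the bits that must be zero. How `nlongs` and `endmask` were set for this case is decided in the earlier hunks of this function.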
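Review bot: Both new `goto out_put` exits in `migrate_pages` return whatever `err` held before the hunk, whereas the removed code set `err = -EINVAL` explicitly. If an earlier assignment outside this hunk supplies the error, an empty intersection is reported correctly only while nobody reorders that code; adding `err = -EINVAL;` before `task_nodes = cpuset_mems_allowed(current);` makes the result local to the check. A comment should also state that nodes outside the caller's cpuset are now dropped from `*new` silently rather than rejected.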
swap-file\n"); ++ return 0; ++ } + if (last_page > maxpages) { + pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", + maxpages << (PAGE_SHIFT - 10), +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 12a69e6c10ba..b58ca729f20a 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -1312,6 +1312,7 @@ int __isolate_lru_page(struct page *page, isolate_mode_t mode) + + if (PageDirty(page)) { + struct address_space *mapping; ++ bool migrate_dirty; + + /* ISOLATE_CLEAN means only clean pages */ + if (mode & ISOLATE_CLEAN) +@@ -1320,10 +1321,19 @@ int __isolate_lru_page(struct page *page, isolate_mode_t mode) + /* + * Only pages without mappings or that have a + * ->migratepage callback are possible to migrate +- * without blocking ++ * without blocking. However, we can be racing with ++ * truncation so it's necessary to lock the page ++ * to stabilise the mapping as truncation holds ++ * the page lock until after the page is removed ++ * from the page cache. + */ ++ if (!trylock_page(page)) ++ return ret; ++ + mapping = page_mapping(page); +- if (mapping && !mapping->a_ops->migratepage) ++ migrate_dirty = mapping && mapping->a_ops->migratepage; ++ unlock_page(page); ++ if (!migrate_dirty) + return ret; + } + } +@@ -3831,7 +3841,13 @@ int zone_reclaim(struct zone *zone, gfp_t gfp_mask, unsigned int order) + */ + int page_evictable(struct page *page) + { +- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ int ret; ++ ++ /* Prevent address_space of inode and swap cache from being freed */ ++ rcu_read_lock(); ++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ rcu_read_unlock(); ++ return ret; + } + + #ifdef CONFIG_SHMEM +diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c +index 5f19133c5530..c2dff7c6e960 100644 +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -374,7 +374,7 @@ static void batadv_dbg_arp(struct batadv_priv 
*bat_priv, struct sk_buff *skb,
+ batadv_arp_hw_src(skb, hdr_size), &ip_src,
+ batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
+
+- if (hdr_size == 0)
++ if (hdr_size < sizeof(struct batadv_unicast_packet))
+ return;
+
+ unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 700c96c82a15..5d2f9d4879b2 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -278,7 +278,8 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ /* Move the existing MAC header to just before the payload. (Override
+ * the fragment header.)
+ */
+- skb_pull_rcsum(skb_out, hdr_size);
++ skb_pull(skb_out, hdr_size);
++ skb_out->ip_summed = CHECKSUM_NONE;
+ memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
+ skb_set_mac_header(skb_out, -ETH_HLEN);
+ skb_reset_network_header(skb_out);
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index e6c8382c79ba..6abfba1e227f 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -798,6 +798,9 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+
+ vid = batadv_get_vid(skb, 0);
+
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ goto out;
++
+ orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
+ ethhdr->h_dest, vid);
+ if (!orig_dst_node)
+diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
+index eb76386f8d4b..8aa2d65df86f 100644
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -428,8 +428,8 @@ static struct batadv_orig_node *
+ batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
+ struct ethhdr *ethhdr)
+ {
+- return batadv_transtable_search(bat_priv, ethhdr->h_source,
+- ethhdr->h_dest, BATADV_NO_FLAGS);
++ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
++ BATADV_NO_FLAGS);
+ }
+
+ /**
+diff --git a/net/batman-adv/soft-interface.c
b/net/batman-adv/soft-interface.c
+index 720f1a5b81ac..9f1fe6169bef 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -430,13 +430,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
+
+ /* skb->dev & skb->pkt_type are set here */
+ skb->protocol = eth_type_trans(skb, soft_iface);
+-
+- /* should not be necessary anymore as we use skb_pull_rcsum()
+- * TODO: please verify this and remove this TODO
+- * -- Dec 21st 2009, Simon Wunderlich
+- */
+-
+- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
++ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
+
+ batadv_inc_counter(bat_priv, BATADV_CNT_RX);
+ batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 50b76011f470..51eab9b5baa1 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1614,7 +1614,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
+ int off = ebt_compat_match_offset(match, m->match_size);
+ compat_uint_t msize = m->match_size - off;
+
+- BUG_ON(off >= m->match_size);
++ if (WARN_ON(off >= m->match_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, match->name,
+ strlen(match->name) + 1) || put_user(msize, &cm->match_size))
+@@ -1641,7 +1642,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
+ int off = xt_compat_target_offset(target);
+ compat_uint_t tsize = t->target_size - off;
+
+- BUG_ON(off >= t->target_size);
++ if (WARN_ON(off >= t->target_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, target->name,
+ strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
+@@ -1869,7 +1871,8 @@ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+ if (state->buf_kern_start == NULL)
+ goto count_only;
+
+- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
++ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
++ return -EINVAL;
+
+
memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
+
+@@ -1882,7 +1885,8 @@ static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
+ {
+ char *b = state->buf_kern_start;
+
+- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
++ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
++ return -EINVAL;
+
+ if (b != NULL && sz > 0)
+ memset(b + state->buf_kern_offset, 0, sz);
+@@ -1959,8 +1963,10 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ pad = XT_ALIGN(size_kern) - size_kern;
+
+ if (pad > 0 && dst) {
+- BUG_ON(state->buf_kern_len <= pad);
+- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
++ if (WARN_ON(state->buf_kern_len <= pad))
++ return -EINVAL;
++ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
++ return -EINVAL;
+ memset(dst + size_kern, 0, pad);
+ }
+ return off + match_size;
+@@ -2011,7 +2017,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
+ if (ret < 0)
+ return ret;
+
+- BUG_ON(ret < match32->match_size);
++ if (WARN_ON(ret < match32->match_size))
++ return -EINVAL;
+ growth += ret - match32->match_size;
+ growth += ebt_compat_entry_padsize();
+
+@@ -2081,8 +2088,12 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+ * offsets are relative to beginning of struct ebt_entry (i.e., 0).
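Review bot: The bound in ebt_buf_add(), `state->buf_kern_offset + sz > state->buf_kern_len`, is an addition that can wrap if the operands are unsigned int (their declarations are outside this hunk), and a wrapped sum would pass the check that guards the `memcpy()` right after it. Now that this is a real error path rather than a BUG_ON, the subtraction form is safer: `if (WARN_ON(state->buf_kern_offset > state->buf_kern_len || sz > state->buf_kern_len - state->buf_kern_offset)) return -EINVAL;`. The sizes appear to derive from a compat ruleset handed in from userspace, so the check should not depend on an earlier pass having bounded them.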
+ */
+ for (i = 0; i < 4 ; ++i) {
+- if (offsets[i] >= *total)
++ if (offsets[i] > *total)
++ return -EINVAL;
++
++ if (i < 3 && offsets[i] == *total)
+ return -EINVAL;
++
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+@@ -2121,7 +2132,8 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+
+ startoff = state->buf_user_offset - startoff;
+
+- BUG_ON(*total < startoff);
++ if (WARN_ON(*total < startoff))
++ return -EINVAL;
+ *total -= startoff;
+ return 0;
+ }
+@@ -2249,7 +2261,8 @@ static int compat_do_replace(struct net *net, void __user *user,
+ state.buf_kern_len = size64;
+
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+- BUG_ON(ret < 0); /* parses same data again */
++ if (WARN_ON(ret < 0))
++ goto out_unlock;
+
+ vfree(entries_tmp);
+ tmp.entries_size = size64;
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 5668dd3f9969..fa02c680eebc 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4295,13 +4295,18 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
+
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ {
++ int mac_len;
++
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
+ kfree_skb(skb);
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+- 2 * ETH_ALEN);
++ mac_len = skb->data - skb_mac_header(skb);
++ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
++ mac_len - VLAN_HLEN - ETH_TLEN);
++ }
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index a03f834f16d5..fa79e8118b9b 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -366,8 +366,6 @@ static int vti_tunnel_init(struct net_device *dev)
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
+- dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+
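Review bot: In compat_do_replace() the new `if (WARN_ON(ret < 0)) goto out_unlock;` jumps over the `vfree(entries_tmp);` on the following line, so the temporary buffer looks leaked on this path unless `out_unlock` frees it, which is not visible in the hunk. If it does not, release it before leaving: `if (WARN_ON(ret < 0)) { vfree(entries_tmp); goto out_unlock; }`. The other BUG_ON conversions in this file (compat_match_to_user, compat_target_to_user, ebt_buf_add_pad, compat_mtw_from_user, ebt_size_mwt, size_entry_mwt) use plain `WARN_ON`; where the condition can be reached from a malformed ruleset, `WARN_ON_ONCE` would keep repeated stack dumps out of the log.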
dev->addr_len = 4;
+ dev->features |= NETIF_F_LLTX;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index f0020260b0d4..3251dede1815 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -612,6 +612,7 @@ static inline u32 fnhe_hashfun(__be32 daddr)
+ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
+ {
+ rt->rt_pmtu = fnhe->fnhe_pmtu;
++ rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
+ rt->dst.expires = fnhe->fnhe_expires;
+
+ if (fnhe->fnhe_gw) {
+@@ -622,7 +623,7 @@ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnh
+ }
+
+ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+- u32 pmtu, unsigned long expires)
++ u32 pmtu, bool lock, unsigned long expires)
+ {
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe;
+@@ -659,8 +660,10 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+- if (pmtu)
++ if (pmtu) {
+ fnhe->fnhe_pmtu = pmtu;
++ fnhe->fnhe_mtu_locked = lock;
++ }
+ fnhe->fnhe_expires = max(1UL, expires);
+ /* Update all cached dsts too */
+ rt = rcu_dereference(fnhe->fnhe_rth_input);
+@@ -684,6 +687,7 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+ fnhe->fnhe_pmtu = pmtu;
++ fnhe->fnhe_mtu_locked = lock;
+ fnhe->fnhe_expires = expires;
+
+ /* Exception created; mark the cached routes for the nexthop
+@@ -765,7 +769,8 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
+ struct fib_nh *nh = &FIB_RES_NH(res);
+
+ update_or_create_fnhe(nh, fl4->daddr, new_gw,
+- 0, jiffies + ip_rt_gc_timeout);
++ 0, false,
++ jiffies + ip_rt_gc_timeout);
+ }
+ if (kill_route)
+ rt->dst.obsolete = DST_OBSOLETE_KILL;
+@@ -977,15 +982,18 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+ {
+ struct dst_entry *dst = &rt->dst;
+ struct
fib_result res;
++ bool lock = false;
+
+- if (dst_metric_locked(dst, RTAX_MTU))
++ if (ip_mtu_locked(dst))
+ return;
+
+ if (ipv4_mtu(dst) < mtu)
+ return;
+
+- if (mtu < ip_rt_min_pmtu)
++ if (mtu < ip_rt_min_pmtu) {
++ lock = true;
+ mtu = ip_rt_min_pmtu;
++ }
+
+ if (rt->rt_pmtu == mtu &&
+ time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
+@@ -995,7 +1003,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+ if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
+ struct fib_nh *nh = &FIB_RES_NH(res);
+
+- update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
++ update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
+ jiffies + ip_rt_mtu_expires);
+ }
+ rcu_read_unlock();
+@@ -1250,7 +1258,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
+
+ mtu = READ_ONCE(dst->dev->mtu);
+
+- if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
++ if (unlikely(ip_mtu_locked(dst))) {
+ if (rt->rt_uses_gateway && mtu > 576)
+ mtu = 576;
+ }
+@@ -1473,6 +1481,7 @@ static struct rtable *rt_dst_alloc(struct net_device *dev,
+ rt->rt_is_input = 0;
+ rt->rt_iif = 0;
+ rt->rt_pmtu = 0;
++ rt->rt_mtu_locked = 0;
+ rt->rt_gateway = 0;
+ rt->rt_uses_gateway = 0;
+ rt->rt_table_id = 0;
+@@ -2393,6 +2402,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
+ rt->rt_is_input = ort->rt_is_input;
+ rt->rt_iif = ort->rt_iif;
+ rt->rt_pmtu = ort->rt_pmtu;
++ rt->rt_mtu_locked = ort->rt_mtu_locked;
+
+ rt->rt_genid = rt_genid_ipv4(net);
+ rt->rt_flags = ort->rt_flags;
+@@ -2495,6 +2505,8 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, u32 table_id,
+ memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
+ if (rt->rt_pmtu && expires)
+ metrics[RTAX_MTU - 1] = rt->rt_pmtu;
++ if (rt->rt_mtu_locked && expires)
++ metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
+ if (rtnetlink_put_metrics(skb, metrics) < 0)
+ goto nla_put_failure;
+
+diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
+index
2ab9bbb6faff..5ed6a89894fd 100644
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -6,7 +6,7 @@
+ * The algorithm is described in:
+ * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
+ * for High-Speed Networks"
+- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
++ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
+ *
+ * Implemented from description in paper and ns-2 simulation.
+ * Copyright (C) 2007 Stephen Hemminger
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index 7b0edb37a115..fddae0164b91 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -97,6 +97,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
+ xdst->u.rt.rt_gateway = rt->rt_gateway;
+ xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
+ xdst->u.rt.rt_pmtu = rt->rt_pmtu;
++ xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
+ xdst->u.rt.rt_table_id = rt->rt_table_id;
+ INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
+
+diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
+index 51f7c32f04d7..dec4e7bda5f3 100644
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1574,6 +1574,13 @@ static int ipip6_newlink(struct net *src_net, struct net_device *dev,
+ if (err < 0)
+ return err;
+
++ if (tb[IFLA_MTU]) {
++ u32 mtu = nla_get_u32(tb[IFLA_MTU]);
++
++ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
++ dev->mtu = mtu;
++ }
++
+ #ifdef CONFIG_IPV6_SIT_6RD
+ if (ipip6_netlink_6rd_parms(data, &ip6rd))
+ err = ipip6_tunnel_update_6rd(nt, &ip6rd);
+diff --git a/net/llc/llc_c_ac.c b/net/llc/llc_c_ac.c
+index f8d4ab8ca1a5..4b60f68cb492 100644
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb)
+ llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
+ rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+ if (likely(!rc)) {
+- llc_conn_send_pdu(sk, skb);
++ rc =
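Review bot: In ipip6_newlink() an `IFLA_MTU` value outside the accepted range is dropped without any indication: the `if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)` test has no else branch, so the request succeeds and the device keeps its previous MTU. If that is intended, a comment should say so; otherwise the caller should get an error. The bare `0xFFF8` also deserves a named constant or a comment on where the limit comes from, e.g. `/* largest MTU accepted for this tunnel, minus link header */`. The surrounding function starts and ends outside this hunk.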
llc_conn_send_pdu(sk, skb);
+ llc_conn_ac_inc_vs_by_1(sk, skb);
+ }
+ return rc;
+@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
+ llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
+ rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+ if (likely(!rc)) {
+- llc_conn_send_pdu(sk, skb);
++ rc = llc_conn_send_pdu(sk, skb);
+ llc_conn_ac_inc_vs_by_1(sk, skb);
+ }
+ return rc;
+@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
+ int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb)
+ {
+ struct llc_sock *llc = llc_sk(sk);
++ int ret;
+
+ if (llc->ack_must_be_send) {
+- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
++ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
+ llc->ack_must_be_send = 0 ;
+ llc->ack_pf = 0;
+- } else
+- llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
+- return 0;
++ } else {
++ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
++ }
++
++ return ret;
+ }
+
+ /**
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
+index d861b74ad068..79c346fd859b 100644
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -30,7 +30,7 @@
+ #endif
+
+ static int llc_find_offset(int state, int ev_type);
+-static void llc_conn_send_pdus(struct sock *sk);
++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
+ static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
+ static int llc_exec_conn_trans_actions(struct sock *sk,
+ struct llc_conn_state_trans *trans,
+@@ -193,11 +193,11 @@ out_skb_put:
+ return rc;
+ }
+
+-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
+ {
+ /* queue PDU to send to MAC layer */
+ skb_queue_tail(&sk->sk_write_queue, skb);
+- llc_conn_send_pdus(sk);
++ return llc_conn_send_pdus(sk, skb);
+ }
+
+ /**
+@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit)
+ if (howmany_resend > 0)
+ llc->vS = (llc->vS + 1)
% LLC_2_SEQ_NBR_MODULO;
+ /* any PDUs to re-send are queued up; start sending to MAC */
+- llc_conn_send_pdus(sk);
++ llc_conn_send_pdus(sk, NULL);
+ out:;
+ }
+
+@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit)
+ if (howmany_resend > 0)
+ llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
+ /* any PDUs to re-send are queued up; start sending to MAC */
+- llc_conn_send_pdus(sk);
++ llc_conn_send_pdus(sk, NULL);
+ out:;
+ }
+
+@@ -340,12 +340,16 @@ out:
+ /**
+ * llc_conn_send_pdus - Sends queued PDUs
+ * @sk: active connection
++ * @hold_skb: the skb held by caller, or NULL if does not care
+ *
+- * Sends queued pdus to MAC layer for transmission.
++ * Sends queued pdus to MAC layer for transmission. When @hold_skb is
++ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
++ * successfully, or 1 for failure.
+ */
+-static void llc_conn_send_pdus(struct sock *sk)
++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
+ {
+ struct sk_buff *skb;
++ int ret = 0;
+
+ while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
+ struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
+@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct sock *sk)
+ skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
+ if (!skb2)
+ break;
+- skb = skb2;
++ dev_queue_xmit(skb2);
++ } else {
++ bool is_target = skb == hold_skb;
++ int rc;
++
++ if (is_target)
++ skb_get(skb);
++ rc = dev_queue_xmit(skb);
++ if (is_target)
++ ret = rc;
+ }
+- dev_queue_xmit(skb);
+ }
++
++ return ret;
+ }
+
+ /**
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index b0380927f05f..3f33ec44bd28 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1469,6 +1469,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
+ iface = rcu_dereference(netlbl_unlhsh_def);
+ if (iface == NULL || !iface->valid)
+ goto unlabel_getattr_nolabel;
++
++#if IS_ENABLED(CONFIG_IPV6)
++
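Review bot: The kernel-doc added for llc_conn_send_pdus() promises "1 for failure", but the code stores the raw `dev_queue_xmit()` result (`ret = rc;`), which is not limited to 0 or 1. The comment should say that the transmit status is passed through and that callers must test for non-zero. In the other branch of the loop (its condition is above this hunk) the result of `dev_queue_xmit(skb2)` is discarded and a failed clone simply `break`s, so `ret` stays 0 there even if @hold_skb was never sent; if that is intended the comment should state it. It would also help to document who releases the extra reference taken by `skb_get(skb)`.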
/* When resolving a fallback label, check the sk_buff version as
++ * it is possible (e.g. SCTP) to have family = PF_INET6 while
++ * receiving ip_hdr(skb)->version = 4.
++ */
++ if (family == PF_INET6 && ip_hdr(skb)->version == 4)
++ family = PF_INET;
++#endif /* IPv6 */
++
+ switch (family) {
+ case PF_INET: {
+ struct iphdr *hdr4;
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 3621a902cb6e..d25212b135ea 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
+
+ pr_debug("uri: %s, len: %zu\n", uri, uri_len);
+
++ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
++ if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
++ return NULL;
++
+ sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
+ if (sdreq == NULL)
+ return NULL;
+diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
+index 12dfb457275d..32cb0c87e852 100644
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -68,7 +68,8 @@ static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = {
+ };
+
+ static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
+- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
++ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
++ .len = U8_MAX - 4 },
+ [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
+ };
+
+diff --git a/net/rds/ib.c b/net/rds/ib.c
+index f222885ac0c7..ed51ccc84b3a 100644
+--- a/net/rds/ib.c
++++ b/net/rds/ib.c
+@@ -336,7 +336,8 @@ static int rds_ib_laddr_check(struct net *net, __be32 addr)
+ /* Create a CMA ID and try to bind it. This catches both
+ * IB and iWARP capable NICs.
+ */
+- cm_id = rdma_create_id(&init_net, NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
++ cm_id = rdma_create_id(&init_net, rds_rdma_cm_event_handler,
++ NULL, RDMA_PS_TCP, IB_QPT_RC);
+ if (IS_ERR(cm_id))
+ return PTR_ERR(cm_id);
+
+diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
+index cbf4996dd9c1..ed29bad1f03a 100644
+--- a/scripts/kconfig/expr.c
++++ b/scripts/kconfig/expr.c
+@@ -113,7 +113,7 @@ void expr_free(struct expr *e)
+ break;
+ case E_NOT:
+ expr_free(e->left.expr);
+- return;
++ break;
+ case E_EQUAL:
+ case E_GEQ:
+ case E_GTH:
+diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
+index b05cc3d4a9be..8360feaf51ce 100644
+--- a/scripts/kconfig/menu.c
++++ b/scripts/kconfig/menu.c
+@@ -364,6 +364,7 @@ void menu_finalize(struct menu *parent)
+ menu->parent = parent;
+ last_menu = menu;
+ }
++ expr_free(basedep);
+ if (last_menu) {
+ parent->list = parent->next;
+ parent->next = last_menu->next;
+diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y
+index 71bf8bff696a..5122ed2d839a 100644
+--- a/scripts/kconfig/zconf.y
++++ b/scripts/kconfig/zconf.y
+@@ -107,7 +107,27 @@ static struct menu *current_menu, *current_entry;
+ %%
+ input: nl start | start;
+
+-start: mainmenu_stmt stmt_list | stmt_list;
++start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list;
++
++/* mainmenu entry */
++
++mainmenu_stmt: T_MAINMENU prompt nl
++{
++ menu_add_prompt(P_MENU, $2, NULL);
++};
++
++/* Default main menu, if there's no mainmenu entry */
++
++no_mainmenu_stmt: /* empty */
++{
++ /*
++ * Hack: Keep the main menu title on the heap so we can safely free it
++ * later regardless of whether it comes from the 'prompt' in
++ * mainmenu_stmt or here
++ */
++ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL);
++};
++
+
+ stmt_list:
+ /* empty */
+@@ -344,13 +364,6 @@ if_block:
+ | if_block choice_stmt
+ ;
+
+-/* mainmenu entry */
+-
+-mainmenu_stmt: T_MAINMENU prompt nl
+-{
+- menu_add_prompt(P_MENU, $2, NULL);
+-};
+-
+ /* menu
entry */
+
+ menu: T_MENU prompt T_EOL
+@@ -495,6 +508,7 @@ word_opt: /* empty */ { $$ = NULL; }
+
+ void conf_parse(const char *name)
+ {
++ const char *tmp;
+ struct symbol *sym;
+ int i;
+
+@@ -502,7 +516,6 @@ void conf_parse(const char *name)
+
+ sym_init();
+ _menu_init();
+- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL);
+
+ if (getenv("ZCONF_DEBUG"))
+ zconfdebug = 1;
+@@ -512,8 +525,10 @@ void conf_parse(const char *name)
+ if (!modules_sym)
+ modules_sym = sym_find( "n" );
+
++ tmp = rootmenu.prompt->text;
+ rootmenu.prompt->text = _(rootmenu.prompt->text);
+ rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text);
++ free((char*)tmp);
+
+ menu_finalize(&rootmenu);
+ for_all_symbols(i, sym) {
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
+index df303346029b..648a0461f8ed 100644
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -10,6 +10,7 @@ config IMA
+ select CRYPTO_HASH_INFO
+ select TCG_TPM if HAS_IOMEM && !UML
+ select TCG_TIS if TCG_TPM && X86
++ select TCG_CRB if TCG_TPM && ACPI
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
+ help
+ The Trusted Computing Group(TCG) runtime Integrity
+diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
+index 6eb62936c672..a29209fa5674 100644
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -78,6 +78,8 @@ int __init ima_init_crypto(void)
+ hash_algo_name[ima_hash_algo], rc);
+ return rc;
+ }
++ pr_info("Allocated hash algorithm: %s\n",
++ hash_algo_name[ima_hash_algo]);
+ return 0;
+ }
+
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index 98289ba2a2e6..236dce30e517 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -16,6 +16,9 @@
+ * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
+ * and ima_file_check.
+ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include
+ #include
+ #include
+@@ -353,6 +356,16 @@ static int __init init_ima(void)
+
+ hash_setup(CONFIG_IMA_DEFAULT_HASH);
+ error = ima_init();
++
++ if (error && strcmp(hash_algo_name[ima_hash_algo],
++ CONFIG_IMA_DEFAULT_HASH) != 0) {
++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
++ hash_setup_done = 0;
++ hash_setup(CONFIG_IMA_DEFAULT_HASH);
++ error = ima_init();
++ }
++
+ if (!error) {
+ ima_initialized = 1;
+ ima_update_policy_flag();
+diff --git a/sound/core/vmaster.c b/sound/core/vmaster.c
+index 6c58e6f73a01..7c6ef879c520 100644
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -68,10 +68,13 @@ static int slave_update(struct link_slave *slave)
+ return -ENOMEM;
+ uctl->id = slave->slave.id;
+ err = slave->slave.get(&slave->slave, uctl);
++ if (err < 0)
++ goto error;
+ for (ch = 0; ch < slave->info.count; ch++)
+ slave->vals[ch] = uctl->value.integer.value[ch];
++ error:
+ kfree(uctl);
+- return 0;
++ return err < 0 ? err : 0;
+ }
+
+ /* get the slave ctl info and save the initial values */
+diff --git a/sound/pci/hda/Kconfig b/sound/pci/hda/Kconfig
+index e94cfd5c69f7..ebec1a1ae543 100644
+--- a/sound/pci/hda/Kconfig
++++ b/sound/pci/hda/Kconfig
+@@ -84,7 +84,6 @@ config SND_HDA_PATCH_LOADER
+ config SND_HDA_CODEC_REALTEK
+ tristate "Build Realtek HD-audio codec support"
+ select SND_HDA_GENERIC
+- select INPUT
+ help
+ Say Y or M here to include Realtek HD-audio codec support in
+ snd-hda-intel driver, such as ALC880.
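Review bot: The fallback added to init_ima() switches IMA from the requested hash to `CONFIG_IMA_DEFAULT_HASH` and reports it only with `pr_info()`, which is easy to miss on a system whose verifier expects the requested algorithm. Because this changes the digest used for measurements, `pr_warn()` (or an audit record) would suit that message better. The retry also runs for any non-zero `error` from `ima_init()`, not only a failed hash allocation, so the text "Allocating %s failed" can mislead. Whether `ima_init()` can safely be called a second time is not visible in this hunk and deserves a comment.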
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6a789278970e..580b8943b965 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3495,6 +3495,7 @@ static void alc280_fixup_hp_gpio4(struct hda_codec *codec,
+ }
+ }
+
++#if IS_REACHABLE(INPUT)
+ static void gpio2_mic_hotkey_event(struct hda_codec *codec,
+ struct hda_jack_callback *event)
+ {
+@@ -3627,6 +3628,10 @@ static void alc233_fixup_lenovo_line2_mic_hotkey(struct hda_codec *codec,
+ spec->kb_dev = NULL;
+ }
+ }
++#else /* INPUT */
++#define alc280_fixup_hp_gpio2_mic_hotkey NULL
++#define alc233_fixup_lenovo_line2_mic_hotkey NULL
++#endif /* INPUT */
+
+ static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+diff --git a/sound/soc/au1x/ac97c.c b/sound/soc/au1x/ac97c.c
+index 29a97d52e8ad..66d6c52e7761 100644
+--- a/sound/soc/au1x/ac97c.c
++++ b/sound/soc/au1x/ac97c.c
+@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
+ do {
+ mutex_lock(&ctx->lock);
+
+- tmo = 5;
+- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
++ tmo = 6;
++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
+ udelay(21); /* wait an ac97 frame time */
+ if (!tmo) {
+ pr_debug("ac97rd timeout #1\n");
+@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
+ * poll, Forrest, poll...
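Review bot: `#if IS_REACHABLE(INPUT)` is missing the `CONFIG_` prefix; the macro tests the preprocessor symbol it is handed, so with plain `INPUT` the condition is always false and the `#else` branch defines both hotkey fixups as NULL whatever the kernel configuration says. It should read `#if IS_REACHABLE(CONFIG_INPUT)`. The closing hunk at -3627 (`#else /* INPUT */` … `#endif /* INPUT */`) belongs to the same block, and its comments could name CONFIG_INPUT as well.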
+ */
+ tmo = 0x10000;
+- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
+ asm volatile ("nop");
+ data = RD(ctx, AC97_CMDRESP);
+
+diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
+index fd6e247d9fd8..91bad6731c9d 100644
+--- a/sound/soc/samsung/i2s.c
++++ b/sound/soc/samsung/i2s.c
+@@ -640,8 +640,12 @@ static int i2s_set_fmt(struct snd_soc_dai *dai,
+ tmp |= mod_slave;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFS:
+- /* Set default source clock in Master mode */
+- if (i2s->rclk_srcrate == 0)
++ /*
++ * Set default source clock in Master mode, only when the
++ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
++ * clock configuration assigned in DT is not overwritten.
++ */
++ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
+ i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
+ 0, SND_SOC_CLOCK_IN);
+ break;
+@@ -856,6 +860,11 @@ static int config_setup(struct i2s_dai *i2s)
+ return 0;
+
+ if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
++ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
++
++ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
++ i2s->rclk_srcrate = clk_get_rate(rclksrc);
++
+ psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
+ writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
+ dev_dbg(&i2s->pdev->dev,
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index e3f34a86413c..c1e76feb3529 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1188,6 +1188,9 @@ static struct snd_kcontrol_new *soc_tplg_dapm_widget_dmixer_create(
+ kfree(sm);
+ continue;
+ }
++
++ /* create any TLV data */
++ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
+ }
+ return kc;
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index e176bad19bcb..ca080a129b33 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -487,6 +487,24 @@ bpf_object__init_maps(struct bpf_object *obj, void *data,
+ return 0;
+ }
+
++static bool
section_have_execinstr(struct bpf_object *obj, int idx)
++{
++ Elf_Scn *scn;
++ GElf_Shdr sh;
++
++ scn = elf_getscn(obj->efile.elf, idx);
++ if (!scn)
++ return false;
++
++ if (gelf_getshdr(scn, &sh) != &sh)
++ return false;
++
++ if (sh.sh_flags & SHF_EXECINSTR)
++ return true;
++
++ return false;
++}
++
+ static int bpf_object__elf_collect(struct bpf_object *obj)
+ {
+ Elf *elf = obj->efile.elf;
+@@ -567,6 +585,14 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+ } else if (sh.sh_type == SHT_REL) {
+ void *reloc = obj->efile.reloc;
+ int nr_reloc = obj->efile.nr_reloc + 1;
++ int sec = sh.sh_info; /* points to other section */
++
++ /* Only do relo for section with exec instructions */
++ if (!section_have_execinstr(obj, sec)) {
++ pr_debug("skip relo %s(%d) for section(%d)\n",
++ name, idx, sec);
++ continue;
++ }
+
+ reloc = realloc(reloc,
+ sizeof(*obj->efile.reloc) * nr_reloc);
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 68276f35e323..6e4a10fe9dd0 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -4905,21 +4905,22 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event
+ else
+ ls = 2;
+
+- if (*(ptr+1) == 'F' || *(ptr+1) == 'f' ||
+- *(ptr+1) == 'S' || *(ptr+1) == 's') {
++ if (isalnum(ptr[1]))
+ ptr++;
++
++ if (*ptr == 'F' || *ptr == 'f' ||
++ *ptr == 'S' || *ptr == 's') {
+ show_func = *ptr;
+- } else if (*(ptr+1) == 'M' || *(ptr+1) == 'm') {
+- print_mac_arg(s, *(ptr+1), data, size, event, arg);
+- ptr++;
++ } else if (*ptr == 'M' || *ptr == 'm') {
++ print_mac_arg(s, *ptr, data, size, event, arg);
+ arg = arg->next;
+ break;
+- } else if (*(ptr+1) == 'I' || *(ptr+1) == 'i') {
++ } else if (*ptr == 'I' || *ptr == 'i') {
+ int n;
+
+- n = print_ip_arg(s, ptr+1, data, size, event, arg);
++ n = print_ip_arg(s, ptr, data, size, event, arg);
+ if (n > 0) {
+- ptr += n;
++ ptr += n - 1;
+ arg = arg->next;
+ break;
+ }
+diff
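Review bot: `isalnum(ptr[1])` in pretty_print() passes a plain `char` to a <ctype.h> function; if `ptr` is a `char *` (its declaration is outside the hunk) and the format string holds a byte above 0x7f, the argument is negative where char is signed, which is undefined behaviour. Cast at the call: `if (isalnum((unsigned char)ptr[1]))`. The format string presumably originates from the event description being parsed, so it is worth treating as untrusted input here.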
--git a/tools/lib/traceevent/parse-filter.c b/tools/lib/traceevent/parse-filter.c
+index 88cccea3ca99..64309d73921b 100644
+--- a/tools/lib/traceevent/parse-filter.c
++++ b/tools/lib/traceevent/parse-filter.c
+@@ -1867,17 +1867,25 @@ static const char *get_field_str(struct filter_arg *arg, struct pevent_record *r
+ struct pevent *pevent;
+ unsigned long long addr;
+ const char *val = NULL;
++ unsigned int size;
+ char hex[64];
+
+ /* If the field is not a string convert it */
+ if (arg->str.field->flags & FIELD_IS_STRING) {
+ val = record->data + arg->str.field->offset;
++ size = arg->str.field->size;
++
++ if (arg->str.field->flags & FIELD_IS_DYNAMIC) {
++ addr = *(unsigned int *)val;
++ val = record->data + (addr & 0xffff);
++ size = addr >> 16;
++ }
+
+ /*
+ * We need to copy the data since we can't be sure the field
+ * is null terminated.
+ */
+- if (*(val + arg->str.field->size - 1)) {
++ if (*(val + size - 1)) {
+ /* copy it */
+ memcpy(arg->str.buffer, val, arg->str.field->size);
+ /* the buffer is already NULL terminated */
+diff --git a/tools/perf/tests/vmlinux-kallsyms.c b/tools/perf/tests/vmlinux-kallsyms.c
+index d677e018e504..bf907c50fcae 100644
+--- a/tools/perf/tests/vmlinux-kallsyms.c
++++ b/tools/perf/tests/vmlinux-kallsyms.c
+@@ -126,7 +126,7 @@ int test__vmlinux_matches_kallsyms(void)
+
+ if (pair && UM(pair->start) == mem_start) {
+ next_pair:
+- if (strcmp(sym->name, pair->name) == 0) {
++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) {
+ /*
+ * kallsyms don't have the symbol end, so we
+ * set that by using the next symbol start - 1,
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 397fb4ed3c97..f0bd4825f95a 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -624,13 +624,13 @@ static void apply_config_terms(struct perf_evsel *evsel,
+ struct perf_evsel_config_term *term;
+ struct list_head *config_terms = &evsel->config_terms;
+ struct perf_event_attr *attr = &evsel->attr;
+- struct
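Review bot: For FIELD_IS_DYNAMIC, get_field_str() now takes both offset and length from the record (`addr & 0xffff`, `addr >> 16`) and uses them unchecked: `*(val + size - 1)` reads the byte before `val` when `size` is 0, and reads past the record when offset plus size exceeds it. A guard before the dereference, e.g. `if (!size || (addr & 0xffff) + size > (unsigned int)record->size)` followed by the function's error path, would bound both. The copy below still uses `arg->str.field->size`, so the terminator test and the `memcpy()` length no longer describe the same string; the copy length should follow `size`, capped at the capacity of `arg->str.buffer` (allocated outside this hunk). `*(unsigned int *)val` is also a possibly unaligned, type-punned load, for which `memcpy()` into a local is the portable form.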
callchain_param param; ++ /* callgraph default */ ++ struct callchain_param param = { ++ .record_mode = callchain_param.record_mode, ++ }; + u32 dump_size = 0; + char *callgraph_buf = NULL; + +- /* callgraph default */ +- param.record_mode = callchain_param.record_mode; +- + list_for_each_entry(term, config_terms, list) { + switch (term->type) { + case PERF_EVSEL__CONFIG_TERM_PERIOD: +diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c +index 4fd37d6708cb..f6720afa9f34 100644 +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -720,7 +720,7 @@ iter_prepare_cumulative_entry(struct hist_entry_iter *iter, + * cumulated only one time to prevent entries more than 100% + * overhead. + */ +- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); ++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); + if (he_cache == NULL) + return -ENOMEM; + +@@ -881,8 +881,6 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al, + if (err) + return err; + +- iter->max_stack = max_stack_depth; +- + err = iter->ops->prepare_entry(iter, al); + if (err) + goto out; +diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h +index a48a2078d288..46b7591acd9c 100644 +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -91,7 +91,6 @@ struct hist_entry_iter { + int curr; + + bool hide_unresolved; +- int max_stack; + + struct perf_evsel *evsel; + struct perf_sample *sample; +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index 24ebd3e3eb7d..5d2e479430d1 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -90,6 +90,7 @@ ifdef INSTALL_PATH + for TARGET in $(TARGETS); do \ + echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \ + echo "echo ========================================" >> $(ALL_SCRIPT); \ ++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \ + echo "cd $$TARGET" >> 
$(ALL_SCRIPT); \ + make -s --no-print-directory -C $$TARGET emit_tests >> $(ALL_SCRIPT); \ + echo "cd \$$ROOT" >> $(ALL_SCRIPT); \ +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc +new file mode 100644 +index 000000000000..5ba73035e1d9 +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc +@@ -0,0 +1,46 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe event string type argument ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++echo 0 > events/enable ++echo > kprobe_events ++ ++case `uname -m` in ++x86_64) ++ ARG2=%si ++ OFFS=8 ++;; ++i[3456]86) ++ ARG2=%cx ++ OFFS=4 ++;; ++aarch64) ++ ARG2=%x1 ++ OFFS=8 ++;; ++arm*) ++ ARG2=%r1 ++ OFFS=4 ++;; ++*) ++ echo "Please implement other architecture here" ++ exit_untested ++esac ++ ++: "Test get argument (1)" ++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events ++echo 1 > events/kprobes/testprobe/enable ++! echo test >> kprobe_events ++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\"" ++ ++echo 0 > events/kprobes/testprobe/enable ++: "Test get argument (2)" ++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events ++echo 1 > events/kprobes/testprobe/enable ++! 
echo test1 test2 >> kprobe_events ++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\"" ++ ++echo 0 > events/enable ++echo > kprobe_events +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc +new file mode 100644 +index 000000000000..231bcd2c4eb5 +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc +@@ -0,0 +1,97 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe event argument syntax ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue ++ ++echo 0 > events/enable ++echo > kprobe_events ++ ++PROBEFUNC="vfs_read" ++GOODREG= ++BADREG= ++GOODSYM="_sdata" ++if ! grep -qw ${GOODSYM} /proc/kallsyms ; then ++ GOODSYM=$PROBEFUNC ++fi ++BADSYM="deaqswdefr" ++SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "` ++GOODTYPE="x16" ++BADTYPE="y16" ++ ++case `uname -m` in ++x86_64|i[3456]86) ++ GOODREG=%ax ++ BADREG=%ex ++;; ++aarch64) ++ GOODREG=%x0 ++ BADREG=%ax ++;; ++arm*) ++ GOODREG=%r0 ++ BADREG=%ax ++;; ++esac ++ ++test_goodarg() # Good-args ++{ ++ while [ "$1" ]; do ++ echo "p ${PROBEFUNC} $1" > kprobe_events ++ shift 1 ++ done; ++} ++ ++test_badarg() # Bad-args ++{ ++ while [ "$1" ]; do ++ ! echo "p ${PROBEFUNC} $1" > kprobe_events ++ shift 1 ++ done; ++} ++ ++echo > kprobe_events ++ ++: "Register access" ++test_goodarg ${GOODREG} ++test_badarg ${BADREG} ++ ++: "Symbol access" ++test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10" ++test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \ ++ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10" ++ ++: "Stack access" ++test_goodarg "\$stack" "\$stack0" "\$stack1" ++test_badarg "\$stackp" "\$stack0+10" "\$stack1-10" ++ ++: "Retval access" ++echo "r ${PROBEFUNC} \$retval" > kprobe_events ++! 
echo "p ${PROBEFUNC} \$retval" > kprobe_events ++ ++: "Comm access" ++test_goodarg "\$comm" ++ ++: "Indirect memory access" ++test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \ ++ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))" ++test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \ ++ "+10(\$comm)" "+0(${GOODREG})+10" ++ ++: "Name assignment" ++test_goodarg "varname=${GOODREG}" ++test_badarg "varname=varname2=${GOODREG}" ++ ++: "Type syntax" ++test_goodarg "${GOODREG}:${GOODTYPE}" ++test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \ ++ "${GOODTYPE}:${GOODREG}" ++ ++: "Combination check" ++ ++test_goodarg "\$comm:string" "+0(\$stack):string" ++test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string" ++ ++echo > kprobe_events +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc +new file mode 100644 +index 000000000000..4fda01a08da4 +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc +@@ -0,0 +1,43 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe events - probe points ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++TARGET_FUNC=create_trace_kprobe ++ ++dec_addr() { # hexaddr ++ printf "%d" "0x"`echo $1 | tail -c 8` ++} ++ ++set_offs() { # prev target next ++ A1=`dec_addr $1` ++ A2=`dec_addr $2` ++ A3=`dec_addr $3` ++ TARGET="0x$2" # an address ++ PREV=`expr $A1 - $A2` # offset to previous symbol ++ NEXT=+`expr $A3 - $A2` # offset to next symbol ++ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol ++} ++ ++# We have to decode symbol addresses to get correct offsets. ++# If the offset is not an instruction boundary, it cause -EILSEQ. ++set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs` ++ ++UINT_TEST=no ++# printf "%x" -1 returns (unsigned long)-1. 
++if [ `printf "%x" -1 | wc -c` != 9 ]; then ++ UINT_TEST=yes ++fi ++ ++echo 0 > events/enable ++echo > kprobe_events ++echo "p:testprobe ${TARGET_FUNC}" > kprobe_events ++echo "p:testprobe ${TARGET}" > kprobe_events ++echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events ++! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events ++if [ "${UINT_TEST}" = yes ]; then ++! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events ++fi ++echo > kprobe_events ++clear_trace +diff --git a/tools/testing/selftests/memfd/config b/tools/testing/selftests/memfd/config +new file mode 100644 +index 000000000000..835c7f4dadcd +--- /dev/null ++++ b/tools/testing/selftests/memfd/config +@@ -0,0 +1 @@ ++CONFIG_FUSE_FS=m +diff --git a/tools/testing/selftests/net/psock_fanout.c b/tools/testing/selftests/net/psock_fanout.c +index 412459369686..9b654a070e7d 100644 +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -97,6 +97,8 @@ static int sock_fanout_open(uint16_t typeflags, int num_packets) + + static void sock_fanout_set_ebpf(int fd) + { ++ static char log_buf[65536]; ++ + const int len_off = __builtin_offsetof(struct __sk_buff, len); + struct bpf_insn prog[] = { + { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 }, +@@ -109,7 +111,6 @@ static void sock_fanout_set_ebpf(int fd) + { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 }, + { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } + }; +- char log_buf[512]; + union bpf_attr attr; + int pfd; + +diff --git a/tools/testing/selftests/powerpc/mm/subpage_prot.c b/tools/testing/selftests/powerpc/mm/subpage_prot.c +index 440180ff8089..ca29f5872817 100644 +--- a/tools/testing/selftests/powerpc/mm/subpage_prot.c ++++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c +@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned long size) + return 0; + } + ++static int syscall_available(void) ++{ ++ int rc; ++ ++ errno = 0; ++ rc = syscall(__NR_subpage_prot, 0, 0, 0); ++ ++ return rc == 0 || (errno != ENOENT && 
errno != ENOSYS); ++} ++ + int test_anon(void) + { + unsigned long align; +@@ -145,6 +155,8 @@ int test_anon(void) + void *mallocblock; + unsigned long mallocsize; + ++ SKIP_IF(!syscall_available()); ++ + if (getpagesize() != 0x10000) { + fprintf(stderr, "Kernel page size must be 64K!\n"); + return 1; +@@ -180,6 +192,8 @@ int test_file(void) + off_t filesize; + int fd; + ++ SKIP_IF(!syscall_available()); ++ + fd = open(file_name, O_RDWR); + if (fd == -1) { + perror("failed to open file"); +diff --git a/tools/thermal/tmon/sysfs.c b/tools/thermal/tmon/sysfs.c +index 1c12536f2081..18f523557983 100644 +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst) + int update_thermal_data() + { + int i; ++ int next_thermal_record = cur_thermal_record + 1; + char tz_name[256]; + static unsigned long samples; + +@@ -495,9 +496,9 @@ int update_thermal_data() + } + + /* circular buffer for keeping historic data */ +- if (cur_thermal_record >= NR_THERMAL_RECORDS) +- cur_thermal_record = 0; +- gettimeofday(&trec[cur_thermal_record].tv, NULL); ++ if (next_thermal_record >= NR_THERMAL_RECORDS) ++ next_thermal_record = 0; ++ gettimeofday(&trec[next_thermal_record].tv, NULL); + if (tmon_log) { + fprintf(tmon_log, "%lu ", ++samples); + fprintf(tmon_log, "%3.1f ", p_param.t_target); +@@ -507,11 +508,12 @@ int update_thermal_data() + snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, + ptdata.tzi[i].instance); + sysfs_get_ulong(tz_name, "temp", +- &trec[cur_thermal_record].temp[i]); ++ &trec[next_thermal_record].temp[i]); + if (tmon_log) + fprintf(tmon_log, "%lu ", +- trec[cur_thermal_record].temp[i]/1000); ++ trec[next_thermal_record].temp[i] / 1000); + } ++ cur_thermal_record = next_thermal_record; + for (i = 0; i < ptdata.nr_cooling_dev; i++) { + char cdev_name[256]; + unsigned long val; +diff --git a/tools/thermal/tmon/tmon.c b/tools/thermal/tmon/tmon.c +index 9aa19652e8e8..b43138f8b862 100644 +--- 
a/tools/thermal/tmon/tmon.c
++++ b/tools/thermal/tmon/tmon.c
+@@ -336,7 +336,6 @@ int main(int argc, char **argv)
+ show_data_w();
+ show_cooling_device();
+ }
+- cur_thermal_record++;
+ time_elapsed += ticktime;
+ controller_handler(trec[0].temp[target_tz_index] / 1000,
+ &yk);
diff --git a/patch/kernel/mvebu-default/04-patch-4.4.134-135.patch b/patch/kernel/mvebu-default/04-patch-4.4.134-135.patch
new file mode 100644
index 0000000000..d31ea12373
--- /dev/null
+++ b/patch/kernel/mvebu-default/04-patch-4.4.134-135.patch
@@ -0,0 +1,24 @@
+diff --git a/Makefile b/Makefile
+index 119dbcb4f311..9b14a5a224c5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 134
++SUBLEVEL = 135
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index fa79e8118b9b..4b7c81f88abf 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -366,6 +366,7 @@ static int vti_tunnel_init(struct net_device *dev)
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
++ dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
+ dev->features |= NETIF_F_LLTX;
diff --git a/patch/kernel/mvebu-default/04-patch-4.4.135-136.patch b/patch/kernel/mvebu-default/04-patch-4.4.135-136.patch
new file mode 100644
index 0000000000..66c803b259
--- /dev/null
+++ b/patch/kernel/mvebu-default/04-patch-4.4.135-136.patch
@@ -0,0 +1,1421 @@
+diff --git a/Makefile b/Makefile
+index 9b14a5a224c5..a05a7a005715 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 135
++SUBLEVEL = 136
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h
+index 197e06afbf71..e3438c623598 100644
+--- a/arch/arm64/include/asm/atomic_lse.h
++++ b/arch/arm64/include/asm/atomic_lse.h
+@@ -114,7 +114,7 @@ static inline void atomic_and(int i, atomic_t *v)
+ /* LSE atomics */
+ " mvn %w[i], %w[i]\n"
+ " stclr %w[i], %[v]")
+- : [i] "+r" (w0), [v] "+Q" (v->counter)
++ : [i] "+&r" (w0), [v] "+Q" (v->counter)
+ : "r" (x1)
+ : "x30");
+ }
+@@ -131,7 +131,7 @@ static inline void atomic_sub(int i, atomic_t *v)
+ /* LSE atomics */
+ " neg %w[i], %w[i]\n"
+ " stadd %w[i], %[v]")
+- : [i] "+r" (w0), [v] "+Q" (v->counter)
++ : [i] "+&r" (w0), [v] "+Q" (v->counter)
+ : "r" (x1)
+ : "x30");
+ }
+@@ -151,7 +151,7 @@ static inline int atomic_sub_return##name(int i, atomic_t *v) \
+ " neg %w[i], %w[i]\n" \
+ " ldadd" #mb " %w[i], w30, %[v]\n" \
+ " add %w[i], %w[i], w30") \
+- : [i] "+r" (w0), [v] "+Q" (v->counter) \
++ : [i] "+&r" (w0), [v] "+Q" (v->counter) \
+ : "r" (x1) \
+ : "x30" , ##cl); \
+ \
+@@ -255,7 +255,7 @@ static inline void atomic64_and(long i, atomic64_t *v)
+ /* LSE atomics */
+ " mvn %[i], %[i]\n"
+ " stclr %[i], %[v]")
+- : [i] "+r" (x0), [v] "+Q" (v->counter)
++ : [i] "+&r" (x0), [v] "+Q" (v->counter)
+ : "r" (x1)
+ : "x30");
+ }
+@@ -272,7 +272,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
+ /* LSE atomics */
+ " neg %[i], %[i]\n"
+ " stadd %[i], %[v]")
+- : [i] "+r" (x0), [v] "+Q" (v->counter)
++ : [i] "+&r" (x0), [v] "+Q" (v->counter)
+ : "r" (x1)
+ : "x30");
+ }
+@@ -292,7 +292,7 @@ static inline long atomic64_sub_return##name(long i, atomic64_t *v) \
+ " neg %[i], %[i]\n" \
+ " ldadd" #mb " %[i], x30, %[v]\n" \
+ " add %[i], %[i], x30") \
+- : [i] "+r" (x0), [v] 
"+Q" (v->counter) \ ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : "x30" , ##cl); \ + \ +@@ -412,7 +412,7 @@ static inline long __cmpxchg_double##name(unsigned long old1, \ + " eor %[old1], %[old1], %[oldval1]\n" \ + " eor %[old2], %[old2], %[oldval2]\n" \ + " orr %[old1], %[old1], %[old2]") \ +- : [old1] "+r" (x0), [old2] "+r" (x1), \ ++ : [old1] "+&r" (x0), [old2] "+&r" (x1), \ + [v] "+Q" (*(unsigned long *)ptr) \ + : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4), \ + [oldval1] "r" (oldval1), [oldval2] "r" (oldval2) \ +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index fcbc4e57d765..1ee603d07847 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -680,6 +680,10 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value) + if (value & ~known_bits) + return -EOPNOTSUPP; + ++ /* Setting FRE without FR is not supported. */ ++ if ((value & (PR_FP_MODE_FR | PR_FP_MODE_FRE)) == PR_FP_MODE_FRE) ++ return -EOPNOTSUPP; ++ + /* Avoid inadvertently triggering emulation */ + if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu && + !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64)) +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index a9958b4d9194..32fa3ae1a0a6 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -841,7 +841,7 @@ long arch_ptrace(struct task_struct *child, long request, + break; + } + #endif +- tmp = get_fpr32(&fregs[addr - FPR_BASE], 0); ++ tmp = get_fpr64(&fregs[addr - FPR_BASE], 0); + break; + case PC: + tmp = regs->cp0_epc; +diff --git a/arch/mips/kernel/ptrace32.c b/arch/mips/kernel/ptrace32.c +index b4b7e02443e7..d95117e71f69 100644 +--- a/arch/mips/kernel/ptrace32.c ++++ b/arch/mips/kernel/ptrace32.c +@@ -107,7 +107,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + addr & 1); + break; + } +- tmp = get_fpr32(&fregs[addr - FPR_BASE], 0); ++ tmp = get_fpr64(&fregs[addr - FPR_BASE], 0); + break; + case 
PC: + tmp = regs->cp0_epc; +diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S +index 9c9b7411b28b..55eb3b752ca0 100644 +--- a/arch/powerpc/kernel/cpu_setup_power.S ++++ b/arch/powerpc/kernel/cpu_setup_power.S +@@ -27,6 +27,7 @@ _GLOBAL(__setup_cpu_power7) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + bl __init_LPCR + bl __init_tlb_power7 +@@ -40,6 +41,7 @@ _GLOBAL(__restore_cpu_power7) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + bl __init_LPCR + bl __init_tlb_power7 +@@ -55,6 +57,7 @@ _GLOBAL(__setup_cpu_power8) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + ori r3, r3, LPCR_PECEDH + bl __init_LPCR +@@ -74,6 +77,7 @@ _GLOBAL(__restore_cpu_power8) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + ori r3, r3, LPCR_PECEDH + bl __init_LPCR +diff --git a/arch/sh/kernel/sh_ksyms_32.c b/arch/sh/kernel/sh_ksyms_32.c +index d77f2f6c7ff0..0b30b9dfc87f 100644 +--- a/arch/sh/kernel/sh_ksyms_32.c ++++ b/arch/sh/kernel/sh_ksyms_32.c +@@ -34,6 +34,9 @@ DECLARE_EXPORT(__sdivsi3); + DECLARE_EXPORT(__lshrsi3); + DECLARE_EXPORT(__ashrsi3); + DECLARE_EXPORT(__ashlsi3); ++DECLARE_EXPORT(__lshrsi3_r0); ++DECLARE_EXPORT(__ashrsi3_r0); ++DECLARE_EXPORT(__ashlsi3_r0); + DECLARE_EXPORT(__ashiftrt_r4_6); + DECLARE_EXPORT(__ashiftrt_r4_7); + DECLARE_EXPORT(__ashiftrt_r4_8); +diff --git a/arch/sh/lib/ashlsi3.S b/arch/sh/lib/ashlsi3.S +index bd47e9b403a5..70a6434945ab 100644 +--- a/arch/sh/lib/ashlsi3.S ++++ b/arch/sh/lib/ashlsi3.S +@@ -54,21 +54,38 @@ Boston, MA 02110-1301, USA. */ + ! + ! (none) + ! ++! __ashlsi3_r0 ++! ++! Entry: ++! ++! r4: Value to shift ++! r0: Shifts ++! ++! Exit: ++! ++! r0: Result ++! ++! Destroys: ++! ++! 
(none) ++ ++ + .global __ashlsi3 ++ .global __ashlsi3_r0 + + .align 2 + __ashlsi3: +- mov #31,r0 +- and r0,r5 ++ mov r5,r0 ++ .align 2 ++__ashlsi3_r0: ++ and #31,r0 ++ mov.l r4,@-r15 ++ mov r0,r4 + mova ashlsi3_table,r0 +- mov.b @(r0,r5),r5 +-#ifdef __sh1__ +- add r5,r0 ++ mov.b @(r0,r4),r4 ++ add r4,r0 + jmp @r0 +-#else +- braf r5 +-#endif +- mov r4,r0 ++ mov.l @r15+,r0 + + .align 2 + ashlsi3_table: +diff --git a/arch/sh/lib/ashrsi3.S b/arch/sh/lib/ashrsi3.S +index 6f3cf46b77c2..602599d80209 100644 +--- a/arch/sh/lib/ashrsi3.S ++++ b/arch/sh/lib/ashrsi3.S +@@ -54,22 +54,37 @@ Boston, MA 02110-1301, USA. */ + ! + ! (none) + ! ++! __ashrsi3_r0 ++! ++! Entry: ++! ++! r4: Value to shift ++! r0: Shifts ++! ++! Exit: ++! ++! r0: Result ++! ++! Destroys: ++! ++! (none) + + .global __ashrsi3 ++ .global __ashrsi3_r0 + + .align 2 + __ashrsi3: +- mov #31,r0 +- and r0,r5 ++ mov r5,r0 ++ .align 2 ++__ashrsi3_r0: ++ and #31,r0 ++ mov.l r4,@-r15 ++ mov r0,r4 + mova ashrsi3_table,r0 +- mov.b @(r0,r5),r5 +-#ifdef __sh1__ +- add r5,r0 ++ mov.b @(r0,r4),r4 ++ add r4,r0 + jmp @r0 +-#else +- braf r5 +-#endif +- mov r4,r0 ++ mov.l @r15+,r0 + + .align 2 + ashrsi3_table: +diff --git a/arch/sh/lib/lshrsi3.S b/arch/sh/lib/lshrsi3.S +index 1e7aaa557130..f2a6959f526d 100644 +--- a/arch/sh/lib/lshrsi3.S ++++ b/arch/sh/lib/lshrsi3.S +@@ -53,22 +53,38 @@ Boston, MA 02110-1301, USA. */ + ! Destroys: + ! + ! (none) ++! ++! __lshrsi3_r0 ++! ++! Entry: ++! ++! r0: Value to shift ++! r5: Shifts ++! ++! Exit: ++! ++! r0: Result ++! ++! Destroys: ++! ++! (none) + ! 
+ .global __lshrsi3 ++ .global __lshrsi3_r0 + + .align 2 + __lshrsi3: +- mov #31,r0 +- and r0,r5 ++ mov r5,r0 ++ .align 2 ++__lshrsi3_r0: ++ and #31,r0 ++ mov.l r4,@-r15 ++ mov r0,r4 + mova lshrsi3_table,r0 +- mov.b @(r0,r5),r5 +-#ifdef __sh1__ +- add r5,r0 ++ mov.b @(r0,r4),r4 ++ add r4,r0 + jmp @r0 +-#else +- braf r5 +-#endif +- mov r4,r0 ++ mov.l @r15+,r0 + + .align 2 + lshrsi3_table: +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index f87a55d77094..9b3f2e212b37 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -908,7 +908,7 @@ static int register_services(struct ds_info *dp) + pbuf.req.handle = cp->handle; + pbuf.req.major = 1; + pbuf.req.minor = 0; +- strcpy(pbuf.req.svc_id, cp->service_id); ++ strcpy(pbuf.id_buf, cp->service_id); + + err = __ds_send(lp, &pbuf, msg_len); + if (err > 0) +diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c +index 56410ea75ac5..6682b3eec2b6 100644 +--- a/drivers/dma/sh/usb-dmac.c ++++ b/drivers/dma/sh/usb-dmac.c +@@ -448,7 +448,7 @@ usb_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + static int usb_dmac_chan_terminate_all(struct dma_chan *chan) + { + struct usb_dmac_chan *uchan = to_usb_dmac_chan(chan); +- struct usb_dmac_desc *desc; ++ struct usb_dmac_desc *desc, *_desc; + unsigned long flags; + LIST_HEAD(head); + LIST_HEAD(list); +@@ -459,7 +459,7 @@ static int usb_dmac_chan_terminate_all(struct dma_chan *chan) + if (uchan->desc) + uchan->desc = NULL; + list_splice_init(&uchan->desc_got, &list); +- list_for_each_entry(desc, &list, node) ++ list_for_each_entry_safe(desc, _desc, &list, node) + list_move_tail(&desc->node, &uchan->desc_freed); + spin_unlock_irqrestore(&uchan->vc.lock, flags); + vchan_dma_desc_free_list(&uchan->vc, &head); +diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c +index 7f39b8ad88ae..de6710fe3ff4 100644 +--- a/drivers/gpu/drm/i915/intel_lvds.c ++++ b/drivers/gpu/drm/i915/intel_lvds.c +@@ -768,6 
+768,14 @@ static const struct dmi_system_id intel_no_lvds[] = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "D525MW"), + }, + }, ++ { ++ .callback = intel_no_lvds_dmi_callback, ++ .ident = "Radiant P845", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Radiant Systems Inc"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P845"), ++ }, ++ }, + + { } /* terminating entry */ + }; +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index d2dff159a471..99434f5be34c 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include "stm.h" + + #include +@@ -602,7 +603,7 @@ static void stm_device_release(struct device *dev) + { + struct stm_device *stm = to_stm_device(dev); + +- kfree(stm); ++ vfree(stm); + } + + int stm_register_device(struct device *parent, struct stm_data *stm_data, +@@ -619,7 +620,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + return -EINVAL; + + nmasters = stm_data->sw_end - stm_data->sw_start; +- stm = kzalloc(sizeof(*stm) + nmasters * sizeof(void *), GFP_KERNEL); ++ stm = vzalloc(sizeof(*stm) + nmasters * sizeof(void *)); + if (!stm) + return -ENOMEM; + +@@ -656,7 +657,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + err_device: + put_device(&stm->dev); + err_free: +- kfree(stm); ++ vfree(stm); + + return err; + } +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index 599c0d7bd906..6f89484765e3 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include + + /* register offsets */ + #define ICSCR 0x00 /* slave ctrl */ +@@ -84,6 +83,7 @@ + + #define RCAR_BUS_PHASE_START (MDBS | MIE | ESG) + #define RCAR_BUS_PHASE_DATA (MDBS | MIE) ++#define RCAR_BUS_MASK_DATA (~(ESG | FSB) & 0xFF) + #define RCAR_BUS_PHASE_STOP (MDBS | MIE | FSB) + + #define RCAR_IRQ_SEND (MNR | MAL | MST | MAT | MDE) +@@ -94,7 
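Review bot: In stm_register_device the `err_device:` label still falls through to `err_free:`, so after `put_device(&stm->dev)` the same pointer reaches `vfree(stm)` again; if that put drops the last reference, stm_device_release (switched to `vfree(stm)` in the first stm hunk) has already freed it and this is a double free. Where the release callback gets attached is outside the hunks, so this needs confirming against the full function, but if it is attached by then, the error path should be `put_device(&stm->dev); return err;` with `err_free` reached only from the paths before device initialisation. The allocation size `sizeof(*stm) + nmasters * sizeof(void *)` is also derived from `sw_end - sw_start` with no visible check that `sw_end >= sw_start`. A range check next to the existing `-EINVAL` test would make the vzalloc size trustworthy. The function starts and ends outside the hunks.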
+94,6 @@ + #define RCAR_IRQ_ACK_RECV (~(MAT | MDR) & 0xFF) + + #define ID_LAST_MSG (1 << 0) +-#define ID_IOERROR (1 << 1) + #define ID_DONE (1 << 2) + #define ID_ARBLOST (1 << 3) + #define ID_NACK (1 << 4) +@@ -108,10 +107,10 @@ enum rcar_i2c_type { + struct rcar_i2c_priv { + void __iomem *io; + struct i2c_adapter adap; +- struct i2c_msg *msg; ++ struct i2c_msg *msg; ++ int msgs_left; + struct clk *clk; + +- spinlock_t lock; + wait_queue_head_t wait; + + int pos; +@@ -144,9 +143,10 @@ static void rcar_i2c_init(struct rcar_i2c_priv *priv) + { + /* reset master mode */ + rcar_i2c_write(priv, ICMIER, 0); +- rcar_i2c_write(priv, ICMCR, 0); ++ rcar_i2c_write(priv, ICMCR, MDBS); + rcar_i2c_write(priv, ICMSR, 0); +- rcar_i2c_write(priv, ICMAR, 0); ++ /* start clock */ ++ rcar_i2c_write(priv, ICCCR, priv->icccr); + } + + static int rcar_i2c_bus_barrier(struct rcar_i2c_priv *priv) +@@ -257,16 +257,28 @@ static void rcar_i2c_prepare_msg(struct rcar_i2c_priv *priv) + { + int read = !!rcar_i2c_is_recv(priv); + ++ priv->pos = 0; ++ priv->flags = 0; ++ if (priv->msgs_left == 1) ++ rcar_i2c_flags_set(priv, ID_LAST_MSG); ++ + rcar_i2c_write(priv, ICMAR, (priv->msg->addr << 1) | read); + rcar_i2c_write(priv, ICMSR, 0); + rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_START); + rcar_i2c_write(priv, ICMIER, read ? RCAR_IRQ_RECV : RCAR_IRQ_SEND); + } + ++static void rcar_i2c_next_msg(struct rcar_i2c_priv *priv) ++{ ++ priv->msg++; ++ priv->msgs_left--; ++ rcar_i2c_prepare_msg(priv); ++} ++ + /* + * interrupt functions + */ +-static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr) ++static void rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr) + { + struct i2c_msg *msg = priv->msg; + +@@ -276,14 +288,7 @@ static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr) + * Do nothing + */ + if (!(msr & MDE)) +- return 0; +- +- /* +- * If address transfer phase finished, +- * goto data phase. 
+- */ +- if (msr & MAT) +- rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_DATA); ++ return; + + if (priv->pos < msg->len) { + /* +@@ -305,29 +310,23 @@ static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr) + * [ICRXTX] -> [SHIFT] -> [I2C bus] + */ + +- if (priv->flags & ID_LAST_MSG) ++ if (priv->flags & ID_LAST_MSG) { + /* + * If current msg is the _LAST_ msg, + * prepare stop condition here. + * ID_DONE will be set on STOP irq. + */ + rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP); +- else +- /* +- * If current msg is _NOT_ last msg, +- * it doesn't call stop phase. +- * thus, there is no STOP irq. +- * return ID_DONE here. +- */ +- return ID_DONE; ++ } else { ++ rcar_i2c_next_msg(priv); ++ return; ++ } + } + + rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_SEND); +- +- return 0; + } + +-static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr) ++static void rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr) + { + struct i2c_msg *msg = priv->msg; + +@@ -337,14 +336,10 @@ static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr) + * Do nothing + */ + if (!(msr & MDR)) +- return 0; ++ return; + + if (msr & MAT) { +- /* +- * Address transfer phase finished, +- * but, there is no data at this point. +- * Do nothing. +- */ ++ /* Address transfer phase finished, but no data at this point. 
*/ + } else if (priv->pos < msg->len) { + /* + * get received data +@@ -360,12 +355,11 @@ static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr) + */ + if (priv->pos + 1 >= msg->len) + rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP); +- else +- rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_DATA); + +- rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_RECV); +- +- return 0; ++ if (priv->pos == msg->len && !(priv->flags & ID_LAST_MSG)) ++ rcar_i2c_next_msg(priv); ++ else ++ rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_RECV); + } + + static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) +@@ -426,22 +420,21 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + static irqreturn_t rcar_i2c_irq(int irq, void *ptr) + { + struct rcar_i2c_priv *priv = ptr; +- irqreturn_t result = IRQ_HANDLED; +- u32 msr; +- +- /*-------------- spin lock -----------------*/ +- spin_lock(&priv->lock); ++ u32 msr, val; + +- if (rcar_i2c_slave_irq(priv)) +- goto exit; ++ /* Clear START or STOP as soon as we can */ ++ val = rcar_i2c_read(priv, ICMCR); ++ rcar_i2c_write(priv, ICMCR, val & RCAR_BUS_MASK_DATA); + + msr = rcar_i2c_read(priv, ICMSR); + + /* Only handle interrupts that are currently enabled */ + msr &= rcar_i2c_read(priv, ICMIER); + if (!msr) { +- result = IRQ_NONE; +- goto exit; ++ if (rcar_i2c_slave_irq(priv)) ++ return IRQ_HANDLED; ++ ++ return IRQ_NONE; + } + + /* Arbitration lost */ +@@ -452,8 +445,7 @@ static irqreturn_t rcar_i2c_irq(int irq, void *ptr) + + /* Nack */ + if (msr & MNR) { +- /* go to stop phase */ +- rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP); ++ /* HW automatically sends STOP after received NACK */ + rcar_i2c_write(priv, ICMIER, RCAR_IRQ_STOP); + rcar_i2c_flags_set(priv, ID_NACK); + goto out; +@@ -461,14 +453,15 @@ static irqreturn_t rcar_i2c_irq(int irq, void *ptr) + + /* Stop */ + if (msr & MST) { ++ priv->msgs_left--; /* The last message also made it */ + rcar_i2c_flags_set(priv, ID_DONE); + goto out; + } + + if (rcar_i2c_is_recv(priv)) +- 
rcar_i2c_flags_set(priv, rcar_i2c_irq_recv(priv, msr)); ++ rcar_i2c_irq_recv(priv, msr); + else +- rcar_i2c_flags_set(priv, rcar_i2c_irq_send(priv, msr)); ++ rcar_i2c_irq_send(priv, msr); + + out: + if (rcar_i2c_flags_has(priv, ID_DONE)) { +@@ -477,11 +470,7 @@ out: + wake_up(&priv->wait); + } + +-exit: +- spin_unlock(&priv->lock); +- /*-------------- spin unlock -----------------*/ +- +- return result; ++ return IRQ_HANDLED; + } + + static int rcar_i2c_master_xfer(struct i2c_adapter *adap, +@@ -490,22 +479,11 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap, + { + struct rcar_i2c_priv *priv = i2c_get_adapdata(adap); + struct device *dev = rcar_i2c_priv_to_dev(priv); +- unsigned long flags; + int i, ret; +- long timeout; ++ long time_left; + + pm_runtime_get_sync(dev); + +- /*-------------- spin lock -----------------*/ +- spin_lock_irqsave(&priv->lock, flags); +- +- rcar_i2c_init(priv); +- /* start clock */ +- rcar_i2c_write(priv, ICCCR, priv->icccr); +- +- spin_unlock_irqrestore(&priv->lock, flags); +- /*-------------- spin unlock -----------------*/ +- + ret = rcar_i2c_bus_barrier(priv); + if (ret < 0) + goto out; +@@ -514,48 +492,28 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap, + /* This HW can't send STOP after address phase */ + if (msgs[i].len == 0) { + ret = -EOPNOTSUPP; +- break; +- } +- +- /*-------------- spin lock -----------------*/ +- spin_lock_irqsave(&priv->lock, flags); +- +- /* init each data */ +- priv->msg = &msgs[i]; +- priv->pos = 0; +- priv->flags = 0; +- if (i == num - 1) +- rcar_i2c_flags_set(priv, ID_LAST_MSG); +- +- rcar_i2c_prepare_msg(priv); +- +- spin_unlock_irqrestore(&priv->lock, flags); +- /*-------------- spin unlock -----------------*/ +- +- timeout = wait_event_timeout(priv->wait, +- rcar_i2c_flags_has(priv, ID_DONE), +- adap->timeout); +- if (!timeout) { +- ret = -ETIMEDOUT; +- break; +- } +- +- if (rcar_i2c_flags_has(priv, ID_NACK)) { +- ret = -ENXIO; +- break; +- } +- +- if (rcar_i2c_flags_has(priv, 
ID_ARBLOST)) { +- ret = -EAGAIN; +- break; +- } +- +- if (rcar_i2c_flags_has(priv, ID_IOERROR)) { +- ret = -EIO; +- break; ++ goto out; + } ++ } + +- ret = i + 1; /* The number of transfer */ ++ /* init data */ ++ priv->msg = msgs; ++ priv->msgs_left = num; ++ ++ rcar_i2c_prepare_msg(priv); ++ ++ time_left = wait_event_timeout(priv->wait, ++ rcar_i2c_flags_has(priv, ID_DONE), ++ num * adap->timeout); ++ if (!time_left) { ++ rcar_i2c_init(priv); ++ ret = -ETIMEDOUT; ++ } else if (rcar_i2c_flags_has(priv, ID_NACK)) { ++ ret = -ENXIO; ++ } else if (rcar_i2c_flags_has(priv, ID_ARBLOST)) { ++ ret = -EAGAIN; ++ } else { ++ ret = num - priv->msgs_left; /* The number of transfer */ + } + out: + pm_runtime_put(dev); +@@ -650,23 +608,27 @@ static int rcar_i2c_probe(struct platform_device *pdev) + return PTR_ERR(priv->clk); + } + ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ priv->io = devm_ioremap_resource(dev, res); ++ if (IS_ERR(priv->io)) ++ return PTR_ERR(priv->io); ++ + bus_speed = 100000; /* default 100 kHz */ + of_property_read_u32(dev->of_node, "clock-frequency", &bus_speed); + + priv->devtype = (enum rcar_i2c_type)of_match_device(rcar_i2c_dt_ids, dev)->data; + ++ pm_runtime_enable(dev); ++ pm_runtime_get_sync(dev); + ret = rcar_i2c_clock_calculate(priv, bus_speed, dev); + if (ret < 0) +- return ret; ++ goto out_pm_put; + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- priv->io = devm_ioremap_resource(dev, res); +- if (IS_ERR(priv->io)) +- return PTR_ERR(priv->io); ++ rcar_i2c_init(priv); ++ pm_runtime_put(dev); + + irq = platform_get_irq(pdev, 0); + init_waitqueue_head(&priv->wait); +- spin_lock_init(&priv->lock); + + adap = &priv->adap; + adap->nr = pdev->id; +@@ -682,22 +644,26 @@ static int rcar_i2c_probe(struct platform_device *pdev) + dev_name(dev), priv); + if (ret < 0) { + dev_err(dev, "cannot get irq %d\n", irq); +- return ret; ++ goto out_pm_disable; + } + +- pm_runtime_enable(dev); + platform_set_drvdata(pdev, priv); + + ret = 
i2c_add_numbered_adapter(adap); + if (ret < 0) { + dev_err(dev, "reg adap failed: %d\n", ret); +- pm_runtime_disable(dev); +- return ret; ++ goto out_pm_disable; + } + + dev_info(dev, "probed\n"); + + return 0; ++ ++ out_pm_put: ++ pm_runtime_put(dev); ++ out_pm_disable: ++ pm_runtime_disable(dev); ++ return ret; + } + + static int rcar_i2c_remove(struct platform_device *pdev) +diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c +index c5b999f0c519..7ef9b13262a8 100644 +--- a/drivers/iio/buffer/kfifo_buf.c ++++ b/drivers/iio/buffer/kfifo_buf.c +@@ -24,6 +24,13 @@ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf, + if ((length == 0) || (bytes_per_datum == 0)) + return -EINVAL; + ++ /* ++ * Make sure we don't overflow an unsigned int after kfifo rounds up to ++ * the next power of 2. ++ */ ++ if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum) ++ return -EINVAL; ++ + return __kfifo_alloc((struct __kfifo *)&buf->kf, length, + bytes_per_datum, GFP_KERNEL); + } +diff --git a/drivers/input/mouse/elan_i2c_smbus.c b/drivers/input/mouse/elan_i2c_smbus.c +index cb6aecbc1dc2..25dba1d7aa57 100644 +--- a/drivers/input/mouse/elan_i2c_smbus.c ++++ b/drivers/input/mouse/elan_i2c_smbus.c +@@ -130,7 +130,7 @@ static int elan_smbus_get_baseline_data(struct i2c_client *client, + bool max_baseline, u8 *value) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + max_baseline ? +@@ -149,7 +149,7 @@ static int elan_smbus_get_version(struct i2c_client *client, + bool iap, u8 *version) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + iap ? 
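Review bot: The new overflow guard in __iio_allocate_kfifo assumes `length` and `bytes_per_datum` are positive, but the check above it rejects only zero and the parameter types are outside the hunk. If they are signed, a negative `length` reaches `roundup_pow_of_two()` and the outcome depends on implicit conversion. Rejecting it up front with `if (length <= 0 || bytes_per_datum <= 0) return -EINVAL;` would make the bound independent of that. If the parameters are already unsigned, a one-line comment saying so is enough.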
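Review bot: Sizing `val` to `I2C_SMBUS_BLOCK_MAX` bounds what `i2c_smbus_read_block_data()` can write, but nothing in this hunk checks how many bytes were actually returned before `val` is parsed. With the `{0}` initialiser, a short reply would be read as zeros rather than rejected. The parsing code is outside the hunk, so this needs confirming there. If the check is missing, each helper should compare the returned count with the number of bytes it consumes and return `-EIO` on a short read. The same applies to the other `elan_smbus_*` hunks in this file, which make the identical one-line change.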
ETP_SMBUS_IAP_VERSION_CMD : +@@ -169,7 +169,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client, + u8 *ic_type, u8 *version) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + ETP_SMBUS_SM_VERSION_CMD, val); +@@ -186,7 +186,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client, + static int elan_smbus_get_product_id(struct i2c_client *client, u16 *id) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + ETP_SMBUS_UNIQUEID_CMD, val); +@@ -203,7 +203,7 @@ static int elan_smbus_get_checksum(struct i2c_client *client, + bool iap, u16 *csum) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + iap ? ETP_SMBUS_FW_CHECKSUM_CMD : +@@ -223,7 +223,7 @@ static int elan_smbus_get_max(struct i2c_client *client, + unsigned int *max_x, unsigned int *max_y) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, ETP_SMBUS_RANGE_CMD, val); + if (error) { +@@ -241,7 +241,7 @@ static int elan_smbus_get_resolution(struct i2c_client *client, + u8 *hw_res_x, u8 *hw_res_y) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + ETP_SMBUS_RESOLUTION_CMD, val); +@@ -261,7 +261,7 @@ static int elan_smbus_get_num_traces(struct i2c_client *client, + unsigned int *y_traces) + { + int error; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, + ETP_SMBUS_XY_TRACENUM_CMD, val); +@@ -288,7 +288,7 @@ static int elan_smbus_iap_get_mode(struct i2c_client *client, + { + int error; + u16 constant; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + error = i2c_smbus_read_block_data(client, ETP_SMBUS_IAP_CTRL_CMD, val); + if (error < 0) { +@@ -339,7 +339,7 @@ static int elan_smbus_prepare_fw_update(struct i2c_client 
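Review bot: In elan_smbus_get_max the context line `if (error) {` treats any non-zero return as a failure, yet `i2c_smbus_read_block_data()` is documented to return the number of bytes read on success, so a good reply would take the error branch. elan_smbus_iap_get_mode, a few hunks later, tests `if (error < 0) {`, which looks like the intended form and would fit here too. The rest of the function is outside the hunk.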
*client) + int len; + int error; + enum tp_mode mode; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + u8 cmd[4] = {0x0F, 0x78, 0x00, 0x06}; + u16 password; + +@@ -413,7 +413,7 @@ static int elan_smbus_write_fw_block(struct i2c_client *client, + struct device *dev = &client->dev; + int error; + u16 result; +- u8 val[3]; ++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0}; + + /* + * Due to the limitation of smbus protocol limiting +diff --git a/drivers/net/irda/w83977af_ir.c b/drivers/net/irda/w83977af_ir.c +index 4e3d2e7c697c..e8c3a8c32534 100644 +--- a/drivers/net/irda/w83977af_ir.c ++++ b/drivers/net/irda/w83977af_ir.c +@@ -518,7 +518,9 @@ static netdev_tx_t w83977af_hard_xmit(struct sk_buff *skb, + + mtt = irda_get_mtt(skb); + pr_debug("%s(%ld), mtt=%d\n", __func__ , jiffies, mtt); +- if (mtt) ++ if (mtt > 1000) ++ mdelay(mtt/1000); ++ else if (mtt) + udelay(mtt); + + /* Enable DMA interrupt */ +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c +index 5624ade92cc0..c2a156a8acec 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c +@@ -304,9 +304,6 @@ static void _rtl92c_get_txpower_writeval_by_regulatory(struct ieee80211_hw *hw, + writeVal = 0x00000000; + if (rtlpriv->dm.dynamic_txhighpower_lvl == TXHIGHPWRLEVEL_BT1) + writeVal = writeVal - 0x06060606; +- else if (rtlpriv->dm.dynamic_txhighpower_lvl == +- TXHIGHPWRLEVEL_BT2) +- writeVal = writeVal; + *(p_outwriteval + rf) = writeVal; + } + } +diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c +index e3cd3ece4412..c3d1891d2d3f 100644 +--- a/drivers/scsi/scsi_transport_srp.c ++++ b/drivers/scsi/scsi_transport_srp.c +@@ -52,6 +52,8 @@ struct srp_internal { + struct transport_container rport_attr_cont; + }; + ++static int scsi_is_srp_rport(const struct device *dev); ++ + #define to_srp_internal(tmpl) container_of(tmpl, struct srp_internal, t) + + #define 
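Review bot: `mdelay(mtt/1000)` in the new `mtt > 1000` branch truncates, so an `mtt` of 1999 us is waited for only 1 ms, which is shorter than the requested minimum turn time. Rounding up with `mdelay(DIV_ROUND_UP(mtt, 1000));` keeps the delay at or above `mtt`. w83977af_hard_xmit starts and ends outside the hunk.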
dev_to_rport(d) container_of(d, struct srp_rport, dev) +@@ -61,9 +63,24 @@ static inline struct Scsi_Host *rport_to_shost(struct srp_rport *r) + return dev_to_shost(r->dev.parent); + } + ++static int find_child_rport(struct device *dev, void *data) ++{ ++ struct device **child = data; ++ ++ if (scsi_is_srp_rport(dev)) { ++ WARN_ON_ONCE(*child); ++ *child = dev; ++ } ++ return 0; ++} ++ + static inline struct srp_rport *shost_to_rport(struct Scsi_Host *shost) + { +- return transport_class_to_srp_rport(&shost->shost_gendev); ++ struct device *child = NULL; ++ ++ WARN_ON_ONCE(device_for_each_child(&shost->shost_gendev, &child, ++ find_child_rport) < 0); ++ return child ? dev_to_rport(child) : NULL; + } + + /** +@@ -637,7 +654,8 @@ static enum blk_eh_timer_return srp_timed_out(struct scsi_cmnd *scmd) + struct srp_rport *rport = shost_to_rport(shost); + + pr_debug("timeout for sdev %s\n", dev_name(&sdev->sdev_gendev)); +- return rport->fast_io_fail_tmo < 0 && rport->dev_loss_tmo < 0 && ++ return rport && rport->fast_io_fail_tmo < 0 && ++ rport->dev_loss_tmo < 0 && + i->f->reset_timer_if_blocked && scsi_device_blocked(sdev) ? 
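Review bot: shost_to_rport() can now return NULL, and find_child_rport stores the `struct device` it finds without taking a reference. The reference held by `device_for_each_child()` is presumably dropped once the walk ends, so the returned rport is only safe if the caller holds something that keeps it alive. srp_timed_out gains a `rport &&` test in this patch, but any other caller of shost_to_rport (none is visible here) needs the same NULL check. A comment on shost_to_rport, e.g. `/* May return NULL; caller must ensure the rport cannot be removed concurrently. */`, would document the new contract.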
+ BLK_EH_RESET_TIMER : BLK_EH_NOT_HANDLED; + } +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 32cadca198b2..e7a051386b32 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -33,7 +33,7 @@ static int cp210x_open(struct tty_struct *tty, struct usb_serial_port *); + static void cp210x_close(struct usb_serial_port *); + static void cp210x_get_termios(struct tty_struct *, struct usb_serial_port *); + static void cp210x_get_termios_port(struct usb_serial_port *port, +- unsigned int *cflagp, unsigned int *baudp); ++ tcflag_t *cflagp, unsigned int *baudp); + static void cp210x_change_speed(struct tty_struct *, struct usb_serial_port *, + struct ktermios *); + static void cp210x_set_termios(struct tty_struct *, struct usb_serial_port *, +@@ -515,7 +515,7 @@ static void cp210x_get_termios(struct tty_struct *tty, + &tty->termios.c_cflag, &baud); + tty_encode_baud_rate(tty, baud, baud); + } else { +- unsigned int cflag; ++ tcflag_t cflag; + cflag = 0; + cp210x_get_termios_port(port, &cflag, &baud); + } +@@ -526,10 +526,11 @@ static void cp210x_get_termios(struct tty_struct *tty, + * This is the heart of cp210x_get_termios which always uses a &usb_serial_port. 
+ */ + static void cp210x_get_termios_port(struct usb_serial_port *port, +- unsigned int *cflagp, unsigned int *baudp) ++ tcflag_t *cflagp, unsigned int *baudp) + { + struct device *dev = &port->dev; +- unsigned int cflag, modem_ctl[4]; ++ tcflag_t cflag; ++ unsigned int modem_ctl[4]; + unsigned int baud; + unsigned int bits; + +diff --git a/fs/aio.c b/fs/aio.c +index 4efaf29354a6..c283eb03cb38 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -628,9 +628,8 @@ static void free_ioctx_users(struct percpu_ref *ref) + while (!list_empty(&ctx->active_reqs)) { + req = list_first_entry(&ctx->active_reqs, + struct aio_kiocb, ki_list); +- +- list_del_init(&req->ki_list); + kiocb_cancel(req); ++ list_del_init(&req->ki_list); + } + + spin_unlock_irq(&ctx->ctx_lock); +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index e1e7fe3b5424..b663b756f552 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -1923,6 +1923,93 @@ xfs_alloc_space_available( + return true; + } + ++/* ++ * Check the agfl fields of the agf for inconsistency or corruption. The purpose ++ * is to detect an agfl header padding mismatch between current and early v5 ++ * kernels. This problem manifests as a 1-slot size difference between the ++ * on-disk flcount and the active [first, last] range of a wrapped agfl. This ++ * may also catch variants of agfl count corruption unrelated to padding. Either ++ * way, we'll reset the agfl and warn the user. ++ * ++ * Return true if a reset is required before the agfl can be used, false ++ * otherwise. 
++ */ ++static bool ++xfs_agfl_needs_reset( ++ struct xfs_mount *mp, ++ struct xfs_agf *agf) ++{ ++ uint32_t f = be32_to_cpu(agf->agf_flfirst); ++ uint32_t l = be32_to_cpu(agf->agf_fllast); ++ uint32_t c = be32_to_cpu(agf->agf_flcount); ++ int agfl_size = XFS_AGFL_SIZE(mp); ++ int active; ++ ++ /* no agfl header on v4 supers */ ++ if (!xfs_sb_version_hascrc(&mp->m_sb)) ++ return false; ++ ++ /* ++ * The agf read verifier catches severe corruption of these fields. ++ * Repeat some sanity checks to cover a packed -> unpacked mismatch if ++ * the verifier allows it. ++ */ ++ if (f >= agfl_size || l >= agfl_size) ++ return true; ++ if (c > agfl_size) ++ return true; ++ ++ /* ++ * Check consistency between the on-disk count and the active range. An ++ * agfl padding mismatch manifests as an inconsistent flcount. ++ */ ++ if (c && l >= f) ++ active = l - f + 1; ++ else if (c) ++ active = agfl_size - f + l + 1; ++ else ++ active = 0; ++ ++ return active != c; ++} ++ ++/* ++ * Reset the agfl to an empty state. Ignore/drop any existing blocks since the ++ * agfl content cannot be trusted. Warn the user that a repair is required to ++ * recover leaked blocks. ++ * ++ * The purpose of this mechanism is to handle filesystems affected by the agfl ++ * header padding mismatch problem. A reset keeps the filesystem online with a ++ * relatively minor free space accounting inconsistency rather than suffer the ++ * inevitable crash from use of an invalid agfl block. ++ */ ++static void ++xfs_agfl_reset( ++ struct xfs_trans *tp, ++ struct xfs_buf *agbp, ++ struct xfs_perag *pag) ++{ ++ struct xfs_mount *mp = tp->t_mountp; ++ struct xfs_agf *agf = XFS_BUF_TO_AGF(agbp); ++ ++ ASSERT(pag->pagf_agflreset); ++ trace_xfs_agfl_reset(mp, agf, 0, _RET_IP_); ++ ++ xfs_warn(mp, ++ "WARNING: Reset corrupted AGFL on AG %u. %d blocks leaked. 
" ++ "Please unmount and run xfs_repair.", ++ pag->pag_agno, pag->pagf_flcount); ++ ++ agf->agf_flfirst = 0; ++ agf->agf_fllast = cpu_to_be32(XFS_AGFL_SIZE(mp) - 1); ++ agf->agf_flcount = 0; ++ xfs_alloc_log_agf(tp, agbp, XFS_AGF_FLFIRST | XFS_AGF_FLLAST | ++ XFS_AGF_FLCOUNT); ++ ++ pag->pagf_flcount = 0; ++ pag->pagf_agflreset = false; ++} ++ + /* + * Decide whether to use this allocation group for this allocation. + * If so, fix up the btree freelist's size. +@@ -1983,6 +2070,10 @@ xfs_alloc_fix_freelist( + } + } + ++ /* reset a padding mismatched agfl before final free space check */ ++ if (pag->pagf_agflreset) ++ xfs_agfl_reset(tp, agbp, pag); ++ + /* If there isn't enough total space or single-extent, reject it. */ + need = xfs_alloc_min_freelist(mp, pag); + if (!xfs_alloc_space_available(args, need, flags)) +@@ -2121,6 +2212,7 @@ xfs_alloc_get_freelist( + agf->agf_flfirst = 0; + + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno)); ++ ASSERT(!pag->pagf_agflreset); + be32_add_cpu(&agf->agf_flcount, -1); + xfs_trans_agflist_delta(tp, -1); + pag->pagf_flcount--; +@@ -2226,6 +2318,7 @@ xfs_alloc_put_freelist( + agf->agf_fllast = 0; + + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno)); ++ ASSERT(!pag->pagf_agflreset); + be32_add_cpu(&agf->agf_flcount, 1); + xfs_trans_agflist_delta(tp, 1); + pag->pagf_flcount++; +@@ -2417,6 +2510,7 @@ xfs_alloc_read_agf( + pag->pagb_count = 0; + pag->pagb_tree = RB_ROOT; + pag->pagf_init = 1; ++ pag->pagf_agflreset = xfs_agfl_needs_reset(mp, agf); + } + #ifdef DEBUG + else if (!XFS_FORCED_SHUTDOWN(mp)) { +diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h +index b57098481c10..ae3e52749f20 100644 +--- a/fs/xfs/xfs_mount.h ++++ b/fs/xfs/xfs_mount.h +@@ -278,6 +278,7 @@ typedef struct xfs_perag { + char pagi_inodeok; /* The agi is ok for inodes */ + __uint8_t pagf_levels[XFS_BTNUM_AGF]; + /* # of levels in bno & cnt btree */ ++ bool pagf_agflreset; /* agfl requires reset before use */ + __uint32_t pagf_flcount; /* count of 
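Review bot: In xfs_agfl_reset the warning formats `pag->pagf_flcount` with `%d`, while xfs_mount.h in this same patch declares that field `__uint32_t`. `%u` matches the type and is already used for `pag->pag_agno` in the same call. xfs_agfl_needs_reset likewise mixes `int agfl_size` and `int active` with the `uint32_t` values `f`, `l` and `c` in comparisons such as `f >= agfl_size` and `active != c`. Declaring both as `uint32_t` would avoid relying on implicit signed-to-unsigned conversion when validating on-disk fields.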
blocks in freelist */ + xfs_extlen_t pagf_freeblks; /* total free blocks */ + xfs_extlen_t pagf_longest; /* longest free space */ +diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h +index 877079eb0f8f..cc6fa64821d2 100644 +--- a/fs/xfs/xfs_trace.h ++++ b/fs/xfs/xfs_trace.h +@@ -1485,7 +1485,7 @@ TRACE_EVENT(xfs_trans_commit_lsn, + __entry->lsn) + ); + +-TRACE_EVENT(xfs_agf, ++DECLARE_EVENT_CLASS(xfs_agf_class, + TP_PROTO(struct xfs_mount *mp, struct xfs_agf *agf, int flags, + unsigned long caller_ip), + TP_ARGS(mp, agf, flags, caller_ip), +@@ -1541,6 +1541,13 @@ TRACE_EVENT(xfs_agf, + __entry->longest, + (void *)__entry->caller_ip) + ); ++#define DEFINE_AGF_EVENT(name) \ ++DEFINE_EVENT(xfs_agf_class, name, \ ++ TP_PROTO(struct xfs_mount *mp, struct xfs_agf *agf, int flags, \ ++ unsigned long caller_ip), \ ++ TP_ARGS(mp, agf, flags, caller_ip)) ++DEFINE_AGF_EVENT(xfs_agf); ++DEFINE_AGF_EVENT(xfs_agfl_reset); + + TRACE_EVENT(xfs_free_extent, + TP_PROTO(struct xfs_mount *mp, xfs_agnumber_t agno, xfs_agblock_t agbno, +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 2260f92f1492..5b6df1a8dc74 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -324,7 +324,7 @@ struct tcp_sock { + + /* Receiver queue space */ + struct { +- int space; ++ u32 space; + u32 seq; + u32 time; + } rcvq_space; +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index f4227173b5d8..d3aea4f10faf 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2195,7 +2195,7 @@ enum nl80211_attrs { + #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS + #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS + +-#define NL80211_WIPHY_NAME_MAXLEN 128 ++#define NL80211_WIPHY_NAME_MAXLEN 64 + + #define NL80211_MAX_SUPP_RATES 32 + #define NL80211_MAX_SUPP_HT_RATES 77 +diff --git a/init/Kconfig b/init/Kconfig +index ef2f97dc6010..47b0bdcf33c2 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1308,6 +1308,17 @@ source "usr/Kconfig" + 
+ endif + ++choice ++ prompt "Compiler optimization level" ++ default CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE ++ ++config CC_OPTIMIZE_FOR_PERFORMANCE ++ bool "Optimize for performance" ++ help ++ This is the default optimization level for the kernel, building ++ with the "-O2" compiler flag for best performance and most ++ helpful compile-time warnings. ++ + config CC_OPTIMIZE_FOR_SIZE + bool "Optimize for size" + help +@@ -1316,6 +1327,8 @@ config CC_OPTIMIZE_FOR_SIZE + + If unsure, say N. + ++endchoice ++ + config SYSCTL + bool + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index 42a4009fd75a..2172dd61577e 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -469,9 +469,10 @@ clear_event_triggers(struct trace_array *tr) + struct trace_event_file *file; + + list_for_each_entry(file, &tr->events, list) { +- struct event_trigger_data *data; +- list_for_each_entry_rcu(data, &file->triggers, list) { ++ struct event_trigger_data *data, *n; ++ list_for_each_entry_safe(data, n, &file->triggers, list) { + trace_event_trigger_enable_disable(file, 0); ++ list_del_rcu(&data->list); + if (data->ops->free) + data->ops->free(data->ops, data); + } +diff --git a/mm/vmscan.c b/mm/vmscan.c +index b58ca729f20a..76853088f66b 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -1331,7 +1331,7 @@ int __isolate_lru_page(struct page *page, isolate_mode_t mode) + return ret; + + mapping = page_mapping(page); +- migrate_dirty = mapping && mapping->a_ops->migratepage; ++ migrate_dirty = !mapping || mapping->a_ops->migratepage; + unlock_page(page); + if (!migrate_dirty) + return ret; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index ed018760502e..23b95aead897 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -557,8 +557,8 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk, + void tcp_rcv_space_adjust(struct sock *sk) + { + struct tcp_sock *tp = tcp_sk(sk); ++ u32 copied; 
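Review bot: The choice's `default CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE` carries the `CONFIG_` prefix, but the entry is declared just below as `config CC_OPTIMIZE_FOR_PERFORMANCE`. Kconfig symbols are referenced without the prefix, so this default points at an undefined symbol; `default CC_OPTIMIZE_FOR_PERFORMANCE` is the intended spelling. The outcome is probably unchanged today because a choice falls back to its first entry, but that would stop holding if the entries were reordered.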
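Review bot: In clear_event_triggers each entry is unlinked with `list_del_rcu(&data->list)` and then passed straight to `data->ops->free()`, with no grace period visible between the two. If `free` releases the memory and other code can still walk `file->triggers` under RCU at this point, a reader could touch a freed entry; whether either holds is outside the hunk. If readers are already excluded here, a comment such as `/* no RCU readers remain: <reason> */` would settle it. Otherwise the free should be deferred until after a grace period.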
+ int time; +- int copied; + + time = tcp_time_stamp - tp->rcvq_space.time; + if (time < (tp->rcv_rtt_est.rtt >> 3) || tp->rcv_rtt_est.rtt == 0) +@@ -580,12 +580,13 @@ void tcp_rcv_space_adjust(struct sock *sk) + + if (sysctl_tcp_moderate_rcvbuf && + !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { +- int rcvwin, rcvmem, rcvbuf; ++ int rcvmem, rcvbuf; ++ u64 rcvwin; + + /* minimal window to cope with packet losses, assuming + * steady state. Add some cushion because of small variations. + */ +- rcvwin = (copied << 1) + 16 * tp->advmss; ++ rcvwin = ((u64)copied << 1) + 16 * tp->advmss; + + /* If rate increased by 25%, + * assume slow start, rcvwin = 3 * copied +@@ -605,7 +606,8 @@ void tcp_rcv_space_adjust(struct sock *sk) + while (tcp_win_from_space(rcvmem) < tp->advmss) + rcvmem += 128; + +- rcvbuf = min(rcvwin / tp->advmss * rcvmem, sysctl_tcp_rmem[2]); ++ do_div(rcvwin, tp->advmss); ++ rcvbuf = min_t(u64, rcvwin * rcvmem, sysctl_tcp_rmem[2]); + if (rcvbuf > sk->sk_rcvbuf) { + sk->sk_rcvbuf = rcvbuf; + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 8da7c91b725d..c36b98b07d6b 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -383,14 +383,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 
1 : 0); + result = 0; + } + return result; +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 23dca68ffe25..0a258c0602d1 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1441,7 +1441,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, + scontext_len, &context, def_sid); + if (rc == -EINVAL && force) { + context.str = str; +- context.len = scontext_len; ++ context.len = strlen(str) + 1; + str = NULL; + } else if (rc) + goto out_unlock; +diff --git a/sound/soc/intel/common/sst-firmware.c b/sound/soc/intel/common/sst-firmware.c +index 1636a1eeb002..be1b69c63bdf 100644 +--- a/sound/soc/intel/common/sst-firmware.c ++++ b/sound/soc/intel/common/sst-firmware.c +@@ -260,7 +260,6 @@ int sst_dma_new(struct sst_dsp *sst) + struct sst_pdata *sst_pdata = sst->pdata; + struct sst_dma *dma; + struct resource mem; +- const char *dma_dev_name; + int ret = 0; + + if (sst->pdata->resindex_dma_base == -1) +@@ -271,7 +270,6 @@ int sst_dma_new(struct sst_dsp *sst) + * is attached to the ADSP IP. */ + switch (sst->pdata->dma_engine) { + case SST_DMA_TYPE_DW: +- dma_dev_name = "dw_dmac"; + break; + default: + dev_err(sst->dev, "error: invalid DMA engine %d\n", diff --git a/patch/kernel/mvebu-default/04-patch-4.4.136-137.patch b/patch/kernel/mvebu-default/04-patch-4.4.136-137.patch new file mode 100644 index 0000000000..6be99859e9 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.136-137.patch 
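Review bot: With the `-EPERM` branch removed from ima_inode_setxattr, a non-signature `security.ima` value is accepted in enforce mode whenever `ima_protect_xattr()` returns 1, and the only remaining validation here is the length and `xvalue->type >= IMA_XATTR_LAST` test. What `ima_protect_xattr()` checks is not visible in the hunk. A comment above the `if (result == 1)` block stating which check now gates hash writes in enforce mode would help anyone auditing the appraisal policy. Separately, `(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0` is redundant, since the comparison already yields 0 or 1.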
@@ -0,0 +1,625 @@ +diff --git a/Documentation/networking/netdev-FAQ.txt b/Documentation/networking/netdev-FAQ.txt +index 0fe1c6e0dbcd..bfc6b3e68cc4 100644 +--- a/Documentation/networking/netdev-FAQ.txt ++++ b/Documentation/networking/netdev-FAQ.txt +@@ -168,6 +168,15 @@ A: No. See above answer. In short, if you think it really belongs in + dash marker line as described in Documentation/SubmittingPatches to + temporarily embed that information into the patch that you send. + ++Q: Are all networking bug fixes backported to all stable releases? ++ ++A: Due to capacity, Dave could only take care of the backports for the last ++ 2 stable releases. For earlier stable releases, each stable branch maintainer ++ is supposed to take care of them. If you find any patch is missing from an ++ earlier stable branch, please notify stable@vger.kernel.org with either a ++ commit ID or a formal patch backported, and CC Dave and other relevant ++ networking developers. ++ + Q: Someone said that the comment style and coding convention is different + for the networking content. Is this true? 
+ +diff --git a/Makefile b/Makefile +index a05a7a005715..44efd1252ab8 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 136 ++SUBLEVEL = 137 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index a0d9ac6b6cc9..e759100e41a7 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include "tpm.h" + #include "tpm_eventlog.h" + +@@ -324,8 +325,20 @@ static void tpm1_chip_unregister(struct tpm_chip *chip) + */ + int tpm_chip_register(struct tpm_chip *chip) + { ++#ifdef CONFIG_OF ++ struct device_node *np; ++#endif + int rc; + ++#ifdef CONFIG_OF ++ np = of_find_node_by_name(NULL, "vtpm"); ++ if (np) { ++ if (of_property_read_bool(np, "powered-while-suspended")) ++ chip->flags |= TPM_CHIP_FLAG_ALWAYS_POWERED; ++ } ++ of_node_put(np); ++#endif ++ + rc = tpm1_chip_register(chip); + if (rc) + return rc; +diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c +index 36afc1a21699..95a40ec854ad 100644 +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -787,6 +787,10 @@ int tpm_do_selftest(struct tpm_chip *chip) + loops = jiffies_to_msecs(duration) / delay_msec; + + rc = tpm_continue_selftest(chip); ++ if (rc == TPM_ERR_INVALID_POSTINIT) { ++ chip->flags |= TPM_CHIP_FLAG_ALWAYS_POWERED; ++ dev_info(&chip->dev, "TPM not ready (%d)\n", rc); ++ } + /* This may fail if there was no TPM driver during a suspend/resume + * cycle; some may return 10 (BAD_ORDINAL), others 28 (FAILEDSELFTEST) + */ +@@ -931,6 +935,9 @@ int tpm_pm_suspend(struct device *dev) + if (chip == NULL) + return -ENODEV; + ++ if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) ++ return 0; ++ + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_shutdown(chip, TPM2_SU_STATE); + return 0; +diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h +index 
772d99b3a8e4..36e1abda00f9 100644 +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -168,6 +168,7 @@ struct tpm_vendor_specific { + enum tpm_chip_flags { + TPM_CHIP_FLAG_REGISTERED = BIT(0), + TPM_CHIP_FLAG_TPM2 = BIT(1), ++ TPM_CHIP_FLAG_ALWAYS_POWERED = BIT(5), + }; + + struct tpm_chip { +diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c +index 6b5625e66119..88ceac091454 100644 +--- a/drivers/gpu/drm/drm_fops.c ++++ b/drivers/gpu/drm/drm_fops.c +@@ -209,6 +209,7 @@ static int drm_open_helper(struct file *filp, struct drm_minor *minor) + return -ENOMEM; + + filp->private_data = priv; ++ filp->f_mode |= FMODE_UNSIGNED_OFFSET; + priv->filp = filp; + priv->uid = current_euid(); + priv->pid = get_pid(task_pid(current)); +diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c +index d91dd580e978..37aaea88a6ad 100644 +--- a/drivers/isdn/hardware/eicon/diva.c ++++ b/drivers/isdn/hardware/eicon/diva.c +@@ -387,10 +387,10 @@ void divasa_xdi_driver_unload(void) + ** Receive and process command from user mode utility + */ + void *diva_xdi_open_adapter(void *os_handle, const void __user *src, +- int length, ++ int length, void *mptr, + divas_xdi_copy_from_user_fn_t cp_fn) + { +- diva_xdi_um_cfg_cmd_t msg; ++ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr; + diva_os_xdi_adapter_t *a = NULL; + diva_os_spin_lock_magic_t old_irql; + struct list_head *tmp; +@@ -400,21 +400,21 @@ void *diva_xdi_open_adapter(void *os_handle, const void __user *src, + length, sizeof(diva_xdi_um_cfg_cmd_t))) + return NULL; + } +- if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) { ++ if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) { + DBG_ERR(("A: A(?) 
open, write error")) + return NULL; + } + diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter"); + list_for_each(tmp, &adapter_queue) { + a = list_entry(tmp, diva_os_xdi_adapter_t, link); +- if (a->controller == (int)msg.adapter) ++ if (a->controller == (int)msg->adapter) + break; + a = NULL; + } + diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter"); + + if (!a) { +- DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter)) ++ DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter)) + } + + return (a); +@@ -436,8 +436,10 @@ void diva_xdi_close_adapter(void *adapter, void *os_handle) + + int + diva_xdi_write(void *adapter, void *os_handle, const void __user *src, +- int length, divas_xdi_copy_from_user_fn_t cp_fn) ++ int length, void *mptr, ++ divas_xdi_copy_from_user_fn_t cp_fn) + { ++ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr; + diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter; + void *data; + +@@ -458,7 +460,13 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src, + return (-2); + } + +- length = (*cp_fn) (os_handle, data, src, length); ++ if (msg) { ++ *(diva_xdi_um_cfg_cmd_t *)data = *msg; ++ length = (*cp_fn) (os_handle, (char *)data + sizeof(*msg), ++ src + sizeof(*msg), length - sizeof(*msg)); ++ } else { ++ length = (*cp_fn) (os_handle, data, src, length); ++ } + if (length > 0) { + if ((*(a->interface.cmd_proc)) + (a, (diva_xdi_um_cfg_cmd_t *) data, length)) { +diff --git a/drivers/isdn/hardware/eicon/diva.h b/drivers/isdn/hardware/eicon/diva.h +index e979085d1b89..a0a607c0c32e 100644 +--- a/drivers/isdn/hardware/eicon/diva.h ++++ b/drivers/isdn/hardware/eicon/diva.h +@@ -19,10 +19,11 @@ int diva_xdi_read(void *adapter, void *os_handle, void __user *dst, + int max_length, divas_xdi_copy_to_user_fn_t cp_fn); + + int diva_xdi_write(void *adapter, void *os_handle, const void __user *src, +- int length, divas_xdi_copy_from_user_fn_t cp_fn); ++ int length, void *msg, ++ 
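Review bot: In the new `if (msg)` branch of diva_xdi_write, `length - sizeof(*msg)` is evaluated as an unsigned `size_t`, so it wraps to a very large count if `length` is smaller than the header. The check that would rule this out is not in the hunk and should be confirmed to sit before this point. In the same branch `length` is overwritten with the result of copying only the tail. If `cp_fn` returns the number of bytes copied, `cmd_proc` then receives a length that excludes the header already placed in `data`. Adding `if (length > 0) length += sizeof(*msg);` inside the branch would restore the previous value for messages with a payload. The header-only case depends on what `cp_fn` returns for a zero-length copy, which is not visible.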
divas_xdi_copy_from_user_fn_t cp_fn); + + void *diva_xdi_open_adapter(void *os_handle, const void __user *src, +- int length, ++ int length, void *msg, + divas_xdi_copy_from_user_fn_t cp_fn); + + void diva_xdi_close_adapter(void *adapter, void *os_handle); +diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c +index a2e0ed6c9a4d..91bd2ba0bdd8 100644 +--- a/drivers/isdn/hardware/eicon/divasmain.c ++++ b/drivers/isdn/hardware/eicon/divasmain.c +@@ -591,19 +591,22 @@ static int divas_release(struct inode *inode, struct file *file) + static ssize_t divas_write(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) + { ++ diva_xdi_um_cfg_cmd_t msg; + int ret = -EINVAL; + + if (!file->private_data) { + file->private_data = diva_xdi_open_adapter(file, buf, +- count, ++ count, &msg, + xdi_copy_from_user); +- } +- if (!file->private_data) { +- return (-ENODEV); ++ if (!file->private_data) ++ return (-ENODEV); ++ ret = diva_xdi_write(file->private_data, file, ++ buf, count, &msg, xdi_copy_from_user); ++ } else { ++ ret = diva_xdi_write(file->private_data, file, ++ buf, count, NULL, xdi_copy_from_user); + } + +- ret = diva_xdi_write(file->private_data, file, +- buf, count, xdi_copy_from_user); + switch (ret) { + case -1: /* Message should be removed from rx mailbox first */ + ret = -EBUSY; +@@ -622,11 +625,12 @@ static ssize_t divas_write(struct file *file, const char __user *buf, + static ssize_t divas_read(struct file *file, char __user *buf, + size_t count, loff_t *ppos) + { ++ diva_xdi_um_cfg_cmd_t msg; + int ret = -EINVAL; + + if (!file->private_data) { + file->private_data = diva_xdi_open_adapter(file, buf, +- count, ++ count, &msg, + xdi_copy_from_user); + } + if (!file->private_data) { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c +index d946bba43726..87534c6efd66 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c ++++ 
b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c +@@ -594,7 +594,7 @@ static void bnx2x_ets_e3b0_nig_disabled(const struct link_params *params, + * slots for the highest priority. + */ + REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS : +- NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100); ++ NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100); + /* Mapping between the CREDIT_WEIGHT registers and actual client + * numbers + */ +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 0e3b2ebf87f1..029fa5bee520 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2543,11 +2543,11 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + pci_set_master(pdev); + + /* Query PCI controller on system for DMA addressing +- * limitation for the device. Try 64-bit first, and ++ * limitation for the device. Try 47-bit first, and + * fail to 32-bit. + */ + +- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64)); ++ err = pci_set_dma_mask(pdev, DMA_BIT_MASK(47)); + if (err) { + err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)); + if (err) { +@@ -2561,10 +2561,10 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_out_release_regions; + } + } else { +- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)); ++ err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(47)); + if (err) { + dev_err(dev, "Unable to obtain %u-bit DMA " +- "for consistent allocations, aborting\n", 64); ++ "for consistent allocations, aborting\n", 47); + goto err_out_release_regions; + } + using_dac = 1; +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index 62f1a3433a62..d6d87dd8a28f 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -386,11 +386,11 @@ struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn) + struct 
mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table; + struct mlx4_qp *qp; + +- spin_lock(&qp_table->lock); ++ spin_lock_irq(&qp_table->lock); + + qp = __mlx4_qp_lookup(dev, qpn); + +- spin_unlock(&qp_table->lock); ++ spin_unlock_irq(&qp_table->lock); + return qp; + } + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +index 7ccdb46c6764..21e0af2620ee 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +@@ -43,7 +43,7 @@ + #define ILT_CFG_REG(cli, reg) PSWRQ2_REG_ ## cli ## _ ## reg ## _RT_OFFSET + + /* ILT entry structure */ +-#define ILT_ENTRY_PHY_ADDR_MASK 0x000FFFFFFFFFFFULL ++#define ILT_ENTRY_PHY_ADDR_MASK (~0ULL >> 12) + #define ILT_ENTRY_PHY_ADDR_SHIFT 0 + #define ILT_ENTRY_VALID_MASK 0x1ULL + #define ILT_ENTRY_VALID_SHIFT 52 +diff --git a/drivers/net/phy/bcm-cygnus.c b/drivers/net/phy/bcm-cygnus.c +index 49bbc6826883..9a7dca2bb618 100644 +--- a/drivers/net/phy/bcm-cygnus.c ++++ b/drivers/net/phy/bcm-cygnus.c +@@ -61,17 +61,17 @@ static int bcm_cygnus_afe_config(struct phy_device *phydev) + return rc; + + /* make rcal=100, since rdb default is 000 */ +- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB1, 0x10); ++ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB1, 0x10); + if (rc < 0) + return rc; + + /* CORE_EXPB0, Reset R_CAL/RC_CAL Engine */ +- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x10); ++ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x10); + if (rc < 0) + return rc; + + /* CORE_EXPB0, Disable Reset R_CAL/RC_CAL Engine */ +- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x00); ++ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00); + + return 0; + } +diff --git a/drivers/net/phy/bcm-phy-lib.h b/drivers/net/phy/bcm-phy-lib.h +index b2091c88b44d..ce16b26d49ff 100644 +--- a/drivers/net/phy/bcm-phy-lib.h ++++ b/drivers/net/phy/bcm-phy-lib.h +@@ -14,11 +14,18 @@ + #ifndef _LINUX_BCM_PHY_LIB_H + #define 
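Review bot: `spin_unlock_irq(&qp_table->lock)` in mlx4_qp_lookup re-enables interrupts unconditionally, which is only correct if no caller can enter with interrupts already disabled; the callers are outside this hunk. If that cannot be guaranteed, the save/restore form is the safe choice: `spin_lock_irqsave(&qp_table->lock, flags);` paired with `spin_unlock_irqrestore(&qp_table->lock, flags);` and a local `unsigned long flags;`. Otherwise a short comment stating that the function must be called with interrupts enabled would record the assumption.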
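Review bot: The last write in bcm_cygnus_afe_config stores its result in `rc` and the function then ends with `return 0;`, so a failure of the final `bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00)` is dropped. The two writes above it are followed by `if (rc < 0) return rc;`. Adding the same check before `return 0;` would make the three writes consistent. The start of the function is outside the hunk.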
_LINUX_BCM_PHY_LIB_H + ++#include + #include + + int bcm_phy_write_exp(struct phy_device *phydev, u16 reg, u16 val); + int bcm_phy_read_exp(struct phy_device *phydev, u16 reg); + ++static inline int bcm_phy_write_exp_sel(struct phy_device *phydev, ++ u16 reg, u16 val) ++{ ++ return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val); ++} ++ + int bcm_phy_write_misc(struct phy_device *phydev, + u16 reg, u16 chl, u16 value); + int bcm_phy_read_misc(struct phy_device *phydev, +diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c +index 03d4809a9126..bffa70e46202 100644 +--- a/drivers/net/phy/bcm7xxx.c ++++ b/drivers/net/phy/bcm7xxx.c +@@ -48,10 +48,10 @@ + static void r_rc_cal_reset(struct phy_device *phydev) + { + /* Reset R_CAL/RC_CAL Engine */ +- bcm_phy_write_exp(phydev, 0x00b0, 0x0010); ++ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0010); + + /* Disable Reset R_AL/RC_CAL Engine */ +- bcm_phy_write_exp(phydev, 0x00b0, 0x0000); ++ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0000); + } + + static int bcm7xxx_28nm_b0_afe_config_init(struct phy_device *phydev) +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index e74709e4b5dd..49174837c2ba 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -983,7 +983,8 @@ static void team_port_disable(struct team *team, + static void ___team_compute_features(struct team *team) + { + struct team_port *port; +- u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL; ++ netdev_features_t vlan_features = TEAM_VLAN_FEATURES & ++ NETIF_F_ALL_FOR_ALL; + unsigned short max_hard_header_len = ETH_HLEN; + unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | + IFF_XMIT_DST_RELEASE_PERM; +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index 96a5028621c8..8edbccf06b7b 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -593,7 +593,7 @@ static const struct driver_info cdc_mbim_info_zlp = { + */ + static const struct driver_info 
cdc_mbim_info_ndp_to_end = { + .description = "CDC MBIM", +- .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, ++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN | FLAG_SEND_ZLP, + .bind = cdc_mbim_bind, + .unbind = cdc_mbim_unbind, + .manage_power = cdc_mbim_manage_power, +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +index 83e5aa6a9f28..ad35e760ed3f 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -6167,7 +6167,7 @@ static void brcmf_cfg80211_reg_notifier(struct wiphy *wiphy, + req->alpha2[0], req->alpha2[1]); + + /* ignore non-ISO3166 country codes */ +- for (i = 0; i < sizeof(req->alpha2); i++) ++ for (i = 0; i < 2; i++) + if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') { + brcmf_err("not a ISO3166 code\n"); + return; +diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c +index f52c72a1a06f..73b725f965eb 100644 +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -3323,8 +3323,6 @@ maybe_sleep: + */ + if (iclog->ic_state & XLOG_STATE_IOERROR) + return -EIO; +- if (log_flushed) +- *log_flushed = 1; + } else { + + no_sleep: +@@ -3432,8 +3430,6 @@ try_again: + + xlog_wait(&iclog->ic_prev->ic_write_wait, + &log->l_icloglock); +- if (log_flushed) +- *log_flushed = 1; + already_slept = 1; + goto try_again; + } +@@ -3467,9 +3463,6 @@ try_again: + */ + if (iclog->ic_state & XLOG_STATE_IOERROR) + return -EIO; +- +- if (log_flushed) +- *log_flushed = 1; + } else { /* just return */ + spin_unlock(&log->l_icloglock); + } +diff --git a/mm/mmap.c b/mm/mmap.c +index cc84b97ca250..39f5fbd07486 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1275,6 +1275,35 @@ static inline int mlock_future_check(struct mm_struct *mm, + return 0; + } + ++static inline u64 file_mmap_size_max(struct file *file, struct inode *inode) ++{ ++ if (S_ISREG(inode->i_mode)) ++ return MAX_LFS_FILESIZE; ++ ++ if (S_ISBLK(inode->i_mode)) ++ return 
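Review bot: The loop bound in `brcmf_cfg80211_reg_notifier()` is now a bare `2`, with nothing saying why it is no longer `sizeof(req->alpha2)`. Presumably the array is longer than the two letters of the country code (its declaration is not in this hunk), so the old bound also tested a byte that is not part of the code. A comment such as `/* an ISO3166 alpha2 code is two letters; do not test bytes past them */` above the loop would record that. The function starts and ends outside the hunk.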
MAX_LFS_FILESIZE; ++ ++ /* Special "we do even unsigned file positions" case */ ++ if (file->f_mode & FMODE_UNSIGNED_OFFSET) ++ return 0; ++ ++ /* Yes, random drivers might want more. But I'm tired of buggy drivers */ ++ return ULONG_MAX; ++} ++ ++static inline bool file_mmap_ok(struct file *file, struct inode *inode, ++ unsigned long pgoff, unsigned long len) ++{ ++ u64 maxsize = file_mmap_size_max(file, inode); ++ ++ if (maxsize && len > maxsize) ++ return false; ++ maxsize -= len; ++ if (pgoff > maxsize >> PAGE_SHIFT) ++ return false; ++ return true; ++} ++ + /* + * The caller must hold down_write(¤t->mm->mmap_sem). + */ +@@ -1340,6 +1369,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr, + if (file) { + struct inode *inode = file_inode(file); + ++ if (!file_mmap_ok(file, inode, pgoff, len)) ++ return -EOVERFLOW; ++ + switch (flags & MAP_TYPE) { + case MAP_SHARED: + if ((prot&PROT_WRITE) && !(file->f_mode&FMODE_WRITE)) +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 5b3d611d8b5f..2017ffa5197a 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1691,6 +1691,10 @@ static int do_setlink(const struct sk_buff *skb, + const struct net_device_ops *ops = dev->netdev_ops; + int err; + ++ err = validate_linkmsg(dev, tb); ++ if (err < 0) ++ return err; ++ + if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) { + struct net *net = rtnl_link_get_net(dev_net(dev), tb); + if (IS_ERR(net)) { +@@ -1982,10 +1986,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh) + goto errout; + } + +- err = validate_linkmsg(dev, tb); +- if (err < 0) +- goto errout; +- + err = do_setlink(skb, dev, ifm, tb, ifname, 0); + errout: + return err; +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index ff3b058cf58c..936dab12f99f 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -280,9 +280,7 @@ int dccp_disconnect(struct sock *sk, int flags) + + dccp_clear_xmit_timers(sk); + ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); +- 
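Review bot: `file_mmap_ok()` depends on two conventions that are not written down: a return of 0 from `file_mmap_size_max()` (the `FMODE_UNSIGNED_OFFSET` case) means no size limit, and `maxsize -= len;` is then allowed to wrap as a `u64` so that the `pgoff` comparison is made against the full 64-bit range. Both are easy to break in a later edit of a check whose purpose is to reject overflowing offsets before the `do_mmap()` hunk returns `-EOVERFLOW`. I would add `/* 0 means no limit: the subtraction below wraps on purpose */` above `maxsize -= len;` and a short header comment on `file_mmap_size_max()` stating that it returns a byte count and that 0 is a sentinel. The `S_ISREG` and `S_ISBLK` branches return the same value and could be one condition.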
ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); + dp->dccps_hc_rx_ccid = NULL; +- dp->dccps_hc_tx_ccid = NULL; + + __skb_queue_purge(&sk->sk_receive_queue); + __skb_queue_purge(&sk->sk_write_queue); +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 44abc52bae13..9d144cbd4e62 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -979,6 +979,8 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg) + if (val == TCP_CA_UNSPEC) + return -EINVAL; + } else { ++ if (nla_len(nla) != sizeof(u32)) ++ return false; + val = nla_get_u32(nla); + } + if (type == RTAX_ADVMSS && val > 65535 - 40) +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 1b93ea766916..ce9a7fbb7c5f 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -493,8 +493,6 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + int err; + int copied; + +- WARN_ON_ONCE(sk->sk_family == AF_INET6); +- + err = -EAGAIN; + skb = sock_dequeue_err_skb(sk); + if (!skb) +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index e5846d1f9b55..9b92960f024d 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1787,7 +1787,8 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns + ret = 0; + if (!ip6mr_new_table(net, v)) + ret = -ENOMEM; +- raw6_sk(sk)->ip6mr_table = v; ++ else ++ raw6_sk(sk)->ip6mr_table = v; + rtnl_unlock(); + return ret; + } +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 392d4e2c0a24..3a63f33698d3 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2779,7 +2779,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (unlikely(offset < 0)) + goto out_free; + } else if (reserve) { +- skb_push(skb, reserve); ++ skb_reserve(skb, -reserve); + } + + /* Returns -EFAULT on error */ +@@ -4198,7 +4198,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if 
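Review bot: The added length check in `fib_convert_metrics()` ends with `return false;`, which is 0, while the failure path two lines above it in the same block returns `-EINVAL`. If the function returns an int error code, as that sibling return suggests (the return type is not in the hunk), a metric attribute with the wrong payload length makes the function stop early and report success instead of rejecting the request. The line should be `return -EINVAL;`.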
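Review bot: `skb_reserve(skb, -reserve);` in `packet_snd()` passes a negative length to a helper that is normally used to add headroom, and nothing in the hunk says why it replaced `skb_push()`. A comment above the call would make the intent reviewable, for example `/* move data and tail back into the reserved headroom without growing skb->len */`. The type of `reserve` is declared outside the hunk; the negation is only safe if it is signed, which is worth confirming when adding the comment.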
(po->tp_version >= TPACKET_V3 && + req->tp_block_size <= +- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) ++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr)) + goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index dd243d2abd87..138d7f100f7e 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -743,7 +743,7 @@ int conf_write(const char *name) + struct menu *menu; + const char *basename; + const char *str; +- char dirname[PATH_MAX+1], tmpname[PATH_MAX+1], newname[PATH_MAX+1]; ++ char dirname[PATH_MAX+1], tmpname[PATH_MAX+22], newname[PATH_MAX+8]; + char *env; + + dirname[0] = 0; diff --git a/patch/kernel/mvebu-default/04-patch-4.4.137-138.patch b/patch/kernel/mvebu-default/04-patch-4.4.137-138.patch new file mode 100644 index 0000000000..3fb7021777 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.137-138.patch 
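Review bot: The new sizes `PATH_MAX+22` and `PATH_MAX+8` for `tmpname` and `newname` in `conf_write()` are magic numbers whose derivation is not recorded next to the declaration. They presumably match the worst-case output of the formatting calls further down, which are outside this hunk; if those are unbounded `sprintf()` calls, the margin stops being enough as soon as a format string changes. I would either add a comment naming the format each margin covers, or switch those calls to `snprintf(buf, sizeof(buf), ...)` with a truncation check so that the buffer size and the write are tied together.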
@@ -0,0 +1,1561 @@ +diff --git a/Makefile b/Makefile +index 44efd1252ab8..1a8c0fc6b997 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 137 ++SUBLEVEL = 138 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c +index 722bacea040e..8baaff5af0b5 100644 +--- a/arch/x86/crypto/chacha20_glue.c ++++ b/arch/x86/crypto/chacha20_glue.c +@@ -125,7 +125,7 @@ static struct crypto_alg alg = { + + static int __init chacha20_simd_mod_init(void) + { +- if (!cpu_has_ssse3) ++ if (!boot_cpu_has(X86_FEATURE_SSSE3)) + return -ENODEV; + + #ifdef CONFIG_AS_AVX2 +diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c +index 81a595d75cf5..15f5c7675d42 100644 +--- a/arch/x86/crypto/crc32c-intel_glue.c ++++ b/arch/x86/crypto/crc32c-intel_glue.c +@@ -58,16 +58,11 @@ + asmlinkage unsigned int crc_pcl(const u8 *buffer, int len, + unsigned int crc_init); + static int crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_EAGERFPU; +-#if defined(X86_FEATURE_EAGER_FPU) + #define set_pcl_breakeven_point() \ + do { \ + if (!use_eager_fpu()) \ + crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_NOEAGERFPU; \ + } while (0) +-#else +-#define set_pcl_breakeven_point() \ +- (crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_NOEAGERFPU) +-#endif + #endif /* CONFIG_X86_64 */ + + static u32 crc32c_intel_le_hw_byte(u32 crc, unsigned char const *data, size_t length) +@@ -257,7 +252,7 @@ static int __init crc32c_intel_mod_init(void) + if (!x86_match_cpu(crc32c_cpu_id)) + return -ENODEV; + #ifdef CONFIG_X86_64 +- if (cpu_has_pclmulqdq) { ++ if (boot_cpu_has(X86_FEATURE_PCLMULQDQ)) { + alg.update = crc32c_pcl_intel_update; + alg.finup = crc32c_pcl_intel_finup; + alg.digest = crc32c_pcl_intel_digest; +diff --git a/arch/x86/include/asm/cmpxchg_32.h b/arch/x86/include/asm/cmpxchg_32.h +index f7e142926481..e4959d023af8 100644 +--- a/arch/x86/include/asm/cmpxchg_32.h ++++ 
b/arch/x86/include/asm/cmpxchg_32.h +@@ -109,6 +109,6 @@ static inline u64 __cmpxchg64_local(volatile u64 *ptr, u64 old, u64 new) + + #endif + +-#define system_has_cmpxchg_double() cpu_has_cx8 ++#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX8) + + #endif /* _ASM_X86_CMPXCHG_32_H */ +diff --git a/arch/x86/include/asm/cmpxchg_64.h b/arch/x86/include/asm/cmpxchg_64.h +index 1af94697aae5..caa23a34c963 100644 +--- a/arch/x86/include/asm/cmpxchg_64.h ++++ b/arch/x86/include/asm/cmpxchg_64.h +@@ -18,6 +18,6 @@ static inline void set_64bit(volatile u64 *ptr, u64 val) + cmpxchg_local((ptr), (o), (n)); \ + }) + +-#define system_has_cmpxchg_double() cpu_has_cx16 ++#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX16) + + #endif /* _ASM_X86_CMPXCHG_64_H */ +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index 641f0f2c2982..232621c5e859 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -104,7 +104,7 @@ + #define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */ + #define X86_FEATURE_AMD_DCM ( 3*32+27) /* multi-node processor */ + #define X86_FEATURE_APERFMPERF ( 3*32+28) /* APERFMPERF */ +-#define X86_FEATURE_EAGER_FPU ( 3*32+29) /* "eagerfpu" Non lazy FPU restore */ ++/* free, was #define X86_FEATURE_EAGER_FPU ( 3*32+29) * "eagerfpu" Non lazy FPU restore */ + #define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */ + + /* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ +@@ -368,58 +368,29 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + #define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit) + + #define cpu_has_fpu boot_cpu_has(X86_FEATURE_FPU) +-#define cpu_has_de boot_cpu_has(X86_FEATURE_DE) + #define cpu_has_pse boot_cpu_has(X86_FEATURE_PSE) + #define cpu_has_tsc boot_cpu_has(X86_FEATURE_TSC) + #define cpu_has_pge boot_cpu_has(X86_FEATURE_PGE) + #define cpu_has_apic 
boot_cpu_has(X86_FEATURE_APIC) +-#define cpu_has_sep boot_cpu_has(X86_FEATURE_SEP) +-#define cpu_has_mtrr boot_cpu_has(X86_FEATURE_MTRR) +-#define cpu_has_mmx boot_cpu_has(X86_FEATURE_MMX) + #define cpu_has_fxsr boot_cpu_has(X86_FEATURE_FXSR) + #define cpu_has_xmm boot_cpu_has(X86_FEATURE_XMM) + #define cpu_has_xmm2 boot_cpu_has(X86_FEATURE_XMM2) +-#define cpu_has_xmm3 boot_cpu_has(X86_FEATURE_XMM3) +-#define cpu_has_ssse3 boot_cpu_has(X86_FEATURE_SSSE3) + #define cpu_has_aes boot_cpu_has(X86_FEATURE_AES) + #define cpu_has_avx boot_cpu_has(X86_FEATURE_AVX) + #define cpu_has_avx2 boot_cpu_has(X86_FEATURE_AVX2) +-#define cpu_has_ht boot_cpu_has(X86_FEATURE_HT) +-#define cpu_has_nx boot_cpu_has(X86_FEATURE_NX) +-#define cpu_has_xstore boot_cpu_has(X86_FEATURE_XSTORE) +-#define cpu_has_xstore_enabled boot_cpu_has(X86_FEATURE_XSTORE_EN) +-#define cpu_has_xcrypt boot_cpu_has(X86_FEATURE_XCRYPT) +-#define cpu_has_xcrypt_enabled boot_cpu_has(X86_FEATURE_XCRYPT_EN) +-#define cpu_has_ace2 boot_cpu_has(X86_FEATURE_ACE2) +-#define cpu_has_ace2_enabled boot_cpu_has(X86_FEATURE_ACE2_EN) +-#define cpu_has_phe boot_cpu_has(X86_FEATURE_PHE) +-#define cpu_has_phe_enabled boot_cpu_has(X86_FEATURE_PHE_EN) +-#define cpu_has_pmm boot_cpu_has(X86_FEATURE_PMM) +-#define cpu_has_pmm_enabled boot_cpu_has(X86_FEATURE_PMM_EN) +-#define cpu_has_ds boot_cpu_has(X86_FEATURE_DS) +-#define cpu_has_pebs boot_cpu_has(X86_FEATURE_PEBS) + #define cpu_has_clflush boot_cpu_has(X86_FEATURE_CLFLUSH) +-#define cpu_has_bts boot_cpu_has(X86_FEATURE_BTS) + #define cpu_has_gbpages boot_cpu_has(X86_FEATURE_GBPAGES) + #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) + #define cpu_has_pat boot_cpu_has(X86_FEATURE_PAT) +-#define cpu_has_xmm4_1 boot_cpu_has(X86_FEATURE_XMM4_1) +-#define cpu_has_xmm4_2 boot_cpu_has(X86_FEATURE_XMM4_2) + #define cpu_has_x2apic boot_cpu_has(X86_FEATURE_X2APIC) + #define cpu_has_xsave boot_cpu_has(X86_FEATURE_XSAVE) +-#define cpu_has_xsaveopt 
boot_cpu_has(X86_FEATURE_XSAVEOPT) + #define cpu_has_xsaves boot_cpu_has(X86_FEATURE_XSAVES) + #define cpu_has_osxsave boot_cpu_has(X86_FEATURE_OSXSAVE) + #define cpu_has_hypervisor boot_cpu_has(X86_FEATURE_HYPERVISOR) +-#define cpu_has_pclmulqdq boot_cpu_has(X86_FEATURE_PCLMULQDQ) +-#define cpu_has_perfctr_core boot_cpu_has(X86_FEATURE_PERFCTR_CORE) +-#define cpu_has_perfctr_nb boot_cpu_has(X86_FEATURE_PERFCTR_NB) +-#define cpu_has_perfctr_l2 boot_cpu_has(X86_FEATURE_PERFCTR_L2) +-#define cpu_has_cx8 boot_cpu_has(X86_FEATURE_CX8) +-#define cpu_has_cx16 boot_cpu_has(X86_FEATURE_CX16) +-#define cpu_has_eager_fpu boot_cpu_has(X86_FEATURE_EAGER_FPU) +-#define cpu_has_topoext boot_cpu_has(X86_FEATURE_TOPOEXT) +-#define cpu_has_bpext boot_cpu_has(X86_FEATURE_BPEXT) ++/* ++ * Do not add any more of those clumsy macros - use static_cpu_has_safe() for ++ * fast paths and boot_cpu_has() otherwise! ++ */ + + #if __GNUC__ >= 4 + extern void warn_pre_alternatives(void); +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h +index 3c3550c3a4a3..146d838e6ee7 100644 +--- a/arch/x86/include/asm/fpu/internal.h ++++ b/arch/x86/include/asm/fpu/internal.h +@@ -42,6 +42,7 @@ extern void fpu__init_cpu_xstate(void); + extern void fpu__init_system(struct cpuinfo_x86 *c); + extern void fpu__init_check_bugs(void); + extern void fpu__resume_cpu(void); ++extern u64 fpu__get_supported_xfeatures_mask(void); + + /* + * Debugging facility: +@@ -57,7 +58,7 @@ extern void fpu__resume_cpu(void); + */ + static __always_inline __pure bool use_eager_fpu(void) + { +- return static_cpu_has_safe(X86_FEATURE_EAGER_FPU); ++ return true; + } + + static __always_inline __pure bool use_xsaveopt(void) +@@ -595,7 +596,8 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu) + * If the task has used the math, pre-load the FPU on xsave processors + * or if the past 5 consecutive context-switches used math. 
+ */ +- fpu.preload = new_fpu->fpstate_active && ++ fpu.preload = static_cpu_has(X86_FEATURE_FPU) && ++ new_fpu->fpstate_active && + (use_eager_fpu() || new_fpu->counter > 5); + + if (old_fpu->fpregs_active) { +diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h +index 3a6c89b70307..f23cd8c80b1c 100644 +--- a/arch/x86/include/asm/fpu/xstate.h ++++ b/arch/x86/include/asm/fpu/xstate.h +@@ -22,7 +22,7 @@ + #define XFEATURE_MASK_LAZY (XFEATURE_MASK_FP | \ + XFEATURE_MASK_SSE | \ + XFEATURE_MASK_YMM | \ +- XFEATURE_MASK_OPMASK | \ ++ XFEATURE_MASK_OPMASK | \ + XFEATURE_MASK_ZMM_Hi256 | \ + XFEATURE_MASK_Hi16_ZMM) + +diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h +index fc3c7e49c8e4..ae357d0afc91 100644 +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -105,11 +105,12 @@ struct x86_emulate_ops { + * @addr: [IN ] Linear address from which to read. + * @val: [OUT] Value read from memory, zero-extended to 'u_long'. + * @bytes: [IN ] Number of bytes to read from memory. ++ * @system:[IN ] Whether the access is forced to be at CPL0. + */ + int (*read_std)(struct x86_emulate_ctxt *ctxt, + unsigned long addr, void *val, + unsigned int bytes, +- struct x86_exception *fault); ++ struct x86_exception *fault, bool system); + + /* + * read_phys: Read bytes of standard (non-emulated/special) memory. +@@ -127,10 +128,11 @@ struct x86_emulate_ops { + * @addr: [IN ] Linear address to which to write. + * @val: [OUT] Value write to memory, zero-extended to 'u_long'. + * @bytes: [IN ] Number of bytes to write to memory. ++ * @system:[IN ] Whether the access is forced to be at CPL0. + */ + int (*write_std)(struct x86_emulate_ctxt *ctxt, + unsigned long addr, void *val, unsigned int bytes, +- struct x86_exception *fault); ++ struct x86_exception *fault, bool system); + /* + * fetch: Read bytes of standard (non-emulated/special) memory. + * Used for instruction fetch. 
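Review bot: With `use_eager_fpu()` changed to `return true;` earlier in this file section, the `|| new_fpu->counter > 5` term in `switch_fpu_prepare()` can no longer affect `fpu.preload`, and the comment above the assignment still describes the "past 5 consecutive context-switches" heuristic. Keeping the expression may be deliberate to hold the backport small, but the comment now misleads a reader about when FPU state is preloaded. Either reword it to say that preload happens whenever the CPU has an FPU and the task has FPU state, or reduce the assignment to `fpu.preload = static_cpu_has(X86_FEATURE_FPU) && new_fpu->fpstate_active;`. The function continues past the hunk.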
+diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h +index 222a6a3ca2b5..a438c5598a90 100644 +--- a/arch/x86/include/asm/smp.h ++++ b/arch/x86/include/asm/smp.h +@@ -21,15 +21,6 @@ + extern int smp_num_siblings; + extern unsigned int num_processors; + +-static inline bool cpu_has_ht_siblings(void) +-{ +- bool has_siblings = false; +-#ifdef CONFIG_SMP +- has_siblings = cpu_has_ht && smp_num_siblings > 1; +-#endif +- return has_siblings; +-} +- + DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_sibling_map); + DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map); + /* cpus sharing the last level cache: */ +diff --git a/arch/x86/include/asm/xor_32.h b/arch/x86/include/asm/xor_32.h +index 5a08bc8bff33..c54beb44c4c1 100644 +--- a/arch/x86/include/asm/xor_32.h ++++ b/arch/x86/include/asm/xor_32.h +@@ -553,7 +553,7 @@ do { \ + if (cpu_has_xmm) { \ + xor_speed(&xor_block_pIII_sse); \ + xor_speed(&xor_block_sse_pf64); \ +- } else if (cpu_has_mmx) { \ ++ } else if (boot_cpu_has(X86_FEATURE_MMX)) { \ + xor_speed(&xor_block_pII_mmx); \ + xor_speed(&xor_block_p5_mmx); \ + } else { \ +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 4bf9e77f3e05..f4fb8f5b0be4 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -304,7 +304,7 @@ static void amd_get_topology(struct cpuinfo_x86 *c) + int cpu = smp_processor_id(); + + /* get information required for multi-node processors */ +- if (cpu_has_topoext) { ++ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { + u32 eax, ebx, ecx, edx; + + cpuid(0x8000001e, &eax, &ebx, &ecx, &edx); +@@ -954,7 +954,7 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + + void set_dr_addr_mask(unsigned long mask, int dr) + { +- if (!cpu_has_bpext) ++ if (!boot_cpu_has(X86_FEATURE_BPEXT)) + return; + + switch (dr) { +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 8eabbafff213..0498ad3702f5 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ 
b/arch/x86/kernel/cpu/common.c +@@ -1539,7 +1539,9 @@ void cpu_init(void) + + printk(KERN_INFO "Initializing CPU#%d\n", cpu); + +- if (cpu_feature_enabled(X86_FEATURE_VME) || cpu_has_tsc || cpu_has_de) ++ if (cpu_feature_enabled(X86_FEATURE_VME) || ++ cpu_has_tsc || ++ boot_cpu_has(X86_FEATURE_DE)) + cr4_clear_bits(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE); + + load_current_idt(); +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c +index 209ac1e7d1f0..565648bc1a0a 100644 +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -445,7 +445,8 @@ static void init_intel(struct cpuinfo_x86 *c) + + if (cpu_has_xmm2) + set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC); +- if (cpu_has_ds) { ++ ++ if (boot_cpu_has(X86_FEATURE_DS)) { + unsigned int l1; + rdmsr(MSR_IA32_MISC_ENABLE, l1, l2); + if (!(l1 & (1<<11))) +diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c +index b4ca91cf55b0..3fa72317ad78 100644 +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -591,7 +591,7 @@ cpuid4_cache_lookup_regs(int index, struct _cpuid4_info_regs *this_leaf) + unsigned edx; + + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) { +- if (cpu_has_topoext) ++ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) + cpuid_count(0x8000001d, index, &eax.full, + &ebx.full, &ecx.full, &edx); + else +@@ -637,7 +637,7 @@ static int find_num_cache_leaves(struct cpuinfo_x86 *c) + void init_amd_cacheinfo(struct cpuinfo_x86 *c) + { + +- if (cpu_has_topoext) { ++ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { + num_cache_leaves = find_num_cache_leaves(c); + } else if (c->extended_cpuid_level >= 0x80000006) { + if (cpuid_edx(0x80000006) & 0xf000) +@@ -809,7 +809,7 @@ static int __cache_amd_cpumap_setup(unsigned int cpu, int index, + struct cacheinfo *this_leaf; + int i, sibling; + +- if (cpu_has_topoext) { ++ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { + unsigned int apicid, nshared, first, last; + + this_leaf = 
this_cpu_ci->info_list + index; +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index b5624fafa44a..136ae86f4f5f 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs) + + void mtrr_save_fixed_ranges(void *info) + { +- if (cpu_has_mtrr) ++ if (boot_cpu_has(X86_FEATURE_MTRR)) + get_fixed_ranges(mtrr_state.fixed_ranges); + } + +diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c +index fa77ac8291f0..f924f41af89a 100644 +--- a/arch/x86/kernel/cpu/mtrr/main.c ++++ b/arch/x86/kernel/cpu/mtrr/main.c +@@ -682,7 +682,7 @@ void __init mtrr_bp_init(void) + + phys_addr = 32; + +- if (cpu_has_mtrr) { ++ if (boot_cpu_has(X86_FEATURE_MTRR)) { + mtrr_if = &generic_mtrr_ops; + size_or_mask = SIZE_OR_MASK_BITS(36); + size_and_mask = 0x00f00000; +diff --git a/arch/x86/kernel/cpu/perf_event_amd.c b/arch/x86/kernel/cpu/perf_event_amd.c +index 1cee5d2d7ece..3ea177cb7366 100644 +--- a/arch/x86/kernel/cpu/perf_event_amd.c ++++ b/arch/x86/kernel/cpu/perf_event_amd.c +@@ -160,7 +160,7 @@ static inline int amd_pmu_addr_offset(int index, bool eventsel) + if (offset) + return offset; + +- if (!cpu_has_perfctr_core) ++ if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE)) + offset = index; + else + offset = index << 1; +@@ -652,7 +652,7 @@ static __initconst const struct x86_pmu amd_pmu = { + + static int __init amd_core_pmu_init(void) + { +- if (!cpu_has_perfctr_core) ++ if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE)) + return 0; + + switch (boot_cpu_data.x86) { +diff --git a/arch/x86/kernel/cpu/perf_event_amd_uncore.c b/arch/x86/kernel/cpu/perf_event_amd_uncore.c +index cc6cedb8f25d..49742746a6c9 100644 +--- a/arch/x86/kernel/cpu/perf_event_amd_uncore.c ++++ b/arch/x86/kernel/cpu/perf_event_amd_uncore.c +@@ -523,10 +523,10 @@ static int __init amd_uncore_init(void) + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) + goto fail_nodev; + +- 
if (!cpu_has_topoext) ++ if (!boot_cpu_has(X86_FEATURE_TOPOEXT)) + goto fail_nodev; + +- if (cpu_has_perfctr_nb) { ++ if (boot_cpu_has(X86_FEATURE_PERFCTR_NB)) { + amd_uncore_nb = alloc_percpu(struct amd_uncore *); + if (!amd_uncore_nb) { + ret = -ENOMEM; +@@ -540,7 +540,7 @@ static int __init amd_uncore_init(void) + ret = 0; + } + +- if (cpu_has_perfctr_l2) { ++ if (boot_cpu_has(X86_FEATURE_PERFCTR_L2)) { + amd_uncore_l2 = alloc_percpu(struct amd_uncore *); + if (!amd_uncore_l2) { + ret = -ENOMEM; +@@ -583,10 +583,11 @@ fail_online: + + /* amd_uncore_nb/l2 should have been freed by cleanup_cpu_online */ + amd_uncore_nb = amd_uncore_l2 = NULL; +- if (cpu_has_perfctr_l2) ++ ++ if (boot_cpu_has(X86_FEATURE_PERFCTR_L2)) + perf_pmu_unregister(&amd_l2_pmu); + fail_l2: +- if (cpu_has_perfctr_nb) ++ if (boot_cpu_has(X86_FEATURE_PERFCTR_NB)) + perf_pmu_unregister(&amd_nb_pmu); + if (amd_uncore_l2) + free_percpu(amd_uncore_l2); +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index d25097c3fc1d..6aa0b519c851 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -114,6 +114,10 @@ void __kernel_fpu_begin(void) + kernel_fpu_disable(); + + if (fpu->fpregs_active) { ++ /* ++ * Ignore return value -- we don't care if reg state ++ * is clobbered. 
++ */ + copy_fpregs_to_fpstate(fpu); + } else { + this_cpu_write(fpu_fpregs_owner_ctx, NULL); +@@ -189,8 +193,12 @@ void fpu__save(struct fpu *fpu) + + preempt_disable(); + if (fpu->fpregs_active) { +- if (!copy_fpregs_to_fpstate(fpu)) +- fpregs_deactivate(fpu); ++ if (!copy_fpregs_to_fpstate(fpu)) { ++ if (use_eager_fpu()) ++ copy_kernel_to_fpregs(&fpu->state); ++ else ++ fpregs_deactivate(fpu); ++ } + } + preempt_enable(); + } +@@ -259,7 +267,11 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu) + preempt_disable(); + if (!copy_fpregs_to_fpstate(dst_fpu)) { + memcpy(&src_fpu->state, &dst_fpu->state, xstate_size); +- fpregs_deactivate(src_fpu); ++ ++ if (use_eager_fpu()) ++ copy_kernel_to_fpregs(&src_fpu->state); ++ else ++ fpregs_deactivate(src_fpu); + } + preempt_enable(); + } +@@ -409,8 +421,10 @@ static inline void copy_init_fpstate_to_fpregs(void) + { + if (use_xsave()) + copy_kernel_to_xregs(&init_fpstate.xsave, -1); +- else ++ else if (static_cpu_has(X86_FEATURE_FXSR)) + copy_kernel_to_fxregs(&init_fpstate.fxsave); ++ else ++ copy_kernel_to_fregs(&init_fpstate.fsave); + } + + /* +@@ -423,7 +437,7 @@ void fpu__clear(struct fpu *fpu) + { + WARN_ON_FPU(fpu != ¤t->thread.fpu); /* Almost certainly an anomaly */ + +- if (!use_eager_fpu()) { ++ if (!use_eager_fpu() || !static_cpu_has(X86_FEATURE_FPU)) { + /* FPU state will be reallocated lazily at the first use. 
*/ + fpu__drop(fpu); + } else { +diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c +index 1011c05b1bd5..954517285fa2 100644 +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -3,8 +3,11 @@ + */ + #include + #include ++#include ++#include + + #include ++#include + + /* + * Initialize the TS bit in CR0 according to the style of context-switches +@@ -12,10 +15,7 @@ + */ + static void fpu__init_cpu_ctx_switch(void) + { +- if (!cpu_has_eager_fpu) +- stts(); +- else +- clts(); ++ clts(); + } + + /* +@@ -75,13 +75,15 @@ static void fpu__init_system_early_generic(struct cpuinfo_x86 *c) + cr0 &= ~(X86_CR0_TS | X86_CR0_EM); + write_cr0(cr0); + +- asm volatile("fninit ; fnstsw %0 ; fnstcw %1" +- : "+m" (fsw), "+m" (fcw)); ++ if (!test_bit(X86_FEATURE_FPU, (unsigned long *)cpu_caps_cleared)) { ++ asm volatile("fninit ; fnstsw %0 ; fnstcw %1" ++ : "+m" (fsw), "+m" (fcw)); + +- if (fsw == 0 && (fcw & 0x103f) == 0x003f) +- set_cpu_cap(c, X86_FEATURE_FPU); +- else +- clear_cpu_cap(c, X86_FEATURE_FPU); ++ if (fsw == 0 && (fcw & 0x103f) == 0x003f) ++ set_cpu_cap(c, X86_FEATURE_FPU); ++ else ++ clear_cpu_cap(c, X86_FEATURE_FPU); ++ } + + #ifndef CONFIG_MATH_EMULATION + if (!cpu_has_fpu) { +@@ -130,7 +132,7 @@ static void __init fpu__init_system_generic(void) + * Set up the legacy init FPU context. (xstate init might overwrite this + * with a more modern format, if the CPU supports it.) + */ +- fpstate_init_fxstate(&init_fpstate.fxsave); ++ fpstate_init(&init_fpstate); + + fpu__init_system_mxcsr(); + } +@@ -230,53 +232,16 @@ static void __init fpu__init_system_xstate_size_legacy(void) + } + + /* +- * FPU context switching strategies: +- * +- * Against popular belief, we don't do lazy FPU saves, due to the +- * task migration complications it brings on SMP - we only do +- * lazy FPU restores. 
+- * +- * 'lazy' is the traditional strategy, which is based on setting +- * CR0::TS to 1 during context-switch (instead of doing a full +- * restore of the FPU state), which causes the first FPU instruction +- * after the context switch (whenever it is executed) to fault - at +- * which point we lazily restore the FPU state into FPU registers. +- * +- * Tasks are of course under no obligation to execute FPU instructions, +- * so it can easily happen that another context-switch occurs without +- * a single FPU instruction being executed. If we eventually switch +- * back to the original task (that still owns the FPU) then we have +- * not only saved the restores along the way, but we also have the +- * FPU ready to be used for the original task. +- * +- * 'eager' switching is used on modern CPUs, there we switch the FPU +- * state during every context switch, regardless of whether the task +- * has used FPU instructions in that time slice or not. This is done +- * because modern FPU context saving instructions are able to optimize +- * state saving and restoration in hardware: they can detect both +- * unused and untouched FPU state and optimize accordingly. +- * +- * [ Note that even in 'lazy' mode we might optimize context switches +- * to use 'eager' restores, if we detect that a task is using the FPU +- * frequently. See the fpu->counter logic in fpu/internal.h for that. ] ++ * Find supported xfeatures based on cpu features and command-line input. ++ * This must be called after fpu__init_parse_early_param() is called and ++ * xfeatures_mask is enumerated. 
+ */ +-static enum { AUTO, ENABLE, DISABLE } eagerfpu = AUTO; +- +-static int __init eager_fpu_setup(char *s) ++u64 __init fpu__get_supported_xfeatures_mask(void) + { +- if (!strcmp(s, "on")) +- eagerfpu = ENABLE; +- else if (!strcmp(s, "off")) +- eagerfpu = DISABLE; +- else if (!strcmp(s, "auto")) +- eagerfpu = AUTO; +- return 1; ++ return XCNTXT_MASK; + } +-__setup("eagerfpu=", eager_fpu_setup); + +-/* +- * Pick the FPU context switching strategy: +- */ ++/* Legacy code to initialize eager fpu mode. */ + static void __init fpu__init_system_ctx_switch(void) + { + static bool on_boot_cpu = 1; +@@ -286,25 +251,31 @@ static void __init fpu__init_system_ctx_switch(void) + + WARN_ON_FPU(current->thread.fpu.fpstate_active); + current_thread_info()->status = 0; ++} + +- /* Auto enable eagerfpu for xsaveopt */ +- if (cpu_has_xsaveopt && eagerfpu != DISABLE) +- eagerfpu = ENABLE; +- +- if (xfeatures_mask & XFEATURE_MASK_EAGER) { +- if (eagerfpu == DISABLE) { +- pr_err("x86/fpu: eagerfpu switching disabled, disabling the following xstate features: 0x%llx.\n", +- xfeatures_mask & XFEATURE_MASK_EAGER); +- xfeatures_mask &= ~XFEATURE_MASK_EAGER; +- } else { +- eagerfpu = ENABLE; +- } ++/* ++ * We parse fpu parameters early because fpu__init_system() is executed ++ * before parse_early_param(). 
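Review bot: The comment on `fpu__get_supported_xfeatures_mask()` says the supported features are found "based on cpu features and command-line input", but the body is only `return XCNTXT_MASK;`. The comment should describe what the function does today, for example `/* Return the xfeatures the kernel can context-switch; currently always XCNTXT_MASK. */`, keeping the ordering requirement about `fpu__init_parse_early_param()` only if a caller depends on it. In the same hunk, `/* Legacy code to initialize eager fpu mode. */` on `fpu__init_system_ctx_switch()` could say that eager mode is now the only mode, since this hunk removes the `eagerfpu=` parameter.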
++ */
++static void __init fpu__init_parse_early_param(void)
++{
++ if (cmdline_find_option_bool(boot_command_line, "no387"))
++ setup_clear_cpu_cap(X86_FEATURE_FPU);
++
++ if (cmdline_find_option_bool(boot_command_line, "nofxsr")) {
++ setup_clear_cpu_cap(X86_FEATURE_FXSR);
++ setup_clear_cpu_cap(X86_FEATURE_FXSR_OPT);
++ setup_clear_cpu_cap(X86_FEATURE_XMM);
+ }
+
+- if (eagerfpu == ENABLE)
+- setup_force_cpu_cap(X86_FEATURE_EAGER_FPU);
++ if (cmdline_find_option_bool(boot_command_line, "noxsave"))
++ fpu__xstate_clear_all_cpu_caps();
++
++ if (cmdline_find_option_bool(boot_command_line, "noxsaveopt"))
++ setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
+
+- printk(KERN_INFO "x86/fpu: Using '%s' FPU context switches.\n", eagerfpu == ENABLE ? "eager" : "lazy");
++ if (cmdline_find_option_bool(boot_command_line, "noxsaves"))
++ setup_clear_cpu_cap(X86_FEATURE_XSAVES);
+ }
+
+ /*
+@@ -313,6 +284,7 @@ static void __init fpu__init_system_ctx_switch(void)
+ */
+ void __init fpu__init_system(struct cpuinfo_x86 *c)
+ {
++ fpu__init_parse_early_param();
+ fpu__init_system_early_generic(c);
+
+ /*
+@@ -336,62 +308,3 @@ void __init fpu__init_system(struct cpuinfo_x86 *c)
+
+ fpu__init_system_ctx_switch();
+ }
+-
+-/*
+- * Boot parameter to turn off FPU support and fall back to math-emu:
+- */
+-static int __init no_387(char *s)
+-{
+- setup_clear_cpu_cap(X86_FEATURE_FPU);
+- return 1;
+-}
+-__setup("no387", no_387);
+-
+-/*
+- * Disable all xstate CPU features:
+- */
+-static int __init x86_noxsave_setup(char *s)
+-{
+- if (strlen(s))
+- return 0;
+-
+- fpu__xstate_clear_all_cpu_caps();
+-
+- return 1;
+-}
+-__setup("noxsave", x86_noxsave_setup);
+-
+-/*
+- * Disable the XSAVEOPT instruction specifically:
+- */
+-static int __init x86_noxsaveopt_setup(char *s)
+-{
+- setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
+-
+- return 1;
+-}
+-__setup("noxsaveopt", x86_noxsaveopt_setup);
+-
+-/*
+- * Disable the XSAVES instruction:
+- */
+-static int __init x86_noxsaves_setup(char *s)
+-{
+-
setup_clear_cpu_cap(X86_FEATURE_XSAVES); +- +- return 1; +-} +-__setup("noxsaves", x86_noxsaves_setup); +- +-/* +- * Disable FX save/restore and SSE support: +- */ +-static int __init x86_nofxsr_setup(char *s) +-{ +- setup_clear_cpu_cap(X86_FEATURE_FXSR); +- setup_clear_cpu_cap(X86_FEATURE_FXSR_OPT); +- setup_clear_cpu_cap(X86_FEATURE_XMM); +- +- return 1; +-} +-__setup("nofxsr", x86_nofxsr_setup); +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 70fc312221fc..3fa200ecca62 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -632,8 +632,7 @@ void __init fpu__init_system_xstate(void) + BUG(); + } + +- /* Support only the state known to the OS: */ +- xfeatures_mask = xfeatures_mask & XCNTXT_MASK; ++ xfeatures_mask &= fpu__get_supported_xfeatures_mask(); + + /* Enable xstate instructions to be able to continue with initialization: */ + fpu__init_cpu_xstate(); +diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c +index 50a3fad5b89f..2bcfb5f2bc44 100644 +--- a/arch/x86/kernel/hw_breakpoint.c ++++ b/arch/x86/kernel/hw_breakpoint.c +@@ -300,6 +300,10 @@ static int arch_build_bp_info(struct perf_event *bp) + return -EINVAL; + if (bp->attr.bp_addr & (bp->attr.bp_len - 1)) + return -EINVAL; ++ ++ if (!boot_cpu_has(X86_FEATURE_BPEXT)) ++ return -EOPNOTSUPP; ++ + /* + * It's impossible to use a range breakpoint to fake out + * user vs kernel detection because bp_len - 1 can't +@@ -307,8 +311,6 @@ static int arch_build_bp_info(struct perf_event *bp) + * breakpoints, then we'll have to check for kprobe-blacklisted + * addresses anywhere in the range. 
+ */ +- if (!cpu_has_bpext) +- return -EOPNOTSUPP; + info->mask = bp->attr.bp_len - 1; + info->len = X86_BREAKPOINT_LEN_1; + } +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 48ca93242bfd..1f7aefc7b0b4 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -295,7 +295,7 @@ do { \ + + static bool match_smt(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o) + { +- if (cpu_has_topoext) { ++ if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { + int cpu1 = c->cpu_index, cpu2 = o->cpu_index; + + if (c->phys_proc_id == o->phys_proc_id && +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 1fbd2631be60..8c73bf1492b8 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -751,7 +751,6 @@ dotraplinkage void + do_device_not_available(struct pt_regs *regs, long error_code) + { + RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU"); +- BUG_ON(use_eager_fpu()); + + #ifdef CONFIG_MATH_EMULATION + if (read_cr0() & X86_CR0_EM) { +diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c +index af57736a0309..d6d64a519559 100644 +--- a/arch/x86/kernel/vm86_32.c ++++ b/arch/x86/kernel/vm86_32.c +@@ -357,8 +357,10 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) + tss = &per_cpu(cpu_tss, get_cpu()); + /* make room for real-mode segments */ + tsk->thread.sp0 += 16; +- if (cpu_has_sep) ++ ++ if (static_cpu_has_safe(X86_FEATURE_SEP)) + tsk->thread.sysenter_cs = 0; ++ + load_sp0(tss, &tsk->thread); + put_cpu(); + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 8864fec63a20..f1507626ed36 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -790,6 +790,19 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) + return assign_eip_near(ctxt, ctxt->_eip + rel); + } + ++static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear, ++ void *data, unsigned size) ++{ ++ return ctxt->ops->read_std(ctxt, linear, 
data, size, &ctxt->exception, true); ++} ++ ++static int linear_write_system(struct x86_emulate_ctxt *ctxt, ++ ulong linear, void *data, ++ unsigned int size) ++{ ++ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true); ++} ++ + static int segmented_read_std(struct x86_emulate_ctxt *ctxt, + struct segmented_address addr, + void *data, +@@ -801,7 +814,7 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt, + rc = linearize(ctxt, addr, size, false, &linear); + if (rc != X86EMUL_CONTINUE) + return rc; +- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception); ++ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false); + } + + static int segmented_write_std(struct x86_emulate_ctxt *ctxt, +@@ -815,7 +828,7 @@ static int segmented_write_std(struct x86_emulate_ctxt *ctxt, + rc = linearize(ctxt, addr, size, true, &linear); + if (rc != X86EMUL_CONTINUE) + return rc; +- return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception); ++ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false); + } + + /* +@@ -1488,8 +1501,7 @@ static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt, + return emulate_gp(ctxt, index << 3 | 0x2); + + addr = dt.address + index * 8; +- return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc, +- &ctxt->exception); ++ return linear_read_system(ctxt, addr, desc, sizeof *desc); + } + + static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt, +@@ -1552,8 +1564,7 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt, + if (rc != X86EMUL_CONTINUE) + return rc; + +- return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc), +- &ctxt->exception); ++ return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc)); + } + + /* allowed just for 8 bytes segments */ +@@ -1567,8 +1578,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, + if (rc != X86EMUL_CONTINUE) + return rc; + +- return 
ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc, +- &ctxt->exception); ++ return linear_write_system(ctxt, addr, desc, sizeof *desc); + } + + static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, +@@ -1729,8 +1739,7 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + return ret; + } + } else if (ctxt->mode == X86EMUL_MODE_PROT64) { +- ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3, +- sizeof(base3), &ctxt->exception); ++ ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3)); + if (ret != X86EMUL_CONTINUE) + return ret; + if (is_noncanonical_address(get_desc_base(&seg_desc) | +@@ -2043,11 +2052,11 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq) + eip_addr = dt.address + (irq << 2); + cs_addr = dt.address + (irq << 2) + 2; + +- rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception); ++ rc = linear_read_system(ctxt, cs_addr, &cs, 2); + if (rc != X86EMUL_CONTINUE) + return rc; + +- rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception); ++ rc = linear_read_system(ctxt, eip_addr, &eip, 2); + if (rc != X86EMUL_CONTINUE) + return rc; + +@@ -2891,12 +2900,12 @@ static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt, + #ifdef CONFIG_X86_64 + base |= ((u64)base3) << 32; + #endif +- r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL); ++ r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true); + if (r != X86EMUL_CONTINUE) + return false; + if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg)) + return false; +- r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL); ++ r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true); + if (r != X86EMUL_CONTINUE) + return false; + if ((perm >> bit_idx) & mask) +@@ -3025,35 +3034,30 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt, + u16 tss_selector, u16 old_tss_sel, + ulong old_tss_base, struct desc_struct *new_desc) + { +- const struct x86_emulate_ops 
*ops = ctxt->ops; + struct tss_segment_16 tss_seg; + int ret; + u32 new_tss_base = get_desc_base(new_desc); + +- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, +- &ctxt->exception); ++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg); + if (ret != X86EMUL_CONTINUE) + return ret; + + save_state_to_tss16(ctxt, &tss_seg); + +- ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, +- &ctxt->exception); ++ ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg); + if (ret != X86EMUL_CONTINUE) + return ret; + +- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg, +- &ctxt->exception); ++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg); + if (ret != X86EMUL_CONTINUE) + return ret; + + if (old_tss_sel != 0xffff) { + tss_seg.prev_task_link = old_tss_sel; + +- ret = ops->write_std(ctxt, new_tss_base, +- &tss_seg.prev_task_link, +- sizeof tss_seg.prev_task_link, +- &ctxt->exception); ++ ret = linear_write_system(ctxt, new_tss_base, ++ &tss_seg.prev_task_link, ++ sizeof tss_seg.prev_task_link); + if (ret != X86EMUL_CONTINUE) + return ret; + } +@@ -3169,38 +3173,34 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt, + u16 tss_selector, u16 old_tss_sel, + ulong old_tss_base, struct desc_struct *new_desc) + { +- const struct x86_emulate_ops *ops = ctxt->ops; + struct tss_segment_32 tss_seg; + int ret; + u32 new_tss_base = get_desc_base(new_desc); + u32 eip_offset = offsetof(struct tss_segment_32, eip); + u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector); + +- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, +- &ctxt->exception); ++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg); + if (ret != X86EMUL_CONTINUE) + return ret; + + save_state_to_tss32(ctxt, &tss_seg); + + /* Only GP registers and segment selectors are saved */ +- ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip, +- ldt_sel_offset 
- eip_offset, &ctxt->exception); ++ ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip, ++ ldt_sel_offset - eip_offset); + if (ret != X86EMUL_CONTINUE) + return ret; + +- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg, +- &ctxt->exception); ++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg); + if (ret != X86EMUL_CONTINUE) + return ret; + + if (old_tss_sel != 0xffff) { + tss_seg.prev_task_link = old_tss_sel; + +- ret = ops->write_std(ctxt, new_tss_base, +- &tss_seg.prev_task_link, +- sizeof tss_seg.prev_task_link, +- &ctxt->exception); ++ ret = linear_write_system(ctxt, new_tss_base, ++ &tss_seg.prev_task_link, ++ sizeof tss_seg.prev_task_link); + if (ret != X86EMUL_CONTINUE) + return ret; + } +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index a750fc7c7458..63c44a9bf6bb 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6692,8 +6692,7 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason, + vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva)) + return 1; + +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr, +- sizeof(vmptr), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &vmptr, sizeof(vmptr), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -7211,8 +7210,8 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + vmx_instruction_info, true, &gva)) + return 1; + /* _system ok, as nested_vmx_check_permission verified cpl=0 */ +- kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva, +- &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL); ++ kvm_write_guest_virt_system(vcpu, gva, &field_value, ++ (is_long_mode(vcpu) ? 8 : 4), NULL); + } + + nested_vmx_succeed(vcpu); +@@ -7247,8 +7246,8 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu) + if (get_vmx_mem_address(vcpu, exit_qualification, + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, +- &field_value, (is_64_bit_mode(vcpu) ? 
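Review bot: In the handle_vmread() hunk the result of `kvm_write_guest_virt_system(vcpu, gva, &field_value, ..., NULL)` is still discarded and the exception pointer is NULL, so a guest-supplied `gva` that fails translation leaves the destination unwritten while `nested_vmx_succeed(vcpu)` is still reported. The handle_vmptrst() hunk in the same file already shows the pattern to follow: pass `&e`, and on a non-zero return inject the page fault and return. The function's local declarations are outside the hunk, so check whether a `struct x86_exception e` already exists there before adding one.

```c
/* … unchanged: get_vmx_mem_address() computes gva … */
/* _system ok, as nested_vmx_check_permission verified cpl=0 */
if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
				(is_long_mode(vcpu) ? 8 : 4), &e)) {
	kvm_inject_page_fault(vcpu, &e);
	return 1;
}
```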
8 : 4), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &field_value, ++ (is_64_bit_mode(vcpu) ? 8 : 4), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -7338,9 +7337,9 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) + vmx_instruction_info, true, &vmcs_gva)) + return 1; + /* ok to use *_system, as nested_vmx_check_permission verified cpl=0 */ +- if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva, +- (void *)&to_vmx(vcpu)->nested.current_vmptr, +- sizeof(u64), &e)) { ++ if (kvm_write_guest_virt_system(vcpu, vmcs_gva, ++ (void *)&to_vmx(vcpu)->nested.current_vmptr, ++ sizeof(u64), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -7394,8 +7393,7 @@ static int handle_invept(struct kvm_vcpu *vcpu) + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand, +- sizeof(operand), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -7454,8 +7452,7 @@ static int handle_invvpid(struct kvm_vcpu *vcpu) + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vpid, +- sizeof(u32), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &vpid, sizeof(u32), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 9cea09597d66..53d43d22a84b 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4245,11 +4245,10 @@ static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt, + return X86EMUL_CONTINUE; + } + +-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt, ++int kvm_read_guest_virt(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception) + { +- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + u32 access = 
(kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; + + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, +@@ -4257,12 +4256,17 @@ int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt, + } + EXPORT_SYMBOL_GPL(kvm_read_guest_virt); + +-static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, +- gva_t addr, void *val, unsigned int bytes, +- struct x86_exception *exception) ++static int emulator_read_std(struct x86_emulate_ctxt *ctxt, ++ gva_t addr, void *val, unsigned int bytes, ++ struct x86_exception *exception, bool system) + { + struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); +- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); ++ u32 access = 0; ++ ++ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3) ++ access |= PFERR_USER_MASK; ++ ++ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception); + } + + static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, +@@ -4274,18 +4278,16 @@ static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, + return r < 0 ? 
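Review bot: The new `bool system` parameter of emulator_read_std() carries the privilege decision for the access but is undocumented, and callers pass bare `true`/`false`. A comment above the function would make the contract explicit, for example `/* system: implicit supervisor access made by the emulator itself; when false, a CPL 3 guest is walked with PFERR_USER_MASK */`. The same comment is needed on emulator_write_std() in the later hunk of this file. In arch/x86/kvm/emulate.c the two reads in emulator_io_port_access_allowed() call `ops->read_std(..., NULL, true)` directly instead of going through linear_read_system(), presumably because they pass no exception; a one-line comment there saying why the I/O bitmap read is a system access would help the next reader.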
X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; + } + +-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, +- gva_t addr, void *val, +- unsigned int bytes, +- struct x86_exception *exception) ++static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes, ++ struct kvm_vcpu *vcpu, u32 access, ++ struct x86_exception *exception) + { +- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + void *data = val; + int r = X86EMUL_CONTINUE; + + while (bytes) { + gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, +- PFERR_WRITE_MASK, ++ access, + exception); + unsigned offset = addr & (PAGE_SIZE-1); + unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset); +@@ -4306,6 +4308,27 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + out: + return r; + } ++ ++static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val, ++ unsigned int bytes, struct x86_exception *exception, ++ bool system) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ u32 access = PFERR_WRITE_MASK; ++ ++ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3) ++ access |= PFERR_USER_MASK; ++ ++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, ++ access, exception); ++} ++ ++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val, ++ unsigned int bytes, struct x86_exception *exception) ++{ ++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, ++ PFERR_WRITE_MASK, exception); ++} + EXPORT_SYMBOL_GPL(kvm_write_guest_virt_system); + + static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva, +@@ -5025,8 +5048,8 @@ static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_fla + static const struct x86_emulate_ops emulate_ops = { + .read_gpr = emulator_read_gpr, + .write_gpr = emulator_write_gpr, +- .read_std = kvm_read_guest_virt_system, +- .write_std = kvm_write_guest_virt_system, ++ .read_std = emulator_read_std, ++ .write_std = emulator_write_std, + .read_phys = 
kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h +index f2afa5fe48a6..53a750a10598 100644 +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -164,11 +164,11 @@ int kvm_inject_realmode_interrupt(struct kvm_vcpu *vcpu, int irq, int inc_eip); + + void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr); + +-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt, ++int kvm_read_guest_virt(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception); + +-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, ++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception); + +diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c +index 90555bf60aa4..92e2eacb3321 100644 +--- a/arch/x86/mm/setup_nx.c ++++ b/arch/x86/mm/setup_nx.c +@@ -31,7 +31,7 @@ early_param("noexec", noexec_setup); + + void x86_configure_nx(void) + { +- if (cpu_has_nx && !disable_nx) ++ if (boot_cpu_has(X86_FEATURE_NX) && !disable_nx) + __supported_pte_mask |= _PAGE_NX; + else + __supported_pte_mask &= ~_PAGE_NX; +@@ -39,7 +39,7 @@ void x86_configure_nx(void) + + void __init x86_report_nx(void) + { +- if (!cpu_has_nx) { ++ if (!boot_cpu_has(X86_FEATURE_NX)) { + printk(KERN_NOTICE "Notice: NX (Execute Disable) protection " + "missing in CPU!\n"); + } else { +diff --git a/drivers/char/hw_random/via-rng.c b/drivers/char/hw_random/via-rng.c +index 0c98a9d51a24..44ce80606944 100644 +--- a/drivers/char/hw_random/via-rng.c ++++ b/drivers/char/hw_random/via-rng.c +@@ -140,7 +140,7 @@ static int via_rng_init(struct hwrng *rng) + * RNG configuration like it used to be the case in this + * register */ + if ((c->x86 == 6) && (c->x86_model >= 0x0f)) { +- if (!cpu_has_xstore_enabled) { ++ if (!boot_cpu_has(X86_FEATURE_XSTORE_EN)) { + pr_err(PFX "can't enable hardware RNG 
" + "if XSTORE is not enabled\n"); + return -ENODEV; +@@ -200,8 +200,9 @@ static int __init mod_init(void) + { + int err; + +- if (!cpu_has_xstore) ++ if (!boot_cpu_has(X86_FEATURE_XSTORE)) + return -ENODEV; ++ + pr_info("VIA RNG detected\n"); + err = hwrng_register(&via_rng); + if (err) { +diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c +index da2d6777bd09..97a364694bfc 100644 +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -515,7 +515,7 @@ static int __init padlock_init(void) + if (!x86_match_cpu(padlock_cpu_id)) + return -ENODEV; + +- if (!cpu_has_xcrypt_enabled) { ++ if (!boot_cpu_has(X86_FEATURE_XCRYPT_EN)) { + printk(KERN_NOTICE PFX "VIA PadLock detected, but not enabled. Hmm, strange...\n"); + return -ENODEV; + } +diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c +index 4e154c9b9206..8c5f90647b7a 100644 +--- a/drivers/crypto/padlock-sha.c ++++ b/drivers/crypto/padlock-sha.c +@@ -540,7 +540,7 @@ static int __init padlock_init(void) + struct shash_alg *sha1; + struct shash_alg *sha256; + +- if (!x86_match_cpu(padlock_sha_ids) || !cpu_has_phe_enabled) ++ if (!x86_match_cpu(padlock_sha_ids) || !boot_cpu_has(X86_FEATURE_PHE_EN)) + return -ENODEV; + + /* Register the newly added algorithm module if on * +diff --git a/drivers/crypto/vmx/aes.c b/drivers/crypto/vmx/aes.c +index 263af709e536..b907e4b1bbe2 100644 +--- a/drivers/crypto/vmx/aes.c ++++ b/drivers/crypto/vmx/aes.c +@@ -53,8 +53,6 @@ static int p8_aes_init(struct crypto_tfm *tfm) + alg, PTR_ERR(fallback)); + return PTR_ERR(fallback); + } +- printk(KERN_INFO "Using '%s' as fallback implementation.\n", +- crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback)); + + crypto_cipher_set_flags(fallback, + crypto_cipher_get_flags((struct +diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c +index 3f8bb9a40df1..9506e8693c81 100644 +--- a/drivers/crypto/vmx/aes_cbc.c ++++ b/drivers/crypto/vmx/aes_cbc.c +@@ -55,8 +55,6 
@@ static int p8_aes_cbc_init(struct crypto_tfm *tfm) + alg, PTR_ERR(fallback)); + return PTR_ERR(fallback); + } +- printk(KERN_INFO "Using '%s' as fallback implementation.\n", +- crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback)); + + crypto_blkcipher_set_flags( + fallback, +diff --git a/drivers/crypto/vmx/aes_ctr.c b/drivers/crypto/vmx/aes_ctr.c +index d83ab4bac8b1..7d070201b3d3 100644 +--- a/drivers/crypto/vmx/aes_ctr.c ++++ b/drivers/crypto/vmx/aes_ctr.c +@@ -53,8 +53,6 @@ static int p8_aes_ctr_init(struct crypto_tfm *tfm) + alg, PTR_ERR(fallback)); + return PTR_ERR(fallback); + } +- printk(KERN_INFO "Using '%s' as fallback implementation.\n", +- crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback)); + + crypto_blkcipher_set_flags( + fallback, +diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c +index 9cb3a0b715e2..84b9389bf1ed 100644 +--- a/drivers/crypto/vmx/ghash.c ++++ b/drivers/crypto/vmx/ghash.c +@@ -64,8 +64,6 @@ static int p8_ghash_init_tfm(struct crypto_tfm *tfm) + alg, PTR_ERR(fallback)); + return PTR_ERR(fallback); + } +- printk(KERN_INFO "Using '%s' as fallback implementation.\n", +- crypto_tfm_alg_driver_name(crypto_shash_tfm(fallback))); + + crypto_shash_set_flags(fallback, + crypto_shash_get_flags((struct crypto_shash +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 759a39906a52..fe89fd56eabf 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2117,6 +2117,8 @@ struct gpio_desc *__must_check gpiod_get_index(struct device *dev, + struct gpio_desc *desc = NULL; + int status; + enum gpio_lookup_flags lookupflags = 0; ++ /* Maybe we have a device name, maybe not */ ++ const char *devname = dev ? 
dev_name(dev) : "?"; + + dev_dbg(dev, "GPIO lookup for consumer %s\n", con_id); + +@@ -2145,8 +2147,11 @@ struct gpio_desc *__must_check gpiod_get_index(struct device *dev, + return desc; + } + +- /* If a connection label was passed use that, else use the device name as label */ +- status = gpiod_request(desc, con_id ? con_id : dev_name(dev)); ++ /* ++ * If a connection label was passed use that, else attempt to use ++ * the device name as label ++ */ ++ status = gpiod_request(desc, con_id ? con_id : devname); + if (status < 0) + return ERR_PTR(status); + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 3851d5715772..aeb8250ab079 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1249,6 +1249,7 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN060B", 0 }, + { "ELAN060C", 0 }, + { "ELAN0611", 0 }, ++ { "ELAN0612", 0 }, + { "ELAN1000", 0 }, + { } + }; +diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c +index 4d113c9e4b77..7bf2597ce44c 100644 +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -425,6 +425,7 @@ MODULE_DEVICE_TABLE(i2c, goodix_ts_id); + #ifdef CONFIG_ACPI + static const struct acpi_device_id goodix_acpi_match[] = { + { "GDIX1001", 0 }, ++ { "GDIX1002", 0 }, + { } + }; + MODULE_DEVICE_TABLE(acpi, goodix_acpi_match); +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index e9b241b1c9dd..ac596928f6b4 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -753,7 +753,7 @@ static inline void set_irq_posting_cap(void) + * should have X86_FEATURE_CX16 support, this has been confirmed + * with Intel hardware guys. 
+ */ +- if ( cpu_has_cx16 ) ++ if (boot_cpu_has(X86_FEATURE_CX16)) + intel_irq_remap_ops.capability |= 1 << IRQ_POSTING_CAP; + + for_each_iommu(iommu, drhd) +diff --git a/drivers/misc/vmw_balloon.c b/drivers/misc/vmw_balloon.c +index 1e688bfec567..fe90b7e04427 100644 +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -576,15 +576,9 @@ static void vmballoon_pop(struct vmballoon *b) + } + } + +- if (b->batch_page) { +- vunmap(b->batch_page); +- b->batch_page = NULL; +- } +- +- if (b->page) { +- __free_page(b->page); +- b->page = NULL; +- } ++ /* Clearing the batch_page unconditionally has no adverse effect */ ++ free_page((unsigned long)b->batch_page); ++ b->batch_page = NULL; + } + + /* +@@ -991,16 +985,13 @@ static const struct vmballoon_ops vmballoon_batched_ops = { + + static bool vmballoon_init_batching(struct vmballoon *b) + { +- b->page = alloc_page(VMW_PAGE_ALLOC_NOSLEEP); +- if (!b->page) +- return false; ++ struct page *page; + +- b->batch_page = vmap(&b->page, 1, VM_MAP, PAGE_KERNEL); +- if (!b->batch_page) { +- __free_page(b->page); ++ page = alloc_page(GFP_KERNEL | __GFP_ZERO); ++ if (!page) + return false; +- } + ++ b->batch_page = page_address(page); + return true; + } + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 312343beb249..4d532a085db9 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -860,15 +860,12 @@ static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p) + dma->rx_conf.direction = DMA_DEV_TO_MEM; + dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH; +- dma->rx_conf.src_maxburst = 16; ++ dma->rx_conf.src_maxburst = 1; + + dma->tx_conf.direction = DMA_MEM_TO_DEV; + dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH; +- if (dma_get_cache_alignment() >= 16) +- dma->tx_conf.dst_maxburst = 16; +- else +- 
dma->tx_conf.dst_maxburst = 1; ++ dma->tx_conf.dst_maxburst = 1; + + dma_cap_zero(mask); + dma_cap_set(DMA_SLAVE, mask); +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 208b3f5ffb3f..7efd70bfeaf7 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -923,7 +923,7 @@ static int check_async_write(struct inode *inode, unsigned long bio_flags) + if (bio_flags & EXTENT_BIO_TREE_LOG) + return 0; + #ifdef CONFIG_X86 +- if (cpu_has_xmm4_2) ++ if (static_cpu_has_safe(X86_FEATURE_XMM4_2)) + return 0; + #endif + return 1; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index da79e9d66e5b..240cbaee819f 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -926,9 +926,9 @@ static inline struct file *get_file(struct file *f) + /* Page cache limit. The filesystems should put that into their s_maxbytes + limits, otherwise bad things can happen in VM. */ + #if BITS_PER_LONG==32 +-#define MAX_LFS_FILESIZE (((loff_t)PAGE_CACHE_SIZE << (BITS_PER_LONG-1))-1) ++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT) + #elif BITS_PER_LONG==64 +-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL) ++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX) + #endif + + #define FL_POSIX 1 +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 15150b412930..3ba903ff2bb0 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -437,6 +437,24 @@ static int verify_address_len(const void *p) + return 0; + } + ++static inline int sadb_key_len(const struct sadb_key *key) ++{ ++ int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8); ++ ++ return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes, ++ sizeof(uint64_t)); ++} ++ ++static int verify_key_len(const void *p) ++{ ++ const struct sadb_key *key = p; ++ ++ if (sadb_key_len(key) > key->sadb_key_len) ++ return -EINVAL; ++ ++ return 0; ++} ++ + static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx) + { + return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) + +@@ -533,16 +551,25 @@ static int 
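Review bot: sadb_key_len() returns a count of 64-bit words rather than bytes, and it shares its name with the `sadb_key_len` field it is compared against, which makes verify_key_len() easy to misread. A comment above the helper such as `/* extension length, in 64-bit words, needed to hold sadb_key_bits; same unit as key->sadb_key_len */` would pin the unit. The later hunk in pfkey_msg2xfrm_state() drops its own length comparison and keeps only `key->sadb_key_bits == 0`, so those two checks now depend on parse_exthdrs() having run verify_key_len() for SADB_EXT_KEY_AUTH and SADB_EXT_KEY_ENCRYPT. A comment at those checks stating that dependency would warn against reading the key bytes on any path that did not go through parse_exthdrs().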
parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void * + return -EINVAL; + if (ext_hdrs[ext_type-1] != NULL) + return -EINVAL; +- if (ext_type == SADB_EXT_ADDRESS_SRC || +- ext_type == SADB_EXT_ADDRESS_DST || +- ext_type == SADB_EXT_ADDRESS_PROXY || +- ext_type == SADB_X_EXT_NAT_T_OA) { ++ switch (ext_type) { ++ case SADB_EXT_ADDRESS_SRC: ++ case SADB_EXT_ADDRESS_DST: ++ case SADB_EXT_ADDRESS_PROXY: ++ case SADB_X_EXT_NAT_T_OA: + if (verify_address_len(p)) + return -EINVAL; +- } +- if (ext_type == SADB_X_EXT_SEC_CTX) { ++ break; ++ case SADB_X_EXT_SEC_CTX: + if (verify_sec_ctx_len(p)) + return -EINVAL; ++ break; ++ case SADB_EXT_KEY_AUTH: ++ case SADB_EXT_KEY_ENCRYPT: ++ if (verify_key_len(p)) ++ return -EINVAL; ++ break; ++ default: ++ break; + } + ext_hdrs[ext_type-1] = (void *) p; + } +@@ -1111,14 +1138,12 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net, + key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; + if (key != NULL && + sa->sadb_sa_auth != SADB_X_AALG_NULL && +- ((key->sadb_key_bits+7) / 8 == 0 || +- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t))) ++ key->sadb_key_bits == 0) + return ERR_PTR(-EINVAL); + key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1]; + if (key != NULL && + sa->sadb_sa_encrypt != SADB_EALG_NULL && +- ((key->sadb_key_bits+7) / 8 == 0 || +- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t))) ++ key->sadb_key_bits == 0) + return ERR_PTR(-EINVAL); + + x = xfrm_state_alloc(net); diff --git a/patch/kernel/mvebu-default/04-patch-4.4.138-139.patch b/patch/kernel/mvebu-default/04-patch-4.4.138-139.patch new file mode 100644 index 0000000000..a5150e7fc4 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.138-139.patch 
@@ -0,0 +1,2867 @@ +diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt +index b784c270105f..ed6f6abaad57 100644 +--- a/Documentation/printk-formats.txt ++++ b/Documentation/printk-formats.txt +@@ -273,11 +273,10 @@ struct clk: + + %pC pll1 + %pCn pll1 +- %pCr 1560000000 + + For printing struct clk structures. '%pC' and '%pCn' print the name + (Common Clock Framework) or address (legacy clock framework) of the +- structure; '%pCr' prints the current clock rate. ++ structure. + + Passed by reference. + +diff --git a/Makefile b/Makefile +index 1a8c0fc6b997..20a11fd36656 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 138 ++SUBLEVEL = 139 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/include/asm/kgdb.h b/arch/arm/include/asm/kgdb.h +index 0a9d5dd93294..6949c7d4481c 100644 +--- a/arch/arm/include/asm/kgdb.h ++++ b/arch/arm/include/asm/kgdb.h +@@ -76,7 +76,7 @@ extern int kgdb_fault_expected; + + #define KGDB_MAX_NO_CPUS 1 + #define BUFMAX 400 +-#define NUMREGBYTES (DBG_MAX_REG_NUM << 2) ++#define NUMREGBYTES (GDB_MAX_REGS << 2) + #define NUMCRITREGBYTES (32 << 2) + + #define _R0 0 +diff --git a/arch/m68k/mm/kmap.c b/arch/m68k/mm/kmap.c +index 6e4955bc542b..fcd52cefee29 100644 +--- a/arch/m68k/mm/kmap.c ++++ b/arch/m68k/mm/kmap.c +@@ -88,7 +88,8 @@ static inline void free_io_area(void *addr) + for (p = &iolist ; (tmp = *p) ; p = &tmp->next) { + if (tmp->addr == addr) { + *p = tmp->next; +- __iounmap(tmp->addr, tmp->size); ++ /* remove gap added in get_io_area() */ ++ __iounmap(tmp->addr, tmp->size - IO_SIZE); + kfree(tmp); + return; + } +diff --git a/arch/mips/bcm47xx/setup.c b/arch/mips/bcm47xx/setup.c +index 6d38948f0f1e..4ca33175ec05 100644 +--- a/arch/mips/bcm47xx/setup.c ++++ b/arch/mips/bcm47xx/setup.c +@@ -249,6 +249,12 @@ static int __init bcm47xx_cpu_fixes(void) + */ + if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706) + cpu_wait = NULL; ++ ++ /* ++ 
* BCM47XX Erratum "R10: PCIe Transactions Periodically Fail" ++ * Enable ExternalSync for sync instruction to take effect ++ */ ++ set_c0_config7(MIPS_CONF7_ES); + break; + #endif + } +diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h +index d10fd80dbb7e..75fa296836fc 100644 +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -411,6 +411,8 @@ static inline type pfx##in##bwlq##p(unsigned long port) \ + __val = *__addr; \ + slow; \ + \ ++ /* prevent prefetching of coherent DMA data prematurely */ \ ++ rmb(); \ + return pfx##ioswab##bwlq(__addr, __val); \ + } + +diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h +index e43aca183c99..15c183ce9d4f 100644 +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -605,6 +605,8 @@ + #define MIPS_CONF7_WII (_ULCAST_(1) << 31) + + #define MIPS_CONF7_RPS (_ULCAST_(1) << 2) ++/* ExternalSync */ ++#define MIPS_CONF7_ES (_ULCAST_(1) << 8) + + #define MIPS_CONF7_IAR (_ULCAST_(1) << 10) + #define MIPS_CONF7_AR (_ULCAST_(1) << 16) +@@ -2012,6 +2014,7 @@ __BUILD_SET_C0(status) + __BUILD_SET_C0(cause) + __BUILD_SET_C0(config) + __BUILD_SET_C0(config5) ++__BUILD_SET_C0(config7) + __BUILD_SET_C0(intcontrol) + __BUILD_SET_C0(intctl) + __BUILD_SET_C0(srsmap) +diff --git a/arch/mips/kernel/mcount.S b/arch/mips/kernel/mcount.S +index 2f7c734771f4..0df911e772ae 100644 +--- a/arch/mips/kernel/mcount.S ++++ b/arch/mips/kernel/mcount.S +@@ -116,10 +116,20 @@ ftrace_stub: + NESTED(_mcount, PT_SIZE, ra) + PTR_LA t1, ftrace_stub + PTR_L t2, ftrace_trace_function /* Prepare t2 for (1) */ +- bne t1, t2, static_trace ++ beq t1, t2, fgraph_trace + nop + ++ MCOUNT_SAVE_REGS ++ ++ move a0, ra /* arg1: self return address */ ++ jalr t2 /* (1) call *ftrace_trace_function */ ++ move a1, AT /* arg2: parent's return address */ ++ ++ MCOUNT_RESTORE_REGS ++ ++fgraph_trace: + #ifdef CONFIG_FUNCTION_GRAPH_TRACER ++ PTR_LA t1, ftrace_stub + PTR_L t3, 
ftrace_graph_return + bne t1, t3, ftrace_graph_caller + nop +@@ -128,24 +138,11 @@ NESTED(_mcount, PT_SIZE, ra) + bne t1, t3, ftrace_graph_caller + nop + #endif +- b ftrace_stub +-#ifdef CONFIG_32BIT +- addiu sp, sp, 8 +-#else +- nop +-#endif + +-static_trace: +- MCOUNT_SAVE_REGS +- +- move a0, ra /* arg1: self return address */ +- jalr t2 /* (1) call *ftrace_trace_function */ +- move a1, AT /* arg2: parent's return address */ +- +- MCOUNT_RESTORE_REGS + #ifdef CONFIG_32BIT + addiu sp, sp, 8 + #endif ++ + .globl ftrace_stub + ftrace_stub: + RETURN_BACK +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S +index 2837232bbffb..59be96917369 100644 +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -574,6 +574,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT) + * actually hit this code path. + */ + ++ isync + slbie r6 + slbie r6 /* Workaround POWER5 < DD2.1 issue */ + slbmte r7,r0 +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index 26d091a1a54c..791d4c3329c3 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -1025,6 +1025,9 @@ void fadump_cleanup(void) + init_fadump_mem_struct(&fdm, + be64_to_cpu(fdm_active->cpu_state_data.destination_address)); + fadump_invalidate_dump(&fdm); ++ } else if (fw_dump.dump_registered) { ++ /* Un-register Firmware-assisted dump if it was registered. 
*/ ++ fadump_unregister_dump(&fdm); + } + } + +diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c +index fdf48785d3e9..56e4571e3a02 100644 +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp) + if (cpu_has_feature(CPU_FTR_DAWR)) { + length_max = 512 ; /* 64 doublewords */ + /* DAWR region can't cross 512 boundary */ +- if ((bp->attr.bp_addr >> 10) != +- ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10)) ++ if ((bp->attr.bp_addr >> 9) != ++ ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9)) + return -EINVAL; + } + if (info->len > +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index b38fd081b222..3b63655efa3c 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -1004,6 +1004,7 @@ static int ptrace_set_debugreg(struct task_struct *task, unsigned long addr, + /* Create a new breakpoint request if one doesn't exist already */ + hw_breakpoint_init(&attr); + attr.bp_addr = hw_brk.address; ++ attr.bp_len = 8; + arch_bp_generic_fields(hw_brk.type, + &attr.bp_type); + +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index 814ef83c6720..e3a6f66d288c 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -38,7 +38,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, + { + unsigned long mask; + +- asm ("cmp %1,%2; sbb %0,%0;" ++ asm volatile ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) + :"r"(size),"r" (index) + :"cc"); +diff --git a/arch/xtensa/kernel/traps.c b/arch/xtensa/kernel/traps.c +index 42d441f7898b..1edce040f470 100644 +--- a/arch/xtensa/kernel/traps.c ++++ b/arch/xtensa/kernel/traps.c +@@ -309,7 +309,7 @@ do_unaligned_user (struct pt_regs *regs) + info.si_errno = 0; + info.si_code = BUS_ADRALN; + info.si_addr = (void *) regs->excvaddr; +- force_sig_info(SIGSEGV, &info, current); ++ 
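Review bot: The boundary test in the `CPU_FTR_DAWR` branch encodes the 512-byte limit twice, as `length_max = 512` and as the literal shift `>> 9`, and the removed lines show the two had already drifted apart (`>> 10` against the same 512 limit). Deriving both from one named constant would keep them in step, e.g. `#define DAWR_REGION_SHIFT 9 /* 512-byte region */` (the name is only a suggestion) with `length_max = 1 << DAWR_REGION_SHIFT`. Separately, `bp->attr.bp_addr + bp->attr.bp_len - 1` is computed straight from the attributes in `bp->attr`. Whether a zero `bp_len` or a wrapping sum is rejected earlier is not visible here, and the function continues outside the hunk.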
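Review bot: The switch to `asm volatile` in array_index_mask_nospec() carries no comment, so the reason the qualifier is needed is easy to lose in a later cleanup. An `asm` with outputs and no `volatile` may be moved, merged with an identical statement or dropped by the compiler when it judges the result redundant. That would presumably defeat a mask that has to be recomputed from `index` and `size` at each use. A one-line comment above the statement, such as `/* volatile: the mask must be recomputed at every call site, not hoisted or merged */`, would document it. The function's signature and return are outside the hunk.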
force_sig_info(SIGBUS, &info, current); + + } + #endif +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index f9b86a1d922d..9afd06ee5b30 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4247,9 +4247,6 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, + +- /* Sandisk devices which are known to not handle LPM well */ +- { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, +- + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index f3a65a3140d3..0ad96c647541 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -34,7 +34,7 @@ struct zpodd { + static int eject_tray(struct ata_device *dev) + { + struct ata_taskfile tf; +- const char cdb[] = { GPCMD_START_STOP_UNIT, ++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT, + 0, 0, 0, + 0x02, /* LoEj */ + 0, 0, 0, 0, 0, 0, 0, +@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + unsigned int ret; + struct rm_feature_desc *desc = (void *)(buf + 8); + struct ata_taskfile tf; +- char cdb[] = { GPCMD_GET_CONFIGURATION, ++ static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c +index 6eab52b92e01..c302f47f6323 100644 +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1149,8 +1149,8 @@ static void eprom_get_byte(struct zatm_dev *zatm_dev, unsigned char *byte, + } + + +-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd, +- int offset, int swap) ++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset, ++ int swap) + { + unsigned char 
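Review bot: The two `cdb` arrays changed in this file are now declared differently: eject_tray() uses `static const char cdb[ATAPI_CDB_LEN]`, while zpodd_get_mech_type() in this hunk keeps an unsized `static const char cdb[]`. The initializer continues past the hunk, so its element count cannot be checked here. If it lists fewer than `ATAPI_CDB_LEN` bytes and the consumer reads a full CDB, as the explicit size in eject_tray() suggests, the shorter array would be read past its end. Sizing it the same way, `static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,`, zero-fills the tail and makes the two functions consistent.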
buf[ZEPROM_SIZE]; + struct zatm_dev *zatm_dev; +diff --git a/drivers/base/core.c b/drivers/base/core.c +index afe045792796..049ccc070ce5 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -759,7 +759,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) + + dir = kzalloc(sizeof(*dir), GFP_KERNEL); + if (!dir) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + dir->class = class; + kobject_init(&dir->kobj, &class_dir_ktype); +@@ -769,7 +769,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) + retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); + if (retval < 0) { + kobject_put(&dir->kobj); +- return NULL; ++ return ERR_PTR(retval); + } + return &dir->kobj; + } +@@ -1076,6 +1076,10 @@ int device_add(struct device *dev) + + parent = get_device(dev->parent); + kobj = get_device_parent(dev, parent); ++ if (IS_ERR(kobj)) { ++ error = PTR_ERR(kobj); ++ goto parent_error; ++ } + if (kobj) + dev->kobj.parent = kobj; + +@@ -1174,6 +1178,7 @@ done: + kobject_del(&dev->kobj); + Error: + cleanup_glue_dir(dev, glue_dir); ++parent_error: + put_device(parent); + name_error: + kfree(dev->p); +@@ -1990,6 +1995,11 @@ int device_move(struct device *dev, struct device *new_parent, + device_pm_lock(); + new_parent = get_device(new_parent); + new_parent_kobj = get_device_parent(dev, new_parent); ++ if (IS_ERR(new_parent_kobj)) { ++ error = PTR_ERR(new_parent_kobj); ++ put_device(new_parent); ++ goto out; ++ } + + pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), + __func__, new_parent ? 
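Review bot: class_dir_create_and_add() now returns `ERR_PTR(-ENOMEM)` or `ERR_PTR(retval)` where both failure paths used to return `NULL`, so a caller that still tests the result with a plain `if (kobj)` would treat an error pointer as a valid kobject. This applies to both the `@@ -759` and `@@ -769` hunks. The later hunks add `IS_ERR()` checks in device_add() and device_move() on the result of get_device_parent(), which presumably forwards this value. Any other callers, and the forwarding path itself, are outside the hunks and should be confirmed to handle the new return. A short comment above the function stating the contract, e.g. `/* Returns the class directory kobject, or an ERR_PTR() on failure */`, would help.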
dev_name(new_parent) : ""); +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 8a3bf0a8c31d..476d39c7ba20 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -939,6 +939,12 @@ static int qca_setup(struct hci_uart *hu) + } else if (ret == -ENOENT) { + /* No patch/nvm-config found, run with original fw/config */ + ret = 0; ++ } else if (ret == -EAGAIN) { ++ /* ++ * Userspace firmware loader will return -EAGAIN in case no ++ * patch/nvm-config is found, so run with original fw/config. ++ */ ++ ret = 0; + } + + /* Setup bdaddr */ +diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c +index feafdab734ae..4835b588b783 100644 +--- a/drivers/char/ipmi/ipmi_bt_sm.c ++++ b/drivers/char/ipmi/ipmi_bt_sm.c +@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct si_sm_data *bt, long time) + if (status & BT_H_BUSY) /* clear a leftover H_BUSY */ + BT_CONTROL(BT_H_BUSY); + ++ bt->timeout = bt->BT_CAP_req2rsp; ++ + /* Read BT capabilities if it hasn't been done yet */ + if (!bt->BT_CAP_outreqs) + BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN, + SI_SM_CALL_WITHOUT_DELAY); +- bt->timeout = bt->BT_CAP_req2rsp; + BT_SI_SM_RETURN(SI_SM_IDLE); + + case BT_STATE_XACTION_START: +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index ebed319657e7..68b604ad8413 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -603,6 +603,8 @@ static ssize_t store_##file_name \ + struct cpufreq_policy new_policy; \ + \ + memcpy(&new_policy, policy, sizeof(*policy)); \ ++ new_policy.min = policy->user_policy.min; \ ++ new_policy.max = policy->user_policy.max; \ + \ + ret = sscanf(buf, "%u", &new_policy.object); \ + if (ret != 1) \ +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c +index c44a843cb405..44ebda8bbc84 100644 +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -29,9 +29,31 @@ struct cpuidle_driver 
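Review bot: The new `-EAGAIN` branch in qca_setup() repeats the body of the `-ENOENT` branch directly above it, and it treats a code that usually means "try again" as "no patch/nvm-config present". Folding the two into one condition, `} else if (ret == -ENOENT || ret == -EAGAIN) {`, with a single comment covering both cases, removes the duplication. If `-EAGAIN` can also come from a transient loader failure, which the hunk does not show, a log line here would make it visible that the controller is running without its firmware patch. The function starts and ends outside the hunk.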
powernv_idle_driver = { + + static int max_idle_state; + static struct cpuidle_state *cpuidle_state_table; +-static u64 snooze_timeout; ++static u64 default_snooze_timeout; + static bool snooze_timeout_en; + ++static u64 get_snooze_timeout(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, ++ int index) ++{ ++ int i; ++ ++ if (unlikely(!snooze_timeout_en)) ++ return default_snooze_timeout; ++ ++ for (i = index + 1; i < drv->state_count; i++) { ++ struct cpuidle_state *s = &drv->states[i]; ++ struct cpuidle_state_usage *su = &dev->states_usage[i]; ++ ++ if (s->disabled || su->disable) ++ continue; ++ ++ return s->target_residency * tb_ticks_per_usec; ++ } ++ ++ return default_snooze_timeout; ++} ++ + static int snooze_loop(struct cpuidle_device *dev, + struct cpuidle_driver *drv, + int index) +@@ -41,7 +63,7 @@ static int snooze_loop(struct cpuidle_device *dev, + local_irq_enable(); + set_thread_flag(TIF_POLLING_NRFLAG); + +- snooze_exit_time = get_tb() + snooze_timeout; ++ snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index); + ppc64_runlatch_off(); + while (!need_resched()) { + HMT_low(); +@@ -286,11 +308,9 @@ static int powernv_idle_probe(void) + cpuidle_state_table = powernv_states; + /* Device tree can indicate more idle states */ + max_idle_state = powernv_add_idle_states(); +- if (max_idle_state > 1) { ++ default_snooze_timeout = TICK_USEC * tb_ticks_per_usec; ++ if (max_idle_state > 1) + snooze_timeout_en = true; +- snooze_timeout = powernv_states[1].target_residency * +- tb_ticks_per_usec; +- } + } else + return -ENODEV; + +diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c +index 7ef9b13262a8..e44181f9eb36 100644 +--- a/drivers/iio/buffer/kfifo_buf.c ++++ b/drivers/iio/buffer/kfifo_buf.c +@@ -19,7 +19,7 @@ struct iio_kfifo { + #define iio_to_kfifo(r) container_of(r, struct iio_kfifo, buffer) + + static inline int __iio_allocate_kfifo(struct iio_kfifo *buf, +- int bytes_per_datum, int length) ++ size_t 
bytes_per_datum, unsigned int length) + { + if ((length == 0) || (bytes_per_datum == 0)) + return -EINVAL; +@@ -71,7 +71,7 @@ static int iio_set_bytes_per_datum_kfifo(struct iio_buffer *r, size_t bpd) + return 0; + } + +-static int iio_set_length_kfifo(struct iio_buffer *r, int length) ++static int iio_set_length_kfifo(struct iio_buffer *r, unsigned int length) + { + /* Avoid an invalid state */ + if (length < 2) +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index d862b9b7910e..199a9cdd0d12 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1780,7 +1780,6 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work) + "buf:%lld\n", wc.wr_id); + break; + default: +- BUG_ON(1); + break; + } + } else { +diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h +index 7df16f74bb45..c6c75b99cf2c 100644 +--- a/drivers/infiniband/hw/qib/qib.h ++++ b/drivers/infiniband/hw/qib/qib.h +@@ -1451,8 +1451,7 @@ u64 qib_sps_ints(void); + /* + * dma_addr wrappers - all 0's invalid for hw + */ +-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long, +- size_t, int); ++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr); + const char *qib_get_unit_name(int unit); + + /* +diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c +index 24f4a782e0f4..5908fd3af00d 100644 +--- a/drivers/infiniband/hw/qib/qib_file_ops.c ++++ b/drivers/infiniband/hw/qib/qib_file_ops.c +@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp, + goto done; + } + for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) { ++ dma_addr_t daddr; ++ + for (; ntids--; tid++) { + if (tid == tidcnt) + tid = 0; +@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp, + ret = -ENOMEM; + break; + } ++ ret = qib_map_page(dd->pcidev, pagep[i], &daddr); ++ if (ret) ++ break; ++ + tidlist[i] = 
tid + tidoff; + /* we "know" system pages and TID pages are same size */ + dd->pageshadow[ctxttid + tid] = pagep[i]; +- dd->physshadow[ctxttid + tid] = +- qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE, +- PCI_DMA_FROMDEVICE); ++ dd->physshadow[ctxttid + tid] = daddr; + /* + * don't need atomic or it's overhead + */ +diff --git a/drivers/infiniband/hw/qib/qib_user_pages.c b/drivers/infiniband/hw/qib/qib_user_pages.c +index 74f90b2619f6..ab1588ae1c85 100644 +--- a/drivers/infiniband/hw/qib/qib_user_pages.c ++++ b/drivers/infiniband/hw/qib/qib_user_pages.c +@@ -98,23 +98,27 @@ bail: + * + * I'm sure we won't be so lucky with other iommu's, so FIXME. + */ +-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page, +- unsigned long offset, size_t size, int direction) ++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr) + { + dma_addr_t phys; + +- phys = pci_map_page(hwdev, page, offset, size, direction); ++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE); ++ if (pci_dma_mapping_error(hwdev, phys)) ++ return -ENOMEM; + +- if (phys == 0) { +- pci_unmap_page(hwdev, phys, size, direction); +- phys = pci_map_page(hwdev, page, offset, size, direction); ++ if (!phys) { ++ pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE); ++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, ++ PCI_DMA_FROMDEVICE); ++ if (pci_dma_mapping_error(hwdev, phys)) ++ return -ENOMEM; + /* + * FIXME: If we get 0 again, we should keep this page, + * map another, then free the 0 page. 
+ */ + } +- +- return phys; ++ *daddr = phys; ++ return 0; + } + + /** +diff --git a/drivers/input/mouse/elan_i2c.h b/drivers/input/mouse/elan_i2c.h +index c0ec26118732..83dd0ce3ad2a 100644 +--- a/drivers/input/mouse/elan_i2c.h ++++ b/drivers/input/mouse/elan_i2c.h +@@ -27,6 +27,8 @@ + #define ETP_DISABLE_POWER 0x0001 + #define ETP_PRESSURE_OFFSET 25 + ++#define ETP_CALIBRATE_MAX_LEN 3 ++ + /* IAP Firmware handling */ + #define ETP_PRODUCT_ID_FORMAT_STRING "%d.0" + #define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin" +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index aeb8250ab079..97f6e05cffce 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -595,7 +595,7 @@ static ssize_t calibrate_store(struct device *dev, + int tries = 20; + int retval; + int error; +- u8 val[3]; ++ u8 val[ETP_CALIBRATE_MAX_LEN]; + + retval = mutex_lock_interruptible(&data->sysfs_mutex); + if (retval) +@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN060C", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0618", 0 }, + { "ELAN1000", 0 }, + { } + }; +diff --git a/drivers/input/mouse/elan_i2c_smbus.c b/drivers/input/mouse/elan_i2c_smbus.c +index 25dba1d7aa57..2ac85f5cbf31 100644 +--- a/drivers/input/mouse/elan_i2c_smbus.c ++++ b/drivers/input/mouse/elan_i2c_smbus.c +@@ -56,7 +56,7 @@ + static int elan_smbus_initialize(struct i2c_client *client) + { + u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 }; +- u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 }; ++ u8 values[I2C_SMBUS_BLOCK_MAX] = {0}; + int len, error; + + /* Get hello packet */ +@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i2c_client *client) + static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val) + { + int error; ++ u8 buf[I2C_SMBUS_BLOCK_MAX] = {0}; ++ ++ BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf)); + + error = 
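Review bot: After the retry in the `if (!phys)` branch, qib_map_page() tests only `pci_dma_mapping_error()`, so a second mapping that again comes back as 0 is stored in `*daddr` and reported as success. The FIXME kept in the hunk describes this case, and the comment in qib.h says all-zero addresses are invalid for the hardware. Until the FIXME is resolved, failing the call looks safer than handing the caller an address the device cannot use. One way is to add, after the second `pci_dma_mapping_error()` check, `if (!phys) { pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE); return -ENOMEM; }`. Whether a zero bus address can occur twice in a row depends on the IOMMU and is not visible here.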
i2c_smbus_read_block_data(client, +- ETP_SMBUS_CALIBRATE_QUERY, val); ++ ETP_SMBUS_CALIBRATE_QUERY, buf); + if (error < 0) + return error; + ++ memcpy(val, buf, ETP_CALIBRATE_MAX_LEN); + return 0; + } + +@@ -466,6 +470,8 @@ static int elan_smbus_get_report(struct i2c_client *client, u8 *report) + { + int len; + ++ BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN); ++ + len = i2c_smbus_read_block_data(client, + ETP_SMBUS_PACKET_QUERY, + &report[ETP_SMBUS_REPORT_OFFSET]); +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 06ea28e5d7b4..174bb52c578b 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -804,7 +804,7 @@ static int elantech_packet_check_v4(struct psmouse *psmouse) + else if (ic_version == 7 && etd->samples[1] == 0x2A) + sanity_check = ((packet[3] & 0x1c) == 0x10); + else +- sanity_check = ((packet[0] & 0x0c) == 0x04 && ++ sanity_check = ((packet[0] & 0x08) == 0x00 && + (packet[3] & 0x1c) == 0x10); + + if (!sanity_check) +@@ -1177,6 +1177,12 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = { + { } + }; + ++static const char * const middle_button_pnp_ids[] = { ++ "LEN2131", /* ThinkPad P52 w/ NFC */ ++ "LEN2132", /* ThinkPad P52 */ ++ NULL ++}; ++ + /* + * Set the appropriate event bits for the input subsystem + */ +@@ -1196,7 +1202,8 @@ static int elantech_set_input_params(struct psmouse *psmouse) + __clear_bit(EV_REL, dev->evbit); + + __set_bit(BTN_LEFT, dev->keybit); +- if (dmi_check_system(elantech_dmi_has_middle_button)) ++ if (dmi_check_system(elantech_dmi_has_middle_button) || ++ psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids)) + __set_bit(BTN_MIDDLE, dev->keybit); + __set_bit(BTN_RIGHT, dev->keybit); + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index a1cc797fe88f..315767e8ae4d 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1299,6 +1299,8 @@ static void schedule_external_copy(struct thin_c *tc, dm_block_t 
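Review bot: The `BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN)` added to elan_smbus_get_report() does not account for the read landing at `&report[ETP_SMBUS_REPORT_OFFSET]`. It bounds the block size against the report length, not against the space left in the caller's buffer after the offset. The size of that buffer is not visible in the hunk; if it is a named constant, the assertion would be tighter comparing `ETP_SMBUS_REPORT_OFFSET + I2C_SMBUS_BLOCK_MAX` with it. At minimum, a comment such as `/* report must hold ETP_SMBUS_REPORT_OFFSET + I2C_SMBUS_BLOCK_MAX bytes */` would state the requirement on callers. The function continues outside the hunk.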
virt_block, + + static void set_pool_mode(struct pool *pool, enum pool_mode new_mode); + ++static void requeue_bios(struct pool *pool); ++ + static void check_for_space(struct pool *pool) + { + int r; +@@ -1311,8 +1313,10 @@ static void check_for_space(struct pool *pool) + if (r) + return; + +- if (nr_free) ++ if (nr_free) { + set_pool_mode(pool, PM_WRITE); ++ requeue_bios(pool); ++ } + } + + /* +@@ -1389,7 +1393,10 @@ static int alloc_data_block(struct thin_c *tc, dm_block_t *result) + + r = dm_pool_alloc_data_block(pool->pmd, result); + if (r) { +- metadata_operation_failed(pool, "dm_pool_alloc_data_block", r); ++ if (r == -ENOSPC) ++ set_pool_mode(pool, PM_OUT_OF_DATA_SPACE); ++ else ++ metadata_operation_failed(pool, "dm_pool_alloc_data_block", r); + return r; + } + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 62c3328e2a1d..0663463df2f7 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2690,7 +2690,8 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + err = 0; + } + } else if (cmd_match(buf, "re-add")) { +- if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1)) { ++ if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) && ++ rdev->saved_raid_disk >= 0) { + /* clear_bit is performed _after_ all the devices + * have their local Faulty bit cleared. 
If any writes + * happen in the meantime in the local node, they +@@ -8153,6 +8154,7 @@ static int remove_and_add_spares(struct mddev *mddev, + if (mddev->pers->hot_remove_disk( + mddev, rdev) == 0) { + sysfs_unlink_rdev(mddev, rdev); ++ rdev->saved_raid_disk = rdev->raid_disk; + rdev->raid_disk = -1; + removed++; + } +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index e2a3833170e3..2c835e69c4df 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -230,8 +230,20 @@ static void dvb_frontend_add_event(struct dvb_frontend *fe, + wake_up_interruptible (&events->wait_queue); + } + ++static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv, ++ struct dvb_fe_events *events) ++{ ++ int ret; ++ ++ up(&fepriv->sem); ++ ret = events->eventw != events->eventr; ++ down(&fepriv->sem); ++ ++ return ret; ++} ++ + static int dvb_frontend_get_event(struct dvb_frontend *fe, +- struct dvb_frontend_event *event, int flags) ++ struct dvb_frontend_event *event, int flags) + { + struct dvb_frontend_private *fepriv = fe->frontend_priv; + struct dvb_fe_events *events = &fepriv->events; +@@ -249,13 +261,8 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, + if (flags & O_NONBLOCK) + return -EWOULDBLOCK; + +- up(&fepriv->sem); +- +- ret = wait_event_interruptible (events->wait_queue, +- events->eventw != events->eventr); +- +- if (down_interruptible (&fepriv->sem)) +- return -ERESTARTSYS; ++ ret = wait_event_interruptible(events->wait_queue, ++ dvb_frontend_test_event(fepriv, events)); + + if (ret < 0) + return ret; +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index 04ae21278440..77f54e4198d3 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -864,6 +864,9 @@ struct usb_device_id cx231xx_id_table[] = { + .driver_info = CX231XX_BOARD_CNXT_RDE_250}, + 
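Review bot: dvb_frontend_test_event() releases `fepriv->sem`, compares `events->eventw` with `events->eventr` while the semaphore is not held, and then re-takes it. That reads like an inverted lock/unlock pair unless the reader knows the caller enters with the semaphore held. A comment above the helper would remove the doubt, e.g. `/* Called with fepriv->sem held; drops it while testing for a pending event and re-takes it before returning */`. The helper also re-acquires with `down()` where the removed code in dvb_frontend_get_event() used `down_interruptible()` and returned `-ERESTARTSYS`, so a task waiting on the semaphore here can presumably no longer be interrupted by a signal. If that is intended, the comment should say so. dvb_frontend_get_event() starts and ends outside the second hunk.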
{USB_DEVICE(0x0572, 0x58A0), + .driver_info = CX231XX_BOARD_CNXT_RDU_250}, ++ /* AverMedia DVD EZMaker 7 */ ++ {USB_DEVICE(0x07ca, 0xc039), ++ .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER}, + {USB_DEVICE(0x2040, 0xb110), + .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL}, + {USB_DEVICE(0x2040, 0xb111), +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +index e0ae2f34623a..9292e35aef06 100644 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -864,7 +864,7 @@ static int put_v4l2_ext_controls32(struct file *file, + get_user(kcontrols, &kp->controls)) + return -EFAULT; + +- if (!count) ++ if (!count || count > (U32_MAX/sizeof(*ucontrols))) + return 0; + if (get_user(p, &up->controls)) + return -EFAULT; +diff --git a/drivers/mfd/intel-lpss.c b/drivers/mfd/intel-lpss.c +index fe89e5e337d5..ac867489b5a9 100644 +--- a/drivers/mfd/intel-lpss.c ++++ b/drivers/mfd/intel-lpss.c +@@ -269,11 +269,11 @@ static void intel_lpss_init_dev(const struct intel_lpss *lpss) + + intel_lpss_deassert_reset(lpss); + ++ intel_lpss_set_remap_addr(lpss); ++ + if (!intel_lpss_has_idma(lpss)) + return; + +- intel_lpss_set_remap_addr(lpss); +- + /* Make sure that SPI multiblock DMA transfers are re-enabled */ + if (lpss->type == LPSS_DEV_SPI) + writel(value, lpss->priv + LPSS_PRIV_SSP_REG); +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 31448a2b39ae..c484ca8c909c 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1878,7 +1878,7 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip, + if (time_after(jiffies, timeo) && !chip_ready(map, adr)) + break; + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, datum)) { + xip_enable(map, chip, adr); + goto op_done; + } +@@ -2533,7 +2533,7 @@ static int cfi_atmel_unlock(struct mtd_info *mtd, loff_t ofs, 
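Review bot: In put_v4l2_ext_controls32() the new bound `count > (U32_MAX/sizeof(*ucontrols))` shares the `return 0` of the `!count` case, so an out-of-range count is reported to the caller as success with the rest of the function skipped. Splitting the test keeps the empty case unchanged and surfaces the oversized one: `if (!count) return 0;` followed by `if (count > (U32_MAX / sizeof(*ucontrols))) return -EINVAL;`. Whether `count` can still be that large at this point depends on validation done on the way in. That validation is outside the hunk, as are the start and end of the function.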
uint64_t len) + + struct ppb_lock { + struct flchip *chip; +- loff_t offset; ++ unsigned long adr; + int locked; + }; + +@@ -2551,8 +2551,9 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map, + unsigned long timeo; + int ret; + ++ adr += chip->start; + mutex_lock(&chip->mutex); +- ret = get_chip(map, chip, adr + chip->start, FL_LOCKING); ++ ret = get_chip(map, chip, adr, FL_LOCKING); + if (ret) { + mutex_unlock(&chip->mutex); + return ret; +@@ -2570,8 +2571,8 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map, + + if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) { + chip->state = FL_LOCKING; +- map_write(map, CMD(0xA0), chip->start + adr); +- map_write(map, CMD(0x00), chip->start + adr); ++ map_write(map, CMD(0xA0), adr); ++ map_write(map, CMD(0x00), adr); + } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) { + /* + * Unlocking of one specific sector is not supported, so we +@@ -2609,7 +2610,7 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map, + map_write(map, CMD(0x00), chip->start); + + chip->state = FL_READY; +- put_chip(map, chip, adr + chip->start); ++ put_chip(map, chip, adr); + mutex_unlock(&chip->mutex); + + return ret; +@@ -2666,9 +2667,9 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs, + * sectors shall be unlocked, so lets keep their locking + * status at "unlocked" (locked=0) for the final re-locking. 
+ */ +- if ((adr < ofs) || (adr >= (ofs + len))) { ++ if ((offset < ofs) || (offset >= (ofs + len))) { + sect[sectors].chip = &cfi->chips[chipnum]; +- sect[sectors].offset = offset; ++ sect[sectors].adr = adr; + sect[sectors].locked = do_ppb_xxlock( + map, &cfi->chips[chipnum], adr, 0, + DO_XXLOCK_ONEBLOCK_GETLOCK); +@@ -2682,6 +2683,8 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs, + i++; + + if (adr >> cfi->chipshift) { ++ if (offset >= (ofs + len)) ++ break; + adr = 0; + chipnum++; + +@@ -2712,7 +2715,7 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs, + */ + for (i = 0; i < sectors; i++) { + if (sect[i].locked) +- do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0, ++ do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0, + DO_XXLOCK_ONEBLOCK_LOCK); + } + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index a2e6c7848b0a..c9f5ae424af7 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -1132,6 +1132,9 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway) + */ + get_device(&ubi->dev); + ++#ifdef CONFIG_MTD_UBI_FASTMAP ++ cancel_work_sync(&ubi->fm_work); ++#endif + ubi_debugfs_exit_dev(ubi); + uif_close(ubi); + +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index 75286588b823..ca9746f41ff1 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1479,6 +1479,7 @@ int ubi_thread(void *u) + } + + dbg_wl("background thread \"%s\" is killed", ubi->bgt_name); ++ ubi->thread_enabled = 0; + return 0; + } + +@@ -1488,9 +1489,6 @@ int ubi_thread(void *u) + */ + static void shutdown_work(struct ubi_device *ubi) + { +-#ifdef CONFIG_MTD_UBI_FASTMAP +- flush_work(&ubi->fm_work); +-#endif + while (!list_empty(&ubi->works)) { + struct ubi_work *wrk; + +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 55e93b6b6d21..66560a8fcfa2 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1115,6 
+1115,7 @@ static int bond_option_primary_set(struct bonding *bond, + slave->dev->name); + rcu_assign_pointer(bond->primary_slave, slave); + strcpy(bond->params.primary, slave->dev->name); ++ bond->force_primary = true; + bond_select_active_slave(bond); + goto out; + } +diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c +index 1bd419dbda6d..0798b4adb039 100644 +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -71,7 +71,7 @@ static int sonic_open(struct net_device *dev) + for (i = 0; i < SONIC_NUM_RRS; i++) { + dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE), + SONIC_RBSIZE, DMA_FROM_DEVICE); +- if (!laddr) { ++ if (dma_mapping_error(lp->device, laddr)) { + while(i > 0) { /* free any that were mapped successfully */ + i--; + dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE); +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index c8e98c8e29fa..36e1377fc954 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1075,7 +1075,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign) + * accordingly. Otherwise, we should check here. + */ + if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) +- delayed_ndp_size = ctx->max_ndp_size; ++ delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus); + else + delayed_ndp_size = 0; + +@@ -1208,7 +1208,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign) + /* If requested, put NDP at end of frame. 
*/ + if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { + nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data; +- cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max); ++ cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max - ctx->max_ndp_size); + nth16->wNdpIndex = cpu_to_le16(skb_out->len); + memcpy(skb_put(skb_out, ctx->max_ndp_size), ctx->delayed_ndp16, ctx->max_ndp_size); + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index d72205f06a1d..3b67140eed73 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -635,6 +635,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, ++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */ + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 254b0ee37039..a71187c783b7 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -237,14 +237,18 @@ int nvdimm_revalidate_disk(struct gendisk *disk) + { + struct device *dev = disk->driverfs_dev; + struct nd_region *nd_region = to_nd_region(dev->parent); +- const char *pol = nd_region->ro ? "only" : "write"; ++ int disk_ro = get_disk_ro(disk); + +- if (nd_region->ro == get_disk_ro(disk)) ++ /* ++ * Upgrade to read-only if the region is read-only preserve as ++ * read-only if the disk is already read-only. 
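Review bot: The new bound `ctx->tx_max - ctx->max_ndp_size` passed to `cdc_ncm_align_tail()` in the second cdc_ncm.c hunk has no visible guard that `tx_max` is at least `max_ndp_size`. If both fields are unsigned (their declarations are outside this diff), a smaller `tx_max` would wrap to a very large limit, and the padding would no longer be bounded before the `memcpy(skb_put(skb_out, ctx->max_ndp_size), ...)` that follows. Either record the invariant next to the call, e.g. `/* tx_max >= max_ndp_size is guaranteed by the setup code */`, or check it before subtracting. cdc_ncm_fill_tx_frame() starts and ends outside both hunks.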
++ */ ++ if (disk_ro || nd_region->ro == disk_ro) + return 0; + +- dev_info(dev, "%s read-%s, marking %s read-%s\n", +- dev_name(&nd_region->dev), pol, disk->disk_name, pol); +- set_disk_ro(disk, nd_region->ro); ++ dev_info(dev, "%s read-only, marking %s read-only\n", ++ dev_name(&nd_region->dev), disk->disk_name); ++ set_disk_ro(disk, 1); + + return 0; + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index e16ea5717b7f..2a547ca3d443 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -156,20 +156,20 @@ static void __init of_unittest_dynamic(void) + /* Add a new property - should pass*/ + prop->name = "new-property"; + prop->value = "new-property-data"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n"); + + /* Try to add an existing property - should fail */ + prop++; + prop->name = "new-property"; + prop->value = "new-property-data-should-fail"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) != 0, + "Adding an existing property should have failed\n"); + + /* Try to modify an existing property - should pass */ + prop->value = "modify-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating an existing property should have passed\n"); + +@@ -177,7 +177,7 @@ static void __init of_unittest_dynamic(void) + prop++; + prop->name = "modify-property"; + prop->value = "modify-missing-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating a missing property should have passed\n"); + +diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h +index 62d6fe6c3714..cbe58480b474 100644 +--- a/drivers/pci/hotplug/pciehp.h ++++ 
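Review bot: The comment added in nvdimm_revalidate_disk() runs two rules together ("if the region is read-only preserve as read-only"), and the condition under it is harder to read than it needs to be. Once `disk_ro` is known to be zero, `nd_region->ro == disk_ro` is simply `!nd_region->ro`, so `if (disk_ro || !nd_region->ro)` expresses the same test. I would also reword the comment to `/* Upgrade to read-only if the region is read-only; never downgrade a disk that is already read-only. */` so that the one-way nature of the change is explicit.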
b/drivers/pci/hotplug/pciehp.h +@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie_device *dev); + int pcie_init_notification(struct controller *ctrl); + int pciehp_enable_slot(struct slot *p_slot); + int pciehp_disable_slot(struct slot *p_slot); +-void pcie_enable_notification(struct controller *ctrl); ++void pcie_reenable_notification(struct controller *ctrl); + int pciehp_power_on_slot(struct slot *slot); + void pciehp_power_off_slot(struct slot *slot); + void pciehp_get_power_status(struct slot *slot, u8 *status); +diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c +index 612b21a14df5..8f6ded43760a 100644 +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -295,7 +295,7 @@ static int pciehp_resume(struct pcie_device *dev) + ctrl = get_service_data(dev); + + /* reinitialize the chipset's event detection logic */ +- pcie_enable_notification(ctrl); ++ pcie_reenable_notification(ctrl); + + slot = ctrl->slot; + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 5c24e938042f..63c6c7fce3eb 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -628,7 +628,7 @@ static irqreturn_t pcie_isr(int irq, void *dev_id) + return IRQ_HANDLED; + } + +-void pcie_enable_notification(struct controller *ctrl) ++static void pcie_enable_notification(struct controller *ctrl) + { + u16 cmd, mask; + +@@ -666,6 +666,17 @@ void pcie_enable_notification(struct controller *ctrl) + pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd); + } + ++void pcie_reenable_notification(struct controller *ctrl) ++{ ++ /* ++ * Clear both Presence and Data Link Layer Changed to make sure ++ * those events still fire after we have re-enabled them. 
++ */ ++ pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA, ++ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC); ++ pcie_enable_notification(ctrl); ++} ++ + static void pcie_disable_notification(struct controller *ctrl) + { + u16 mask; +diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c +index 4534a7ce77b8..b6caad0fee24 100644 +--- a/drivers/s390/scsi/zfcp_dbf.c ++++ b/drivers/s390/scsi/zfcp_dbf.c +@@ -625,6 +625,46 @@ void zfcp_dbf_scsi(char *tag, int level, struct scsi_cmnd *sc, + spin_unlock_irqrestore(&dbf->scsi_lock, flags); + } + ++/** ++ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks. ++ * @tag: Identifier for event. ++ * @adapter: Pointer to zfcp adapter as context for this event. ++ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF). ++ * @ret: Return value of calling function. ++ * ++ * This SCSI trace variant does not depend on any of: ++ * scsi_cmnd, zfcp_fsf_req, scsi_device. ++ */ ++void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter, ++ unsigned int scsi_id, int ret) ++{ ++ struct zfcp_dbf *dbf = adapter->dbf; ++ struct zfcp_dbf_scsi *rec = &dbf->scsi_buf; ++ unsigned long flags; ++ static int const level = 1; ++ ++ if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level))) ++ return; ++ ++ spin_lock_irqsave(&dbf->scsi_lock, flags); ++ memset(rec, 0, sizeof(*rec)); ++ ++ memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN); ++ rec->id = ZFCP_DBF_SCSI_CMND; ++ rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */ ++ rec->scsi_retries = ~0; ++ rec->scsi_allowed = ~0; ++ rec->fcp_rsp_info = ~0; ++ rec->scsi_id = scsi_id; ++ rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN; ++ rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32); ++ rec->host_scribble = ~0; ++ memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE); ++ ++ debug_event(dbf->scsi, level, rec, sizeof(*rec)); ++ spin_unlock_irqrestore(&dbf->scsi_lock, flags); ++} ++ + static debug_info_t 
*zfcp_dbf_reg(const char *name, int size, int rec_size) + { + struct debug_info *d; +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c +index 3b23d6754598..2abcd331b05d 100644 +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -34,11 +34,28 @@ enum zfcp_erp_steps { + ZFCP_ERP_STEP_LUN_OPENING = 0x2000, + }; + ++/** ++ * enum zfcp_erp_act_type - Type of ERP action object. ++ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery. ++ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery. ++ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery. ++ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery. ++ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with ++ * either of the first four enum values. ++ * Used to indicate that an ERP action could not be ++ * set up despite a detected need for some recovery. ++ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with ++ * either of the first four enum values. ++ * Used to indicate that ERP not needed because ++ * the object has ZFCP_STATUS_COMMON_ERP_FAILED. 
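Review bot: `memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN)` in the new zfcp_dbf_scsi_eh() always reads ZFCP_DBF_TAG_LEN bytes from the caller's string, so a tag shorter than that would be read past its terminator; the constant's value is not visible in this diff. The kernel-doc line for `@tag` should state the requirement, e.g. `@tag: Identifier for event, at least ZFCP_DBF_TAG_LEN bytes long.` The level check also goes through `adapter->dbf->scsi` although the local `dbf` already holds that pointer; `debug_level_enabled(dbf->scsi, level)` would match the `debug_event(dbf->scsi, ...)` call further down.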
++ */ + enum zfcp_erp_act_type { + ZFCP_ERP_ACTION_REOPEN_LUN = 1, + ZFCP_ERP_ACTION_REOPEN_PORT = 2, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3, + ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4, ++ ZFCP_ERP_ACTION_NONE = 0xc0, ++ ZFCP_ERP_ACTION_FAILED = 0xe0, + }; + + enum zfcp_erp_act_state { +@@ -125,6 +142,49 @@ static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter *adapter) + } + } + ++static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter, ++ struct zfcp_port *port, ++ struct scsi_device *sdev) ++{ ++ int need = want; ++ struct zfcp_scsi_dev *zsdev; ++ ++ switch (want) { ++ case ZFCP_ERP_ACTION_REOPEN_LUN: ++ zsdev = sdev_to_zfcp(sdev); ++ if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED) ++ need = 0; ++ break; ++ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: ++ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) ++ need = 0; ++ break; ++ case ZFCP_ERP_ACTION_REOPEN_PORT: ++ if (atomic_read(&port->status) & ++ ZFCP_STATUS_COMMON_ERP_FAILED) { ++ need = 0; ++ /* ensure propagation of failed status to new devices */ ++ zfcp_erp_set_port_status( ++ port, ZFCP_STATUS_COMMON_ERP_FAILED); ++ } ++ break; ++ case ZFCP_ERP_ACTION_REOPEN_ADAPTER: ++ if (atomic_read(&adapter->status) & ++ ZFCP_STATUS_COMMON_ERP_FAILED) { ++ need = 0; ++ /* ensure propagation of failed status to new devices */ ++ zfcp_erp_set_adapter_status( ++ adapter, ZFCP_STATUS_COMMON_ERP_FAILED); ++ } ++ break; ++ default: ++ need = 0; ++ break; ++ } ++ ++ return need; ++} ++ + static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter, + struct zfcp_port *port, + struct scsi_device *sdev) +@@ -248,16 +308,27 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, + int retval = 1, need; + struct zfcp_erp_action *act; + +- if (!adapter->erp_thread) +- return -EIO; ++ need = zfcp_erp_handle_failed(want, adapter, port, sdev); ++ if (!need) { ++ need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */ ++ goto out; ++ } ++ ++ if 
(!adapter->erp_thread) { ++ need = ZFCP_ERP_ACTION_NONE; /* marker for trace */ ++ retval = -EIO; ++ goto out; ++ } + + need = zfcp_erp_required_act(want, adapter, port, sdev); + if (!need) + goto out; + + act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev); +- if (!act) ++ if (!act) { ++ need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */ + goto out; ++ } + atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status); + ++adapter->erp_total_count; + list_add_tail(&act->list, &adapter->erp_ready_head); +@@ -268,18 +339,32 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, + return retval; + } + ++void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter, ++ u64 port_name, u32 port_id) ++{ ++ unsigned long flags; ++ static /* don't waste stack */ struct zfcp_port tmpport; ++ ++ write_lock_irqsave(&adapter->erp_lock, flags); ++ /* Stand-in zfcp port with fields just good enough for ++ * zfcp_dbf_rec_trig() and zfcp_dbf_set_common(). ++ * Under lock because tmpport is static. 
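Review bot: With the ERP_FAILED checks moved into zfcp_erp_action_enqueue(), the failed case leaves through `goto out` with `retval` still at its initial value of 1, whereas the checks removed from _zfcp_erp_adapter_reopen() and _zfcp_erp_port_reopen() in the later hunks returned -EIO. The `out:` label is outside the hunk, so this assumes nothing there rewrites `retval`. If callers only test for non-zero the change is harmless, but it should be deliberate. Either add `retval = -EIO;` beside `need = ZFCP_ERP_ACTION_FAILED;` or add a comment saying the positive value is intended for this path.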
++ */ ++ atomic_set(&tmpport.status, -1); /* unknown */ ++ tmpport.wwpn = port_name; ++ tmpport.d_id = port_id; ++ zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL, ++ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, ++ ZFCP_ERP_ACTION_NONE); ++ write_unlock_irqrestore(&adapter->erp_lock, flags); ++} ++ + static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, + int clear_mask, char *id) + { + zfcp_erp_adapter_block(adapter, clear_mask); + zfcp_scsi_schedule_rports_block(adapter); + +- /* ensure propagation of failed status to new devices */ +- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) { +- zfcp_erp_set_adapter_status(adapter, +- ZFCP_STATUS_COMMON_ERP_FAILED); +- return -EIO; +- } + return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, + adapter, NULL, NULL, id, 0); + } +@@ -298,12 +383,8 @@ void zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, int clear, char *id) + zfcp_scsi_schedule_rports_block(adapter); + + write_lock_irqsave(&adapter->erp_lock, flags); +- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) +- zfcp_erp_set_adapter_status(adapter, +- ZFCP_STATUS_COMMON_ERP_FAILED); +- else +- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter, +- NULL, NULL, id, 0); ++ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter, ++ NULL, NULL, id, 0); + write_unlock_irqrestore(&adapter->erp_lock, flags); + } + +@@ -344,9 +425,6 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear, + zfcp_erp_port_block(port, clear); + zfcp_scsi_schedule_rport_block(port); + +- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) +- return; +- + zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + port->adapter, port, NULL, id, 0); + } +@@ -372,12 +450,6 @@ static int _zfcp_erp_port_reopen(struct zfcp_port *port, int clear, char *id) + zfcp_erp_port_block(port, clear); + zfcp_scsi_schedule_rport_block(port); + +- if (atomic_read(&port->status) & 
ZFCP_STATUS_COMMON_ERP_FAILED) { +- /* ensure propagation of failed status to new devices */ +- zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED); +- return -EIO; +- } +- + return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT, + port->adapter, port, NULL, id, 0); + } +@@ -417,9 +489,6 @@ static void _zfcp_erp_lun_reopen(struct scsi_device *sdev, int clear, char *id, + + zfcp_erp_lun_block(sdev, clear); + +- if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED) +- return; +- + zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter, + zfcp_sdev->port, sdev, id, act_status); + } +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index 7a7984a50683..b326f05c7f89 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -52,10 +52,15 @@ extern void zfcp_dbf_san_res(char *, struct zfcp_fsf_req *); + extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *); + extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *, + struct zfcp_fsf_req *); ++extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter, ++ unsigned int scsi_id, int ret); + + /* zfcp_erp.c */ + extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32); + extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32); ++extern void zfcp_erp_port_forced_no_port_dbf(char *id, ++ struct zfcp_adapter *adapter, ++ u64 port_name, u32 port_id); + extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *); + extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *); + extern void zfcp_erp_set_port_status(struct zfcp_port *, u32); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index bb99db2948ab..3afb200b2829 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -180,6 +180,7 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt) + if (abrt_req) + break; + ++ zfcp_dbf_scsi_abort("abrt_wt", scpnt, 
NULL); + zfcp_erp_wait(adapter); + ret = fc_block_scsi_eh(scpnt); + if (ret) { +@@ -276,6 +277,7 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags) + if (fsf_req) + break; + ++ zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL); + zfcp_erp_wait(adapter); + ret = fc_block_scsi_eh(scpnt); + if (ret) { +@@ -322,15 +324,16 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt) + { + struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device); + struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; +- int ret; ++ int ret = SUCCESS, fc_ret; + + zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); + zfcp_erp_wait(adapter); +- ret = fc_block_scsi_eh(scpnt); +- if (ret) +- return ret; ++ fc_ret = fc_block_scsi_eh(scpnt); ++ if (fc_ret) ++ ret = fc_ret; + +- return SUCCESS; ++ zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret); ++ return ret; + } + + struct scsi_transport_template *zfcp_scsi_transport_template; +@@ -600,6 +603,11 @@ static void zfcp_scsi_terminate_rport_io(struct fc_rport *rport) + if (port) { + zfcp_erp_port_forced_reopen(port, 0, "sctrpi1"); + put_device(&port->dev); ++ } else { ++ zfcp_erp_port_forced_no_port_dbf( ++ "sctrpin", adapter, ++ rport->port_name /* zfcp_scsi_rport_register */, ++ rport->port_id /* zfcp_scsi_rport_register */); + } + } + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index aa18c729d23a..a9eb3cd453be 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -3261,7 +3261,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vha, fc_port_t *fcport) + return; + + if (fcport->fp_speed == PORT_SPEED_UNKNOWN || +- fcport->fp_speed > ha->link_data_rate) ++ fcport->fp_speed > ha->link_data_rate || ++ !ha->flags.gpsc_supported) + return; + + rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed, +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index dee1cb87d24f..04fd651f9e3e 100644 +--- a/drivers/spi/spi.c ++++ 
b/drivers/spi/spi.c +@@ -707,8 +707,14 @@ static int spi_map_buf(struct spi_master *master, struct device *dev, + for (i = 0; i < sgs; i++) { + + if (vmalloced_buf) { +- min = min_t(size_t, +- len, desc_len - offset_in_page(buf)); ++ /* ++ * Next scatterlist entry size is the minimum between ++ * the desc_len and the remaining buffer length that ++ * fits in a page. ++ */ ++ min = min_t(size_t, desc_len, ++ min_t(size_t, len, ++ PAGE_SIZE - offset_in_page(buf))); + vm_page = vmalloc_to_page(buf); + if (!vm_page) { + sg_free_table(sgt); +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 8dd822feb972..b63920481b1d 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2419,13 +2419,12 @@ static void serial_console_write(struct console *co, const char *s, + unsigned long flags; + int locked = 1; + +- local_irq_save(flags); + if (port->sysrq) + locked = 0; + else if (oops_in_progress) +- locked = spin_trylock(&port->lock); ++ locked = spin_trylock_irqsave(&port->lock, flags); + else +- spin_lock(&port->lock); ++ spin_lock_irqsave(&port->lock, flags); + + /* first save the SCSCR then disable the interrupts */ + ctrl = serial_port_in(port, SCSCR); +@@ -2442,8 +2441,7 @@ static void serial_console_write(struct console *co, const char *s, + serial_port_out(port, SCSCR, ctrl); + + if (locked) +- spin_unlock(&port->lock); +- local_irq_restore(flags); ++ spin_unlock_irqrestore(&port->lock, flags); + } + + static int serial_console_setup(struct console *co, char *options) +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 6d84f6c8fbe6..4d86da0df131 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4442,7 +4442,9 @@ hub_port_init(struct usb_hub *hub, struct usb_device *udev, int port1, + * reset. 
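Review bot: After this change `flags` in serial_console_write() is written only on the two lock paths, and the `port->sysrq` path no longer disables interrupts because the unconditional `local_irq_save(flags)` is gone. That is safe only because `spin_unlock_irqrestore()` in the second hunk is guarded by `locked`, and presumably because the sysrq path is entered with the port lock held and interrupts already off, which the diff does not show. A comment on that branch would make the assumption reviewable, e.g. `/* sysrq: caller already holds port->lock with IRQs off */`, to be confirmed against the caller.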
But only on the first attempt, + * lest we get into a time out/reset loop + */ +- if (r == 0 || (r == -ETIMEDOUT && retries == 0)) ++ if (r == 0 || (r == -ETIMEDOUT && ++ retries == 0 && ++ udev->speed > USB_SPEED_FULL)) + break; + } + udev->descriptor.bMaxPacketSize0 = +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index 494823f21c28..7ec66f1db418 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -2580,8 +2580,11 @@ static int musb_bus_suspend(struct usb_hcd *hcd) + { + struct musb *musb = hcd_to_musb(hcd); + u8 devctl; ++ int ret; + +- musb_port_suspend(musb, true); ++ ret = musb_port_suspend(musb, true); ++ if (ret) ++ return ret; + + if (!is_host_active(musb)) + return 0; +diff --git a/drivers/usb/musb/musb_host.h b/drivers/usb/musb/musb_host.h +index 7bbf01bf4bb0..54d02ed032df 100644 +--- a/drivers/usb/musb/musb_host.h ++++ b/drivers/usb/musb/musb_host.h +@@ -92,7 +92,7 @@ extern void musb_host_rx(struct musb *, u8); + extern void musb_root_disconnect(struct musb *musb); + extern void musb_host_resume_root_hub(struct musb *musb); + extern void musb_host_poke_root_hub(struct musb *musb); +-extern void musb_port_suspend(struct musb *musb, bool do_suspend); ++extern int musb_port_suspend(struct musb *musb, bool do_suspend); + extern void musb_port_reset(struct musb *musb, bool do_reset); + extern void musb_host_finish_resume(struct work_struct *work); + #else +@@ -124,7 +124,10 @@ static inline void musb_root_disconnect(struct musb *musb) {} + static inline void musb_host_resume_root_hub(struct musb *musb) {} + static inline void musb_host_poll_rh_status(struct musb *musb) {} + static inline void musb_host_poke_root_hub(struct musb *musb) {} +-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {} ++static inline int musb_port_suspend(struct musb *musb, bool do_suspend) ++{ ++ return 0; ++} + static inline void musb_port_reset(struct musb *musb, bool do_reset) {} + static inline 
void musb_host_finish_resume(struct work_struct *work) {} + #endif +diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c +index 92d5f718659b..ac5458a69de5 100644 +--- a/drivers/usb/musb/musb_virthub.c ++++ b/drivers/usb/musb/musb_virthub.c +@@ -74,14 +74,14 @@ void musb_host_finish_resume(struct work_struct *work) + spin_unlock_irqrestore(&musb->lock, flags); + } + +-void musb_port_suspend(struct musb *musb, bool do_suspend) ++int musb_port_suspend(struct musb *musb, bool do_suspend) + { + struct usb_otg *otg = musb->xceiv->otg; + u8 power; + void __iomem *mbase = musb->mregs; + + if (!is_host_active(musb)) +- return; ++ return 0; + + /* NOTE: this doesn't necessarily put PHY into low power mode, + * turning off its clock; that's a function of PHY integration and +@@ -92,16 +92,20 @@ void musb_port_suspend(struct musb *musb, bool do_suspend) + if (do_suspend) { + int retries = 10000; + +- power &= ~MUSB_POWER_RESUME; +- power |= MUSB_POWER_SUSPENDM; +- musb_writeb(mbase, MUSB_POWER, power); ++ if (power & MUSB_POWER_RESUME) ++ return -EBUSY; + +- /* Needed for OPT A tests */ +- power = musb_readb(mbase, MUSB_POWER); +- while (power & MUSB_POWER_SUSPENDM) { ++ if (!(power & MUSB_POWER_SUSPENDM)) { ++ power |= MUSB_POWER_SUSPENDM; ++ musb_writeb(mbase, MUSB_POWER, power); ++ ++ /* Needed for OPT A tests */ + power = musb_readb(mbase, MUSB_POWER); +- if (retries-- < 1) +- break; ++ while (power & MUSB_POWER_SUSPENDM) { ++ power = musb_readb(mbase, MUSB_POWER); ++ if (retries-- < 1) ++ break; ++ } + } + + dev_dbg(musb->controller, "Root port suspended, power %02x\n", power); +@@ -138,6 +142,7 @@ void musb_port_suspend(struct musb *musb, bool do_suspend) + schedule_delayed_work(&musb->finish_resume_work, + msecs_to_jiffies(USB_RESUME_TIMEOUT)); + } ++ return 0; + } + + void musb_port_reset(struct musb *musb, bool do_reset) +diff --git a/drivers/video/backlight/as3711_bl.c b/drivers/video/backlight/as3711_bl.c +index 734a9158946b..e55304d5cf07 
100644 +--- a/drivers/video/backlight/as3711_bl.c ++++ b/drivers/video/backlight/as3711_bl.c +@@ -262,10 +262,10 @@ static int as3711_bl_register(struct platform_device *pdev, + static int as3711_backlight_parse_dt(struct device *dev) + { + struct as3711_bl_pdata *pdata = dev_get_platdata(dev); +- struct device_node *bl = +- of_find_node_by_name(dev->parent->of_node, "backlight"), *fb; ++ struct device_node *bl, *fb; + int ret; + ++ bl = of_get_child_by_name(dev->parent->of_node, "backlight"); + if (!bl) { + dev_dbg(dev, "backlight node not found\n"); + return -ENODEV; +@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(struct device *dev) + if (pdata->su1_max_uA <= 0) + ret = -EINVAL; + if (ret < 0) +- return ret; ++ goto err_put_bl; + } + + fb = of_parse_phandle(bl, "su2-dev", 0); +@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(struct device *dev) + if (pdata->su2_max_uA <= 0) + ret = -EINVAL; + if (ret < 0) +- return ret; ++ goto err_put_bl; + + if (of_find_property(bl, "su2-feedback-voltage", NULL)) { + pdata->su2_feedback = AS3711_SU2_VOLTAGE; +@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(struct device *dev) + pdata->su2_feedback = AS3711_SU2_CURR_AUTO; + count++; + } +- if (count != 1) +- return -EINVAL; ++ if (count != 1) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + + count = 0; + if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) { +@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(struct device *dev) + pdata->su2_fbprot = AS3711_SU2_GPIO4; + count++; + } +- if (count != 1) +- return -EINVAL; ++ if (count != 1) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + + count = 0; + if (of_find_property(bl, "su2-auto-curr1", NULL)) { +@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(struct device *dev) + * At least one su2-auto-curr* must be specified iff + * AS3711_SU2_CURR_AUTO is used + */ +- if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) +- return -EINVAL; ++ if (!count ^ (pdata->su2_feedback != 
AS3711_SU2_CURR_AUTO)) { ++ ret = -EINVAL; ++ goto err_put_bl; ++ } + } + ++ of_node_put(bl); ++ + return 0; ++ ++err_put_bl: ++ of_node_put(bl); ++ ++ return ret; + } + + static int as3711_backlight_probe(struct platform_device *pdev) +diff --git a/drivers/video/backlight/max8925_bl.c b/drivers/video/backlight/max8925_bl.c +index 7b738d60ecc2..f3aa6088f1d9 100644 +--- a/drivers/video/backlight/max8925_bl.c ++++ b/drivers/video/backlight/max8925_bl.c +@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(struct platform_device *pdev) + if (!pdata) + return; + +- np = of_find_node_by_name(nproot, "backlight"); ++ np = of_get_child_by_name(nproot, "backlight"); + if (!np) { + dev_err(&pdev->dev, "failed to find backlight node\n"); + return; +@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(struct platform_device *pdev) + if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val)) + pdata->dual_string = val; + ++ of_node_put(np); ++ + pdev->dev.platform_data = pdata; + } + +diff --git a/drivers/video/backlight/tps65217_bl.c b/drivers/video/backlight/tps65217_bl.c +index 61d72bffd402..dc920e2aa094 100644 +--- a/drivers/video/backlight/tps65217_bl.c ++++ b/drivers/video/backlight/tps65217_bl.c +@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata * + tps65217_bl_parse_dt(struct platform_device *pdev) + { + struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent); +- struct device_node *node = of_node_get(tps->dev->of_node); ++ struct device_node *node; + struct tps65217_bl_pdata *pdata, *err; + u32 val; + +- node = of_find_node_by_name(node, "backlight"); ++ node = of_get_child_by_name(tps->dev->of_node, "backlight"); + if (!node) + return ERR_PTR(-ENODEV); + +diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c +index 178ae93b7ebd..381236ff34d9 100644 +--- a/drivers/video/fbdev/uvesafb.c ++++ b/drivers/video/fbdev/uvesafb.c +@@ -1059,7 +1059,8 @@ static int uvesafb_setcmap(struct fb_cmap *cmap, struct fb_info *info) + 
info->cmap.len || cmap->start < info->cmap.start) + return -EINVAL; + +- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL); ++ entries = kmalloc_array(cmap->len, sizeof(*entries), ++ GFP_KERNEL); + if (!entries) + return -ENOMEM; + +diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c +index a4621757a47f..dacb5919970c 100644 +--- a/drivers/w1/masters/mxc_w1.c ++++ b/drivers/w1/masters/mxc_w1.c +@@ -113,6 +113,10 @@ static int mxc_w1_probe(struct platform_device *pdev) + if (IS_ERR(mdev->clk)) + return PTR_ERR(mdev->clk); + ++ err = clk_prepare_enable(mdev->clk); ++ if (err) ++ return err; ++ + clkrate = clk_get_rate(mdev->clk); + if (clkrate < 10000000) + dev_warn(&pdev->dev, +@@ -126,12 +130,10 @@ static int mxc_w1_probe(struct platform_device *pdev) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + mdev->regs = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mdev->regs)) +- return PTR_ERR(mdev->regs); +- +- err = clk_prepare_enable(mdev->clk); +- if (err) +- return err; ++ if (IS_ERR(mdev->regs)) { ++ err = PTR_ERR(mdev->regs); ++ goto out_disable_clk; ++ } + + /* Software reset 1-Wire module */ + writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET); +@@ -147,8 +149,12 @@ static int mxc_w1_probe(struct platform_device *pdev) + + err = w1_add_master_device(&mdev->bus_master); + if (err) +- clk_disable_unprepare(mdev->clk); ++ goto out_disable_clk; + ++ return 0; ++ ++out_disable_clk: ++ clk_disable_unprepare(mdev->clk); + return err; + } + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 39886edfa222..88c1b8c01473 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -741,7 +741,7 @@ int w1_attach_slave_device(struct w1_master *dev, struct w1_reg_num *rn) + + /* slave modules need to be loaded in a context with unlocked mutex */ + mutex_unlock(&dev->mutex); +- request_module("w1-family-0x%02x", rn->family); ++ request_module("w1-family-0x%02X", rn->family); + mutex_lock(&dev->mutex); + + spin_lock(&w1_flock); 
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 468961c59fa5..21d679f88dfa 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -637,8 +637,6 @@ static void __unbind_from_irq(unsigned int irq) + xen_irq_info_cleanup(info); + } + +- BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND); +- + xen_free_irq(irq); + } + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index 78f005f37847..dd784bcf7c96 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -369,8 +369,13 @@ static Node *create_entry(const char __user *buffer, size_t count) + s = strchr(p, del); + if (!s) + goto einval; +- *s++ = '\0'; +- e->offset = simple_strtoul(p, &p, 10); ++ *s = '\0'; ++ if (p != s) { ++ int r = kstrtoint(p, 10, &e->offset); ++ if (r != 0 || e->offset < 0) ++ goto einval; ++ } ++ p = s; + if (*p++) + goto einval; + pr_debug("register: offset: %#x\n", e->offset); +@@ -410,7 +415,8 @@ static Node *create_entry(const char __user *buffer, size_t count) + if (e->mask && + string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) + goto einval; +- if (e->size + e->offset > BINPRM_BUF_SIZE) ++ if (e->size > BINPRM_BUF_SIZE || ++ BINPRM_BUF_SIZE - e->size < e->offset) + goto einval; + pr_debug("register: magic/mask length: %i\n", e->size); + if (USE_DEBUG) { +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 1f01a8172308..b895be3d4311 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1202,6 +1202,8 @@ static noinline int csum_exist_in_range(struct btrfs_root *root, + list_del(&sums->list); + kfree(sums); + } ++ if (ret < 0) ++ return ret; + return 1; + } + +@@ -1351,10 +1353,23 @@ next_slot: + goto out_check; + if (btrfs_extent_readonly(root, disk_bytenr)) + goto out_check; +- if (btrfs_cross_ref_exist(trans, root, ino, ++ ret = btrfs_cross_ref_exist(trans, root, ino, + found_key.offset - +- extent_offset, disk_bytenr)) ++ extent_offset, disk_bytenr); ++ if (ret) { ++ /* ++ * ret could be -EIO if 
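Review bot: The rewritten bound in the second create_entry() hunk, `BINPRM_BUF_SIZE - e->size < e->offset`, is a subtraction so that `e->size + e->offset` cannot overflow, but nothing in the code says so. A short comment such as `/* compare by subtraction: size + offset could overflow */` would keep it from being simplified back later. In the first hunk, an empty offset field (`p == s`) skips kstrtoint() and leaves `e->offset` at whatever it was initialised to, which happens outside the hunk; if that is not guaranteed to be zero, assign it explicitly. The `pr_debug("register: offset: %#x\n", e->offset)` context line prints the signed offset with an unsigned conversion, which is harmless once negatives are rejected but worth tidying.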
the above fails to read ++ * metadata. ++ */ ++ if (ret < 0) { ++ if (cow_start != (u64)-1) ++ cur_offset = cow_start; ++ goto error; ++ } ++ ++ WARN_ON_ONCE(nolock); + goto out_check; ++ } + disk_bytenr += extent_offset; + disk_bytenr += cur_offset - found_key.offset; + num_bytes = min(end + 1, extent_end) - cur_offset; +@@ -1372,8 +1387,20 @@ next_slot: + * this ensure that csum for a given extent are + * either valid or do not exist. + */ +- if (csum_exist_in_range(root, disk_bytenr, num_bytes)) ++ ret = csum_exist_in_range(root, disk_bytenr, num_bytes); ++ if (ret) { ++ /* ++ * ret could be -EIO if the above fails to read ++ * metadata. ++ */ ++ if (ret < 0) { ++ if (cow_start != (u64)-1) ++ cur_offset = cow_start; ++ goto error; ++ } ++ WARN_ON_ONCE(nolock); + goto out_check; ++ } + nocow = 1; + } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { + extent_end = found_key.offset + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 4e3c889c1876..6caeb946fc1d 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3923,11 +3923,6 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, + if (!(src_file.file->f_mode & FMODE_READ)) + goto out_fput; + +- /* don't make the dst file partly checksummed */ +- if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != +- (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) +- goto out_fput; +- + ret = -EISDIR; + if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) + goto out_fput; +@@ -3942,6 +3937,13 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, + mutex_lock(&src->i_mutex); + } + ++ /* don't make the dst file partly checksummed */ ++ if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != ++ (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* determine range to clone */ + ret = -EINVAL; + if (off + len > src->i_size || off + len < off) +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 
b091d94ceef6..6dca9f937bf6 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2513,7 +2513,7 @@ static int scrub_extent(struct scrub_ctx *sctx, u64 logical, u64 len,
+ have_csum = scrub_find_csum(sctx, logical, csum);
+ if (have_csum == 0)
+ ++sctx->stat.no_csum;
+- if (sctx->is_dev_replace && !have_csum) {
++ if (0 && sctx->is_dev_replace && !have_csum) {
+ ret = copy_nocow_pages(sctx, logical, l,
+ mirror_num,
+ physical_for_dev_replace);
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 56ce7fd0f0d0..30efeb656c1e 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3787,28 +3787,28 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
+ EXT4_BLOCK_SIZE_BITS(sb);
+ stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
+
+- /* If there are no blocks to remove, return now */
+- if (first_block >= stop_block)
+- goto out_stop;
++ /* If there are blocks to remove, do it */
++ if (stop_block > first_block) {
+
+- down_write(&EXT4_I(inode)->i_data_sem);
+- ext4_discard_preallocations(inode);
++ down_write(&EXT4_I(inode)->i_data_sem);
++ ext4_discard_preallocations(inode);
+
+- ret = ext4_es_remove_extent(inode, first_block,
+- stop_block - first_block);
+- if (ret) {
+- up_write(&EXT4_I(inode)->i_data_sem);
+- goto out_stop;
+- }
++ ret = ext4_es_remove_extent(inode, first_block,
++ stop_block - first_block);
++ if (ret) {
++ up_write(&EXT4_I(inode)->i_data_sem);
++ goto out_stop;
++ }
+
+- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+- ret = ext4_ext_remove_space(inode, first_block,
+- stop_block - 1);
+- else
+- ret = ext4_ind_remove_space(handle, inode, first_block,
+- stop_block);
++ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
++ ret = ext4_ext_remove_space(inode, first_block,
++ stop_block - 1);
++ else
++ ret = ext4_ind_remove_space(handle, inode, first_block,
++ stop_block);
+
+- up_write(&EXT4_I(inode)->i_data_sem);
++ up_write(&EXT4_I(inode)->i_data_sem);
++ }
+ if (IS_SYNC(inode))
+
ext4_handle_sync(handle);
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 74516efd874c..d2421fd38833 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1903,7 +1903,7 @@ retry:
+ return 0;
+
+ n_group = ext4_get_group_number(sb, n_blocks_count - 1);
+- if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
++ if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+ ext4_warning(sb, "resize would cause inodes_count overflow");
+ return -EINVAL;
+ }
+diff --git a/fs/fuse/control.c b/fs/fuse/control.c
+index f863ac6647ac..89a4b231e79c 100644
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
+ if (!dentry)
+ return NULL;
+
+- fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+ inode = new_inode(fuse_control_sb);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return NULL;
++ }
+
+ inode->i_ino = get_next_ino();
+ inode->i_mode = mode;
+@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
+ set_nlink(inode, nlink);
+ inode->i_private = fc;
+ d_add(dentry, inode);
++
++ fc->ctl_dentry[fc->ctl_ndents++] = dentry;
++
+ return dentry;
+ }
+
+@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc)
+ for (i = fc->ctl_ndents - 1; i >= 0; i--) {
+ struct dentry *dentry = fc->ctl_dentry[i];
+ d_inode(dentry)->i_private = NULL;
+- d_drop(dentry);
++ if (!i) {
++ /* Get rid of submounts: */
++ d_invalidate(dentry);
++ }
+ dput(dentry);
+ }
+ drop_nlink(d_inode(fuse_control_sb->s_root));
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 5068dbf80ff8..49b7b40f7598 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1609,8 +1609,19 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ return err;
+
+ if (attr->ia_valid & ATTR_OPEN) {
+- if (fc->atomic_o_trunc)
++ /* This is coming from open(..., ...
| O_TRUNC); */
++ WARN_ON(!(attr->ia_valid & ATTR_SIZE));
++ WARN_ON(attr->ia_size != 0);
++ if (fc->atomic_o_trunc) {
++ /*
++ * No need to send request to userspace, since actual
++ * truncation has already been done by OPEN. But still
++ * need to truncate page cache.
++ */
++ i_size_write(inode, 0);
++ truncate_pagecache(inode, 0);
+ return 0;
++ }
+ file = NULL;
+ }
+
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 0d5e8e59b390..f0b73e0c6d48 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1158,6 +1158,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
+ err_put_conn:
+ fuse_bdi_destroy(fc);
+ fuse_conn_put(fc);
++ sb->s_fs_info = NULL;
+ err_fput:
+ fput(file);
+ err:
+diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
+index 1ee62e62ea76..c99a887100db 100644
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u32 id, const char *type, char *buf,
+ int id_len;
+ ssize_t ret;
+
+- id_len = snprintf(id_str, sizeof(id_str), "%u", id);
++ id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
+ ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
+ if (ret < 0)
+ return -EINVAL;
+@@ -626,7 +626,8 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im,
+ if (strcmp(upcall->im_name, im->im_name) != 0)
+ break;
+ /* Note: here we store the NUL terminator too */
+- len = sprintf(id_str, "%d", im->im_id) + 1;
++ len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
++ sizeof(id_str));
+ ret = nfs_idmap_instantiate(key, authkey, id_str, len);
+ break;
+ case IDMAP_CONV_IDTONAME:
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 544672b440de..57e3262ec57a 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3595,7 +3595,8 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
+ nfserr = nfserr_resource;
+ goto err_no_verf;
+ }
+- maxcount = min_t(u32, readdir->rd_maxcount,
INT_MAX);
++ maxcount = svc_max_payload(resp->rqstp);
++ maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
+ /*
+ * Note the rfc defines rd_maxcount as the size of the
+ * READDIR4resok structure, which includes the verifier above
+@@ -3609,7 +3610,7 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
+
+ /* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
+ if (!readdir->rd_dircount)
+- readdir->rd_dircount = INT_MAX;
++ readdir->rd_dircount = svc_max_payload(resp->rqstp);
+
+ readdir->xdr = xdr;
+ readdir->rd_maxcount = maxcount;
+diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
+index 0b9da5b6e0f9..22dba8837a86 100644
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1107,7 +1107,7 @@ static int recomp_data_node(const struct ubifs_info *c,
+ int err, len, compr_type, out_len;
+
+ out_len = le32_to_cpu(dn->size);
+- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
++ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
+ if (!buf)
+ return -ENOMEM;
+
+diff --git a/fs/udf/directory.c b/fs/udf/directory.c
+index c763fda257bf..637114e8c7fd 100644
+--- a/fs/udf/directory.c
++++ b/fs/udf/directory.c
+@@ -150,6 +150,9 @@ struct fileIdentDesc *udf_fileident_read(struct inode *dir, loff_t *nf_pos,
+ sizeof(struct fileIdentDesc));
+ }
+ }
++ /* Got last entry outside of dir size - fs is corrupted!
*/
++ if (*nf_pos > dir->i_size)
++ return NULL;
+ return fi;
+ }
+
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index fe14382f9664..1383e1c03ff2 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -882,8 +882,8 @@ static inline unsigned int blk_max_size_offset(struct request_queue *q,
+ if (!q->limits.chunk_sectors)
+ return q->limits.max_sectors;
+
+- return q->limits.chunk_sectors -
+- (offset & (q->limits.chunk_sectors - 1));
++ return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
++ (offset & (q->limits.chunk_sectors - 1))));
+ }
+
+ static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 6fc9a6dd5ed2..0db1fa621d8a 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -111,7 +111,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+ #define unlikely_notrace(x) __builtin_expect(!!(x), 0)
+
+ #define __branch_check__(x, expect) ({ \
+- int ______r; \
++ long ______r; \
+ static struct ftrace_branch_data \
+ __attribute__((__aligned__(4))) \
+ __attribute__((section("_ftrace_annotated_branch"))) \
+diff --git a/include/linux/iio/buffer.h b/include/linux/iio/buffer.h
+index 1600c55828e0..93a774ce4922 100644
+--- a/include/linux/iio/buffer.h
++++ b/include/linux/iio/buffer.h
+@@ -49,7 +49,7 @@ struct iio_buffer_access_funcs {
+ int (*request_update)(struct iio_buffer *buffer);
+
+ int (*set_bytes_per_datum)(struct iio_buffer *buffer, size_t bpd);
+- int (*set_length)(struct iio_buffer *buffer, int length);
++ int (*set_length)(struct iio_buffer *buffer, unsigned int length);
+
+ void (*release)(struct iio_buffer *buffer);
+
+@@ -78,8 +78,8 @@ struct iio_buffer_access_funcs {
+ * @watermark: [INTERN] number of datums to wait for poll/read.
+ */
+ struct iio_buffer {
+- int length;
+- int bytes_per_datum;
++ unsigned int length;
++ size_t bytes_per_datum;
+ struct attribute_group *scan_el_attrs;
+ long *scan_mask;
+ bool scan_timestamp;
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 1878d0a96333..876688b5a356 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -878,7 +878,7 @@ struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
+ u16 conn_timeout, u8 role);
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role);
++ u8 role, bdaddr_t *direct_rpa);
+ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 sec_level, u8 auth_type);
+ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 86751c68e08d..de70ac1f84d0 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -28,6 +28,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -258,9 +259,10 @@ unsigned int jiffies_to_msecs(const unsigned long j)
+ return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
+ #else
+ # if BITS_PER_LONG == 32
+- return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
++ return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
++ HZ_TO_MSEC_SHR32;
+ # else
+- return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
++ return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
+ # endif
+ #endif
+ }
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index f9cee8e1233c..646009db4198 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -1345,9 +1345,6 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
+ return string(buf, end, NULL, spec);
+
+ switch (fmt[1]) {
+- case 'r':
+- return number(buf, end, clk_get_rate(clk), spec);
+-
+ case 'n':
+ default:
+ #ifdef CONFIG_COMMON_CLK
+diff --git
a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 24e9410923d0..80be0ee17ff3 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -708,7 +708,8 @@ done:
+ }
+
+ static void hci_req_add_le_create_conn(struct hci_request *req,
+- struct hci_conn *conn)
++ struct hci_conn *conn,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_cp_le_create_conn cp;
+ struct hci_dev *hdev = conn->hdev;
+@@ -716,11 +717,23 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
+
+ memset(&cp, 0, sizeof(cp));
+
+- /* Update random address, but set require_privacy to false so
+- * that we never connect with an non-resolvable address.
++ /* If direct address was provided we use it instead of current
++ * address.
+ */
+- if (hci_update_random_address(req, false, &own_addr_type))
+- return;
++ if (direct_rpa) {
++ if (bacmp(&req->hdev->random_addr, direct_rpa))
++ hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
++ direct_rpa);
++
++ /* direct address is always RPA */
++ own_addr_type = ADDR_LE_DEV_RANDOM;
++ } else {
++ /* Update random address, but set require_privacy to false so
++ * that we never connect with an non-resolvable address.
++ */
++ if (hci_update_random_address(req, false, &own_addr_type))
++ return;
++ }
+
+ /* Set window to be the same value as the interval to enable
+ * continuous scanning.
+@@ -782,7 +795,7 @@ static void hci_req_directed_advertising(struct hci_request *req,
+
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role)
++ u8 role, bdaddr_t *direct_rpa)
+ {
+ struct hci_conn_params *params;
+ struct hci_conn *conn, *conn_unfinished;
+@@ -913,7 +926,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
+ }
+
+- hci_req_add_le_create_conn(&req, conn);
++ hci_req_add_le_create_conn(&req, conn, direct_rpa);
+
+ create_conn:
+ err = hci_req_run(&req, create_le_conn_complete);
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d57c11c1c6b5..d40d32a2c12d 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4632,7 +4632,8 @@ static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
+ /* This function requires the caller holds hdev->lock */
+ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+ bdaddr_t *addr,
+- u8 addr_type, u8 adv_type)
++ u8 addr_type, u8 adv_type,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_conn *conn;
+ struct hci_conn_params *params;
+@@ -4683,7 +4684,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+ }
+
+ conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
+- HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
++ HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
++ direct_rpa);
+ if (!IS_ERR(conn)) {
+ /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
+ * by higher layer that tried to connect, if no then
+@@ -4780,8 +4782,13 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ bdaddr_type = irk->addr_type;
+ }
+
+- /* Check if we have been requested to connect to this device */
+- conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
++ /* Check if we have been requested to connect to this device.
++ *
++ * direct_addr is set only for directed advertising reports (it is NULL
++ * for advertising reports) and is already verified to be RPA above.
++ */
++ conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
++ direct_addr);
+ if (conn && type == LE_ADV_IND) {
+ /* Store report for later inclusion by
+ * mgmt_device_connected
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 51eab9b5baa1..9f70c267a7a5 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1912,7 +1912,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 23b95aead897..a9041915afc0 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -612,7 +612,7 @@ void tcp_rcv_space_adjust(struct sock *sk)
+ sk->sk_rcvbuf = rcvbuf;
+
+ /* Make the window clamp follow along.
*/
+- tp->window_clamp = rcvwin;
++ tp->window_clamp = tcp_win_from_space(rcvbuf);
+ }
+ }
+ tp->rcvq_space.space = copied;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 61c93a93f228..eeda67c3dd11 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1627,6 +1627,10 @@ process:
+ reqsk_put(req);
+ goto discard_it;
+ }
++ if (tcp_checksum_complete(skb)) {
++ reqsk_put(req);
++ goto csum_error;
++ }
+ if (unlikely(sk->sk_state != TCP_LISTEN)) {
+ inet_csk_reqsk_queue_drop_and_put(sk, req);
+ goto lookup;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 74cbcc4b399c..90abe88e1b40 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1415,6 +1415,10 @@ process:
+ reqsk_put(req);
+ goto discard_it;
+ }
++ if (tcp_checksum_complete(skb)) {
++ reqsk_put(req);
++ goto csum_error;
++ }
+ if (unlikely(sk->sk_state != TCP_LISTEN)) {
+ inet_csk_reqsk_queue_drop_and_put(sk, req);
+ goto lookup;
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index c074771a10f7..1ca0c2f3d92b 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index c0656510c4dc..3167ec76903a 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2349,8 +2349,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++
sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2388,12 +2390,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2822,7 +2831,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2840,7 +2849,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index d95cb69460f0..f9a13b67df5e 100644
+--- a/net/xfrm/xfrm_policy.c
++++
b/net/xfrm/xfrm_policy.c
+@@ -626,6 +626,11 @@ static void xfrm_hash_rebuild(struct work_struct *work)
+
+ /* re-insert all policies by order of creation */
+ list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
++ if (policy->walk.dead ||
++ xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
++ /* skip socket policies */
++ continue;
++ }
+ newpos = NULL;
+ chain = policy_hash_bysel(net, &policy->selector,
+ policy->family,
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 9c6e10fb479f..273364c39171 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -547,8 +547,10 @@ int snd_hda_attach_pcm_stream(struct hda_bus *_bus, struct hda_codec *codec,
+ return err;
+ strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
+ apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
+- if (apcm == NULL)
++ if (apcm == NULL) {
++ snd_device_free(chip->card, pcm);
+ return -ENOMEM;
++ }
+ apcm->chip = chip;
+ apcm->pcm = pcm;
+ apcm->codec = codec;
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 9fae1d248318..cb19af145f46 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -851,6 +851,8 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+ SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+ SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 580b8943b965..d706a416b587 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2447,6 +2447,7 @@ static const struct snd_pci_quirk alc262_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
+ SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
+ SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
++ SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270),
+ SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270),
+ SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000),
+ SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ),
+diff --git a/sound/soc/cirrus/edb93xx.c b/sound/soc/cirrus/edb93xx.c
+index 85962657aabe..517963ef4847 100644
+--- a/sound/soc/cirrus/edb93xx.c
++++ b/sound/soc/cirrus/edb93xx.c
+@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_dai = {
+ .cpu_dai_name = "ep93xx-i2s",
+ .codec_name = "spi0.0",
+ .codec_dai_name = "cs4271-hifi",
+- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
++ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
+ SND_SOC_DAIFMT_CBS_CFS,
+ .ops = &edb93xx_ops,
+ };
+diff --git a/sound/soc/cirrus/ep93xx-i2s.c b/sound/soc/cirrus/ep93xx-i2s.c
+index 934f8aefdd90..0dc3852c4621 100644
+--- a/sound/soc/cirrus/ep93xx-i2s.c
++++ b/sound/soc/cirrus/ep93xx-i2s.c
+@@ -51,7 +51,9 @@
+ #define EP93XX_I2S_WRDLEN_24 (1 << 0)
+ #define EP93XX_I2S_WRDLEN_32 (2 << 0)
+
+-#define EP93XX_I2S_LINCTRLDATA_R_JUST (1 << 2) /* Right justify */
++#define EP93XX_I2S_RXLINCTRLDATA_R_JUST BIT(1) /* Right justify */
++
++#define EP93XX_I2S_TXLINCTRLDATA_R_JUST BIT(2) /* Right justify */
+
+ #define EP93XX_I2S_CLKCFG_LRS (1 << 0) /* lrclk polarity */
+ #define EP93XX_I2S_CLKCFG_CKP (1 << 1) /* Bit clock polarity */
+@@ -170,25 +172,25 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
+ unsigned int fmt)
+ {
+ struct ep93xx_i2s_info *info = snd_soc_dai_get_drvdata(cpu_dai);
+- unsigned int clk_cfg, lin_ctrl;
++ unsigned int clk_cfg;
++ unsigned int txlin_ctrl = 0;
++ unsigned int rxlin_ctrl = 0;
+
+ clk_cfg = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXCLKCFG);
+- lin_ctrl = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXLINCTRLDATA);
+
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+ clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
+ break;
+
+ case SND_SOC_DAIFMT_LEFT_J:
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
+ break;
+
+ case SND_SOC_DAIFMT_RIGHT_J:
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl |= EP93XX_I2S_LINCTRLDATA_R_JUST;
++ rxlin_ctrl |= EP93XX_I2S_RXLINCTRLDATA_R_JUST;
++ txlin_ctrl |= EP93XX_I2S_TXLINCTRLDATA_R_JUST;
+ break;
+
+ default:
+@@ -213,32 +215,32 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
+ switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
+ case SND_SOC_DAIFMT_NB_NF:
+ /* Negative bit clock, lrclk low on left word */
+- clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
++ clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
+ break;
+
+ case SND_SOC_DAIFMT_NB_IF:
+ /* Negative bit clock, lrclk low on right word */
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
+- clk_cfg |= EP93XX_I2S_CLKCFG_REL;
++ clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
+ break;
+
+ case SND_SOC_DAIFMT_IB_NF:
+ /* Positive bit clock, lrclk low on left word */
+ clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
+- clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
++ clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
+ break;
+
+ case SND_SOC_DAIFMT_IB_IF:
+ /* Positive bit clock, lrclk low on right word */
+- clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
++ clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
+ break;
+ }
+
+ /* Write new register values */
+ ep93xx_i2s_write_reg(info, EP93XX_I2S_RXCLKCFG, clk_cfg);
+ ep93xx_i2s_write_reg(info, EP93XX_I2S_TXCLKCFG, clk_cfg);
+- ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, lin_ctrl);
+-
ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, lin_ctrl);
++ ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, rxlin_ctrl);
++ ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, txlin_ctrl);
+ return 0;
+ }
+
+diff --git a/sound/soc/cirrus/snappercl15.c b/sound/soc/cirrus/snappercl15.c
+index 98089df08df6..c6737a573bc0 100644
+--- a/sound/soc/cirrus/snappercl15.c
++++ b/sound/soc/cirrus/snappercl15.c
+@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl15_dai = {
+ .codec_dai_name = "tlv320aic23-hifi",
+ .codec_name = "tlv320aic23-codec.0-001a",
+ .platform_name = "ep93xx-i2s",
+- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
++ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
+ SND_SOC_DAIFMT_CBS_CFS,
+ .ops = &snappercl15_ops,
+ };
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 6a438a361592..9e784cc3e5d2 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -425,6 +425,8 @@ err_data:
+ static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
+ {
+ struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
++
++ list_del(&data->paths);
+ kfree(data->wlist);
+ kfree(data);
+ }
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 425df5c86c9c..425597186677 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -249,6 +249,8 @@ int __kmod_path__parse(struct kmod_path *m, const char *path,
+ if ((strncmp(name, "[kernel.kallsyms]", 17) == 0) ||
+ (strncmp(name, "[guest.kernel.kallsyms", 22) == 0) ||
+ (strncmp(name, "[vdso]", 6) == 0) ||
++ (strncmp(name, "[vdso32]", 8) == 0) ||
++ (strncmp(name, "[vdsox32]", 9) == 0) ||
+ (strncmp(name, "[vsyscall]", 10) == 0)) {
+ m->kmod = false;
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+index 0b540b84f8b7..dc17c881275d 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -111,6 +111,7 @@
struct intel_pt_decoder {
+ bool have_cyc;
+ bool fixup_last_mtc;
+ bool have_last_ip;
++ enum intel_pt_param_flags flags;
+ uint64_t pos;
+ uint64_t last_ip;
+ uint64_t ip;
+@@ -213,6 +214,8 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params)
+ decoder->data = params->data;
+ decoder->return_compression = params->return_compression;
+
++ decoder->flags = params->flags;
++
+ decoder->period = params->period;
+ decoder->period_type = params->period_type;
+
+@@ -1010,6 +1013,15 @@ out_no_progress:
+ return err;
+ }
+
++static inline bool intel_pt_fup_with_nlip(struct intel_pt_decoder *decoder,
++ struct intel_pt_insn *intel_pt_insn,
++ uint64_t ip, int err)
++{
++ return decoder->flags & INTEL_PT_FUP_WITH_NLIP && !err &&
++ intel_pt_insn->branch == INTEL_PT_BR_INDIRECT &&
++ ip == decoder->ip + intel_pt_insn->length;
++}
++
+ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ {
+ struct intel_pt_insn intel_pt_insn;
+@@ -1022,7 +1034,8 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ err = intel_pt_walk_insn(decoder, &intel_pt_insn, ip);
+ if (err == INTEL_PT_RETURN)
+ return 0;
+- if (err == -EAGAIN) {
++ if (err == -EAGAIN ||
++ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
+ if (decoder->set_fup_tx_flags) {
+ decoder->set_fup_tx_flags = false;
+ decoder->tx_flags = decoder->fup_tx_flags;
+@@ -1032,7 +1045,7 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ decoder->state.flags = decoder->fup_tx_flags;
+ return 0;
+ }
+- return err;
++ return -EAGAIN;
+ }
+ decoder->set_fup_tx_flags = false;
+ if (err)
+@@ -1268,7 +1281,6 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder)
+ {
+ intel_pt_log("ERROR: Buffer overflow\n");
+ intel_pt_clear_tx_flags(decoder);
+- decoder->have_tma = false;
+ decoder->cbr = 0;
+ decoder->timestamp_insn_cnt = 0;
+ decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
+@@ -1487,7 +1499,6 @@ static int intel_pt_walk_fup_tip(struct
intel_pt_decoder *decoder)
+ case INTEL_PT_PSB:
+ case INTEL_PT_TSC:
+ case INTEL_PT_TMA:
+- case INTEL_PT_CBR:
+ case INTEL_PT_MODE_TSX:
+ case INTEL_PT_BAD:
+ case INTEL_PT_PSBEND:
+@@ -1496,6 +1507,10 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder)
+ decoder->pkt_step = 0;
+ return -ENOENT;
+
++ case INTEL_PT_CBR:
++ intel_pt_calc_cbr(decoder);
++ break;
++
+ case INTEL_PT_OVF:
+ return intel_pt_overflow(decoder);
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+index 89a3eda6a318..e420bd3be159 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+@@ -53,6 +53,14 @@ enum {
+ INTEL_PT_ERR_MAX,
+ };
+
++enum intel_pt_param_flags {
++ /*
++ * FUP packet can contain next linear instruction pointer instead of
++ * current linear instruction pointer.
++ */
++ INTEL_PT_FUP_WITH_NLIP = 1 << 0,
++};
++
+ struct intel_pt_state {
+ enum intel_pt_sample_type type;
+ int err;
+@@ -91,6 +99,7 @@ struct intel_pt_params {
+ unsigned int mtc_period;
+ uint32_t tsc_ctc_ratio_n;
+ uint32_t tsc_ctc_ratio_d;
++ enum intel_pt_param_flags flags;
+ };
+
+ struct intel_pt_decoder;
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+index 7528ae4f7e28..e5c6caf913f3 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+@@ -281,7 +281,7 @@ static int intel_pt_get_cyc(unsigned int byte, const unsigned char *buf,
+ if (len < offs)
+ return INTEL_PT_NEED_MORE_BYTES;
+ byte = buf[offs++];
+- payload |= (byte >> 1) << shift;
++ payload |= ((uint64_t)byte >> 1) << shift;
+ }
+
+ packet->type = INTEL_PT_CYC;
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index 3693cb26ec66..c8f2d084a8ce 100644
+--- a/tools/perf/util/intel-pt.c
++++
b/tools/perf/util/intel-pt.c
+@@ -676,6 +676,7 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
+ unsigned int queue_nr)
+ {
+ struct intel_pt_params params = { .get_trace = 0, };
++ struct perf_env *env = pt->machine->env;
+ struct intel_pt_queue *ptq;
+
+ ptq = zalloc(sizeof(struct intel_pt_queue));
+@@ -753,6 +754,9 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
+ }
+ }
+
++ if (env->cpuid && !strncmp(env->cpuid, "GenuineIntel,6,92,", 18))
++ params.flags |= INTEL_PT_FUP_WITH_NLIP;
++
+ ptq->decoder = intel_pt_decoder_new(¶ms);
+ if (!ptq->decoder)
+ goto out_free;
+@@ -1246,6 +1250,7 @@ static int intel_pt_sample(struct intel_pt_queue *ptq)
+
+ if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
+ switch (ptq->switch_state) {
++ case INTEL_PT_SS_NOT_TRACING:
+ case INTEL_PT_SS_UNKNOWN:
+ case INTEL_PT_SS_EXPECTING_SWITCH_IP:
+ err = intel_pt_next_tid(pt, ptq);
diff --git a/patch/kernel/mvebu-default/04-patch-4.4.139-140.patch b/patch/kernel/mvebu-default/04-patch-4.4.139-140.patch
new file mode 100644
index 0000000000..875775e6f4
--- /dev/null
+++ b/patch/kernel/mvebu-default/04-patch-4.4.139-140.patch
@@ -0,0 +1,1754 @@ +diff --git a/Makefile b/Makefile +index 20a11fd36656..b842298a5970 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 139 ++SUBLEVEL = 140 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi +index 399103b8e2c9..c81fb8fdc41f 100644 +--- a/arch/arm/boot/dts/imx6q.dtsi ++++ b/arch/arm/boot/dts/imx6q.dtsi +@@ -95,7 +95,7 @@ + clocks = <&clks IMX6Q_CLK_ECSPI5>, + <&clks IMX6Q_CLK_ECSPI5>; + clock-names = "ipg", "per"; +- dmas = <&sdma 11 7 1>, <&sdma 12 7 2>; ++ dmas = <&sdma 11 8 1>, <&sdma 12 8 2>; + dma-names = "rx", "tx"; + status = "disabled"; + }; +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 5416d5d68308..4cad1adff16b 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -1170,7 +1170,7 @@ cleanup_critical: + jl 0f + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end + jl .Lcleanup_load_fpu_regs +-0: BR_EX %r14 ++0: BR_EX %r14,%r11 + + .align 8 + .Lcleanup_table: +@@ -1200,7 +1200,7 @@ cleanup_critical: + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce + larl %r9,sie_exit # skip forward to sie_exit +- BR_EX %r14 ++ BR_EX %r14,%r11 + #endif + + .Lcleanup_system_call: +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 6edb9530d7e9..ddc9b8125918 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -980,11 +980,12 @@ void do_machine_check(struct pt_regs *regs, long error_code) + int i; + int worst = 0; + int severity; ++ + /* + * Establish sequential order between the CPUs entering the machine + * check handler. + */ +- int order; ++ int order = -1; + /* + * If no_way_out gets set, there is no safe way to recover from this + * MCE. If mca_cfg.tolerant is cranked up, we'll try anyway. 
+@@ -1000,7 +1001,12 @@ void do_machine_check(struct pt_regs *regs, long error_code) + char *msg = "Unknown"; + u64 recover_paddr = ~0ull; + int flags = MF_ACTION_REQUIRED; +- int lmce = 0; ++ ++ /* ++ * MCEs are always local on AMD. Same is determined by MCG_STATUS_LMCES ++ * on Intel. ++ */ ++ int lmce = 1; + + /* If this CPU is offline, just bail out. */ + if (cpu_is_offline(smp_processor_id())) { +@@ -1039,17 +1045,23 @@ void do_machine_check(struct pt_regs *regs, long error_code) + kill_it = 1; + + /* +- * Check if this MCE is signaled to only this logical processor ++ * Check if this MCE is signaled to only this logical processor, ++ * on Intel only. + */ +- if (m.mcgstatus & MCG_STATUS_LMCES) +- lmce = 1; +- else { +- /* +- * Go through all the banks in exclusion of the other CPUs. +- * This way we don't report duplicated events on shared banks +- * because the first one to see it will clear it. +- * If this is a Local MCE, then no need to perform rendezvous. +- */ ++ if (m.cpuvendor == X86_VENDOR_INTEL) ++ lmce = m.mcgstatus & MCG_STATUS_LMCES; ++ ++ /* ++ * Local machine check may already know that we have to panic. ++ * Broadcast machine check begins rendezvous in mce_start() ++ * Go through all banks in exclusion of the other CPUs. This way we ++ * don't report duplicated events on shared banks because the first one ++ * to see it will clear it. ++ */ ++ if (lmce) { ++ if (no_way_out) ++ mce_panic("Fatal local machine check", &m, msg); ++ } else { + order = mce_start(&no_way_out); + } + +@@ -1128,12 +1140,17 @@ void do_machine_check(struct pt_regs *regs, long error_code) + no_way_out = worst >= MCE_PANIC_SEVERITY; + } else { + /* +- * Local MCE skipped calling mce_reign() +- * If we found a fatal error, we need to panic here. ++ * If there was a fatal machine check we should have ++ * already called mce_panic earlier in this function. ++ * Since we re-read the banks, we might have found ++ * something new. 
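Review bot: In `do_machine_check()` the new assignment `lmce = m.mcgstatus & MCG_STATUS_LMCES;` stores a masked status word in the `int lmce` declared in the previous hunk, so the flag is only correct while the mask bit fits in an `int`. Since `lmce` is used purely as a truth value (`if (lmce)`), `lmce = !!(m.mcgstatus & MCG_STATUS_LMCES);` states the intent and does not depend on the bit position. The following hunk also mixes `mca_cfg.tolerant` in the condition with `cfg->tolerant` in the `mce_severity()` call; using one spelling would make it obvious both refer to the same setting, which the hunk itself does not show.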
Check again to see if we found a ++ * fatal error. We call "mce_severity()" again to ++ * make sure we have the right "msg". + */ +- if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) +- mce_panic("Machine check from unknown source", +- NULL, NULL); ++ if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) { ++ mce_severity(&m, cfg->tolerant, &msg, true); ++ mce_panic("Local fatal machine check!", &m, msg); ++ } + } + + /* +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index df9be5b91270..1f5c47a49e35 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -411,25 +411,38 @@ void free_insn_page(void *page) + module_memfree(page); + } + ++/* Prepare reljump right after instruction to boost */ ++static void prepare_boost(struct kprobe *p, int length) ++{ ++ if (can_boost(p->ainsn.insn, p->addr) && ++ MAX_INSN_SIZE - length >= RELATIVEJUMP_SIZE) { ++ /* ++ * These instructions can be executed directly if it ++ * jumps back to correct address. ++ */ ++ synthesize_reljump(p->ainsn.insn + length, p->addr + length); ++ p->ainsn.boostable = 1; ++ } else { ++ p->ainsn.boostable = -1; ++ } ++} ++ + static int arch_copy_kprobe(struct kprobe *p) + { +- int ret; ++ int len; + + set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1); + + /* Copy an instruction with recovering if other optprobe modifies it.*/ +- ret = __copy_instruction(p->ainsn.insn, p->addr); +- if (!ret) ++ len = __copy_instruction(p->ainsn.insn, p->addr); ++ if (!len) + return -EINVAL; + + /* + * __copy_instruction can modify the displacement of the instruction, + * but it doesn't affect boostable check. 
+ */ +- if (can_boost(p->ainsn.insn, p->addr)) +- p->ainsn.boostable = 0; +- else +- p->ainsn.boostable = -1; ++ prepare_boost(p, len); + + set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1); + +@@ -894,21 +907,6 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs, + break; + } + +- if (p->ainsn.boostable == 0) { +- if ((regs->ip > copy_ip) && +- (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) { +- /* +- * These instructions can be executed directly if it +- * jumps back to correct address. +- */ +- synthesize_reljump((void *)regs->ip, +- (void *)orig_ip + (regs->ip - copy_ip)); +- p->ainsn.boostable = 1; +- } else { +- p->ainsn.boostable = -1; +- } +- } +- + regs->ip += orig_ip - copy_ip; + + no_change: +diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c +index a744506856b1..88ce150186c6 100644 +--- a/arch/x86/lib/cmdline.c ++++ b/arch/x86/lib/cmdline.c +@@ -21,12 +21,14 @@ static inline int myisspace(u8 c) + * @option: option string to look for + * + * Returns the position of that @option (starts counting with 1) +- * or 0 on not found. ++ * or 0 on not found. @option will only be found if it is found ++ * as an entire word in @cmdline. For instance, if @option="car" ++ * then a cmdline which contains "cart" will not match. 
+ */ + int cmdline_find_option_bool(const char *cmdline, const char *option) + { + char c; +- int len, pos = 0, wstart = 0; ++ int pos = 0, wstart = 0; + const char *opptr = NULL; + enum { + st_wordstart = 0, /* Start of word/after whitespace */ +@@ -37,11 +39,14 @@ int cmdline_find_option_bool(const char *cmdline, const char *option) + if (!cmdline) + return -1; /* No command line */ + +- len = min_t(int, strlen(cmdline), COMMAND_LINE_SIZE); +- if (!len) ++ if (!strlen(cmdline)) + return 0; + +- while (len--) { ++ /* ++ * This 'pos' check ensures we do not overrun ++ * a non-NULL-terminated 'cmdline' ++ */ ++ while (pos < COMMAND_LINE_SIZE) { + c = *(char *)cmdline++; + pos++; + +@@ -58,17 +63,26 @@ int cmdline_find_option_bool(const char *cmdline, const char *option) + /* fall through */ + + case st_wordcmp: +- if (!*opptr) ++ if (!*opptr) { ++ /* ++ * We matched all the way to the end of the ++ * option we were looking for. If the ++ * command-line has a space _or_ ends, then ++ * we matched! ++ */ + if (!c || myisspace(c)) + return wstart; + else + state = st_wordskip; +- else if (!c) ++ } else if (!c) { ++ /* ++ * Hit the NULL terminator on the end of ++ * cmdline. ++ */ + return 0; +- else if (c != *opptr++) ++ } else if (c != *opptr++) { + state = st_wordskip; +- else if (!len) /* last word and is matching */ +- return wstart; ++ } + break; + + case st_wordskip: +diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c +index 5578c1477ba6..8bfd4fd7e9ec 100644 +--- a/drivers/block/drbd/drbd_worker.c ++++ b/drivers/block/drbd/drbd_worker.c +@@ -256,8 +256,8 @@ void drbd_request_endio(struct bio *bio) + } else + what = COMPLETED_OK; + +- bio_put(req->private_bio); + req->private_bio = ERR_PTR(bio->bi_error); ++ bio_put(bio); + + /* not req_mod(), we need irqsave here! 
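Review bot: In `cmdline_find_option_bool()` the new early-out `if (!strlen(cmdline))` still scans to the terminating NUL. The comment added just below says the `pos < COMMAND_LINE_SIZE` loop bound exists so that a non-terminated `cmdline` is not overrun, so the scan undoes the guarantee the comment claims. The empty-string test only needs the first byte: `if (!*cmdline) return 0;` gives the same result without an unbounded read. The comment's "non-NULL-terminated" should read "non-NUL-terminated", since it refers to the string terminator, not a null pointer.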
*/ + spin_lock_irqsave(&device->resource->req_lock, flags); +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 2886b645ced7..6c60f4b63d21 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1152,6 +1152,8 @@ copy_rest: + goto out; + if (list->tail > list->head) { + len = list->tail - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1161,6 +1163,8 @@ copy_rest: + list->head += len; + } else { + len = HID_DEBUG_BUFSIZE - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1168,7 +1172,9 @@ copy_rest: + } + list->head = 0; + ret += len; +- goto copy_rest; ++ count -= len; ++ if (count > 0) ++ goto copy_rest; + } + + } +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index 4c3ed078c6b9..a5fed668fde1 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -413,7 +413,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + +- if ((ret_size > size) || (ret_size <= 2)) { ++ if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 700145b15088..b59b15d4caa9 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include "usbhid.h" + + #ifdef CONFIG_USB_DYNAMIC_MINORS +@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + if (uref->usage_index >= field->maxusage) + goto inval; ++ 
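Review bot: In the `copy_rest` block of hid-debug.c the wrap-around branch copies to `buffer` while the `tail > head` branch copies to `buffer + ret`; that is only correct if `ret` is always 0 when the wrap-around branch runs, which these hunks do not show. Writing `copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)` in both branches makes the offset correct regardless of how the branch is reached. The `tail > head` branch clamps `len` to `count` but does not reduce `count` afterwards, unlike the `count -= len;` added to the other branch; harmless if nothing reads `count` later, but worth making symmetric. The enclosing function starts and ends outside the hunks.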
uref->usage_index = array_index_nospec(uref->usage_index, ++ field->maxusage); + + uref->usage_code = field->usage[uref->usage_index].hid; + +@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + +@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (finfo.field_index >= report->maxfield) + break; ++ finfo.field_index = array_index_nospec(finfo.field_index, ++ report->maxfield); + + field = report->field[finfo.field_index]; + memset(&finfo, 0, sizeof(finfo)); +@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (cinfo.index >= hid->maxcollection) + break; ++ cinfo.index = array_index_nospec(cinfo.index, ++ hid->maxcollection); + + cinfo.type = hid->collection[cinfo.index].type; + cinfo.usage = hid->collection[cinfo.index].usage; +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index 6f89484765e3..dfe1a53ce4ad 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -484,6 +484,8 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap, + + pm_runtime_get_sync(dev); + ++ rcar_i2c_init(priv); ++ + ret = rcar_i2c_bus_barrier(priv); + if (ret < 0) + goto out; +@@ -624,7 +626,6 @@ static int rcar_i2c_probe(struct platform_device *pdev) + if (ret < 0) + goto out_pm_put; + +- rcar_i2c_init(priv); + pm_runtime_put(dev); + + irq = platform_get_irq(pdev, 0); +diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c +index a47ab1947cc4..17d217c3585a 100644 +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2c_client *client) + { + 
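Review bot: The second `hiddev_ioctl_usage()` hunk clamps `uref->field_index` with `array_index_nospec()` but, unlike the first hunk, shows no clamp for `uref->usage_index`. If the code after `field = report->field[uref->field_index];` (outside the hunk) bounds-checks `usage_index` and then indexes with it, that site needs the same clamp. Each added clamp is correctly placed directly after its bounds check and before the first array use; a short comment at the first site, for example `/* clamp after the bounds check: index is presumably caller-supplied via the ioctl */`, would warn later editors not to separate the two.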
DEFINE_WAIT(wait); + struct cx25840_state *state = to_state(i2c_get_clientdata(client)); ++ u32 clk_freq = 0; + struct workqueue_struct *q; + ++ /* cx23885 sets hostdata to clk_freq pointer */ ++ if (v4l2_get_subdev_hostdata(&state->sd)) ++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd)); ++ + /* + * Come out of digital power down + * The CX23888, at least, needs this, otherwise registers aside from +@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2c_client *client) + * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz + * 572.73 MHz before post divide + */ +- /* HVR1850 or 50MHz xtal */ +- cx25840_write(client, 0x2, 0x71); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25Mhz xtal */ ++ ; /* nothing to do */ ++ } else { ++ /* HVR1850 or 50MHz xtal */ ++ cx25840_write(client, 0x2, 0x71); ++ } + cx25840_write4(client, 0x11c, 0x01d1744c); + cx25840_write4(client, 0x118, 0x00000416); + cx25840_write4(client, 0x404, 0x0010253e); +@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2c_client *client) + /* HVR1850 */ + switch (state->id) { + case CX23888_AV: +- /* 888/HVR1250 specific */ +- cx25840_write4(client, 0x10c, 0x13333333); +- cx25840_write4(client, 0x108, 0x00000515); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x01b6db7b); ++ cx25840_write4(client, 0x108, 0x00000512); ++ } else { ++ /* 888/HVR1250 or 50MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x13333333); ++ cx25840_write4(client, 0x108, 0x00000515); ++ } + break; + default: + cx25840_write4(client, 0x10c, 0x002be2c9); +@@ -577,7 +593,7 @@ static void cx23885_initialize(struct i2c_client *client) + * 368.64 MHz before post divide + * 122.88 MHz / 0xa = 12.288 MHz + */ +- /* HVR1850 or 50MHz xtal */ ++ /* HVR1850 or 50MHz xtal or 25MHz xtal */ + cx25840_write4(client, 0x114, 0x017dbf48); + cx25840_write4(client, 0x110, 0x000a030e); + break; +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c 
b/drivers/mtd/chips/cfi_cmdset_0002.c +index c484ca8c909c..fb5a3052f144 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -42,7 +42,7 @@ + #define AMD_BOOTLOC_BUG + #define FORCE_WORD_WRITE 0 + +-#define MAX_WORD_RETRIES 3 ++#define MAX_RETRIES 3 + + #define SST49LF004B 0x0060 + #define SST49LF040B 0x0050 +@@ -1645,7 +1645,7 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip, + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2104,7 +2104,7 @@ retry: + map_write(map, CMD(0xF0), chip->start); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2239,6 +2239,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + unsigned long int adr; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr = cfi->addr_unlock1; + +@@ -2256,6 +2257,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2292,12 +2294,13 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) ++ if (chip_good(map, adr, map_word_ff(map))) + break; + + if (time_after(jiffies, timeo)) { + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2305,12 +2308,15 @@ static int __xipram do_erase_chip(struct 
map_info *map, struct flchip *chip) + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +@@ -2329,6 +2335,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + unsigned long timeo = jiffies + HZ; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr += chip->start; + +@@ -2346,6 +2353,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2382,7 +2390,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, map_word_ff(map))) { + xip_enable(map, chip, adr); + break; + } +@@ -2391,6 +2399,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + xip_enable(map, chip, adr); + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2398,12 +2407,15 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. 
*/ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c +index 136e73a3e07e..53fe795fd716 100644 +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -49,7 +49,7 @@ + #define NFC_V1_V2_CONFIG (host->regs + 0x0a) + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c) + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e) +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10) ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10) + #define NFC_V1_V2_WRPROT (host->regs + 0x12) + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14) + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16) +@@ -1034,6 +1034,9 @@ static void preset_v2(struct mtd_info *mtd) + writew(config1, NFC_V1_V2_CONFIG1); + /* preset operation */ + ++ /* spare area size in 16-bit half-words */ ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA); ++ + /* Unlock the internal RAM Buffer */ + writew(0x2, NFC_V1_V2_CONFIG); + +diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c +index 4dd0391d2942..c4a25c858c07 100644 +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -350,6 +350,82 @@ out_unlock: + return err; + } + ++#ifdef CONFIG_MTD_UBI_FASTMAP ++/** ++ * check_mapping - check and fixup a mapping ++ * @ubi: UBI device description object ++ * @vol: volume description object ++ * @lnum: logical eraseblock number ++ * @pnum: physical eraseblock number ++ * ++ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap ++ * operations, if such an operation is interrupted the mapping still looks ++ * good, but upon first read an ECC is reported to the upper layer. ++ * Normaly during the full-scan at attach time this is fixed, for Fastmap ++ * we have to deal with it while reading. 
++ * If the PEB behind a LEB shows this symthom we change the mapping to ++ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure. ++ * ++ * Returns 0 on success, negative error code in case of failure. ++ */ ++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum, ++ int *pnum) ++{ ++ int err; ++ struct ubi_vid_hdr *vid_hdr; ++ ++ if (!ubi->fast_attach) ++ return 0; ++ ++ vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS); ++ if (!vid_hdr) ++ return -ENOMEM; ++ ++ err = ubi_io_read_vid_hdr(ubi, *pnum, vid_hdr, 0); ++ if (err > 0 && err != UBI_IO_BITFLIPS) { ++ int torture = 0; ++ ++ switch (err) { ++ case UBI_IO_FF: ++ case UBI_IO_FF_BITFLIPS: ++ case UBI_IO_BAD_HDR: ++ case UBI_IO_BAD_HDR_EBADMSG: ++ break; ++ default: ++ ubi_assert(0); ++ } ++ ++ if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS) ++ torture = 1; ++ ++ down_read(&ubi->fm_eba_sem); ++ vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED; ++ up_read(&ubi->fm_eba_sem); ++ ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture); ++ ++ *pnum = UBI_LEB_UNMAPPED; ++ } else if (err < 0) { ++ ubi_err(ubi, "unable to read VID header back from PEB %i: %i", ++ *pnum, err); ++ ++ goto out_free; ++ } ++ ++ err = 0; ++ ++out_free: ++ ubi_free_vid_hdr(ubi, vid_hdr); ++ ++ return err; ++} ++#else ++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum, ++ int *pnum) ++{ ++ return 0; ++} ++#endif ++ + /** + * ubi_eba_read_leb - read data. + * @ubi: UBI device description object +@@ -381,7 +457,13 @@ int ubi_eba_read_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum, + return err; + + pnum = vol->eba_tbl[lnum]; +- if (pnum < 0) { ++ if (pnum >= 0) { ++ err = check_mapping(ubi, vol, lnum, &pnum); ++ if (err < 0) ++ goto out_unlock; ++ } ++ ++ if (pnum == UBI_LEB_UNMAPPED) { + /* + * The logical eraseblock is not mapped, fill the whole buffer + * with 0xFF bytes. 
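Review bot: `check_mapping()` stores `vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED` while holding `fm_eba_sem` only for reading (`down_read`/`up_read`), which looks like a locking mistake unless it is explained. If the read side is the intended lock for EBA table updates, which has to be confirmed against the semaphore's other users outside this hunk, a comment at the `down_read()` should say what it excludes. The `default: ubi_assert(0);` arm falls through to the unmap and `ubi_wl_put_peb()` for an unexpected positive return code if the assertion does not stop execution; returning an error there would be the more conservative choice. The kernel-doc also has two typos, "Normaly" and "symthom".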
The exception is static volumes for which +@@ -696,6 +778,14 @@ int ubi_eba_write_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum, + return err; + + pnum = vol->eba_tbl[lnum]; ++ if (pnum >= 0) { ++ err = check_mapping(ubi, vol, lnum, &pnum); ++ if (err < 0) { ++ leb_write_unlock(ubi, vol_id, lnum); ++ return err; ++ } ++ } ++ + if (pnum >= 0) { + dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d", + len, offset, vol_id, lnum, pnum); +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index d26cb37b1fbd..b32c47fe926d 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -1166,6 +1166,7 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar, + size_t hdr_len, crypto_len; + void *rfc1042; + bool is_first, is_last, is_amsdu; ++ int bytes_aligned = ar->hw_params.decap_align_bytes; + + rxd = (void *)msdu->data - sizeof(*rxd); + hdr = (void *)rxd->rx_hdr_status; +@@ -1182,8 +1183,8 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar, + hdr_len = ieee80211_hdrlen(hdr->frame_control); + crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype); + +- rfc1042 += round_up(hdr_len, 4) + +- round_up(crypto_len, 4); ++ rfc1042 += round_up(hdr_len, bytes_aligned) + ++ round_up(crypto_len, bytes_aligned); + } + + if (is_amsdu) +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index e86fcc9e9852..01f47b68b6e7 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1589,11 +1589,11 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid) + if (result < 0) + goto release_cq; + ++ nvme_init_queue(nvmeq, qid); + result = queue_request_irq(dev, nvmeq, nvmeq->irqname); + if (result < 0) + goto release_sq; + +- nvme_init_queue(nvmeq, qid); + return result; + + release_sq: +@@ -1797,6 +1797,7 @@ static int nvme_configure_admin_queue(struct nvme_dev *dev) + goto free_nvmeq; + + nvmeq->cq_vector = 0; ++ 
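Review bot: `nvme_create_queue()` now calls `nvme_init_queue(nvmeq, qid)` before `queue_request_irq()`, but the `goto release_sq` failure path is unchanged, so whatever state `nvme_init_queue()` sets up stays in place when the IRQ request fails. Its body is not visible here; if it marks the queue online or updates a counter, `release_sq` should undo that. The next hunk introduces the same ordering in `nvme_configure_admin_queue()`, where the error branch resets only `cq_vector`. A comment at the call, for example `/* initialise before queue_request_irq(): presumably the handler may run as soon as the IRQ is registered */`, would record why the order matters once the reason is confirmed.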
nvme_init_queue(nvmeq, 0); + result = queue_request_irq(dev, nvmeq, nvmeq->irqname); + if (result) { + nvmeq->cq_vector = -1; +@@ -3165,7 +3166,6 @@ static void nvme_probe_work(struct work_struct *work) + goto disable; + } + +- nvme_init_queue(dev->queues[0], 0); + result = nvme_alloc_admin_tags(dev); + if (result) + goto disable; +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 841f3fbec77c..4302880a20b3 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2 digits for each component */ + #include + #include + #include ++#include /* for sg_check_file_access() */ + + #include "scsi.h" + #include +@@ -221,6 +222,33 @@ static void sg_device_destroy(struct kref *kref); + sdev_prefix_printk(prefix, (sdp)->device, \ + (sdp)->disk->disk_name, fmt, ##a) + ++/* ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways ++ * to trigger read() and write() calls from various contexts with elevated ++ * privileges. This can lead to kernel memory corruption (e.g. if these ++ * interfaces are called through splice()) and privilege escalation inside ++ * userspace (e.g. if a process with access to such a device passes a file ++ * descriptor to a SUID binary as stdin/stdout/stderr). ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. 
++ */ ++static int sg_check_file_access(struct file *filp, const char *caller) ++{ ++ if (filp->f_cred != current_real_cred()) { ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EPERM; ++ } ++ if (unlikely(segment_eq(get_fs(), KERNEL_DS))) { ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EACCES; ++ } ++ return 0; ++} ++ + static int sg_allow_access(struct file *filp, unsigned char *cmd) + { + struct sg_fd *sfp = filp->private_data; +@@ -405,6 +433,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) + struct sg_header *old_hdr = NULL; + int retval = 0; + ++ /* ++ * This could cause a response to be stranded. Close the associated ++ * file descriptor to free up any resources being held. ++ */ ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; ++ + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, +@@ -592,9 +628,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + struct sg_header old_hdr; + sg_io_hdr_t *hp; + unsigned char cmnd[SG_MAX_CDB_SIZE]; ++ int retval; + +- if (unlikely(segment_eq(get_fs(), KERNEL_DS))) +- return -EINVAL; ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; + + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; +diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c +index ca15a87f6fd3..13a9b4c42b26 100644 +--- a/drivers/staging/android/ion/ion_heap.c ++++ b/drivers/staging/android/ion/ion_heap.c +@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_heap *heap, + struct page **tmp = pages; + + if (!pages) +- return NULL; ++ 
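Review bot: `sg_write()` used to return `-EINVAL` when called under `KERNEL_DS`; routed through `sg_check_file_access()` it now returns `-EACCES`, and both `sg_read()` and `sg_write()` gain a new `-EPERM` failure when `filp->f_cred != current_real_cred()`. Callers that match on the old error code will see a change, so the return values belong in the comment above `sg_check_file_access()`. Both rejections are logged with `pr_err_once()`, so only the first occurrence of each message reaches the log; anyone relying on these lines for detection should know that later rejected calls are silent. The comment added in `sg_read()` sits above the check without saying that it describes the consequence of the early return; `/* Returning early here can strand a response; closing the file descriptor frees the resources held. */` would make that explicit.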
return ERR_PTR(-ENOMEM); + + if (buffer->flags & ION_FLAG_CACHED) + pgprot = PAGE_KERNEL; +diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +index e9e43139157d..769a94015117 100644 +--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c ++++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +@@ -642,7 +642,7 @@ static int daqp_ao_insn_write(struct comedi_device *dev, + /* Make sure D/A update mode is direct update */ + outb(0, dev->iobase + DAQP_AUX_REG); + +- for (i = 0; i > insn->n; i++) { ++ for (i = 0; i < insn->n; i++) { + unsigned val = data[i]; + int ret; + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 190e5dc15738..b1ec202099b2 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -128,6 +128,8 @@ struct n_tty_data { + struct mutex output_lock; + }; + ++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1)) ++ + static inline size_t read_cnt(struct n_tty_data *ldata) + { + return ldata->read_head - ldata->read_tail; +@@ -145,6 +147,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i) + + static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i) + { ++ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). 
*/ + return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)]; + } + +@@ -322,9 +325,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata) + static void reset_buffer_flags(struct n_tty_data *ldata) + { + ldata->read_head = ldata->canon_head = ldata->read_tail = 0; +- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0; + ldata->commit_head = 0; +- ldata->echo_mark = 0; + ldata->line_start = 0; + + ldata->erasing = 0; +@@ -645,12 +646,19 @@ static size_t __process_echoes(struct tty_struct *tty) + old_space = space = tty_write_room(tty); + + tail = ldata->echo_tail; +- while (ldata->echo_commit != tail) { ++ while (MASK(ldata->echo_commit) != MASK(tail)) { + c = echo_buf(ldata, tail); + if (c == ECHO_OP_START) { + unsigned char op; + int no_space_left = 0; + ++ /* ++ * Since add_echo_byte() is called without holding ++ * output_lock, we might see only portion of multi-byte ++ * operation. ++ */ ++ if (MASK(ldata->echo_commit) == MASK(tail + 1)) ++ goto not_yet_stored; + /* + * If the buffer byte is the start of a multi-byte + * operation, get the next byte, which is either the +@@ -662,6 +670,8 @@ static size_t __process_echoes(struct tty_struct *tty) + unsigned int num_chars, num_bs; + + case ECHO_OP_ERASE_TAB: ++ if (MASK(ldata->echo_commit) == MASK(tail + 2)) ++ goto not_yet_stored; + num_chars = echo_buf(ldata, tail + 2); + + /* +@@ -756,7 +766,8 @@ static size_t __process_echoes(struct tty_struct *tty) + /* If the echo buffer is nearly full (so that the possibility exists + * of echo overrun before the next commit), then discard enough + * data at the tail to prevent a subsequent overrun */ +- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { ++ while (ldata->echo_commit > tail && ++ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { + if (echo_buf(ldata, tail) == ECHO_OP_START) { + if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB) + tail += 3; +@@ -766,6 +777,7 @@ static size_t __process_echoes(struct tty_struct 
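Review bot: The new `MASK(x)` macro duplicates the open-coded `i & (N_TTY_BUF_SIZE - 1)` that `echo_buf()` still uses in this hunk (and that `inq_canon()` keeps in `test_bit(tail & (N_TTY_BUF_SIZE - 1), ...)` in the file's last hunk), so two spellings of the same index wrap now sit side by side. `return ldata->echo_buf[MASK(i)];` would leave a single one. `MASK` is also a very generic name for a file-scope macro; a prefixed name such as `N_TTY_BUF_MASK(x)` is less likely to collide with a header definition. The `smp_rmb()` comment names the pairing barrier in `add_echo_byte()` but not which load it orders against the buffer read; adding that would help anyone auditing the lockless path.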
*tty) + tail++; + } + ++ not_yet_stored: + ldata->echo_tail = tail; + return old_space - space; + } +@@ -776,6 +788,7 @@ static void commit_echoes(struct tty_struct *tty) + size_t nr, old, echoed; + size_t head; + ++ mutex_lock(&ldata->output_lock); + head = ldata->echo_head; + ldata->echo_mark = head; + old = ldata->echo_commit - ldata->echo_tail; +@@ -784,10 +797,12 @@ static void commit_echoes(struct tty_struct *tty) + * is over the threshold (and try again each time another + * block is accumulated) */ + nr = head - ldata->echo_tail; +- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK)) ++ if (nr < ECHO_COMMIT_WATERMARK || ++ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) { ++ mutex_unlock(&ldata->output_lock); + return; ++ } + +- mutex_lock(&ldata->output_lock); + ldata->echo_commit = head; + echoed = __process_echoes(tty); + mutex_unlock(&ldata->output_lock); +@@ -838,7 +853,9 @@ static void flush_echoes(struct tty_struct *tty) + + static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata) + { +- *echo_buf_addr(ldata, ldata->echo_head++) = c; ++ *echo_buf_addr(ldata, ldata->echo_head) = c; ++ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */ ++ ldata->echo_head++; + } + + /** +@@ -1006,14 +1023,15 @@ static void eraser(unsigned char c, struct tty_struct *tty) + } + + seen_alnums = 0; +- while (ldata->read_head != ldata->canon_head) { ++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) { + head = ldata->read_head; + + /* erase a single possibly multibyte character */ + do { + head--; + c = read_buf(ldata, head); +- } while (is_continuation(c, tty) && head != ldata->canon_head); ++ } while (is_continuation(c, tty) && ++ MASK(head) != MASK(ldata->canon_head)); + + /* do not partially erase */ + if (is_continuation(c, tty)) +@@ -1055,7 +1073,7 @@ static void eraser(unsigned char c, struct tty_struct *tty) + * This info is used to go back the correct + * number of columns. 
+ */ +- while (tail != ldata->canon_head) { ++ while (MASK(tail) != MASK(ldata->canon_head)) { + tail--; + c = read_buf(ldata, tail); + if (c == '\t') { +@@ -1332,7 +1350,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c) + finish_erasing(ldata); + echo_char(c, tty); + echo_char_raw('\n', ldata); +- while (tail != ldata->read_head) { ++ while (MASK(tail) != MASK(ldata->read_head)) { + echo_char(read_buf(ldata, tail), tty); + tail++; + } +@@ -1917,31 +1935,22 @@ static int n_tty_open(struct tty_struct *tty) + struct n_tty_data *ldata; + + /* Currently a malloc failure here can panic */ +- ldata = vmalloc(sizeof(*ldata)); ++ ldata = vzalloc(sizeof(*ldata)); + if (!ldata) +- goto err; ++ return -ENOMEM; + + ldata->overrun_time = jiffies; + mutex_init(&ldata->atomic_read_lock); + mutex_init(&ldata->output_lock); + + tty->disc_data = ldata; +- reset_buffer_flags(tty->disc_data); +- ldata->column = 0; +- ldata->canon_column = 0; + ldata->minimum_to_wake = 1; +- ldata->num_overrun = 0; +- ldata->no_room = 0; +- ldata->lnext = 0; + tty->closing = 0; + /* indicate buffer work may resume */ + clear_bit(TTY_LDISC_HALTED, &tty->flags); + n_tty_set_termios(tty, NULL); + tty_unthrottle(tty); +- + return 0; +-err: +- return -ENOMEM; + } + + static inline int input_available_p(struct tty_struct *tty, int poll) +@@ -2479,7 +2488,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata) + tail = ldata->read_tail; + nr = head - tail; + /* Skip EOF-chars.. 
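Review bot: n_tty_open now relies on `vzalloc()` for every field the removed lines used to set (`column`, `canon_column`, `num_overrun`, `no_room`, `lnext`) and for the buffer indices that the dropped `reset_buffer_flags()` call used to clear, but the new code does not say so. If the allocation is ever changed back to a non-zeroing one, the line discipline would start with uninitialised indices and with old heap contents in `echo_buf`, which the echo path could then write to the terminal. A comment at the allocation would pin the requirement, e.g. `/* must be zero-filled: indices, flags and buffers are not initialised below */`. The opening of the function is outside the hunk.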
*/ +- while (head != tail) { ++ while (MASK(head) != MASK(tail)) { + if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && + read_buf(ldata, tail) == __DISABLED_CHAR) + nr--; +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index edd8ef4ee502..7ed30d0b5273 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1698,6 +1698,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */ + .driver_info = SINGLE_RX_URB, + }, ++ { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */ ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ ++ }, + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index e7a051386b32..73835027a7cc 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -91,6 +91,9 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */ + { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */ + { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */ ++ { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */ + { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */ + { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */ + { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */ +@@ -108,6 +111,9 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ + { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ ++ { USB_DEVICE(0x10C4, 0x82EF) }, /* 
CESINEL FALCO 6105 AC Power Supply */ ++ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */ ++ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */ + { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ +@@ -120,7 +126,9 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */ + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ ++ { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */ + { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */ ++ { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */ + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ +@@ -130,17 +138,23 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */ + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ ++ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */ ++ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */ + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ + { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */ + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ ++ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ + { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */ + { 
USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ ++ { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ ++ { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */ ++ { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */ + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ + { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */ +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 8632380d2b94..63aea21e6298 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command) + * greater than cifs socket timeout which is 7 seconds + */ + while (server->tcpStatus == CifsNeedReconnect) { +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? 
*/ + if (server->tcpStatus != CifsNeedReconnect) +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 807e989f436a..5f5ba807b414 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -158,7 +158,7 @@ out: + static int + smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + { +- int rc = 0; ++ int rc; + struct nls_table *nls_codepage; + struct cifs_ses *ses; + struct TCP_Server_Info *server; +@@ -169,10 +169,10 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + * for those three - in the calling routine. + */ + if (tcon == NULL) +- return rc; ++ return 0; + + if (smb2_command == SMB2_TREE_CONNECT) +- return rc; ++ return 0; + + if (tcon->tidStatus == CifsExiting) { + /* +@@ -215,8 +215,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + return -EAGAIN; + } + +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? 
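Review bot: In cifs_reconnect_tcon, `rc` now holds the return value of `wait_event_interruptible_timeout()`, which is positive (remaining jiffies) when the condition became true before the timeout, so `rc` is no longer 0 on the success path of the loop. The matching change in smb2_reconnect (fs/cifs/smb2pdu.c, hunks at -169 and -234) replaces its `return rc` early exits with `return 0`, apparently for this reason. The rest of cifs_reconnect_tcon is outside this hunk, so it should be checked that no later path returns `rc` before it is reassigned. A dedicated local would avoid the question altogether: `long wrc = wait_event_interruptible_timeout(...); if (wrc < 0) ...`.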
*/ + if (server->tcpStatus != CifsNeedReconnect) +@@ -234,7 +240,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + } + + if (!tcon->ses->need_reconnect && !tcon->need_reconnect) +- return rc; ++ return 0; + + nls_codepage = load_nls_default(); + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index c57a94f1c198..092da164bdc0 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -183,7 +183,6 @@ static int ext4_init_block_bitmap(struct super_block *sb, + unsigned int bit, bit_max; + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t start, tmp; +- int flex_bg = 0; + struct ext4_group_info *grp; + + J_ASSERT_BH(bh, buffer_locked(bh)); +@@ -216,22 +215,19 @@ static int ext4_init_block_bitmap(struct super_block *sb, + + start = ext4_group_first_block_no(sb, block_group); + +- if (ext4_has_feature_flex_bg(sb)) +- flex_bg = 1; +- + /* Set bits for block and inode bitmaps, and inode table */ + tmp = ext4_block_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_table(sb, gdp); + for (; tmp < ext4_inode_table(sb, gdp) + + sbi->s_itb_per_group; tmp++) { +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + } + +@@ -454,7 +450,16 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + goto verify; + } + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, 
block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Block bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + err = ext4_init_block_bitmap(sb, bh, block_group, desc); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index c8ad14c697c4..f5d9f82b173a 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1468,11 +1468,6 @@ static inline struct timespec ext4_current_time(struct inode *inode) + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +- ino == EXT4_USR_QUOTA_INO || +- ino == EXT4_GRP_QUOTA_INO || +- ino == EXT4_BOOT_LOADER_INO || +- ino == EXT4_JOURNAL_INO || +- ino == EXT4_RESIZE_INO || + (ino >= EXT4_FIRST_INO(sb) && + ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); + } +diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h +index 3c9381547094..2d8e73793512 100644 +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -103,6 +103,7 @@ struct ext4_extent_header { + }; + + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) ++#define EXT4_MAX_EXTENT_DEPTH 5 + + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ + (sizeof(struct ext4_extent_header) + \ +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 4705c21f9d03..1708597659a1 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -876,6 +876,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", ++ depth); ++ ret = -EFSCORRUPTED; ++ goto err; ++ } + + if (path) { + ext4_ext_drop_refs(path); +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 9fe55b7d4c2c..48d818eba9c3 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -152,7 +152,16 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + } + + ext4_lock_group(sb, 
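Review bot: The new `block_group == 0` branch in ext4_read_block_bitmap_nowait releases the group lock and the buffer lock by hand before `ext4_error()` and `goto out`, and nothing states why group 0 is special; ext4_read_inode_bitmap repeats the pattern (fs/ext4/ialloc.c, hunk at -152). A short comment would make the invariant and the unlock order reviewable, for example `/* bg 0 carries the primary superblock and descriptors, so an UNINIT flag here can only come from a corrupted image */`. The `out` label is outside the hunk, so I cannot confirm from here that `bh` is released on this path.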
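Review bot: ext4_valid_inum keeps its name but now accepts only the root inode and the range from `EXT4_FIRST_INO(sb)` to `s_inodes_count`, so the journal, quota, boot-loader and resize inodes are no longer "valid" to its callers. That narrower contract deserves a comment on the function, e.g. `/* true for the root inode and ordinary inodes only; reserved inodes are rejected */`. The open-coded range test that replaces it in __ext4_get_inode_loc (fs/ext4/inode.c, hunk at -3991) should get a matching line saying that reserved inodes are intentionally allowed there.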
block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Inode bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); +@@ -919,7 +928,8 @@ got: + + /* recheck and clear flag under lock if we still need to */ + ext4_lock_group(sb, group); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, group, gdp)); +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 3006b81c107f..e72f53a89764 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -434,6 +434,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle, + + memset((void *)ext4_raw_inode(&is.iloc)->i_block, + 0, EXT4_MIN_INLINE_DATA_SIZE); ++ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); + + if (ext4_has_feature_extents(inode->i_sb)) { + if (S_ISDIR(inode->i_mode) || +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 30efeb656c1e..b507de0e4bbf 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -380,9 +380,9 @@ static int __check_block_validity(struct inode *inode, const char *func, + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, + map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, +- "lblock %lu mapped to illegal pblock " ++ "lblock %lu mapped to illegal pblock %llu " + "(length %d)", (unsigned long) map->m_lblk, +- map->m_len); ++ map->m_pblk, map->m_len); + return -EFSCORRUPTED; + } + return 0; +@@ -3991,7 +3991,8 @@ static 
int __ext4_get_inode_loc(struct inode *inode, + int inodes_per_block, inode_offset; + + iloc->bh = NULL; +- if (!ext4_valid_inum(sb, inode->i_ino)) ++ if (inode->i_ino < EXT4_ROOT_INO || ++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) + return -EFSCORRUPTED; + + iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index d98ff184d94a..75f79ff29ce0 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2445,7 +2445,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group, + * initialize bb_free to be able to skip + * empty groups without initialization + */ +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + meta_group_info[i]->bb_free = + ext4_free_clusters_after_init(sb, group, desc); + } else { +@@ -2966,7 +2967,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + #endif + ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, + ac->ac_b_ex.fe_len); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 0e0438b5ddbe..49af3c50b263 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2102,6 +2102,7 @@ static int ext4_check_descriptors(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -2134,6 +2135,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if 
(!(sb->s_flags & MS_RDONLY)) + return 0; + } ++ if (block_bitmap >= sb_block + 1 && ++ block_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Block bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; ++ } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u not in group " +@@ -2148,6 +2157,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!(sb->s_flags & MS_RDONLY)) + return 0; + } ++ if (inode_bitmap >= sb_block + 1 && ++ inode_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; ++ } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u not in group " +@@ -2162,6 +2179,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!(sb->s_flags & MS_RDONLY)) + return 0; + } ++ if (inode_table >= sb_block + 1 && ++ inode_table <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode table for group %u overlaps " ++ "block group descriptors", i); ++ if (!(sb->s_flags & MS_RDONLY)) ++ return 0; ++ } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -2842,13 +2867,22 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb) + ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; + struct ext4_group_desc *gdp = NULL; + ++ if (!ext4_has_group_desc_csum(sb)) ++ return ngroups; ++ + for (group = 0; group < ngroups; group++) { + gdp = ext4_get_group_desc(sb, group, NULL); + if (!gdp) + continue; + +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) ++ if (gdp->bg_flags & 
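Review bot: The three overlap checks added to ext4_check_descriptors (this hunk for the block bitmap, and the hunks at -2148 and -2162 for the inode bitmap and inode table) reject the descriptor only on a read-write mount; with `MS_RDONLY` set, the overlap is logged and the loop continues. That matches the neighbouring checks, but it means a read-only mount goes on with metadata that aliases the descriptor blocks, so the choice should be written down, e.g. `/* read-only mounts log the overlap and continue */`, if that is the intent. The three blocks differ only in the variable and the message text, so a small static helper taking both would remove the duplication.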
cpu_to_le16(EXT4_BG_INODE_ZEROED)) ++ continue; ++ if (group != 0) + break; ++ ext4_error(sb, "Inode table for bg 0 marked as " ++ "needing zeroing"); ++ if (sb->s_flags & MS_RDONLY) ++ return ngroups; + } + + return group; +@@ -3451,6 +3485,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + le32_to_cpu(es->s_log_block_size)); + goto failed_mount; + } ++ if (le32_to_cpu(es->s_log_cluster_size) > ++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { ++ ext4_msg(sb, KERN_ERR, ++ "Invalid log cluster size: %u", ++ le32_to_cpu(es->s_log_cluster_size)); ++ goto failed_mount; ++ } + + if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { + ext4_msg(sb, KERN_ERR, +@@ -3515,6 +3556,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } else { + sbi->s_inode_size = le16_to_cpu(es->s_inode_size); + sbi->s_first_ino = le32_to_cpu(es->s_first_ino); ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", ++ sbi->s_first_ino); ++ goto failed_mount; ++ } + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || + (!is_power_of_2(sbi->s_inode_size)) || + (sbi->s_inode_size > blocksize)) { +@@ -3591,13 +3637,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + "block size (%d)", clustersize, blocksize); + goto failed_mount; + } +- if (le32_to_cpu(es->s_log_cluster_size) > +- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { +- ext4_msg(sb, KERN_ERR, +- "Invalid log cluster size: %u", +- le32_to_cpu(es->s_log_cluster_size)); +- goto failed_mount; +- } + sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) - + le32_to_cpu(es->s_log_block_size); + sbi->s_clusters_per_group = +@@ -3618,10 +3657,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } + } else { + if (clustersize != blocksize) { +- ext4_warning(sb, "fragment/cluster size (%d) != " +- "block size (%d)", clustersize, +- 
blocksize); +- clustersize = blocksize; ++ ext4_msg(sb, KERN_ERR, ++ "fragment/cluster size (%d) != " ++ "block size (%d)", clustersize, blocksize); ++ goto failed_mount; + } + if (sbi->s_blocks_per_group > blocksize * 8) { + ext4_msg(sb, KERN_ERR, +@@ -3675,6 +3714,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ext4_blocks_count(es)); + goto failed_mount; + } ++ if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) && ++ (sbi->s_cluster_ratio == 1)) { ++ ext4_msg(sb, KERN_WARNING, "bad geometry: first data " ++ "block is 0 with a 1k block and cluster size"); ++ goto failed_mount; ++ } ++ + blocks_count = (ext4_blocks_count(es) - + le32_to_cpu(es->s_first_data_block) + + EXT4_BLOCKS_PER_GROUP(sb) - 1); +@@ -3710,6 +3756,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ret = -ENOMEM; + goto failed_mount; + } ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != ++ le32_to_cpu(es->s_inodes_count)) { ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", ++ le32_to_cpu(es->s_inodes_count), ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); ++ ret = -EINVAL; ++ goto failed_mount; ++ } + + bgl_lock_init(sbi->s_blockgroup_lock); + +@@ -4388,6 +4442,14 @@ static int ext4_commit_super(struct super_block *sb, int sync) + + if (!sbh || block_device_ejected(sb)) + return error; ++ ++ /* ++ * The superblock bh should be mapped, but it might not be if the ++ * device was hot-removed. Not much we can do but fail the I/O. ++ */ ++ if (!buffer_mapped(sbh)) ++ return error; ++ + if (buffer_write_io_error(sbh)) { + /* + * Oh, dear. 
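Review bot: The "bad geometry" check added to ext4_fill_super (hunk at -3675) fails the mount with `goto failed_mount` but logs at `KERN_WARNING`, whereas the other mount-failing checks added in this file log at `KERN_ERR`. Someone filtering the kernel log by level for rejected images would miss this one, so I would change the call to `ext4_msg(sb, KERN_ERR, "bad geometry: first data "`. The inode-count check in the hunk at -3710 sets `ret = -EINVAL` before the jump while this one does not. What `ret` holds at this point is outside the hunk and should be checked.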
A previous attempt to write the +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index f3a31f55f372..bce343febb9e 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + if (jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata) { + jbd_lock_bh_state(bh); ++ if (jh->b_transaction == transaction && ++ jh->b_jlist != BJ_Metadata) ++ pr_err("JBD2: assertion failure: h_type=%u " ++ "h_line_no=%u block_no=%llu jlist=%u\n", ++ handle->h_type, handle->h_line_no, ++ (unsigned long long) bh->b_blocknr, ++ jh->b_jlist); + J_ASSERT_JH(jh, jh->b_transaction != transaction || + jh->b_jlist == BJ_Metadata); + jbd_unlock_bh_state(bh); +@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + * of the transaction. This needs to be done + * once a transaction -bzzz + */ +- jh->b_modified = 1; + if (handle->h_buffer_credits <= 0) { + ret = -ENOSPC; + goto out_unlock_bh; + } ++ jh->b_modified = 1; + handle->h_buffer_credits--; + } + +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 7fd6f5a26143..e212ec4cfb4e 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -768,6 +768,7 @@ print_graph_entry_leaf(struct trace_iterator *iter, + struct ftrace_graph_ret *graph_ret; + struct ftrace_graph_ent *call; + unsigned long long duration; ++ int cpu = iter->cpu; + int i; + + graph_ret = &ret_entry->ret; +@@ -776,7 +777,6 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + if (data) { + struct fgraph_cpu_data *cpu_data; +- int cpu = iter->cpu; + + cpu_data = per_cpu_ptr(data->cpu_data, cpu); + +@@ -806,6 +806,9 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + trace_seq_printf(s, "%ps();\n", (void *)call->func); + ++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET, ++ cpu, iter->ent->pid, flags); ++ + return 
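Review bot: The new `!buffer_mapped(sbh)` branch in ext4_commit_super says it will "fail the I/O" but returns `error`, whose value at this point is set outside the hunk. If `error` is still its initial value and that is 0, the caller is told the superblock commit succeeded although nothing was written. Either return an explicit code, `return -EIO;`, or reword the comment to say the write is skipped silently, as the `block_device_ejected()` case above it appears to do.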
trace_handle_return(s); + } + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 7294301d8495..a813b03021b7 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2038,6 +2038,7 @@ static void __init gather_bootmem_prealloc(void) + */ + if (hstate_is_gigantic(h)) + adjust_managed_page_count(page, 1 << h->order); ++ cond_resched(); + } + } + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index a4c9cd80c7b6..fd75e27c9b40 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3109,8 +3109,6 @@ retry: + * the allocation is high priority and these type of + * allocations are system rather than user orientated + */ +- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); +- + page = __alloc_pages_high_priority(gfp_mask, order, ac); + + if (page) { +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 9d144cbd4e62..03ebff3950d8 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -980,7 +980,7 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg) + return -EINVAL; + } else { + if (nla_len(nla) != sizeof(u32)) +- return false; ++ return -EINVAL; + val = nla_get_u32(nla); + } + if (type == RTAX_ADVMSS && val > 65535 - 40) +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 2c89f90cd7bc..f94a2e1172f0 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -422,14 +422,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, + rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); + mutex_unlock(&nf_log_mutex); + } else { ++ struct ctl_table tmp = *table; ++ ++ tmp.data = buf; + mutex_lock(&nf_log_mutex); + logger = nft_log_dereference(net->nf.nf_loggers[tindex]); + if (!logger) +- table->data = "NONE"; ++ strlcpy(buf, "NONE", sizeof(buf)); + else +- table->data = logger->name; +- r = proc_dostring(table, write, buffer, lenp, ppos); ++ strlcpy(buf, logger->name, sizeof(buf)); + mutex_unlock(&nf_log_mutex); ++ r = proc_dostring(&tmp, write, buffer, lenp, ppos); + } 
+ + return r; +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c +index f3695a497408..99bc2f87a974 100644 +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -167,7 +167,8 @@ next_rule: + + switch (regs.verdict.code) { + case NFT_JUMP: +- BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE); ++ if (WARN_ON_ONCE(stackptr >= NFT_JUMP_STACK_SIZE)) ++ return NF_DROP; + jumpstack[stackptr].chain = chain; + jumpstack[stackptr].rule = rule; + jumpstack[stackptr].rulenum = rulenum; diff --git a/patch/kernel/mvebu-default/04-patch-4.4.140-141.patch b/patch/kernel/mvebu-default/04-patch-4.4.140-141.patch new file mode 100644 index 0000000000..971434cc04 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.140-141.patch 
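Review bot: In the read branch of nf_log_proc_dostring, `tmp` is a copy of `*table` with only `data` redirected to `buf`, so `tmp.maxlen` still carries whatever the original table entry declares. `buf` is declared outside the hunk, so it is not visible here that its size equals that `maxlen`, or that it is an array, which `sizeof(buf)` in the `strlcpy()` calls requires. Setting the limit explicitly next to the redirect, `tmp.maxlen = sizeof(buf);`, would tie the bound that `proc_dostring()` sees to the buffer actually used. Please confirm this against the declaration.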
@@ -0,0 +1,2838 @@ +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index 4df6bd7d01ed..e60d0b5809c1 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -652,7 +652,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + clearcpuid=BITNUM [X86] + Disable CPUID feature X for the kernel. See +- arch/x86/include/asm/cpufeature.h for the valid bit ++ arch/x86/include/asm/cpufeatures.h for the valid bit + numbers. Note the Linux specific bits are not necessarily + stable over kernel options, but the vendor specific + ones should be. +diff --git a/Makefile b/Makefile +index b842298a5970..3fc39e41dbde 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 140 ++SUBLEVEL = 141 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/mips/mm/ioremap.c b/arch/mips/mm/ioremap.c +index 8d5008cbdc0f..a853a83f2944 100644 +--- a/arch/mips/mm/ioremap.c ++++ b/arch/mips/mm/ioremap.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -97,6 +98,20 @@ static int remap_area_pages(unsigned long address, phys_addr_t phys_addr, + return error; + } + ++static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages, ++ void *arg) ++{ ++ unsigned long i; ++ ++ for (i = 0; i < nr_pages; i++) { ++ if (pfn_valid(start_pfn + i) && ++ !PageReserved(pfn_to_page(start_pfn + i))) ++ return 1; ++ } ++ ++ return 0; ++} ++ + /* + * Generic mapping function (not visible outside): + */ +@@ -115,8 +130,8 @@ static int remap_area_pages(unsigned long address, phys_addr_t phys_addr, + + void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t size, unsigned long flags) + { ++ unsigned long offset, pfn, last_pfn; + struct vm_struct * area; +- unsigned long offset; + phys_addr_t last_addr; + void * addr; + +@@ -136,18 +151,16 @@ void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t 
size, unsigned long + return (void __iomem *) CKSEG1ADDR(phys_addr); + + /* +- * Don't allow anybody to remap normal RAM that we're using.. ++ * Don't allow anybody to remap RAM that may be allocated by the page ++ * allocator, since that could lead to races & data clobbering. + */ +- if (phys_addr < virt_to_phys(high_memory)) { +- char *t_addr, *t_end; +- struct page *page; +- +- t_addr = __va(phys_addr); +- t_end = t_addr + (size - 1); +- +- for(page = virt_to_page(t_addr); page <= virt_to_page(t_end); page++) +- if(!PageReserved(page)) +- return NULL; ++ pfn = PFN_DOWN(phys_addr); ++ last_pfn = PFN_DOWN(last_addr); ++ if (walk_system_ram_range(pfn, last_pfn - pfn + 1, NULL, ++ __ioremap_check_ram) == 1) { ++ WARN_ONCE(1, "ioremap on RAM at %pa - %pa\n", ++ &phys_addr, &last_addr); ++ return NULL; + } + + /* +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index eab1ef25eecd..d9afe6d40550 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -346,6 +346,17 @@ config X86_FEATURE_NAMES + + If in doubt, say Y. + ++config X86_FAST_FEATURE_TESTS ++ bool "Fast CPU feature tests" if EMBEDDED ++ default y ++ ---help--- ++ Some fast-paths in the kernel depend on the capabilities of the CPU. ++ Say Y here for the kernel to patch in the appropriate code at runtime ++ based on the capabilities of the CPU. The infrastructure for patching ++ code at runtime takes up some additional space; space-constrained ++ embedded systems may wish to say N here to produce smaller, slightly ++ slower code. ++ + config X86_X2APIC + bool "Support x2apic" + depends on X86_LOCAL_APIC && X86_64 && (IRQ_REMAP || HYPERVISOR_GUEST) +diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug +index da00fe1f48f4..2aa212fb0faf 100644 +--- a/arch/x86/Kconfig.debug ++++ b/arch/x86/Kconfig.debug +@@ -367,16 +367,6 @@ config DEBUG_IMR_SELFTEST + + If unsure say N here. 
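Review bot: The new RAM check in `__ioremap()` tests `walk_system_ram_range(...) == 1` without saying what the other results mean, so the reader has to find `__ioremap_check_ram()` in the earlier hunk of this file to learn that 1 stands for "a valid, non-reserved page was found". A one-line comment on the helper, `/* Return 1, which ends the walk, if any page in the range is valid and not reserved */`, would make the contract explicit at both places. `WARN_ONCE` logs only the first refused mapping; later callers receive `NULL` with no message, which matters when tracing a driver that keeps failing. `last_addr` is computed outside the hunk, so the `last_pfn - pfn + 1` page count could not be checked against it here.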
+ +-config X86_DEBUG_STATIC_CPU_HAS +- bool "Debug alternatives" +- depends on DEBUG_KERNEL +- ---help--- +- This option causes additional code to be generated which +- fails if static_cpu_has() is used before alternatives have +- run. +- +- If unsure, say N. +- + config X86_DEBUG_FPU + bool "Debug the x86 FPU code" + depends on DEBUG_KERNEL +diff --git a/arch/x86/boot/cpuflags.h b/arch/x86/boot/cpuflags.h +index ea97697e51e4..4cb404fd45ce 100644 +--- a/arch/x86/boot/cpuflags.h ++++ b/arch/x86/boot/cpuflags.h +@@ -1,7 +1,7 @@ + #ifndef BOOT_CPUFLAGS_H + #define BOOT_CPUFLAGS_H + +-#include ++#include + #include + + struct cpu_features { +diff --git a/arch/x86/boot/mkcpustr.c b/arch/x86/boot/mkcpustr.c +index 637097e66a62..f72498dc90d2 100644 +--- a/arch/x86/boot/mkcpustr.c ++++ b/arch/x86/boot/mkcpustr.c +@@ -17,7 +17,7 @@ + + #include "../include/asm/required-features.h" + #include "../include/asm/disabled-features.h" +-#include "../include/asm/cpufeature.h" ++#include "../include/asm/cpufeatures.h" + #include "../kernel/cpu/capflags.c" + + int main(void) +diff --git a/arch/x86/crypto/crc32-pclmul_glue.c b/arch/x86/crypto/crc32-pclmul_glue.c +index 07d2c6c86a54..27226df3f7d8 100644 +--- a/arch/x86/crypto/crc32-pclmul_glue.c ++++ b/arch/x86/crypto/crc32-pclmul_glue.c +@@ -33,7 +33,7 @@ + #include + #include + +-#include ++#include + #include + #include + +diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c +index 15f5c7675d42..715399b14ed7 100644 +--- a/arch/x86/crypto/crc32c-intel_glue.c ++++ b/arch/x86/crypto/crc32c-intel_glue.c +@@ -30,7 +30,7 @@ + #include + #include + +-#include ++#include + #include + #include + +diff --git a/arch/x86/crypto/crct10dif-pclmul_glue.c b/arch/x86/crypto/crct10dif-pclmul_glue.c +index a3fcfc97a311..cd4df9322501 100644 +--- a/arch/x86/crypto/crct10dif-pclmul_glue.c ++++ b/arch/x86/crypto/crct10dif-pclmul_glue.c +@@ -30,7 +30,7 @@ + #include + #include + #include +-#include ++#include + #include + 
+ asmlinkage __u16 crc_t10dif_pcl(__u16 crc, const unsigned char *buf, +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c +index b5eb1cca70a0..071582a3b5c0 100644 +--- a/arch/x86/entry/common.c ++++ b/arch/x86/entry/common.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #define CREATE_TRACE_POINTS + #include +diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S +index d437f3871e53..49a8c9f7a379 100644 +--- a/arch/x86/entry/entry_32.S ++++ b/arch/x86/entry/entry_32.S +@@ -40,7 +40,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c +index a7508d7e20b7..3f9d1a83891a 100644 +--- a/arch/x86/entry/vdso/vdso32-setup.c ++++ b/arch/x86/entry/vdso/vdso32-setup.c +@@ -11,7 +11,6 @@ + #include + #include + +-#include + #include + #include + +diff --git a/arch/x86/entry/vdso/vdso32/system_call.S b/arch/x86/entry/vdso/vdso32/system_call.S +index 3a1d9297074b..0109ac6cb79c 100644 +--- a/arch/x86/entry/vdso/vdso32/system_call.S ++++ b/arch/x86/entry/vdso/vdso32/system_call.S +@@ -3,7 +3,7 @@ + */ + + #include +-#include ++#include + #include + + /* +diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c +index b8f69e264ac4..6b46648588d8 100644 +--- a/arch/x86/entry/vdso/vma.c ++++ b/arch/x86/entry/vdso/vma.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #if defined(CONFIG_X86_64) + unsigned int __read_mostly vdso64_enabled = 1; +@@ -254,7 +255,7 @@ static void vgetcpu_cpu_init(void *arg) + #ifdef CONFIG_NUMA + node = cpu_to_node(cpu); + #endif +- if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP)) ++ if (static_cpu_has(X86_FEATURE_RDTSCP)) + write_rdtscp_aux((node << 12) | cpu); + + /* +diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h +index 215ea9214215..002fcd901f07 100644 +--- a/arch/x86/include/asm/alternative.h ++++ 
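Review bot: In `vgetcpu_cpu_init()` the RDTSCP test changes from `cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP)`, which inspects the CPU being initialised, to `static_cpu_has(X86_FEATURE_RDTSCP)`, which, judging by the `boot_cpu_data.x86_capability` operand of `_static_cpu_has()` later in this patch, reflects the boot CPU only. That is equivalent as long as every CPU reports the same feature set, but the assumption is not written down; a comment before the `write_rdtscp_aux()` call such as `/* feature bits are assumed identical on all CPUs; static_cpu_has() tests the boot CPU */` would record it. The function starts and ends outside the hunk.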
b/arch/x86/include/asm/alternative.h +@@ -153,12 +153,6 @@ static inline int alternatives_text_reserved(void *start, void *end) + ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \ + ".popsection\n" + +-/* +- * This must be included *after* the definition of ALTERNATIVE due to +- * +- */ +-#include +- + /* + * Alternative instructions for different CPU types or capabilities. + * +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h +index 163769d82475..fd810a57ab1b 100644 +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -6,7 +6,6 @@ + + #include + #include +-#include + #include + #include + #include +diff --git a/arch/x86/include/asm/arch_hweight.h b/arch/x86/include/asm/arch_hweight.h +index 44f825c80ed5..e7cd63175de4 100644 +--- a/arch/x86/include/asm/arch_hweight.h ++++ b/arch/x86/include/asm/arch_hweight.h +@@ -1,6 +1,8 @@ + #ifndef _ASM_X86_HWEIGHT_H + #define _ASM_X86_HWEIGHT_H + ++#include ++ + #ifdef CONFIG_64BIT + /* popcnt %edi, %eax */ + #define POPCNT32 ".byte 0xf3,0x0f,0xb8,0xc7" +diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h +index ae5fb83e6d91..3e8674288198 100644 +--- a/arch/x86/include/asm/atomic.h ++++ b/arch/x86/include/asm/atomic.h +@@ -3,7 +3,6 @@ + + #include + #include +-#include + #include + #include + #include +diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h +index a11c30b77fb5..a984111135b1 100644 +--- a/arch/x86/include/asm/atomic64_32.h ++++ b/arch/x86/include/asm/atomic64_32.h +@@ -3,7 +3,6 @@ + + #include + #include +-#include + //#include + + /* An 64bit atomic type */ +diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h +index ad19841eddfe..9733361fed6f 100644 +--- a/arch/x86/include/asm/cmpxchg.h ++++ b/arch/x86/include/asm/cmpxchg.h +@@ -2,6 +2,7 @@ + #define ASM_X86_CMPXCHG_H + + #include ++#include + #include /* Provides LOCK_PREFIX */ + + /* +diff --git a/arch/x86/include/asm/cpufeature.h 
b/arch/x86/include/asm/cpufeature.h +index 232621c5e859..dd0089841a0f 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -1,294 +1,35 @@ +-/* +- * Defines x86 CPU feature bits +- */ + #ifndef _ASM_X86_CPUFEATURE_H + #define _ASM_X86_CPUFEATURE_H + +-#ifndef _ASM_X86_REQUIRED_FEATURES_H +-#include +-#endif +- +-#ifndef _ASM_X86_DISABLED_FEATURES_H +-#include +-#endif +- +-#define NCAPINTS 14 /* N 32-bit words worth of info */ +-#define NBUGINTS 1 /* N 32-bit bug flags */ +- +-/* +- * Note: If the comment begins with a quoted string, that string is used +- * in /proc/cpuinfo instead of the macro name. If the string is "", +- * this feature bit is not displayed in /proc/cpuinfo at all. +- */ +- +-/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */ +-#define X86_FEATURE_FPU ( 0*32+ 0) /* Onboard FPU */ +-#define X86_FEATURE_VME ( 0*32+ 1) /* Virtual Mode Extensions */ +-#define X86_FEATURE_DE ( 0*32+ 2) /* Debugging Extensions */ +-#define X86_FEATURE_PSE ( 0*32+ 3) /* Page Size Extensions */ +-#define X86_FEATURE_TSC ( 0*32+ 4) /* Time Stamp Counter */ +-#define X86_FEATURE_MSR ( 0*32+ 5) /* Model-Specific Registers */ +-#define X86_FEATURE_PAE ( 0*32+ 6) /* Physical Address Extensions */ +-#define X86_FEATURE_MCE ( 0*32+ 7) /* Machine Check Exception */ +-#define X86_FEATURE_CX8 ( 0*32+ 8) /* CMPXCHG8 instruction */ +-#define X86_FEATURE_APIC ( 0*32+ 9) /* Onboard APIC */ +-#define X86_FEATURE_SEP ( 0*32+11) /* SYSENTER/SYSEXIT */ +-#define X86_FEATURE_MTRR ( 0*32+12) /* Memory Type Range Registers */ +-#define X86_FEATURE_PGE ( 0*32+13) /* Page Global Enable */ +-#define X86_FEATURE_MCA ( 0*32+14) /* Machine Check Architecture */ +-#define X86_FEATURE_CMOV ( 0*32+15) /* CMOV instructions */ +- /* (plus FCMOVcc, FCOMI with FPU) */ +-#define X86_FEATURE_PAT ( 0*32+16) /* Page Attribute Table */ +-#define X86_FEATURE_PSE36 ( 0*32+17) /* 36-bit PSEs */ +-#define X86_FEATURE_PN ( 0*32+18) /* Processor serial 
number */ +-#define X86_FEATURE_CLFLUSH ( 0*32+19) /* CLFLUSH instruction */ +-#define X86_FEATURE_DS ( 0*32+21) /* "dts" Debug Store */ +-#define X86_FEATURE_ACPI ( 0*32+22) /* ACPI via MSR */ +-#define X86_FEATURE_MMX ( 0*32+23) /* Multimedia Extensions */ +-#define X86_FEATURE_FXSR ( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */ +-#define X86_FEATURE_XMM ( 0*32+25) /* "sse" */ +-#define X86_FEATURE_XMM2 ( 0*32+26) /* "sse2" */ +-#define X86_FEATURE_SELFSNOOP ( 0*32+27) /* "ss" CPU self snoop */ +-#define X86_FEATURE_HT ( 0*32+28) /* Hyper-Threading */ +-#define X86_FEATURE_ACC ( 0*32+29) /* "tm" Automatic clock control */ +-#define X86_FEATURE_IA64 ( 0*32+30) /* IA-64 processor */ +-#define X86_FEATURE_PBE ( 0*32+31) /* Pending Break Enable */ +- +-/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */ +-/* Don't duplicate feature flags which are redundant with Intel! */ +-#define X86_FEATURE_SYSCALL ( 1*32+11) /* SYSCALL/SYSRET */ +-#define X86_FEATURE_MP ( 1*32+19) /* MP Capable. */ +-#define X86_FEATURE_NX ( 1*32+20) /* Execute Disable */ +-#define X86_FEATURE_MMXEXT ( 1*32+22) /* AMD MMX extensions */ +-#define X86_FEATURE_FXSR_OPT ( 1*32+25) /* FXSAVE/FXRSTOR optimizations */ +-#define X86_FEATURE_GBPAGES ( 1*32+26) /* "pdpe1gb" GB pages */ +-#define X86_FEATURE_RDTSCP ( 1*32+27) /* RDTSCP */ +-#define X86_FEATURE_LM ( 1*32+29) /* Long Mode (x86-64) */ +-#define X86_FEATURE_3DNOWEXT ( 1*32+30) /* AMD 3DNow! extensions */ +-#define X86_FEATURE_3DNOW ( 1*32+31) /* 3DNow! 
*/ +- +-/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */ +-#define X86_FEATURE_RECOVERY ( 2*32+ 0) /* CPU in recovery mode */ +-#define X86_FEATURE_LONGRUN ( 2*32+ 1) /* Longrun power control */ +-#define X86_FEATURE_LRTI ( 2*32+ 3) /* LongRun table interface */ +- +-/* Other features, Linux-defined mapping, word 3 */ +-/* This range is used for feature bits which conflict or are synthesized */ +-#define X86_FEATURE_CXMMX ( 3*32+ 0) /* Cyrix MMX extensions */ +-#define X86_FEATURE_K6_MTRR ( 3*32+ 1) /* AMD K6 nonstandard MTRRs */ +-#define X86_FEATURE_CYRIX_ARR ( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */ +-#define X86_FEATURE_CENTAUR_MCR ( 3*32+ 3) /* Centaur MCRs (= MTRRs) */ +-/* cpu types for specific tunings: */ +-#define X86_FEATURE_K8 ( 3*32+ 4) /* "" Opteron, Athlon64 */ +-#define X86_FEATURE_K7 ( 3*32+ 5) /* "" Athlon */ +-#define X86_FEATURE_P3 ( 3*32+ 6) /* "" P3 */ +-#define X86_FEATURE_P4 ( 3*32+ 7) /* "" P4 */ +-#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */ +-#define X86_FEATURE_UP ( 3*32+ 9) /* smp kernel running on up */ +-/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */ +-#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */ +-#define X86_FEATURE_PEBS ( 3*32+12) /* Precise-Event Based Sampling */ +-#define X86_FEATURE_BTS ( 3*32+13) /* Branch Trace Store */ +-#define X86_FEATURE_SYSCALL32 ( 3*32+14) /* "" syscall in ia32 userspace */ +-#define X86_FEATURE_SYSENTER32 ( 3*32+15) /* "" sysenter in ia32 userspace */ +-#define X86_FEATURE_REP_GOOD ( 3*32+16) /* rep microcode works well */ +-#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */ +-#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */ +-/* free, was #define X86_FEATURE_11AP ( 3*32+19) * "" Bad local APIC aka 11AP */ +-#define X86_FEATURE_NOPL ( 3*32+20) /* The NOPL (0F 1F) instructions */ +-#define X86_FEATURE_ALWAYS ( 3*32+21) /* 
"" Always-present feature */ +-#define X86_FEATURE_XTOPOLOGY ( 3*32+22) /* cpu topology enum extensions */ +-#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */ +-#define X86_FEATURE_NONSTOP_TSC ( 3*32+24) /* TSC does not stop in C states */ +-/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */ +-#define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */ +-#define X86_FEATURE_AMD_DCM ( 3*32+27) /* multi-node processor */ +-#define X86_FEATURE_APERFMPERF ( 3*32+28) /* APERFMPERF */ +-/* free, was #define X86_FEATURE_EAGER_FPU ( 3*32+29) * "eagerfpu" Non lazy FPU restore */ +-#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */ +- +-/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ +-#define X86_FEATURE_XMM3 ( 4*32+ 0) /* "pni" SSE-3 */ +-#define X86_FEATURE_PCLMULQDQ ( 4*32+ 1) /* PCLMULQDQ instruction */ +-#define X86_FEATURE_DTES64 ( 4*32+ 2) /* 64-bit Debug Store */ +-#define X86_FEATURE_MWAIT ( 4*32+ 3) /* "monitor" Monitor/Mwait support */ +-#define X86_FEATURE_DSCPL ( 4*32+ 4) /* "ds_cpl" CPL Qual. 
Debug Store */ +-#define X86_FEATURE_VMX ( 4*32+ 5) /* Hardware virtualization */ +-#define X86_FEATURE_SMX ( 4*32+ 6) /* Safer mode */ +-#define X86_FEATURE_EST ( 4*32+ 7) /* Enhanced SpeedStep */ +-#define X86_FEATURE_TM2 ( 4*32+ 8) /* Thermal Monitor 2 */ +-#define X86_FEATURE_SSSE3 ( 4*32+ 9) /* Supplemental SSE-3 */ +-#define X86_FEATURE_CID ( 4*32+10) /* Context ID */ +-#define X86_FEATURE_SDBG ( 4*32+11) /* Silicon Debug */ +-#define X86_FEATURE_FMA ( 4*32+12) /* Fused multiply-add */ +-#define X86_FEATURE_CX16 ( 4*32+13) /* CMPXCHG16B */ +-#define X86_FEATURE_XTPR ( 4*32+14) /* Send Task Priority Messages */ +-#define X86_FEATURE_PDCM ( 4*32+15) /* Performance Capabilities */ +-#define X86_FEATURE_PCID ( 4*32+17) /* Process Context Identifiers */ +-#define X86_FEATURE_DCA ( 4*32+18) /* Direct Cache Access */ +-#define X86_FEATURE_XMM4_1 ( 4*32+19) /* "sse4_1" SSE-4.1 */ +-#define X86_FEATURE_XMM4_2 ( 4*32+20) /* "sse4_2" SSE-4.2 */ +-#define X86_FEATURE_X2APIC ( 4*32+21) /* x2APIC */ +-#define X86_FEATURE_MOVBE ( 4*32+22) /* MOVBE instruction */ +-#define X86_FEATURE_POPCNT ( 4*32+23) /* POPCNT instruction */ +-#define X86_FEATURE_TSC_DEADLINE_TIMER ( 4*32+24) /* Tsc deadline timer */ +-#define X86_FEATURE_AES ( 4*32+25) /* AES instructions */ +-#define X86_FEATURE_XSAVE ( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */ +-#define X86_FEATURE_OSXSAVE ( 4*32+27) /* "" XSAVE enabled in the OS */ +-#define X86_FEATURE_AVX ( 4*32+28) /* Advanced Vector Extensions */ +-#define X86_FEATURE_F16C ( 4*32+29) /* 16-bit fp conversions */ +-#define X86_FEATURE_RDRAND ( 4*32+30) /* The RDRAND instruction */ +-#define X86_FEATURE_HYPERVISOR ( 4*32+31) /* Running on a hypervisor */ +- +-/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */ +-#define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */ +-#define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */ +-#define X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */ 
+-#define X86_FEATURE_XCRYPT_EN ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */ +-#define X86_FEATURE_ACE2 ( 5*32+ 8) /* Advanced Cryptography Engine v2 */ +-#define X86_FEATURE_ACE2_EN ( 5*32+ 9) /* ACE v2 enabled */ +-#define X86_FEATURE_PHE ( 5*32+10) /* PadLock Hash Engine */ +-#define X86_FEATURE_PHE_EN ( 5*32+11) /* PHE enabled */ +-#define X86_FEATURE_PMM ( 5*32+12) /* PadLock Montgomery Multiplier */ +-#define X86_FEATURE_PMM_EN ( 5*32+13) /* PMM enabled */ +- +-/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */ +-#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* LAHF/SAHF in long mode */ +-#define X86_FEATURE_CMP_LEGACY ( 6*32+ 1) /* If yes HyperThreading not valid */ +-#define X86_FEATURE_SVM ( 6*32+ 2) /* Secure virtual machine */ +-#define X86_FEATURE_EXTAPIC ( 6*32+ 3) /* Extended APIC space */ +-#define X86_FEATURE_CR8_LEGACY ( 6*32+ 4) /* CR8 in 32-bit mode */ +-#define X86_FEATURE_ABM ( 6*32+ 5) /* Advanced bit manipulation */ +-#define X86_FEATURE_SSE4A ( 6*32+ 6) /* SSE-4A */ +-#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */ +-#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */ +-#define X86_FEATURE_OSVW ( 6*32+ 9) /* OS Visible Workaround */ +-#define X86_FEATURE_IBS ( 6*32+10) /* Instruction Based Sampling */ +-#define X86_FEATURE_XOP ( 6*32+11) /* extended AVX instructions */ +-#define X86_FEATURE_SKINIT ( 6*32+12) /* SKINIT/STGI instructions */ +-#define X86_FEATURE_WDT ( 6*32+13) /* Watchdog timer */ +-#define X86_FEATURE_LWP ( 6*32+15) /* Light Weight Profiling */ +-#define X86_FEATURE_FMA4 ( 6*32+16) /* 4 operands MAC instructions */ +-#define X86_FEATURE_TCE ( 6*32+17) /* translation cache extension */ +-#define X86_FEATURE_NODEID_MSR ( 6*32+19) /* NodeId MSR */ +-#define X86_FEATURE_TBM ( 6*32+21) /* trailing bit manipulations */ +-#define X86_FEATURE_TOPOEXT ( 6*32+22) /* topology extensions CPUID leafs */ +-#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter 
extensions */ +-#define X86_FEATURE_PERFCTR_NB ( 6*32+24) /* NB performance counter extensions */ +-#define X86_FEATURE_BPEXT (6*32+26) /* data breakpoint extension */ +-#define X86_FEATURE_PERFCTR_L2 ( 6*32+28) /* L2 performance counter extensions */ +-#define X86_FEATURE_MWAITX ( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */ +- +-/* +- * Auxiliary flags: Linux defined - For features scattered in various +- * CPUID levels like 0x6, 0xA etc, word 7 +- */ +-#define X86_FEATURE_IDA ( 7*32+ 0) /* Intel Dynamic Acceleration */ +-#define X86_FEATURE_ARAT ( 7*32+ 1) /* Always Running APIC Timer */ +-#define X86_FEATURE_CPB ( 7*32+ 2) /* AMD Core Performance Boost */ +-#define X86_FEATURE_EPB ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */ +-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */ +-#define X86_FEATURE_PLN ( 7*32+ 5) /* Intel Power Limit Notification */ +-#define X86_FEATURE_PTS ( 7*32+ 6) /* Intel Package Thermal Status */ +-#define X86_FEATURE_DTHERM ( 7*32+ 7) /* Digital Thermal Sensor */ +-#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ +-#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ +-#define X86_FEATURE_HWP ( 7*32+ 10) /* "hwp" Intel HWP */ +-#define X86_FEATURE_HWP_NOTIFY ( 7*32+ 11) /* Intel HWP_NOTIFY */ +-#define X86_FEATURE_HWP_ACT_WINDOW ( 7*32+ 12) /* Intel HWP_ACT_WINDOW */ +-#define X86_FEATURE_HWP_EPP ( 7*32+13) /* Intel HWP_EPP */ +-#define X86_FEATURE_HWP_PKG_REQ ( 7*32+14) /* Intel HWP_PKG_REQ */ +-#define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ +-#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */ +- +-#define X86_FEATURE_RETPOLINE ( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */ +-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... 
*/ +-#define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */ +- +-/* Virtualization flags: Linux defined, word 8 */ +-#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ +-#define X86_FEATURE_VNMI ( 8*32+ 1) /* Intel Virtual NMI */ +-#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */ +-#define X86_FEATURE_EPT ( 8*32+ 3) /* Intel Extended Page Table */ +-#define X86_FEATURE_VPID ( 8*32+ 4) /* Intel Virtual Processor ID */ +-#define X86_FEATURE_NPT ( 8*32+ 5) /* AMD Nested Page Table support */ +-#define X86_FEATURE_LBRV ( 8*32+ 6) /* AMD LBR Virtualization support */ +-#define X86_FEATURE_SVML ( 8*32+ 7) /* "svm_lock" AMD SVM locking MSR */ +-#define X86_FEATURE_NRIPS ( 8*32+ 8) /* "nrip_save" AMD SVM next_rip save */ +-#define X86_FEATURE_TSCRATEMSR ( 8*32+ 9) /* "tsc_scale" AMD TSC scaling support */ +-#define X86_FEATURE_VMCBCLEAN ( 8*32+10) /* "vmcb_clean" AMD VMCB clean bits support */ +-#define X86_FEATURE_FLUSHBYASID ( 8*32+11) /* AMD flush-by-ASID support */ +-#define X86_FEATURE_DECODEASSISTS ( 8*32+12) /* AMD Decode Assists support */ +-#define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */ +-#define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */ +-#define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */ +-#define X86_FEATURE_XENPV ( 8*32+16) /* "" Xen paravirtual guest */ +- +- +-/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ +-#define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ +-#define X86_FEATURE_TSC_ADJUST ( 9*32+ 1) /* TSC adjustment MSR 0x3b */ +-#define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */ +-#define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */ +-#define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */ +-#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */ +-#define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit 
manipulation extensions */ +-#define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */ +-#define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */ +-#define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */ +-#define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */ +-#define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */ +-#define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */ +-#define X86_FEATURE_RDSEED ( 9*32+18) /* The RDSEED instruction */ +-#define X86_FEATURE_ADX ( 9*32+19) /* The ADCX and ADOX instructions */ +-#define X86_FEATURE_SMAP ( 9*32+20) /* Supervisor Mode Access Prevention */ +-#define X86_FEATURE_PCOMMIT ( 9*32+22) /* PCOMMIT instruction */ +-#define X86_FEATURE_CLFLUSHOPT ( 9*32+23) /* CLFLUSHOPT instruction */ +-#define X86_FEATURE_CLWB ( 9*32+24) /* CLWB instruction */ +-#define X86_FEATURE_AVX512PF ( 9*32+26) /* AVX-512 Prefetch */ +-#define X86_FEATURE_AVX512ER ( 9*32+27) /* AVX-512 Exponential and Reciprocal */ +-#define X86_FEATURE_AVX512CD ( 9*32+28) /* AVX-512 Conflict Detection */ +-#define X86_FEATURE_SHA_NI ( 9*32+29) /* SHA1/SHA256 Instruction Extensions */ +- +-/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */ +-#define X86_FEATURE_XSAVEOPT (10*32+ 0) /* XSAVEOPT */ +-#define X86_FEATURE_XSAVEC (10*32+ 1) /* XSAVEC */ +-#define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 */ +-#define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS */ +- +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */ +-#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ +- +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */ +-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */ +- +-/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */ +-#define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */ +- +-/* +- * BUG word(s) +- */ +-#define X86_BUG(x) 
(NCAPINTS*32 + (x)) +- +-#define X86_BUG_F00F X86_BUG(0) /* Intel F00F */ +-#define X86_BUG_FDIV X86_BUG(1) /* FPU FDIV */ +-#define X86_BUG_COMA X86_BUG(2) /* Cyrix 6x86 coma */ +-#define X86_BUG_AMD_TLB_MMATCH X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */ +-#define X86_BUG_AMD_APIC_C1E X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */ +-#define X86_BUG_11AP X86_BUG(5) /* Bad local APIC aka 11AP */ +-#define X86_BUG_FXSAVE_LEAK X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */ +-#define X86_BUG_CLFLUSH_MONITOR X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */ +-#define X86_BUG_SYSRET_SS_ATTRS X86_BUG(8) /* SYSRET doesn't fix up SS attrs */ +-#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ +-#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ +-#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ ++#include + + #if defined(__KERNEL__) && !defined(__ASSEMBLY__) + + #include + #include + ++enum cpuid_leafs ++{ ++ CPUID_1_EDX = 0, ++ CPUID_8000_0001_EDX, ++ CPUID_8086_0001_EDX, ++ CPUID_LNX_1, ++ CPUID_1_ECX, ++ CPUID_C000_0001_EDX, ++ CPUID_8000_0001_ECX, ++ CPUID_LNX_2, ++ CPUID_LNX_3, ++ CPUID_7_0_EBX, ++ CPUID_D_1_EAX, ++ CPUID_F_0_EDX, ++ CPUID_F_1_EDX, ++ CPUID_8000_0008_EBX, ++ CPUID_6_EAX, ++ CPUID_8000_000A_EDX, ++ CPUID_7_ECX, ++ CPUID_8000_0007_EBX, ++}; ++ + #ifdef CONFIG_X86_FEATURE_NAMES + extern const char * const x86_cap_flags[NCAPINTS*32]; + extern const char * const x86_power_flags[32]; +@@ -308,29 +49,59 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + #define test_cpu_cap(c, bit) \ + test_bit(bit, (unsigned long *)((c)->x86_capability)) + +-#define REQUIRED_MASK_BIT_SET(bit) \ +- ( (((bit)>>5)==0 && (1UL<<((bit)&31) & REQUIRED_MASK0)) || \ +- (((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK1)) || \ +- (((bit)>>5)==2 && (1UL<<((bit)&31) & REQUIRED_MASK2)) 
|| \ +- (((bit)>>5)==3 && (1UL<<((bit)&31) & REQUIRED_MASK3)) || \ +- (((bit)>>5)==4 && (1UL<<((bit)&31) & REQUIRED_MASK4)) || \ +- (((bit)>>5)==5 && (1UL<<((bit)&31) & REQUIRED_MASK5)) || \ +- (((bit)>>5)==6 && (1UL<<((bit)&31) & REQUIRED_MASK6)) || \ +- (((bit)>>5)==7 && (1UL<<((bit)&31) & REQUIRED_MASK7)) || \ +- (((bit)>>5)==8 && (1UL<<((bit)&31) & REQUIRED_MASK8)) || \ +- (((bit)>>5)==9 && (1UL<<((bit)&31) & REQUIRED_MASK9)) ) +- +-#define DISABLED_MASK_BIT_SET(bit) \ +- ( (((bit)>>5)==0 && (1UL<<((bit)&31) & DISABLED_MASK0)) || \ +- (((bit)>>5)==1 && (1UL<<((bit)&31) & DISABLED_MASK1)) || \ +- (((bit)>>5)==2 && (1UL<<((bit)&31) & DISABLED_MASK2)) || \ +- (((bit)>>5)==3 && (1UL<<((bit)&31) & DISABLED_MASK3)) || \ +- (((bit)>>5)==4 && (1UL<<((bit)&31) & DISABLED_MASK4)) || \ +- (((bit)>>5)==5 && (1UL<<((bit)&31) & DISABLED_MASK5)) || \ +- (((bit)>>5)==6 && (1UL<<((bit)&31) & DISABLED_MASK6)) || \ +- (((bit)>>5)==7 && (1UL<<((bit)&31) & DISABLED_MASK7)) || \ +- (((bit)>>5)==8 && (1UL<<((bit)&31) & DISABLED_MASK8)) || \ +- (((bit)>>5)==9 && (1UL<<((bit)&31) & DISABLED_MASK9)) ) ++/* ++ * There are 32 bits/features in each mask word. The high bits ++ * (selected with (bit>>5) give us the word number and the low 5 ++ * bits give us the bit/feature number inside the word. ++ * (1UL<<((bit)&31) gives us a mask for the feature_bit so we can ++ * see if it is set in the mask word. 
++ */ ++#define CHECK_BIT_IN_MASK_WORD(maskname, word, bit) \ ++ (((bit)>>5)==(word) && (1UL<<((bit)&31) & maskname##word )) ++ ++#define REQUIRED_MASK_BIT_SET(feature_bit) \ ++ ( CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 0, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 1, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 2, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 3, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 4, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 5, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 6, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 7, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 8, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 9, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 10, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 11, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 12, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 13, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 14, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) || \ ++ REQUIRED_MASK_CHECK || \ ++ BUILD_BUG_ON_ZERO(NCAPINTS != 18)) ++ ++#define DISABLED_MASK_BIT_SET(feature_bit) \ ++ ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 1, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 2, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 3, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 4, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 5, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 6, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 7, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 8, feature_bit) || \ ++ 
CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 9, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 10, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 11, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 12, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 13, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 14, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) || \ ++ DISABLED_MASK_CHECK || \ ++ BUILD_BUG_ON_ZERO(NCAPINTS != 18)) + + #define cpu_has(c, bit) \ + (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \ +@@ -349,8 +120,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + * is not relevant. + */ + #define cpu_feature_enabled(bit) \ +- (__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 : \ +- cpu_has(&boot_cpu_data, bit)) ++ (__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 : static_cpu_has(bit)) + + #define boot_cpu_has(bit) cpu_has(&boot_cpu_data, bit) + +@@ -388,106 +158,19 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + #define cpu_has_osxsave boot_cpu_has(X86_FEATURE_OSXSAVE) + #define cpu_has_hypervisor boot_cpu_has(X86_FEATURE_HYPERVISOR) + /* +- * Do not add any more of those clumsy macros - use static_cpu_has_safe() for ++ * Do not add any more of those clumsy macros - use static_cpu_has() for + * fast paths and boot_cpu_has() otherwise! + */ + +-#if __GNUC__ >= 4 +-extern void warn_pre_alternatives(void); +-extern bool __static_cpu_has_safe(u16 bit); +- ++#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS) + /* + * Static testing of CPU features. Used the same as boot_cpu_has(). +- * These are only valid after alternatives have run, but will statically +- * patch the target code for additional performance. 
++ * These will statically patch the target code for additional ++ * performance. + */ +-static __always_inline __pure bool __static_cpu_has(u16 bit) +-{ +-#ifdef CC_HAVE_ASM_GOTO +- +-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS +- +- /* +- * Catch too early usage of this before alternatives +- * have run. +- */ +- asm_volatile_goto("1: jmp %l[t_warn]\n" +- "2:\n" +- ".section .altinstructions,\"a\"\n" +- " .long 1b - .\n" +- " .long 0\n" /* no replacement */ +- " .word %P0\n" /* 1: do replace */ +- " .byte 2b - 1b\n" /* source len */ +- " .byte 0\n" /* replacement len */ +- " .byte 0\n" /* pad len */ +- ".previous\n" +- /* skipping size check since replacement size = 0 */ +- : : "i" (X86_FEATURE_ALWAYS) : : t_warn); +- +-#endif +- +- asm_volatile_goto("1: jmp %l[t_no]\n" +- "2:\n" +- ".section .altinstructions,\"a\"\n" +- " .long 1b - .\n" +- " .long 0\n" /* no replacement */ +- " .word %P0\n" /* feature bit */ +- " .byte 2b - 1b\n" /* source len */ +- " .byte 0\n" /* replacement len */ +- " .byte 0\n" /* pad len */ +- ".previous\n" +- /* skipping size check since replacement size = 0 */ +- : : "i" (bit) : : t_no); +- return true; +- t_no: +- return false; +- +-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS +- t_warn: +- warn_pre_alternatives(); +- return false; +-#endif +- +-#else /* CC_HAVE_ASM_GOTO */ +- +- u8 flag; +- /* Open-coded due to __stringify() in ALTERNATIVE() */ +- asm volatile("1: movb $0,%0\n" +- "2:\n" +- ".section .altinstructions,\"a\"\n" +- " .long 1b - .\n" +- " .long 3f - .\n" +- " .word %P1\n" /* feature bit */ +- " .byte 2b - 1b\n" /* source len */ +- " .byte 4f - 3f\n" /* replacement len */ +- " .byte 0\n" /* pad len */ +- ".previous\n" +- ".section .discard,\"aw\",@progbits\n" +- " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ +- ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" +- "3: movb $1,%0\n" +- "4:\n" +- ".previous\n" +- : "=qm" (flag) : "i" (bit)); +- return flag; +- +-#endif /* CC_HAVE_ASM_GOTO */ +-} +- +-#define 
static_cpu_has(bit) \ +-( \ +- __builtin_constant_p(boot_cpu_has(bit)) ? \ +- boot_cpu_has(bit) : \ +- __builtin_constant_p(bit) ? \ +- __static_cpu_has(bit) : \ +- boot_cpu_has(bit) \ +-) +- +-static __always_inline __pure bool _static_cpu_has_safe(u16 bit) ++static __always_inline __pure bool _static_cpu_has(u16 bit) + { +-#ifdef CC_HAVE_ASM_GOTO +- asm_volatile_goto("1: jmp %l[t_dynamic]\n" ++ asm_volatile_goto("1: jmp 6f\n" + "2:\n" + ".skip -(((5f-4f) - (2b-1b)) > 0) * " + "((5f-4f) - (2b-1b)),0x90\n" +@@ -512,66 +195,34 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + " .byte 0\n" /* repl len */ + " .byte 0\n" /* pad len */ + ".previous\n" +- : : "i" (bit), "i" (X86_FEATURE_ALWAYS) +- : : t_dynamic, t_no); ++ ".section .altinstr_aux,\"ax\"\n" ++ "6:\n" ++ " testb %[bitnum],%[cap_byte]\n" ++ " jnz %l[t_yes]\n" ++ " jmp %l[t_no]\n" ++ ".previous\n" ++ : : "i" (bit), "i" (X86_FEATURE_ALWAYS), ++ [bitnum] "i" (1 << (bit & 7)), ++ [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ++ : : t_yes, t_no); ++ t_yes: + return true; + t_no: + return false; +- t_dynamic: +- return __static_cpu_has_safe(bit); +-#else +- u8 flag; +- /* Open-coded due to __stringify() in ALTERNATIVE() */ +- asm volatile("1: movb $2,%0\n" +- "2:\n" +- ".section .altinstructions,\"a\"\n" +- " .long 1b - .\n" /* src offset */ +- " .long 3f - .\n" /* repl offset */ +- " .word %P2\n" /* always replace */ +- " .byte 2b - 1b\n" /* source len */ +- " .byte 4f - 3f\n" /* replacement len */ +- " .byte 0\n" /* pad len */ +- ".previous\n" +- ".section .discard,\"aw\",@progbits\n" +- " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ +- ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" +- "3: movb $0,%0\n" +- "4:\n" +- ".previous\n" +- ".section .altinstructions,\"a\"\n" +- " .long 1b - .\n" /* src offset */ +- " .long 5f - .\n" /* repl offset */ +- " .word %P1\n" /* feature bit */ +- " .byte 4b - 3b\n" /* src len */ +- " .byte 6f - 5f\n" /* repl len 
*/ +- " .byte 0\n" /* pad len */ +- ".previous\n" +- ".section .discard,\"aw\",@progbits\n" +- " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */ +- ".previous\n" +- ".section .altinstr_replacement,\"ax\"\n" +- "5: movb $1,%0\n" +- "6:\n" +- ".previous\n" +- : "=qm" (flag) +- : "i" (bit), "i" (X86_FEATURE_ALWAYS)); +- return (flag == 2 ? __static_cpu_has_safe(bit) : flag); +-#endif /* CC_HAVE_ASM_GOTO */ + } + +-#define static_cpu_has_safe(bit) \ ++#define static_cpu_has(bit) \ + ( \ + __builtin_constant_p(boot_cpu_has(bit)) ? \ + boot_cpu_has(bit) : \ +- _static_cpu_has_safe(bit) \ ++ _static_cpu_has(bit) \ + ) + #else + /* +- * gcc 3.x is too stupid to do the static test; fall back to dynamic. ++ * Fall back to dynamic for gcc versions which don't support asm goto. Should be ++ * a minority now anyway. + */ + #define static_cpu_has(bit) boot_cpu_has(bit) +-#define static_cpu_has_safe(bit) boot_cpu_has(bit) + #endif + + #define cpu_has_bug(c, bit) cpu_has(c, (bit)) +@@ -579,7 +230,6 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) + #define clear_cpu_bug(c, bit) clear_cpu_cap(c, (bit)) + + #define static_cpu_has_bug(bit) static_cpu_has((bit)) +-#define static_cpu_has_bug_safe(bit) static_cpu_has_safe((bit)) + #define boot_cpu_has_bug(bit) cpu_has_bug(&boot_cpu_data, (bit)) + + #define MAX_CPU_FEATURES (NCAPINTS * 32) +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +new file mode 100644 +index 000000000000..205ce70c1d6c +--- /dev/null ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -0,0 +1,306 @@ ++#ifndef _ASM_X86_CPUFEATURES_H ++#define _ASM_X86_CPUFEATURES_H ++ ++#ifndef _ASM_X86_REQUIRED_FEATURES_H ++#include ++#endif ++ ++#ifndef _ASM_X86_DISABLED_FEATURES_H ++#include ++#endif ++ ++/* ++ * Defines x86 CPU feature bits ++ */ ++#define NCAPINTS 18 /* N 32-bit words worth of info */ ++#define NBUGINTS 1 /* N 32-bit bug flags */ ++ ++/* ++ * Note: If the comment begins with a quoted string, that string is 
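Review bot: The new `.altinstr_aux` stub is what makes `_static_cpu_has()` usable before alternatives are applied, and nothing next to the asm says so. As written, the initial `jmp 6f` lands on a `testb` of `boot_cpu_data.x86_capability`, so an unpatched call site answers for the boot CPU from whatever that array holds at the time, where the removed `t_dynamic` label called `__static_cpu_has_safe()`. I would add a comment above the stub, for example `/* Until alternatives are applied, fall back to testing the bit in boot_cpu_data.x86_capability. */`. The function's signature and its first alternative entries are in the previous hunk, outside this one.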
used ++ * in /proc/cpuinfo instead of the macro name. If the string is "", ++ * this feature bit is not displayed in /proc/cpuinfo at all. ++ */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */ ++#define X86_FEATURE_FPU ( 0*32+ 0) /* Onboard FPU */ ++#define X86_FEATURE_VME ( 0*32+ 1) /* Virtual Mode Extensions */ ++#define X86_FEATURE_DE ( 0*32+ 2) /* Debugging Extensions */ ++#define X86_FEATURE_PSE ( 0*32+ 3) /* Page Size Extensions */ ++#define X86_FEATURE_TSC ( 0*32+ 4) /* Time Stamp Counter */ ++#define X86_FEATURE_MSR ( 0*32+ 5) /* Model-Specific Registers */ ++#define X86_FEATURE_PAE ( 0*32+ 6) /* Physical Address Extensions */ ++#define X86_FEATURE_MCE ( 0*32+ 7) /* Machine Check Exception */ ++#define X86_FEATURE_CX8 ( 0*32+ 8) /* CMPXCHG8 instruction */ ++#define X86_FEATURE_APIC ( 0*32+ 9) /* Onboard APIC */ ++#define X86_FEATURE_SEP ( 0*32+11) /* SYSENTER/SYSEXIT */ ++#define X86_FEATURE_MTRR ( 0*32+12) /* Memory Type Range Registers */ ++#define X86_FEATURE_PGE ( 0*32+13) /* Page Global Enable */ ++#define X86_FEATURE_MCA ( 0*32+14) /* Machine Check Architecture */ ++#define X86_FEATURE_CMOV ( 0*32+15) /* CMOV instructions */ ++ /* (plus FCMOVcc, FCOMI with FPU) */ ++#define X86_FEATURE_PAT ( 0*32+16) /* Page Attribute Table */ ++#define X86_FEATURE_PSE36 ( 0*32+17) /* 36-bit PSEs */ ++#define X86_FEATURE_PN ( 0*32+18) /* Processor serial number */ ++#define X86_FEATURE_CLFLUSH ( 0*32+19) /* CLFLUSH instruction */ ++#define X86_FEATURE_DS ( 0*32+21) /* "dts" Debug Store */ ++#define X86_FEATURE_ACPI ( 0*32+22) /* ACPI via MSR */ ++#define X86_FEATURE_MMX ( 0*32+23) /* Multimedia Extensions */ ++#define X86_FEATURE_FXSR ( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */ ++#define X86_FEATURE_XMM ( 0*32+25) /* "sse" */ ++#define X86_FEATURE_XMM2 ( 0*32+26) /* "sse2" */ ++#define X86_FEATURE_SELFSNOOP ( 0*32+27) /* "ss" CPU self snoop */ ++#define X86_FEATURE_HT ( 0*32+28) /* Hyper-Threading */ ++#define X86_FEATURE_ACC ( 0*32+29) /* 
"tm" Automatic clock control */ ++#define X86_FEATURE_IA64 ( 0*32+30) /* IA-64 processor */ ++#define X86_FEATURE_PBE ( 0*32+31) /* Pending Break Enable */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */ ++/* Don't duplicate feature flags which are redundant with Intel! */ ++#define X86_FEATURE_SYSCALL ( 1*32+11) /* SYSCALL/SYSRET */ ++#define X86_FEATURE_MP ( 1*32+19) /* MP Capable. */ ++#define X86_FEATURE_NX ( 1*32+20) /* Execute Disable */ ++#define X86_FEATURE_MMXEXT ( 1*32+22) /* AMD MMX extensions */ ++#define X86_FEATURE_FXSR_OPT ( 1*32+25) /* FXSAVE/FXRSTOR optimizations */ ++#define X86_FEATURE_GBPAGES ( 1*32+26) /* "pdpe1gb" GB pages */ ++#define X86_FEATURE_RDTSCP ( 1*32+27) /* RDTSCP */ ++#define X86_FEATURE_LM ( 1*32+29) /* Long Mode (x86-64) */ ++#define X86_FEATURE_3DNOWEXT ( 1*32+30) /* AMD 3DNow! extensions */ ++#define X86_FEATURE_3DNOW ( 1*32+31) /* 3DNow! */ ++ ++/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */ ++#define X86_FEATURE_RECOVERY ( 2*32+ 0) /* CPU in recovery mode */ ++#define X86_FEATURE_LONGRUN ( 2*32+ 1) /* Longrun power control */ ++#define X86_FEATURE_LRTI ( 2*32+ 3) /* LongRun table interface */ ++ ++/* Other features, Linux-defined mapping, word 3 */ ++/* This range is used for feature bits which conflict or are synthesized */ ++#define X86_FEATURE_CXMMX ( 3*32+ 0) /* Cyrix MMX extensions */ ++#define X86_FEATURE_K6_MTRR ( 3*32+ 1) /* AMD K6 nonstandard MTRRs */ ++#define X86_FEATURE_CYRIX_ARR ( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */ ++#define X86_FEATURE_CENTAUR_MCR ( 3*32+ 3) /* Centaur MCRs (= MTRRs) */ ++/* cpu types for specific tunings: */ ++#define X86_FEATURE_K8 ( 3*32+ 4) /* "" Opteron, Athlon64 */ ++#define X86_FEATURE_K7 ( 3*32+ 5) /* "" Athlon */ ++#define X86_FEATURE_P3 ( 3*32+ 6) /* "" P3 */ ++#define X86_FEATURE_P4 ( 3*32+ 7) /* "" P4 */ ++#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */ ++#define X86_FEATURE_UP ( 3*32+ 9) /* smp kernel running 
on up */ ++/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */ ++#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */ ++#define X86_FEATURE_PEBS ( 3*32+12) /* Precise-Event Based Sampling */ ++#define X86_FEATURE_BTS ( 3*32+13) /* Branch Trace Store */ ++#define X86_FEATURE_SYSCALL32 ( 3*32+14) /* "" syscall in ia32 userspace */ ++#define X86_FEATURE_SYSENTER32 ( 3*32+15) /* "" sysenter in ia32 userspace */ ++#define X86_FEATURE_REP_GOOD ( 3*32+16) /* rep microcode works well */ ++#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */ ++#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */ ++/* free, was #define X86_FEATURE_11AP ( 3*32+19) * "" Bad local APIC aka 11AP */ ++#define X86_FEATURE_NOPL ( 3*32+20) /* The NOPL (0F 1F) instructions */ ++#define X86_FEATURE_ALWAYS ( 3*32+21) /* "" Always-present feature */ ++#define X86_FEATURE_XTOPOLOGY ( 3*32+22) /* cpu topology enum extensions */ ++#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */ ++#define X86_FEATURE_NONSTOP_TSC ( 3*32+24) /* TSC does not stop in C states */ ++/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */ ++#define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */ ++#define X86_FEATURE_AMD_DCM ( 3*32+27) /* multi-node processor */ ++#define X86_FEATURE_APERFMPERF ( 3*32+28) /* APERFMPERF */ ++/* free, was #define X86_FEATURE_EAGER_FPU ( 3*32+29) * "eagerfpu" Non lazy FPU restore */ ++#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ ++#define X86_FEATURE_XMM3 ( 4*32+ 0) /* "pni" SSE-3 */ ++#define X86_FEATURE_PCLMULQDQ ( 4*32+ 1) /* PCLMULQDQ instruction */ ++#define X86_FEATURE_DTES64 ( 4*32+ 2) /* 64-bit Debug Store */ ++#define X86_FEATURE_MWAIT ( 4*32+ 3) /* "monitor" Monitor/Mwait support 
*/ ++#define X86_FEATURE_DSCPL ( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */ ++#define X86_FEATURE_VMX ( 4*32+ 5) /* Hardware virtualization */ ++#define X86_FEATURE_SMX ( 4*32+ 6) /* Safer mode */ ++#define X86_FEATURE_EST ( 4*32+ 7) /* Enhanced SpeedStep */ ++#define X86_FEATURE_TM2 ( 4*32+ 8) /* Thermal Monitor 2 */ ++#define X86_FEATURE_SSSE3 ( 4*32+ 9) /* Supplemental SSE-3 */ ++#define X86_FEATURE_CID ( 4*32+10) /* Context ID */ ++#define X86_FEATURE_SDBG ( 4*32+11) /* Silicon Debug */ ++#define X86_FEATURE_FMA ( 4*32+12) /* Fused multiply-add */ ++#define X86_FEATURE_CX16 ( 4*32+13) /* CMPXCHG16B */ ++#define X86_FEATURE_XTPR ( 4*32+14) /* Send Task Priority Messages */ ++#define X86_FEATURE_PDCM ( 4*32+15) /* Performance Capabilities */ ++#define X86_FEATURE_PCID ( 4*32+17) /* Process Context Identifiers */ ++#define X86_FEATURE_DCA ( 4*32+18) /* Direct Cache Access */ ++#define X86_FEATURE_XMM4_1 ( 4*32+19) /* "sse4_1" SSE-4.1 */ ++#define X86_FEATURE_XMM4_2 ( 4*32+20) /* "sse4_2" SSE-4.2 */ ++#define X86_FEATURE_X2APIC ( 4*32+21) /* x2APIC */ ++#define X86_FEATURE_MOVBE ( 4*32+22) /* MOVBE instruction */ ++#define X86_FEATURE_POPCNT ( 4*32+23) /* POPCNT instruction */ ++#define X86_FEATURE_TSC_DEADLINE_TIMER ( 4*32+24) /* Tsc deadline timer */ ++#define X86_FEATURE_AES ( 4*32+25) /* AES instructions */ ++#define X86_FEATURE_XSAVE ( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */ ++#define X86_FEATURE_OSXSAVE ( 4*32+27) /* "" XSAVE enabled in the OS */ ++#define X86_FEATURE_AVX ( 4*32+28) /* Advanced Vector Extensions */ ++#define X86_FEATURE_F16C ( 4*32+29) /* 16-bit fp conversions */ ++#define X86_FEATURE_RDRAND ( 4*32+30) /* The RDRAND instruction */ ++#define X86_FEATURE_HYPERVISOR ( 4*32+31) /* Running on a hypervisor */ ++ ++/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */ ++#define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */ ++#define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */ ++#define 
X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */ ++#define X86_FEATURE_XCRYPT_EN ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */ ++#define X86_FEATURE_ACE2 ( 5*32+ 8) /* Advanced Cryptography Engine v2 */ ++#define X86_FEATURE_ACE2_EN ( 5*32+ 9) /* ACE v2 enabled */ ++#define X86_FEATURE_PHE ( 5*32+10) /* PadLock Hash Engine */ ++#define X86_FEATURE_PHE_EN ( 5*32+11) /* PHE enabled */ ++#define X86_FEATURE_PMM ( 5*32+12) /* PadLock Montgomery Multiplier */ ++#define X86_FEATURE_PMM_EN ( 5*32+13) /* PMM enabled */ ++ ++/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */ ++#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* LAHF/SAHF in long mode */ ++#define X86_FEATURE_CMP_LEGACY ( 6*32+ 1) /* If yes HyperThreading not valid */ ++#define X86_FEATURE_SVM ( 6*32+ 2) /* Secure virtual machine */ ++#define X86_FEATURE_EXTAPIC ( 6*32+ 3) /* Extended APIC space */ ++#define X86_FEATURE_CR8_LEGACY ( 6*32+ 4) /* CR8 in 32-bit mode */ ++#define X86_FEATURE_ABM ( 6*32+ 5) /* Advanced bit manipulation */ ++#define X86_FEATURE_SSE4A ( 6*32+ 6) /* SSE-4A */ ++#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */ ++#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */ ++#define X86_FEATURE_OSVW ( 6*32+ 9) /* OS Visible Workaround */ ++#define X86_FEATURE_IBS ( 6*32+10) /* Instruction Based Sampling */ ++#define X86_FEATURE_XOP ( 6*32+11) /* extended AVX instructions */ ++#define X86_FEATURE_SKINIT ( 6*32+12) /* SKINIT/STGI instructions */ ++#define X86_FEATURE_WDT ( 6*32+13) /* Watchdog timer */ ++#define X86_FEATURE_LWP ( 6*32+15) /* Light Weight Profiling */ ++#define X86_FEATURE_FMA4 ( 6*32+16) /* 4 operands MAC instructions */ ++#define X86_FEATURE_TCE ( 6*32+17) /* translation cache extension */ ++#define X86_FEATURE_NODEID_MSR ( 6*32+19) /* NodeId MSR */ ++#define X86_FEATURE_TBM ( 6*32+21) /* trailing bit manipulations */ ++#define X86_FEATURE_TOPOEXT ( 6*32+22) /* topology extensions CPUID leafs */ ++#define 
X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */ ++#define X86_FEATURE_PERFCTR_NB ( 6*32+24) /* NB performance counter extensions */ ++#define X86_FEATURE_BPEXT (6*32+26) /* data breakpoint extension */ ++#define X86_FEATURE_PERFCTR_L2 ( 6*32+28) /* L2 performance counter extensions */ ++#define X86_FEATURE_MWAITX ( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */ ++ ++/* ++ * Auxiliary flags: Linux defined - For features scattered in various ++ * CPUID levels like 0x6, 0xA etc, word 7. ++ * ++ * Reuse free bits when adding new feature flags! ++ */ ++ ++#define X86_FEATURE_CPB ( 7*32+ 2) /* AMD Core Performance Boost */ ++#define X86_FEATURE_EPB ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */ ++#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */ ++ ++#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ ++#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ ++ ++#define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ ++#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */ ++ ++#define X86_FEATURE_RETPOLINE ( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */ ++/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... 
*/ ++#define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */ ++ ++/* Virtualization flags: Linux defined, word 8 */ ++#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ ++#define X86_FEATURE_VNMI ( 8*32+ 1) /* Intel Virtual NMI */ ++#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */ ++#define X86_FEATURE_EPT ( 8*32+ 3) /* Intel Extended Page Table */ ++#define X86_FEATURE_VPID ( 8*32+ 4) /* Intel Virtual Processor ID */ ++ ++#define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */ ++#define X86_FEATURE_XENPV ( 8*32+16) /* "" Xen paravirtual guest */ ++ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ ++#define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ ++#define X86_FEATURE_TSC_ADJUST ( 9*32+ 1) /* TSC adjustment MSR 0x3b */ ++#define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */ ++#define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */ ++#define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */ ++#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */ ++#define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */ ++#define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */ ++#define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */ ++#define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */ ++#define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */ ++#define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */ ++#define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */ ++#define X86_FEATURE_RDSEED ( 9*32+18) /* The RDSEED instruction */ ++#define X86_FEATURE_ADX ( 9*32+19) /* The ADCX and ADOX instructions */ ++#define X86_FEATURE_SMAP ( 9*32+20) /* Supervisor Mode Access Prevention */ ++#define X86_FEATURE_PCOMMIT ( 9*32+22) /* PCOMMIT instruction */ ++#define X86_FEATURE_CLFLUSHOPT ( 9*32+23) /* 
CLFLUSHOPT instruction */ ++#define X86_FEATURE_CLWB ( 9*32+24) /* CLWB instruction */ ++#define X86_FEATURE_AVX512PF ( 9*32+26) /* AVX-512 Prefetch */ ++#define X86_FEATURE_AVX512ER ( 9*32+27) /* AVX-512 Exponential and Reciprocal */ ++#define X86_FEATURE_AVX512CD ( 9*32+28) /* AVX-512 Conflict Detection */ ++#define X86_FEATURE_SHA_NI ( 9*32+29) /* SHA1/SHA256 Instruction Extensions */ ++ ++/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */ ++#define X86_FEATURE_XSAVEOPT (10*32+ 0) /* XSAVEOPT */ ++#define X86_FEATURE_XSAVEC (10*32+ 1) /* XSAVEC */ ++#define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 */ ++#define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS */ ++ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */ ++#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ ++ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */ ++#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */ ++#define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */ ++ ++/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ ++#define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ ++#define X86_FEATURE_IDA (14*32+ 1) /* Intel Dynamic Acceleration */ ++#define X86_FEATURE_ARAT (14*32+ 2) /* Always Running APIC Timer */ ++#define X86_FEATURE_PLN (14*32+ 4) /* Intel Power Limit Notification */ ++#define X86_FEATURE_PTS (14*32+ 6) /* Intel Package Thermal Status */ ++#define X86_FEATURE_HWP (14*32+ 7) /* Intel Hardware P-states */ ++#define X86_FEATURE_HWP_NOTIFY (14*32+ 8) /* HWP Notification */ ++#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */ ++#define X86_FEATURE_HWP_EPP (14*32+10) /* HWP Energy Perf. 
Preference */ ++#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */ ++ ++/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */ ++#define X86_FEATURE_NPT (15*32+ 0) /* Nested Page Table support */ ++#define X86_FEATURE_LBRV (15*32+ 1) /* LBR Virtualization support */ ++#define X86_FEATURE_SVML (15*32+ 2) /* "svm_lock" SVM locking MSR */ ++#define X86_FEATURE_NRIPS (15*32+ 3) /* "nrip_save" SVM next_rip save */ ++#define X86_FEATURE_TSCRATEMSR (15*32+ 4) /* "tsc_scale" TSC scaling support */ ++#define X86_FEATURE_VMCBCLEAN (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */ ++#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */ ++#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */ ++#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */ ++#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */ ++#define X86_FEATURE_PKU (16*32+ 3) /* Protection Keys for Userspace */ ++#define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000007 (ebx), word 17 */ ++#define X86_FEATURE_OVERFLOW_RECOV (17*32+0) /* MCA overflow recovery support */ ++#define X86_FEATURE_SUCCOR (17*32+1) /* Uncorrectable error containment and recovery */ ++#define X86_FEATURE_SMCA (17*32+3) /* Scalable MCA */ ++ ++/* ++ * BUG word(s) ++ */ ++#define X86_BUG(x) (NCAPINTS*32 + (x)) ++ ++#define X86_BUG_F00F X86_BUG(0) /* Intel F00F */ ++#define X86_BUG_FDIV X86_BUG(1) /* FPU FDIV */ ++#define X86_BUG_COMA X86_BUG(2) /* Cyrix 6x86 coma */ ++#define X86_BUG_AMD_TLB_MMATCH X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */ ++#define X86_BUG_AMD_APIC_C1E X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */ ++#define X86_BUG_11AP X86_BUG(5) /* Bad local APIC aka 11AP */ ++#define X86_BUG_FXSAVE_LEAK X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */ ++#define 
X86_BUG_CLFLUSH_MONITOR X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */ ++#define X86_BUG_SYSRET_SS_ATTRS X86_BUG(8) /* SYSRET doesn't fix up SS attrs */ ++#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ ++#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ ++#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ ++ ++#endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h +index 8b17c2ad1048..21c5ac15657b 100644 +--- a/arch/x86/include/asm/disabled-features.h ++++ b/arch/x86/include/asm/disabled-features.h +@@ -30,6 +30,14 @@ + # define DISABLE_PCID (1<<(X86_FEATURE_PCID & 31)) + #endif /* CONFIG_X86_64 */ + ++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS ++# define DISABLE_PKU 0 ++# define DISABLE_OSPKE 0 ++#else ++# define DISABLE_PKU (1<<(X86_FEATURE_PKU & 31)) ++# define DISABLE_OSPKE (1<<(X86_FEATURE_OSPKE & 31)) ++#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */ ++ + /* + * Make sure to add features to the correct mask + */ +@@ -43,5 +51,14 @@ + #define DISABLED_MASK7 0 + #define DISABLED_MASK8 0 + #define DISABLED_MASK9 (DISABLE_MPX) ++#define DISABLED_MASK10 0 ++#define DISABLED_MASK11 0 ++#define DISABLED_MASK12 0 ++#define DISABLED_MASK13 0 ++#define DISABLED_MASK14 0 ++#define DISABLED_MASK15 0 ++#define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE) ++#define DISABLED_MASK17 0 ++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18) + + #endif /* _ASM_X86_DISABLED_FEATURES_H */ +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h +index 146d838e6ee7..ec2aedb6f92a 100644 +--- a/arch/x86/include/asm/fpu/internal.h ++++ b/arch/x86/include/asm/fpu/internal.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + /* + * High 
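Review bot: `DISABLED_MASK_CHECK` repeats the `BUILD_BUG_ON_ZERO(NCAPINTS != 18)` term that `DISABLED_MASK_BIT_SET()` in cpufeature.h already ORs in directly after it, and the literal 18 now lives in this header, in required-features.h and twice in cpufeature.h. The build check does catch a missed update, but it does not tell the next person what to change; a comment above the mask list would, e.g. `/* One DISABLED_MASKn per capability word: when NCAPINTS grows, add the word here and in DISABLED_MASK_BIT_SET(). */`. The `REQUIRED_MASK_CHECK` line added to required-features.h later in this patch would take the matching comment.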
level FPU state handling functions: +@@ -63,17 +64,17 @@ static __always_inline __pure bool use_eager_fpu(void) + + static __always_inline __pure bool use_xsaveopt(void) + { +- return static_cpu_has_safe(X86_FEATURE_XSAVEOPT); ++ return static_cpu_has(X86_FEATURE_XSAVEOPT); + } + + static __always_inline __pure bool use_xsave(void) + { +- return static_cpu_has_safe(X86_FEATURE_XSAVE); ++ return static_cpu_has(X86_FEATURE_XSAVE); + } + + static __always_inline __pure bool use_fxsr(void) + { +- return static_cpu_has_safe(X86_FEATURE_FXSR); ++ return static_cpu_has(X86_FEATURE_FXSR); + } + + /* +@@ -225,18 +226,67 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu) + #define XRSTOR ".byte " REX_PREFIX "0x0f,0xae,0x2f" + #define XRSTORS ".byte " REX_PREFIX "0x0f,0xc7,0x1f" + +-/* xstate instruction fault handler: */ +-#define xstate_fault(__err) \ +- \ +- ".section .fixup,\"ax\"\n" \ +- \ +- "3: movl $-2,%[_err]\n" \ +- " jmp 2b\n" \ +- \ +- ".previous\n" \ +- \ +- _ASM_EXTABLE(1b, 3b) \ +- : [_err] "=r" (__err) ++#define XSTATE_OP(op, st, lmask, hmask, err) \ ++ asm volatile("1:" op "\n\t" \ ++ "xor %[err], %[err]\n" \ ++ "2:\n\t" \ ++ ".pushsection .fixup,\"ax\"\n\t" \ ++ "3: movl $-2,%[err]\n\t" \ ++ "jmp 2b\n\t" \ ++ ".popsection\n\t" \ ++ _ASM_EXTABLE(1b, 3b) \ ++ : [err] "=r" (err) \ ++ : "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \ ++ : "memory") ++ ++/* ++ * If XSAVES is enabled, it replaces XSAVEOPT because it supports a compact ++ * format and supervisor states in addition to modified optimization in ++ * XSAVEOPT. ++ * ++ * Otherwise, if XSAVEOPT is enabled, XSAVEOPT replaces XSAVE because XSAVEOPT ++ * supports modified optimization which is not supported by XSAVE. ++ * ++ * We use XSAVE as a fallback. ++ * ++ * The 661 label is defined in the ALTERNATIVE* macros as the address of the ++ * original instruction which gets replaced. We need to use it here as the ++ * address of the instruction where we might get an exception at. 
++ */ ++#define XSTATE_XSAVE(st, lmask, hmask, err) \ ++ asm volatile(ALTERNATIVE_2(XSAVE, \ ++ XSAVEOPT, X86_FEATURE_XSAVEOPT, \ ++ XSAVES, X86_FEATURE_XSAVES) \ ++ "\n" \ ++ "xor %[err], %[err]\n" \ ++ "3:\n" \ ++ ".pushsection .fixup,\"ax\"\n" \ ++ "4: movl $-2, %[err]\n" \ ++ "jmp 3b\n" \ ++ ".popsection\n" \ ++ _ASM_EXTABLE(661b, 4b) \ ++ : [err] "=r" (err) \ ++ : "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \ ++ : "memory") ++ ++/* ++ * Use XRSTORS to restore context if it is enabled. XRSTORS supports compact ++ * XSAVE area format. ++ */ ++#define XSTATE_XRESTORE(st, lmask, hmask, err) \ ++ asm volatile(ALTERNATIVE(XRSTOR, \ ++ XRSTORS, X86_FEATURE_XSAVES) \ ++ "\n" \ ++ "xor %[err], %[err]\n" \ ++ "3:\n" \ ++ ".pushsection .fixup,\"ax\"\n" \ ++ "4: movl $-2, %[err]\n" \ ++ "jmp 3b\n" \ ++ ".popsection\n" \ ++ _ASM_EXTABLE(661b, 4b) \ ++ : [err] "=r" (err) \ ++ : "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \ ++ : "memory") + + /* + * This function is called only during boot time when x86 caps are not set +@@ -247,22 +297,14 @@ static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate) + u64 mask = -1; + u32 lmask = mask; + u32 hmask = mask >> 32; +- int err = 0; ++ int err; + + WARN_ON(system_state != SYSTEM_BOOTING); + +- if (boot_cpu_has(X86_FEATURE_XSAVES)) +- asm volatile("1:"XSAVES"\n\t" +- "2:\n\t" +- xstate_fault(err) +- : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err) +- : "memory"); ++ if (static_cpu_has(X86_FEATURE_XSAVES)) ++ XSTATE_OP(XSAVES, xstate, lmask, hmask, err); + else +- asm volatile("1:"XSAVE"\n\t" +- "2:\n\t" +- xstate_fault(err) +- : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err) +- : "memory"); ++ XSTATE_OP(XSAVE, xstate, lmask, hmask, err); + + /* We should never fault when copying to a kernel buffer: */ + WARN_ON_FPU(err); +@@ -277,22 +319,14 @@ static inline void copy_kernel_to_xregs_booting(struct xregs_state *xstate) + u64 mask = -1; + u32 lmask = mask; + u32 hmask = mask 
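Review bot: The three new macros only compile when the caller's error variable is literally named `err`: the macro parameter `err` is substituted into the operand name in `[err] "=r" (err)`, while the template strings keep referring to `%[err]`. The removed `xstate_fault(__err)` avoided this by giving the parameter a name distinct from the operand. I would do the same in `XSTATE_OP`, `XSTATE_XSAVE` and `XSTATE_XRESTORE`, e.g. `#define XSTATE_OP(op, st, lmask, hmask, __err)` with `: [err] "=r" (__err) \`, and write the memory operand as `"m" (*(st))` so that an expression argument keeps its meaning.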
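Review bot: `copy_xregs_to_kernel_booting()` now picks XSAVES with `static_cpu_has()` even though the comment just above it says it is called only at boot time, when the x86 caps are not set, and the body asserts `system_state == SYSTEM_BOOTING`. This relies on the reworked `_static_cpu_has()` elsewhere in this patch, which tests `boot_cpu_data.x86_capability` until its call site is patched; a reader of this file cannot see that. A one-line comment at the test would help, e.g. `/* static_cpu_has() falls back to boot_cpu_data before alternatives are applied */`, and the same applies to `copy_kernel_to_xregs_booting()` in the next hunk. Both function bodies extend beyond their hunks.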
>> 32; +- int err = 0; ++ int err; + + WARN_ON(system_state != SYSTEM_BOOTING); + +- if (boot_cpu_has(X86_FEATURE_XSAVES)) +- asm volatile("1:"XRSTORS"\n\t" +- "2:\n\t" +- xstate_fault(err) +- : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err) +- : "memory"); ++ if (static_cpu_has(X86_FEATURE_XSAVES)) ++ XSTATE_OP(XRSTORS, xstate, lmask, hmask, err); + else +- asm volatile("1:"XRSTOR"\n\t" +- "2:\n\t" +- xstate_fault(err) +- : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err) +- : "memory"); ++ XSTATE_OP(XRSTOR, xstate, lmask, hmask, err); + + /* We should never fault when copying from a kernel buffer: */ + WARN_ON_FPU(err); +@@ -306,33 +340,11 @@ static inline void copy_xregs_to_kernel(struct xregs_state *xstate) + u64 mask = -1; + u32 lmask = mask; + u32 hmask = mask >> 32; +- int err = 0; ++ int err; + + WARN_ON(!alternatives_patched); + +- /* +- * If xsaves is enabled, xsaves replaces xsaveopt because +- * it supports compact format and supervisor states in addition to +- * modified optimization in xsaveopt. +- * +- * Otherwise, if xsaveopt is enabled, xsaveopt replaces xsave +- * because xsaveopt supports modified optimization which is not +- * supported by xsave. +- * +- * If none of xsaves and xsaveopt is enabled, use xsave. +- */ +- alternative_input_2( +- "1:"XSAVE, +- XSAVEOPT, +- X86_FEATURE_XSAVEOPT, +- XSAVES, +- X86_FEATURE_XSAVES, +- [xstate] "D" (xstate), "a" (lmask), "d" (hmask) : +- "memory"); +- asm volatile("2:\n\t" +- xstate_fault(err) +- : "0" (err) +- : "memory"); ++ XSTATE_XSAVE(xstate, lmask, hmask, err); + + /* We should never fault when copying to a kernel buffer: */ + WARN_ON_FPU(err); +@@ -345,23 +357,9 @@ static inline void copy_kernel_to_xregs(struct xregs_state *xstate, u64 mask) + { + u32 lmask = mask; + u32 hmask = mask >> 32; +- int err = 0; ++ int err; + +- /* +- * Use xrstors to restore context if it is enabled. xrstors supports +- * compacted format of xsave area which is not supported by xrstor. 
+- */ +- alternative_input( +- "1: " XRSTOR, +- XRSTORS, +- X86_FEATURE_XSAVES, +- "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask) +- : "memory"); +- +- asm volatile("2:\n" +- xstate_fault(err) +- : "0" (err) +- : "memory"); ++ XSTATE_XRESTORE(xstate, lmask, hmask, err); + + /* We should never fault when copying from a kernel buffer: */ + WARN_ON_FPU(err); +@@ -389,12 +387,10 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf) + if (unlikely(err)) + return -EFAULT; + +- __asm__ __volatile__(ASM_STAC "\n" +- "1:"XSAVE"\n" +- "2: " ASM_CLAC "\n" +- xstate_fault(err) +- : "D" (buf), "a" (-1), "d" (-1), "0" (err) +- : "memory"); ++ stac(); ++ XSTATE_OP(XSAVE, buf, -1, -1, err); ++ clac(); ++ + return err; + } + +@@ -406,14 +402,12 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask) + struct xregs_state *xstate = ((__force struct xregs_state *)buf); + u32 lmask = mask; + u32 hmask = mask >> 32; +- int err = 0; +- +- __asm__ __volatile__(ASM_STAC "\n" +- "1:"XRSTOR"\n" +- "2: " ASM_CLAC "\n" +- xstate_fault(err) +- : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err) +- : "memory"); /* memory required? */ ++ int err; ++ ++ stac(); ++ XSTATE_OP(XRSTOR, xstate, lmask, hmask, err); ++ clac(); ++ + return err; + } + +@@ -467,7 +461,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate) + * pending. Clear the x87 state here by setting it to fixed values. + * "m" is a random variable that should be in L1. 
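Review bot: In `copy_xregs_to_user()` the STAC/CLAC pair used to sit inside the same asm statement as the XSAVE; it is now three separate statements, so the window in which SMAP is lifted is defined by source order alone. The fault path is still covered, because the fixup inside `XSTATE_OP` jumps back to its label `2:` and `clac()` runs afterwards, but that deserves a comment so nobody later adds code between the calls: `/* user access window: nothing but the XSTATE_OP may go between stac() and clac() */`. The same applies to `copy_user_to_xregs()` in the next hunk. Whether `stac()` and `clac()` act as compiler barriers is not visible in this patch and should be confirmed.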
+ */
+- if (unlikely(static_cpu_has_bug_safe(X86_BUG_FXSAVE_LEAK))) {
++ if (unlikely(static_cpu_has_bug(X86_BUG_FXSAVE_LEAK))) {
+ asm volatile(
+ "fnclex\n\t"
+ "emms\n\t"
+diff --git a/arch/x86/include/asm/irq_work.h b/arch/x86/include/asm/irq_work.h
+index 78162f8e248b..d0afb05c84fc 100644
+--- a/arch/x86/include/asm/irq_work.h
++++ b/arch/x86/include/asm/irq_work.h
+@@ -1,7 +1,7 @@
+ #ifndef _ASM_IRQ_WORK_H
+ #define _ASM_IRQ_WORK_H
+
+-#include
++#include
+
+ static inline bool arch_irq_work_has_interrupt(void)
+ {
+diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
+index c70689b5e5aa..0deeb2d26df7 100644
+--- a/arch/x86/include/asm/mwait.h
++++ b/arch/x86/include/asm/mwait.h
+@@ -3,6 +3,8 @@
+
+ #include
+
++#include
++
+ #define MWAIT_SUBSTATE_MASK 0xf
+ #define MWAIT_CSTATE_MASK 0xf
+ #define MWAIT_SUBSTATE_SIZE 4
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 249f1c769f21..8b910416243c 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -5,7 +5,7 @@
+
+ #include
+ #include
+-#include
++#include
+
+ /*
+ * Fill the CPU return stack buffer.
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 9e77cea2a8ef..8e415cf65457 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -13,7 +13,7 @@ struct vm86; + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -24,7 +24,6 @@ struct vm86; + #include + + #include +-#include + #include + #include + #include +diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h +index 5c6e4fb370f5..fac9a5c0abe9 100644 +--- a/arch/x86/include/asm/required-features.h ++++ b/arch/x86/include/asm/required-features.h +@@ -92,5 +92,14 @@ + #define REQUIRED_MASK7 0 + #define REQUIRED_MASK8 0 + #define REQUIRED_MASK9 0 ++#define REQUIRED_MASK10 0 ++#define REQUIRED_MASK11 0 ++#define REQUIRED_MASK12 0 ++#define REQUIRED_MASK13 0 ++#define REQUIRED_MASK14 0 ++#define REQUIRED_MASK15 0 ++#define REQUIRED_MASK16 0 ++#define REQUIRED_MASK17 0 ++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18) + + #endif /* _ASM_X86_REQUIRED_FEATURES_H */ +diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h +index ba665ebd17bb..db333300bd4b 100644 +--- a/arch/x86/include/asm/smap.h ++++ b/arch/x86/include/asm/smap.h +@@ -15,7 +15,7 @@ + + #include + #include +-#include ++#include + + /* "Raw" instruction opcodes */ + #define __ASM_CLAC .byte 0x0f,0x01,0xca +diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h +index a438c5598a90..04d6eef5f8a5 100644 +--- a/arch/x86/include/asm/smp.h ++++ b/arch/x86/include/asm/smp.h +@@ -16,7 +16,6 @@ + #endif + #include + #include +-#include + + extern int smp_num_siblings; + extern unsigned int num_processors; +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h +index 9b028204685d..18c9aaa8c043 100644 +--- a/arch/x86/include/asm/thread_info.h ++++ b/arch/x86/include/asm/thread_info.h +@@ -49,7 +49,7 @@ + */ + #ifndef __ASSEMBLY__ + struct 
task_struct; +-#include ++#include + #include + + struct thread_info { +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index a691b66cc40a..e2a89d2577fb 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -5,6 +5,7 @@ + #include + + #include ++#include + #include + #include + +diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h +index f2f9b39b274a..d83a55b95a48 100644 +--- a/arch/x86/include/asm/uaccess_64.h ++++ b/arch/x86/include/asm/uaccess_64.h +@@ -8,7 +8,7 @@ + #include + #include + #include +-#include ++#include + #include + + /* +diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c +index 2bd2292a316d..bac0805ea1d9 100644 +--- a/arch/x86/kernel/apic/apic_numachip.c ++++ b/arch/x86/kernel/apic/apic_numachip.c +@@ -30,7 +30,7 @@ static unsigned int numachip1_get_apic_id(unsigned long x) + unsigned long value; + unsigned int id = (x >> 24) & 0xff; + +- if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ if (static_cpu_has(X86_FEATURE_NODEID_MSR)) { + rdmsrl(MSR_FAM10H_NODE_ID, value); + id |= (value << 2) & 0xff00; + } +@@ -178,7 +178,7 @@ static void fixup_cpu_id(struct cpuinfo_x86 *c, int node) + this_cpu_write(cpu_llc_id, node); + + /* Account for nodes per socket in multi-core-module processors */ +- if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ if (static_cpu_has(X86_FEATURE_NODEID_MSR)) { + rdmsrl(MSR_FAM10H_NODE_ID, val); + nodes = ((val >> 3) & 7) + 1; + } +diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile +index 8f184615053b..924b65794abd 100644 +--- a/arch/x86/kernel/cpu/Makefile ++++ b/arch/x86/kernel/cpu/Makefile +@@ -62,7 +62,7 @@ ifdef CONFIG_X86_FEATURE_NAMES + quiet_cmd_mkcapflags = MKCAP $@ + cmd_mkcapflags = $(CONFIG_SHELL) $(srctree)/$(src)/mkcapflags.sh $< $@ + +-cpufeature = $(src)/../../include/asm/cpufeature.h ++cpufeature = $(src)/../../include/asm/cpufeatures.h + + 
targets += capflags.c + $(obj)/capflags.c: $(cpufeature) $(src)/mkcapflags.sh FORCE +diff --git a/arch/x86/kernel/cpu/centaur.c b/arch/x86/kernel/cpu/centaur.c +index d8fba5c15fbd..6608c03c2126 100644 +--- a/arch/x86/kernel/cpu/centaur.c ++++ b/arch/x86/kernel/cpu/centaur.c +@@ -1,7 +1,7 @@ + #include + #include + +-#include ++#include + #include + #include + #include +@@ -43,7 +43,7 @@ static void init_c3(struct cpuinfo_x86 *c) + /* store Centaur Extended Feature Flags as + * word 5 of the CPU capability bit array + */ +- c->x86_capability[5] = cpuid_edx(0xC0000001); ++ c->x86_capability[CPUID_C000_0001_EDX] = cpuid_edx(0xC0000001); + } + #ifdef CONFIG_X86_32 + /* Cyrix III family needs CX8 & PGE explicitly enabled. */ +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 0498ad3702f5..814276d0eed1 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -676,50 +676,48 @@ static void apply_forced_caps(struct cpuinfo_x86 *c) + + void get_cpu_cap(struct cpuinfo_x86 *c) + { +- u32 tfms, xlvl; +- u32 ebx; ++ u32 eax, ebx, ecx, edx; + + /* Intel-defined flags: level 0x00000001 */ + if (c->cpuid_level >= 0x00000001) { +- u32 capability, excap; ++ cpuid(0x00000001, &eax, &ebx, &ecx, &edx); + +- cpuid(0x00000001, &tfms, &ebx, &excap, &capability); +- c->x86_capability[0] = capability; +- c->x86_capability[4] = excap; ++ c->x86_capability[CPUID_1_ECX] = ecx; ++ c->x86_capability[CPUID_1_EDX] = edx; + } + + /* Additional Intel-defined flags: level 0x00000007 */ + if (c->cpuid_level >= 0x00000007) { +- u32 eax, ebx, ecx, edx; +- + cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx); + +- c->x86_capability[9] = ebx; ++ c->x86_capability[CPUID_7_0_EBX] = ebx; ++ ++ c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006); ++ c->x86_capability[CPUID_7_ECX] = ecx; + } + + /* Extended state features: level 0x0000000d */ + if (c->cpuid_level >= 0x0000000d) { +- u32 eax, ebx, ecx, edx; +- + cpuid_count(0x0000000d, 1, &eax, &ebx, 
&ecx, &edx); + +- c->x86_capability[10] = eax; ++ c->x86_capability[CPUID_D_1_EAX] = eax; + } + + /* Additional Intel-defined flags: level 0x0000000F */ + if (c->cpuid_level >= 0x0000000F) { +- u32 eax, ebx, ecx, edx; + + /* QoS sub-leaf, EAX=0Fh, ECX=0 */ + cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx); +- c->x86_capability[11] = edx; ++ c->x86_capability[CPUID_F_0_EDX] = edx; ++ + if (cpu_has(c, X86_FEATURE_CQM_LLC)) { + /* will be overridden if occupancy monitoring exists */ + c->x86_cache_max_rmid = ebx; + + /* QoS sub-leaf, EAX=0Fh, ECX=1 */ + cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx); +- c->x86_capability[12] = edx; ++ c->x86_capability[CPUID_F_1_EDX] = edx; ++ + if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) { + c->x86_cache_max_rmid = ecx; + c->x86_cache_occ_scale = ebx; +@@ -731,30 +729,39 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + } + + /* AMD-defined flags: level 0x80000001 */ +- xlvl = cpuid_eax(0x80000000); +- c->extended_cpuid_level = xlvl; ++ eax = cpuid_eax(0x80000000); ++ c->extended_cpuid_level = eax; ++ ++ if ((eax & 0xffff0000) == 0x80000000) { ++ if (eax >= 0x80000001) { ++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx); + +- if ((xlvl & 0xffff0000) == 0x80000000) { +- if (xlvl >= 0x80000001) { +- c->x86_capability[1] = cpuid_edx(0x80000001); +- c->x86_capability[6] = cpuid_ecx(0x80000001); ++ c->x86_capability[CPUID_8000_0001_ECX] = ecx; ++ c->x86_capability[CPUID_8000_0001_EDX] = edx; + } + } + ++ if (c->extended_cpuid_level >= 0x80000007) { ++ cpuid(0x80000007, &eax, &ebx, &ecx, &edx); ++ ++ c->x86_capability[CPUID_8000_0007_EBX] = ebx; ++ c->x86_power = edx; ++ } ++ + if (c->extended_cpuid_level >= 0x80000008) { +- u32 eax = cpuid_eax(0x80000008); ++ cpuid(0x80000008, &eax, &ebx, &ecx, &edx); + + c->x86_virt_bits = (eax >> 8) & 0xff; + c->x86_phys_bits = eax & 0xff; +- c->x86_capability[13] = cpuid_ebx(0x80000008); ++ c->x86_capability[CPUID_8000_0008_EBX] = ebx; + } + #ifdef CONFIG_X86_32 + else if (cpu_has(c, X86_FEATURE_PAE) || 
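Review bot: The leaf 6 read `c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);` sits inside the `if (c->cpuid_level >= 0x00000007)` block, so a CPU whose highest basic leaf is exactly 6 never gets that capability word filled. The scattered.c hunk later in this patch removes the leaf 6 EAX entries (X86_FEATURE_DTHERM, X86_FEATURE_ARAT, the HWP bits) from cpuid_bits[], which leaves this assignment as the only place they are read. It should get its own guard ahead of the leaf 7 block: `if (c->cpuid_level >= 0x00000006)` followed by the assignment. get_cpu_cap() continues past this hunk.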
cpu_has(c, X86_FEATURE_PSE36)) + c->x86_phys_bits = 36; + #endif + +- if (c->extended_cpuid_level >= 0x80000007) +- c->x86_power = cpuid_edx(0x80000007); ++ if (c->extended_cpuid_level >= 0x8000000a) ++ c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); + + init_scattered_cpuid_features(c); + } +@@ -1574,20 +1581,6 @@ void cpu_init(void) + } + #endif + +-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS +-void warn_pre_alternatives(void) +-{ +- WARN(1, "You're using static_cpu_has before alternatives have run!\n"); +-} +-EXPORT_SYMBOL_GPL(warn_pre_alternatives); +-#endif +- +-inline bool __static_cpu_has_safe(u16 bit) +-{ +- return boot_cpu_has(bit); +-} +-EXPORT_SYMBOL_GPL(__static_cpu_has_safe); +- + static void bsp_resume(void) + { + if (this_cpu->c_bsp_resume) +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index aaf152e79637..15e47c1cd412 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include "cpu.h" + +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c +index 565648bc1a0a..9299e3bdfad6 100644 +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -8,7 +8,7 @@ + #include + #include + +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c +index 3fa72317ad78..3557b3ceab14 100644 +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -14,7 +14,7 @@ + #include + #include + +-#include ++#include + #include + #include + +diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c +index afa9f0d487ea..fbb5e90557a5 100644 +--- a/arch/x86/kernel/cpu/match.c ++++ b/arch/x86/kernel/cpu/match.c +@@ -1,5 +1,5 @@ + #include +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh +index 
3f20710a5b23..6988c74409a8 100644 +--- a/arch/x86/kernel/cpu/mkcapflags.sh ++++ b/arch/x86/kernel/cpu/mkcapflags.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + # +-# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeature.h ++# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h + # + + IN=$1 +@@ -49,8 +49,8 @@ dump_array() + trap 'rm "$OUT"' EXIT + + ( +- echo "#ifndef _ASM_X86_CPUFEATURE_H" +- echo "#include " ++ echo "#ifndef _ASM_X86_CPUFEATURES_H" ++ echo "#include " + echo "#endif" + echo "" + +diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c +index f924f41af89a..49bd700d9b7f 100644 +--- a/arch/x86/kernel/cpu/mtrr/main.c ++++ b/arch/x86/kernel/cpu/mtrr/main.c +@@ -47,7 +47,7 @@ + #include + #include + +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c +index 608fb26c7254..8cb57df9398d 100644 +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -31,32 +31,12 @@ void init_scattered_cpuid_features(struct cpuinfo_x86 *c) + const struct cpuid_bit *cb; + + static const struct cpuid_bit cpuid_bits[] = { +- { X86_FEATURE_DTHERM, CR_EAX, 0, 0x00000006, 0 }, +- { X86_FEATURE_IDA, CR_EAX, 1, 0x00000006, 0 }, +- { X86_FEATURE_ARAT, CR_EAX, 2, 0x00000006, 0 }, +- { X86_FEATURE_PLN, CR_EAX, 4, 0x00000006, 0 }, +- { X86_FEATURE_PTS, CR_EAX, 6, 0x00000006, 0 }, +- { X86_FEATURE_HWP, CR_EAX, 7, 0x00000006, 0 }, +- { X86_FEATURE_HWP_NOTIFY, CR_EAX, 8, 0x00000006, 0 }, +- { X86_FEATURE_HWP_ACT_WINDOW, CR_EAX, 9, 0x00000006, 0 }, +- { X86_FEATURE_HWP_EPP, CR_EAX,10, 0x00000006, 0 }, +- { X86_FEATURE_HWP_PKG_REQ, CR_EAX,11, 0x00000006, 0 }, + { X86_FEATURE_INTEL_PT, CR_EBX,25, 0x00000007, 0 }, + { X86_FEATURE_APERFMPERF, CR_ECX, 0, 0x00000006, 0 }, + { X86_FEATURE_EPB, CR_ECX, 3, 0x00000006, 0 }, + { X86_FEATURE_HW_PSTATE, CR_EDX, 7, 0x80000007, 0 }, + { X86_FEATURE_CPB, CR_EDX, 9, 0x80000007, 0 }, + { 
X86_FEATURE_PROC_FEEDBACK, CR_EDX,11, 0x80000007, 0 }, +- { X86_FEATURE_NPT, CR_EDX, 0, 0x8000000a, 0 }, +- { X86_FEATURE_LBRV, CR_EDX, 1, 0x8000000a, 0 }, +- { X86_FEATURE_SVML, CR_EDX, 2, 0x8000000a, 0 }, +- { X86_FEATURE_NRIPS, CR_EDX, 3, 0x8000000a, 0 }, +- { X86_FEATURE_TSCRATEMSR, CR_EDX, 4, 0x8000000a, 0 }, +- { X86_FEATURE_VMCBCLEAN, CR_EDX, 5, 0x8000000a, 0 }, +- { X86_FEATURE_FLUSHBYASID, CR_EDX, 6, 0x8000000a, 0 }, +- { X86_FEATURE_DECODEASSISTS, CR_EDX, 7, 0x8000000a, 0 }, +- { X86_FEATURE_PAUSEFILTER, CR_EDX,10, 0x8000000a, 0 }, +- { X86_FEATURE_PFTHRESHOLD, CR_EDX,12, 0x8000000a, 0 }, + { 0, 0, 0, 0, 0 } + }; + +diff --git a/arch/x86/kernel/cpu/transmeta.c b/arch/x86/kernel/cpu/transmeta.c +index 3fa0e5ad86b4..a19a663282b5 100644 +--- a/arch/x86/kernel/cpu/transmeta.c ++++ b/arch/x86/kernel/cpu/transmeta.c +@@ -1,6 +1,6 @@ + #include + #include +-#include ++#include + #include + #include "cpu.h" + +@@ -12,7 +12,7 @@ static void early_init_transmeta(struct cpuinfo_x86 *c) + xlvl = cpuid_eax(0x80860000); + if ((xlvl & 0xffff0000) == 0x80860000) { + if (xlvl >= 0x80860001) +- c->x86_capability[2] = cpuid_edx(0x80860001); ++ c->x86_capability[CPUID_8086_0001_EDX] = cpuid_edx(0x80860001); + } + } + +@@ -82,7 +82,7 @@ static void init_transmeta(struct cpuinfo_x86 *c) + /* Unhide possibly hidden capability flags */ + rdmsr(0x80860004, cap_mask, uk); + wrmsr(0x80860004, ~0, uk); +- c->x86_capability[0] = cpuid_edx(0x00000001); ++ c->x86_capability[CPUID_1_EDX] = cpuid_edx(0x00000001); + wrmsr(0x80860004, cap_mask, uk); + + /* All Transmeta CPUs have a constant TSC */ +diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c +index 52a2526c3fbe..19bc19d5e174 100644 +--- a/arch/x86/kernel/e820.c ++++ b/arch/x86/kernel/e820.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + /* + * The e820 map is the map that gets modified e.g. 
with command line parameters +diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S +index 70284d38fdc2..1c0b49fd6365 100644 +--- a/arch/x86/kernel/head_32.S ++++ b/arch/x86/kernel/head_32.S +@@ -19,7 +19,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S +index 4034e905741a..734ba1d0f686 100644 +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -76,9 +76,7 @@ startup_64: + subq $_text - __START_KERNEL_map, %rbp + + /* Is the address not 2M aligned? */ +- movq %rbp, %rax +- andl $~PMD_PAGE_MASK, %eax +- testl %eax, %eax ++ testl $~PMD_PAGE_MASK, %ebp + jnz bad_address + + /* +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index f48eb8eeefe2..3fdc1e53aaac 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -12,6 +12,7 @@ + #include + #include + ++#include + #include + #include + #include +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 113e70784854..f95ac5d435aa 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -40,7 +40,7 @@ + #include + #include + +-#include ++#include + #include + + static struct class *msr_class; +diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c +index c6aace2bbe08..b8105289c60b 100644 +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -290,7 +290,7 @@ static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool + insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64); + /* has the side-effect of processing the entire instruction */ + insn_get_length(insn); +- if (WARN_ON_ONCE(!insn_complete(insn))) ++ if (!insn_complete(insn)) + return -ENOEXEC; + + if (is_prefix_bad(insn)) +diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S +index 4cf401f581e7..b7c9db5deebe 100644 +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -30,7 +30,7 
@@ + * appropriately. Either display a message or halt. + */ + +-#include ++#include + #include + + verify_cpu: +diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c +index d6d64a519559..7f4839ef3608 100644 +--- a/arch/x86/kernel/vm86_32.c ++++ b/arch/x86/kernel/vm86_32.c +@@ -358,7 +358,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) + /* make room for real-mode segments */ + tsk->thread.sp0 += 16; + +- if (static_cpu_has_safe(X86_FEATURE_SEP)) ++ if (static_cpu_has(X86_FEATURE_SEP)) + tsk->thread.sysenter_cs = 0; + + load_sp0(tss, &tsk->thread); +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index e065065a4dfb..a703842b54de 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -202,6 +202,17 @@ SECTIONS + :init + #endif + ++ /* ++ * Section for code used exclusively before alternatives are run. All ++ * references to such code must be patched out by alternatives, normally ++ * by using X86_FEATURE_ALWAYS CPU feature bit. ++ * ++ * See static_cpu_has() for an example. 
++ */ ++ .altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) { ++ *(.altinstr_aux) ++ } ++ + INIT_DATA_SECTION(16) + + .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) { +diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S +index a2fe51b00cce..65be7cfaf947 100644 +--- a/arch/x86/lib/clear_page_64.S ++++ b/arch/x86/lib/clear_page_64.S +@@ -1,5 +1,5 @@ + #include +-#include ++#include + #include + + /* +diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S +index 009f98216b7e..24ef1c2104d4 100644 +--- a/arch/x86/lib/copy_page_64.S ++++ b/arch/x86/lib/copy_page_64.S +@@ -1,7 +1,7 @@ + /* Written 2003 by Andi Kleen, based on a kernel by Evandro Menezes */ + + #include +-#include ++#include + #include + + /* +diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S +index 423644c230e7..accf7f2f557f 100644 +--- a/arch/x86/lib/copy_user_64.S ++++ b/arch/x86/lib/copy_user_64.S +@@ -10,7 +10,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S +index 16698bba87de..a0de849435ad 100644 +--- a/arch/x86/lib/memcpy_64.S ++++ b/arch/x86/lib/memcpy_64.S +@@ -1,7 +1,7 @@ + /* Copyright 2002 Andi Kleen */ + + #include +-#include ++#include + #include + + /* +diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S +index ca2afdd6d98e..90ce01bee00c 100644 +--- a/arch/x86/lib/memmove_64.S ++++ b/arch/x86/lib/memmove_64.S +@@ -6,7 +6,7 @@ + * - Copyright 2011 Fenghua Yu + */ + #include +-#include ++#include + #include + + #undef memmove +diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S +index 2661fad05827..c9c81227ea37 100644 +--- a/arch/x86/lib/memset_64.S ++++ b/arch/x86/lib/memset_64.S +@@ -1,7 +1,7 @@ + /* Copyright 2002 Andi Kleen, SuSE Labs */ + + #include +-#include ++#include + #include + + .weak memset +diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S +index 
3d06b482ebc7..7bbb853e36bd 100644 +--- a/arch/x86/lib/retpoline.S ++++ b/arch/x86/lib/retpoline.S +@@ -3,7 +3,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c +index 92e2eacb3321..f65a33f505b6 100644 +--- a/arch/x86/mm/setup_nx.c ++++ b/arch/x86/mm/setup_nx.c +@@ -4,6 +4,7 @@ + + #include + #include ++#include + + static int disable_nx; + +diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c +index 50d86c0e9ba4..660a83c8287b 100644 +--- a/arch/x86/oprofile/op_model_amd.c ++++ b/arch/x86/oprofile/op_model_amd.c +@@ -24,7 +24,6 @@ + #include + #include + #include +-#include + + #include "op_x86_model.h" + #include "op_counter.h" +diff --git a/arch/x86/um/asm/barrier.h b/arch/x86/um/asm/barrier.h +index 755481f14d90..764ac2fc53fe 100644 +--- a/arch/x86/um/asm/barrier.h ++++ b/arch/x86/um/asm/barrier.h +@@ -3,7 +3,7 @@ + + #include + #include +-#include ++#include + #include + #include + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 5a6a01135470..34fdaa6e99ba 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1229,6 +1229,59 @@ static bool ahci_broken_suspend(struct pci_dev *pdev) + return strcmp(buf, dmi->driver_data) < 0; + } + ++static bool ahci_broken_lpm(struct pci_dev *pdev) ++{ ++ static const struct dmi_system_id sysids[] = { ++ /* Various Lenovo 50 series have LPM issues with older BIOSen */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"), ++ }, ++ .driver_data = "20180406", /* 1.31 */ ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"), ++ }, ++ .driver_data = "20180420", /* 1.28 */ ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"), ++ }, ++ .driver_data = "20180315", /* 1.33 */ ++ }, ++ { ++ .matches = { 
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"), ++ }, ++ /* ++ * Note date based on release notes, 2.35 has been ++ * reported to be good, but I've been unable to get ++ * a hold of the reporter to get the DMI BIOS date. ++ * TODO: fix this. ++ */ ++ .driver_data = "20180310", /* 2.35 */ ++ }, ++ { } /* terminate list */ ++ }; ++ const struct dmi_system_id *dmi = dmi_first_match(sysids); ++ int year, month, date; ++ char buf[9]; ++ ++ if (!dmi) ++ return false; ++ ++ dmi_get_date(DMI_BIOS_DATE, &year, &month, &date); ++ snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date); ++ ++ return strcmp(buf, dmi->driver_data) < 0; ++} ++ + static bool ahci_broken_online(struct pci_dev *pdev) + { + #define ENCODE_BUSDEVFN(bus, slot, func) \ +@@ -1588,6 +1641,12 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + "quirky BIOS, skipping spindown on poweroff\n"); + } + ++ if (ahci_broken_lpm(pdev)) { ++ pi.flags |= ATA_FLAG_NO_LPM; ++ dev_warn(&pdev->dev, ++ "BIOS update required for Link Power Management support\n"); ++ } ++ + if (ahci_broken_suspend(pdev)) { + hpriv->flags |= AHCI_HFLAG_NO_SUSPEND; + dev_warn(&pdev->dev, +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 9afd06ee5b30..ba514fa733de 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2209,6 +2209,9 @@ int ata_dev_configure(struct ata_device *dev) + (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2) + dev->horkage |= ATA_HORKAGE_NOLPM; + ++ if (ap->flags & ATA_FLAG_NO_LPM) ++ dev->horkage |= ATA_HORKAGE_NOLPM; ++ + if (dev->horkage & ATA_HORKAGE_NOLPM) { + ata_dev_warn(dev, "LPM support broken, forcing max_power\n"); + dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER; +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index b316ab7e8996..60e2c9faa95f 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -512,6 +512,9 @@ + #define USB_VENDOR_ID_IRTOUCHSYSTEMS 
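Review bot: ahci_broken_lpm() ignores the return value of `dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);` while `year`, `month` and `date` are declared without initialisers, so what is formatted into `buf` when the BIOS date is absent depends on dmi_get_date() always writing all three outputs, which this hunk does not show. Declaring them as `int year = 0, month = 0, date = 0;` makes the outcome explicit: the string then compares lower than every `.driver_data` entry and the host is treated as broken, which is the conservative result. A header comment saying that `.driver_data` is a BIOS date in YYYYMMDD form (apparently that of the first good release) compared as a string would also help, and `pdev` is unused in the body.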
0x6615 + #define USB_DEVICE_ID_IRTOUCH_INFRARED_USB 0x0070 + ++#define USB_VENDOR_ID_INNOMEDIA 0x1292 ++#define USB_DEVICE_ID_INNEX_GENESIS_ATARI 0x4745 ++ + #define USB_VENDOR_ID_ITE 0x048d + #define USB_DEVICE_ID_ITE_LENOVO_YOGA 0x8386 + #define USB_DEVICE_ID_ITE_LENOVO_YOGA2 0x8350 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index ce1543d69acb..c9a11315493b 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -152,6 +152,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_MULTIPLE_1781, USB_DEVICE_ID_RAPHNET_4NES4SNES_OLD, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES, HID_QUIRK_MULTI_INPUT }, ++ { USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI, HID_QUIRK_MULTI_INPUT }, + + { 0, 0 } + }; +diff --git a/drivers/infiniband/Kconfig b/drivers/infiniband/Kconfig +index aa26f3c3416b..c151bb625179 100644 +--- a/drivers/infiniband/Kconfig ++++ b/drivers/infiniband/Kconfig +@@ -33,6 +33,18 @@ config INFINIBAND_USER_ACCESS + libibverbs, libibcm and a hardware driver library from + . + ++config INFINIBAND_USER_ACCESS_UCM ++ bool "Userspace CM (UCM, DEPRECATED)" ++ depends on BROKEN ++ depends on INFINIBAND_USER_ACCESS ++ help ++ The UCM module has known security flaws, which no one is ++ interested to fix. The user-space part of this code was ++ dropped from the upstream a long time ago. ++ ++ This option is DEPRECATED and planned to be removed. 
++ ++ + config INFINIBAND_USER_MEM + bool + depends on INFINIBAND_USER_ACCESS != n +diff --git a/drivers/infiniband/core/Makefile b/drivers/infiniband/core/Makefile +index d43a8994ac5c..737612a442be 100644 +--- a/drivers/infiniband/core/Makefile ++++ b/drivers/infiniband/core/Makefile +@@ -5,8 +5,8 @@ obj-$(CONFIG_INFINIBAND) += ib_core.o ib_mad.o ib_sa.o \ + ib_cm.o iw_cm.o ib_addr.o \ + $(infiniband-y) + obj-$(CONFIG_INFINIBAND_USER_MAD) += ib_umad.o +-obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o ib_ucm.o \ +- $(user_access-y) ++obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o $(user_access-y) ++obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM) += ib_ucm.o $(user_access-y) + + ib_core-y := packer.o ud_header.o verbs.o sysfs.o \ + device.o fmr_pool.o cache.o netlink.o \ +diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c +index e1629ab58db7..8218d714fa01 100644 +--- a/drivers/infiniband/hw/cxgb4/mem.c ++++ b/drivers/infiniband/hw/cxgb4/mem.c +@@ -926,7 +926,7 @@ static int c4iw_set_page(struct ib_mr *ibmr, u64 addr) + { + struct c4iw_mr *mhp = to_c4iw_mr(ibmr); + +- if (unlikely(mhp->mpl_len == mhp->max_mpl_len)) ++ if (unlikely(mhp->mpl_len == mhp->attr.pbl_size)) + return -ENOMEM; + + mhp->mpl[mhp->mpl_len++] = addr; +diff --git a/drivers/misc/ibmasm/ibmasmfs.c b/drivers/misc/ibmasm/ibmasmfs.c +index e8b933111e0d..92109cadc3fc 100644 +--- a/drivers/misc/ibmasm/ibmasmfs.c ++++ b/drivers/misc/ibmasm/ibmasmfs.c +@@ -507,35 +507,14 @@ static int remote_settings_file_close(struct inode *inode, struct file *file) + static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset) + { + void __iomem *address = (void __iomem *)file->private_data; +- unsigned char *page; +- int retval; + int len = 0; + unsigned int value; +- +- if (*offset < 0) +- return -EINVAL; +- if (count == 0 || count > 1024) +- return 0; +- if (*offset != 0) +- return 0; +- +- page = (unsigned char 
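Review bot: The full-list test in c4iw_set_page() is an equality, `mhp->mpl_len == mhp->attr.pbl_size`, and the very next statement writes `mhp->mpl[mhp->mpl_len++]`, so if mpl_len ever started above the limit the check would not stop the write. `if (unlikely(mhp->mpl_len >= mhp->attr.pbl_size))` costs nothing and fails closed. The allocation of `mhp->mpl` is not in this hunk, so it is also worth confirming that it holds at least `attr.pbl_size` entries now that the bound has changed. The function continues past the hunk.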
*)__get_free_page(GFP_KERNEL); +- if (!page) +- return -ENOMEM; ++ char lbuf[20]; + + value = readl(address); +- len = sprintf(page, "%d\n", value); +- +- if (copy_to_user(buf, page, len)) { +- retval = -EFAULT; +- goto exit; +- } +- *offset += len; +- retval = len; ++ len = snprintf(lbuf, sizeof(lbuf), "%d\n", value); + +-exit: +- free_page((unsigned long)page); +- return retval; ++ return simple_read_from_buffer(buf, count, offset, lbuf, len); + } + + static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset) +diff --git a/drivers/misc/vmw_balloon.c b/drivers/misc/vmw_balloon.c +index fe90b7e04427..5e047bfc0cc4 100644 +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -467,7 +467,7 @@ static int vmballoon_send_batched_lock(struct vmballoon *b, + unsigned int num_pages, bool is_2m_pages, unsigned int *target) + { + unsigned long status; +- unsigned long pfn = page_to_pfn(b->page); ++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page)); + + STATS_INC(b->stats.lock[is_2m_pages]); + +@@ -515,7 +515,7 @@ static bool vmballoon_send_batched_unlock(struct vmballoon *b, + unsigned int num_pages, bool is_2m_pages, unsigned int *target) + { + unsigned long status; +- unsigned long pfn = page_to_pfn(b->page); ++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page)); + + STATS_INC(b->stats.unlock[is_2m_pages]); + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 40ce175655e6..99f67764765f 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -231,6 +231,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Corsair K70 RGB */ + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* Corsair Strafe */ ++ { USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT | ++ USB_QUIRK_DELAY_CTRL_MSG }, ++ + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + 
USB_QUIRK_DELAY_CTRL_MSG }, +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index e4cf3322bcb3..0ec809a35a3f 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -638,7 +638,7 @@ struct xhci_ring *xhci_stream_id_to_ring( + if (!ep->stream_info) + return NULL; + +- if (stream_id > ep->stream_info->num_streams) ++ if (stream_id >= ep->stream_info->num_streams) + return NULL; + return ep->stream_info->stream_rings[stream_id]; + } +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 343fa6ff9f4b..512c84adcace 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -414,8 +414,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + loff_t *ppos) + { + struct usb_yurex *dev; +- int retval = 0; +- int bytes_read = 0; ++ int len = 0; + char in_buffer[20]; + unsigned long flags; + +@@ -423,26 +422,16 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, + + mutex_lock(&dev->io_mutex); + if (!dev->interface) { /* already disconnected */ +- retval = -ENODEV; +- goto exit; ++ mutex_unlock(&dev->io_mutex); ++ return -ENODEV; + } + + spin_lock_irqsave(&dev->lock, flags); +- bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu); ++ len = snprintf(in_buffer, 20, "%lld\n", dev->bbu); + spin_unlock_irqrestore(&dev->lock, flags); +- +- if (*ppos < bytes_read) { +- if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos)) +- retval = -EFAULT; +- else { +- retval = bytes_read - *ppos; +- *ppos += bytes_read; +- } +- } +- +-exit: + mutex_unlock(&dev->io_mutex); +- return retval; ++ ++ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); + } + + static ssize_t yurex_write(struct file *file, const char __user *user_buffer, +diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c +index 71133d96f97d..f73ea14e8173 100644 +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -118,7 
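Review bot: In the second yurex.c hunk, `len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);` returns the length the output would have had, not the number of bytes stored, and that value is now handed to `simple_read_from_buffer()` as the amount of data available in the 20-byte `in_buffer`. A negative value with 19 digits formats to 21 characters, so if `dev->bbu` can hold one, `len` exceeds the buffer and the copy to user space reads past the end of the stack array. `len = scnprintf(in_buffer, sizeof(in_buffer), "%lld\n", dev->bbu);` bounds `len` to what was actually written and drops the repeated literal 20. The declaration of `in_buffer` is in the first yurex.c hunk; the type of `bbu` is not shown in either.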
+118,7 @@ static int ch341_control_in(struct usb_device *dev, + r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, + value, index, buf, bufsize, DEFAULT_TIMEOUT); +- if (r < bufsize) { ++ if (r < (int)bufsize) { + if (r >= 0) { + dev_err(&dev->dev, + "short control message received (%d < %u)\n", +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 73835027a7cc..97382301c393 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -145,6 +145,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ + { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */ ++ { USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ + { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */ + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ +diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c +index 6b0942428917..8a4047de43dc 100644 +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -373,8 +373,10 @@ static int keyspan_pda_get_modem_info(struct usb_serial *serial, + 3, /* get pins */ + USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN, + 0, 0, data, 1, 2000); +- if (rc >= 0) ++ if (rc == 1) + *value = *data; ++ else if (rc >= 0) ++ rc = -EIO; + + kfree(data); + return rc; +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c +index ed883a7ad533..58ba6904a087 100644 +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -482,6 +482,9 @@ static void mos7840_control_callback(struct urb *urb) + } + + dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length); ++ if (urb->actual_length < 1) 
++ goto out; ++ + dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__, + mos7840_port->MsrLsr, mos7840_port->port_num); + data = urb->transfer_buffer; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 7efd70bfeaf7..d106b981d86f 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -923,7 +923,7 @@ static int check_async_write(struct inode *inode, unsigned long bio_flags) + if (bio_flags & EXTENT_BIO_TREE_LOG) + return 0; + #ifdef CONFIG_X86 +- if (static_cpu_has_safe(X86_FEATURE_XMM4_2)) ++ if (static_cpu_has(X86_FEATURE_XMM4_2)) + return 0; + #endif + return 1; +diff --git a/fs/inode.c b/fs/inode.c +index b95615f3fc50..a39c2724d8a0 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1937,8 +1937,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + inode->i_uid = current_fsuid(); + if (dir && dir->i_mode & S_ISGID) { + inode->i_gid = dir->i_gid; ++ ++ /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; ++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && ++ !in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(dir, CAP_FSETID)) ++ mode &= ~S_ISGID; + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; +diff --git a/include/linux/libata.h b/include/linux/libata.h +index b20a2752f934..6428ac4746de 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -210,6 +210,7 @@ enum { + ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */ + /* (doesn't imply presence) */ + ATA_FLAG_SATA = (1 << 1), ++ ATA_FLAG_NO_LPM = (1 << 2), /* host not happy with LPM */ + ATA_FLAG_NO_LOG_PAGE = (1 << 5), /* do not issue log page read */ + ATA_FLAG_NO_ATAPI = (1 << 6), /* No ATAPI support */ + ATA_FLAG_PIO_DMA = (1 << 7), /* PIO cmds via DMA */ +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 526e8911460a..f83c1876b39c 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -184,6 +184,11 @@ static ssize_t 
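Review bot: The new `else if` branch in inode_init_owner clears S_ISGID without a comment, although the directory branch directly above it received one. The test fires only when both S_ISGID and S_IXGRP are requested and the creator is neither in the inherited group nor holds CAP_FSETID with respect to `dir`. A mode that carries S_ISGID without group-execute therefore passes through unchanged, and that should be written down so the mask test is not "simplified" later. I would add `/* Non-directories: drop setgid+group-exec unless the creator is in the group or has CAP_FSETID */` above the `else if`. The function starts and ends outside this hunk.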
snapshot_write(struct file *filp, const char __user *buf, + res = PAGE_SIZE - pg_offp; + } + ++ if (!data_of(data->handle)) { ++ res = -EINVAL; ++ goto unlock; ++ } ++ + res = simple_write_to_buffer(data_of(data->handle), res, &pg_offp, + buf, count); + if (res > 0) +diff --git a/lib/atomic64_test.c b/lib/atomic64_test.c +index 83c33a5bcffb..de67fea3cf46 100644 +--- a/lib/atomic64_test.c ++++ b/lib/atomic64_test.c +@@ -16,6 +16,10 @@ + #include + #include + ++#ifdef CONFIG_X86 ++#include /* for boot_cpu_has below */ ++#endif ++ + #define TEST(bit, op, c_op, val) \ + do { \ + atomic##bit##_set(&v, v0); \ +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 9f70c267a7a5..665fd87cc105 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -701,6 +701,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net, + } + i = 0; + ++ memset(&mtpar, 0, sizeof(mtpar)); ++ memset(&tgpar, 0, sizeof(tgpar)); + mtpar.net = tgpar.net = net; + mtpar.table = tgpar.table = name; + mtpar.entryinfo = tgpar.entryinfo = e; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index dac62b5e7fe3..9363c1a70f16 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -663,6 +663,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, + return -ENOMEM; + + j = 0; ++ memset(&mtpar, 0, sizeof(mtpar)); + mtpar.net = net; + mtpar.table = name; + mtpar.entryinfo = &e->ip; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 795c343347ec..6cb9e35d23ac 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -676,6 +676,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, + return -ENOMEM; + + j = 0; ++ memset(&mtpar, 0, sizeof(mtpar)); + mtpar.net = net; + mtpar.table = name; + mtpar.entryinfo = &e->ipv6; +diff --git a/net/netfilter/nfnetlink_queue.c 
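Review bot: The two `memset()` calls added to ebt_check_entry zero `mtpar` and `tgpar` just before the member-by-member assignments, but the reason is not recorded. Any member not assigned there would otherwise be handed on with whatever was on the stack. A comment such as `/* zero first: members not set below must not carry stack contents into the extension checks */` would stop a later cleanup from dropping them. The find_check_entry hunks in ip_tables.c and ip6_tables.c zero only `mtpar`; how the target-side parameter block is initialised there lies outside those hunks and should be confirmed.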
b/net/netfilter/nfnetlink_queue.c +index 7edcfda288c4..54cde78c2718 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1106,6 +1106,9 @@ nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb, + static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = { + [NFQA_CFG_CMD] = { .len = sizeof(struct nfqnl_msg_config_cmd) }, + [NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) }, ++ [NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 }, ++ [NFQA_CFG_MASK] = { .type = NLA_U32 }, ++ [NFQA_CFG_FLAGS] = { .type = NLA_U32 }, + }; + + static const struct nf_queue_handler nfqh = { +diff --git a/tools/build/Build.include b/tools/build/Build.include +index 4d000bc959b4..1c570528baf7 100644 +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -62,8 +62,8 @@ dep-cmd = $(if $(wildcard $(fixdep)), + $(fixdep) $(depfile) $@ '$(make-cmd)' > $(dot-target).tmp; \ + rm -f $(depfile); \ + mv -f $(dot-target).tmp $(dot-target).cmd, \ +- printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \ +- printf '\# using basic dep data\n\n' >> $(dot-target).cmd; \ ++ printf '$(pound) cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \ ++ printf '$(pound) using basic dep data\n\n' >> $(dot-target).cmd; \ + cat $(depfile) >> $(dot-target).cmd; \ + printf '%s\n' 'cmd_$@ := $(make-cmd)' >> $(dot-target).cmd) + diff --git a/patch/kernel/mvebu-default/04-patch-4.4.141-142.patch b/patch/kernel/mvebu-default/04-patch-4.4.141-142.patch new file mode 100644 index 0000000000..dc7dd1ece7 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.141-142.patch 
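Review bot: `nfqa_cfg_policy` has no comment stating the rule its three new `NLA_U32` entries enforce: an attribute without a policy entry is not length-checked before it is read. Whether other attribute ids up to NFQA_CFG_MAX are still missing cannot be seen from this hunk and should be checked against the enum. I would put `/* every attribute the config handler reads must have an entry here */` above the table so the next added attribute gets its entry in the same change.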
@@ -0,0 +1,186 @@ +diff --git a/Makefile b/Makefile +index 3fc39e41dbde..75d6176c8786 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 141 ++SUBLEVEL = 142 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 814276d0eed1..736e2843139b 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -686,13 +686,14 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_1_EDX] = edx; + } + ++ /* Thermal and Power Management Leaf: level 0x00000006 (eax) */ ++ if (c->cpuid_level >= 0x00000006) ++ c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006); ++ + /* Additional Intel-defined flags: level 0x00000007 */ + if (c->cpuid_level >= 0x00000007) { + cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx); +- + c->x86_capability[CPUID_7_0_EBX] = ebx; +- +- c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006); + c->x86_capability[CPUID_7_ECX] = ecx; + } + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index 1db6d73c8dd2..31a981d6229d 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -7,6 +7,7 @@ quote := " + squote := ' + empty := + space := $(empty) $(empty) ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -236,11 +237,11 @@ endif + + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' + # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + # Find any prerequisites that is newer than target or that does not exist. 
+ # PHONY targets skipped in both cases. +diff --git a/tools/arch/x86/include/asm/unistd_32.h b/tools/arch/x86/include/asm/unistd_32.h +new file mode 100644 +index 000000000000..cf33ab09273d +--- /dev/null ++++ b/tools/arch/x86/include/asm/unistd_32.h +@@ -0,0 +1,9 @@ ++#ifndef __NR_perf_event_open ++# define __NR_perf_event_open 336 ++#endif ++#ifndef __NR_futex ++# define __NR_futex 240 ++#endif ++#ifndef __NR_gettid ++# define __NR_gettid 224 ++#endif +diff --git a/tools/arch/x86/include/asm/unistd_64.h b/tools/arch/x86/include/asm/unistd_64.h +new file mode 100644 +index 000000000000..2c9835695b56 +--- /dev/null ++++ b/tools/arch/x86/include/asm/unistd_64.h +@@ -0,0 +1,9 @@ ++#ifndef __NR_perf_event_open ++# define __NR_perf_event_open 298 ++#endif ++#ifndef __NR_futex ++# define __NR_futex 202 ++#endif ++#ifndef __NR_gettid ++# define __NR_gettid 186 ++#endif +diff --git a/tools/build/Build.include b/tools/build/Build.include +index 1c570528baf7..0340d8a51dab 100644 +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -12,6 +12,7 @@ + # Convenient variables + comma := , + squote := ' ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -43,11 +44,11 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + ### + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' + # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + ### + # Find any prerequisites that is newer than target or that does not exist. 
+diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile +index de89ec574361..b92c952b01ef 100644 +--- a/tools/perf/config/Makefile ++++ b/tools/perf/config/Makefile +@@ -200,6 +200,7 @@ CFLAGS += -I$(src-perf)/arch/$(ARCH)/include + CFLAGS += -I$(srctree)/tools/include/ + CFLAGS += -I$(srctree)/arch/$(ARCH)/include/uapi + CFLAGS += -I$(srctree)/arch/$(ARCH)/include ++CFLAGS += -I$(srctree)/tools/arch/$(ARCH)/include + CFLAGS += -I$(srctree)/include/uapi + CFLAGS += -I$(srctree)/include + +diff --git a/tools/perf/perf-sys.h b/tools/perf/perf-sys.h +index 83a25cef82fd..5cee8a3d0455 100644 +--- a/tools/perf/perf-sys.h ++++ b/tools/perf/perf-sys.h +@@ -11,29 +11,11 @@ + #if defined(__i386__) + #define cpu_relax() asm volatile("rep; nop" ::: "memory"); + #define CPUINFO_PROC {"model name"} +-#ifndef __NR_perf_event_open +-# define __NR_perf_event_open 336 +-#endif +-#ifndef __NR_futex +-# define __NR_futex 240 +-#endif +-#ifndef __NR_gettid +-# define __NR_gettid 224 +-#endif + #endif + + #if defined(__x86_64__) + #define cpu_relax() asm volatile("rep; nop" ::: "memory"); + #define CPUINFO_PROC {"model name"} +-#ifndef __NR_perf_event_open +-# define __NR_perf_event_open 298 +-#endif +-#ifndef __NR_futex +-# define __NR_futex 202 +-#endif +-#ifndef __NR_gettid +-# define __NR_gettid 186 +-#endif + #endif + + #ifdef __powerpc__ +diff --git a/tools/perf/util/include/asm/unistd_32.h b/tools/perf/util/include/asm/unistd_32.h +deleted file mode 100644 +index 8b137891791f..000000000000 +--- a/tools/perf/util/include/asm/unistd_32.h ++++ /dev/null +@@ -1 +0,0 @@ +- +diff --git a/tools/perf/util/include/asm/unistd_64.h b/tools/perf/util/include/asm/unistd_64.h +deleted file mode 100644 +index 8b137891791f..000000000000 +--- a/tools/perf/util/include/asm/unistd_64.h ++++ /dev/null +@@ -1 +0,0 @@ +- +diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include +index 19edc1a7a232..7ea4438b801d 100644 +--- a/tools/scripts/Makefile.include ++++ 
b/tools/scripts/Makefile.include
+@@ -92,3 +92,5 @@ ifneq ($(silent),1)
+ QUIET_INSTALL = @printf ' INSTALL %s\n' $1;
+ endif
+ endif
++
++pound := \#
diff --git a/patch/kernel/mvebu-default/04-patch-4.4.142-143.patch b/patch/kernel/mvebu-default/04-patch-4.4.142-143.patch
new file mode 100644
index 0000000000..3040a38248
--- /dev/null
+++ b/patch/kernel/mvebu-default/04-patch-4.4.142-143.patch
@@ -0,0 +1,1006 @@ +diff --git a/Makefile b/Makefile +index 75d6176c8786..54690fee0485 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 142 ++SUBLEVEL = 143 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 1ee603d07847..354b99f56c1e 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -629,21 +629,48 @@ unsigned long arch_align_stack(unsigned long sp) + return sp & ALMASK; + } + ++static DEFINE_PER_CPU(struct call_single_data, backtrace_csd); ++static struct cpumask backtrace_csd_busy; ++ + static void arch_dump_stack(void *info) + { + struct pt_regs *regs; ++ static arch_spinlock_t lock = __ARCH_SPIN_LOCK_UNLOCKED; + ++ arch_spin_lock(&lock); + regs = get_irq_regs(); + + if (regs) + show_regs(regs); ++ else ++ dump_stack(); ++ arch_spin_unlock(&lock); + +- dump_stack(); ++ cpumask_clear_cpu(smp_processor_id(), &backtrace_csd_busy); + } + + void arch_trigger_all_cpu_backtrace(bool include_self) + { +- smp_call_function(arch_dump_stack, NULL, 1); ++ struct call_single_data *csd; ++ int cpu; ++ ++ for_each_cpu(cpu, cpu_online_mask) { ++ /* ++ * If we previously sent an IPI to the target CPU & it hasn't ++ * cleared its bit in the busy cpumask then it didn't handle ++ * our previous IPI & it's not safe for us to reuse the ++ * call_single_data_t. 
++ */ ++ if (cpumask_test_and_set_cpu(cpu, &backtrace_csd_busy)) { ++ pr_warn("Unable to send backtrace IPI to CPU%u - perhaps it hung?\n", ++ cpu); ++ continue; ++ } ++ ++ csd = &per_cpu(backtrace_csd, cpu); ++ csd->func = arch_dump_stack; ++ smp_call_function_single_async(cpu, csd); ++ } + } + + int mips_get_process_fp_mode(struct task_struct *task) +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 31ca2edd7218..1b901218e3ae 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -344,6 +344,7 @@ static void __show_regs(const struct pt_regs *regs) + void show_regs(struct pt_regs *regs) + { + __show_regs((struct pt_regs *)regs); ++ dump_stack(); + } + + void show_registers(struct pt_regs *regs) +diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h +index 1c79c8add0eb..21e84a31d211 100644 +--- a/arch/x86/include/asm/asm.h ++++ b/arch/x86/include/asm/asm.h +@@ -44,6 +44,65 @@ + #define _ASM_SI __ASM_REG(si) + #define _ASM_DI __ASM_REG(di) + ++#ifndef __x86_64__ ++/* 32 bit */ ++ ++#define _ASM_ARG1 _ASM_AX ++#define _ASM_ARG2 _ASM_DX ++#define _ASM_ARG3 _ASM_CX ++ ++#define _ASM_ARG1L eax ++#define _ASM_ARG2L edx ++#define _ASM_ARG3L ecx ++ ++#define _ASM_ARG1W ax ++#define _ASM_ARG2W dx ++#define _ASM_ARG3W cx ++ ++#define _ASM_ARG1B al ++#define _ASM_ARG2B dl ++#define _ASM_ARG3B cl ++ ++#else ++/* 64 bit */ ++ ++#define _ASM_ARG1 _ASM_DI ++#define _ASM_ARG2 _ASM_SI ++#define _ASM_ARG3 _ASM_DX ++#define _ASM_ARG4 _ASM_CX ++#define _ASM_ARG5 r8 ++#define _ASM_ARG6 r9 ++ ++#define _ASM_ARG1Q rdi ++#define _ASM_ARG2Q rsi ++#define _ASM_ARG3Q rdx ++#define _ASM_ARG4Q rcx ++#define _ASM_ARG5Q r8 ++#define _ASM_ARG6Q r9 ++ ++#define _ASM_ARG1L edi ++#define _ASM_ARG2L esi ++#define _ASM_ARG3L edx ++#define _ASM_ARG4L ecx ++#define _ASM_ARG5L r8d ++#define _ASM_ARG6L r9d ++ ++#define _ASM_ARG1W di ++#define _ASM_ARG2W si ++#define _ASM_ARG3W dx ++#define _ASM_ARG4W cx ++#define _ASM_ARG5W r8w ++#define _ASM_ARG6W 
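Review bot: `arch_trigger_all_cpu_backtrace()` keeps its `include_self` parameter but the new loop never reads it. `for_each_cpu(cpu, cpu_online_mask)` visits every online CPU including the caller, whereas the removed `smp_call_function()` ran the handler on the other CPUs only. If callers that pass `false` should still skip the calling CPU, add `if (!include_self && cpu == smp_processor_id()) continue;` at the top of the loop body, assuming the function runs with preemption disabled; otherwise document that the flag is ignored. The block comment also refers to `call_single_data_t`, while the declaration in this hunk is `struct call_single_data`, so the comment should name the type actually used.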
r9w ++ ++#define _ASM_ARG1B dil ++#define _ASM_ARG2B sil ++#define _ASM_ARG3B dl ++#define _ASM_ARG4B cl ++#define _ASM_ARG5B r8b ++#define _ASM_ARG6B r9b ++ ++#endif ++ + /* Exception table entry */ + #ifdef __ASSEMBLY__ + # define _ASM_EXTABLE(from,to) \ +diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c +index c302f47f6323..94712e1c5cf9 100644 +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1481,6 +1481,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg) + return -EFAULT; + if (pool < 0 || pool > ZATM_LAST_POOL) + return -EINVAL; ++ pool = array_index_nospec(pool, ++ ZATM_LAST_POOL + 1); + if (copy_from_user(&info, + &((struct zatm_pool_req __user *) arg)->info, + sizeof(info))) return -EFAULT; +diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c +index 58a630e55d5d..78d0722feacb 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -207,7 +207,7 @@ static u32 crypto4xx_build_pdr(struct crypto4xx_device *dev) + dev->pdr_pa); + return -ENOMEM; + } +- memset(dev->pdr, 0, sizeof(struct ce_pd) * PPC4XX_NUM_PD); ++ memset(dev->pdr, 0, sizeof(struct ce_pd) * PPC4XX_NUM_PD); + dev->shadow_sa_pool = dma_alloc_coherent(dev->core_dev->device, + 256 * PPC4XX_NUM_PD, + &dev->shadow_sa_pool_pa, +@@ -240,13 +240,15 @@ static u32 crypto4xx_build_pdr(struct crypto4xx_device *dev) + + static void crypto4xx_destroy_pdr(struct crypto4xx_device *dev) + { +- if (dev->pdr != NULL) ++ if (dev->pdr) + dma_free_coherent(dev->core_dev->device, + sizeof(struct ce_pd) * PPC4XX_NUM_PD, + dev->pdr, dev->pdr_pa); ++ + if (dev->shadow_sa_pool) + dma_free_coherent(dev->core_dev->device, 256 * PPC4XX_NUM_PD, + dev->shadow_sa_pool, dev->shadow_sa_pool_pa); ++ + if (dev->shadow_sr_pool) + dma_free_coherent(dev->core_dev->device, + sizeof(struct sa_state_record) * PPC4XX_NUM_PD, +@@ -416,12 +418,12 @@ static u32 crypto4xx_build_sdr(struct crypto4xx_device *dev) + + static void 
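Review bot: The zatm_ioctl hunk calls `array_index_nospec()`, but this patch has no hunk adding an include to zatm.c, unlike the cxgb3_main.c change further down, which adds an `#include` line. Confirm `<linux/nospec.h>` is already included there, otherwise the file stops building. The clamp size `ZATM_LAST_POOL + 1` matches the inclusive bound check `pool > ZATM_LAST_POOL` just above it, which is correct. A short comment would keep the two in step: `/* bounds checked above; clamp again so a mispredicted branch cannot index past the pool array */`. zatm_ioctl starts and ends outside the hunk.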
crypto4xx_destroy_sdr(struct crypto4xx_device *dev) + { +- if (dev->sdr != NULL) ++ if (dev->sdr) + dma_free_coherent(dev->core_dev->device, + sizeof(struct ce_sd) * PPC4XX_NUM_SD, + dev->sdr, dev->sdr_pa); + +- if (dev->scatter_buffer_va != NULL) ++ if (dev->scatter_buffer_va) + dma_free_coherent(dev->core_dev->device, + dev->scatter_buffer_size * PPC4XX_NUM_SD, + dev->scatter_buffer_va, +@@ -1029,12 +1031,10 @@ int crypto4xx_register_alg(struct crypto4xx_device *sec_dev, + break; + } + +- if (rc) { +- list_del(&alg->entry); ++ if (rc) + kfree(alg); +- } else { ++ else + list_add_tail(&alg->entry, &sec_dev->alg_list); +- } + } + + return 0; +@@ -1188,7 +1188,7 @@ static int crypto4xx_probe(struct platform_device *ofdev) + + rc = crypto4xx_build_gdr(core_dev->dev); + if (rc) +- goto err_build_gdr; ++ goto err_build_pdr; + + rc = crypto4xx_build_sdr(core_dev->dev); + if (rc) +@@ -1230,12 +1230,11 @@ err_iomap: + err_request_irq: + irq_dispose_mapping(core_dev->irq); + tasklet_kill(&core_dev->tasklet); +- crypto4xx_destroy_sdr(core_dev->dev); + err_build_sdr: ++ crypto4xx_destroy_sdr(core_dev->dev); + crypto4xx_destroy_gdr(core_dev->dev); +-err_build_gdr: +- crypto4xx_destroy_pdr(core_dev->dev); + err_build_pdr: ++ crypto4xx_destroy_pdr(core_dev->dev); + kfree(core_dev->dev); + err_alloc_dev: + kfree(core_dev); +diff --git a/drivers/net/ethernet/broadcom/bcm63xx_enet.c b/drivers/net/ethernet/broadcom/bcm63xx_enet.c +index 8b1929e9f698..ec5834087e4b 100644 +--- a/drivers/net/ethernet/broadcom/bcm63xx_enet.c ++++ b/drivers/net/ethernet/broadcom/bcm63xx_enet.c +@@ -1063,7 +1063,8 @@ static int bcm_enet_open(struct net_device *dev) + val = enet_readl(priv, ENET_CTL_REG); + val |= ENET_CTL_ENABLE_MASK; + enet_writel(priv, val, ENET_CTL_REG); +- enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG); ++ if (priv->dma_has_sram) ++ enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG); + enet_dmac_writel(priv, priv->dma_chan_en_mask, + ENETDMAC_CHANCFG, 
priv->rx_chan); + +@@ -1787,7 +1788,9 @@ static int bcm_enet_probe(struct platform_device *pdev) + ret = PTR_ERR(priv->mac_clk); + goto out; + } +- clk_prepare_enable(priv->mac_clk); ++ ret = clk_prepare_enable(priv->mac_clk); ++ if (ret) ++ goto out_put_clk_mac; + + /* initialize default and fetch platform data */ + priv->rx_ring_size = BCMENET_DEF_RX_DESC; +@@ -1819,9 +1822,11 @@ static int bcm_enet_probe(struct platform_device *pdev) + if (IS_ERR(priv->phy_clk)) { + ret = PTR_ERR(priv->phy_clk); + priv->phy_clk = NULL; +- goto out_put_clk_mac; ++ goto out_disable_clk_mac; + } +- clk_prepare_enable(priv->phy_clk); ++ ret = clk_prepare_enable(priv->phy_clk); ++ if (ret) ++ goto out_put_clk_phy; + } + + /* do minimal hardware init to be able to probe mii bus */ +@@ -1921,13 +1926,16 @@ out_free_mdio: + out_uninit_hw: + /* turn off mdc clock */ + enet_writel(priv, 0, ENET_MIISC_REG); +- if (priv->phy_clk) { ++ if (priv->phy_clk) + clk_disable_unprepare(priv->phy_clk); ++ ++out_put_clk_phy: ++ if (priv->phy_clk) + clk_put(priv->phy_clk); +- } + +-out_put_clk_mac: ++out_disable_clk_mac: + clk_disable_unprepare(priv->mac_clk); ++out_put_clk_mac: + clk_put(priv->mac_clk); + out: + free_netdev(dev); +@@ -2772,7 +2780,9 @@ static int bcm_enetsw_probe(struct platform_device *pdev) + ret = PTR_ERR(priv->mac_clk); + goto out_unmap; + } +- clk_enable(priv->mac_clk); ++ ret = clk_prepare_enable(priv->mac_clk); ++ if (ret) ++ goto out_put_clk; + + priv->rx_chan = 0; + priv->tx_chan = 1; +@@ -2793,7 +2803,7 @@ static int bcm_enetsw_probe(struct platform_device *pdev) + + ret = register_netdev(dev); + if (ret) +- goto out_put_clk; ++ goto out_disable_clk; + + netif_carrier_off(dev); + platform_set_drvdata(pdev, dev); +@@ -2802,6 +2812,9 @@ static int bcm_enetsw_probe(struct platform_device *pdev) + + return 0; + ++out_disable_clk: ++ clk_disable_unprepare(priv->mac_clk); ++ + out_put_clk: + clk_put(priv->mac_clk); + +@@ -2833,6 +2846,9 @@ static int bcm_enetsw_remove(struct 
platform_device *pdev) + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + release_mem_region(res->start, resource_size(res)); + ++ clk_disable_unprepare(priv->mac_clk); ++ clk_put(priv->mac_clk); ++ + free_netdev(dev); + return 0; + } +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 8f7aa53a4c4b..7ae8374bff13 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + #include + + #include "common.h" +@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + + if (t.qset_idx >= nqsets) + return -EINVAL; ++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets); + + q = &adapter->params.sge.qset[q1 + t.qset_idx]; + t.rspq_size = q->rspq_size; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 16bd585365a8..9ac14df0ca3b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -643,6 +643,7 @@ static void cmd_work_handler(struct work_struct *work) + struct semaphore *sem; + unsigned long flags; + int alloc_ret; ++ int cmd_mode; + + sem = ent->page_queue ? 
&cmd->pages_sem : &cmd->sem; + down(sem); +@@ -688,6 +689,7 @@ static void cmd_work_handler(struct work_struct *work) + set_signature(ent, !cmd->checksum_disabled); + dump_command(dev, ent, 1); + ent->ts1 = ktime_get_ns(); ++ cmd_mode = cmd->mode; + + /* ring doorbell after the descriptor is valid */ + mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx); +@@ -695,7 +697,7 @@ static void cmd_work_handler(struct work_struct *work) + iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell); + mmiowb(); + /* if not in polling don't use ent after this point */ +- if (cmd->mode == CMD_MODE_POLLING) { ++ if (cmd_mode == CMD_MODE_POLLING) { + poll_timeout(ent); + /* make sure we read the descriptor after ownership is SW */ + rmb(); +@@ -1126,7 +1128,7 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + { + struct mlx5_core_dev *dev = filp->private_data; + struct mlx5_cmd_debug *dbg = &dev->cmd.dbg; +- char outlen_str[8]; ++ char outlen_str[8] = {0}; + int outlen; + void *ptr; + int err; +@@ -1141,8 +1143,6 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + if (copy_from_user(outlen_str, buf, count)) + return -EFAULT; + +- outlen_str[7] = 0; +- + err = sscanf(outlen_str, "%d", &outlen); + if (err < 0) + return err; +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index 174f7341c5c3..688b6da5a9bb 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include "qed.h" + #include "qed_sp.h" +@@ -634,6 +635,14 @@ static int qed_slowpath_setup_int(struct qed_dev *cdev, + /* We want a minimum of one slowpath and one fastpath vector per hwfn */ + cdev->int_params.in.min_msix_cnt = cdev->num_hwfns * 2; + ++ if (is_kdump_kernel()) { ++ DP_INFO(cdev, ++ "Kdump kernel: Limit the max number of requested MSI-X vectors to %hd\n", ++ 
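Review bot: In outlen_write the `sscanf()` result is rejected only by `if (err < 0)`, so input with no digits makes it return 0 and leaves `outlen` unset; it is declared without an initialiser in the first hunk and presumably used after the second. Require exactly one conversion instead: `if (sscanf(outlen_str, "%d", &outlen) != 1) return -EINVAL;`. With `outlen_str[7] = 0;` removed, termination now depends on the `= {0}` initialiser together with a bound on `count` that lies outside both hunks. Confirm that `count` can never reach `sizeof(outlen_str)`, since `copy_from_user()` would then overwrite the last zero byte.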
cdev->int_params.in.min_msix_cnt); ++ cdev->int_params.in.num_vectors = ++ cdev->int_params.in.min_msix_cnt; ++ } ++ + rc = qed_set_int_mode(cdev, false); + if (rc) { + DP_ERR(cdev, "qed_slowpath_setup_int ERR\n"); +diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c +index e23a642357e7..eb4d8df49399 100644 +--- a/drivers/net/ethernet/sun/sungem.c ++++ b/drivers/net/ethernet/sun/sungem.c +@@ -60,8 +60,7 @@ + #include + #include "sungem.h" + +-/* Stripping FCS is causing problems, disabled for now */ +-#undef STRIP_FCS ++#define STRIP_FCS + + #define DEFAULT_MSG (NETIF_MSG_DRV | \ + NETIF_MSG_PROBE | \ +@@ -435,7 +434,7 @@ static int gem_rxmac_reset(struct gem *gp) + writel(desc_dma & 0xffffffff, gp->regs + RXDMA_DBLOW); + writel(RX_RING_SIZE - 4, gp->regs + RXDMA_KICK); + val = (RXDMA_CFG_BASE | (RX_OFFSET << 10) | +- ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128); ++ (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128); + writel(val, gp->regs + RXDMA_CFG); + if (readl(gp->regs + GREG_BIFCFG) & GREG_BIFCFG_M66EN) + writel(((5 & RXDMA_BLANK_IPKTS) | +@@ -760,7 +759,6 @@ static int gem_rx(struct gem *gp, int work_to_do) + struct net_device *dev = gp->dev; + int entry, drops, work_done = 0; + u32 done; +- __sum16 csum; + + if (netif_msg_rx_status(gp)) + printk(KERN_DEBUG "%s: rx interrupt, done: %d, rx_new: %d\n", +@@ -855,9 +853,13 @@ static int gem_rx(struct gem *gp, int work_to_do) + skb = copy_skb; + } + +- csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff); +- skb->csum = csum_unfold(csum); +- skb->ip_summed = CHECKSUM_COMPLETE; ++ if (likely(dev->features & NETIF_F_RXCSUM)) { ++ __sum16 csum; ++ ++ csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff); ++ skb->csum = csum_unfold(csum); ++ skb->ip_summed = CHECKSUM_COMPLETE; ++ } + skb->protocol = eth_type_trans(skb, gp->dev); + + napi_gro_receive(&gp->napi, skb); +@@ -1755,7 +1757,7 @@ static void gem_init_dma(struct gem *gp) + writel(0, gp->regs + TXDMA_KICK); + + val 
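Review bot: Replacing `((14 / 2) << 13)` with `(ETH_HLEN << 13)` in gem_rxmac_reset, and again in the gem_init_dma hunk, doubles the value written into that RXDMA_CFG field from 7 to 14, and nothing in the code records why. Presumably the field is the receive checksum start offset and the hardware counts it in bytes rather than half-words; confirm against the register description. Then say so at both sites, for example `/* csum start offset, in bytes: skip the Ethernet header */`. The same patch turns `STRIP_FCS` back on while deleting the comment that said stripping caused problems, so a line on what changed to make it safe would help whoever next debugs receive-length issues.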
= (RXDMA_CFG_BASE | (RX_OFFSET << 10) | +- ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128); ++ (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128); + writel(val, gp->regs + RXDMA_CFG); + + writel(desc_dma >> 32, gp->regs + RXDMA_DBHI); +@@ -2973,8 +2975,8 @@ static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + pci_set_drvdata(pdev, dev); + + /* We can do scatter/gather and HW checksum */ +- dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM; +- dev->features |= dev->hw_features | NETIF_F_RXCSUM; ++ dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_RXCSUM; ++ dev->features = dev->hw_features; + if (pci_using_dac) + dev->features |= NETIF_F_HIGHDMA; + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 2991d7155540..2bb336cb13ee 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3139,7 +3139,8 @@ static int rtl8152_close(struct net_device *netdev) + #ifdef CONFIG_PM_SLEEP + unregister_pm_notifier(&tp->pm_notifier); + #endif +- napi_disable(&tp->napi); ++ if (!test_bit(RTL8152_UNPLUG, &tp->flags)) ++ napi_disable(&tp->napi); + clear_bit(WORK_ENABLE, &tp->flags); + usb_kill_urb(tp->intr_urb); + cancel_delayed_work_sync(&tp->schedule); +diff --git a/drivers/net/wireless/realtek/rtlwifi/core.c b/drivers/net/wireless/realtek/rtlwifi/core.c +index 8b537a5a4b01..8006f0972ad1 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c +@@ -135,7 +135,6 @@ found_alt: + firmware->size); + rtlpriv->rtlhal.wowlan_fwsize = firmware->size; + } +- rtlpriv->rtlhal.fwsize = firmware->size; + release_firmware(firmware); + } + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 44a5a8777053..645b2197930e 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -955,7 +955,8 @@ err_used: + if (ubufs) + vhost_net_ubuf_put_wait_and_free(ubufs); + err_ubufs: +- sockfd_put(sock); ++ if (sock) ++ sockfd_put(sock); + err_vq: + mutex_unlock(&vq->mutex); + err: +diff 
--git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c +index 72afdca3cea7..3c45a9301a09 100644 +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = { + "panic", /* O2NM_FENCE_PANIC */ + }; + ++static inline void o2nm_lock_subsystem(void); ++static inline void o2nm_unlock_subsystem(void); ++ + struct o2nm_node *o2nm_get_node_by_num(u8 node_num) + { + struct o2nm_node *node = NULL; +@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node) + { + /* through the first node_set .parent + * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */ +- return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); ++ if (node->nd_item.ci_parent) ++ return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent); ++ else ++ return NULL; + } + + enum { +@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page, + size_t count) + { + struct o2nm_node *node = to_o2nm_node(item); +- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); ++ struct o2nm_cluster *cluster; + unsigned long tmp; + char *p = (char *)page; + int ret = 0; +@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page, + !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) + return -EINVAL; /* XXX */ + ++ o2nm_lock_subsystem(); ++ cluster = to_o2nm_cluster_from_node(node); ++ if (!cluster) { ++ o2nm_unlock_subsystem(); ++ return -EINVAL; ++ } ++ + write_lock(&cluster->cl_nodes_lock); + if (cluster->cl_nodes[tmp]) + ret = -EEXIST; +@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page, + set_bit(tmp, cluster->cl_nodes_bitmap); + } + write_unlock(&cluster->cl_nodes_lock); ++ o2nm_unlock_subsystem(); ++ + if (ret) + return ret; + +@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item, + 
size_t count) + { + struct o2nm_node *node = to_o2nm_node(item); +- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); ++ struct o2nm_cluster *cluster; + int ret, i; + struct rb_node **p, *parent; + unsigned int octets[4]; +@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item, + be32_add_cpu(&ipv4_addr, octets[i] << (i * 8)); + } + ++ o2nm_lock_subsystem(); ++ cluster = to_o2nm_cluster_from_node(node); ++ if (!cluster) { ++ o2nm_unlock_subsystem(); ++ return -EINVAL; ++ } ++ + ret = 0; + write_lock(&cluster->cl_nodes_lock); + if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent)) +@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item, + rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree); + } + write_unlock(&cluster->cl_nodes_lock); ++ o2nm_unlock_subsystem(); ++ + if (ret) + return ret; + +@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page, + size_t count) + { + struct o2nm_node *node = to_o2nm_node(item); +- struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node); ++ struct o2nm_cluster *cluster; + unsigned long tmp; + char *p = (char *)page; + ssize_t ret; +@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page, + !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes)) + return -EINVAL; /* XXX */ + ++ o2nm_lock_subsystem(); ++ cluster = to_o2nm_cluster_from_node(node); ++ if (!cluster) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + /* the only failure case is trying to set a new local node + * when a different one is already set */ + if (tmp && tmp == cluster->cl_has_local && +- cluster->cl_local_node != node->nd_num) +- return -EBUSY; ++ cluster->cl_local_node != node->nd_num) { ++ ret = -EBUSY; ++ goto out; ++ } + + /* bring up the rx thread if we're setting the new local node. 
*/ + if (tmp && !cluster->cl_has_local) { + ret = o2net_start_listening(node); + if (ret) +- return ret; ++ goto out; + } + + if (!tmp && cluster->cl_has_local && +@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page, + cluster->cl_local_node = node->nd_num; + } + +- return count; ++ ret = count; ++ ++out: ++ o2nm_unlock_subsystem(); ++ return ret; + } + + CONFIGFS_ATTR(o2nm_node_, num); +@@ -750,6 +787,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = { + }, + }; + ++static inline void o2nm_lock_subsystem(void) ++{ ++ mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex); ++} ++ ++static inline void o2nm_unlock_subsystem(void) ++{ ++ mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex); ++} ++ + int o2nm_depend_item(struct config_item *item) + { + return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item); +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 665fd87cc105..8b8a43fda6ca 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -404,6 +404,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, + watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0); + if (IS_ERR(watcher)) + return PTR_ERR(watcher); ++ ++ if (watcher->family != NFPROTO_BRIDGE) { ++ module_put(watcher->me); ++ return -ENOENT; ++ } ++ + w->u.watcher = watcher; + + par->target = watcher; +@@ -724,6 +730,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net, + goto cleanup_watchers; + } + ++ /* Reject UNSPEC, xtables verdicts/return values are incompatible */ ++ if (target->family != NFPROTO_BRIDGE) { ++ module_put(target->me); ++ ret = -ENOENT; ++ goto cleanup_watchers; ++ } ++ + t->u.target = target; + if (t->u.target == &ebt_standard_target) { + if (gap < sizeof(struct ebt_standard_target)) { +diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c +index 119c04317d48..03fcf3ee1534 100644 +--- a/net/dccp/ccids/ccid3.c 
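Review bot: The family check added in ebt_check_watcher() (hunk at -404) has no explanation, while the same check in ebt_check_entry() (hunk at -724) is commented. A reader of the watcher path alone cannot tell why an extension found by xt_request_find_target() is rejected. I would repeat the comment there: `/* Reject UNSPEC, xtables verdicts/return values are incompatible */`. Both checks release the module reference with module_put() before failing, so only the comment is missing.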
++++ b/net/dccp/ccids/ccid3.c +@@ -599,7 +599,7 @@ static void ccid3_hc_rx_send_feedback(struct sock *sk, + { + struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); +- ktime_t now = ktime_get_real(); ++ ktime_t now = ktime_get(); + s64 delta = 0; + + switch (fbtype) { +@@ -624,15 +624,14 @@ static void ccid3_hc_rx_send_feedback(struct sock *sk, + case CCID3_FBACK_PERIODIC: + delta = ktime_us_delta(now, hc->rx_tstamp_last_feedback); + if (delta <= 0) +- DCCP_BUG("delta (%ld) <= 0", (long)delta); +- else +- hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); ++ delta = 1; ++ hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); + break; + default: + return; + } + +- ccid3_pr_debug("Interval %ldusec, X_recv=%u, 1/p=%u\n", (long)delta, ++ ccid3_pr_debug("Interval %lldusec, X_recv=%u, 1/p=%u\n", delta, + hc->rx_x_recv, hc->rx_pinv); + + hc->rx_tstamp_last_feedback = now; +@@ -679,7 +678,8 @@ static int ccid3_hc_rx_insert_options(struct sock *sk, struct sk_buff *skb) + static u32 ccid3_first_li(struct sock *sk) + { + struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk); +- u32 x_recv, p, delta; ++ u32 x_recv, p; ++ s64 delta; + u64 fval; + + if (hc->rx_rtt == 0) { +@@ -687,7 +687,9 @@ static u32 ccid3_first_li(struct sock *sk) + hc->rx_rtt = DCCP_FALLBACK_RTT; + } + +- delta = ktime_to_us(net_timedelta(hc->rx_tstamp_last_feedback)); ++ delta = ktime_us_delta(ktime_get(), hc->rx_tstamp_last_feedback); ++ if (delta <= 0) ++ delta = 1; + x_recv = scaled_div32(hc->rx_bytes_recv, delta); + if (x_recv == 0) { /* would also trigger divide-by-zero */ + DCCP_WARN("X_recv==0\n"); +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index e26df2764e83..1689c7bdf1c9 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -87,35 +87,39 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + opt++; + kdebug("options: '%s'", opt); + do { ++ int opt_len, opt_nlen; + const char *eq; +- int opt_len, 
opt_nlen, opt_vlen, tmp; ++ char optval[128]; + + next_opt = memchr(opt, '#', end - opt) ?: end; + opt_len = next_opt - opt; +- if (opt_len <= 0 || opt_len > 128) { ++ if (opt_len <= 0 || opt_len > sizeof(optval)) { + pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", + opt_len); + return -EINVAL; + } + +- eq = memchr(opt, '=', opt_len) ?: end; +- opt_nlen = eq - opt; +- eq++; +- opt_vlen = next_opt - eq; /* will be -1 if no value */ ++ eq = memchr(opt, '=', opt_len); ++ if (eq) { ++ opt_nlen = eq - opt; ++ eq++; ++ memcpy(optval, eq, next_opt - eq); ++ optval[next_opt - eq] = '\0'; ++ } else { ++ opt_nlen = opt_len; ++ optval[0] = '\0'; ++ } + +- tmp = opt_vlen >= 0 ? opt_vlen : 0; +- kdebug("option '%*.*s' val '%*.*s'", +- opt_nlen, opt_nlen, opt, tmp, tmp, eq); ++ kdebug("option '%*.*s' val '%s'", ++ opt_nlen, opt_nlen, opt, optval); + + /* see if it's an error number representing a DNS error + * that's to be recorded as the result in this key */ + if (opt_nlen == sizeof(DNS_ERRORNO_OPTION) - 1 && + memcmp(opt, DNS_ERRORNO_OPTION, opt_nlen) == 0) { + kdebug("dns error number option"); +- if (opt_vlen <= 0) +- goto bad_option_value; + +- ret = kstrtoul(eq, 10, &derrno); ++ ret = kstrtoul(optval, 10, &derrno); + if (ret < 0) + goto bad_option_value; + +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 70fb352e317f..75abf978ef30 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -213,8 +213,9 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, + { + struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; + struct tcp_fastopen_context *ctxt; +- int ret; + u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ ++ __le32 key[4]; ++ int ret, i; + + tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); + if (!tbl.data) +@@ -223,11 +224,14 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, + rcu_read_lock(); + ctxt = 
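Review bot: The write `optval[next_opt - eq] = '\0'` in dns_resolver_preparse() is in bounds only because of the earlier `opt_len > sizeof(optval)` test, and nothing in the loop says so. That test also compares an int with a size_t, which is correct only because `opt_len <= 0` is evaluated first. I would add `/* opt_len <= sizeof(optval) and '=' uses one byte, so value plus NUL always fit */` above the memcpy and write the bound as `opt_len > (int)sizeof(optval)`. With the `opt_vlen <= 0` test removed, an empty error-number value is presumably rejected by kstrtoul() itself; a short comment at that call would record the dependency. The loop starts and ends outside this hunk.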
rcu_dereference(tcp_fastopen_ctx); + if (ctxt) +- memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); ++ memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); + else +- memset(user_key, 0, sizeof(user_key)); ++ memset(key, 0, sizeof(key)); + rcu_read_unlock(); + ++ for (i = 0; i < ARRAY_SIZE(key); i++) ++ user_key[i] = le32_to_cpu(key[i]); ++ + snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", + user_key[0], user_key[1], user_key[2], user_key[3]); + ret = proc_dostring(&tbl, write, buffer, lenp, ppos); +@@ -243,12 +247,16 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write, + * first invocation of tcp_fastopen_cookie_gen + */ + tcp_fastopen_init_key_once(false); +- tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH); ++ ++ for (i = 0; i < ARRAY_SIZE(user_key); i++) ++ key[i] = cpu_to_le32(user_key[i]); ++ ++ tcp_fastopen_reset_cipher(key, TCP_FASTOPEN_KEY_LENGTH); + } + + bad_key: + pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", +- user_key[0], user_key[1], user_key[2], user_key[3], ++ user_key[0], user_key[1], user_key[2], user_key[3], + (char *)tbl.data, ret); + kfree(tbl.data); + return ret; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index a9041915afc0..4350ee058441 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3218,6 +3218,15 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets, + + if (tcp_is_reno(tp)) { + tcp_remove_reno_sacks(sk, pkts_acked); ++ ++ /* If any of the cumulatively ACKed segments was ++ * retransmitted, non-SACK case cannot confirm that ++ * progress was due to original transmission due to ++ * lack of TCPCB_SACKED_ACKED bits even if some of ++ * the packets may have been never retransmitted. 
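Review bot: proc_tcp_fastopen_key() now keeps the TCP Fast Open key in two stack arrays, `key` and `user_key`, and as hex text in `tbl.data`, and none of them is cleared before the function returns. I would wipe them on the exit path after `bad_key:` with `memzero_explicit(key, sizeof(key));`, `memzero_explicit(user_key, sizeof(user_key));` and `kzfree(tbl.data);` in place of `kfree(tbl.data);`. The pr_debug() call touched by the second hunk also prints the key words, so the key reaches the kernel log whenever that debug statement is enabled. It would be safer to log only `ret` there. The function starts outside these hunks, so how much the sysctl's access mode limits exposure should be confirmed against the table entry.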
++ */ ++ if (flag & FLAG_RETRANS_DATA_ACKED) ++ flag &= ~FLAG_ORIG_SACK_ACKED; + } else { + int delta; + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index dec4e7bda5f3..11282ffca567 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -692,7 +692,6 @@ static int ipip6_rcv(struct sk_buff *skb) + + if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6))) + goto out; +- iph = ip_hdr(skb); + + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index d25212b135ea..04f060488686 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -754,11 +754,14 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + pr_debug("Fragment %zd bytes remaining %zd", + frag_len, remaining_len); + +- pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, MSG_DONTWAIT, ++ pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, 0, + frag_len + LLCP_HEADER_SIZE, &err); + if (pdu == NULL) { +- pr_err("Could not allocate PDU\n"); +- continue; ++ pr_err("Could not allocate PDU (error=%d)\n", err); ++ len -= remaining_len; ++ if (len == 0) ++ len = err; ++ break; + } + + pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI); +diff --git a/net/rds/loop.c b/net/rds/loop.c +index 6b12b68541ae..05cab8c5a379 100644 +--- a/net/rds/loop.c ++++ b/net/rds/loop.c +@@ -191,4 +191,5 @@ struct rds_transport rds_loop_transport = { + .inc_copy_to_user = rds_message_inc_copy_to_user, + .inc_free = rds_loop_inc_free, + .t_name = "loopback", ++ .t_type = RDS_TRANS_LOOP, + }; +diff --git a/net/rds/rds.h b/net/rds/rds.h +index 4588860f4c3b..254f1345cf7e 100644 +--- a/net/rds/rds.h ++++ b/net/rds/rds.h +@@ -401,6 +401,11 @@ struct rds_notifier { + int n_status; + }; + ++/* Available as part of RDS core, so doesn't need to participate ++ * in get_preferred transport etc ++ */ ++#define RDS_TRANS_LOOP 3 ++ + /** + * struct rds_transport - transport specific behavioural hooks + * +diff --git a/net/rds/recv.c b/net/rds/recv.c 
+index 0514af3ab378..6275de19689c 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -76,6 +76,11 @@ static void rds_recv_rcvbuf_delta(struct rds_sock *rs, struct sock *sk, + return; + + rs->rs_rcv_bytes += delta; ++ ++ /* loop transport doesn't send/recv congestion updates */ ++ if (rs->rs_transport->t_type == RDS_TRANS_LOOP) ++ return; ++ + now_congested = rs->rs_rcv_bytes > rds_sk_rcvbuf(rs); + + rdsdebug("rs %p (%pI4:%u) recv bytes %d buf %d " +diff --git a/net/sched/sch_blackhole.c b/net/sched/sch_blackhole.c +index 3fee70d9814f..562edd50fa94 100644 +--- a/net/sched/sch_blackhole.c ++++ b/net/sched/sch_blackhole.c +@@ -20,7 +20,7 @@ + static int blackhole_enqueue(struct sk_buff *skb, struct Qdisc *sch) + { + qdisc_drop(skb, sch); +- return NET_XMIT_SUCCESS; ++ return NET_XMIT_SUCCESS | __NET_XMIT_BYPASS; + } + + static struct sk_buff *blackhole_dequeue(struct Qdisc *sch) diff --git a/patch/kernel/mvebu-default/04-patch-4.4.143-144.patch b/patch/kernel/mvebu-default/04-patch-4.4.143-144.patch new file mode 100644 index 0000000000..d0155cc705 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.143-144.patch 
@@ -0,0 +1,4228 @@ +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu +index ea6a043f5beb..50f95689ab38 100644 +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -276,6 +276,7 @@ What: /sys/devices/system/cpu/vulnerabilities + /sys/devices/system/cpu/vulnerabilities/meltdown + /sys/devices/system/cpu/vulnerabilities/spectre_v1 + /sys/devices/system/cpu/vulnerabilities/spectre_v2 ++ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index e60d0b5809c1..3fd53e193b7f 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2460,6 +2460,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + allow data leaks with this option, which is equivalent + to spectre_v2=off. + ++ nospec_store_bypass_disable ++ [HW] Disable all mitigations for the Speculative Store Bypass vulnerability ++ + noxsave [BUGS=X86] Disables x86 extended register state save + and restore using xsave. The kernel will fallback to + enabling legacy floating-point and sse state. +@@ -3623,6 +3626,48 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Not specifying this option is equivalent to + spectre_v2=auto. + ++ spec_store_bypass_disable= ++ [HW] Control Speculative Store Bypass (SSB) Disable mitigation ++ (Speculative Store Bypass vulnerability) ++ ++ Certain CPUs are vulnerable to an exploit against a ++ a common industry wide performance optimization known ++ as "Speculative Store Bypass" in which recent stores ++ to the same memory location may not be observed by ++ later loads during speculative execution. 
The idea ++ is that such stores are unlikely and that they can ++ be detected prior to instruction retirement at the ++ end of a particular speculation execution window. ++ ++ In vulnerable processors, the speculatively forwarded ++ store can be used in a cache side channel attack, for ++ example to read memory to which the attacker does not ++ directly have access (e.g. inside sandboxed code). ++ ++ This parameter controls whether the Speculative Store ++ Bypass optimization is used. ++ ++ on - Unconditionally disable Speculative Store Bypass ++ off - Unconditionally enable Speculative Store Bypass ++ auto - Kernel detects whether the CPU model contains an ++ implementation of Speculative Store Bypass and ++ picks the most appropriate mitigation. If the ++ CPU is not vulnerable, "off" is selected. If the ++ CPU is vulnerable the default mitigation is ++ architecture and Kconfig dependent. See below. ++ prctl - Control Speculative Store Bypass per thread ++ via prctl. Speculative Store Bypass is enabled ++ for a process by default. The state of the control ++ is inherited on fork. ++ seccomp - Same as "prctl" above, but all seccomp threads ++ will disable SSB unless they explicitly opt out. ++ ++ Not specifying this option is equivalent to ++ spec_store_bypass_disable=auto. ++ ++ Default mitigations: ++ X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl" ++ + spia_io_base= [HW,MTD] + spia_fio_base= + spia_pedr= +diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt +new file mode 100644 +index 000000000000..32f3d55c54b7 +--- /dev/null ++++ b/Documentation/spec_ctrl.txt +@@ -0,0 +1,94 @@ ++=================== ++Speculation Control ++=================== ++ ++Quite some CPUs have speculation-related misfeatures which are in ++fact vulnerabilities causing data leaks in various forms even across ++privilege domains. ++ ++The kernel provides mitigation for such vulnerabilities in various ++forms. 
Some of these mitigations are compile-time configurable and some ++can be supplied on the kernel command line. ++ ++There is also a class of mitigations which are very expensive, but they can ++be restricted to a certain set of processes or tasks in controlled ++environments. The mechanism to control these mitigations is via ++:manpage:`prctl(2)`. ++ ++There are two prctl options which are related to this: ++ ++ * PR_GET_SPECULATION_CTRL ++ ++ * PR_SET_SPECULATION_CTRL ++ ++PR_GET_SPECULATION_CTRL ++----------------------- ++ ++PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature ++which is selected with arg2 of prctl(2). The return value uses bits 0-3 with ++the following meaning: ++ ++==== ===================== =================================================== ++Bit Define Description ++==== ===================== =================================================== ++0 PR_SPEC_PRCTL Mitigation can be controlled per task by ++ PR_SET_SPECULATION_CTRL. ++1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is ++ disabled. ++2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is ++ enabled. ++3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A ++ subsequent prctl(..., PR_SPEC_ENABLE) will fail. ++==== ===================== =================================================== ++ ++If all bits are 0 the CPU is not affected by the speculation misfeature. ++ ++If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is ++available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation ++misfeature will fail. ++ ++PR_SET_SPECULATION_CTRL ++----------------------- ++ ++PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which ++is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand ++in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or ++PR_SPEC_FORCE_DISABLE. 
++ ++Common error codes ++------------------ ++======= ================================================================= ++Value Meaning ++======= ================================================================= ++EINVAL The prctl is not implemented by the architecture or unused ++ prctl(2) arguments are not 0. ++ ++ENODEV arg2 is selecting a not supported speculation misfeature. ++======= ================================================================= ++ ++PR_SET_SPECULATION_CTRL error codes ++----------------------------------- ++======= ================================================================= ++Value Meaning ++======= ================================================================= ++0 Success ++ ++ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor ++ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE. ++ ++ENXIO Control of the selected speculation misfeature is not possible. ++ See PR_GET_SPECULATION_CTRL. ++ ++EPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller ++ tried to enable it again. 
++======= ================================================================= ++ ++Speculation misfeature controls ++------------------------------- ++- PR_SPEC_STORE_BYPASS: Speculative Store Bypass ++ ++ Invocations: ++ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); +diff --git a/Makefile b/Makefile +index 54690fee0485..63f3e2438a26 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 143 ++SUBLEVEL = 144 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/include/asm/page.h b/arch/arc/include/asm/page.h +index 429957f1c236..8f1145ed0046 100644 +--- a/arch/arc/include/asm/page.h ++++ b/arch/arc/include/asm/page.h +@@ -102,7 +102,7 @@ typedef pte_t * pgtable_t; + #define virt_addr_valid(kaddr) pfn_valid(__pa(kaddr) >> PAGE_SHIFT) + + /* Default Permissions for stack/heaps pages (Non Executable) */ +-#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE) ++#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + + #define WANT_PAGE_VIRTUAL 1 + +diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h +index e5fec320f158..c07d7b0a4058 100644 +--- a/arch/arc/include/asm/pgtable.h ++++ b/arch/arc/include/asm/pgtable.h +@@ -372,7 +372,7 @@ void update_mmu_cache(struct vm_area_struct *vma, unsigned long address, + + /* Decode a PTE containing swap "identifier "into constituents */ + #define __swp_type(pte_lookalike) (((pte_lookalike).val) & 0x1f) +-#define __swp_offset(pte_lookalike) ((pte_lookalike).val << 13) ++#define __swp_offset(pte_lookalike) ((pte_lookalike).val >> 13) + + /* NOPs, to keep generic kernel happy */ + #define __pte_to_swp_entry(pte) ((swp_entry_t) 
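Review bot: The comment above VM_DATA_DEFAULT_FLAGS in arch/arc/include/asm/page.h still reads "(Non Executable)", but the new value adds VM_MAYEXEC. Stack and heap mappings can now be made executable later through mprotect(). Anyone auditing W^X assumptions on this architecture would be misled by the old wording. I would change it to `/* Default permissions for stack/heap pages: not executable, but mprotect() may add exec (VM_MAYEXEC) */`.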
{ pte_val(pte) }) +diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S +index d03bf0e28b8b..48c27c3fdfdb 100644 +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -79,24 +79,33 @@ ENTRY(entry_SYSENTER_compat) + ASM_CLAC /* Clear AC after saving FLAGS */ + + pushq $__USER32_CS /* pt_regs->cs */ +- xorq %r8,%r8 +- pushq %r8 /* pt_regs->ip = 0 (placeholder) */ ++ pushq $0 /* pt_regs->ip = 0 (placeholder) */ + pushq %rax /* pt_regs->orig_ax */ + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ + pushq %rdx /* pt_regs->dx */ + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ +- pushq %r8 /* pt_regs->r8 = 0 */ +- pushq %r8 /* pt_regs->r9 = 0 */ +- pushq %r8 /* pt_regs->r10 = 0 */ +- pushq %r8 /* pt_regs->r11 = 0 */ ++ pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ ++ pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ ++ pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ ++ pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ +- pushq %r8 /* pt_regs->r12 = 0 */ +- pushq %r8 /* pt_regs->r13 = 0 */ +- pushq %r8 /* pt_regs->r14 = 0 */ +- pushq %r8 /* pt_regs->r15 = 0 */ ++ xorl %ebp, %ebp /* nospec rbp */ ++ pushq $0 /* pt_regs->r12 = 0 */ ++ xorq %r12, %r12 /* nospec r12 */ ++ pushq $0 /* pt_regs->r13 = 0 */ ++ xorq %r13, %r13 /* nospec r13 */ ++ pushq $0 /* pt_regs->r14 = 0 */ ++ xorq %r14, %r14 /* nospec r14 */ ++ pushq $0 /* pt_regs->r15 = 0 */ ++ xorq %r15, %r15 /* nospec r15 */ + cld + + /* +@@ -185,17 +194,26 @@ ENTRY(entry_SYSCALL_compat) + pushq %rdx /* pt_regs->dx */ + pushq %rbp /* pt_regs->cx (stashed in bp) */ + pushq $-ENOSYS /* pt_regs->ax */ +- xorq %r8,%r8 +- pushq %r8 /* pt_regs->r8 = 0 */ +- pushq %r8 /* pt_regs->r9 = 0 */ +- pushq %r8 /* pt_regs->r10 = 0 */ +- pushq %r8 /* pt_regs->r11 = 
0 */ ++ pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ ++ pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ ++ pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ ++ pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp (will be overwritten) */ +- pushq %r8 /* pt_regs->r12 = 0 */ +- pushq %r8 /* pt_regs->r13 = 0 */ +- pushq %r8 /* pt_regs->r14 = 0 */ +- pushq %r8 /* pt_regs->r15 = 0 */ ++ xorl %ebp, %ebp /* nospec rbp */ ++ pushq $0 /* pt_regs->r12 = 0 */ ++ xorq %r12, %r12 /* nospec r12 */ ++ pushq $0 /* pt_regs->r13 = 0 */ ++ xorq %r13, %r13 /* nospec r13 */ ++ pushq $0 /* pt_regs->r14 = 0 */ ++ xorq %r14, %r14 /* nospec r14 */ ++ pushq $0 /* pt_regs->r15 = 0 */ ++ xorq %r15, %r15 /* nospec r15 */ + + /* + * User mode is traced as though IRQs are on, and SYSENTER +@@ -292,17 +310,26 @@ ENTRY(entry_INT80_compat) + pushq %rdx /* pt_regs->dx */ + pushq %rcx /* pt_regs->cx */ + pushq $-ENOSYS /* pt_regs->ax */ +- xorq %r8,%r8 +- pushq %r8 /* pt_regs->r8 = 0 */ +- pushq %r8 /* pt_regs->r9 = 0 */ +- pushq %r8 /* pt_regs->r10 = 0 */ +- pushq %r8 /* pt_regs->r11 = 0 */ ++ pushq $0 /* pt_regs->r8 = 0 */ ++ xorq %r8, %r8 /* nospec r8 */ ++ pushq $0 /* pt_regs->r9 = 0 */ ++ xorq %r9, %r9 /* nospec r9 */ ++ pushq $0 /* pt_regs->r10 = 0 */ ++ xorq %r10, %r10 /* nospec r10 */ ++ pushq $0 /* pt_regs->r11 = 0 */ ++ xorq %r11, %r11 /* nospec r11 */ + pushq %rbx /* pt_regs->rbx */ ++ xorl %ebx, %ebx /* nospec rbx */ + pushq %rbp /* pt_regs->rbp */ ++ xorl %ebp, %ebp /* nospec rbp */ + pushq %r12 /* pt_regs->r12 */ ++ xorq %r12, %r12 /* nospec r12 */ + pushq %r13 /* pt_regs->r13 */ ++ xorq %r13, %r13 /* nospec r13 */ + pushq %r14 /* pt_regs->r14 */ ++ xorq %r14, %r14 /* nospec r14 */ + pushq %r15 /* pt_regs->r15 */ ++ xorq %r15, %r15 /* nospec r15 */ + cld + + /* +diff --git a/arch/x86/include/asm/apm.h 
b/arch/x86/include/asm/apm.h +index 20370c6db74b..3d1ec41ae09a 100644 +--- a/arch/x86/include/asm/apm.h ++++ b/arch/x86/include/asm/apm.h +@@ -6,6 +6,8 @@ + #ifndef _ASM_X86_MACH_DEFAULT_APM_H + #define _ASM_X86_MACH_DEFAULT_APM_H + ++#include ++ + #ifdef APM_ZERO_SEGS + # define APM_DO_ZERO_SEGS \ + "pushl %%ds\n\t" \ +@@ -31,6 +33,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. + */ ++ firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -43,6 +46,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, + "=S" (*esi) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); ++ firmware_restrict_branch_speculation_end(); + } + + static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in, +@@ -55,6 +59,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in, + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. 
+ */ ++ firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -67,6 +72,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in, + "=S" (si) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); ++ firmware_restrict_branch_speculation_end(); + return error; + } + +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index e3a6f66d288c..7f5dcb64cedb 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -40,7 +40,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, + + asm volatile ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) +- :"r"(size),"r" (index) ++ :"g"(size),"r" (index) + :"cc"); + return mask; + } +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index dd0089841a0f..d72c1db64679 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -28,6 +28,7 @@ enum cpuid_leafs + CPUID_8000_000A_EDX, + CPUID_7_ECX, + CPUID_8000_0007_EBX, ++ CPUID_7_EDX, + }; + + #ifdef CONFIG_X86_FEATURE_NAMES +@@ -78,8 +79,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) || \ + REQUIRED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 18)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 19)) + + #define DISABLED_MASK_BIT_SET(feature_bit) \ + ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \ +@@ -100,8 +102,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) || \ ++ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, 
feature_bit) || \ + DISABLED_MASK_CHECK || \ +- BUILD_BUG_ON_ZERO(NCAPINTS != 18)) ++ BUILD_BUG_ON_ZERO(NCAPINTS != 19)) + + #define cpu_has(c, bit) \ + (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \ +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 205ce70c1d6c..f4b175db70f4 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -12,7 +12,7 @@ + /* + * Defines x86 CPU feature bits + */ +-#define NCAPINTS 18 /* N 32-bit words worth of info */ ++#define NCAPINTS 19 /* N 32-bit words worth of info */ + #define NBUGINTS 1 /* N 32-bit bug flags */ + + /* +@@ -194,13 +194,28 @@ + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ + + #define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ +-#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */ ++#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ ++ ++#define X86_FEATURE_RETPOLINE ( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++ ++#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ ++#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ + +-#define X86_FEATURE_RETPOLINE ( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */ + /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... 
*/ + #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */ + ++#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/ ++#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ ++#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ ++#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ ++ ++#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ ++#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ ++#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */ ++ ++ + /* Virtualization flags: Linux defined, word 8 */ + #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ + #define X86_FEATURE_VNMI ( 8*32+ 1) /* Intel Virtual NMI */ +@@ -251,6 +266,10 @@ + + /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */ + #define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */ ++#define X86_FEATURE_AMD_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */ ++#define X86_FEATURE_AMD_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */ ++#define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */ + + /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ + #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ +@@ -285,6 +304,15 @@ + #define X86_FEATURE_SUCCOR (17*32+1) /* Uncorrectable error containment and recovery */ + #define X86_FEATURE_SMCA (17*32+3) /* Scalable MCA */ + ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ ++#define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ ++#define 
X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ ++#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ ++#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ ++#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */ ++ + /* + * BUG word(s) + */ +@@ -302,5 +330,6 @@ + #define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ + #define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ + #define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ ++#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h +index 21c5ac15657b..1f8cca459c6c 100644 +--- a/arch/x86/include/asm/disabled-features.h ++++ b/arch/x86/include/asm/disabled-features.h +@@ -59,6 +59,7 @@ + #define DISABLED_MASK15 0 + #define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE) + #define DISABLED_MASK17 0 +-#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18) ++#define DISABLED_MASK18 0 ++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19) + + #endif /* _ASM_X86_DISABLED_FEATURES_H */ +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 0010c78c4998..7e5a2ffb6938 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -3,6 +3,7 @@ + + #include + #include ++#include + + /* + * We map the EFI regions needed for runtime services non-contiguously, +@@ -39,8 +40,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...); + ({ \ + efi_status_t __s; \ + 
kernel_fpu_begin(); \ ++ firmware_restrict_branch_speculation_start(); \ + __s = ((efi_##f##_t __attribute__((regparm(0)))*) \ + efi.systab->runtime->f)(args); \ ++ firmware_restrict_branch_speculation_end(); \ + kernel_fpu_end(); \ + __s; \ + }) +@@ -49,8 +52,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...); + #define __efi_call_virt(f, args...) \ + ({ \ + kernel_fpu_begin(); \ ++ firmware_restrict_branch_speculation_start(); \ + ((efi_##f##_t __attribute__((regparm(0)))*) \ + efi.systab->runtime->f)(args); \ ++ firmware_restrict_branch_speculation_end(); \ + kernel_fpu_end(); \ + }) + +@@ -71,7 +76,9 @@ extern u64 asmlinkage efi_call(void *fp, ...); + efi_sync_low_kernel_mappings(); \ + preempt_disable(); \ + __kernel_fpu_begin(); \ ++ firmware_restrict_branch_speculation_start(); \ + __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \ ++ firmware_restrict_branch_speculation_end(); \ + __kernel_fpu_end(); \ + preempt_enable(); \ + __s; \ +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +index 6999f7d01a0d..e13ff5a14633 100644 +--- a/arch/x86/include/asm/intel-family.h ++++ b/arch/x86/include/asm/intel-family.h +@@ -12,6 +12,7 @@ + */ + + #define INTEL_FAM6_CORE_YONAH 0x0E ++ + #define INTEL_FAM6_CORE2_MEROM 0x0F + #define INTEL_FAM6_CORE2_MEROM_L 0x16 + #define INTEL_FAM6_CORE2_PENRYN 0x17 +@@ -20,6 +21,7 @@ + #define INTEL_FAM6_NEHALEM 0x1E + #define INTEL_FAM6_NEHALEM_EP 0x1A + #define INTEL_FAM6_NEHALEM_EX 0x2E ++ + #define INTEL_FAM6_WESTMERE 0x25 + #define INTEL_FAM6_WESTMERE2 0x1F + #define INTEL_FAM6_WESTMERE_EP 0x2C +@@ -36,9 +38,9 @@ + #define INTEL_FAM6_HASWELL_GT3E 0x46 + + #define INTEL_FAM6_BROADWELL_CORE 0x3D +-#define INTEL_FAM6_BROADWELL_XEON_D 0x56 + #define INTEL_FAM6_BROADWELL_GT3E 0x47 + #define INTEL_FAM6_BROADWELL_X 0x4F ++#define INTEL_FAM6_BROADWELL_XEON_D 0x56 + + #define INTEL_FAM6_SKYLAKE_MOBILE 0x4E + #define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E +@@ -56,13 +58,15 @@ + #define 
INTEL_FAM6_ATOM_SILVERMONT1 0x37 /* BayTrail/BYT / Valleyview */ + #define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */ + #define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */ +-#define INTEL_FAM6_ATOM_MERRIFIELD1 0x4A /* Tangier */ +-#define INTEL_FAM6_ATOM_MERRIFIELD2 0x5A /* Annidale */ ++#define INTEL_FAM6_ATOM_MERRIFIELD 0x4A /* Tangier */ ++#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Annidale */ + #define INTEL_FAM6_ATOM_GOLDMONT 0x5C + #define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */ ++#define INTEL_FAM6_ATOM_GEMINI_LAKE 0x7A + + /* Xeon Phi */ + + #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ ++#define INTEL_FAM6_XEON_PHI_KNM 0x85 /* Knights Mill */ + + #endif /* _ASM_X86_INTEL_FAMILY_H */ +diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h +index b77f5edb03b0..0056bc945cd1 100644 +--- a/arch/x86/include/asm/irqflags.h ++++ b/arch/x86/include/asm/irqflags.h +@@ -8,7 +8,7 @@ + * Interrupt control: + */ + +-static inline unsigned long native_save_fl(void) ++extern inline unsigned long native_save_fl(void) + { + unsigned long flags; + +diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h +index 7680b76adafc..3359dfedc7ee 100644 +--- a/arch/x86/include/asm/mmu.h ++++ b/arch/x86/include/asm/mmu.h +@@ -3,12 +3,18 @@ + + #include + #include ++#include + + /* +- * The x86 doesn't have a mmu context, but +- * we put the segment information here. ++ * x86 has arch-specific MMU state beyond what lives in mm_struct. + */ + typedef struct { ++ /* ++ * ctx_id uniquely identifies this mm_struct. A ctx_id will never ++ * be reused, and zero is not a valid ctx_id. 
++ */ ++ u64 ctx_id; ++ + #ifdef CONFIG_MODIFY_LDT_SYSCALL + struct ldt_struct *ldt; + #endif +@@ -24,6 +30,11 @@ typedef struct { + atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */ + } mm_context_t; + ++#define INIT_MM_CONTEXT(mm) \ ++ .context = { \ ++ .ctx_id = 1, \ ++ } ++ + void leave_mm(int cpu); + + #endif /* _ASM_X86_MMU_H */ +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 9bfc5fd77015..effc12767cbf 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -11,6 +11,9 @@ + #include + #include + #include ++ ++extern atomic64_t last_mm_ctx_id; ++ + #ifndef CONFIG_PARAVIRT + static inline void paravirt_activate_mm(struct mm_struct *prev, + struct mm_struct *next) +@@ -52,15 +55,15 @@ struct ldt_struct { + /* + * Used for LDT copy/destruction. + */ +-int init_new_context(struct task_struct *tsk, struct mm_struct *mm); +-void destroy_context(struct mm_struct *mm); ++int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm); ++void destroy_context_ldt(struct mm_struct *mm); + #else /* CONFIG_MODIFY_LDT_SYSCALL */ +-static inline int init_new_context(struct task_struct *tsk, +- struct mm_struct *mm) ++static inline int init_new_context_ldt(struct task_struct *tsk, ++ struct mm_struct *mm) + { + return 0; + } +-static inline void destroy_context(struct mm_struct *mm) {} ++static inline void destroy_context_ldt(struct mm_struct *mm) {} + #endif + + static inline void load_mm_ldt(struct mm_struct *mm) +@@ -102,6 +105,18 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) + this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); + } + ++static inline int init_new_context(struct task_struct *tsk, ++ struct mm_struct *mm) ++{ ++ mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id); ++ init_new_context_ldt(tsk, mm); ++ return 0; ++} ++static inline void destroy_context(struct mm_struct *mm) ++{ ++ destroy_context_ldt(mm); ++} ++ + 
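Review bot: `INIT_MM_CONTEXT` in the mmu.h hunk hard-codes `.ctx_id = 1` with no comment tying that value to the allocator. The struct comment promises that a ctx_id is never reused, and `init_new_context()` hands out ids with `atomic64_inc_return(&last_mm_ctx_id)`, so the promise holds only if `last_mm_ctx_id` starts at 1 or higher. Its initialiser is not in this patch section, so that should be confirmed. I would add `/* init_mm owns ctx_id 1; last_mm_ctx_id must be initialised to 1 so the first allocated id is 2 */` above the macro.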
extern void switch_mm(struct mm_struct *prev, struct mm_struct *next, + struct task_struct *tsk); + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index b8911aecf035..caa00191e565 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -32,6 +32,15 @@ + #define EFER_FFXSR (1<<_EFER_FFXSR) + + /* Intel MSRs. Some also available on other CPUs */ ++#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ ++#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ ++#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ ++#define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */ ++#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ ++ ++#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ ++#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ ++ + #define MSR_IA32_PERFCTR0 0x000000c1 + #define MSR_IA32_PERFCTR1 0x000000c2 + #define MSR_FSB_FREQ 0x000000cd +@@ -45,6 +54,16 @@ + #define SNB_C3_AUTO_UNDEMOTE (1UL << 28) + + #define MSR_MTRRcap 0x000000fe ++ ++#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a ++#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ ++#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ ++#define ARCH_CAP_SSB_NO (1 << 4) /* ++ * Not susceptible to Speculative Store Bypass ++ * attack, so no Speculative Store Bypass ++ * control required. 
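Review bot: The new `init_new_context()` wrapper in the `@@ -102,6 +105,18 @@` hunk of mmu_context.h discards the `int` result of `init_new_context_ldt(tsk, mm)` and always returns 0. Before this change `init_new_context()` was the LDT routine itself (it is only renamed in the hunk above), so any error it produced reached the caller. If the CONFIG_MODIFY_LDT_SYSCALL implementation can fail (its body is not shown here), a failed LDT setup is now reported as success. Ending the wrapper with `return init_new_context_ldt(tsk, mm);` keeps the ctx_id assignment and restores the error path.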
++ */ ++ + #define MSR_IA32_BBL_CR_CTL 0x00000119 + #define MSR_IA32_BBL_CR_CTL3 0x0000011e + +@@ -132,6 +151,7 @@ + + /* DEBUGCTLMSR bits (others vary by model): */ + #define DEBUGCTLMSR_LBR (1UL << 0) /* last branch recording */ ++#define DEBUGCTLMSR_BTF_SHIFT 1 + #define DEBUGCTLMSR_BTF (1UL << 1) /* single-step on branches */ + #define DEBUGCTLMSR_TR (1UL << 6) + #define DEBUGCTLMSR_BTS (1UL << 7) +@@ -308,6 +328,8 @@ + #define MSR_AMD64_IBSOPDATA4 0xc001103d + #define MSR_AMD64_IBS_REG_COUNT_MAX 8 /* includes MSR_AMD64_IBSBRTARGET */ + ++#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f ++ + /* Fam 16h MSRs */ + #define MSR_F16H_L2I_PERF_CTL 0xc0010230 + #define MSR_F16H_L2I_PERF_CTR 0xc0010231 +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 8b910416243c..b4c74c24c890 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + /* + * Fill the CPU return stack buffer. 
+@@ -171,6 +172,14 @@ enum spectre_v2_mitigation { + SPECTRE_V2_IBRS, + }; + ++/* The Speculative Store Bypass disable variants */ ++enum ssb_mitigation { ++ SPEC_STORE_BYPASS_NONE, ++ SPEC_STORE_BYPASS_DISABLE, ++ SPEC_STORE_BYPASS_PRCTL, ++ SPEC_STORE_BYPASS_SECCOMP, ++}; ++ + extern char __indirect_thunk_start[]; + extern char __indirect_thunk_end[]; + +@@ -194,6 +203,51 @@ static inline void vmexit_fill_RSB(void) + #endif + } + ++static __always_inline ++void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature) ++{ ++ asm volatile(ALTERNATIVE("", "wrmsr", %c[feature]) ++ : : "c" (msr), ++ "a" ((u32)val), ++ "d" ((u32)(val >> 32)), ++ [feature] "i" (feature) ++ : "memory"); ++} ++ ++static inline void indirect_branch_prediction_barrier(void) ++{ ++ u64 val = PRED_CMD_IBPB; ++ ++ alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); ++} ++ ++/* The Intel SPEC CTRL MSR base value cache */ ++extern u64 x86_spec_ctrl_base; ++ ++/* ++ * With retpoline, we must use IBRS to restrict branch prediction ++ * before calling into firmware. ++ * ++ * (Implemented as CPP macros due to header hell.) 
++ */ ++#define firmware_restrict_branch_speculation_start() \ ++do { \ ++ u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \ ++ \ ++ preempt_disable(); \ ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ ++ X86_FEATURE_USE_IBRS_FW); \ ++} while (0) ++ ++#define firmware_restrict_branch_speculation_end() \ ++do { \ ++ u64 val = x86_spec_ctrl_base; \ ++ \ ++ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ ++ X86_FEATURE_USE_IBRS_FW); \ ++ preempt_enable(); \ ++} while (0) ++ + #endif /* __ASSEMBLY__ */ + + /* +diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h +index fac9a5c0abe9..6847d85400a8 100644 +--- a/arch/x86/include/asm/required-features.h ++++ b/arch/x86/include/asm/required-features.h +@@ -100,6 +100,7 @@ + #define REQUIRED_MASK15 0 + #define REQUIRED_MASK16 0 + #define REQUIRED_MASK17 0 +-#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18) ++#define REQUIRED_MASK18 0 ++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19) + + #endif /* _ASM_X86_REQUIRED_FEATURES_H */ +diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h +new file mode 100644 +index 000000000000..ae7c2c5cd7f0 +--- /dev/null ++++ b/arch/x86/include/asm/spec-ctrl.h +@@ -0,0 +1,80 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_X86_SPECCTRL_H_ ++#define _ASM_X86_SPECCTRL_H_ ++ ++#include ++#include ++ ++/* ++ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR ++ * the guest has, while on VMEXIT we restore the host view. This ++ * would be easier if SPEC_CTRL were architecturally maskable or ++ * shadowable for guests but this is not (currently) the case. ++ * Takes the guest view of SPEC_CTRL MSR as a parameter and also ++ * the guest's version of VIRT_SPEC_CTRL, if emulated. 
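Review bot: The comment above `firmware_restrict_branch_speculation_start()` and `_end()` does not state their calling contract. `_start()` calls `preempt_disable()` and sets `SPEC_CTRL_IBRS` on top of `x86_spec_ctrl_base`, and only `_end()` writes the base value back and calls `preempt_enable()`. A caller that returns between the two leaves preemption disabled and IBRS set. I would extend the comment with `Must be used as a strict pair on every path; preemption stays disabled between start and end.` Likewise `alternative_msr_write()` deserves a line saying that `feature` must be a compile-time constant and that the `wrmsr` is only patched in when that feature bit is set, otherwise the call is a no-op.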
++ */ ++extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest); ++ ++/** ++ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest ++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL ++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL ++ * (may get translated to MSR_AMD64_LS_CFG bits) ++ * ++ * Avoids writing to the MSR if the content/bits are the same ++ */ ++static inline ++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) ++{ ++ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true); ++} ++ ++/** ++ * x86_spec_ctrl_restore_host - Restore host speculation control registers ++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL ++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL ++ * (may get translated to MSR_AMD64_LS_CFG bits) ++ * ++ * Avoids writing to the MSR if the content/bits are the same ++ */ ++static inline ++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) ++{ ++ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false); ++} ++ ++/* AMD specific Speculative Store Bypass MSR data */ ++extern u64 x86_amd_ls_cfg_base; ++extern u64 x86_amd_ls_cfg_ssbd_mask; ++ ++static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) ++{ ++ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); ++ return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); ++} ++ ++static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl) ++{ ++ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); ++ return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); ++} ++ ++static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn) ++{ ++ return (tifn & _TIF_SSBD) ? 
x86_amd_ls_cfg_ssbd_mask : 0ULL; ++} ++ ++#ifdef CONFIG_SMP ++extern void speculative_store_bypass_ht_init(void); ++#else ++static inline void speculative_store_bypass_ht_init(void) { } ++#endif ++ ++extern void speculative_store_bypass_update(unsigned long tif); ++ ++static inline void speculative_store_bypass_update_current(void) ++{ ++ speculative_store_bypass_update(current_thread_info()->flags); ++} ++ ++#endif +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h +index 18c9aaa8c043..a96e88b243ef 100644 +--- a/arch/x86/include/asm/thread_info.h ++++ b/arch/x86/include/asm/thread_info.h +@@ -92,6 +92,7 @@ struct thread_info { + #define TIF_SIGPENDING 2 /* signal pending */ + #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ + #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/ ++#define TIF_SSBD 5 /* Reduced data speculation */ + #define TIF_SYSCALL_EMU 6 /* syscall emulation active */ + #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ + #define TIF_SECCOMP 8 /* secure computing */ +@@ -114,8 +115,9 @@ struct thread_info { + #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) + #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) + #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) +-#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) + #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) ++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) ++#define _TIF_SSBD (1 << TIF_SSBD) + #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) + #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) + #define _TIF_SECCOMP (1 << TIF_SECCOMP) +@@ -147,7 +149,7 @@ struct thread_info { + + /* flags to check in __switch_to() */ + #define _TIF_WORK_CTXSW \ +- (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP) ++ (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD) + + #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) + #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) +diff --git a/arch/x86/include/asm/tlbflush.h 
b/arch/x86/include/asm/tlbflush.h +index e2a89d2577fb..72cfe3e53af1 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -68,6 +68,8 @@ static inline void invpcid_flush_all_nonglobals(void) + struct tlb_state { + struct mm_struct *active_mm; + int state; ++ /* last user mm's ctx id */ ++ u64 last_ctx_id; + + /* + * Access to this CR4 shadow and to H/W CR4 is protected by +@@ -109,6 +111,16 @@ static inline void cr4_clear_bits(unsigned long mask) + } + } + ++static inline void cr4_toggle_bits(unsigned long mask) ++{ ++ unsigned long cr4; ++ ++ cr4 = this_cpu_read(cpu_tlbstate.cr4); ++ cr4 ^= mask; ++ this_cpu_write(cpu_tlbstate.cr4, cr4); ++ __write_cr4(cr4); ++} ++ + /* Read the CR4 shadow. */ + static inline unsigned long cr4_read_shadow(void) + { +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index b1b78ffe01d0..7947cee61f61 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -41,6 +41,7 @@ obj-y += alternative.o i8253.o pci-nommu.o hw_breakpoint.o + obj-y += tsc.o tsc_msr.o io_delay.o rtc.o + obj-y += pci-iommu_table.o + obj-y += resource.o ++obj-y += irqflags.o + + obj-y += process.o + obj-y += fpu/ +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index f4fb8f5b0be4..9f6151884249 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -519,6 +520,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c) + + if (cpu_has(c, X86_FEATURE_MWAITX)) + use_mwaitx_delay(); ++ ++ if (c->x86 >= 0x15 && c->x86 <= 0x17) { ++ unsigned int bit; ++ ++ switch (c->x86) { ++ case 0x15: bit = 54; break; ++ case 0x16: bit = 33; break; ++ case 0x17: bit = 10; break; ++ default: return; ++ } ++ /* ++ * Try to cache the base value so further operations can ++ * avoid RMW. If that faults, do not enable SSBD. 
++ */ ++ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { ++ setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD); ++ setup_force_cpu_cap(X86_FEATURE_SSBD); ++ x86_amd_ls_cfg_ssbd_mask = 1ULL << bit; ++ } ++ } + } + + static void early_init_amd(struct cpuinfo_x86 *c) +@@ -692,6 +713,17 @@ static void init_amd_bd(struct cpuinfo_x86 *c) + } + } + ++static void init_amd_zn(struct cpuinfo_x86 *c) ++{ ++ set_cpu_cap(c, X86_FEATURE_ZEN); ++ /* ++ * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects ++ * all up to and including B1. ++ */ ++ if (c->x86_model <= 1 && c->x86_mask <= 1) ++ set_cpu_cap(c, X86_FEATURE_CPB); ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + u32 dummy; +@@ -722,6 +754,7 @@ static void init_amd(struct cpuinfo_x86 *c) + case 0x10: init_amd_gh(c); break; + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; ++ case 0x17: init_amd_zn(c); break; + } + + /* Enable workaround for FXSAVE leak */ +@@ -791,8 +824,9 @@ static void init_amd(struct cpuinfo_x86 *c) + if (cpu_has(c, X86_FEATURE_3DNOW) || cpu_has(c, X86_FEATURE_LM)) + set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH); + +- /* AMD CPUs don't reset SS attributes on SYSRET */ +- set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); ++ /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */ ++ if (!cpu_has(c, X86_FEATURE_XENPV)) ++ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); + } + + #ifdef CONFIG_X86_32 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 2bbc74f8a4a8..12a8867071f3 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -11,8 +11,10 @@ + #include + #include + #include ++#include ++#include + +-#include ++#include + #include + #include + #include +@@ -26,6 +28,27 @@ + #include + + static void __init spectre_v2_select_mitigation(void); ++static void __init ssb_select_mitigation(void); ++ ++/* ++ * Our boot-time value of the SPEC_CTRL MSR. 
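Review bot: The per-family SSBD bit positions added to `bsp_init_amd()` (`case 0x15: bit = 54`, `case 0x16: bit = 33`, `case 0x17: bit = 10`) are bare numbers with no name or reference. The resulting `x86_amd_ls_cfg_ssbd_mask` is later OR-ed into every `MSR_AMD64_LS_CFG` write in `x86_amd_ssb_disable()`, so a wrong value would silently flip an unrelated configuration bit. A comment such as `/* LS_CFG SSBD bit by family: 15h = 54, 16h = 33, 17h = 10 */` would make the table checkable. The `default: return;` arm is unreachable inside the `c->x86 >= 0x15 && c->x86 <= 0x17` guard and would skip anything appended to the function later. The function starts outside this hunk.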
We read it once so that any ++ * writes to SPEC_CTRL contain whatever reserved bits have been set. ++ */ ++u64 x86_spec_ctrl_base; ++EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); ++ ++/* ++ * The vendor and possibly platform specific bits which can be modified in ++ * x86_spec_ctrl_base. ++ */ ++static u64 x86_spec_ctrl_mask = SPEC_CTRL_IBRS; ++ ++/* ++ * AMD specific MSR info for Speculative Store Bypass control. ++ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). ++ */ ++u64 x86_amd_ls_cfg_base; ++u64 x86_amd_ls_cfg_ssbd_mask; + + void __init check_bugs(void) + { +@@ -36,9 +59,27 @@ void __init check_bugs(void) + print_cpu_info(&boot_cpu_data); + } + ++ /* ++ * Read the SPEC_CTRL MSR to account for reserved bits which may ++ * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD ++ * init code as it is not enumerated and depends on the family. ++ */ ++ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) ++ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ ++ /* Allow STIBP in MSR_SPEC_CTRL if supported */ ++ if (boot_cpu_has(X86_FEATURE_STIBP)) ++ x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; ++ + /* Select the proper spectre mitigation before patching alternatives */ + spectre_v2_select_mitigation(); + ++ /* ++ * Select proper mitigation for any exposure to the Speculative Store ++ * Bypass vulnerability. ++ */ ++ ssb_select_mitigation(); ++ + #ifdef CONFIG_X86_32 + /* + * Check whether we are able to run this kernel safely on SMP. +@@ -94,6 +135,73 @@ static const char *spectre_v2_strings[] = { + + static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; + ++void ++x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) ++{ ++ u64 msrval, guestval, hostval = x86_spec_ctrl_base; ++ struct thread_info *ti = current_thread_info(); ++ ++ /* Is MSR_SPEC_CTRL implemented ? */ ++ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { ++ /* ++ * Restrict guest_spec_ctrl to supported values. 
Clear the ++ * modifiable bits in the host base value and or the ++ * modifiable bits from the guest value. ++ */ ++ guestval = hostval & ~x86_spec_ctrl_mask; ++ guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; ++ ++ /* SSBD controlled in MSR_SPEC_CTRL */ ++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) ++ hostval |= ssbd_tif_to_spec_ctrl(ti->flags); ++ ++ if (hostval != guestval) { ++ msrval = setguest ? guestval : hostval; ++ wrmsrl(MSR_IA32_SPEC_CTRL, msrval); ++ } ++ } ++ ++ /* ++ * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update ++ * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. ++ */ ++ if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) && ++ !static_cpu_has(X86_FEATURE_VIRT_SSBD)) ++ return; ++ ++ /* ++ * If the host has SSBD mitigation enabled, force it in the host's ++ * virtual MSR value. If its not permanently enabled, evaluate ++ * current's TIF_SSBD thread flag. ++ */ ++ if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)) ++ hostval = SPEC_CTRL_SSBD; ++ else ++ hostval = ssbd_tif_to_spec_ctrl(ti->flags); ++ ++ /* Sanitize the guest value */ ++ guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD; ++ ++ if (hostval != guestval) { ++ unsigned long tif; ++ ++ tif = setguest ? 
ssbd_spec_ctrl_to_tif(guestval) : ++ ssbd_spec_ctrl_to_tif(hostval); ++ ++ speculative_store_bypass_update(tif); ++ } ++} ++EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); ++ ++static void x86_amd_ssb_disable(void) ++{ ++ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; ++ ++ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) ++ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD); ++ else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) ++ wrmsrl(MSR_AMD64_LS_CFG, msrval); ++} + + #ifdef RETPOLINE + static bool spectre_v2_bad_module; +@@ -162,8 +270,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + if (cmdline_find_option_bool(boot_command_line, "nospectre_v2")) + return SPECTRE_V2_CMD_NONE; + else { +- ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, +- sizeof(arg)); ++ ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); + if (ret < 0) + return SPECTRE_V2_CMD_AUTO; + +@@ -184,8 +291,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || + cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && + !IS_ENABLED(CONFIG_RETPOLINE)) { +- pr_err("%s selected but not compiled in. Switching to AUTO select\n", +- mitigation_options[i].option); ++ pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +@@ -255,14 +361,14 @@ static void __init spectre_v2_select_mitigation(void) + goto retpoline_auto; + break; + } +- pr_err("kernel not compiled with retpoline; no mitigation available!"); ++ pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); + return; + + retpoline_auto: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) { + retpoline_amd: + if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("LFENCE not serializing. 
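Review bot: The comment in `x86_virt_spec_ctrl()` that introduces the AMD path names a register, `MSR_AMD64_L2_CFG`, that the code never uses. The MSR actually written for this purpose elsewhere in the same hunk is `MSR_AMD64_LS_CFG` (see `x86_amd_ssb_disable()`). The line should read `update MSR_AMD64_LS_CFG or MSR_VIRT_SPEC_CTRL if supported`. It would also help to note that both guest inputs are masked before use, `guest_spec_ctrl` with `x86_spec_ctrl_mask` and `guest_virt_spec_ctrl` with `SPEC_CTRL_SSBD`, since that masking keeps a guest from setting host-reserved bits.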
Switching to generic retpoline\n"); ++ pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); + goto retpoline_generic; + } + mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD : +@@ -280,7 +386,7 @@ retpoline_auto: + pr_info("%s\n", spectre_v2_strings[mode]); + + /* +- * If neither SMEP or KPTI are available, there is a risk of ++ * If neither SMEP nor PTI are available, there is a risk of + * hitting userspace addresses in the RSB after a context switch + * from a shallow call stack to a deeper one. To prevent this fill + * the entire RSB, even when using IBRS. +@@ -294,38 +400,309 @@ retpoline_auto: + if ((!boot_cpu_has(X86_FEATURE_KAISER) && + !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Filling RSB on context switch\n"); ++ pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); ++ } ++ ++ /* Initialize Indirect Branch Prediction Barrier if supported */ ++ if (boot_cpu_has(X86_FEATURE_IBPB)) { ++ setup_force_cpu_cap(X86_FEATURE_USE_IBPB); ++ pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n"); ++ } ++ ++ /* ++ * Retpoline means the kernel is safe because it has no indirect ++ * branches. But firmware isn't, so use IBRS to protect that. 
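Review bot: The reworded message `pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");` still has no trailing newline, unlike the LFENCE message changed a few lines below in the same hunk. Without it the line can be merged with the next printk, which makes the "no mitigation available" condition easy to miss in boot logs. Since the line is being touched anyway, end the string with `available!\n"`. `spectre_v2_select_mitigation()` begins and ends outside this hunk.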
++ */ ++ if (boot_cpu_has(X86_FEATURE_IBRS)) { ++ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); ++ pr_info("Enabling Restricted Speculation for firmware calls\n"); ++ } ++} ++ ++#undef pr_fmt ++#define pr_fmt(fmt) "Speculative Store Bypass: " fmt ++ ++static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE; ++ ++/* The kernel command line selection */ ++enum ssb_mitigation_cmd { ++ SPEC_STORE_BYPASS_CMD_NONE, ++ SPEC_STORE_BYPASS_CMD_AUTO, ++ SPEC_STORE_BYPASS_CMD_ON, ++ SPEC_STORE_BYPASS_CMD_PRCTL, ++ SPEC_STORE_BYPASS_CMD_SECCOMP, ++}; ++ ++static const char *ssb_strings[] = { ++ [SPEC_STORE_BYPASS_NONE] = "Vulnerable", ++ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", ++ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl", ++ [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", ++}; ++ ++static const struct { ++ const char *option; ++ enum ssb_mitigation_cmd cmd; ++} ssb_mitigation_options[] = { ++ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ ++ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ ++ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ ++ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ ++ { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */ ++}; ++ ++static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) ++{ ++ enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; ++ char arg[20]; ++ int ret, i; ++ ++ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) { ++ return SPEC_STORE_BYPASS_CMD_NONE; ++ } else { ++ ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", ++ arg, sizeof(arg)); ++ if (ret < 0) ++ return SPEC_STORE_BYPASS_CMD_AUTO; ++ ++ for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { ++ if 
(!match_option(arg, ret, ssb_mitigation_options[i].option)) ++ continue; ++ ++ cmd = ssb_mitigation_options[i].cmd; ++ break; ++ } ++ ++ if (i >= ARRAY_SIZE(ssb_mitigation_options)) { ++ pr_err("unknown option (%s). Switching to AUTO select\n", arg); ++ return SPEC_STORE_BYPASS_CMD_AUTO; ++ } ++ } ++ ++ return cmd; ++} ++ ++static enum ssb_mitigation __init __ssb_select_mitigation(void) ++{ ++ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; ++ enum ssb_mitigation_cmd cmd; ++ ++ if (!boot_cpu_has(X86_FEATURE_SSBD)) ++ return mode; ++ ++ cmd = ssb_parse_cmdline(); ++ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && ++ (cmd == SPEC_STORE_BYPASS_CMD_NONE || ++ cmd == SPEC_STORE_BYPASS_CMD_AUTO)) ++ return mode; ++ ++ switch (cmd) { ++ case SPEC_STORE_BYPASS_CMD_AUTO: ++ case SPEC_STORE_BYPASS_CMD_SECCOMP: ++ /* ++ * Choose prctl+seccomp as the default mode if seccomp is ++ * enabled. ++ */ ++ if (IS_ENABLED(CONFIG_SECCOMP)) ++ mode = SPEC_STORE_BYPASS_SECCOMP; ++ else ++ mode = SPEC_STORE_BYPASS_PRCTL; ++ break; ++ case SPEC_STORE_BYPASS_CMD_ON: ++ mode = SPEC_STORE_BYPASS_DISABLE; ++ break; ++ case SPEC_STORE_BYPASS_CMD_PRCTL: ++ mode = SPEC_STORE_BYPASS_PRCTL; ++ break; ++ case SPEC_STORE_BYPASS_CMD_NONE: ++ break; ++ } ++ ++ /* ++ * We have three CPU feature flags that are in play here: ++ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. ++ * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass ++ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation ++ */ ++ if (mode == SPEC_STORE_BYPASS_DISABLE) { ++ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); ++ /* ++ * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses ++ * a completely different MSR and bit dependent on family. 
++ */ ++ switch (boot_cpu_data.x86_vendor) { ++ case X86_VENDOR_INTEL: ++ x86_spec_ctrl_base |= SPEC_CTRL_SSBD; ++ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; ++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ break; ++ case X86_VENDOR_AMD: ++ x86_amd_ssb_disable(); ++ break; ++ } + } ++ ++ return mode; ++} ++ ++static void ssb_select_mitigation(void) ++{ ++ ssb_mode = __ssb_select_mitigation(); ++ ++ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) ++ pr_info("%s\n", ssb_strings[ssb_mode]); + } + + #undef pr_fmt ++#define pr_fmt(fmt) "Speculation prctl: " fmt ++ ++static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) ++{ ++ bool update; ++ ++ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL && ++ ssb_mode != SPEC_STORE_BYPASS_SECCOMP) ++ return -ENXIO; ++ ++ switch (ctrl) { ++ case PR_SPEC_ENABLE: ++ /* If speculation is force disabled, enable is not allowed */ ++ if (task_spec_ssb_force_disable(task)) ++ return -EPERM; ++ task_clear_spec_ssb_disable(task); ++ update = test_and_clear_tsk_thread_flag(task, TIF_SSBD); ++ break; ++ case PR_SPEC_DISABLE: ++ task_set_spec_ssb_disable(task); ++ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); ++ break; ++ case PR_SPEC_FORCE_DISABLE: ++ task_set_spec_ssb_disable(task); ++ task_set_spec_ssb_force_disable(task); ++ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); ++ break; ++ default: ++ return -ERANGE; ++ } ++ ++ /* ++ * If being set on non-current task, delay setting the CPU ++ * mitigation until it is next scheduled. 
++ */ ++ if (task == current && update) ++ speculative_store_bypass_update_current(); ++ ++ return 0; ++} ++ ++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, ++ unsigned long ctrl) ++{ ++ switch (which) { ++ case PR_SPEC_STORE_BYPASS: ++ return ssb_prctl_set(task, ctrl); ++ default: ++ return -ENODEV; ++ } ++} ++ ++#ifdef CONFIG_SECCOMP ++void arch_seccomp_spec_mitigate(struct task_struct *task) ++{ ++ if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) ++ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); ++} ++#endif ++ ++static int ssb_prctl_get(struct task_struct *task) ++{ ++ switch (ssb_mode) { ++ case SPEC_STORE_BYPASS_DISABLE: ++ return PR_SPEC_DISABLE; ++ case SPEC_STORE_BYPASS_SECCOMP: ++ case SPEC_STORE_BYPASS_PRCTL: ++ if (task_spec_ssb_force_disable(task)) ++ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; ++ if (task_spec_ssb_disable(task)) ++ return PR_SPEC_PRCTL | PR_SPEC_DISABLE; ++ return PR_SPEC_PRCTL | PR_SPEC_ENABLE; ++ default: ++ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) ++ return PR_SPEC_ENABLE; ++ return PR_SPEC_NOT_AFFECTED; ++ } ++} ++ ++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) ++{ ++ switch (which) { ++ case PR_SPEC_STORE_BYPASS: ++ return ssb_prctl_get(task); ++ default: ++ return -ENODEV; ++ } ++} ++ ++void x86_spec_ctrl_setup_ap(void) ++{ ++ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) ++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ ++ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) ++ x86_amd_ssb_disable(); ++} + + #ifdef CONFIG_SYSFS +-ssize_t cpu_show_meltdown(struct device *dev, +- struct device_attribute *attr, char *buf) ++ ++static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, ++ char *buf, unsigned int bug) + { +- if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) ++ if (!boot_cpu_has_bug(bug)) + return sprintf(buf, "Not affected\n"); +- if (boot_cpu_has(X86_FEATURE_KAISER)) +- return sprintf(buf, "Mitigation: PTI\n"); ++ ++ switch (bug) { ++ case 
X86_BUG_CPU_MELTDOWN: ++ if (boot_cpu_has(X86_FEATURE_KAISER)) ++ return sprintf(buf, "Mitigation: PTI\n"); ++ ++ break; ++ ++ case X86_BUG_SPECTRE_V1: ++ return sprintf(buf, "Mitigation: __user pointer sanitization\n"); ++ ++ case X86_BUG_SPECTRE_V2: ++ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ++ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", ++ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", ++ spectre_v2_module_string()); ++ ++ case X86_BUG_SPEC_STORE_BYPASS: ++ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); ++ ++ default: ++ break; ++ } ++ + return sprintf(buf, "Vulnerable\n"); + } + +-ssize_t cpu_show_spectre_v1(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) + { +- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) +- return sprintf(buf, "Not affected\n"); +- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); ++ return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); + } + +-ssize_t cpu_show_spectre_v2(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) + { +- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) +- return sprintf(buf, "Not affected\n"); ++ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); ++} + +- return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled], +- spectre_v2_module_string()); ++ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); ++} ++ ++ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); + } + #endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 736e2843139b..3d21b28f9826 100644 +--- 
a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + + #ifdef CONFIG_X86_LOCAL_APIC + #include +@@ -674,6 +676,40 @@ static void apply_forced_caps(struct cpuinfo_x86 *c) + } + } + ++static void init_speculation_control(struct cpuinfo_x86 *c) ++{ ++ /* ++ * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support, ++ * and they also have a different bit for STIBP support. Also, ++ * a hypervisor might have set the individual AMD bits even on ++ * Intel CPUs, for finer-grained selection of what's available. ++ */ ++ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { ++ set_cpu_cap(c, X86_FEATURE_IBRS); ++ set_cpu_cap(c, X86_FEATURE_IBPB); ++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); ++ } ++ ++ if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) ++ set_cpu_cap(c, X86_FEATURE_STIBP); ++ ++ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD)) ++ set_cpu_cap(c, X86_FEATURE_SSBD); ++ ++ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { ++ set_cpu_cap(c, X86_FEATURE_IBRS); ++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); ++ } ++ ++ if (cpu_has(c, X86_FEATURE_AMD_IBPB)) ++ set_cpu_cap(c, X86_FEATURE_IBPB); ++ ++ if (cpu_has(c, X86_FEATURE_AMD_STIBP)) { ++ set_cpu_cap(c, X86_FEATURE_STIBP); ++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); ++ } ++} ++ + void get_cpu_cap(struct cpuinfo_x86 *c) + { + u32 eax, ebx, ecx, edx; +@@ -695,6 +731,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx); + c->x86_capability[CPUID_7_0_EBX] = ebx; + c->x86_capability[CPUID_7_ECX] = ecx; ++ c->x86_capability[CPUID_7_EDX] = edx; + } + + /* Extended state features: level 0x0000000d */ +@@ -765,6 +802,14 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); + + init_scattered_cpuid_features(c); ++ init_speculation_control(c); ++ ++ /* ++ * Clear/Set all flags overridden by options, after probe. 
++ * This needs to happen each time we re-probe, which may happen ++ * several times during CPU initialization. ++ */ ++ apply_forced_caps(c); + } + + static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) +@@ -793,6 +838,75 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) + #endif + } + ++static const __initconst struct x86_cpu_id cpu_no_speculation[] = { ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW, X86_FEATURE_ANY }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW, X86_FEATURE_ANY }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT, X86_FEATURE_ANY }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL, X86_FEATURE_ANY }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW, X86_FEATURE_ANY }, ++ { X86_VENDOR_CENTAUR, 5 }, ++ { X86_VENDOR_INTEL, 5 }, ++ { X86_VENDOR_NSC, 5 }, ++ { X86_VENDOR_ANY, 4 }, ++ {} ++}; ++ ++static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { ++ { X86_VENDOR_AMD }, ++ {} ++}; ++ ++static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, ++ { X86_VENDOR_CENTAUR, 5, }, ++ { X86_VENDOR_INTEL, 5, }, ++ { X86_VENDOR_NSC, 5, }, ++ { X86_VENDOR_AMD, 0x12, }, ++ { X86_VENDOR_AMD, 0x11, }, ++ { X86_VENDOR_AMD, 0x10, }, ++ { X86_VENDOR_AMD, 0xf, }, ++ { X86_VENDOR_ANY, 4, }, ++ {} ++}; ++ ++static void __init cpu_set_bug_bits(struct cpuinfo_x86 
*c) ++{ ++ u64 ia32_cap = 0; ++ ++ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) ++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); ++ ++ if (!x86_match_cpu(cpu_no_spec_store_bypass) && ++ !(ia32_cap & ARCH_CAP_SSB_NO)) ++ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); ++ ++ if (x86_match_cpu(cpu_no_speculation)) ++ return; ++ ++ setup_force_cpu_bug(X86_BUG_SPECTRE_V1); ++ setup_force_cpu_bug(X86_BUG_SPECTRE_V2); ++ ++ if (x86_match_cpu(cpu_no_meltdown)) ++ return; ++ ++ /* Rogue Data Cache Load? No! */ ++ if (ia32_cap & ARCH_CAP_RDCL_NO) ++ return; ++ ++ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); ++} ++ + /* + * Do minimum CPU detection early. + * Fields really needed: vendor, cpuid_level, family, model, mask, +@@ -839,11 +953,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) + + setup_force_cpu_cap(X86_FEATURE_ALWAYS); + +- if (c->x86_vendor != X86_VENDOR_AMD) +- setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); +- +- setup_force_cpu_bug(X86_BUG_SPECTRE_V1); +- setup_force_cpu_bug(X86_BUG_SPECTRE_V2); ++ cpu_set_bug_bits(c); + + fpu__init_system(c); + +@@ -1132,6 +1242,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c) + enable_sep_cpu(); + #endif + mtrr_ap_init(); ++ x86_spec_ctrl_setup_ap(); + } + + struct msr_range { +diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h +index 2584265d4745..3b19d82f7932 100644 +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -46,4 +46,7 @@ extern const struct cpu_dev *const __x86_cpu_dev_start[], + + extern void get_cpu_cap(struct cpuinfo_x86 *c); + extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c); ++ ++extern void x86_spec_ctrl_setup_ap(void); ++ + #endif /* ARCH_X86_CPU_H */ +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c +index 9299e3bdfad6..4dce22d3cb06 100644 +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_X86_64 + #include +@@ -25,6 +26,62 
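Review bot: The two match tables added in this hunk are written in different styles: `cpu_no_speculation` spells out `X86_FEATURE_ANY` on its Atom rows, while `cpu_no_spec_store_bypass` leaves the feature field to zero-initialisation and puts trailing commas on the family-only rows. `cpu_set_bug_bits()` treats both as "match on vendor/family/model only", so one form in both tables would make that intent obvious. A short comment in `cpu_set_bug_bits()` would also help, e.g. `/* SSB is evaluated first: it has its own whitelist and must not be skipped by the early returns below */`.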
@@ + #include + #endif + ++/* ++ * Early microcode releases for the Spectre v2 mitigation were broken. ++ * Information taken from; ++ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf ++ * - https://kb.vmware.com/s/article/52345 ++ * - Microcode revisions observed in the wild ++ * - Release note from 20180108 microcode release ++ */ ++struct sku_microcode { ++ u8 model; ++ u8 stepping; ++ u32 microcode; ++}; ++static const struct sku_microcode spectre_bad_microcodes[] = { ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x80 }, ++ { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x80 }, ++ { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e }, ++ { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c }, ++ { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 }, ++ { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b }, ++ { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 }, ++ { INTEL_FAM6_BROADWELL_XEON_D, 0x03, 0x07000011 }, ++ { INTEL_FAM6_BROADWELL_X, 0x01, 0x0b000025 }, ++ { INTEL_FAM6_HASWELL_ULT, 0x01, 0x21 }, ++ { INTEL_FAM6_HASWELL_GT3E, 0x01, 0x18 }, ++ { INTEL_FAM6_HASWELL_CORE, 0x03, 0x23 }, ++ { INTEL_FAM6_HASWELL_X, 0x02, 0x3b }, ++ { INTEL_FAM6_HASWELL_X, 0x04, 0x10 }, ++ { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a }, ++ /* Observed in the wild */ ++ { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b }, ++ { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 }, ++}; ++ ++static bool bad_spectre_microcode(struct cpuinfo_x86 *c) ++{ ++ int i; ++ ++ /* ++ * We know that the hypervisor lie to us on the microcode version so ++ * we may as well hope that it is running the correct version. 
++ */ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return false; ++ ++ for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) { ++ if (c->x86_model == spectre_bad_microcodes[i].model && ++ c->x86_mask == spectre_bad_microcodes[i].stepping) ++ return (c->microcode <= spectre_bad_microcodes[i].microcode); ++ } ++ return false; ++} ++ + static void early_init_intel(struct cpuinfo_x86 *c) + { + u64 misc_enable; +@@ -51,6 +108,22 @@ static void early_init_intel(struct cpuinfo_x86 *c) + rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode); + } + ++ /* Now if any of them are set, check the blacklist and clear the lot */ ++ if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) || ++ cpu_has(c, X86_FEATURE_INTEL_STIBP) || ++ cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || ++ cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) { ++ pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n"); ++ setup_clear_cpu_cap(X86_FEATURE_IBRS); ++ setup_clear_cpu_cap(X86_FEATURE_IBPB); ++ setup_clear_cpu_cap(X86_FEATURE_STIBP); ++ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); ++ setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL); ++ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); ++ setup_clear_cpu_cap(X86_FEATURE_SSBD); ++ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD); ++ } ++ + /* + * Atom erratum AAE44/AAF40/AAG38/AAH41: + * +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index ddc9b8125918..7b8c8c838191 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -2294,9 +2294,6 @@ static ssize_t store_int_with_restart(struct device *s, + if (check_interval == old_check_interval) + return ret; + +- if (check_interval < 1) +- check_interval = 1; +- + mutex_lock(&mce_sysfs_mutex); + mce_restart(); + mutex_unlock(&mce_sysfs_mutex); +diff --git a/arch/x86/kernel/irqflags.S b/arch/x86/kernel/irqflags.S +new file mode 100644 +index 000000000000..3817eb748eb4 +--- /dev/null ++++ 
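Review bot: `bad_spectre_microcode()` compares only `c->x86_model` and `c->x86_mask` against the table, although every entry is an `INTEL_FAM6_*` model, so the family is assumed rather than checked. A guard before the loop makes the assumption explicit and prevents a model/stepping collision in another family from clearing the speculation-control features: `if (c->x86 != 6) return false;`. The early return for `X86_FEATURE_HYPERVISOR` means the blacklist is never applied to guests, so the comment should say that the host is relied on to run fixed microcode.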
b/arch/x86/kernel/irqflags.S +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#include ++#include ++#include ++ ++/* ++ * unsigned long native_save_fl(void) ++ */ ++ENTRY(native_save_fl) ++ pushf ++ pop %_ASM_AX ++ ret ++ENDPROC(native_save_fl) ++EXPORT_SYMBOL(native_save_fl) ++ ++/* ++ * void native_restore_fl(unsigned long flags) ++ * %eax/%rdi: flags ++ */ ++ENTRY(native_restore_fl) ++ push %_ASM_ARG1 ++ popf ++ ret ++ENDPROC(native_restore_fl) ++EXPORT_SYMBOL(native_restore_fl) +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c +index bc429365b72a..8bc68cfc0d33 100644 +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -119,7 +119,7 @@ static void free_ldt_struct(struct ldt_struct *ldt) + * we do not have to muck with descriptors here, that is + * done in switch_mm() as needed. + */ +-int init_new_context(struct task_struct *tsk, struct mm_struct *mm) ++int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm) + { + struct ldt_struct *new_ldt; + struct mm_struct *old_mm; +@@ -160,7 +160,7 @@ out_unlock: + * + * 64bit: Don't touch the LDT register - we're already in the next thread. + */ +-void destroy_context(struct mm_struct *mm) ++void destroy_context_ldt(struct mm_struct *mm) + { + free_ldt_struct(mm->context.ldt); + mm->context.ldt = NULL; +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 7c5c5dc90ffa..e18c8798c3a2 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + /* + * per-CPU TSS segments. Threads are completely 'soft' on Linux, +@@ -130,11 +131,6 @@ void flush_thread(void) + fpu__clear(&tsk->thread.fpu); + } + +-static void hard_disable_TSC(void) +-{ +- cr4_set_bits(X86_CR4_TSD); +-} +- + void disable_TSC(void) + { + preempt_disable(); +@@ -143,15 +139,10 @@ void disable_TSC(void) + * Must flip the CPU state synchronously with + * TIF_NOTSC in the current running context. 
+ */ +- hard_disable_TSC(); ++ cr4_set_bits(X86_CR4_TSD); + preempt_enable(); + } + +-static void hard_enable_TSC(void) +-{ +- cr4_clear_bits(X86_CR4_TSD); +-} +- + static void enable_TSC(void) + { + preempt_disable(); +@@ -160,7 +151,7 @@ static void enable_TSC(void) + * Must flip the CPU state synchronously with + * TIF_NOTSC in the current running context. + */ +- hard_enable_TSC(); ++ cr4_clear_bits(X86_CR4_TSD); + preempt_enable(); + } + +@@ -188,48 +179,199 @@ int set_tsc_mode(unsigned int val) + return 0; + } + +-void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, +- struct tss_struct *tss) ++static inline void switch_to_bitmap(struct tss_struct *tss, ++ struct thread_struct *prev, ++ struct thread_struct *next, ++ unsigned long tifp, unsigned long tifn) + { +- struct thread_struct *prev, *next; +- +- prev = &prev_p->thread; +- next = &next_p->thread; +- +- if (test_tsk_thread_flag(prev_p, TIF_BLOCKSTEP) ^ +- test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) { +- unsigned long debugctl = get_debugctlmsr(); +- +- debugctl &= ~DEBUGCTLMSR_BTF; +- if (test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) +- debugctl |= DEBUGCTLMSR_BTF; +- +- update_debugctlmsr(debugctl); +- } +- +- if (test_tsk_thread_flag(prev_p, TIF_NOTSC) ^ +- test_tsk_thread_flag(next_p, TIF_NOTSC)) { +- /* prev and next are different */ +- if (test_tsk_thread_flag(next_p, TIF_NOTSC)) +- hard_disable_TSC(); +- else +- hard_enable_TSC(); +- } +- +- if (test_tsk_thread_flag(next_p, TIF_IO_BITMAP)) { ++ if (tifn & _TIF_IO_BITMAP) { + /* + * Copy the relevant range of the IO bitmap. 
+ * Normally this is 128 bytes or less: + */ + memcpy(tss->io_bitmap, next->io_bitmap_ptr, + max(prev->io_bitmap_max, next->io_bitmap_max)); +- } else if (test_tsk_thread_flag(prev_p, TIF_IO_BITMAP)) { ++ } else if (tifp & _TIF_IO_BITMAP) { + /* + * Clear any possible leftover bits: + */ + memset(tss->io_bitmap, 0xff, prev->io_bitmap_max); + } ++} ++ ++#ifdef CONFIG_SMP ++ ++struct ssb_state { ++ struct ssb_state *shared_state; ++ raw_spinlock_t lock; ++ unsigned int disable_state; ++ unsigned long local_state; ++}; ++ ++#define LSTATE_SSB 0 ++ ++static DEFINE_PER_CPU(struct ssb_state, ssb_state); ++ ++void speculative_store_bypass_ht_init(void) ++{ ++ struct ssb_state *st = this_cpu_ptr(&ssb_state); ++ unsigned int this_cpu = smp_processor_id(); ++ unsigned int cpu; ++ ++ st->local_state = 0; ++ ++ /* ++ * Shared state setup happens once on the first bringup ++ * of the CPU. It's not destroyed on CPU hotunplug. ++ */ ++ if (st->shared_state) ++ return; ++ ++ raw_spin_lock_init(&st->lock); ++ ++ /* ++ * Go over HT siblings and check whether one of them has set up the ++ * shared state pointer already. ++ */ ++ for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) { ++ if (cpu == this_cpu) ++ continue; ++ ++ if (!per_cpu(ssb_state, cpu).shared_state) ++ continue; ++ ++ /* Link it to the state of the sibling: */ ++ st->shared_state = per_cpu(ssb_state, cpu).shared_state; ++ return; ++ } ++ ++ /* ++ * First HT sibling to come up on the core. Link shared state of ++ * the first HT sibling to itself. The siblings on the same core ++ * which come up later will see the shared state pointer and link ++ * themself to the state of this CPU. ++ */ ++ st->shared_state = st; ++} ++ ++/* ++ * Logic is: First HT sibling enables SSBD for both siblings in the core ++ * and last sibling to disable it, disables it for the whole core. 
This how ++ * MSR_SPEC_CTRL works in "hardware": ++ * ++ * CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL ++ */ ++static __always_inline void amd_set_core_ssb_state(unsigned long tifn) ++{ ++ struct ssb_state *st = this_cpu_ptr(&ssb_state); ++ u64 msr = x86_amd_ls_cfg_base; ++ ++ if (!static_cpu_has(X86_FEATURE_ZEN)) { ++ msr |= ssbd_tif_to_amd_ls_cfg(tifn); ++ wrmsrl(MSR_AMD64_LS_CFG, msr); ++ return; ++ } ++ ++ if (tifn & _TIF_SSBD) { ++ /* ++ * Since this can race with prctl(), block reentry on the ++ * same CPU. ++ */ ++ if (__test_and_set_bit(LSTATE_SSB, &st->local_state)) ++ return; ++ ++ msr |= x86_amd_ls_cfg_ssbd_mask; ++ ++ raw_spin_lock(&st->shared_state->lock); ++ /* First sibling enables SSBD: */ ++ if (!st->shared_state->disable_state) ++ wrmsrl(MSR_AMD64_LS_CFG, msr); ++ st->shared_state->disable_state++; ++ raw_spin_unlock(&st->shared_state->lock); ++ } else { ++ if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state)) ++ return; ++ ++ raw_spin_lock(&st->shared_state->lock); ++ st->shared_state->disable_state--; ++ if (!st->shared_state->disable_state) ++ wrmsrl(MSR_AMD64_LS_CFG, msr); ++ raw_spin_unlock(&st->shared_state->lock); ++ } ++} ++#else ++static __always_inline void amd_set_core_ssb_state(unsigned long tifn) ++{ ++ u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); ++ ++ wrmsrl(MSR_AMD64_LS_CFG, msr); ++} ++#endif ++ ++static __always_inline void amd_set_ssb_virt_state(unsigned long tifn) ++{ ++ /* ++ * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL, ++ * so ssbd_tif_to_spec_ctrl() just works. 
++ */ ++ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn)); ++} ++ ++static __always_inline void intel_set_ssb_state(unsigned long tifn) ++{ ++ u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); ++ ++ wrmsrl(MSR_IA32_SPEC_CTRL, msr); ++} ++ ++static __always_inline void __speculative_store_bypass_update(unsigned long tifn) ++{ ++ if (static_cpu_has(X86_FEATURE_VIRT_SSBD)) ++ amd_set_ssb_virt_state(tifn); ++ else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) ++ amd_set_core_ssb_state(tifn); ++ else ++ intel_set_ssb_state(tifn); ++} ++ ++void speculative_store_bypass_update(unsigned long tif) ++{ ++ preempt_disable(); ++ __speculative_store_bypass_update(tif); ++ preempt_enable(); ++} ++ ++void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, ++ struct tss_struct *tss) ++{ ++ struct thread_struct *prev, *next; ++ unsigned long tifp, tifn; ++ ++ prev = &prev_p->thread; ++ next = &next_p->thread; ++ ++ tifn = READ_ONCE(task_thread_info(next_p)->flags); ++ tifp = READ_ONCE(task_thread_info(prev_p)->flags); ++ switch_to_bitmap(tss, prev, next, tifp, tifn); ++ + propagate_user_return_notify(prev_p, next_p); ++ ++ if ((tifp & _TIF_BLOCKSTEP || tifn & _TIF_BLOCKSTEP) && ++ arch_has_block_step()) { ++ unsigned long debugctl, msk; ++ ++ rdmsrl(MSR_IA32_DEBUGCTLMSR, debugctl); ++ debugctl &= ~DEBUGCTLMSR_BTF; ++ msk = tifn & _TIF_BLOCKSTEP; ++ debugctl |= (msk >> TIF_BLOCKSTEP) << DEBUGCTLMSR_BTF_SHIFT; ++ wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl); ++ } ++ ++ if ((tifp ^ tifn) & _TIF_NOTSC) ++ cr4_toggle_bits(X86_CR4_TSD); ++ ++ if ((tifp ^ tifn) & _TIF_SSBD) ++ __speculative_store_bypass_update(tifn); + } + + /* +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 1f7aefc7b0b4..c017f1c71560 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -75,6 +75,7 @@ + #include + #include + #include ++#include + + /* Number of siblings per CPU package */ + int smp_num_siblings = 1; +@@ -217,6 +218,8 
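Review bot: `struct ssb_state` is added without field documentation, and its locking rule is only implicit in `amd_set_core_ssb_state()`. There, `disable_state` is changed only under `shared_state->lock`, while `local_state` is changed with the non-atomic `__test_and_set_bit()` and `__test_and_clear_bit()`. A comment above the struct should state that `disable_state` counts the siblings that currently have SSBD set and is protected by the shared lock, and that `local_state` is per-CPU and relies on the caller not being preempted. The preemption requirement is inferred from `speculative_store_bypass_update()` wrapping the call in `preempt_disable()`; confirm that it also holds on the `__switch_to_xtra()` path.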
@@ static void notrace start_secondary(void *unused) + */ + check_tsc_sync_target(); + ++ speculative_store_bypass_ht_init(); ++ + /* + * Lock vector_lock and initialize the vectors on this cpu + * before setting the cpu online. We must set it online with +@@ -1209,6 +1212,8 @@ void __init native_smp_prepare_cpus(unsigned int max_cpus) + set_mtrr_aps_delayed_init(); + + smp_quirk_init_udelay(); ++ ++ speculative_store_bypass_ht_init(); + } + + void arch_enable_nonboot_cpus_begin(void) +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 42654375b73f..df7827a981dd 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -37,7 +37,7 @@ + #include + #include + #include +-#include ++#include + + #include + #include "trace.h" +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 63c44a9bf6bb..18143886b186 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -48,7 +48,7 @@ + #include + #include + #include +-#include ++#include + + #include "trace.h" + #include "pmu.h" +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 7cad01af6dcd..6d683bbb3502 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -10,6 +10,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -29,6 +30,8 @@ + * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi + */ + ++atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1); ++ + struct flush_tlb_info { + struct mm_struct *flush_mm; + unsigned long flush_start; +@@ -104,6 +107,36 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, + unsigned cpu = smp_processor_id(); + + if (likely(prev != next)) { ++ u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id); ++ ++ /* ++ * Avoid user/user BTB poisoning by flushing the branch ++ * predictor when switching between processes. This stops ++ * one process from doing Spectre-v2 attacks on another. ++ * ++ * As an optimization, flush indirect branches only when ++ * switching into processes that disable dumping. 
This ++ * protects high value processes like gpg, without having ++ * too high performance overhead. IBPB is *expensive*! ++ * ++ * This will not flush branches when switching into kernel ++ * threads. It will also not flush if we switch to idle ++ * thread and back to the same process. It will flush if we ++ * switch to a different non-dumpable process. ++ */ ++ if (tsk && tsk->mm && ++ tsk->mm->context.ctx_id != last_ctx_id && ++ get_dumpable(tsk->mm) != SUID_DUMP_USER) ++ indirect_branch_prediction_barrier(); ++ ++ /* ++ * Record last user mm's context id, so we can avoid ++ * flushing branch buffer with IBPB if we switch back ++ * to the same user. ++ */ ++ if (next != &init_mm) ++ this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id); ++ + this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); + this_cpu_write(cpu_tlbstate.active_mm, next); + cpumask_set_cpu(cpu, mm_cpumask(next)); +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index a0ac0f9c307f..f5a8cd96bae4 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + + /* + * We allocate runtime services regions bottom-up, starting from -4G, i.e. 
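Review bot: The IBPB condition tests `tsk->mm->context.ctx_id` and `get_dumpable(tsk->mm)`, while the bookkeeping directly below records `next->context.ctx_id`, so the check is only correct if `tsk->mm == next` at every call site. Either compare against the mm actually being switched to, e.g. `next->context.ctx_id != last_ctx_id`, or add a comment stating why `tsk->mm` and `next` are interchangeable here. The comment block should also say that tasks left dumpable get no barrier at all, since that is the security trade-off this code makes. `switch_mm_irqs_off()` starts and continues outside the hunk.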
+@@ -347,6 +348,7 @@ extern efi_status_t efi64_thunk(u32, ...); + \ + efi_sync_low_kernel_mappings(); \ + local_irq_save(flags); \ ++ firmware_restrict_branch_speculation_start(); \ + \ + efi_scratch.prev_cr3 = read_cr3(); \ + write_cr3((unsigned long)efi_scratch.efi_pgt); \ +@@ -357,6 +359,7 @@ extern efi_status_t efi64_thunk(u32, ...); + \ + write_cr3(efi_scratch.prev_cr3); \ + __flush_tlb_all(); \ ++ firmware_restrict_branch_speculation_end(); \ + local_irq_restore(flags); \ + \ + __s; \ +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index cbef64b508e1..82fd84d5e1aa 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -460,6 +460,12 @@ static void __init xen_init_cpuid_mask(void) + cpuid_leaf1_ecx_set_mask = (1 << (X86_FEATURE_MWAIT % 32)); + } + ++static void __init xen_init_capabilities(void) ++{ ++ if (xen_pv_domain()) ++ setup_force_cpu_cap(X86_FEATURE_XENPV); ++} ++ + static void xen_set_debugreg(int reg, unsigned long val) + { + HYPERVISOR_set_debugreg(reg, val); +@@ -1587,6 +1593,7 @@ asmlinkage __visible void __init xen_start_kernel(void) + + xen_init_irq_ops(); + xen_init_cpuid_mask(); ++ xen_init_capabilities(); + + #ifdef CONFIG_X86_LOCAL_APIC + /* +@@ -1883,14 +1890,6 @@ bool xen_hvm_need_lapic(void) + } + EXPORT_SYMBOL_GPL(xen_hvm_need_lapic); + +-static void xen_set_cpu_features(struct cpuinfo_x86 *c) +-{ +- if (xen_pv_domain()) { +- clear_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); +- set_cpu_cap(c, X86_FEATURE_XENPV); +- } +-} +- + const struct hypervisor_x86 x86_hyper_xen = { + .name = "Xen", + .detect = xen_platform, +@@ -1898,7 +1897,6 @@ const struct hypervisor_x86 x86_hyper_xen = { + .init_platform = xen_hvm_guest_init, + #endif + .x2apic_available = xen_x2apic_para_available, +- .set_cpu_features = xen_set_cpu_features, + }; + EXPORT_SYMBOL(x86_hyper_xen); + +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index 3f4ebf0261f2..29e50d1229bc 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ 
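Review bot: `xen_init_capabilities()` forces only `X86_FEATURE_XENPV`, whereas the `xen_set_cpu_features()` callback removed further down in this file also did `clear_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS)` for PV domains. No hunk visible here re-establishes that, so confirm that another part of the series keeps the bug bit from being set under Xen PV. If it does, a one-line comment in `xen_init_capabilities()` saying where that bug bit is now handled would stop the next reader from assuming it was dropped by accident.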
-28,6 +28,7 @@ + #include + #include + ++#include + #include + #include + +@@ -87,6 +88,8 @@ static void cpu_bringup(void) + cpu_data(cpu).x86_max_cores = 1; + set_cpu_sibling_map(cpu); + ++ speculative_store_bypass_ht_init(); ++ + xen_setup_cpu_clockevents(); + + notify_cpu_starting(cpu); +@@ -357,6 +360,8 @@ static void __init xen_smp_prepare_cpus(unsigned int max_cpus) + } + set_cpu_sibling_map(0); + ++ speculative_store_bypass_ht_init(); ++ + xen_pmu_init(0); + + if (xen_smp_intr_init(0)) +diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c +index 7f664c416faf..4ecd0de08557 100644 +--- a/arch/x86/xen/suspend.c ++++ b/arch/x86/xen/suspend.c +@@ -1,11 +1,14 @@ + #include + #include ++#include + + #include + #include + #include + #include + ++#include ++#include + #include + #include + #include +@@ -68,6 +71,8 @@ static void xen_pv_post_suspend(int suspend_cancelled) + xen_mm_unpin_all(); + } + ++static DEFINE_PER_CPU(u64, spec_ctrl); ++ + void xen_arch_pre_suspend(void) + { + if (xen_pv_domain()) +@@ -84,6 +89,9 @@ void xen_arch_post_suspend(int cancelled) + + static void xen_vcpu_notify_restore(void *data) + { ++ if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) ++ wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl)); ++ + /* Boot processor notified via generic timekeeping_resume() */ + if (smp_processor_id() == 0) + return; +@@ -93,7 +101,15 @@ static void xen_vcpu_notify_restore(void *data) + + static void xen_vcpu_notify_suspend(void *data) + { ++ u64 tmp; ++ + tick_suspend_local(); ++ ++ if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) { ++ rdmsrl(MSR_IA32_SPEC_CTRL, tmp); ++ this_cpu_write(spec_ctrl, tmp); ++ wrmsrl(MSR_IA32_SPEC_CTRL, 0); ++ } + } + + void xen_arch_resume(void) +diff --git a/block/blk-core.c b/block/blk-core.c +index f5f1a55703ae..50d77c90070d 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -651,21 +651,17 @@ EXPORT_SYMBOL(blk_alloc_queue); + int blk_queue_enter(struct request_queue *q, gfp_t gfp) + 
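Review bot: The save and restore of `MSR_IA32_SPEC_CTRL` in `xen_vcpu_notify_suspend()` and `xen_vcpu_notify_restore()` are gated on `X86_FEATURE_SPEC_CTRL`, while `x86_spec_ctrl_setup_ap()` in this same patch gates its write on `X86_FEATURE_MSR_SPEC_CTRL`. `init_speculation_control()` sets `X86_FEATURE_MSR_SPEC_CTRL` for the AMD IBRS and STIBP bits as well, so the MSR may be usable on a PV guest where the narrower bit is clear. In that case the value is neither zeroed before suspend nor restored afterwards. Consider `boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)` in both functions, or a comment explaining why only the Intel CPUID bit is intended.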
{ + while (true) { +- int ret; +- + if (percpu_ref_tryget_live(&q->q_usage_counter)) + return 0; + + if (!gfpflags_allow_blocking(gfp)) + return -EBUSY; + +- ret = wait_event_interruptible(q->mq_freeze_wq, +- !atomic_read(&q->mq_freeze_depth) || +- blk_queue_dying(q)); ++ wait_event(q->mq_freeze_wq, ++ !atomic_read(&q->mq_freeze_depth) || ++ blk_queue_dying(q)); + if (blk_queue_dying(q)) + return -ENODEV; +- if (ret) +- return ret; + } + } + +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 3db71afbba93..143edea1076f 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -518,14 +518,22 @@ ssize_t __weak cpu_show_spectre_v2(struct device *dev, + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_spec_store_bypass(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); ++static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, + &dev_attr_spectre_v1.attr, + &dev_attr_spectre_v2.attr, ++ &dev_attr_spec_store_bypass.attr, + NULL + }; + +diff --git a/drivers/clk/tegra/clk-tegra30.c b/drivers/clk/tegra/clk-tegra30.c +index 8c41c6fcb9ee..acf83569f86f 100644 +--- a/drivers/clk/tegra/clk-tegra30.c ++++ b/drivers/clk/tegra/clk-tegra30.c +@@ -333,11 +333,11 @@ static struct pdiv_map pllu_p[] = { + }; + + static struct tegra_clk_pll_freq_table pll_u_freq_table[] = { +- { 12000000, 480000000, 960, 12, 0, 12}, +- { 13000000, 480000000, 960, 13, 0, 12}, +- { 16800000, 480000000, 400, 7, 0, 5}, +- { 19200000, 480000000, 200, 4, 0, 3}, +- { 26000000, 480000000, 960, 26, 0, 12}, ++ { 12000000, 480000000, 960, 12, 2, 12 }, ++ { 13000000, 480000000, 960, 13, 2, 12 }, ++ { 
16800000, 480000000, 400, 7, 2, 5 }, ++ { 19200000, 480000000, 200, 4, 2, 3 }, ++ { 26000000, 480000000, 960, 26, 2, 12 }, + { 0, 0, 0, 0, 0, 0 }, + }; + +@@ -1372,6 +1372,7 @@ static struct tegra_clk_init_table init_table[] __initdata = { + {TEGRA30_CLK_GR2D, TEGRA30_CLK_PLL_C, 300000000, 0}, + {TEGRA30_CLK_GR3D, TEGRA30_CLK_PLL_C, 300000000, 0}, + {TEGRA30_CLK_GR3D2, TEGRA30_CLK_PLL_C, 300000000, 0}, ++ { TEGRA30_CLK_PLL_U, TEGRA30_CLK_CLK_MAX, 480000000, 0 }, + {TEGRA30_CLK_CLK_MAX, TEGRA30_CLK_CLK_MAX, 0, 0}, /* This MUST be the last entry. */ + }; + +diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c +index c1aaf0336cf2..5cde3ad1665e 100644 +--- a/drivers/mtd/ubi/attach.c ++++ b/drivers/mtd/ubi/attach.c +@@ -174,6 +174,40 @@ static int add_corrupted(struct ubi_attach_info *ai, int pnum, int ec) + return 0; + } + ++/** ++ * add_fastmap - add a Fastmap related physical eraseblock. ++ * @ai: attaching information ++ * @pnum: physical eraseblock number the VID header came from ++ * @vid_hdr: the volume identifier header ++ * @ec: erase counter of the physical eraseblock ++ * ++ * This function allocates a 'struct ubi_ainf_peb' object for a Fastamp ++ * physical eraseblock @pnum and adds it to the 'fastmap' list. ++ * Such blocks can be Fastmap super and data blocks from both the most ++ * recent Fastmap we're attaching from or from old Fastmaps which will ++ * be erased. 
++ */ ++static int add_fastmap(struct ubi_attach_info *ai, int pnum, ++ struct ubi_vid_hdr *vid_hdr, int ec) ++{ ++ struct ubi_ainf_peb *aeb; ++ ++ aeb = kmem_cache_alloc(ai->aeb_slab_cache, GFP_KERNEL); ++ if (!aeb) ++ return -ENOMEM; ++ ++ aeb->pnum = pnum; ++ aeb->vol_id = be32_to_cpu(vidh->vol_id); ++ aeb->sqnum = be64_to_cpu(vidh->sqnum); ++ aeb->ec = ec; ++ list_add(&aeb->u.list, &ai->fastmap); ++ ++ dbg_bld("add to fastmap list: PEB %d, vol_id %d, sqnum: %llu", pnum, ++ aeb->vol_id, aeb->sqnum); ++ ++ return 0; ++} ++ + /** + * validate_vid_hdr - check volume identifier header. + * @ubi: UBI device description object +@@ -803,13 +837,26 @@ out_unlock: + return err; + } + ++static bool vol_ignored(int vol_id) ++{ ++ switch (vol_id) { ++ case UBI_LAYOUT_VOLUME_ID: ++ return true; ++ } ++ ++#ifdef CONFIG_MTD_UBI_FASTMAP ++ return ubi_is_fm_vol(vol_id); ++#else ++ return false; ++#endif ++} ++ + /** + * scan_peb - scan and process UBI headers of a PEB. + * @ubi: UBI device description object + * @ai: attaching information + * @pnum: the physical eraseblock number +- * @vid: The volume ID of the found volume will be stored in this pointer +- * @sqnum: The sqnum of the found volume will be stored in this pointer ++ * @fast: true if we're scanning for a Fastmap + * + * This function reads UBI headers of PEB @pnum, checks them, and adds + * information about this PEB to the corresponding list or RB-tree in the +@@ -817,9 +864,9 @@ out_unlock: + * successfully handled and a negative error code in case of failure. 
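Review bot: `add_fastmap()` names its header parameter `vid_hdr` but reads `vidh->vol_id` and `vidh->sqnum`, so the argument is never used. The function presumably picks up a file-scope `vidh` that is not declared in this hunk. The only caller shown passes that same `vidh`, so the result is the same today, but the signature misleads and any future caller passing a different header would be silently ignored. Use the parameter: `aeb->vol_id = be32_to_cpu(vid_hdr->vol_id);` and `aeb->sqnum = be64_to_cpu(vid_hdr->sqnum);`. The kernel-doc above also spells "Fastamp" where "Fastmap" is meant.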
+ */ + static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai, +- int pnum, int *vid, unsigned long long *sqnum) ++ int pnum, bool fast) + { +- long long uninitialized_var(ec); ++ long long ec; + int err, bitflips = 0, vol_id = -1, ec_err = 0; + + dbg_bld("scan PEB %d", pnum); +@@ -935,6 +982,20 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai, + */ + ai->maybe_bad_peb_count += 1; + case UBI_IO_BAD_HDR: ++ /* ++ * If we're facing a bad VID header we have to drop *all* ++ * Fastmap data structures we find. The most recent Fastmap ++ * could be bad and therefore there is a chance that we attach ++ * from an old one. On a fine MTD stack a PEB must not render ++ * bad all of a sudden, but the reality is different. ++ * So, let's be paranoid and help finding the root cause by ++ * falling back to scanning mode instead of attaching with a ++ * bad EBA table and cause data corruption which is hard to ++ * analyze. ++ */ ++ if (fast) ++ ai->force_full_scan = 1; ++ + if (ec_err) + /* + * Both headers are corrupted. 
There is a possibility +@@ -991,21 +1052,15 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai, + } + + vol_id = be32_to_cpu(vidh->vol_id); +- if (vid) +- *vid = vol_id; +- if (sqnum) +- *sqnum = be64_to_cpu(vidh->sqnum); +- if (vol_id > UBI_MAX_VOLUMES && vol_id != UBI_LAYOUT_VOLUME_ID) { ++ if (vol_id > UBI_MAX_VOLUMES && !vol_ignored(vol_id)) { + int lnum = be32_to_cpu(vidh->lnum); + + /* Unsupported internal volume */ + switch (vidh->compat) { + case UBI_COMPAT_DELETE: +- if (vol_id != UBI_FM_SB_VOLUME_ID +- && vol_id != UBI_FM_DATA_VOLUME_ID) { +- ubi_msg(ubi, "\"delete\" compatible internal volume %d:%d found, will remove it", +- vol_id, lnum); +- } ++ ubi_msg(ubi, "\"delete\" compatible internal volume %d:%d found, will remove it", ++ vol_id, lnum); ++ + err = add_to_list(ai, pnum, vol_id, lnum, + ec, 1, &ai->erase); + if (err) +@@ -1037,7 +1092,12 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai, + if (ec_err) + ubi_warn(ubi, "valid VID header but corrupted EC header at PEB %d", + pnum); +- err = ubi_add_to_av(ubi, ai, pnum, ec, vidh, bitflips); ++ ++ if (ubi_is_fm_vol(vol_id)) ++ err = add_fastmap(ai, pnum, vidh, ec); ++ else ++ err = ubi_add_to_av(ubi, ai, pnum, ec, vidh, bitflips); ++ + if (err) + return err; + +@@ -1186,6 +1246,10 @@ static void destroy_ai(struct ubi_attach_info *ai) + list_del(&aeb->u.list); + kmem_cache_free(ai->aeb_slab_cache, aeb); + } ++ list_for_each_entry_safe(aeb, aeb_tmp, &ai->fastmap, u.list) { ++ list_del(&aeb->u.list); ++ kmem_cache_free(ai->aeb_slab_cache, aeb); ++ } + + /* Destroy the volume RB-tree */ + rb = ai->volumes.rb_node; +@@ -1245,7 +1309,7 @@ static int scan_all(struct ubi_device *ubi, struct ubi_attach_info *ai, + cond_resched(); + + dbg_gen("process PEB %d", pnum); +- err = scan_peb(ubi, ai, pnum, NULL, NULL); ++ err = scan_peb(ubi, ai, pnum, false); + if (err < 0) + goto out_vidh; + } +@@ -1311,6 +1375,7 @@ static struct ubi_attach_info *alloc_ai(void) + 
INIT_LIST_HEAD(&ai->free); + INIT_LIST_HEAD(&ai->erase); + INIT_LIST_HEAD(&ai->alien); ++ INIT_LIST_HEAD(&ai->fastmap); + ai->volumes = RB_ROOT; + ai->aeb_slab_cache = kmem_cache_create("ubi_aeb_slab_cache", + sizeof(struct ubi_ainf_peb), +@@ -1337,52 +1402,58 @@ static struct ubi_attach_info *alloc_ai(void) + */ + static int scan_fast(struct ubi_device *ubi, struct ubi_attach_info **ai) + { +- int err, pnum, fm_anchor = -1; +- unsigned long long max_sqnum = 0; ++ int err, pnum; ++ struct ubi_attach_info *scan_ai; + + err = -ENOMEM; + ++ scan_ai = alloc_ai(); ++ if (!scan_ai) ++ goto out; ++ + ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL); + if (!ech) +- goto out; ++ goto out_ai; + + vidh = ubi_zalloc_vid_hdr(ubi, GFP_KERNEL); + if (!vidh) + goto out_ech; + + for (pnum = 0; pnum < UBI_FM_MAX_START; pnum++) { +- int vol_id = -1; +- unsigned long long sqnum = -1; + cond_resched(); + + dbg_gen("process PEB %d", pnum); +- err = scan_peb(ubi, *ai, pnum, &vol_id, &sqnum); ++ err = scan_peb(ubi, scan_ai, pnum, true); + if (err < 0) + goto out_vidh; +- +- if (vol_id == UBI_FM_SB_VOLUME_ID && sqnum > max_sqnum) { +- max_sqnum = sqnum; +- fm_anchor = pnum; +- } + } + + ubi_free_vid_hdr(ubi, vidh); + kfree(ech); + +- if (fm_anchor < 0) +- return UBI_NO_FASTMAP; ++ if (scan_ai->force_full_scan) ++ err = UBI_NO_FASTMAP; ++ else ++ err = ubi_scan_fastmap(ubi, *ai, scan_ai); + +- destroy_ai(*ai); +- *ai = alloc_ai(); +- if (!*ai) +- return -ENOMEM; ++ if (err) { ++ /* ++ * Didn't attach via fastmap, do a full scan but reuse what ++ * we've aready scanned. 
++ */ ++ destroy_ai(*ai); ++ *ai = scan_ai; ++ } else ++ destroy_ai(scan_ai); + +- return ubi_scan_fastmap(ubi, *ai, fm_anchor); ++ return err; + + out_vidh: + ubi_free_vid_hdr(ubi, vidh); + out_ech: + kfree(ech); ++out_ai: ++ destroy_ai(scan_ai); + out: + return err; + } +diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c +index c4a25c858c07..03cf0553ec1b 100644 +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -1178,6 +1178,8 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to, + struct ubi_volume *vol; + uint32_t crc; + ++ ubi_assert(rwsem_is_locked(&ubi->fm_eba_sem)); ++ + vol_id = be32_to_cpu(vid_hdr->vol_id); + lnum = be32_to_cpu(vid_hdr->lnum); + +@@ -1346,9 +1348,7 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to, + } + + ubi_assert(vol->eba_tbl[lnum] == from); +- down_read(&ubi->fm_eba_sem); + vol->eba_tbl[lnum] = to; +- up_read(&ubi->fm_eba_sem); + + out_unlock_buf: + mutex_unlock(&ubi->buf_mutex); +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c +index ed62f1efe6eb..69dd21679a30 100644 +--- a/drivers/mtd/ubi/fastmap-wl.c ++++ b/drivers/mtd/ubi/fastmap-wl.c +@@ -262,6 +262,8 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi) + struct ubi_fm_pool *pool = &ubi->fm_wl_pool; + int pnum; + ++ ubi_assert(rwsem_is_locked(&ubi->fm_eba_sem)); ++ + if (pool->used == pool->size) { + /* We cannot update the fastmap here because this + * function is called in atomic context. +@@ -303,7 +305,7 @@ int ubi_ensure_anchor_pebs(struct ubi_device *ubi) + + wrk->anchor = 1; + wrk->func = &wear_leveling_worker; +- schedule_ubi_work(ubi, wrk); ++ __schedule_ubi_work(ubi, wrk); + return 0; + } + +@@ -344,7 +346,7 @@ int ubi_wl_put_fm_peb(struct ubi_device *ubi, struct ubi_wl_entry *fm_e, + spin_unlock(&ubi->wl_lock); + + vol_id = lnum ? 
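Review bot: In `scan_fast()` the new `if (err) { ... } else destroy_ai(scan_ai);` leaves the else branch unbraced beside a braced if branch; kernel style braces both, i.e. `} else {`, `destroy_ai(scan_ai);`, `}`. The comment inside that block has a typo, `aready` for `already`. That comment should also say that `*ai` is replaced by `scan_ai` on every non-zero return, including negative errors from `ubi_scan_fastmap()`, not only on the "no fastmap" result. The caller that consumes `*ai` and the start of this function's kerneldoc are both outside the hunk.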
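Review bot: The added `ubi_assert(rwsem_is_locked(&ubi->fm_eba_sem))` in `ubi_eba_copy_leb()` only shows that some task holds the semaphore, not that the current caller does. It is therefore a weak guard for the `vol->eba_tbl[lnum] = to` store that the -1346 hunk leaves without its own `down_read()`/`up_read()`. The locking duty has moved to the callers (the wl.c hunks take `fm_eba_sem` in `wear_leveling_worker()`), and that contract should be written into the function's kerneldoc, which lies outside this hunk: `* The caller must hold @ubi->fm_eba_sem.` The same remark applies to the identical assert added to `get_peb_for_wl()` in fastmap-wl.c.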
UBI_FM_DATA_VOLUME_ID : UBI_FM_SB_VOLUME_ID; +- return schedule_erase(ubi, e, vol_id, lnum, torture); ++ return schedule_erase(ubi, e, vol_id, lnum, torture, true); + } + + /** +diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c +index bba7dd1b5ebf..72e89b352034 100644 +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -326,6 +326,7 @@ static int update_vol(struct ubi_device *ubi, struct ubi_attach_info *ai, + aeb->pnum = new_aeb->pnum; + aeb->copy_flag = new_vh->copy_flag; + aeb->scrub = new_aeb->scrub; ++ aeb->sqnum = new_aeb->sqnum; + kmem_cache_free(ai->aeb_slab_cache, new_aeb); + + /* new_aeb is older */ +@@ -850,28 +851,58 @@ fail: + return ret; + } + ++/** ++ * find_fm_anchor - find the most recent Fastmap superblock (anchor) ++ * @ai: UBI attach info to be filled ++ */ ++static int find_fm_anchor(struct ubi_attach_info *ai) ++{ ++ int ret = -1; ++ struct ubi_ainf_peb *aeb; ++ unsigned long long max_sqnum = 0; ++ ++ list_for_each_entry(aeb, &ai->fastmap, u.list) { ++ if (aeb->vol_id == UBI_FM_SB_VOLUME_ID && aeb->sqnum > max_sqnum) { ++ max_sqnum = aeb->sqnum; ++ ret = aeb->pnum; ++ } ++ } ++ ++ return ret; ++} ++ + /** + * ubi_scan_fastmap - scan the fastmap. + * @ubi: UBI device object + * @ai: UBI attach info to be filled +- * @fm_anchor: The fastmap starts at this PEB ++ * @scan_ai: UBI attach info from the first 64 PEBs, ++ * used to find the most recent Fastmap data structure + * + * Returns 0 on success, UBI_NO_FASTMAP if no fastmap was found, + * UBI_BAD_FASTMAP if one was found but is not usable. + * < 0 indicates an internal error. 
+ */ + int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai, +- int fm_anchor) ++ struct ubi_attach_info *scan_ai) + { + struct ubi_fm_sb *fmsb, *fmsb2; + struct ubi_vid_hdr *vh; + struct ubi_ec_hdr *ech; + struct ubi_fastmap_layout *fm; +- int i, used_blocks, pnum, ret = 0; ++ struct ubi_ainf_peb *tmp_aeb, *aeb; ++ int i, used_blocks, pnum, fm_anchor, ret = 0; + size_t fm_size; + __be32 crc, tmp_crc; + unsigned long long sqnum = 0; + ++ fm_anchor = find_fm_anchor(scan_ai); ++ if (fm_anchor < 0) ++ return UBI_NO_FASTMAP; ++ ++ /* Move all (possible) fastmap blocks into our new attach structure. */ ++ list_for_each_entry_safe(aeb, tmp_aeb, &scan_ai->fastmap, u.list) ++ list_move_tail(&aeb->u.list, &ai->fastmap); ++ + down_write(&ubi->fm_protect); + memset(ubi->fm_buf, 0, ubi->fm_size); + +@@ -1484,22 +1515,30 @@ int ubi_update_fastmap(struct ubi_device *ubi) + struct ubi_wl_entry *tmp_e; + + down_write(&ubi->fm_protect); ++ down_write(&ubi->work_sem); ++ down_write(&ubi->fm_eba_sem); + + ubi_refill_pools(ubi); + + if (ubi->ro_mode || ubi->fm_disabled) { ++ up_write(&ubi->fm_eba_sem); ++ up_write(&ubi->work_sem); + up_write(&ubi->fm_protect); + return 0; + } + + ret = ubi_ensure_anchor_pebs(ubi); + if (ret) { ++ up_write(&ubi->fm_eba_sem); ++ up_write(&ubi->work_sem); + up_write(&ubi->fm_protect); + return ret; + } + + new_fm = kzalloc(sizeof(*new_fm), GFP_KERNEL); + if (!new_fm) { ++ up_write(&ubi->fm_eba_sem); ++ up_write(&ubi->work_sem); + up_write(&ubi->fm_protect); + return -ENOMEM; + } +@@ -1608,16 +1647,14 @@ int ubi_update_fastmap(struct ubi_device *ubi) + new_fm->e[0] = tmp_e; + } + +- down_write(&ubi->work_sem); +- down_write(&ubi->fm_eba_sem); + ret = ubi_write_fastmap(ubi, new_fm); +- up_write(&ubi->fm_eba_sem); +- up_write(&ubi->work_sem); + + if (ret) + goto err; + + out_unlock: ++ up_write(&ubi->fm_eba_sem); ++ up_write(&ubi->work_sem); + up_write(&ubi->fm_protect); + kfree(old_fm); + return ret; +diff --git a/drivers/mtd/ubi/ubi.h 
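Review bot: The kerneldoc for the new `find_fm_anchor()` describes `@ai` as "UBI attach info to be filled", but the function only walks `ai->fastmap` and never writes to it, and the return value is not documented at all. Suggested wording: `* @ai: UBI attach info whose fastmap list is searched` plus `* Returns the PEB number of the newest Fastmap superblock, or -1 if none is found.` Because `max_sqnum` starts at 0 and the comparison is a strict `>`, a superblock with sqnum 0 is never selected. That matches the removed loop in `scan_fast()`, but a short comment saying so would help if sqnum 0 can occur on flash.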
b/drivers/mtd/ubi/ubi.h +index de1ea2e4c37d..05d9ec66437c 100644 +--- a/drivers/mtd/ubi/ubi.h ++++ b/drivers/mtd/ubi/ubi.h +@@ -699,6 +699,8 @@ struct ubi_ainf_volume { + * @erase: list of physical eraseblocks which have to be erased + * @alien: list of physical eraseblocks which should not be used by UBI (e.g., + * those belonging to "preserve"-compatible internal volumes) ++ * @fastmap: list of physical eraseblocks which relate to fastmap (e.g., ++ * eraseblocks of the current and not yet erased old fastmap blocks) + * @corr_peb_count: count of PEBs in the @corr list + * @empty_peb_count: count of PEBs which are presumably empty (contain only + * 0xFF bytes) +@@ -709,6 +711,8 @@ struct ubi_ainf_volume { + * @vols_found: number of volumes found + * @highest_vol_id: highest volume ID + * @is_empty: flag indicating whether the MTD device is empty or not ++ * @force_full_scan: flag indicating whether we need to do a full scan and drop ++ all existing Fastmap data structures + * @min_ec: lowest erase counter value + * @max_ec: highest erase counter value + * @max_sqnum: highest sequence number value +@@ -727,6 +731,7 @@ struct ubi_attach_info { + struct list_head free; + struct list_head erase; + struct list_head alien; ++ struct list_head fastmap; + int corr_peb_count; + int empty_peb_count; + int alien_peb_count; +@@ -735,6 +740,7 @@ struct ubi_attach_info { + int vols_found; + int highest_vol_id; + int is_empty; ++ int force_full_scan; + int min_ec; + int max_ec; + unsigned long long max_sqnum; +@@ -907,7 +913,7 @@ int ubi_compare_lebs(struct ubi_device *ubi, const struct ubi_ainf_peb *aeb, + size_t ubi_calc_fm_size(struct ubi_device *ubi); + int ubi_update_fastmap(struct ubi_device *ubi); + int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai, +- int fm_anchor); ++ struct ubi_attach_info *scan_ai); + #else + static inline int ubi_update_fastmap(struct ubi_device *ubi) { return 0; } + #endif +@@ -1101,4 +1107,42 @@ static inline int 
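Review bot: In the -709 hunk the second line of the new `@force_full_scan` description has no leading ` *`, so the continuation text sits bare inside the kerneldoc block and breaks the comment's layout for kerneldoc tooling. The line should read ` *                   all existing Fastmap data structures`, aligned like the other continuation lines in this comment. The comment block itself starts outside the hunk.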
idx2vol_id(const struct ubi_device *ubi, int idx) + return idx; + } + ++/** ++ * ubi_is_fm_vol - check whether a volume ID is a Fastmap volume. ++ * @vol_id: volume ID ++ */ ++static inline bool ubi_is_fm_vol(int vol_id) ++{ ++ switch (vol_id) { ++ case UBI_FM_SB_VOLUME_ID: ++ case UBI_FM_DATA_VOLUME_ID: ++ return true; ++ } ++ ++ return false; ++} ++ ++/** ++ * ubi_find_fm_block - check whether a PEB is part of the current Fastmap. ++ * @ubi: UBI device description object ++ * @pnum: physical eraseblock to look for ++ * ++ * This function returns a wear leveling object if @pnum relates to the current ++ * fastmap, @NULL otherwise. ++ */ ++static inline struct ubi_wl_entry *ubi_find_fm_block(const struct ubi_device *ubi, ++ int pnum) ++{ ++ int i; ++ ++ if (ubi->fm) { ++ for (i = 0; i < ubi->fm->used_blocks; i++) { ++ if (ubi->fm->e[i]->pnum == pnum) ++ return ubi->fm->e[i]; ++ } ++ } ++ ++ return NULL; ++} ++ + #endif /* !__UBI_UBI_H__ */ +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index ca9746f41ff1..b3c1b8106a68 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -580,7 +580,7 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk, + * failure. 
+ */ + static int schedule_erase(struct ubi_device *ubi, struct ubi_wl_entry *e, +- int vol_id, int lnum, int torture) ++ int vol_id, int lnum, int torture, bool nested) + { + struct ubi_work *wl_wrk; + +@@ -599,7 +599,10 @@ static int schedule_erase(struct ubi_device *ubi, struct ubi_wl_entry *e, + wl_wrk->lnum = lnum; + wl_wrk->torture = torture; + +- schedule_ubi_work(ubi, wl_wrk); ++ if (nested) ++ __schedule_ubi_work(ubi, wl_wrk); ++ else ++ schedule_ubi_work(ubi, wl_wrk); + return 0; + } + +@@ -658,6 +661,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + if (!vid_hdr) + return -ENOMEM; + ++ down_read(&ubi->fm_eba_sem); + mutex_lock(&ubi->move_mutex); + spin_lock(&ubi->wl_lock); + ubi_assert(!ubi->move_from && !ubi->move_to); +@@ -884,6 +888,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + + dbg_wl("done"); + mutex_unlock(&ubi->move_mutex); ++ up_read(&ubi->fm_eba_sem); + return 0; + + /* +@@ -925,6 +930,7 @@ out_not_moved: + } + + mutex_unlock(&ubi->move_mutex); ++ up_read(&ubi->fm_eba_sem); + return 0; + + out_error: +@@ -946,6 +952,7 @@ out_error: + out_ro: + ubi_ro_mode(ubi); + mutex_unlock(&ubi->move_mutex); ++ up_read(&ubi->fm_eba_sem); + ubi_assert(err != 0); + return err < 0 ? 
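Review bot: `schedule_erase()` gains a `bool nested` parameter, but the kerneldoc above it, whose tail is the only part visible in this hunk, is not extended to describe it. The -599 hunk shows that `nested` selects `__schedule_ubi_work()` over `schedule_ubi_work()`, and the only caller passing `true` is reached from `ubi_update_fastmap()`, which now holds `work_sem`. If that is the intended meaning, add `* @nested: true if the caller already holds @ubi->work_sem`. A bare `true`/`false` at the call sites in later hunks is hard to read without it.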
err : -EIO; + +@@ -953,6 +960,7 @@ out_cancel: + ubi->wl_scheduled = 0; + spin_unlock(&ubi->wl_lock); + mutex_unlock(&ubi->move_mutex); ++ up_read(&ubi->fm_eba_sem); + ubi_free_vid_hdr(ubi, vid_hdr); + return 0; + } +@@ -1075,7 +1083,7 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) + int err1; + + /* Re-schedule the LEB for erasure */ +- err1 = schedule_erase(ubi, e, vol_id, lnum, 0); ++ err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false); + if (err1) { + wl_entry_destroy(ubi, e); + err = err1; +@@ -1256,7 +1264,7 @@ retry: + } + spin_unlock(&ubi->wl_lock); + +- err = schedule_erase(ubi, e, vol_id, lnum, torture); ++ err = schedule_erase(ubi, e, vol_id, lnum, torture, false); + if (err) { + spin_lock(&ubi->wl_lock); + wl_tree_add(e, &ubi->used); +@@ -1500,6 +1508,46 @@ static void shutdown_work(struct ubi_device *ubi) + } + } + ++/** ++ * erase_aeb - erase a PEB given in UBI attach info PEB ++ * @ubi: UBI device description object ++ * @aeb: UBI attach info PEB ++ * @sync: If true, erase synchronously. Otherwise schedule for erasure ++ */ ++static int erase_aeb(struct ubi_device *ubi, struct ubi_ainf_peb *aeb, bool sync) ++{ ++ struct ubi_wl_entry *e; ++ int err; ++ ++ e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL); ++ if (!e) ++ return -ENOMEM; ++ ++ e->pnum = aeb->pnum; ++ e->ec = aeb->ec; ++ ubi->lookuptbl[e->pnum] = e; ++ ++ if (sync) { ++ err = sync_erase(ubi, e, false); ++ if (err) ++ goto out_free; ++ ++ wl_tree_add(e, &ubi->free); ++ ubi->free_count++; ++ } else { ++ err = schedule_erase(ubi, e, aeb->vol_id, aeb->lnum, 0, false); ++ if (err) ++ goto out_free; ++ } ++ ++ return 0; ++ ++out_free: ++ wl_entry_destroy(ubi, e); ++ ++ return err; ++} ++ + /** + * ubi_wl_init - initialize the WL sub-system using attaching information. 
+ * @ubi: UBI device description object +@@ -1537,17 +1585,9 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai) + list_for_each_entry_safe(aeb, tmp, &ai->erase, u.list) { + cond_resched(); + +- e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL); +- if (!e) +- goto out_free; +- +- e->pnum = aeb->pnum; +- e->ec = aeb->ec; +- ubi->lookuptbl[e->pnum] = e; +- if (schedule_erase(ubi, e, aeb->vol_id, aeb->lnum, 0)) { +- wl_entry_destroy(ubi, e); ++ err = erase_aeb(ubi, aeb, false); ++ if (err) + goto out_free; +- } + + found_pebs++; + } +@@ -1598,19 +1638,49 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai) + } + } + +- dbg_wl("found %i PEBs", found_pebs); ++ list_for_each_entry(aeb, &ai->fastmap, u.list) { ++ cond_resched(); + +- if (ubi->fm) { +- ubi_assert(ubi->good_peb_count == +- found_pebs + ubi->fm->used_blocks); ++ e = ubi_find_fm_block(ubi, aeb->pnum); + +- for (i = 0; i < ubi->fm->used_blocks; i++) { +- e = ubi->fm->e[i]; ++ if (e) { ++ ubi_assert(!ubi->lookuptbl[e->pnum]); + ubi->lookuptbl[e->pnum] = e; ++ } else { ++ bool sync = false; ++ ++ /* ++ * Usually old Fastmap PEBs are scheduled for erasure ++ * and we don't have to care about them but if we face ++ * an power cut before scheduling them we need to ++ * take care of them here. ++ */ ++ if (ubi->lookuptbl[aeb->pnum]) ++ continue; ++ ++ /* ++ * The fastmap update code might not find a free PEB for ++ * writing the fastmap anchor to and then reuses the ++ * current fastmap anchor PEB. When this PEB gets erased ++ * and a power cut happens before it is written again we ++ * must make sure that the fastmap attach code doesn't ++ * find any outdated fastmap anchors, hence we erase the ++ * outdated fastmap anchor PEBs synchronously here. 
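Review bot: The kerneldoc for the new `erase_aeb()` lists the parameters but not the return value, although `ubi_wl_init()` now propagates it through `err`. Add `* Returns zero in case of success and a negative error code in case of failure.` The function also stores `e` in `ubi->lookuptbl[e->pnum]` before the erase or scheduling has succeeded. It relies on `wl_entry_destroy()` at `out_free` to undo that, and since that helper is outside the hunk, a one-line comment at the label stating this would make the error path verifiable.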
++ */ ++ if (aeb->vol_id == UBI_FM_SB_VOLUME_ID) ++ sync = true; ++ ++ err = erase_aeb(ubi, aeb, sync); ++ if (err) ++ goto out_free; + } ++ ++ found_pebs++; + } +- else +- ubi_assert(ubi->good_peb_count == found_pebs); ++ ++ dbg_wl("found %i PEBs", found_pebs); ++ ++ ubi_assert(ubi->good_peb_count == found_pebs); + + reserved_pebs = WL_RESERVED_PEBS; + ubi_fastmap_init(ubi, &reserved_pebs); +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 1325825d5225..ce3a56bea6e6 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -9278,6 +9278,15 @@ static int tg3_chip_reset(struct tg3 *tp) + + tg3_restore_clk(tp); + ++ /* Increase the core clock speed to fix tx timeout issue for 5762 ++ * with 100Mbps link speed. ++ */ ++ if (tg3_asic_rev(tp) == ASIC_REV_5762) { ++ val = tr32(TG3_CPMU_CLCK_ORIDE_ENABLE); ++ tw32(TG3_CPMU_CLCK_ORIDE_ENABLE, val | ++ TG3_CPMU_MAC_ORIDE_ENABLE); ++ } ++ + /* Reprobe ASF enable state. */ + tg3_flag_clear(tp, ENABLE_ASF); + tp->phy_flags &= ~(TG3_PHYFLG_1G_ON_VAUX_OK | +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 8179727d3423..1f2f25a71d18 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1265,11 +1265,8 @@ static int gen10g_resume(struct phy_device *phydev) + + static int __set_phy_supported(struct phy_device *phydev, u32 max_speed) + { +- /* The default values for phydev->supported are provided by the PHY +- * driver "features" member, we want to reset to sane defaults first +- * before supporting higher speeds. 
+- */ +- phydev->supported &= PHY_DEFAULT_FEATURES; ++ phydev->supported &= ~(PHY_1000BT_FEATURES | PHY_100BT_FEATURES | ++ PHY_10BT_FEATURES); + + switch (max_speed) { + default: +diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c +index da7bae991552..d877ff124365 100644 +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -88,6 +88,7 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin, + case PTP_PF_PHYSYNC: + if (chan != 0) + return -EINVAL; ++ break; + default: + return -EINVAL; + } +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index f2e9f59c90d6..2d837b6bd495 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -887,6 +887,41 @@ static void xhci_disable_port_wake_on_bits(struct xhci_hcd *xhci) + spin_unlock_irqrestore(&xhci->lock, flags); + } + ++static bool xhci_pending_portevent(struct xhci_hcd *xhci) ++{ ++ __le32 __iomem **port_array; ++ int port_index; ++ u32 status; ++ u32 portsc; ++ ++ status = readl(&xhci->op_regs->status); ++ if (status & STS_EINT) ++ return true; ++ /* ++ * Checking STS_EINT is not enough as there is a lag between a change ++ * bit being set and the Port Status Change Event that it generated ++ * being written to the Event Ring. See note in xhci 1.1 section 4.19.2. 
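Review bot: In `__set_phy_supported()` the deleted comment was the only explanation of the masking step, and the replacement `phydev->supported &= ~(PHY_1000BT_FEATURES | PHY_100BT_FEATURES | PHY_10BT_FEATURES);` carries none. A reader cannot tell from this line why the non-speed bits are now preserved. Suggested comment, assuming the `switch (max_speed)` whose body continues outside the hunk restores the allowed speeds: `/* Clear only the speed bits; the switch below re-adds those permitted by max_speed. */`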
++ */ ++ ++ port_index = xhci->num_usb2_ports; ++ port_array = xhci->usb2_ports; ++ while (port_index--) { ++ portsc = readl(port_array[port_index]); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ port_index = xhci->num_usb3_ports; ++ port_array = xhci->usb3_ports; ++ while (port_index--) { ++ portsc = readl(port_array[port_index]); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ return false; ++} ++ + /* + * Stop HC (not bus-specific) + * +@@ -983,7 +1018,7 @@ EXPORT_SYMBOL_GPL(xhci_suspend); + */ + int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + { +- u32 command, temp = 0, status; ++ u32 command, temp = 0; + struct usb_hcd *hcd = xhci_to_hcd(xhci); + struct usb_hcd *secondary_hcd; + int retval = 0; +@@ -1105,8 +1140,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + done: + if (retval == 0) { + /* Resume root hubs only when have pending events. */ +- status = readl(&xhci->op_regs->status); +- if (status & STS_EINT) { ++ if (xhci_pending_portevent(xhci)) { + usb_hcd_resume_root_hub(xhci->shared_hcd); + usb_hcd_resume_root_hub(hcd); + } +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 1715705acc59..84d8871755b7 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -382,6 +382,10 @@ struct xhci_op_regs { + #define PORT_PLC (1 << 22) + /* port configure error change - port failed to configure its link partner */ + #define PORT_CEC (1 << 23) ++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ ++ PORT_RC | PORT_PLC | PORT_CEC) ++ ++ + /* Cold Attach Status - xHC can set this bit to report device attached during + * Sx state. Warm port reset should be perfomed to clear this bit and move port + * to connected state. 
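Review bot: `xhci_pending_portevent()` contains the same port-scan loop twice, once for the USB2 array and once for the USB3 array, differing only in the array and count. Any later change to the wake condition would have to be made in both places. A small static helper taking the array and the port count keeps the condition in one place. The explanatory comment about the event lag also reads more naturally above the `STS_EINT` test than after its `return true`.

```c
static bool xhci_ports_have_event(__le32 __iomem **port_array, int num_ports)
{
	u32 portsc;

	while (num_ports--) {
		portsc = readl(port_array[num_ports]);
		if (portsc & PORT_CHANGE_MASK ||
		    (portsc & PORT_PLS_MASK) == XDEV_RESUME)
			return true;
	}
	return false;
}

static bool xhci_pending_portevent(struct xhci_hcd *xhci)
{
	/* … unchanged: STS_EINT check and the comment on the event lag … */
	return xhci_ports_have_event(xhci->usb2_ports, xhci->num_usb2_ports) ||
	       xhci_ports_have_event(xhci->usb3_ports, xhci->num_usb3_ports);
}
```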
+diff --git a/fs/fat/inode.c b/fs/fat/inode.c +index cf644d52c0cf..c81cfb79a339 100644 +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -613,13 +613,21 @@ static void fat_set_state(struct super_block *sb, + brelse(bh); + } + ++static void fat_reset_iocharset(struct fat_mount_options *opts) ++{ ++ if (opts->iocharset != fat_default_iocharset) { ++ /* Note: opts->iocharset can be NULL here */ ++ kfree(opts->iocharset); ++ opts->iocharset = fat_default_iocharset; ++ } ++} ++ + static void delayed_free(struct rcu_head *p) + { + struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu); + unload_nls(sbi->nls_disk); + unload_nls(sbi->nls_io); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + kfree(sbi); + } + +@@ -1034,7 +1042,7 @@ static int parse_options(struct super_block *sb, char *options, int is_vfat, + opts->fs_fmask = opts->fs_dmask = current_umask(); + opts->allow_utime = -1; + opts->codepage = fat_default_codepage; +- opts->iocharset = fat_default_iocharset; ++ fat_reset_iocharset(opts); + if (is_vfat) { + opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95; + opts->rodir = 0; +@@ -1184,8 +1192,7 @@ static int parse_options(struct super_block *sb, char *options, int is_vfat, + + /* vfat specific */ + case Opt_charset: +- if (opts->iocharset != fat_default_iocharset) +- kfree(opts->iocharset); ++ fat_reset_iocharset(opts); + iocharset = match_strdup(&args[0]); + if (!iocharset) + return -ENOMEM; +@@ -1776,8 +1783,7 @@ out_fail: + iput(fat_inode); + unload_nls(sbi->nls_io); + unload_nls(sbi->nls_disk); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + sb->s_fs_info = NULL; + kfree(sbi); + return error; +diff --git a/fs/proc/array.c b/fs/proc/array.c +index b6c00ce0e29e..cb71cbae606d 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -79,6 +79,7 @@ + #include + #include + 
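Review bot: In the -1034 hunk, `fat_reset_iocharset(opts)` replaces a plain assignment at the top of `parse_options()`, so that line now calls `kfree()` on whatever `opts->iocharset` holds unless it equals the default. This is safe only if `opts` is zero-initialised or already holds a valid allocation when `parse_options()` first runs. The helper's own comment ("can be NULL here") hints at that, but the allocation of the enclosing `msdos_sb_info` is not visible in any hunk. A comment at the call site would record the precondition, e.g. `/* opts must be zeroed or previously parsed: iocharset is kfree()d here */`. The other three call sites replace an existing compare-and-free and do not add a new requirement.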
#include ++#include + #include + #include + #include +@@ -332,6 +333,31 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p) + #ifdef CONFIG_SECCOMP + seq_printf(m, "Seccomp:\t%d\n", p->seccomp.mode); + #endif ++ seq_printf(m, "\nSpeculation_Store_Bypass:\t"); ++ switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) { ++ case -EINVAL: ++ seq_printf(m, "unknown"); ++ break; ++ case PR_SPEC_NOT_AFFECTED: ++ seq_printf(m, "not vulnerable"); ++ break; ++ case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE: ++ seq_printf(m, "thread force mitigated"); ++ break; ++ case PR_SPEC_PRCTL | PR_SPEC_DISABLE: ++ seq_printf(m, "thread mitigated"); ++ break; ++ case PR_SPEC_PRCTL | PR_SPEC_ENABLE: ++ seq_printf(m, "thread vulnerable"); ++ break; ++ case PR_SPEC_DISABLE: ++ seq_printf(m, "globally mitigated"); ++ break; ++ default: ++ seq_printf(m, "vulnerable"); ++ break; ++ } ++ seq_putc(m, '\n'); + } + + static inline void task_context_switch_counts(struct seq_file *m, +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 7e04bcd9af8e..2f9d12022100 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -46,6 +46,8 @@ extern ssize_t cpu_show_spectre_v1(struct device *dev, + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_spec_store_bypass(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, +diff --git a/include/linux/nospec.h b/include/linux/nospec.h +index e791ebc65c9c..0c5ef54fd416 100644 +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -7,6 +7,8 @@ + #define _LINUX_NOSPEC_H + #include + ++struct task_struct; ++ + /** + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise + * @index: array element index +@@ -55,4 +57,12 @@ static inline unsigned long 
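Review bot: In `task_seccomp()` the context line above already ends the Seccomp field with `"\n"`, and the added `seq_printf(m, "\nSpeculation_Store_Bypass:\t");` starts with another newline. With CONFIG_SECCOMP enabled the status output therefore gains an empty line before the new field, which can trip tools that parse the file line by line. Dropping the leading newline fixes it: `seq_puts(m, "Speculation_Store_Bypass:\t");`. The constant-string `seq_printf()` calls in the switch would likewise be clearer as `seq_puts()`.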
array_index_mask_nospec(unsigned long index, + \ + (typeof(_i)) (_i & _mask); \ + }) ++ ++/* Speculation control prctl */ ++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which); ++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, ++ unsigned long ctrl); ++/* Speculation control for seccomp enforced mitigation */ ++void arch_seccomp_spec_mitigate(struct task_struct *task); ++ + #endif /* _LINUX_NOSPEC_H */ +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 90bea398e5e0..725498cc5d30 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2167,6 +2167,8 @@ static inline void memalloc_noio_restore(unsigned int flags) + #define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */ + #define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */ + #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */ ++#define PFA_SPEC_SSB_DISABLE 4 /* Speculative Store Bypass disabled */ ++#define PFA_SPEC_SSB_FORCE_DISABLE 5 /* Speculative Store Bypass force disabled*/ + + + #define TASK_PFA_TEST(name, func) \ +@@ -2190,6 +2192,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab) + TASK_PFA_SET(SPREAD_SLAB, spread_slab) + TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab) + ++TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable) ++TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable) ++TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable) ++ ++TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) ++TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) ++ + /* + * task->jobctl flags + */ +diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h +index 2296e6b2f690..5a53d34bba26 100644 +--- a/include/linux/seccomp.h ++++ b/include/linux/seccomp.h +@@ -3,7 +3,8 @@ + + #include + +-#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC) ++#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ ++ SECCOMP_FILTER_FLAG_SPEC_ALLOW) + + #ifdef CONFIG_SECCOMP + +diff --git a/include/linux/skbuff.h 
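Review bot: In the sched.h -2190 hunk `SPEC_SSB_FORCE_DISABLE` gets `TASK_PFA_TEST` and `TASK_PFA_SET` but no `TASK_PFA_CLEAR`, unlike `SPEC_SSB_DISABLE` directly above it. That asymmetry looks deliberate for a flag named "force", but nothing says so, and a later cleanup could add the missing accessor by analogy. If it is intended, add a comment such as `/* No TASK_PFA_CLEAR: a forced disable must not be reverted for the task. */`. The -2167 hunk also numbers the new flags 4 and 5 after 2, so a note on why bit 3 is skipped would help.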
b/include/linux/skbuff.h +index a6da214d0584..c28bd8be290a 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -514,6 +514,7 @@ static inline bool skb_mstamp_after(const struct skb_mstamp *t1, + * @hash: the packet hash + * @queue_mapping: Queue mapping for multiqueue devices + * @xmit_more: More SKBs are pending for this queue ++ * @pfmemalloc: skbuff was allocated from PFMEMALLOC reserves + * @ndisc_nodetype: router type (from link layer) + * @ooo_okay: allow the mapping of a socket to a queue to be changed + * @l4_hash: indicate hash is a canonical 4-tuple hash over transport +@@ -594,8 +595,8 @@ struct sk_buff { + fclone:2, + peeked:1, + head_frag:1, +- xmit_more:1; +- /* one bit hole */ ++ xmit_more:1, ++ pfmemalloc:1; + kmemcheck_bitfield_end(flags1); + + /* fields enclosed in headers_start/headers_end are copied +@@ -615,19 +616,18 @@ struct sk_buff { + + __u8 __pkt_type_offset[0]; + __u8 pkt_type:3; +- __u8 pfmemalloc:1; + __u8 ignore_df:1; + __u8 nfctinfo:3; +- + __u8 nf_trace:1; ++ + __u8 ip_summed:2; + __u8 ooo_okay:1; + __u8 l4_hash:1; + __u8 sw_hash:1; + __u8 wifi_acked_valid:1; + __u8 wifi_acked:1; +- + __u8 no_fcs:1; ++ + /* Indicates the inner headers are valid in the skbuff. */ + __u8 encapsulation:1; + __u8 encap_hdr_csum:1; +@@ -635,11 +635,11 @@ struct sk_buff { + __u8 csum_complete_sw:1; + __u8 csum_level:2; + __u8 csum_bad:1; +- + #ifdef CONFIG_IPV6_NDISC_NODETYPE + __u8 ndisc_nodetype:2; + #endif + __u8 ipvs_property:1; ++ + __u8 inner_protocol_type:1; + __u8 remcsum_offload:1; + /* 3 or 5 bit hole */ +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 84f0d0602433..0e01d570fa22 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -762,7 +762,7 @@ static inline __be32 ip6_make_flowlabel(struct net *net, struct sk_buff *skb, + * to minimize possbility that any useful information to an + * attacker is leaked. Only lower 20 bits are relevant. 
+ */ +- rol32(hash, 16); ++ hash = rol32(hash, 16); + + flowlabel = (__force __be32)hash & IPV6_FLOWLABEL_MASK; + +diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h +index a8d0759a9e40..64776b72e1eb 100644 +--- a/include/uapi/linux/prctl.h ++++ b/include/uapi/linux/prctl.h +@@ -197,4 +197,16 @@ struct prctl_mm_map { + # define PR_CAP_AMBIENT_LOWER 3 + # define PR_CAP_AMBIENT_CLEAR_ALL 4 + ++/* Per task speculation control */ ++#define PR_GET_SPECULATION_CTRL 52 ++#define PR_SET_SPECULATION_CTRL 53 ++/* Speculation control variants */ ++# define PR_SPEC_STORE_BYPASS 0 ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++# define PR_SPEC_NOT_AFFECTED 0 ++# define PR_SPEC_PRCTL (1UL << 0) ++# define PR_SPEC_ENABLE (1UL << 1) ++# define PR_SPEC_DISABLE (1UL << 2) ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++ + #endif /* _LINUX_PRCTL_H */ +diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h +index 0f238a43ff1e..e4acb615792b 100644 +--- a/include/uapi/linux/seccomp.h ++++ b/include/uapi/linux/seccomp.h +@@ -15,7 +15,9 @@ + #define SECCOMP_SET_MODE_FILTER 1 + + /* Valid flags for SECCOMP_SET_MODE_FILTER */ +-#define SECCOMP_FILTER_FLAG_TSYNC 1 ++#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) ++/* In v4.14+ SECCOMP_FILTER_FLAG_LOG is (1UL << 1) */ ++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) + + /* + * All BPF programs must return a 32-bit value. 
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c +index efd384f3f852..9a9203b15cde 100644 +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -16,6 +16,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -214,8 +216,11 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) + return true; + } + ++void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { } ++ + static inline void seccomp_assign_mode(struct task_struct *task, +- unsigned long seccomp_mode) ++ unsigned long seccomp_mode, ++ unsigned long flags) + { + assert_spin_locked(&task->sighand->siglock); + +@@ -225,6 +230,9 @@ static inline void seccomp_assign_mode(struct task_struct *task, + * filter) is set. + */ + smp_mb__before_atomic(); ++ /* Assume default seccomp processes want spec flaw mitigation. */ ++ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0) ++ arch_seccomp_spec_mitigate(task); + set_tsk_thread_flag(task, TIF_SECCOMP); + } + +@@ -292,7 +300,7 @@ static inline pid_t seccomp_can_sync_threads(void) + * without dropping the locks. + * + */ +-static inline void seccomp_sync_threads(void) ++static inline void seccomp_sync_threads(unsigned long flags) + { + struct task_struct *thread, *caller; + +@@ -333,7 +341,8 @@ static inline void seccomp_sync_threads(void) + * allow one thread to transition the other. + */ + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) +- seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); ++ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER, ++ flags); + } + } + +@@ -452,7 +461,7 @@ static long seccomp_attach_filter(unsigned int flags, + + /* Now that the new filter is in place, synchronize to all threads. 
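Review bot: The speculation mitigation is applied only to tasks that pass through seccomp_assign_mode(), and in the seccomp_sync_threads() hunk that call is still guarded by `thread->seccomp.mode == SECCOMP_MODE_DISABLED`. A sibling that is already in filter mode, for example one that entered it with SECCOMP_FILTER_FLAG_SPEC_ALLOW, therefore does not appear to be mitigated when a later TSYNC call omits the flag, while the calling thread is. If that asymmetry is intended, it deserves a comment next to the check, e.g. `/* Threads already in filter mode keep their existing speculation setting. */`; otherwise the mitigation call needs to run for every synchronized thread. The body of seccomp_sync_threads() extends beyond the hunk, so this reading rests on the visible lines only.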
*/ + if (flags & SECCOMP_FILTER_FLAG_TSYNC) +- seccomp_sync_threads(); ++ seccomp_sync_threads(flags); + + return 0; + } +@@ -747,7 +756,7 @@ static long seccomp_set_mode_strict(void) + #ifdef TIF_NOTSC + disable_TSC(); + #endif +- seccomp_assign_mode(current, seccomp_mode); ++ seccomp_assign_mode(current, seccomp_mode, 0); + ret = 0; + + out: +@@ -805,7 +814,7 @@ static long seccomp_set_mode_filter(unsigned int flags, + /* Do not free the successfully attached filter. */ + prepared = NULL; + +- seccomp_assign_mode(current, seccomp_mode); ++ seccomp_assign_mode(current, seccomp_mode, flags); + out: + spin_unlock_irq(¤t->sighand->siglock); + if (flags & SECCOMP_FILTER_FLAG_TSYNC) +diff --git a/kernel/sys.c b/kernel/sys.c +index 6624919ef0e7..f718742e55e6 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -2075,6 +2075,17 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr) + } + #endif + ++int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which) ++{ ++ return -EINVAL; ++} ++ ++int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, ++ unsigned long ctrl) ++{ ++ return -EINVAL; ++} ++ + SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, + unsigned long, arg4, unsigned long, arg5) + { +@@ -2269,6 +2280,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, + case PR_GET_FP_MODE: + error = GET_FP_MODE(me); + break; ++ case PR_GET_SPECULATION_CTRL: ++ if (arg3 || arg4 || arg5) ++ return -EINVAL; ++ error = arch_prctl_spec_ctrl_get(me, arg2); ++ break; ++ case PR_SET_SPECULATION_CTRL: ++ if (arg4 || arg5) ++ return -EINVAL; ++ error = arch_prctl_spec_ctrl_set(me, arg2, arg3); ++ break; + default: + error = -EINVAL; + break; +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index 51282f579760..37ea94b636a3 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -670,8 +670,16 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_stop); + + static size_t 
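Review bot: The two `__weak` defaults added in front of the prctl syscall return -EINVAL without a comment, and the new PR_GET/PR_SET_SPECULATION_CTRL cases return the same value for non-zero unused arguments. Userspace therefore cannot tell "not implemented on this architecture" from "bad arguments". A short comment on the stubs would record that, e.g. `/* Default for architectures without speculation control: report -EINVAL. */`. It is also worth confirming whether the target architecture of this kernel tree provides overrides. If it does not, these prctl options and the empty `arch_seccomp_spec_mitigate()` stub in kernel/seccomp.c do nothing here and should not be counted as a mitigation.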
rounded_hashtable_size(const struct rhashtable_params *params) + { +- return max(roundup_pow_of_two(params->nelem_hint * 4 / 3), +- (unsigned long)params->min_size); ++ size_t retsize; ++ ++ if (params->nelem_hint) ++ retsize = max(roundup_pow_of_two(params->nelem_hint * 4 / 3), ++ (unsigned long)params->min_size); ++ else ++ retsize = max(HASH_DEFAULT_SIZE, ++ (unsigned long)params->min_size); ++ ++ return retsize; + } + + static u32 rhashtable_jhash2(const void *key, u32 length, u32 seed) +@@ -728,8 +736,6 @@ int rhashtable_init(struct rhashtable *ht, + struct bucket_table *tbl; + size_t size; + +- size = HASH_DEFAULT_SIZE; +- + if ((!params->key_len && !params->obj_hashfn) || + (params->obj_hashfn && !params->obj_cmpfn)) + return -EINVAL; +@@ -756,8 +762,7 @@ int rhashtable_init(struct rhashtable *ht, + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + +- if (params->nelem_hint) +- size = rounded_hashtable_size(&ht->p); ++ size = rounded_hashtable_size(&ht->p); + + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). 
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 55a9facb8e8d..9a8e688724b1 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -996,7 +996,7 @@ static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg) + int nid, zid; + int i; + +- while ((memcg = parent_mem_cgroup(memcg))) { ++ for (; memcg; memcg = parent_mem_cgroup(memcg)) { + for_each_node(nid) { + for (zid = 0; zid < MAX_NR_ZONES; zid++) { + mz = &memcg->nodeinfo[nid]->zoneinfo[zid]; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index fa02c680eebc..55be076706e5 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -828,6 +828,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) + n->cloned = 1; + n->nohdr = 0; + n->peeked = 0; ++ C(pfmemalloc); + n->destructor = NULL; + C(tail); + C(end); +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index c9e68ff48a72..8f05816a8be2 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -297,6 +297,7 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb) + if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) { + struct flowi4 fl4 = { + .flowi4_iif = LOOPBACK_IFINDEX, ++ .flowi4_oif = l3mdev_master_ifindex_rcu(dev), + .daddr = ip_hdr(skb)->saddr, + .flowi4_tos = RT_TOS(ip_hdr(skb)->tos), + .flowi4_scope = scope, +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 75abf978ef30..da90c74d12ef 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -141,8 +141,9 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write, + if (write && ret == 0) { + low = make_kgid(user_ns, urange[0]); + high = make_kgid(user_ns, urange[1]); +- if (!gid_valid(low) || !gid_valid(high) || +- (urange[1] < urange[0]) || gid_lt(high, low)) { ++ if (!gid_valid(low) || !gid_valid(high)) ++ return -EINVAL; ++ if (urange[1] < urange[0] || gid_lt(high, low)) { + low = make_kgid(&init_user_ns, 1); + high = make_kgid(&init_user_ns, 0); + } +diff --git 
a/sound/core/rawmidi.c b/sound/core/rawmidi.c +index 16f8124b1150..59111cadaec2 100644 +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card, + int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + if (substream->append && substream->use_count > 1) +@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; + runtime->avail = runtime->buffer_size; ++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + substream->active_sensing = !params->no_active_sensing; +@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params); + int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + snd_rawmidi_drain_input(substream); +@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; 
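Review bot: The replacement buffer in snd_rawmidi_output_params() comes from `kmalloc()` and is not cleared before it is published in `runtime->buffer`. Any path that reads from the buffer beyond what has been written since the resize would expose stale heap contents, so the allocation is safer as `newbuf = kzalloc(params->buffer_size, GFP_KERNEL);`. The same applies to the matching hunk in snd_rawmidi_input_params(). Separately, `kfree(oldbuf)` runs as soon as the lock is dropped. If any reader or writer copies to or from the buffer with `runtime->lock` released (not visible in these hunks), it could still hold the old pointer, which should be ruled out. Both functions start and end outside the hunks.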
++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + return 0; +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 882fe83a3554..b3f345433ec7 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1476,15 +1476,19 @@ TEST_F(TRACE_syscall, syscall_dropped) + #define SECCOMP_SET_MODE_FILTER 1 + #endif + +-#ifndef SECCOMP_FLAG_FILTER_TSYNC +-#define SECCOMP_FLAG_FILTER_TSYNC 1 ++#ifndef SECCOMP_FILTER_FLAG_TSYNC ++#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) ++#endif ++ ++#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW ++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) + #endif + + #ifndef seccomp +-int seccomp(unsigned int op, unsigned int flags, struct sock_fprog *filter) ++int seccomp(unsigned int op, unsigned int flags, void *args) + { + errno = 0; +- return syscall(__NR_seccomp, op, flags, filter); ++ return syscall(__NR_seccomp, op, flags, args); + } + #endif + +@@ -1576,6 +1580,78 @@ TEST(seccomp_syscall_mode_lock) + } + } + ++/* ++ * Test detection of known and unknown filter flags. Userspace needs to be able ++ * to check if a filter flag is supported by the current kernel and a good way ++ * of doing that is by attempting to enter filter mode, with the flag bit in ++ * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates ++ * that the flag is valid and EINVAL indicates that the flag is invalid. ++ */ ++TEST(detect_seccomp_filter_flags) ++{ ++ unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC, ++ SECCOMP_FILTER_FLAG_SPEC_ALLOW }; ++ unsigned int flag, all_flags; ++ int i; ++ long ret; ++ ++ /* Test detection of known-good filter flags */ ++ for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { ++ int bits = 0; ++ ++ flag = flags[i]; ++ /* Make sure the flag is a single bit! 
*/ ++ while (flag) { ++ if (flag & 0x1) ++ bits ++; ++ flag >>= 1; ++ } ++ ASSERT_EQ(1, bits); ++ flag = flags[i]; ++ ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); ++ ASSERT_NE(ENOSYS, errno) { ++ TH_LOG("Kernel does not support seccomp syscall!"); ++ } ++ EXPECT_EQ(-1, ret); ++ EXPECT_EQ(EFAULT, errno) { ++ TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", ++ flag); ++ } ++ ++ all_flags |= flag; ++ } ++ ++ /* Test detection of all known-good filter flags */ ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL); ++ EXPECT_EQ(-1, ret); ++ EXPECT_EQ(EFAULT, errno) { ++ TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", ++ all_flags); ++ } ++ ++ /* Test detection of an unknown filter flag */ ++ flag = -1; ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); ++ EXPECT_EQ(-1, ret); ++ EXPECT_EQ(EINVAL, errno) { ++ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!", ++ flag); ++ } ++ ++ /* ++ * Test detection of an unknown filter flag that may simply need to be ++ * added to this test ++ */ ++ flag = flags[ARRAY_SIZE(flags) - 1] << 1; ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); ++ EXPECT_EQ(-1, ret); ++ EXPECT_EQ(EINVAL, errno) { ++ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! 
Does a new flag need to be added to this test?", ++ flag); ++ } ++} ++ + TEST(TSYNC_first) + { + struct sock_filter filter[] = { +@@ -1592,7 +1668,7 @@ TEST(TSYNC_first) + TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); + } + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &prog); + ASSERT_NE(ENOSYS, errno) { + TH_LOG("Kernel does not support seccomp syscall!"); +@@ -1810,7 +1886,7 @@ TEST_F(TSYNC, two_siblings_with_ancestor) + self->sibling_count++; + } + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_EQ(0, ret) { + TH_LOG("Could install filter on all threads!"); +@@ -1871,7 +1947,7 @@ TEST_F(TSYNC, two_siblings_with_no_filter) + TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); + } + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_NE(ENOSYS, errno) { + TH_LOG("Kernel does not support seccomp syscall!"); +@@ -1919,7 +1995,7 @@ TEST_F(TSYNC, two_siblings_with_one_divergence) + self->sibling_count++; + } + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_EQ(self->sibling[0].system_tid, ret) { + TH_LOG("Did not fail on diverged sibling."); +@@ -1971,7 +2047,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter) + TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!"); + } + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_EQ(ret, self->sibling[0].system_tid) { + TH_LOG("Did not fail on diverged sibling."); +@@ -2000,7 +2076,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter) + /* Switch to 
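Review bot: The new detect_seccomp_filter_flags test never probes bit 1 on its own, which the uapi header comment in this patch says is SECCOMP_FILTER_FLAG_LOG only from v4.14 on. The known-good list holds bits 0 and 2, the "next unknown flag" case is `flags[ARRAY_SIZE(flags) - 1] << 1`, i.e. bit 3, and the `flag = -1` case sets every bit at once. A kernel from this series that wrongly accepted bit 1 would still pass. An explicit case would close the gap: `ret = seccomp(SECCOMP_SET_MODE_FILTER, 1UL << 1, NULL);` followed by `EXPECT_EQ(-1, ret);` and `EXPECT_EQ(EINVAL, errno);`.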
the remaining sibling */ + sib = !sib; + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_EQ(0, ret) { + TH_LOG("Expected the remaining sibling to sync"); +@@ -2023,7 +2099,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter) + while (!kill(self->sibling[sib].system_tid, 0)) + sleep(0.1); + +- ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC, ++ ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, + &self->apply_prog); + ASSERT_EQ(0, ret); /* just us chickens */ + } +diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c +index 49001fa84ead..1203829316b2 100644 +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work) + { + struct kvm_kernel_irqfd *irqfd = + container_of(work, struct kvm_kernel_irqfd, shutdown); ++ struct kvm *kvm = irqfd->kvm; + u64 cnt; + ++ /* Make sure irqfd has been initalized in assign path. */ ++ synchronize_srcu(&kvm->irq_srcu); ++ + /* + * Synchronize with the wait-queue and unhook ourselves to prevent + * further events. +@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct kvm_irqfd *args) + + idx = srcu_read_lock(&kvm->irq_srcu); + irqfd_update(kvm, irqfd); +- srcu_read_unlock(&kvm->irq_srcu, idx); + + list_add_tail(&irqfd->list, &kvm->irqfds.items); + +@@ -419,6 +422,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct kvm_irqfd *args) + irqfd->consumer.token, ret); + #endif + ++ srcu_read_unlock(&kvm->irq_srcu, idx); + return 0; + + fail: diff --git a/patch/kernel/mvebu-default/04-patch-4.4.144-145.patch b/patch/kernel/mvebu-default/04-patch-4.4.144-145.patch new file mode 100644 index 0000000000..f7b3f94d86 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.144-145.patch 
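Review bot: Moving `srcu_read_unlock(&kvm->irq_srcu, idx);` down to just before `return 0;` in kvm_irqfd_assign() means every exit taken after `srcu_read_lock()` must now release the read section, and the lines between the two hunks are not shown. If any of them can `goto fail`, that path would leave the SRCU read side held and the new `synchronize_srcu()` in irqfd_shutdown() would not complete. Please confirm there is none, or add the unlock to that path. A one-line comment at the relocated unlock, such as `/* Held until here so irqfd_shutdown() waits for the irqfd to be fully set up. */`, would explain why the section is this long. The added comment in irqfd_shutdown() also misspells "initialized".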
@@ -0,0 +1,1006 @@ +diff --git a/Makefile b/Makefile +index 63f3e2438a26..be31491a2d67 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 144 ++SUBLEVEL = 145 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -624,6 +624,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,) + KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation) + KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow) + KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context) ++KBUILD_CFLAGS += $(call cc-disable-warning, attribute-alias) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE + KBUILD_CFLAGS += -Os +diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h +index 35c9db857ebe..cd8b589111ba 100644 +--- a/arch/arm/include/asm/uaccess.h ++++ b/arch/arm/include/asm/uaccess.h +@@ -251,7 +251,7 @@ extern int __put_user_8(void *, unsigned long long); + ({ \ + unsigned long __limit = current_thread_info()->addr_limit - 1; \ + const typeof(*(p)) __user *__tmp_p = (p); \ +- register const typeof(*(p)) __r2 asm("r2") = (x); \ ++ register typeof(*(p)) __r2 asm("r2") = (x); \ + register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \ + register unsigned long __l asm("r1") = __limit; \ + register int __e asm("r0"); \ +diff --git a/arch/mips/ath79/common.c b/arch/mips/ath79/common.c +index 8ae4067a5eda..40ecb6e700cd 100644 +--- a/arch/mips/ath79/common.c ++++ b/arch/mips/ath79/common.c +@@ -58,7 +58,7 @@ EXPORT_SYMBOL_GPL(ath79_ddr_ctrl_init); + + void ath79_ddr_wb_flush(u32 reg) + { +- void __iomem *flush_reg = ath79_ddr_wb_flush_base + reg; ++ void __iomem *flush_reg = ath79_ddr_wb_flush_base + (reg * 4); + + /* Flush the DDR write buffer. 
*/ + __raw_writel(0x1, flush_reg); +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index a641cf3ccad6..1dffb018a7fe 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -304,14 +304,6 @@ static int really_probe(struct device *dev, struct device_driver *drv) + goto probe_failed; + } + +- /* +- * Ensure devices are listed in devices_kset in correct order +- * It's important to move Dev to the end of devices_kset before +- * calling .probe, because it could be recursive and parent Dev +- * should always go first +- */ +- devices_kset_move_last(dev); +- + if (dev->bus->probe) { + ret = dev->bus->probe(dev); + if (ret) +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index 51670b322409..700b98d9c250 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -2,6 +2,7 @@ + * + * Copyright (C) 2012 - 2014 Xilinx, Inc. + * Copyright (C) 2009 PetaLogix. All rights reserved. ++ * Copyright (C) 2017 Sandvik Mining and Construction Oy + * + * Description: + * This driver is developed for Axi CAN IP and for Zynq CANPS Controller. +@@ -25,8 +26,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + #include + #include + #include +@@ -100,7 +103,7 @@ enum xcan_reg { + #define XCAN_INTR_ALL (XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\ + XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \ + XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \ +- XCAN_IXR_ARBLST_MASK | XCAN_IXR_RXOK_MASK) ++ XCAN_IXR_RXOFLW_MASK | XCAN_IXR_ARBLST_MASK) + + /* CAN register bit shift - XCAN___SHIFT */ + #define XCAN_BTR_SJW_SHIFT 7 /* Synchronous jump width */ +@@ -117,6 +120,7 @@ enum xcan_reg { + /** + * struct xcan_priv - This definition define CAN driver instance + * @can: CAN private data structure. 
++ * @tx_lock: Lock for synchronizing TX interrupt handling + * @tx_head: Tx CAN packets ready to send on the queue + * @tx_tail: Tx CAN packets successfully sended on the queue + * @tx_max: Maximum number packets the driver can send +@@ -131,6 +135,7 @@ enum xcan_reg { + */ + struct xcan_priv { + struct can_priv can; ++ spinlock_t tx_lock; + unsigned int tx_head; + unsigned int tx_tail; + unsigned int tx_max; +@@ -158,6 +163,11 @@ static const struct can_bittiming_const xcan_bittiming_const = { + .brp_inc = 1, + }; + ++#define XCAN_CAP_WATERMARK 0x0001 ++struct xcan_devtype_data { ++ unsigned int caps; ++}; ++ + /** + * xcan_write_reg_le - Write a value to the device register little endian + * @priv: Driver private data structure +@@ -237,6 +247,10 @@ static int set_reset_mode(struct net_device *ndev) + usleep_range(500, 10000); + } + ++ /* reset clears FIFOs */ ++ priv->tx_head = 0; ++ priv->tx_tail = 0; ++ + return 0; + } + +@@ -391,6 +405,7 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev) + struct net_device_stats *stats = &ndev->stats; + struct can_frame *cf = (struct can_frame *)skb->data; + u32 id, dlc, data[2] = {0, 0}; ++ unsigned long flags; + + if (can_dropped_invalid_skb(ndev, skb)) + return NETDEV_TX_OK; +@@ -438,6 +453,9 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev) + data[1] = be32_to_cpup((__be32 *)(cf->data + 4)); + + can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max); ++ ++ spin_lock_irqsave(&priv->tx_lock, flags); ++ + priv->tx_head++; + + /* Write the Frame to Xilinx CAN TX FIFO */ +@@ -453,10 +471,16 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev) + stats->tx_bytes += cf->can_dlc; + } + ++ /* Clear TX-FIFO-empty interrupt for xcan_tx_interrupt() */ ++ if (priv->tx_max > 1) ++ priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXFEMP_MASK); ++ + /* Check if the TX buffer is full */ + if ((priv->tx_head - priv->tx_tail) == priv->tx_max) + 
netif_stop_queue(ndev); + ++ spin_unlock_irqrestore(&priv->tx_lock, flags); ++ + return NETDEV_TX_OK; + } + +@@ -528,6 +552,123 @@ static int xcan_rx(struct net_device *ndev) + return 1; + } + ++/** ++ * xcan_current_error_state - Get current error state from HW ++ * @ndev: Pointer to net_device structure ++ * ++ * Checks the current CAN error state from the HW. Note that this ++ * only checks for ERROR_PASSIVE and ERROR_WARNING. ++ * ++ * Return: ++ * ERROR_PASSIVE or ERROR_WARNING if either is active, ERROR_ACTIVE ++ * otherwise. ++ */ ++static enum can_state xcan_current_error_state(struct net_device *ndev) ++{ ++ struct xcan_priv *priv = netdev_priv(ndev); ++ u32 status = priv->read_reg(priv, XCAN_SR_OFFSET); ++ ++ if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK) ++ return CAN_STATE_ERROR_PASSIVE; ++ else if (status & XCAN_SR_ERRWRN_MASK) ++ return CAN_STATE_ERROR_WARNING; ++ else ++ return CAN_STATE_ERROR_ACTIVE; ++} ++ ++/** ++ * xcan_set_error_state - Set new CAN error state ++ * @ndev: Pointer to net_device structure ++ * @new_state: The new CAN state to be set ++ * @cf: Error frame to be populated or NULL ++ * ++ * Set new CAN error state for the device, updating statistics and ++ * populating the error frame if given. ++ */ ++static void xcan_set_error_state(struct net_device *ndev, ++ enum can_state new_state, ++ struct can_frame *cf) ++{ ++ struct xcan_priv *priv = netdev_priv(ndev); ++ u32 ecr = priv->read_reg(priv, XCAN_ECR_OFFSET); ++ u32 txerr = ecr & XCAN_ECR_TEC_MASK; ++ u32 rxerr = (ecr & XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT; ++ ++ priv->can.state = new_state; ++ ++ if (cf) { ++ cf->can_id |= CAN_ERR_CRTL; ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; ++ } ++ ++ switch (new_state) { ++ case CAN_STATE_ERROR_PASSIVE: ++ priv->can.can_stats.error_passive++; ++ if (cf) ++ cf->data[1] = (rxerr > 127) ? 
++ CAN_ERR_CRTL_RX_PASSIVE : ++ CAN_ERR_CRTL_TX_PASSIVE; ++ break; ++ case CAN_STATE_ERROR_WARNING: ++ priv->can.can_stats.error_warning++; ++ if (cf) ++ cf->data[1] |= (txerr > rxerr) ? ++ CAN_ERR_CRTL_TX_WARNING : ++ CAN_ERR_CRTL_RX_WARNING; ++ break; ++ case CAN_STATE_ERROR_ACTIVE: ++ if (cf) ++ cf->data[1] |= CAN_ERR_CRTL_ACTIVE; ++ break; ++ default: ++ /* non-ERROR states are handled elsewhere */ ++ WARN_ON(1); ++ break; ++ } ++} ++ ++/** ++ * xcan_update_error_state_after_rxtx - Update CAN error state after RX/TX ++ * @ndev: Pointer to net_device structure ++ * ++ * If the device is in a ERROR-WARNING or ERROR-PASSIVE state, check if ++ * the performed RX/TX has caused it to drop to a lesser state and set ++ * the interface state accordingly. ++ */ ++static void xcan_update_error_state_after_rxtx(struct net_device *ndev) ++{ ++ struct xcan_priv *priv = netdev_priv(ndev); ++ enum can_state old_state = priv->can.state; ++ enum can_state new_state; ++ ++ /* changing error state due to successful frame RX/TX can only ++ * occur from these states ++ */ ++ if (old_state != CAN_STATE_ERROR_WARNING && ++ old_state != CAN_STATE_ERROR_PASSIVE) ++ return; ++ ++ new_state = xcan_current_error_state(ndev); ++ ++ if (new_state != old_state) { ++ struct sk_buff *skb; ++ struct can_frame *cf; ++ ++ skb = alloc_can_err_skb(ndev, &cf); ++ ++ xcan_set_error_state(ndev, new_state, skb ? 
cf : NULL); ++ ++ if (skb) { ++ struct net_device_stats *stats = &ndev->stats; ++ ++ stats->rx_packets++; ++ stats->rx_bytes += cf->can_dlc; ++ netif_rx(skb); ++ } ++ } ++} ++ + /** + * xcan_err_interrupt - error frame Isr + * @ndev: net_device pointer +@@ -543,16 +684,12 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr) + struct net_device_stats *stats = &ndev->stats; + struct can_frame *cf; + struct sk_buff *skb; +- u32 err_status, status, txerr = 0, rxerr = 0; ++ u32 err_status; + + skb = alloc_can_err_skb(ndev, &cf); + + err_status = priv->read_reg(priv, XCAN_ESR_OFFSET); + priv->write_reg(priv, XCAN_ESR_OFFSET, err_status); +- txerr = priv->read_reg(priv, XCAN_ECR_OFFSET) & XCAN_ECR_TEC_MASK; +- rxerr = ((priv->read_reg(priv, XCAN_ECR_OFFSET) & +- XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT); +- status = priv->read_reg(priv, XCAN_SR_OFFSET); + + if (isr & XCAN_IXR_BSOFF_MASK) { + priv->can.state = CAN_STATE_BUS_OFF; +@@ -562,28 +699,10 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr) + can_bus_off(ndev); + if (skb) + cf->can_id |= CAN_ERR_BUSOFF; +- } else if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK) { +- priv->can.state = CAN_STATE_ERROR_PASSIVE; +- priv->can.can_stats.error_passive++; +- if (skb) { +- cf->can_id |= CAN_ERR_CRTL; +- cf->data[1] = (rxerr > 127) ? +- CAN_ERR_CRTL_RX_PASSIVE : +- CAN_ERR_CRTL_TX_PASSIVE; +- cf->data[6] = txerr; +- cf->data[7] = rxerr; +- } +- } else if (status & XCAN_SR_ERRWRN_MASK) { +- priv->can.state = CAN_STATE_ERROR_WARNING; +- priv->can.can_stats.error_warning++; +- if (skb) { +- cf->can_id |= CAN_ERR_CRTL; +- cf->data[1] |= (txerr > rxerr) ? +- CAN_ERR_CRTL_TX_WARNING : +- CAN_ERR_CRTL_RX_WARNING; +- cf->data[6] = txerr; +- cf->data[7] = rxerr; +- } ++ } else { ++ enum can_state new_state = xcan_current_error_state(ndev); ++ ++ xcan_set_error_state(ndev, new_state, skb ? 
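Review bot: xcan_update_error_state_after_rxtx() reads `priv->can.state` and then rewrites it through xcan_set_error_state() with no lock held. Later hunks call it from xcan_rx_poll() and, after `tx_lock` has been released, from xcan_tx_interrupt(), and xcan_err_interrupt() writes the same field. If the poll routine can run while the interrupt handler runs on another CPU (likely for a NAPI poll, but not shown here), two transitions could interleave and emit duplicate or out-of-order error frames and statistics. Either document why this is safe, or serialize the read of `old_state` and the call to xcan_set_error_state() under one lock.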
cf : NULL); + } + + /* Check for Arbitration lost interrupt */ +@@ -599,7 +718,6 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr) + if (isr & XCAN_IXR_RXOFLW_MASK) { + stats->rx_over_errors++; + stats->rx_errors++; +- priv->write_reg(priv, XCAN_SRR_OFFSET, XCAN_SRR_RESET_MASK); + if (skb) { + cf->can_id |= CAN_ERR_CRTL; + cf->data[1] |= CAN_ERR_CRTL_RX_OVERFLOW; +@@ -708,26 +826,20 @@ static int xcan_rx_poll(struct napi_struct *napi, int quota) + + isr = priv->read_reg(priv, XCAN_ISR_OFFSET); + while ((isr & XCAN_IXR_RXNEMP_MASK) && (work_done < quota)) { +- if (isr & XCAN_IXR_RXOK_MASK) { +- priv->write_reg(priv, XCAN_ICR_OFFSET, +- XCAN_IXR_RXOK_MASK); +- work_done += xcan_rx(ndev); +- } else { +- priv->write_reg(priv, XCAN_ICR_OFFSET, +- XCAN_IXR_RXNEMP_MASK); +- break; +- } ++ work_done += xcan_rx(ndev); + priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_RXNEMP_MASK); + isr = priv->read_reg(priv, XCAN_ISR_OFFSET); + } + +- if (work_done) ++ if (work_done) { + can_led_event(ndev, CAN_LED_EVENT_RX); ++ xcan_update_error_state_after_rxtx(ndev); ++ } + + if (work_done < quota) { + napi_complete(napi); + ier = priv->read_reg(priv, XCAN_IER_OFFSET); +- ier |= (XCAN_IXR_RXOK_MASK | XCAN_IXR_RXNEMP_MASK); ++ ier |= XCAN_IXR_RXNEMP_MASK; + priv->write_reg(priv, XCAN_IER_OFFSET, ier); + } + return work_done; +@@ -742,18 +854,71 @@ static void xcan_tx_interrupt(struct net_device *ndev, u32 isr) + { + struct xcan_priv *priv = netdev_priv(ndev); + struct net_device_stats *stats = &ndev->stats; ++ unsigned int frames_in_fifo; ++ int frames_sent = 1; /* TXOK => at least 1 frame was sent */ ++ unsigned long flags; ++ int retries = 0; ++ ++ /* Synchronize with xmit as we need to know the exact number ++ * of frames in the FIFO to stay in sync due to the TXFEMP ++ * handling. ++ * This also prevents a race between netif_wake_queue() and ++ * netif_stop_queue(). 
++ */ ++ spin_lock_irqsave(&priv->tx_lock, flags); + +- while ((priv->tx_head - priv->tx_tail > 0) && +- (isr & XCAN_IXR_TXOK_MASK)) { ++ frames_in_fifo = priv->tx_head - priv->tx_tail; ++ ++ if (WARN_ON_ONCE(frames_in_fifo == 0)) { ++ /* clear TXOK anyway to avoid getting back here */ + priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK); ++ spin_unlock_irqrestore(&priv->tx_lock, flags); ++ return; ++ } ++ ++ /* Check if 2 frames were sent (TXOK only means that at least 1 ++ * frame was sent). ++ */ ++ if (frames_in_fifo > 1) { ++ WARN_ON(frames_in_fifo > priv->tx_max); ++ ++ /* Synchronize TXOK and isr so that after the loop: ++ * (1) isr variable is up-to-date at least up to TXOK clear ++ * time. This avoids us clearing a TXOK of a second frame ++ * but not noticing that the FIFO is now empty and thus ++ * marking only a single frame as sent. ++ * (2) No TXOK is left. Having one could mean leaving a ++ * stray TXOK as we might process the associated frame ++ * via TXFEMP handling as we read TXFEMP *after* TXOK ++ * clear to satisfy (1). 
++ */ ++ while ((isr & XCAN_IXR_TXOK_MASK) && !WARN_ON(++retries == 100)) { ++ priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK); ++ isr = priv->read_reg(priv, XCAN_ISR_OFFSET); ++ } ++ ++ if (isr & XCAN_IXR_TXFEMP_MASK) { ++ /* nothing in FIFO anymore */ ++ frames_sent = frames_in_fifo; ++ } ++ } else { ++ /* single frame in fifo, just clear TXOK */ ++ priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK); ++ } ++ ++ while (frames_sent--) { + can_get_echo_skb(ndev, priv->tx_tail % + priv->tx_max); + priv->tx_tail++; + stats->tx_packets++; +- isr = priv->read_reg(priv, XCAN_ISR_OFFSET); + } +- can_led_event(ndev, CAN_LED_EVENT_TX); ++ + netif_wake_queue(ndev); ++ ++ spin_unlock_irqrestore(&priv->tx_lock, flags); ++ ++ can_led_event(ndev, CAN_LED_EVENT_TX); ++ xcan_update_error_state_after_rxtx(ndev); + } + + /** +@@ -772,6 +937,7 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id) + struct net_device *ndev = (struct net_device *)dev_id; + struct xcan_priv *priv = netdev_priv(ndev); + u32 isr, ier; ++ u32 isr_errors; + + /* Get the interrupt status from Xilinx CAN */ + isr = priv->read_reg(priv, XCAN_ISR_OFFSET); +@@ -790,18 +956,17 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id) + xcan_tx_interrupt(ndev, isr); + + /* Check for the type of error interrupt and Processing it */ +- if (isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK | +- XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK)) { +- priv->write_reg(priv, XCAN_ICR_OFFSET, (XCAN_IXR_ERROR_MASK | +- XCAN_IXR_RXOFLW_MASK | XCAN_IXR_BSOFF_MASK | +- XCAN_IXR_ARBLST_MASK)); ++ isr_errors = isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK | ++ XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK); ++ if (isr_errors) { ++ priv->write_reg(priv, XCAN_ICR_OFFSET, isr_errors); + xcan_err_interrupt(ndev, isr); + } + + /* Check for the type of receive interrupt and Processing it */ +- if (isr & (XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK)) { ++ if (isr & XCAN_IXR_RXNEMP_MASK) { + ier = 
priv->read_reg(priv, XCAN_IER_OFFSET); +- ier &= ~(XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK); ++ ier &= ~XCAN_IXR_RXNEMP_MASK; + priv->write_reg(priv, XCAN_IER_OFFSET, ier); + napi_schedule(&priv->napi); + } +@@ -1030,6 +1195,18 @@ static int __maybe_unused xcan_resume(struct device *dev) + + static SIMPLE_DEV_PM_OPS(xcan_dev_pm_ops, xcan_suspend, xcan_resume); + ++static const struct xcan_devtype_data xcan_zynq_data = { ++ .caps = XCAN_CAP_WATERMARK, ++}; ++ ++/* Match table for OF platform binding */ ++static const struct of_device_id xcan_of_match[] = { ++ { .compatible = "xlnx,zynq-can-1.0", .data = &xcan_zynq_data }, ++ { .compatible = "xlnx,axi-can-1.00.a", }, ++ { /* end of list */ }, ++}; ++MODULE_DEVICE_TABLE(of, xcan_of_match); ++ + /** + * xcan_probe - Platform registration call + * @pdev: Handle to the platform device structure +@@ -1044,8 +1221,10 @@ static int xcan_probe(struct platform_device *pdev) + struct resource *res; /* IO mem resources */ + struct net_device *ndev; + struct xcan_priv *priv; ++ const struct of_device_id *of_id; ++ int caps = 0; + void __iomem *addr; +- int ret, rx_max, tx_max; ++ int ret, rx_max, tx_max, tx_fifo_depth; + + /* Get the virtual base address for the device */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -1055,7 +1234,8 @@ static int xcan_probe(struct platform_device *pdev) + goto err; + } + +- ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth", &tx_max); ++ ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth", ++ &tx_fifo_depth); + if (ret < 0) + goto err; + +@@ -1063,6 +1243,30 @@ static int xcan_probe(struct platform_device *pdev) + if (ret < 0) + goto err; + ++ of_id = of_match_device(xcan_of_match, &pdev->dev); ++ if (of_id) { ++ const struct xcan_devtype_data *devtype_data = of_id->data; ++ ++ if (devtype_data) ++ caps = devtype_data->caps; ++ } ++ ++ /* There is no way to directly figure out how many frames have been ++ * sent when the TXOK interrupt is processed. 
If watermark programming ++ * is supported, we can have 2 frames in the FIFO and use TXFEMP ++ * to determine if 1 or 2 frames have been sent. ++ * Theoretically we should be able to use TXFWMEMP to determine up ++ * to 3 frames, but it seems that after putting a second frame in the ++ * FIFO, with watermark at 2 frames, it can happen that TXFWMEMP (less ++ * than 2 frames in FIFO) is set anyway with no TXOK (a frame was ++ * sent), which is not a sensible state - possibly TXFWMEMP is not ++ * completely synchronized with the rest of the bits? ++ */ ++ if (caps & XCAN_CAP_WATERMARK) ++ tx_max = min(tx_fifo_depth, 2); ++ else ++ tx_max = 1; ++ + /* Create a CAN device instance */ + ndev = alloc_candev(sizeof(struct xcan_priv), tx_max); + if (!ndev) +@@ -1077,6 +1281,7 @@ static int xcan_probe(struct platform_device *pdev) + CAN_CTRLMODE_BERR_REPORTING; + priv->reg_base = addr; + priv->tx_max = tx_max; ++ spin_lock_init(&priv->tx_lock); + + /* Get IRQ for the device */ + ndev->irq = platform_get_irq(pdev, 0); +@@ -1144,9 +1349,9 @@ static int xcan_probe(struct platform_device *pdev) + devm_can_led_init(ndev); + clk_disable_unprepare(priv->bus_clk); + clk_disable_unprepare(priv->can_clk); +- netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth:%d\n", ++ netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth: actual %d, using %d\n", + priv->reg_base, ndev->irq, priv->can.clock.freq, +- priv->tx_max); ++ tx_fifo_depth, priv->tx_max); + + return 0; + +@@ -1182,14 +1387,6 @@ static int xcan_remove(struct platform_device *pdev) + return 0; + } + +-/* Match table for OF platform binding */ +-static const struct of_device_id xcan_of_match[] = { +- { .compatible = "xlnx,zynq-can-1.0", }, +- { .compatible = "xlnx,axi-can-1.00.a", }, +- { /* end of list */ }, +-}; +-MODULE_DEVICE_TABLE(of, xcan_of_match); +- + static struct platform_driver xcan_driver = { + .probe = xcan_probe, + .remove = xcan_remove, +diff --git 
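Review bot: `tx_fifo_depth` is taken from the device tree and used without a lower bound, so on a watermark-capable device `tx_max = min(tx_fifo_depth, 2)` becomes 0 when the property is 0, or negative when the value does not fit the signed `int` it is read into. `priv->tx_max` is the divisor in `priv->tx_tail % priv->tx_max` in the TX interrupt path earlier in this patch, so a bad property would surface as a division by zero at runtime rather than as a probe failure. Rejecting it right after the property read, `if (tx_fifo_depth < 1) { ret = -EINVAL; goto err; }`, keeps the bad value out of `alloc_candev()` and `priv->tx_max`. xcan_probe starts and ends outside this hunk.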
a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index e3080fbd9d00..7911dc3da98e 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -2891,7 +2891,7 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4_dev *dev, int slave, + u32 srqn = qp_get_srqn(qpc) & 0xffffff; + int use_srq = (qp_get_srqn(qpc) >> 24) & 1; + struct res_srq *srq; +- int local_qpn = be32_to_cpu(qpc->local_qpn) & 0xffffff; ++ int local_qpn = vhcr->in_modifier & 0xffffff; + + err = adjust_qp_sched_queue(dev, slave, qpc, inbox); + if (err) +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 7ed30d0b5273..a501f3ba6a3f 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1771,6 +1771,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */ + .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */ + }, ++ { USB_DEVICE(0x0ca6, 0xa050), /* Castles VEGA3000 */ ++ .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */ ++ }, + + { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */ + .driver_info = CLEAR_HALT_CONDITIONS, +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 4d86da0df131..93756664592a 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1123,10 +1123,14 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + + if (!udev || udev->state == USB_STATE_NOTATTACHED) { + /* Tell hub_wq to disconnect the device or +- * check for a new connection ++ * check for a new connection or over current condition. ++ * Based on USB2.0 Spec Section 11.12.5, ++ * C_PORT_OVER_CURRENT could be set while ++ * PORT_OVER_CURRENT is not. So check for any of them. 
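Review bot: The switch from `qpc->local_qpn` to `vhcr->in_modifier` for `local_qpn` carries no comment, so the next reader cannot tell why the QP-context field is no longer the source of the QP number. A line above the declaration, e.g. `/* take the QPN from the command's input modifier, not from the QP context in the mailbox */`, would record the decision; the exact reason is not visible in the hunk and should be taken from the upstream commit message. The bare `0xffffff` mask also appears on three adjacent lines here and would read better as a named constant. The wrapper's body continues outside the hunk.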
+ */ + if (udev || (portstatus & USB_PORT_STAT_CONNECTION) || +- (portstatus & USB_PORT_STAT_OVERCURRENT)) ++ (portstatus & USB_PORT_STAT_OVERCURRENT) || ++ (portchange & USB_PORT_STAT_C_OVERCURRENT)) + set_bit(port1, hub->change_bits); + + } else if (portstatus & USB_PORT_STAT_ENABLE) { +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 4191feb765b1..4800bb22cdd6 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3037,7 +3037,7 @@ static int ffs_func_setup(struct usb_function *f, + __ffs_event_add(ffs, FUNCTIONFS_SETUP); + spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); + +- return USB_GADGET_DELAYED_STATUS; ++ return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0; + } + + static void ffs_func_suspend(struct usb_function *f) +diff --git a/include/net/tcp.h b/include/net/tcp.h +index a3696b778757..65babd8a682d 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -376,6 +376,7 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos, + struct pipe_inode_info *pipe, size_t len, + unsigned int flags); + ++void tcp_enter_quickack_mode(struct sock *sk); + static inline void tcp_dec_quickack_mode(struct sock *sk, + const unsigned int pkts) + { +@@ -559,6 +560,7 @@ void tcp_send_fin(struct sock *sk); + void tcp_send_active_reset(struct sock *sk, gfp_t priority); + int tcp_send_synack(struct sock *); + void tcp_push_one(struct sock *, unsigned int mss_now); ++void __tcp_send_ack(struct sock *sk, u32 rcv_nxt); + void tcp_send_ack(struct sock *sk); + void tcp_send_delayed_ack(struct sock *sk); + void tcp_send_loss_probe(struct sock *sk); +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 2017ffa5197a..96c9c0f0905a 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2087,9 +2087,12 @@ int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm) + return err; + } + +- dev->rtnl_link_state = RTNL_LINK_INITIALIZED; +- +- 
__dev_notify_flags(dev, old_flags, ~0U); ++ if (dev->rtnl_link_state == RTNL_LINK_INITIALIZED) { ++ __dev_notify_flags(dev, old_flags, 0U); ++ } else { ++ dev->rtnl_link_state = RTNL_LINK_INITIALIZED; ++ __dev_notify_flags(dev, old_flags, ~0U); ++ } + return 0; + } + EXPORT_SYMBOL(rtnl_configure_link); +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 10286432f684..c11bb6d2d00a 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -480,6 +480,8 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) + to->dev = from->dev; + to->mark = from->mark; + ++ skb_copy_hash(to, from); ++ + /* Copy the flags to each fragment. */ + IPCB(to)->flags = IPCB(from)->flags; + +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index ce9a7fbb7c5f..88426a6a7a85 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -135,15 +135,18 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) + { + struct sockaddr_in sin; + const struct iphdr *iph = ip_hdr(skb); +- __be16 *ports = (__be16 *)skb_transport_header(skb); ++ __be16 *ports; ++ int end; + +- if (skb_transport_offset(skb) + 4 > skb->len) ++ end = skb_transport_offset(skb) + 4; ++ if (end > 0 && !pskb_may_pull(skb, end)) + return; + + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ ++ ports = (__be16 *)skb_transport_header(skb); + + sin.sin_family = AF_INET; + sin.sin_addr.s_addr = iph->daddr; +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 55d7da1d2ce9..e63b764e55ea 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -131,23 +131,14 @@ static void dctcp_ce_state_0_to_1(struct sock *sk) + struct dctcp *ca = inet_csk_ca(sk); + struct tcp_sock *tp = tcp_sk(sk); + +- /* State has changed from CE=0 to CE=1 and delayed +- * ACK has not sent yet. 
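Review bot: In ip_cmsg_recv_dstaddr, `iph` is still initialised from `ip_hdr(skb)` before the new `pskb_may_pull()` call and is dereferenced after it in `sin.sin_addr.s_addr = iph->daddr;`. `pskb_may_pull()` may reallocate the skb head when it has to bring data in from fragments, which would leave `iph` pointing into the old buffer; the hunk moves the `ports` assignment after the pull, apparently for that same reason, but leaves `iph` where it was. Reading the address after the pull, `sin.sin_addr.s_addr = ip_hdr(skb)->daddr;`, removes the stale pointer, and fetching the four port bytes with `skb_header_pointer()` would avoid modifying the skb at all. The IPv6 counterpart later in this patch re-reads `ipv6_hdr(skb)` after the pull and does not have the problem. The function continues past the end of the hunk.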
+- */ +- if (!ca->ce_state && ca->delayed_ack_reserved) { +- u32 tmp_rcv_nxt; +- +- /* Save current rcv_nxt. */ +- tmp_rcv_nxt = tp->rcv_nxt; +- +- /* Generate previous ack with CE=0. */ +- tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR; +- tp->rcv_nxt = ca->prior_rcv_nxt; +- +- tcp_send_ack(sk); +- +- /* Recover current rcv_nxt. */ +- tp->rcv_nxt = tmp_rcv_nxt; ++ if (!ca->ce_state) { ++ /* State has changed from CE=0 to CE=1, force an immediate ++ * ACK to reflect the new CE state. If an ACK was delayed, ++ * send that first to reflect the prior CE state. ++ */ ++ if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER) ++ __tcp_send_ack(sk, ca->prior_rcv_nxt); ++ tcp_enter_quickack_mode(sk); + } + + ca->prior_rcv_nxt = tp->rcv_nxt; +@@ -161,23 +152,14 @@ static void dctcp_ce_state_1_to_0(struct sock *sk) + struct dctcp *ca = inet_csk_ca(sk); + struct tcp_sock *tp = tcp_sk(sk); + +- /* State has changed from CE=1 to CE=0 and delayed +- * ACK has not sent yet. +- */ +- if (ca->ce_state && ca->delayed_ack_reserved) { +- u32 tmp_rcv_nxt; +- +- /* Save current rcv_nxt. */ +- tmp_rcv_nxt = tp->rcv_nxt; +- +- /* Generate previous ack with CE=1. */ +- tp->ecn_flags |= TCP_ECN_DEMAND_CWR; +- tp->rcv_nxt = ca->prior_rcv_nxt; +- +- tcp_send_ack(sk); +- +- /* Recover current rcv_nxt. */ +- tp->rcv_nxt = tmp_rcv_nxt; ++ if (ca->ce_state) { ++ /* State has changed from CE=1 to CE=0, force an immediate ++ * ACK to reflect the new CE state. If an ACK was delayed, ++ * send that first to reflect the prior CE state. 
++ */ ++ if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER) ++ __tcp_send_ack(sk, ca->prior_rcv_nxt); ++ tcp_enter_quickack_mode(sk); + } + + ca->prior_rcv_nxt = tp->rcv_nxt; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 4350ee058441..5c645069a09a 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -187,13 +187,14 @@ static void tcp_incr_quickack(struct sock *sk) + icsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS); + } + +-static void tcp_enter_quickack_mode(struct sock *sk) ++void tcp_enter_quickack_mode(struct sock *sk) + { + struct inet_connection_sock *icsk = inet_csk(sk); + tcp_incr_quickack(sk); + icsk->icsk_ack.pingpong = 0; + icsk->icsk_ack.ato = TCP_ATO_MIN; + } ++EXPORT_SYMBOL(tcp_enter_quickack_mode); + + /* Send ACKs quickly, if "quick" count is not exhausted + * and the session is not interactive. +@@ -4788,6 +4789,7 @@ restart: + static void tcp_collapse_ofo_queue(struct sock *sk) + { + struct tcp_sock *tp = tcp_sk(sk); ++ u32 range_truesize, sum_tiny = 0; + struct sk_buff *skb = skb_peek(&tp->out_of_order_queue); + struct sk_buff *head; + u32 start, end; +@@ -4797,6 +4799,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk) + + start = TCP_SKB_CB(skb)->seq; + end = TCP_SKB_CB(skb)->end_seq; ++ range_truesize = skb->truesize; + head = skb; + + for (;;) { +@@ -4811,14 +4814,24 @@ static void tcp_collapse_ofo_queue(struct sock *sk) + if (!skb || + after(TCP_SKB_CB(skb)->seq, end) || + before(TCP_SKB_CB(skb)->end_seq, start)) { +- tcp_collapse(sk, &tp->out_of_order_queue, +- head, skb, start, end); ++ /* Do not attempt collapsing tiny skbs */ ++ if (range_truesize != head->truesize || ++ end - start >= SKB_WITH_OVERHEAD(SK_MEM_QUANTUM)) { ++ tcp_collapse(sk, &tp->out_of_order_queue, ++ head, skb, start, end); ++ } else { ++ sum_tiny += range_truesize; ++ if (sum_tiny > sk->sk_rcvbuf >> 3) ++ return; ++ } ++ + head = skb; + if (!skb) + break; + /* Start new segment */ + start = TCP_SKB_CB(skb)->seq; + end = 
TCP_SKB_CB(skb)->end_seq; ++ range_truesize = skb->truesize; + } else { + if (before(TCP_SKB_CB(skb)->seq, start)) + start = TCP_SKB_CB(skb)->seq; +@@ -4874,6 +4887,9 @@ static int tcp_prune_queue(struct sock *sk) + else if (tcp_under_memory_pressure(sk)) + tp->rcv_ssthresh = min(tp->rcv_ssthresh, 4U * tp->advmss); + ++ if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) ++ return 0; ++ + tcp_collapse_ofo_queue(sk); + if (!skb_queue_empty(&sk->sk_receive_queue)) + tcp_collapse(sk, &sk->sk_receive_queue, +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 2854db094864..6fa749ce231f 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -177,8 +177,13 @@ static void tcp_event_data_sent(struct tcp_sock *tp, + } + + /* Account for an ACK we sent. */ +-static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts) ++static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts, ++ u32 rcv_nxt) + { ++ struct tcp_sock *tp = tcp_sk(sk); ++ ++ if (unlikely(rcv_nxt != tp->rcv_nxt)) ++ return; /* Special ACK sent by DCTCP to reflect ECN */ + tcp_dec_quickack_mode(sk, pkts); + inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK); + } +@@ -901,8 +906,8 @@ out: + * We are working here with either a clone of the original + * SKB, or a fresh unique copy made by the retransmit engine. 
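Review bot: The tiny-skb branch added to tcp_collapse_ofo_queue relies on two thresholds that are not explained where they are used: ranges shorter than `SKB_WITH_OVERHEAD(SK_MEM_QUANTUM)` are skipped, and the walk is abandoned with a bare `return` once `sum_tiny` exceeds `sk->sk_rcvbuf >> 3`. Since this is the limit that bounds how much CPU a peer can make the receiver spend on an out-of-order queue full of small segments, it deserves a comment at the `return`, e.g. `/* tiny ranges already exceed 1/8 of sk_rcvbuf: stop, collapsing more costs CPU and frees little */` (the wording is inferred from the code and should be confirmed). A named constant for the shift would also make the limit easier to find and tune. The function starts before this hunk and its loop continues after it.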
+ */ +-static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, +- gfp_t gfp_mask) ++static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, ++ int clone_it, gfp_t gfp_mask, u32 rcv_nxt) + { + const struct inet_connection_sock *icsk = inet_csk(sk); + struct inet_sock *inet; +@@ -962,7 +967,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, + th->source = inet->inet_sport; + th->dest = inet->inet_dport; + th->seq = htonl(tcb->seq); +- th->ack_seq = htonl(tp->rcv_nxt); ++ th->ack_seq = htonl(rcv_nxt); + *(((__be16 *)th) + 6) = htons(((tcp_header_size >> 2) << 12) | + tcb->tcp_flags); + +@@ -1005,7 +1010,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, + icsk->icsk_af_ops->send_check(sk, skb); + + if (likely(tcb->tcp_flags & TCPHDR_ACK)) +- tcp_event_ack_sent(sk, tcp_skb_pcount(skb)); ++ tcp_event_ack_sent(sk, tcp_skb_pcount(skb), rcv_nxt); + + if (skb->len != tcp_header_size) + tcp_event_data_sent(tp, sk); +@@ -1036,6 +1041,13 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, + return net_xmit_eval(err); + } + ++static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, ++ gfp_t gfp_mask) ++{ ++ return __tcp_transmit_skb(sk, skb, clone_it, gfp_mask, ++ tcp_sk(sk)->rcv_nxt); ++} ++ + /* This routine just queues the buffer for sending. + * + * NOTE: probe0 timer is not checked, do not forget tcp_push_pending_frames, +@@ -3354,7 +3366,7 @@ void tcp_send_delayed_ack(struct sock *sk) + } + + /* This routine sends an ack and also updates the window. */ +-void tcp_send_ack(struct sock *sk) ++void __tcp_send_ack(struct sock *sk, u32 rcv_nxt) + { + struct sk_buff *buff; + +@@ -3391,9 +3403,14 @@ void tcp_send_ack(struct sock *sk) + + /* Send it off, this clears delayed acks for us. 
*/ + skb_mstamp_get(&buff->skb_mstamp); +- tcp_transmit_skb(sk, buff, 0, sk_gfp_atomic(sk, GFP_ATOMIC)); ++ __tcp_transmit_skb(sk, buff, 0, sk_gfp_atomic(sk, GFP_ATOMIC), rcv_nxt); ++} ++EXPORT_SYMBOL_GPL(__tcp_send_ack); ++ ++void tcp_send_ack(struct sock *sk) ++{ ++ __tcp_send_ack(sk, tcp_sk(sk)->rcv_nxt); + } +-EXPORT_SYMBOL_GPL(tcp_send_ack); + + /* This routine sends a packet with an out of date sequence + * number. It assumes the other end will try to ack it. +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index cae37bfd12ab..9f6e57ded338 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -657,13 +657,16 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, + } + if (np->rxopt.bits.rxorigdstaddr) { + struct sockaddr_in6 sin6; +- __be16 *ports = (__be16 *) skb_transport_header(skb); ++ __be16 *ports; ++ int end; + +- if (skb_transport_offset(skb) + 4 <= skb->len) { ++ end = skb_transport_offset(skb) + 4; ++ if (end <= 0 || pskb_may_pull(skb, end)) { + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ ++ ports = (__be16 *)skb_transport_header(skb); + + sin6.sin6_family = AF_INET6; + sin6.sin6_addr = ipv6_hdr(skb)->daddr; +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 74786783834b..0feede45bd28 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -559,6 +559,8 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from) + to->dev = from->dev; + to->mark = from->mark; + ++ skb_copy_hash(to, from); ++ + #ifdef CONFIG_NET_SCHED + to->tc_index = from->tc_index; + #endif diff --git a/patch/kernel/mvebu-default/04-patch-4.4.145-146.patch b/patch/kernel/mvebu-default/04-patch-4.4.145-146.patch new file mode 100644 index 0000000000..5b8de0dd2c --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.145-146.patch 
@@ -0,0 +1,2741 @@ +diff --git a/Makefile b/Makefile +index be31491a2d67..030f5af05f4e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 145 ++SUBLEVEL = 146 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/microblaze/boot/Makefile b/arch/microblaze/boot/Makefile +index 91d2068da1b9..0f3fe6a151dc 100644 +--- a/arch/microblaze/boot/Makefile ++++ b/arch/microblaze/boot/Makefile +@@ -21,17 +21,19 @@ $(obj)/linux.bin.gz: $(obj)/linux.bin FORCE + quiet_cmd_cp = CP $< $@$2 + cmd_cp = cat $< >$@$2 || (rm -f $@ && echo false) + +-quiet_cmd_strip = STRIP $@ ++quiet_cmd_strip = STRIP $< $@$2 + cmd_strip = $(STRIP) -K microblaze_start -K _end -K __log_buf \ +- -K _fdt_start vmlinux -o $@ ++ -K _fdt_start $< -o $@$2 + + UIMAGE_LOADADDR = $(CONFIG_KERNEL_BASE_ADDR) ++UIMAGE_IN = $@ ++UIMAGE_OUT = $@.ub + + $(obj)/simpleImage.%: vmlinux FORCE + $(call if_changed,cp,.unstrip) + $(call if_changed,objcopy) + $(call if_changed,uimage) +- $(call if_changed,strip) +- @echo 'Kernel: $@ is ready' ' (#'`cat .version`')' ++ $(call if_changed,strip,.strip) ++ @echo 'Kernel: $(UIMAGE_OUT) is ready' ' (#'`cat .version`')' + + clean-files += simpleImage.*.unstrip linux.bin.ub dts/*.dtb +diff --git a/arch/mips/include/asm/pci.h b/arch/mips/include/asm/pci.h +index 98c31e5d9579..a7bc901819c8 100644 +--- a/arch/mips/include/asm/pci.h ++++ b/arch/mips/include/asm/pci.h +@@ -89,7 +89,7 @@ static inline void pci_resource_to_user(const struct pci_dev *dev, int bar, + phys_addr_t size = resource_size(rsrc); + + *start = fixup_bigphys_addr(rsrc->start, size); +- *end = rsrc->start + size; ++ *end = rsrc->start + size - 1; + } + + /* +diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S +index 78c1eba4c04a..01e274e6907b 100644 +--- a/arch/powerpc/kernel/head_8xx.S ++++ b/arch/powerpc/kernel/head_8xx.S +@@ -720,7 +720,7 @@ start_here: + tovirt(r6,r6) + lis r5, abatron_pteptrs@h + ori r5, r5, abatron_pteptrs@l +- stw 
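Review bot: In pci_resource_to_user, `*end` is still computed from the raw `rsrc->start`, while `*start` on the line above goes through `fixup_bigphys_addr()`, so on a platform where the fixup changes the address the two values describe different ranges. If the fixed-up address is what user space should see, `*end = *start + size - 1;` keeps the pair consistent; if the end is left unfixed on purpose, a short comment saying so would help. The function's opening lines are outside the hunk.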
r5, 0xf0(r0) /* Must match your Abatron config file */ ++ stw r5, 0xf0(0) /* Must match your Abatron config file */ + tophys(r5,r5) + stw r6, 0(r5) + +diff --git a/arch/powerpc/kernel/pci_32.c b/arch/powerpc/kernel/pci_32.c +index 1f7930037cb7..d9e41b77dd13 100644 +--- a/arch/powerpc/kernel/pci_32.c ++++ b/arch/powerpc/kernel/pci_32.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/powerpc/mm/slb.c b/arch/powerpc/mm/slb.c +index 515730e499fe..309027208f7c 100644 +--- a/arch/powerpc/mm/slb.c ++++ b/arch/powerpc/mm/slb.c +@@ -69,14 +69,14 @@ static inline void slb_shadow_update(unsigned long ea, int ssize, + * updating it. No write barriers are needed here, provided + * we only update the current CPU's SLB shadow buffer. + */ +- p->save_area[index].esid = 0; +- p->save_area[index].vsid = cpu_to_be64(mk_vsid_data(ea, ssize, flags)); +- p->save_area[index].esid = cpu_to_be64(mk_esid_data(ea, ssize, index)); ++ WRITE_ONCE(p->save_area[index].esid, 0); ++ WRITE_ONCE(p->save_area[index].vsid, cpu_to_be64(mk_vsid_data(ea, ssize, flags))); ++ WRITE_ONCE(p->save_area[index].esid, cpu_to_be64(mk_esid_data(ea, ssize, index))); + } + + static inline void slb_shadow_clear(enum slb_index index) + { +- get_slb_shadow()->save_area[index].esid = 0; ++ WRITE_ONCE(get_slb_shadow()->save_area[index].esid, 0); + } + + static inline void create_shadowed_slbe(unsigned long ea, int ssize, +diff --git a/arch/powerpc/platforms/chrp/time.c b/arch/powerpc/platforms/chrp/time.c +index f803f4b8ab6f..8608e358217f 100644 +--- a/arch/powerpc/platforms/chrp/time.c ++++ b/arch/powerpc/platforms/chrp/time.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include ++ + extern spinlock_t rtc_lock; + + #define NVRAM_AS0 0x74 +@@ -62,7 +64,7 @@ long __init chrp_time_init(void) + return 0; + } + +-int chrp_cmos_clock_read(int addr) ++static int chrp_cmos_clock_read(int addr) + { + if (nvram_as1 != 0) + outb(addr>>8, nvram_as1); +@@ -70,7 +72,7 
@@ int chrp_cmos_clock_read(int addr) + return (inb(nvram_data)); + } + +-void chrp_cmos_clock_write(unsigned long val, int addr) ++static void chrp_cmos_clock_write(unsigned long val, int addr) + { + if (nvram_as1 != 0) + outb(addr>>8, nvram_as1); +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +index 9b7975706bfc..9485f1024d46 100644 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -35,6 +35,8 @@ + */ + #define HW_BROADWAY_ICR 0x00 + #define HW_BROADWAY_IMR 0x04 ++#define HW_STARLET_ICR 0x08 ++#define HW_STARLET_IMR 0x0c + + + /* +@@ -74,6 +76,9 @@ static void hlwd_pic_unmask(struct irq_data *d) + void __iomem *io_base = irq_data_get_irq_chip_data(d); + + setbits32(io_base + HW_BROADWAY_IMR, 1 << irq); ++ ++ /* Make sure the ARM (aka. Starlet) doesn't handle this interrupt. */ ++ clrbits32(io_base + HW_STARLET_IMR, 1 << irq); + } + + +diff --git a/arch/powerpc/platforms/powermac/bootx_init.c b/arch/powerpc/platforms/powermac/bootx_init.c +index 76f5013c35e5..89237b84b096 100644 +--- a/arch/powerpc/platforms/powermac/bootx_init.c ++++ b/arch/powerpc/platforms/powermac/bootx_init.c +@@ -467,7 +467,7 @@ void __init bootx_init(unsigned long r3, unsigned long r4) + boot_infos_t *bi = (boot_infos_t *) r4; + unsigned long hdr; + unsigned long space; +- unsigned long ptr, x; ++ unsigned long ptr; + char *model; + unsigned long offset = reloc_offset(); + +@@ -561,6 +561,8 @@ void __init bootx_init(unsigned long r3, unsigned long r4) + * MMU switched OFF, so this should not be useful anymore. 
+ */ + if (bi->version < 4) { ++ unsigned long x __maybe_unused; ++ + bootx_printf("Touching pages...\n"); + + /* +diff --git a/arch/powerpc/platforms/powermac/setup.c b/arch/powerpc/platforms/powermac/setup.c +index 8dd78f4e1af4..32fc56cf6261 100644 +--- a/arch/powerpc/platforms/powermac/setup.c ++++ b/arch/powerpc/platforms/powermac/setup.c +@@ -359,6 +359,7 @@ static int pmac_late_init(void) + } + machine_late_initcall(powermac, pmac_late_init); + ++void note_bootable_part(dev_t dev, int part, int goodness); + /* + * This is __init_refok because we check for "initializing" before + * touching any of the __init sensitive things and "initializing" +diff --git a/arch/s390/include/asm/cpu_mf.h b/arch/s390/include/asm/cpu_mf.h +index 9dd04b9e9782..b2f8c52b3840 100644 +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -113,7 +113,7 @@ struct hws_basic_entry { + + struct hws_diag_entry { + unsigned int def:16; /* 0-15 Data Entry Format */ +- unsigned int R:14; /* 16-19 and 20-30 reserved */ ++ unsigned int R:15; /* 16-19 and 20-30 reserved */ + unsigned int I:1; /* 31 entry valid or invalid */ + u8 data[]; /* Machine-dependent sample data */ + } __packed; +@@ -129,7 +129,9 @@ struct hws_trailer_entry { + unsigned int f:1; /* 0 - Block Full Indicator */ + unsigned int a:1; /* 1 - Alert request control */ + unsigned int t:1; /* 2 - Timestamp format */ +- unsigned long long:61; /* 3 - 63: Reserved */ ++ unsigned int :29; /* 3 - 31: Reserved */ ++ unsigned int bsdes:16; /* 32-47: size of basic SDE */ ++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ + }; + unsigned long long flags; /* 0 - 63: All indicators */ + }; +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +index 61215a69b03d..b22e9c4dd111 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +@@ -229,7 +229,7 @@ void uncore_perf_event_update(struct 
intel_uncore_box *box, struct perf_event *e + u64 prev_count, new_count, delta; + int shift; + +- if (event->hw.idx >= UNCORE_PMC_IDX_FIXED) ++ if (event->hw.idx == UNCORE_PMC_IDX_FIXED) + shift = 64 - uncore_fixed_ctr_bits(box); + else + shift = 64 - uncore_perf_ctr_bits(box); +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c +index 2749965afed0..83cadc2605a7 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c +@@ -240,7 +240,7 @@ static void nhmex_uncore_msr_enable_event(struct intel_uncore_box *box, struct p + { + struct hw_perf_event *hwc = &event->hw; + +- if (hwc->idx >= UNCORE_PMC_IDX_FIXED) ++ if (hwc->idx == UNCORE_PMC_IDX_FIXED) + wrmsrl(hwc->config_base, NHMEX_PMON_CTL_EN_BIT0); + else if (box->pmu->type->event_mask & NHMEX_PMON_CTL_EN_BIT0) + wrmsrl(hwc->config_base, hwc->config | NHMEX_PMON_CTL_EN_BIT22); +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 18143886b186..c5a4b1978cbf 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6843,6 +6843,8 @@ static int handle_vmon(struct kvm_vcpu *vcpu) + HRTIMER_MODE_REL); + vmx->nested.preemption_timer.function = vmx_preemption_timer_fn; + ++ vmx->nested.vpid02 = allocate_vpid(); ++ + vmx->nested.vmxon = true; + + skip_emulated_instruction(vcpu); +@@ -8887,10 +8889,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) + goto free_vmcs; + } + +- if (nested) { ++ if (nested) + nested_vmx_setup_ctls_msrs(vmx); +- vmx->nested.vpid02 = allocate_vpid(); +- } + + vmx->nested.posted_intr_nv = -1; + vmx->nested.current_vmptr = -1ull; +@@ -8899,7 +8899,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) + return &vmx->vcpu; + + free_vmcs: +- free_vpid(vmx->nested.vpid02); + free_loaded_vmcs(vmx->loaded_vmcs); + free_msrs: + kfree(vmx->guest_msrs); +diff --git a/crypto/authenc.c b/crypto/authenc.c +index 
55a354d57251..b7290c5b1eaa 100644 +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -108,6 +108,7 @@ static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key, + CRYPTO_TFM_RES_MASK); + + out: ++ memzero_explicit(&keys, sizeof(keys)); + return err; + + badkey: +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index 52154ef21b5e..fa0c4567f697 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -90,6 +90,7 @@ static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 * + CRYPTO_TFM_RES_MASK); + + out: ++ memzero_explicit(&keys, sizeof(keys)); + return err; + + badkey: +diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c +index ae3fe4e64203..3b0b4bd67b71 100644 +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -472,9 +472,11 @@ static void negotiate_os_control(struct acpi_pci_root *root, int *no_aspm) + } + + control = OSC_PCI_EXPRESS_CAPABILITY_CONTROL +- | OSC_PCI_EXPRESS_NATIVE_HP_CONTROL + | OSC_PCI_EXPRESS_PME_CONTROL; + ++ if (IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) ++ control |= OSC_PCI_EXPRESS_NATIVE_HP_CONTROL; ++ + if (pci_aer_available()) { + if (aer_acpi_firmware_first()) + dev_info(&device->dev, +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 75cced210b2a..7db76b5c7ada 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2198,12 +2198,16 @@ static void ata_eh_link_autopsy(struct ata_link *link) + if (qc->err_mask & ~AC_ERR_OTHER) + qc->err_mask &= ~AC_ERR_OTHER; + +- /* SENSE_VALID trumps dev/unknown error and revalidation */ ++ /* ++ * SENSE_VALID trumps dev/unknown error and revalidation. Upper ++ * layers will determine whether the command is worth retrying ++ * based on the sense data and device class/type. Otherwise, ++ * determine directly if the command is worth retrying using its ++ * error mask and flags. 
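Review bot: The new `memzero_explicit(&keys, sizeof(keys));` sits under `out:`, so it only covers paths that reach that label; the `badkey:` block that follows is cut off by the hunk, and if it returns directly instead of jumping back to `out`, `keys` is left on the stack on the bad-key path. That is worth confirming against the full function. A one-line comment above the call, such as `/* do not leave the parsed key description on the stack */`, would also stop the wipe from being removed later as apparently dead code. The same applies to the identical hunk in crypto/authencesn.c; both functions start and end outside their hunks.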
++ */ + if (qc->flags & ATA_QCFLAG_SENSE_VALID) + qc->err_mask &= ~(AC_ERR_DEV | AC_ERR_OTHER); +- +- /* determine whether the command is worth retrying */ +- if (ata_eh_worth_retry(qc)) ++ else if (ata_eh_worth_retry(qc)) + qc->flags |= ATA_QCFLAG_RETRY; + + /* accumulate error info */ +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 91676535a1a3..4a899b41145e 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -339,6 +339,9 @@ static const struct usb_device_id blacklist_table[] = { + /* Additional Realtek 8723BU Bluetooth devices */ + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8723DE Bluetooth devices */ ++ { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK }, ++ + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 476d39c7ba20..ecfb9ed2cff6 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -884,7 +884,7 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) + */ + set_current_state(TASK_UNINTERRUPTIBLE); + schedule_timeout(msecs_to_jiffies(BAUDRATE_SETTLE_TIMEOUT_MS)); +- set_current_state(TASK_INTERRUPTIBLE); ++ set_current_state(TASK_RUNNING); + + return 0; + } +diff --git a/drivers/char/random.c b/drivers/char/random.c +index dffd06a3bb76..2916d08ee30e 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1503,14 +1503,22 @@ static int + write_pool(struct entropy_store *r, const char __user *buffer, size_t count) + { + size_t bytes; +- __u32 buf[16]; ++ __u32 t, buf[16]; + const char __user *p = buffer; + + while (count > 0) { ++ int b, i = 0; ++ + bytes = min(count, sizeof(buf)); + if (copy_from_user(&buf, p, bytes)) + return -EFAULT; + ++ for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { 
++ if (!arch_get_random_int(&t)) ++ break; ++ buf[i] ^= t; ++ } ++ + count -= bytes; + p += bytes; + +diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c +index 97a364694bfc..047ef69b7e65 100644 +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, + return; + } + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, + + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +- : "d"(control_word), "b"(key), "c"(count - initial)); ++ : "d"(control_word), "b"(key), "c"(count)); + } + + static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, +@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, + if (count < cbc_fetch_blocks) + return cbc_crypt(input, output, key, iv, control_word, count); + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, + + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +- : "d" (control_word), "b" (key), "c" (count-initial)); ++ : "d" (control_word), "b" (key), "c" (count)); + return iv; + } + +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 55f5d33f6dc7..4251e9ac0373 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -1321,7 +1321,7 @@ static int pxad_init_phys(struct platform_device *op, + return 0; + } + +-static const struct of_device_id const pxad_dt_ids[] = { ++static const struct of_device_id pxad_dt_ids[] = { + { .compatible = 
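Review bot: The XOR loop added to write_pool() counts a signed `int b` down by `sizeof(__u32)`, which is a `size_t`, and when `bytes` is not a multiple of four its last pass touches bytes of `buf` that this iteration's `copy_from_user()` did not write. Iterating over words directly, `for (i = 0; i < DIV_ROUND_UP(bytes, sizeof(__u32)); i++)`, with the same `arch_get_random_int()` break inside, avoids the mixed-sign arithmetic and makes the partial-word case explicit. `buf` still holds the user-supplied data at the end of the visible lines; if the remainder of the function (outside the hunk) does not clear it, `memzero_explicit(buf, sizeof(buf));` before the return would match the stack-wiping done in crypto/authenc.c in this same patch.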
"marvell,pdma-1.0", }, + {} + }; +diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c +index 50d74e5ce41b..355ad1b97df6 100644 +--- a/drivers/gpu/drm/drm_atomic.c ++++ b/drivers/gpu/drm/drm_atomic.c +@@ -960,7 +960,9 @@ drm_atomic_set_crtc_for_plane(struct drm_plane_state *plane_state, + { + struct drm_plane *plane = plane_state->plane; + struct drm_crtc_state *crtc_state; +- ++ /* Nothing to do for same crtc*/ ++ if (plane_state->crtc == crtc) ++ return 0; + if (plane_state->crtc) { + crtc_state = drm_atomic_get_crtc_state(plane_state->state, + plane_state->crtc); +diff --git a/drivers/gpu/drm/gma500/psb_intel_drv.h b/drivers/gpu/drm/gma500/psb_intel_drv.h +index 860dd2177ca1..283570080d47 100644 +--- a/drivers/gpu/drm/gma500/psb_intel_drv.h ++++ b/drivers/gpu/drm/gma500/psb_intel_drv.h +@@ -252,7 +252,7 @@ extern int intelfb_remove(struct drm_device *dev, + extern bool psb_intel_lvds_mode_fixup(struct drm_encoder *encoder, + const struct drm_display_mode *mode, + struct drm_display_mode *adjusted_mode); +-extern int psb_intel_lvds_mode_valid(struct drm_connector *connector, ++extern enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode); + extern int psb_intel_lvds_set_property(struct drm_connector *connector, + struct drm_property *property, +diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c +index 61e3a097a478..ccd1b8bf0fd5 100644 +--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c +@@ -343,7 +343,7 @@ static void psb_intel_lvds_restore(struct drm_connector *connector) + } + } + +-int psb_intel_lvds_mode_valid(struct drm_connector *connector, ++enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_psb_private *dev_priv = connector->dev->dev_private; +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c 
b/drivers/gpu/drm/radeon/radeon_connectors.c +index 1a2a7365d0b5..c6bf378534f8 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -844,7 +844,7 @@ static int radeon_lvds_get_modes(struct drm_connector *connector) + return ret; + } + +-static int radeon_lvds_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_encoder *encoder = radeon_best_single_encoder(connector); +@@ -993,7 +993,7 @@ static int radeon_vga_get_modes(struct drm_connector *connector) + return ret; + } + +-static int radeon_vga_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_vga_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1136,7 +1136,7 @@ static int radeon_tv_get_modes(struct drm_connector *connector) + return 1; + } + +-static int radeon_tv_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_tv_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + if ((mode->hdisplay > 1024) || (mode->vdisplay > 768)) +@@ -1477,7 +1477,7 @@ static void radeon_dvi_force(struct drm_connector *connector) + radeon_connector->use_digital = true; + } + +-static int radeon_dvi_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_dvi_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1778,7 +1778,7 @@ out: + return ret; + } + +-static int radeon_dp_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_dp_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c +index febb21ee190e..584b10d3fc3d 
100644 +--- a/drivers/hid/hid-plantronics.c ++++ b/drivers/hid/hid-plantronics.c +@@ -2,7 +2,7 @@ + * Plantronics USB HID Driver + * + * Copyright (c) 2014 JD Cole +- * Copyright (c) 2015 Terry Junge ++ * Copyright (c) 2015-2018 Terry Junge + */ + + /* +@@ -48,6 +48,10 @@ static int plantronics_input_mapping(struct hid_device *hdev, + unsigned short mapped_key; + unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev); + ++ /* special case for PTT products */ ++ if (field->application == HID_GD_JOYSTICK) ++ goto defaulted; ++ + /* handle volume up/down mapping */ + /* non-standard types or multi-HID interfaces - plt_type is PID */ + if (!(plt_type & HID_USAGE_PAGE)) { +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index a5fed668fde1..4248d253c32a 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -1017,6 +1017,14 @@ static int i2c_hid_probe(struct i2c_client *client, + pm_runtime_set_active(&client->dev); + pm_runtime_enable(&client->dev); + ++ /* Make sure there is something at this address */ ++ ret = i2c_smbus_read_byte(client); ++ if (ret < 0) { ++ dev_dbg(&client->dev, "nothing at this address: %d\n", ret); ++ ret = -ENXIO; ++ goto err_pm; ++ } ++ + ret = i2c_hid_fetch_hid_descriptor(ihid); + if (ret < 0) + goto err_pm; +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 8d84c563ba75..616173b7a5e8 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -1548,7 +1548,8 @@ static int add_oui_reg_req(struct ib_mad_reg_req *mad_reg_req, + mad_reg_req->oui, 3)) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(!*method); ++ if (!*method) ++ goto error3; + goto check_in_use; + } + } +@@ -1558,10 +1559,12 @@ static int add_oui_reg_req(struct ib_mad_reg_req *mad_reg_req, + vclass]->oui[i])) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(*method); + /* Allocate method table 
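Review bot: The added presence check in i2c_hid_probe turns every negative return of `i2c_smbus_read_byte(client)` into `-ENXIO`, so a bus timeout or an adapter that cannot perform this transaction is reported the same way as an empty address. The real code only reaches the log at debug level. If the intent is to stay quiet only for absent devices, keep the original value for the other cases, for example `if (ret != -ENXIO) dev_warn(&client->dev, "presence check failed: %d\n", ret);` before the override. The comment should also say that the probe now issues a read to the device before the descriptor fetch. The function starts and ends outside the hunk.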
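Review bot: The branch that replaces `BUG_ON(!*method)` in add_oui_reg_req jumps to `error3` without assigning `ret`, while the second hunk sets `ret` before the same jump. The label is outside the hunk, so confirm that this path returns a negative errno that does not depend on `ret`. If it does depend on it, set the value explicitly, e.g. `if (!*method) { ret = -EINVAL; goto error3; }`. A short comment that a missing method table is now treated as a registration failure rather than a fatal invariant would help the next reader.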
for this OUI */ +- if ((ret = allocate_method_table(method))) +- goto error3; ++ if (!*method) { ++ ret = allocate_method_table(method); ++ if (ret) ++ goto error3; ++ } + memcpy((*vendor_table)->vendor_class[vclass]->oui[i], + mad_reg_req->oui, 3); + goto check_in_use; +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 795938edce3f..55aa8d3d752f 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -217,7 +217,7 @@ static struct ucma_multicast* ucma_alloc_multicast(struct ucma_context *ctx) + return NULL; + + mutex_lock(&mut); +- mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL); ++ mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL); + mutex_unlock(&mut); + if (mc->id < 0) + goto error; +@@ -1375,6 +1375,10 @@ static ssize_t ucma_process_join(struct ucma_file *file, + goto err3; + } + ++ mutex_lock(&mut); ++ idr_replace(&multicast_idr, mc, mc->id); ++ mutex_unlock(&mut); ++ + mutex_unlock(&file->mut); + ucma_put_ctx(ctx); + return 0; +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 97f6e05cffce..a716482774db 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1251,6 +1251,8 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN061D", 0 }, ++ { "ELAN0622", 0 }, + { "ELAN1000", 0 }, + { } + }; +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index e484ea2dc787..34be09651ee8 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -527,6 +527,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"), + }, + }, ++ { ++ /* Lenovo LaVie Z */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), ++ }, ++ }, + { } + }; + 
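Review bot: Storing `NULL` in `idr_alloc(&multicast_idr, NULL, ...)` in ucma_alloc_multicast, and publishing `mc` with `idr_replace()` only at the end of ucma_process_join, is a lifetime rule with no comment on either side. I would add `/* reserve the ID only; mc is published by idr_replace() once the join has succeeded */` at the allocation and a matching line at the replace. The return value of `idr_replace()` is also dropped; a `WARN_ON(IS_ERR(...))` would catch a mismatched ID. Every lookup on `multicast_idr` now has to tolerate a NULL entry, and the error labels of ucma_process_join still have to remove the reserved ID; both are outside the hunks and should be confirmed.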
+diff --git a/drivers/md/md.c b/drivers/md/md.c +index 0663463df2f7..07f307402351 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6145,6 +6145,9 @@ static int hot_remove_disk(struct mddev *mddev, dev_t dev) + struct md_rdev *rdev; + int ret = -1; + ++ if (!mddev->pers) ++ return -ENODEV; ++ + rdev = find_rdev(mddev, dev); + if (!rdev) + return -ENXIO; +diff --git a/drivers/media/common/siano/smsendian.c b/drivers/media/common/siano/smsendian.c +index bfe831c10b1c..b95a631f23f9 100644 +--- a/drivers/media/common/siano/smsendian.c ++++ b/drivers/media/common/siano/smsendian.c +@@ -35,7 +35,7 @@ void smsendian_handle_tx_message(void *buffer) + switch (msg->x_msg_header.msg_type) { + case MSG_SMS_DATA_DOWNLOAD_REQ: + { +- msg->msg_data[0] = le32_to_cpu(msg->msg_data[0]); ++ msg->msg_data[0] = le32_to_cpu((__force __le32)(msg->msg_data[0])); + break; + } + +@@ -44,7 +44,7 @@ void smsendian_handle_tx_message(void *buffer) + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -64,7 +64,7 @@ void smsendian_handle_rx_message(void *buffer) + { + struct sms_version_res *ver = + (struct sms_version_res *) msg; +- ver->chip_model = le16_to_cpu(ver->chip_model); ++ ver->chip_model = le16_to_cpu((__force __le16)ver->chip_model); + break; + } + +@@ -81,7 +81,7 @@ void smsendian_handle_rx_message(void *buffer) + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -95,9 +95,9 @@ void smsendian_handle_message_header(void *msg) + #ifdef __BIG_ENDIAN + struct sms_msg_hdr *phdr = (struct sms_msg_hdr *)msg; + +- phdr->msg_type = le16_to_cpu(phdr->msg_type); +- phdr->msg_length = le16_to_cpu(phdr->msg_length); +- phdr->msg_flags = le16_to_cpu(phdr->msg_flags); ++ 
phdr->msg_type = le16_to_cpu((__force __le16)phdr->msg_type); ++ phdr->msg_length = le16_to_cpu((__force __le16)phdr->msg_length); ++ phdr->msg_flags = le16_to_cpu((__force __le16)phdr->msg_flags); + #endif /* __BIG_ENDIAN */ + } + EXPORT_SYMBOL_GPL(smsendian_handle_message_header); +diff --git a/drivers/media/i2c/smiapp/smiapp-core.c b/drivers/media/i2c/smiapp/smiapp-core.c +index fb39dfd55e75..46a052c5be2e 100644 +--- a/drivers/media/i2c/smiapp/smiapp-core.c ++++ b/drivers/media/i2c/smiapp/smiapp-core.c +@@ -981,7 +981,7 @@ static int smiapp_read_nvm(struct smiapp_sensor *sensor, + if (rval) + goto out; + +- for (i = 0; i < 1000; i++) { ++ for (i = 1000; i > 0; i--) { + rval = smiapp_read( + sensor, + SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s); +@@ -992,11 +992,10 @@ static int smiapp_read_nvm(struct smiapp_sensor *sensor, + if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY) + break; + +- if (--i == 0) { +- rval = -ETIMEDOUT; +- goto out; +- } +- ++ } ++ if (!i) { ++ rval = -ETIMEDOUT; ++ goto out; + } + + for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) { +diff --git a/drivers/media/pci/saa7164/saa7164-fw.c b/drivers/media/pci/saa7164/saa7164-fw.c +index 269e0782c7b6..93d53195e8ca 100644 +--- a/drivers/media/pci/saa7164/saa7164-fw.c ++++ b/drivers/media/pci/saa7164/saa7164-fw.c +@@ -430,7 +430,8 @@ int saa7164_downloadfirmware(struct saa7164_dev *dev) + __func__, fw->size); + + if (fw->size != fwlength) { +- printk(KERN_ERR "xc5000: firmware incorrect size\n"); ++ printk(KERN_ERR "saa7164: firmware incorrect size %zu != %u\n", ++ fw->size, fwlength); + ret = -ENOMEM; + goto out; + } +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index 56e683b19a73..91e02c1ff392 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2077,6 +2077,7 @@ error_csiphy: + + static void isp_detach_iommu(struct isp_device *isp) + { ++ arm_iommu_detach_device(isp->dev); + 
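Review bot: The size check in saa7164_downloadfirmware still returns `-ENOMEM` when the firmware image has the wrong length, which points whoever reads the log at memory pressure rather than at a bad or mismatched image. `ret = -EINVAL;` would match the corrected message, provided no caller depends on the old value. The new format string uses `%u` for `fwlength`, whose declaration is outside the hunk, so confirm it is an unsigned int; `%zu` is right for `fw->size` only if that is a size_t.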
arm_iommu_release_mapping(isp->mapping); + isp->mapping = NULL; + iommu_group_remove_device(isp->dev); +@@ -2110,8 +2111,7 @@ static int isp_attach_iommu(struct isp_device *isp) + mapping = arm_iommu_create_mapping(&platform_bus_type, SZ_1G, SZ_2G); + if (IS_ERR(mapping)) { + dev_err(isp->dev, "failed to create ARM IOMMU mapping\n"); +- ret = PTR_ERR(mapping); +- goto error; ++ return PTR_ERR(mapping); + } + + isp->mapping = mapping; +@@ -2126,7 +2126,8 @@ static int isp_attach_iommu(struct isp_device *isp) + return 0; + + error: +- isp_detach_iommu(isp); ++ arm_iommu_release_mapping(isp->mapping); ++ isp->mapping = NULL; + return ret; + } + +diff --git a/drivers/media/platform/rcar_jpu.c b/drivers/media/platform/rcar_jpu.c +index f8e3e83c52a2..20de5e9fc217 100644 +--- a/drivers/media/platform/rcar_jpu.c ++++ b/drivers/media/platform/rcar_jpu.c +@@ -1278,7 +1278,7 @@ static int jpu_open(struct file *file) + /* ...issue software reset */ + ret = jpu_reset(jpu); + if (ret) +- goto device_prepare_rollback; ++ goto jpu_reset_rollback; + } + + jpu->ref_count++; +@@ -1286,6 +1286,8 @@ static int jpu_open(struct file *file) + mutex_unlock(&jpu->mutex); + return 0; + ++jpu_reset_rollback: ++ clk_disable_unprepare(jpu->clk); + device_prepare_rollback: + mutex_unlock(&jpu->mutex); + v4l_prepare_rollback: +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index 471d6a8ae8a4..9326439bc49c 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -96,7 +96,7 @@ MODULE_PARM_DESC(max_rds_errors, "RDS maximum block errors: *1*"); + */ + int si470x_get_register(struct si470x_device *radio, int regnr) + { +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -121,7 +121,7 @@ int si470x_get_register(struct si470x_device *radio, int regnr) + int si470x_set_register(struct si470x_device *radio, int 
regnr) + { + int i; +- u16 buf[WRITE_REG_NUM]; ++ __be16 buf[WRITE_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -151,7 +151,7 @@ int si470x_set_register(struct si470x_device *radio, int regnr) + static int si470x_get_all_registers(struct si470x_device *radio) + { + int i; +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c +index bb1e19f7ed5a..0c1a42bf27fd 100644 +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -870,9 +870,12 @@ void vb2_buffer_done(struct vb2_buffer *vb, enum vb2_buffer_state state) + dprintk(4, "done processing on buffer %d, state: %d\n", + vb->index, state); + +- /* sync buffers */ +- for (plane = 0; plane < vb->num_planes; ++plane) +- call_void_memop(vb, finish, vb->planes[plane].mem_priv); ++ if (state != VB2_BUF_STATE_QUEUED && ++ state != VB2_BUF_STATE_REQUEUEING) { ++ /* sync buffers */ ++ for (plane = 0; plane < vb->num_planes; ++plane) ++ call_void_memop(vb, finish, vb->planes[plane].mem_priv); ++ } + + spin_lock_irqsave(&q->done_lock, flags); + if (state == VB2_BUF_STATE_QUEUED || +diff --git a/drivers/memory/tegra/mc.c b/drivers/memory/tegra/mc.c +index a1ae0cc2b86d..6ab481ee8ece 100644 +--- a/drivers/memory/tegra/mc.c ++++ b/drivers/memory/tegra/mc.c +@@ -20,14 +20,6 @@ + #include "mc.h" + + #define MC_INTSTATUS 0x000 +-#define MC_INT_DECERR_MTS (1 << 16) +-#define MC_INT_SECERR_SEC (1 << 13) +-#define MC_INT_DECERR_VPR (1 << 12) +-#define MC_INT_INVALID_APB_ASID_UPDATE (1 << 11) +-#define MC_INT_INVALID_SMMU_PAGE (1 << 10) +-#define MC_INT_ARBITRATION_EMEM (1 << 9) +-#define MC_INT_SECURITY_VIOLATION (1 << 8) +-#define MC_INT_DECERR_EMEM (1 << 6) + + #define MC_INTMASK 0x004 + +@@ -248,12 +240,13 @@ static const char *const error_names[8] = { + static irqreturn_t tegra_mc_irq(int irq, void 
*data) + { + struct tegra_mc *mc = data; +- unsigned long status, mask; ++ unsigned long status; + unsigned int bit; + + /* mask all interrupts to avoid flooding */ +- status = mc_readl(mc, MC_INTSTATUS); +- mask = mc_readl(mc, MC_INTMASK); ++ status = mc_readl(mc, MC_INTSTATUS) & mc->soc->intmask; ++ if (!status) ++ return IRQ_NONE; + + for_each_set_bit(bit, &status, 32) { + const char *error = status_names[bit] ?: "unknown"; +@@ -346,7 +339,6 @@ static int tegra_mc_probe(struct platform_device *pdev) + const struct of_device_id *match; + struct resource *res; + struct tegra_mc *mc; +- u32 value; + int err; + + match = of_match_node(tegra_mc_of_match, pdev->dev.of_node); +@@ -414,11 +406,7 @@ static int tegra_mc_probe(struct platform_device *pdev) + + WARN(!mc->soc->client_id_mask, "Missing client ID mask for this SoC\n"); + +- value = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | +- MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | +- MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM; +- +- mc_writel(mc, value, MC_INTMASK); ++ mc_writel(mc, mc->soc->intmask, MC_INTMASK); + + return 0; + } +diff --git a/drivers/memory/tegra/mc.h b/drivers/memory/tegra/mc.h +index ddb16676c3af..24e020b4609b 100644 +--- a/drivers/memory/tegra/mc.h ++++ b/drivers/memory/tegra/mc.h +@@ -14,6 +14,15 @@ + + #include + ++#define MC_INT_DECERR_MTS (1 << 16) ++#define MC_INT_SECERR_SEC (1 << 13) ++#define MC_INT_DECERR_VPR (1 << 12) ++#define MC_INT_INVALID_APB_ASID_UPDATE (1 << 11) ++#define MC_INT_INVALID_SMMU_PAGE (1 << 10) ++#define MC_INT_ARBITRATION_EMEM (1 << 9) ++#define MC_INT_SECURITY_VIOLATION (1 << 8) ++#define MC_INT_DECERR_EMEM (1 << 6) ++ + static inline u32 mc_readl(struct tegra_mc *mc, unsigned long offset) + { + return readl(mc->regs + offset); +diff --git a/drivers/memory/tegra/tegra114.c b/drivers/memory/tegra/tegra114.c +index ba8fff3d66a6..6d2a5a849d92 100644 +--- a/drivers/memory/tegra/tegra114.c ++++ b/drivers/memory/tegra/tegra114.c +@@ -930,4 
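Review bot: The comment `/* mask all interrupts to avoid flooding */` in tegra_mc_irq no longer describes the code under it: the handler now reads MC_INTSTATUS, ANDs it with `mc->soc->intmask` and returns `IRQ_NONE` when nothing is left, and nothing is masked here. I would replace it with `/* handle only the interrupts enabled for this SoC; anything else is not ours */`. The loop below indexes `status_names[bit]` for bits up to 31, so the table, which is declared outside the hunk, needs 32 entries. The function continues past the end of the hunk.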
+930,6 @@ const struct tegra_mc_soc tegra114_mc_soc = { + .atom_size = 32, + .client_id_mask = 0x7f, + .smmu = &tegra114_smmu_soc, ++ .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION | ++ MC_INT_DECERR_EMEM, + }; +diff --git a/drivers/memory/tegra/tegra124.c b/drivers/memory/tegra/tegra124.c +index 21e7255e3d96..234e74f97a4b 100644 +--- a/drivers/memory/tegra/tegra124.c ++++ b/drivers/memory/tegra/tegra124.c +@@ -1019,6 +1019,9 @@ const struct tegra_mc_soc tegra124_mc_soc = { + .smmu = &tegra124_smmu_soc, + .emem_regs = tegra124_mc_emem_regs, + .num_emem_regs = ARRAY_SIZE(tegra124_mc_emem_regs), ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; + #endif /* CONFIG_ARCH_TEGRA_124_SOC */ + +@@ -1041,5 +1044,8 @@ const struct tegra_mc_soc tegra132_mc_soc = { + .atom_size = 32, + .client_id_mask = 0x7f, + .smmu = &tegra132_smmu_soc, ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; + #endif /* CONFIG_ARCH_TEGRA_132_SOC */ +diff --git a/drivers/memory/tegra/tegra210.c b/drivers/memory/tegra/tegra210.c +index 5e144abe4c18..47c78a6d8f00 100644 +--- a/drivers/memory/tegra/tegra210.c ++++ b/drivers/memory/tegra/tegra210.c +@@ -1077,4 +1077,7 @@ const struct tegra_mc_soc tegra210_mc_soc = { + .atom_size = 64, + .client_id_mask = 0xff, + .smmu = &tegra210_smmu_soc, ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; +diff --git a/drivers/memory/tegra/tegra30.c b/drivers/memory/tegra/tegra30.c +index b44737840e70..d0689428ea1a 100644 +--- a/drivers/memory/tegra/tegra30.c ++++ b/drivers/memory/tegra/tegra30.c +@@ -952,4 +952,6 @@ const struct 
tegra_mc_soc tegra30_mc_soc = { + .atom_size = 16, + .client_id_mask = 0x7f, + .smmu = &tegra30_smmu_soc, ++ .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION | ++ MC_INT_DECERR_EMEM, + }; +diff --git a/drivers/mfd/cros_ec.c b/drivers/mfd/cros_ec.c +index 0eee63542038..115a6f67ab51 100644 +--- a/drivers/mfd/cros_ec.c ++++ b/drivers/mfd/cros_ec.c +@@ -68,7 +68,11 @@ int cros_ec_register(struct cros_ec_device *ec_dev) + + mutex_init(&ec_dev->lock); + +- cros_ec_query_all(ec_dev); ++ err = cros_ec_query_all(ec_dev); ++ if (err) { ++ dev_err(dev, "Cannot identify the EC: error %d\n", err); ++ return err; ++ } + + err = mfd_add_devices(ec_dev->dev, PLATFORM_DEVID_AUTO, &ec_cell, 1, + NULL, ec_dev->irq, NULL); +diff --git a/drivers/mtd/nand/fsl_ifc_nand.c b/drivers/mtd/nand/fsl_ifc_nand.c +index 5e3fa5861039..2c0bbaed3609 100644 +--- a/drivers/mtd/nand/fsl_ifc_nand.c ++++ b/drivers/mtd/nand/fsl_ifc_nand.c +@@ -449,9 +449,16 @@ static void fsl_ifc_cmdfunc(struct mtd_info *mtd, unsigned int command, + + case NAND_CMD_READID: + case NAND_CMD_PARAM: { ++ /* ++ * For READID, read 8 bytes that are currently used. ++ * For PARAM, read all 3 copies of 256-bytes pages. 
++ */ ++ int len = 8; + int timing = IFC_FIR_OP_RB; +- if (command == NAND_CMD_PARAM) ++ if (command == NAND_CMD_PARAM) { + timing = IFC_FIR_OP_RBCD; ++ len = 256 * 3; ++ } + + ifc_out32((IFC_FIR_OP_CW0 << IFC_NAND_FIR0_OP0_SHIFT) | + (IFC_FIR_OP_UA << IFC_NAND_FIR0_OP1_SHIFT) | +@@ -461,12 +468,8 @@ static void fsl_ifc_cmdfunc(struct mtd_info *mtd, unsigned int command, + &ifc->ifc_nand.nand_fcr0); + ifc_out32(column, &ifc->ifc_nand.row3); + +- /* +- * although currently it's 8 bytes for READID, we always read +- * the maximum 256 bytes(for PARAM) +- */ +- ifc_out32(256, &ifc->ifc_nand.nand_fbcr); +- ifc_nand_ctrl->read_bytes = 256; ++ ifc_out32(len, &ifc->ifc_nand.nand_fbcr); ++ ifc_nand_ctrl->read_bytes = len; + + set_addr(mtd, 0, 0, 0); + fsl_ifc_run_command(mtd); +diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c +index 357c9e89fdf9..047348033e27 100644 +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -1078,6 +1078,7 @@ static void ems_usb_disconnect(struct usb_interface *intf) + usb_free_urb(dev->intr_urb); + + kfree(dev->intr_in_buffer); ++ kfree(dev->tx_msg_buffer); + } + } + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 446058081866..7a0ab4c44ee4 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -872,14 +872,14 @@ static void xgbe_phy_adjust_link(struct xgbe_prv_data *pdata) + + if (pdata->tx_pause != pdata->phy.tx_pause) { + new_state = 1; +- pdata->hw_if.config_tx_flow_control(pdata); + pdata->tx_pause = pdata->phy.tx_pause; ++ pdata->hw_if.config_tx_flow_control(pdata); + } + + if (pdata->rx_pause != pdata->phy.rx_pause) { + new_state = 1; +- pdata->hw_if.config_rx_flow_control(pdata); + pdata->rx_pause = pdata->phy.rx_pause; ++ pdata->hw_if.config_rx_flow_control(pdata); + } + + /* Speed support */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c 
b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 5adaf537513b..7bba30f24135 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -54,7 +54,7 @@ + #include + #include + +-#define STMMAC_ALIGN(x) L1_CACHE_ALIGN(x) ++#define STMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES) + + /* Module parameters */ + #define TX_TIMEO 5000 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index a6d429950cb0..acec4b565511 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1361,6 +1361,8 @@ static void lan78xx_init_mac_address(struct lan78xx_net *dev) + netif_dbg(dev, ifup, dev->net, + "MAC address set to random addr"); + } ++ ++ tasklet_schedule(&dev->bh); + } + + ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo); +diff --git a/drivers/net/wireless/ath/regd.h b/drivers/net/wireless/ath/regd.h +index 37f53bd8fcb1..184b6810cde9 100644 +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -68,12 +68,14 @@ enum CountryCode { + CTRY_AUSTRALIA = 36, + CTRY_AUSTRIA = 40, + CTRY_AZERBAIJAN = 31, ++ CTRY_BAHAMAS = 44, + CTRY_BAHRAIN = 48, + CTRY_BANGLADESH = 50, + CTRY_BARBADOS = 52, + CTRY_BELARUS = 112, + CTRY_BELGIUM = 56, + CTRY_BELIZE = 84, ++ CTRY_BERMUDA = 60, + CTRY_BOLIVIA = 68, + CTRY_BOSNIA_HERZ = 70, + CTRY_BRAZIL = 76, +@@ -159,6 +161,7 @@ enum CountryCode { + CTRY_ROMANIA = 642, + CTRY_RUSSIA = 643, + CTRY_SAUDI_ARABIA = 682, ++ CTRY_SERBIA = 688, + CTRY_SERBIA_MONTENEGRO = 891, + CTRY_SINGAPORE = 702, + CTRY_SLOVAKIA = 703, +@@ -170,11 +173,13 @@ enum CountryCode { + CTRY_SWITZERLAND = 756, + CTRY_SYRIA = 760, + CTRY_TAIWAN = 158, ++ CTRY_TANZANIA = 834, + CTRY_THAILAND = 764, + CTRY_TRINIDAD_Y_TOBAGO = 780, + CTRY_TUNISIA = 788, + CTRY_TURKEY = 792, + CTRY_UAE = 784, ++ CTRY_UGANDA = 800, + CTRY_UKRAINE = 804, + CTRY_UNITED_KINGDOM = 826, + CTRY_UNITED_STATES = 840, +diff --git a/drivers/net/wireless/ath/regd_common.h 
b/drivers/net/wireless/ath/regd_common.h +index bdd2b4d61f2f..15bbd1e0d912 100644 +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -35,6 +35,7 @@ enum EnumRd { + FRANCE_RES = 0x31, + FCC3_FCCA = 0x3A, + FCC3_WORLD = 0x3B, ++ FCC3_ETSIC = 0x3F, + + ETSI1_WORLD = 0x37, + ETSI3_ETSIA = 0x32, +@@ -44,6 +45,7 @@ enum EnumRd { + ETSI4_ETSIC = 0x38, + ETSI5_WORLD = 0x39, + ETSI6_WORLD = 0x34, ++ ETSI8_WORLD = 0x3D, + ETSI_RESERVED = 0x33, + + MKK1_MKKA = 0x40, +@@ -59,6 +61,7 @@ enum EnumRd { + MKK1_MKKA1 = 0x4A, + MKK1_MKKA2 = 0x4B, + MKK1_MKKC = 0x4C, ++ APL2_FCCA = 0x4D, + + APL3_FCCA = 0x50, + APL1_WORLD = 0x52, +@@ -67,6 +70,7 @@ enum EnumRd { + APL1_ETSIC = 0x55, + APL2_ETSIC = 0x56, + APL5_WORLD = 0x58, ++ APL13_WORLD = 0x5A, + APL6_WORLD = 0x5B, + APL7_FCCA = 0x5C, + APL8_WORLD = 0x5D, +@@ -168,6 +172,7 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = { + {FCC2_ETSIC, CTL_FCC, CTL_ETSI}, + {FCC3_FCCA, CTL_FCC, CTL_FCC}, + {FCC3_WORLD, CTL_FCC, CTL_ETSI}, ++ {FCC3_ETSIC, CTL_FCC, CTL_ETSI}, + {FCC4_FCCA, CTL_FCC, CTL_FCC}, + {FCC5_FCCA, CTL_FCC, CTL_FCC}, + {FCC6_FCCA, CTL_FCC, CTL_FCC}, +@@ -179,6 +184,7 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = { + {ETSI4_WORLD, CTL_ETSI, CTL_ETSI}, + {ETSI5_WORLD, CTL_ETSI, CTL_ETSI}, + {ETSI6_WORLD, CTL_ETSI, CTL_ETSI}, ++ {ETSI8_WORLD, CTL_ETSI, CTL_ETSI}, + + /* XXX: For ETSI3_ETSIA, Was NO_CTL meant for the 2 GHz band ? 
*/ + {ETSI3_ETSIA, CTL_ETSI, CTL_ETSI}, +@@ -188,9 +194,11 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = { + {FCC1_FCCA, CTL_FCC, CTL_FCC}, + {APL1_WORLD, CTL_FCC, CTL_ETSI}, + {APL2_WORLD, CTL_FCC, CTL_ETSI}, ++ {APL2_FCCA, CTL_FCC, CTL_FCC}, + {APL3_WORLD, CTL_FCC, CTL_ETSI}, + {APL4_WORLD, CTL_FCC, CTL_ETSI}, + {APL5_WORLD, CTL_FCC, CTL_ETSI}, ++ {APL13_WORLD, CTL_ETSI, CTL_ETSI}, + {APL6_WORLD, CTL_ETSI, CTL_ETSI}, + {APL8_WORLD, CTL_ETSI, CTL_ETSI}, + {APL9_WORLD, CTL_ETSI, CTL_ETSI}, +@@ -298,6 +306,7 @@ static struct country_code_to_enum_rd allCountries[] = { + {CTRY_AUSTRALIA2, FCC6_WORLD, "AU"}, + {CTRY_AUSTRIA, ETSI1_WORLD, "AT"}, + {CTRY_AZERBAIJAN, ETSI4_WORLD, "AZ"}, ++ {CTRY_BAHAMAS, FCC3_WORLD, "BS"}, + {CTRY_BAHRAIN, APL6_WORLD, "BH"}, + {CTRY_BANGLADESH, NULL1_WORLD, "BD"}, + {CTRY_BARBADOS, FCC2_WORLD, "BB"}, +@@ -305,6 +314,7 @@ static struct country_code_to_enum_rd allCountries[] = { + {CTRY_BELGIUM, ETSI1_WORLD, "BE"}, + {CTRY_BELGIUM2, ETSI4_WORLD, "BL"}, + {CTRY_BELIZE, APL1_ETSIC, "BZ"}, ++ {CTRY_BERMUDA, FCC3_FCCA, "BM"}, + {CTRY_BOLIVIA, APL1_ETSIC, "BO"}, + {CTRY_BOSNIA_HERZ, ETSI1_WORLD, "BA"}, + {CTRY_BRAZIL, FCC3_WORLD, "BR"}, +@@ -444,6 +454,7 @@ static struct country_code_to_enum_rd allCountries[] = { + {CTRY_ROMANIA, NULL1_WORLD, "RO"}, + {CTRY_RUSSIA, NULL1_WORLD, "RU"}, + {CTRY_SAUDI_ARABIA, NULL1_WORLD, "SA"}, ++ {CTRY_SERBIA, ETSI1_WORLD, "RS"}, + {CTRY_SERBIA_MONTENEGRO, ETSI1_WORLD, "CS"}, + {CTRY_SINGAPORE, APL6_WORLD, "SG"}, + {CTRY_SLOVAKIA, ETSI1_WORLD, "SK"}, +@@ -455,10 +466,12 @@ static struct country_code_to_enum_rd allCountries[] = { + {CTRY_SWITZERLAND, ETSI1_WORLD, "CH"}, + {CTRY_SYRIA, NULL1_WORLD, "SY"}, + {CTRY_TAIWAN, APL3_FCCA, "TW"}, ++ {CTRY_TANZANIA, APL1_WORLD, "TZ"}, + {CTRY_THAILAND, FCC3_WORLD, "TH"}, + {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"}, + {CTRY_TUNISIA, ETSI3_WORLD, "TN"}, + {CTRY_TURKEY, ETSI3_WORLD, "TR"}, ++ {CTRY_UGANDA, FCC3_WORLD, "UG"}, + {CTRY_UKRAINE, NULL1_WORLD, "UA"}, + 
{CTRY_UAE, NULL1_WORLD, "AE"}, + {CTRY_UNITED_KINGDOM, ETSI1_WORLD, "GB"}, +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +index 59cef6c69fe8..91da67657f81 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +@@ -1109,6 +1109,7 @@ static const struct sdio_device_id brcmf_sdmmc_ids[] = { + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43340), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43341), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43362), ++ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43364), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4335_4339), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43430), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4345), +diff --git a/drivers/net/wireless/iwlwifi/pcie/rx.c b/drivers/net/wireless/iwlwifi/pcie/rx.c +index e06591f625c4..d6f9858ff2de 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/iwlwifi/pcie/rx.c +@@ -713,6 +713,8 @@ int iwl_pcie_rx_init(struct iwl_trans *trans) + WQ_HIGHPRI | WQ_UNBOUND, 1); + INIT_WORK(&rba->rx_alloc, iwl_pcie_rx_allocator_work); + ++ cancel_work_sync(&rba->rx_alloc); ++ + spin_lock(&rba->lock); + atomic_set(&rba->req_pending, 0); + atomic_set(&rba->req_ready, 0); +diff --git a/drivers/net/wireless/mwifiex/usb.c b/drivers/net/wireless/mwifiex/usb.c +index e43aff932360..1a1b1de87583 100644 +--- a/drivers/net/wireless/mwifiex/usb.c ++++ b/drivers/net/wireless/mwifiex/usb.c +@@ -624,6 +624,9 @@ static void mwifiex_usb_disconnect(struct usb_interface *intf) + MWIFIEX_FUNC_SHUTDOWN); + } + ++ if (adapter->workqueue) ++ flush_workqueue(adapter->workqueue); ++ + mwifiex_usb_free(card); + + mwifiex_dbg(adapter, FATAL, +diff --git a/drivers/net/wireless/mwifiex/util.c b/drivers/net/wireless/mwifiex/util.c +index 0cec8a64473e..eb5ffa5b1c6c 100644 +--- a/drivers/net/wireless/mwifiex/util.c ++++ b/drivers/net/wireless/mwifiex/util.c +@@ -702,12 +702,14 
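Review bot: In iwl_pcie_rx_init the added `cancel_work_sync(&rba->rx_alloc);` runs directly after `INIT_WORK(&rba->rx_alloc, iwl_pcie_rx_allocator_work);`. If this function can be called again while the allocator work is still queued or running, which is the case the cancel appears to guard against, then the work item has already been re-initialised by the time it is cancelled. The initialisation should happen once where the allocator is first set up, leaving only the cancel on the re-init path. That setup code is outside the hunk, so confirm where it belongs.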
@@ void mwifiex_hist_data_set(struct mwifiex_private *priv, u8 rx_rate, s8 snr,
+ s8 nflr)
+ {
+ struct mwifiex_histogram_data *phist_data = priv->hist_data;
++ s8 nf = -nflr;
++ s8 rssi = snr - nflr;
+
+ atomic_inc(&phist_data->num_samples);
+ atomic_inc(&phist_data->rx_rate[rx_rate]);
+- atomic_inc(&phist_data->snr[snr]);
+- atomic_inc(&phist_data->noise_flr[128 + nflr]);
+- atomic_inc(&phist_data->sig_str[nflr - snr]);
++ atomic_inc(&phist_data->snr[snr + 128]);
++ atomic_inc(&phist_data->noise_flr[nf + 128]);
++ atomic_inc(&phist_data->sig_str[rssi + 128]);
+ }
+
+ /* function to reset histogram data during init/reset */
+diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+index 8428858204a6..fc895b466ebb 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+@@ -155,7 +155,6 @@ static void rsi_reset_card(struct sdio_func *pfunction)
+ int err;
+ struct mmc_card *card = pfunction->card;
+ struct mmc_host *host = card->host;
+- s32 bit = (fls(host->ocr_avail) - 1);
+ u8 cmd52_resp;
+ u32 clock, resp, i;
+ u16 rca;
+@@ -175,7 +174,6 @@ static void rsi_reset_card(struct sdio_func *pfunction)
+ msleep(20);
+
+ /* Initialize the SDIO card */
+- host->ios.vdd = bit;
+ host->ios.chip_select = MMC_CS_DONTCARE;
+ host->ios.bus_mode = MMC_BUSMODE_OPENDRAIN;
+ host->ios.power_mode = MMC_POWER_UP;
+diff --git a/drivers/net/wireless/ti/wlcore/sdio.c b/drivers/net/wireless/ti/wlcore/sdio.c
+index c172da56b550..e4a8280cea83 100644
+--- a/drivers/net/wireless/ti/wlcore/sdio.c
++++ b/drivers/net/wireless/ti/wlcore/sdio.c
+@@ -388,6 +388,11 @@ static int wl1271_suspend(struct device *dev)
+ mmc_pm_flag_t sdio_flags;
+ int ret = 0;
+
++ if (!wl) {
++ dev_err(dev, "no wilink module was probed\n");
++ goto out;
++ }
++
+ dev_dbg(dev, "wl1271 suspend.
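Review bot: `rx_rate` still indexes `phist_data->rx_rate[]` with no range check in mwifiex_hist_data_set(), while the other three indices are now rebased by 128. It arrives as a `u8` and the array's size is not visible in this hunk, so if the array has fewer than 256 entries a malformed rate reported by the device would increment memory past its end; assuming `rx_rate` is an array member, a guard such as `if (rx_rate >= ARRAY_SIZE(phist_data->rx_rate)) return;` ahead of the increments closes that. Separately, `s8 nf = -nflr;` and `s8 rssi = snr - nflr;` are truncated back to `s8`, so `nflr == -128` or a difference outside -128..127 wraps before `+ 128` is applied; the index stays inside 0..255 but lands in the wrong bucket.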
wow_enabled: %d\n",
+ wl->wow_enabled);
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index a0de2453fa09..bec9f099573b 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -86,6 +86,7 @@ struct netfront_cb {
+ /* IRQ name is queue name with "-tx" or "-rx" appended */
+ #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+
++static DECLARE_WAIT_QUEUE_HEAD(module_load_q);
+ static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
+
+ struct netfront_stats {
+@@ -238,7 +239,7 @@ static void rx_refill_timeout(unsigned long data)
+ static int netfront_tx_slot_available(struct netfront_queue *queue)
+ {
+ return (queue->tx.req_prod_pvt - queue->tx.rsp_cons) <
+- (NET_TX_RING_SIZE - MAX_SKB_FRAGS - 2);
++ (NET_TX_RING_SIZE - XEN_NETIF_NR_SLOTS_MIN - 1);
+ }
+
+ static void xennet_maybe_wake_tx(struct netfront_queue *queue)
+@@ -775,7 +776,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+ RING_IDX cons = queue->rx.rsp_cons;
+ struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
+ grant_ref_t ref = xennet_get_rx_ref(queue, cons);
+- int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
++ int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
+ int slots = 1;
+ int err = 0;
+ unsigned long ret;
+@@ -1335,6 +1336,11 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
+ netif_carrier_off(netdev);
+
+ xenbus_switch_state(dev, XenbusStateInitialising);
++ wait_event(module_load_q,
++ xenbus_read_driver_state(dev->otherend) !=
++ XenbusStateClosed &&
++ xenbus_read_driver_state(dev->otherend) !=
++ XenbusStateUnknown);
+ return netdev;
+
+ exit:
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index ec91cd17bf34..5fb4ed6ea322 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -180,13 +180,16 @@ static ssize_t enable_store(struct device *dev, struct device_attribute *attr,
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- if (!val) {
+- if
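Review bot: The `wait_event()` added to xennet_create_dev() has no timeout and is not interruptible, so device creation blocks for as long as the backend reports XenbusStateClosed or XenbusStateUnknown. That state is read from `dev->otherend`, which the other domain controls, and no `wake_up(&module_load_q)` appears in the hunks of this file shown here; if none is added elsewhere the condition is never re-evaluated. Bounding the wait, e.g. `wait_event_timeout(module_load_q, <same condition>, XENNET_LOAD_TIMEOUT)` (the constant name is a placeholder the driver would have to define), and treating expiry as a probe failure keeps a stalled or uncooperative backend from hanging the guest's probe path.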
(pci_is_enabled(pdev))
+- pci_disable_device(pdev);
+- else
+- result = -EIO;
+- } else
++ device_lock(dev);
++ if (dev->driver)
++ result = -EBUSY;
++ else if (val)
+ result = pci_enable_device(pdev);
++ else if (pci_is_enabled(pdev))
++ pci_disable_device(pdev);
++ else
++ result = -EIO;
++ device_unlock(dev);
+
+ return result < 0 ? result : count;
+ }
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index 271cca63e9bd..9aa82a4e9e25 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -568,8 +568,10 @@ static int atmel_pctl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ for_each_child_of_node(np_config, np) {
+ ret = atmel_pctl_dt_subnode_to_map(pctldev, np, map,
+ &reserved_maps, num_maps);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(np);
+ break;
++ }
+ }
+ }
+
+diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
+index 2a44e5dd9c2a..c68556bf6f39 100644
+--- a/drivers/regulator/pfuze100-regulator.c
++++ b/drivers/regulator/pfuze100-regulator.c
+@@ -152,6 +152,7 @@ static struct regulator_ops pfuze100_sw_regulator_ops = {
+ static struct regulator_ops pfuze100_swb_regulator_ops = {
+ .enable = regulator_enable_regmap,
+ .disable = regulator_disable_regmap,
++ .is_enabled = regulator_is_enabled_regmap,
+ .list_voltage = regulator_list_voltage_table,
+ .map_voltage = regulator_map_voltage_ascend,
+ .set_voltage_sel = regulator_set_voltage_sel_regmap,
+diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
+index c2cf9485fe32..8c10f3db6336 100644
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -349,6 +349,11 @@ int rtc_set_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
+ {
+ int err;
+
++ if (!rtc->ops)
++ return -ENODEV;
++ else if (!rtc->ops->set_alarm)
++ return -EINVAL;
++
+ err = rtc_valid_tm(&alarm->time);
+ if (err != 0)
+ return err;
+diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
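Review bot: The new `rtc->ops` checks in rtc_set_alarm() run before any lock is taken in the visible lines, and `rtc->ops` is read twice (`!rtc->ops`, then `rtc->ops->set_alarm`). If the rest of the function serialises against device removal with a lock (the body continues outside the hunk), a removal that clears `rtc->ops` between the two reads turns the second one into a NULL dereference. Reading the pointer once, `const struct rtc_class_ops *ops = rtc->ops;`, and testing `ops` and `ops->set_alarm`, or moving both checks under that lock, removes the window.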
+index a56a7b243e91..5466246c69b4 100644
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -889,6 +889,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file)
+ unsigned int minor_number;
+ int retval = TW_IOCTL_ERROR_OS_ENODEV;
+
++ if (!capable(CAP_SYS_ADMIN)) {
++ retval = -EACCES;
++ goto out;
++ }
++
+ minor_number = iminor(inode);
+ if (minor_number >= twa_device_extension_count)
+ goto out;
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 2940bd769936..14af38036287 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -1034,6 +1034,9 @@ static int tw_chrdev_open(struct inode *inode, struct file *file)
+
+ dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n");
+
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
++
+ minor_number = iminor(inode);
+ if (minor_number >= tw_device_extension_count)
+ return -ENODEV;
+diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
+index 9d05302a3bcd..19bffe0b2cc0 100644
+--- a/drivers/scsi/megaraid.c
++++ b/drivers/scsi/megaraid.c
+@@ -4197,6 +4197,9 @@ megaraid_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ int irq, i, j;
+ int error = -ENODEV;
+
++ if (hba_count >= MAX_CONTROLLERS)
++ goto out;
++
+ if (pci_enable_device(pdev))
+ goto out;
+ pci_set_master(pdev);
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+index 96007633ad39..213944ed64d9 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -1886,6 +1886,9 @@ megasas_build_syspd_fusion(struct megasas_instance *instance,
+ pRAID_Context->timeoutValue = cpu_to_le16(os_timeout_value);
+ pRAID_Context->VirtualDiskTgtId = cpu_to_le16(device_id);
+ } else {
++ if (os_timeout_value)
++ os_timeout_value++;
++
+ /* system pd Fast Path */
+ io_request->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
+ timeout_limit = (scmd->device->type == TYPE_DISK) ?
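Review bot: The CAP_SYS_ADMIN test in twa_chrdev_open(), and the matching one in tw_chrdev_open() in 3w-xxxx.c, is evaluated only when the node is opened, so the privilege is bound to the opener rather than to whoever later issues the ioctl. Whether the ioctl handlers re-check is not visible in these hunks; if they do not, a descriptor inherited by or passed to a less privileged process keeps full access to the management interface. If open-time gating is the intended model, say so next to the check, e.g. `/* management interface: privilege is checked at open, ioctl relies on it */`, so a later change to the ioctl path does not silently depend on it.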
+diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c
+index 5711d58f9e81..a8ebaeace154 100644
+--- a/drivers/scsi/scsi_dh.c
++++ b/drivers/scsi/scsi_dh.c
+@@ -58,7 +58,10 @@ static const struct scsi_dh_blist scsi_dh_blist[] = {
+ {"IBM", "3526", "rdac", },
+ {"IBM", "3542", "rdac", },
+ {"IBM", "3552", "rdac", },
+- {"SGI", "TP9", "rdac", },
++ {"SGI", "TP9300", "rdac", },
++ {"SGI", "TP9400", "rdac", },
++ {"SGI", "TP9500", "rdac", },
++ {"SGI", "TP9700", "rdac", },
+ {"SGI", "IS", "rdac", },
+ {"STK", "OPENstorage", "rdac", },
+ {"STK", "FLEXLINE 380", "rdac", },
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 4302880a20b3..e1639e80db53 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2195,6 +2195,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 18f26cf1e24d..8c58adadb728 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -3447,6 +3447,7 @@ static void ufshcd_exception_event_handler(struct work_struct *work)
+ hba = container_of(work, struct ufs_hba, eeh_work);
+
+ pm_runtime_get_sync(hba->dev);
++ scsi_block_requests(hba->host);
+ err = ufshcd_get_ee_status(hba, &status);
+ if (err) {
+ dev_err(hba->dev, "%s: failed to get exception status %d\n",
+@@ -3462,6 +3463,7 @@ static void ufshcd_exception_event_handler(struct work_struct *work)
+ __func__, err);
+ }
+ out:
++ scsi_unblock_requests(hba->host);
+ pm_runtime_put_sync(hba->dev);
+ return;
+ }
+diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
+index fa61eff88496..16d45a25284f 100644
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -585,6 +585,7 @@ static int
exynos5433_tmu_initialize(struct platform_device *pdev)
+ threshold_code = temp_to_code(data, temp);
+
+ rising_threshold = readl(data->base + rising_reg_offset);
++ rising_threshold &= ~(0xff << j * 8);
+ rising_threshold |= (threshold_code << j * 8);
+ writel(rising_threshold, data->base + rising_reg_offset);
+
+diff --git a/drivers/tty/hvc/hvc_opal.c b/drivers/tty/hvc/hvc_opal.c
+index 47b54c6aefd2..9f660e55d1ba 100644
+--- a/drivers/tty/hvc/hvc_opal.c
++++ b/drivers/tty/hvc/hvc_opal.c
+@@ -323,7 +323,6 @@ static void udbg_init_opal_common(void)
+ udbg_putc = udbg_opal_putc;
+ udbg_getc = udbg_opal_getc;
+ udbg_getc_poll = udbg_opal_getc_poll;
+- tb_ticks_per_usec = 0x200; /* Make udelay not suck */
+ }
+
+ void __init hvc_opal_init_early(void)
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index 96aa0ad32497..c8a2e5b0eff7 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -106,16 +106,19 @@ static void pty_unthrottle(struct tty_struct *tty)
+ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
+ {
+ struct tty_struct *to = tty->link;
++ unsigned long flags;
+
+ if (tty->stopped)
+ return 0;
+
+ if (c > 0) {
++ spin_lock_irqsave(&to->port->lock, flags);
+ /* Stuff the data into the input queue of the other end */
+ c = tty_insert_flip_string(to->port, buf, c);
+ /* And shovel */
+ if (c)
+ tty_flip_buffer_push(to->port);
++ spin_unlock_irqrestore(&to->port->lock, flags);
+ }
+ return c;
+ }
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 93756664592a..2facffea2ee0 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3308,6 +3308,10 @@ static int wait_for_ss_port_enable(struct usb_device *udev,
+ while (delay_ms < 2000) {
+ if (status || *portstatus & USB_PORT_STAT_CONNECTION)
+ break;
++ if (!port_is_power_on(hub, *portstatus)) {
++ status = -ENODEV;
++ break;
++ }
+ msleep(20);
+ delay_ms += 20;
+ status = hub_port_status(hub, *port1, portstatus, portchange);
+diff --git
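Review bot: The mask added in exynos5433_tmu_initialize() clears the 8-bit field, but `threshold_code` is still OR-ed in unmasked on the following line, so a code wider than 8 bits coming back from temp_to_code() would spill into the neighbouring threshold fields of the same register. `0xff << j * 8` is also a signed `int` shift that reaches the sign bit when `j` is 3 (the loop bounds are outside the hunk). Writing the pair as `rising_threshold &= ~(0xffU << j * 8);` and `rising_threshold |= (threshold_code & 0xff) << j * 8;` keeps both operations inside the field.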
a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
+index 7cf26768ea0b..cbe9e2295752 100644
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -479,7 +479,9 @@ static int virtballoon_migratepage(struct balloon_dev_info *vb_dev_info,
+ tell_host(vb, vb->inflate_vq);
+
+ /* balloon's page migration 2nd step -- deflate "page" */
++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 88d9b66e2207..a751937dded5 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2185,6 +2185,21 @@ void assert_qgroups_uptodate(struct btrfs_trans_handle *trans)
+ BUG();
+ }
+
++/*
++ * Check if the leaf is the last leaf. Which means all node pointers
++ * are at their last position.
++ */
++static bool is_last_leaf(struct btrfs_path *path)
++{
++ int i;
++
++ for (i = 1; i < BTRFS_MAX_LEVEL && path->nodes[i]; i++) {
++ if (path->slots[i] != btrfs_header_nritems(path->nodes[i]) - 1)
++ return false;
++ }
++ return true;
++}
++
+ /*
+ * returns < 0 on error, 0 when more leafs are to be scanned.
+ * returns 1 when done.
+@@ -2198,6 +2213,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
+ struct ulist *roots = NULL;
+ struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem);
+ u64 num_bytes;
++ bool done;
+ int slot;
+ int ret;
+
+@@ -2225,6 +2241,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
+ mutex_unlock(&fs_info->qgroup_rescan_lock);
+ return ret;
+ }
++ done = is_last_leaf(path);
+
+ btrfs_item_key_to_cpu(path->nodes[0], &found,
+ btrfs_header_nritems(path->nodes[0]) - 1);
+@@ -2271,6 +2288,8 @@ out:
+ }
+ btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem);
+
++ if (done && !ret)
++ ret = 1;
+ return ret;
+ }
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 738f5d6beb95..2c7f9a5f8717 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2961,8 +2961,11 @@ out_wake_log_root:
+ mutex_unlock(&log_root_tree->log_mutex);
+
+ /*
+- * The barrier before waitqueue_active is implied by mutex_unlock
++ * The barrier before waitqueue_active is needed so all the updates
++ * above are seen by the woken threads. It might not be necessary, but
++ * proving that seems to be hard.
+ */
++ smp_mb();
+ if (waitqueue_active(&log_root_tree->log_commit_wait[index2]))
+ wake_up(&log_root_tree->log_commit_wait[index2]);
+ out:
+@@ -2973,8 +2976,11 @@ out:
+ mutex_unlock(&root->log_mutex);
+
+ /*
+- * The barrier before waitqueue_active is implied by mutex_unlock
++ * The barrier before waitqueue_active is needed so all the updates
++ * above are seen by the woken threads. It might not be necessary, but
++ * proving that seems to be hard.
+ */
++ smp_mb();
+ if (waitqueue_active(&root->log_commit_wait[index1]))
+ wake_up(&root->log_commit_wait[index1]);
+ return ret;
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index f77b3258454a..2bba0c4ef4b7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -295,6 +295,9 @@ void f2fs_balance_fs(struct f2fs_sb_info *sbi)
+
+ void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi)
+ {
++ if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING)))
++ return;
++
+ /* try to shrink extent cache when there is no enough memory */
+ if (!available_free_memory(sbi, EXTENT_CACHE))
+ f2fs_shrink_extent_tree(sbi, EXTENT_CACHE_SHRINK_NUMBER);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 4f666368aa85..6cc67e1bbb41 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1566,6 +1566,12 @@ static int __init init_f2fs_fs(void)
+ {
+ int err;
+
++ if (PAGE_SIZE != F2FS_BLKSIZE) {
++ printk("F2FS not supported on PAGE_SIZE(%lu) != %d\n",
++ PAGE_SIZE, F2FS_BLKSIZE);
++ return -EINVAL;
++ }
++
+ f2fs_build_trace_ios();
+
+ err = init_inodecache();
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 57e3262ec57a..ee0da259a3d3 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1538,6 +1538,8 @@ nfsd4_decode_getdeviceinfo(struct nfsd4_compoundargs *argp,
+ gdev->gd_maxcount = be32_to_cpup(p++);
+ num = be32_to_cpup(p++);
+ if (num) {
++ if (num > 1000)
++ goto xdr_error;
+ READ_BUF(4 * num);
+ gdev->gd_notify_types = be32_to_cpup(p++);
+ for (i = 1; i < num; i++) {
+diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c
+index 1cb70a0b2168..91ce49c05b7c 100644
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -350,6 +350,9 @@ int squashfs_read_metadata(struct super_block *sb, void *buffer,
+
+ TRACE("Entered squashfs_read_metadata [%llx:%x]\n", *block, *offset);
+
++ if (unlikely(length < 0))
++ return -EIO;
++
+ while (length) {
+ entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+ if (entry->error) {
+diff --git
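Review bot: The bound `num > 1000` in nfsd4_decode_getdeviceinfo() is a bare literal applied to a count taken straight from the request (`num = be32_to_cpup(p++)`), and nothing nearby says why 1000 is the right limit. The check itself should stay, since it is what keeps `4 * num` in `READ_BUF(4 * num)` from wrapping for a hostile count. Giving it a name and a one-line rationale makes the limit reviewable, e.g. `#define NFSD4_MAX_NOTIFY_WORDS 1000 /* sanity cap on client-supplied bitmap length */` (the macro name is a suggestion, not an existing identifier).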
a/fs/squashfs/file.c b/fs/squashfs/file.c
+index e5c9689062ba..1ec7bae2751d 100644
+--- a/fs/squashfs/file.c
++++ b/fs/squashfs/file.c
+@@ -194,7 +194,11 @@ static long long read_indexes(struct super_block *sb, int n,
+ }
+
+ for (i = 0; i < blocks; i++) {
+- int size = le32_to_cpu(blist[i]);
++ int size = squashfs_block_size(blist[i]);
++ if (size < 0) {
++ err = size;
++ goto failure;
++ }
+ block += SQUASHFS_COMPRESSED_SIZE_BLOCK(size);
+ }
+ n -= blocks;
+@@ -367,7 +371,7 @@ static int read_blocklist(struct inode *inode, int index, u64 *block)
+ sizeof(size));
+ if (res < 0)
+ return res;
+- return le32_to_cpu(size);
++ return squashfs_block_size(size);
+ }
+
+ /* Copy data into page cache */
+diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
+index 0ed6edbc5c71..0681feab4a84 100644
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+@@ -61,9 +66,7 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
+ return size;
+
+ *fragment_block = le64_to_cpu(fragment_entry.start_block);
+- size = le32_to_cpu(fragment_entry.size);
+-
+- return size;
++ return squashfs_block_size(fragment_entry.size);
+ }
+
+
+diff --git a/fs/squashfs/squashfs_fs.h
b/fs/squashfs/squashfs_fs.h
+index 506f4ba5b983..e66486366f02 100644
+--- a/fs/squashfs/squashfs_fs.h
++++ b/fs/squashfs/squashfs_fs.h
+@@ -129,6 +129,12 @@
+
+ #define SQUASHFS_COMPRESSED_BLOCK(B) (!((B) & SQUASHFS_COMPRESSED_BIT_BLOCK))
+
++static inline int squashfs_block_size(__le32 raw)
++{
++ u32 size = le32_to_cpu(raw);
++ return (size >> 25) ? -EIO : size;
++}
++
+ /*
+ * Inode number ops. Inodes consist of a compressed block number, and an
+ * uncompressed offset within that block
+diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
+index 1da565cb50c3..ef69c31947bf 100644
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index 5056babe00df..93aa3e23c845 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -176,6 +176,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+
+ TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b));
+@@ -186,7 +187,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n",
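Review bot: squashfs_block_size() rejects on-disk sizes with `size >> 25` but does not say what the 25 stands for; the hunk's context shows SQUASHFS_COMPRESSED_BIT_BLOCK used as a flag inside the same word, so the cutoff presumably means "any bit above the flag bit". This helper is now the validation point for block sizes read from an image that may be untrusted (read_indexes(), read_blocklist() and squashfs_frag_lookup() all route through it in this patch), so the invariant deserves a comment, e.g. `/* reject sizes with bits set above the compressed-flag bit */`. The ternary also mixes `-EIO` with a `u32`, so the error passes through an unsigned conversion before it is returned as `int`; `if (size >> 25) return -EIO;` followed by `return size;` states the same thing without relying on that round trip.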
msblk->directory_table);
+@@ -273,7 +274,7 @@ allocate_id_index_table:
+ sb->s_export_op = &squashfs_export_ops;
+
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+
+diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
+index bb9d0deca07c..0fb4975fae91 100644
+--- a/include/drm/drm_dp_helper.h
++++ b/include/drm/drm_dp_helper.h
+@@ -342,6 +342,7 @@
+ # define DP_PSR_FRAME_CAPTURE (1 << 3)
+ # define DP_PSR_SELECTIVE_UPDATE (1 << 4)
+ # define DP_PSR_IRQ_HPD_WITH_CRC_ERRORS (1 << 5)
++# define DP_PSR_ENABLE_PSR2 (1 << 6) /* eDP 1.4a */
+
+ #define DP_ADAPTER_CTRL 0x1a0
+ # define DP_ADAPTER_CTRL_FORCE_LOAD_SENSE (1 << 0)
+diff --git a/include/linux/dma-iommu.h b/include/linux/dma-iommu.h
+index fc481037478a..19baa7f4f403 100644
+--- a/include/linux/dma-iommu.h
++++ b/include/linux/dma-iommu.h
+@@ -17,6 +17,7 @@
+ #define __DMA_IOMMU_H
+
+ #ifdef __KERNEL__
++#include
+ #include
+
+ #ifdef CONFIG_IOMMU_DMA
+diff --git a/include/linux/mmc/sdio_ids.h b/include/linux/mmc/sdio_ids.h
+index 83430f2ea757..e0325706b76d 100644
+--- a/include/linux/mmc/sdio_ids.h
++++ b/include/linux/mmc/sdio_ids.h
+@@ -33,6 +33,7 @@
+ #define SDIO_DEVICE_ID_BROADCOM_43341 0xa94d
+ #define SDIO_DEVICE_ID_BROADCOM_4335_4339 0x4335
+ #define SDIO_DEVICE_ID_BROADCOM_43362 0xa962
++#define SDIO_DEVICE_ID_BROADCOM_43364 0xa9a4
+ #define SDIO_DEVICE_ID_BROADCOM_43430 0xa9a6
+ #define SDIO_DEVICE_ID_BROADCOM_4345 0x4345
+ #define SDIO_DEVICE_ID_BROADCOM_4354 0x4354
+diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
+index 1d6a935c1ac5..8793f5a7b820 100644
+--- a/include/linux/netfilter/ipset/ip_set_timeout.h
++++ b/include/linux/netfilter/ipset/ip_set_timeout.h
+@@ -65,8 +65,14 @@ ip_set_timeout_set(unsigned long *timeout, u32 value)
+ static inline u32
+ ip_set_timeout_get(unsigned long *timeout)
+ {
+- return *timeout ==
IPSET_ELEM_PERMANENT ? 0 :
+- jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
++ u32 t;
++
++ if (*timeout == IPSET_ELEM_PERMANENT)
++ return 0;
++
++ t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
++ /* Zero value in userspace means no timeout */
++ return t == 0 ? 1 : t;
+ }
+
+ #endif /* __KERNEL__ */
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 65babd8a682d..cac4a6ad5db3 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -376,7 +376,7 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,
+ struct pipe_inode_info *pipe, size_t len,
+ unsigned int flags);
+
+-void tcp_enter_quickack_mode(struct sock *sk);
++void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks);
+ static inline void tcp_dec_quickack_mode(struct sock *sk,
+ const unsigned int pkts)
+ {
+diff --git a/include/soc/tegra/mc.h b/include/soc/tegra/mc.h
+index 44202ff897fd..f759e0918037 100644
+--- a/include/soc/tegra/mc.h
++++ b/include/soc/tegra/mc.h
+@@ -99,6 +99,8 @@ struct tegra_mc_soc {
+ u8 client_id_mask;
+
+ const struct tegra_smmu_soc *smmu;
++
++ u32 intmask;
+ };
+
+ struct tegra_mc {
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index b8ff9e193753..b57f929f1b46 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
+ return -EINVAL;
+ break;
+ case AUDIT_EXE:
+- if (f->op != Audit_equal)
++ if (f->op != Audit_not_equal && f->op != Audit_equal)
+ return -EINVAL;
+ if (entry->rule.listnr != AUDIT_FILTER_EXIT)
+ return -EINVAL;
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 7444f95f3ee9..0fe8b337291a 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -470,6 +470,8 @@ static int audit_filter_rules(struct task_struct *tsk,
+ break;
+ case AUDIT_EXE:
+ result = audit_exe_compare(tsk, rule->exe);
++ if (f->op == Audit_not_equal)
++ result = !result;
+ break;
+ case AUDIT_UID:
+ result =
audit_uid_comparator(cred->uid, f->op, f->uid);
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 79e3c21a35d0..35dfa9e9d69e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2101,7 +2101,7 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ /* hold the map. If the program is rejected by verifier,
+ * the map will be released by release_maps() or it
+ * will be used by the valid program until it's unloaded
+- * and all maps are released in free_bpf_prog_info()
++ * and all maps are released in free_used_maps()
+ */
+ map = bpf_map_inc(map, false);
+ if (IS_ERR(map)) {
+@@ -2487,7 +2487,7 @@ free_log_buf:
+ vfree(log_buf);
+ if (!env->prog->aux->used_maps)
+ /* if we didn't copy map pointers into bpf_prog_info, release
+- * them now. Otherwise free_bpf_prog_info() will release them.
++ * them now. Otherwise free_used_maps() will release them.
+ */
+ release_maps(env);
+ *prog = env->prog;
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 2172dd61577e..b8a894adab2c 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -663,6 +663,8 @@ event_trigger_callback(struct event_command *cmd_ops,
+ goto out_free;
+
+ out_reg:
++ /* Up the trigger_data count to make sure reg doesn't free it on failure */
++ event_trigger_init(trigger_ops, trigger_data);
+ ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
+ /*
+ * The above returns on success the # of functions enabled,
+@@ -670,11 +672,13 @@ event_trigger_callback(struct event_command *cmd_ops,
+ * Consider no functions a failure too.
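Review bot: In audit_filter_rules() the AUDIT_EXE result is inverted with `result = !result;`, which folds every kind of non-match into a match for `Audit_not_equal`. What audit_exe_compare() returns when it cannot evaluate the task at all (for instance when there is no executable to compare against) is not visible in this hunk; if that case yields 0, a not-equal rule will match such tasks as well. A comment on the added lines stating the intended outcome for that case, or an explicit test ahead of the negation, would make the filter's behaviour auditable.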
+ */
+ if (!ret) {
++ cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
+ ret = -ENOENT;
+- goto out_free;
+- } else if (ret < 0)
+- goto out_free;
+- ret = 0;
++ } else if (ret > 0)
++ ret = 0;
++
++ /* Down the counter of trigger_data or free it if not used anymore */
++ event_trigger_free(trigger_ops, trigger_data);
+ out:
+ return ret;
+
+@@ -1227,6 +1231,9 @@ event_enable_trigger_func(struct event_command *cmd_ops,
+ goto out;
+ }
+
++ /* Up the trigger_data count to make sure nothing frees it on failure */
++ event_trigger_init(trigger_ops, trigger_data);
++
+ if (trigger) {
+ number = strsep(&trigger, ":");
+
+@@ -1277,6 +1284,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
+ goto out_disable;
+ /* Just return zero, not the number of enabled functions */
+ ret = 0;
++ event_trigger_free(trigger_ops, trigger_data);
+ out:
+ return ret;
+
+@@ -1287,7 +1295,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
+ out_free:
+ if (cmd_ops->set_filter)
+ cmd_ops->set_filter(NULL, trigger_data, NULL);
+- kfree(trigger_data);
++ event_trigger_free(trigger_ops, trigger_data);
+ kfree(enable_data);
+ goto out;
+ }
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index f2682799c215..f0ee722be520 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -349,11 +349,10 @@ static struct trace_kprobe *find_trace_kprobe(const char *event,
+ static int
+ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
+ {
++ struct event_file_link *link = NULL;
+ int ret = 0;
+
+ if (file) {
+- struct event_file_link *link;
+-
+ link = kmalloc(sizeof(*link), GFP_KERNEL);
+ if (!link) {
+ ret = -ENOMEM;
+@@ -373,6 +372,18 @@ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
+ else
+ ret = enable_kprobe(&tk->rp.kp);
+ }
++
++ if (ret) {
++ if (file) {
++ /* Notice the if is true on not WARN() */
++ if (!WARN_ON_ONCE(!link))
++ list_del_rcu(&link->list);
++
kfree(link);
++ tk->tp.flags &= ~TP_FLAG_TRACE;
++ } else {
++ tk->tp.flags &= ~TP_FLAG_PROFILE;
++ }
++ }
+ out:
+ return ret;
+ }
+diff --git a/mm/slub.c b/mm/slub.c
+index 4cf3a9c768b1..2284c4333857 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -659,7 +659,7 @@ void object_err(struct kmem_cache *s, struct page *page,
+ print_trailer(s, page, object);
+ }
+
+-static void slab_err(struct kmem_cache *s, struct page *page,
++static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
+ const char *fmt, ...)
+ {
+ va_list args;
+diff --git a/mm/vmalloc.c b/mm/vmalloc.c
+index 8e3c9c5a3042..de8e372ece04 100644
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1460,7 +1460,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
+ addr))
+ return;
+
+- area = remove_vm_area(addr);
++ area = find_vmap_area((unsigned long)addr)->vm;
+ if (unlikely(!area)) {
+ WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n",
+ addr);
+@@ -1470,6 +1470,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
+ debug_check_no_locks_freed(addr, get_vm_area_size(area));
+ debug_check_no_obj_freed(addr, get_vm_area_size(area));
+
++ remove_vm_area(addr);
+ if (deallocate_pages) {
+ int i;
+
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 554c2a961ad5..48b28a7ecc7a 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1099,6 +1099,9 @@ int dsa_slave_suspend(struct net_device *slave_dev)
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_detach(slave_dev);
+
+ if (p->phy) {
+@@ -1116,6 +1119,9 @@ int dsa_slave_resume(struct net_device *slave_dev)
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_attach(slave_dev);
+
+ if (p->phy) {
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 8f05816a8be2..015c33712803 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
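Review bot: The failure path added to enable_trace_kprobe() calls `kfree(link)` directly after `list_del_rcu(&link->list)`, with no grace period between unlinking and freeing. Whether a reader can be walking the file-link list at that moment depends on code outside the hunk (the probe has just failed to enable), but if one can, it would touch freed memory. Waiting for a grace period before `kfree(link)`, or using `kfree_rcu()` if the structure carries an rcu_head, makes the teardown follow the usual RCU unlink-then-free order.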
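Review bot: `find_vmap_area((unsigned long)addr)->vm` in __vunmap() dereferences the lookup result before anything has checked it, so the `if (unlikely(!area))` test on the next line can no longer catch an address that has no vmap area: a NULL return faults on `->vm` first. That is exactly the case the "Trying to vfree() nonexistent vm area" WARN is there to report, so a bad or double vfree() now becomes a NULL dereference instead of a warning. Checking the lookup itself restores the guard, e.g. `area = find_vm_area(addr);`, which returns the vm_struct or NULL, or keep find_vmap_area() and test its result before reading `->vm`.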
+@@ -289,19 +289,19 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb)
+ return ip_hdr(skb)->daddr;
+
+ in_dev = __in_dev_get_rcu(dev);
+- BUG_ON(!in_dev);
+
+ net = dev_net(dev);
+
+ scope = RT_SCOPE_UNIVERSE;
+ if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
++ bool vmark = in_dev && IN_DEV_SRC_VMARK(in_dev);
+ struct flowi4 fl4 = {
+ .flowi4_iif = LOOPBACK_IFINDEX,
+ .flowi4_oif = l3mdev_master_ifindex_rcu(dev),
+ .daddr = ip_hdr(skb)->saddr,
+ .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
+ .flowi4_scope = scope,
+- .flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0,
++ .flowi4_mark = vmark ? skb->mark : 0,
+ };
+ if (!fib_lookup(net, &fl4, &res, 0))
+ return FIB_RES_PREFSRC(net, res);
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index b34fa1bb278f..b2001b20e029 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -364,11 +364,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
+ {
+ struct inet_frag_queue *q;
+
+- if (frag_mem_limit(nf) > nf->high_thresh) {
+- inet_frag_schedule_worker(f);
+- return NULL;
+- }
+-
+ q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+ if (!q)
+ return NULL;
+@@ -405,6 +400,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
+ struct inet_frag_queue *q;
+ int depth = 0;
+
++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++ inet_frag_schedule_worker(f);
++ return NULL;
++ }
++
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
+
+diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
+index 9d6b9c4c5f82..60f564db25a3 100644
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -790,6 +790,11 @@ static void __init ic_bootp_init_ext(u8 *e)
+ */
+ static inline void __init ic_bootp_init(void)
+ {
++ /* Re-initialise all name servers to NONE, in case any were set via the
++ * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses
++ * specified there will already have been decoded but are no
longer ++ * needed ++ */ + ic_nameservers_predef(); + + dev_add_pack(&bootp_packet_type); +@@ -1423,6 +1428,13 @@ static int __init ip_auto_config(void) + int err; + unsigned int i; + ++ /* Initialise all name servers to NONE (but only if the "ip=" or ++ * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise ++ * we'll overwrite the IP addresses specified there) ++ */ ++ if (ic_set_manually == 0) ++ ic_nameservers_predef(); ++ + #ifdef CONFIG_PROC_FS + proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops); + #endif /* CONFIG_PROC_FS */ +@@ -1640,6 +1652,7 @@ static int __init ip_auto_config_setup(char *addrs) + return 1; + } + ++ /* Initialise all name servers to NONE */ + ic_nameservers_predef(); + + /* Parse string for static IP assignment. */ +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index e63b764e55ea..6300edf90e60 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -138,7 +138,7 @@ static void dctcp_ce_state_0_to_1(struct sock *sk) + */ + if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER) + __tcp_send_ack(sk, ca->prior_rcv_nxt); +- tcp_enter_quickack_mode(sk); ++ tcp_enter_quickack_mode(sk, 1); + } + + ca->prior_rcv_nxt = tp->rcv_nxt; +@@ -159,7 +159,7 @@ static void dctcp_ce_state_1_to_0(struct sock *sk) + */ + if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER) + __tcp_send_ack(sk, ca->prior_rcv_nxt); +- tcp_enter_quickack_mode(sk); ++ tcp_enter_quickack_mode(sk, 1); + } + + ca->prior_rcv_nxt = tp->rcv_nxt; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 5c645069a09a..4a261e078082 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -176,21 +176,23 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb) + } + } + +-static void tcp_incr_quickack(struct sock *sk) ++static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks) + { + struct inet_connection_sock *icsk = inet_csk(sk); + unsigned int quickacks = tcp_sk(sk)->rcv_wnd / (2 * 
icsk->icsk_ack.rcv_mss); + + if (quickacks == 0) + quickacks = 2; ++ quickacks = min(quickacks, max_quickacks); + if (quickacks > icsk->icsk_ack.quick) +- icsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS); ++ icsk->icsk_ack.quick = quickacks; + } + +-void tcp_enter_quickack_mode(struct sock *sk) ++void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks) + { + struct inet_connection_sock *icsk = inet_csk(sk); +- tcp_incr_quickack(sk); ++ ++ tcp_incr_quickack(sk, max_quickacks); + icsk->icsk_ack.pingpong = 0; + icsk->icsk_ack.ato = TCP_ATO_MIN; + } +@@ -226,8 +228,10 @@ static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp) + tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR; + } + +-static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb) ++static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb) + { ++ struct tcp_sock *tp = tcp_sk(sk); ++ + switch (TCP_SKB_CB(skb)->ip_dsfield & INET_ECN_MASK) { + case INET_ECN_NOT_ECT: + /* Funny extension: if ECT is not set on a segment, +@@ -235,31 +239,31 @@ static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb) + * it is probably a retransmit. 
+ */ + if (tp->ecn_flags & TCP_ECN_SEEN) +- tcp_enter_quickack_mode((struct sock *)tp); ++ tcp_enter_quickack_mode(sk, 2); + break; + case INET_ECN_CE: +- if (tcp_ca_needs_ecn((struct sock *)tp)) +- tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_IS_CE); ++ if (tcp_ca_needs_ecn(sk)) ++ tcp_ca_event(sk, CA_EVENT_ECN_IS_CE); + + if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) { + /* Better not delay acks, sender can have a very low cwnd */ +- tcp_enter_quickack_mode((struct sock *)tp); ++ tcp_enter_quickack_mode(sk, 2); + tp->ecn_flags |= TCP_ECN_DEMAND_CWR; + } + tp->ecn_flags |= TCP_ECN_SEEN; + break; + default: +- if (tcp_ca_needs_ecn((struct sock *)tp)) +- tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_NO_CE); ++ if (tcp_ca_needs_ecn(sk)) ++ tcp_ca_event(sk, CA_EVENT_ECN_NO_CE); + tp->ecn_flags |= TCP_ECN_SEEN; + break; + } + } + +-static void tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb) ++static void tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb) + { +- if (tp->ecn_flags & TCP_ECN_OK) +- __tcp_ecn_check_ce(tp, skb); ++ if (tcp_sk(sk)->ecn_flags & TCP_ECN_OK) ++ __tcp_ecn_check_ce(sk, skb); + } + + static void tcp_ecn_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th) +@@ -651,7 +655,7 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb) + /* The _first_ data packet received, initialize + * delayed ACK engine. + */ +- tcp_incr_quickack(sk); ++ tcp_incr_quickack(sk, TCP_MAX_QUICKACKS); + icsk->icsk_ack.ato = TCP_ATO_MIN; + } else { + int m = now - icsk->icsk_ack.lrcvtime; +@@ -667,13 +671,13 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb) + /* Too long gap. Apparently sender failed to + * restart window, so that we send ACKs quickly. 
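Review bot: The literal `2` passed to `tcp_enter_quickack_mode()` in the INET_ECN_NOT_ECT and INET_ECN_CE branches of __tcp_ecn_check_ce() is unexplained. Every other call site converted in net/ipv4/tcp_input.c passes `TCP_MAX_QUICKACKS`, and the tcp_dctcp.c hunks pass a bare `1`. A comment at each call, e.g. `/* ECN events get a quick-ACK budget of 2; other callers use TCP_MAX_QUICKACKS */`, or a named constant beside TCP_MAX_QUICKACKS, would make the intended limit reviewable without reading tcp_incr_quickack(). The same applies to the `1` in dctcp_ce_state_0_to_1() and dctcp_ce_state_1_to_0().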
+ */ +- tcp_incr_quickack(sk); ++ tcp_incr_quickack(sk, TCP_MAX_QUICKACKS); + sk_mem_reclaim(sk); + } + } + icsk->icsk_ack.lrcvtime = now; + +- tcp_ecn_check_ce(tp, skb); ++ tcp_ecn_check_ce(sk, skb); + + if (skb->len >= 128) + tcp_grow_window(sk, skb); +@@ -4136,7 +4140,7 @@ static void tcp_send_dupack(struct sock *sk, const struct sk_buff *skb) + if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq && + before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) { + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST); +- tcp_enter_quickack_mode(sk); ++ tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS); + + if (tcp_is_sack(tp) && sysctl_tcp_dsack) { + u32 end_seq = TCP_SKB_CB(skb)->end_seq; +@@ -4364,7 +4368,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb) + struct sk_buff *skb1; + u32 seq, end_seq; + +- tcp_ecn_check_ce(tp, skb); ++ tcp_ecn_check_ce(sk, skb); + + if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) { + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPOFODROP); +@@ -4638,7 +4642,7 @@ queue_and_out: + tcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq); + + out_of_window: +- tcp_enter_quickack_mode(sk); ++ tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS); + inet_csk_schedule_ack(sk); + drop: + __kfree_skb(skb); +@@ -4649,8 +4653,6 @@ drop: + if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt + tcp_receive_window(tp))) + goto out_of_window; + +- tcp_enter_quickack_mode(sk); +- + if (before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) { + /* Partial packet, seq < rcv_next < end_seq */ + SOCK_DEBUG(sk, "partial packet: rcv_next %X seq %X - %X\n", +@@ -5676,7 +5678,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, + * to stand against the temptation 8) --ANK + */ + inet_csk_schedule_ack(sk); +- tcp_enter_quickack_mode(sk); ++ tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS); + inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK, + TCP_DELACK_MAX, TCP_RTO_MAX); + +diff --git a/net/netlink/af_netlink.c 
b/net/netlink/af_netlink.c +index 818400fddc9b..9708fff318d5 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -62,6 +62,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -654,6 +655,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol, + + if (protocol < 0 || protocol >= MAX_LINKS) + return -EPROTONOSUPPORT; ++ protocol = array_index_nospec(protocol, MAX_LINKS); + + netlink_lock_table(); + #ifdef CONFIG_MODULES +diff --git a/net/socket.c b/net/socket.c +index 5b31e5baf3b5..0c544ae48eac 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -89,6 +89,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2324,6 +2325,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) + + if (call < 1 || call > SYS_SENDMMSG) + return -EINVAL; ++ call = array_index_nospec(call, SYS_SENDMMSG + 1); + + len = nargs[call]; + if (len > sizeof(a)) +diff --git a/sound/pci/emu10k1/emupcm.c b/sound/pci/emu10k1/emupcm.c +index 14a305bd8a98..72e442d86bb1 100644 +--- a/sound/pci/emu10k1/emupcm.c ++++ b/sound/pci/emu10k1/emupcm.c +@@ -1850,7 +1850,9 @@ int snd_emu10k1_pcm_efx(struct snd_emu10k1 *emu, int device) + if (!kctl) + return -ENOMEM; + kctl->id.device = device; +- snd_ctl_add(emu->card, kctl); ++ err = snd_ctl_add(emu->card, kctl); ++ if (err < 0) ++ return err; + + snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(emu->pci), 64*1024, 64*1024); + +diff --git a/sound/pci/emu10k1/memory.c b/sound/pci/emu10k1/memory.c +index 4f1f69be1865..8c778fa33031 100644 +--- a/sound/pci/emu10k1/memory.c ++++ b/sound/pci/emu10k1/memory.c +@@ -237,13 +237,13 @@ __found_pages: + static int is_valid_page(struct snd_emu10k1 *emu, dma_addr_t addr) + { + if (addr & ~emu->dma_mask) { +- dev_err(emu->card->dev, ++ dev_err_ratelimited(emu->card->dev, + "max memory size is 0x%lx (addr = 0x%lx)!!\n", + emu->dma_mask, (unsigned long)addr); + return 0; + } + if 
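Review bot: The `array_index_nospec()` clamps added in netlink_create() and, further along this line, in the socketcall hunk of net/socket.c carry no comment saying why a value that was just range-checked is clamped again. I would add `/* the range check above can be bypassed under speculation; clamp before the value indexes a table */` above each call. In net/socket.c the index use is visible (`nargs[call]`); in netlink_create() it is presumably outside the hunk. The size argument `SYS_SENDMMSG + 1` mirrors the inclusive upper bound in `call > SYS_SENDMMSG`, and the comment should say so, so that a later change to the range check updates both.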
(addr & (EMUPAGESIZE-1)) { +- dev_err(emu->card->dev, "page is not aligned\n"); ++ dev_err_ratelimited(emu->card->dev, "page is not aligned\n"); + return 0; + } + return 1; +@@ -334,7 +334,7 @@ snd_emu10k1_alloc_pages(struct snd_emu10k1 *emu, struct snd_pcm_substream *subst + else + addr = snd_pcm_sgbuf_get_addr(substream, ofs); + if (! is_valid_page(emu, addr)) { +- dev_err(emu->card->dev, ++ dev_err_ratelimited(emu->card->dev, + "emu: failure page = %d\n", idx); + mutex_unlock(&hdr->block_mutex); + return NULL; +diff --git a/sound/pci/fm801.c b/sound/pci/fm801.c +index 1fdd92b6f18f..d6e89a6d0bb9 100644 +--- a/sound/pci/fm801.c ++++ b/sound/pci/fm801.c +@@ -1050,11 +1050,19 @@ static int snd_fm801_mixer(struct fm801 *chip) + if ((err = snd_ac97_mixer(chip->ac97_bus, &ac97, &chip->ac97_sec)) < 0) + return err; + } +- for (i = 0; i < FM801_CONTROLS; i++) +- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls[i], chip)); ++ for (i = 0; i < FM801_CONTROLS; i++) { ++ err = snd_ctl_add(chip->card, ++ snd_ctl_new1(&snd_fm801_controls[i], chip)); ++ if (err < 0) ++ return err; ++ } + if (chip->multichannel) { +- for (i = 0; i < FM801_CONTROLS_MULTI; i++) +- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls_multi[i], chip)); ++ for (i = 0; i < FM801_CONTROLS_MULTI; i++) { ++ err = snd_ctl_add(chip->card, ++ snd_ctl_new1(&snd_fm801_controls_multi[i], chip)); ++ if (err < 0) ++ return err; ++ } + } + return 0; + } +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 29e1ce2263bc..c55c0131be0a 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -38,6 +38,10 @@ + /* Enable this to see controls for tuning purpose. 
*/ + /*#define ENABLE_TUNING_CONTROLS*/ + ++#ifdef ENABLE_TUNING_CONTROLS ++#include ++#endif ++ + #define FLOAT_ZERO 0x00000000 + #define FLOAT_ONE 0x3f800000 + #define FLOAT_TWO 0x40000000 +@@ -3067,8 +3071,8 @@ static int equalizer_ctl_put(struct snd_kcontrol *kcontrol, + return 1; + } + +-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0); +-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0); ++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0); ++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0); + + static int add_tuning_control(struct hda_codec *codec, + hda_nid_t pnid, hda_nid_t nid, +diff --git a/sound/soc/pxa/brownstone.c b/sound/soc/pxa/brownstone.c +index 6147e86e9b0f..55ca9c9364b8 100644 +--- a/sound/soc/pxa/brownstone.c ++++ b/sound/soc/pxa/brownstone.c +@@ -136,3 +136,4 @@ module_platform_driver(mmp_driver); + MODULE_AUTHOR("Leo Yan "); + MODULE_DESCRIPTION("ALSA SoC Brownstone"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:brownstone-audio"); +diff --git a/sound/soc/pxa/mioa701_wm9713.c b/sound/soc/pxa/mioa701_wm9713.c +index 29bc60e85e92..6cd28f95d548 100644 +--- a/sound/soc/pxa/mioa701_wm9713.c ++++ b/sound/soc/pxa/mioa701_wm9713.c +@@ -203,3 +203,4 @@ module_platform_driver(mioa701_wm9713_driver); + MODULE_AUTHOR("Robert Jarzmik (rjarzmik@free.fr)"); + MODULE_DESCRIPTION("ALSA SoC WM9713 MIO A701"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:mioa701-wm9713"); +diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c +index 51e790d006f5..96df9b2d8fc4 100644 +--- a/sound/soc/pxa/mmp-pcm.c ++++ b/sound/soc/pxa/mmp-pcm.c +@@ -248,3 +248,4 @@ module_platform_driver(mmp_pcm_driver); + MODULE_AUTHOR("Leo Yan "); + MODULE_DESCRIPTION("MMP Soc Audio DMA module"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:mmp-pcm-audio"); +diff --git a/sound/soc/pxa/mmp-sspa.c b/sound/soc/pxa/mmp-sspa.c +index eca60c29791a..ca8b23f8c525 100644 +--- 
a/sound/soc/pxa/mmp-sspa.c ++++ b/sound/soc/pxa/mmp-sspa.c +@@ -482,3 +482,4 @@ module_platform_driver(asoc_mmp_sspa_driver); + MODULE_AUTHOR("Leo Yan "); + MODULE_DESCRIPTION("MMP SSPA SoC Interface"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:mmp-sspa-dai"); +diff --git a/sound/soc/pxa/palm27x.c b/sound/soc/pxa/palm27x.c +index 4e74d9573f03..bcc81e920a67 100644 +--- a/sound/soc/pxa/palm27x.c ++++ b/sound/soc/pxa/palm27x.c +@@ -161,3 +161,4 @@ module_platform_driver(palm27x_wm9712_driver); + MODULE_AUTHOR("Marek Vasut "); + MODULE_DESCRIPTION("ALSA SoC Palm T|X, T5 and LifeDrive"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:palm27x-asoc"); +diff --git a/sound/soc/pxa/pxa-ssp.c b/sound/soc/pxa/pxa-ssp.c +index da03fad1b9cd..3cad990dad2c 100644 +--- a/sound/soc/pxa/pxa-ssp.c ++++ b/sound/soc/pxa/pxa-ssp.c +@@ -833,3 +833,4 @@ module_platform_driver(asoc_ssp_driver); + MODULE_AUTHOR("Mark Brown "); + MODULE_DESCRIPTION("PXA SSP/PCM SoC Interface"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:pxa-ssp-dai"); +diff --git a/sound/soc/pxa/pxa2xx-ac97.c b/sound/soc/pxa/pxa2xx-ac97.c +index f3de615aacd7..9615e6de1306 100644 +--- a/sound/soc/pxa/pxa2xx-ac97.c ++++ b/sound/soc/pxa/pxa2xx-ac97.c +@@ -287,3 +287,4 @@ module_platform_driver(pxa2xx_ac97_driver); + MODULE_AUTHOR("Nicolas Pitre"); + MODULE_DESCRIPTION("AC97 driver for the Intel PXA2xx chip"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:pxa2xx-ac97"); +diff --git a/sound/soc/pxa/pxa2xx-pcm.c b/sound/soc/pxa/pxa2xx-pcm.c +index 9f390398d518..410d48b93031 100644 +--- a/sound/soc/pxa/pxa2xx-pcm.c ++++ b/sound/soc/pxa/pxa2xx-pcm.c +@@ -117,3 +117,4 @@ module_platform_driver(pxa_pcm_driver); + MODULE_AUTHOR("Nicolas Pitre"); + MODULE_DESCRIPTION("Intel PXA2xx PCM DMA module"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:pxa-pcm-audio"); +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index 977066ba1769..43b80db952d1 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ 
-1682,8 +1682,10 @@ int dpcm_be_dai_shutdown(struct snd_soc_pcm_runtime *fe, int stream) + continue; + + if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) && +- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) +- continue; ++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) { ++ soc_pcm_hw_free(be_substream); ++ be->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_FREE; ++ } + + dev_dbg(be->dev, "ASoC: close BE %s\n", + dpcm->fe->dai_link->name); +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 8e8db4ddf365..a9079654107c 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1300,7 +1300,7 @@ static void retire_capture_urb(struct snd_usb_substream *subs, + if (bytes % (runtime->sample_bits >> 3) != 0) { + int oldbytes = bytes; + bytes = frames * stride; +- dev_warn(&subs->dev->dev, ++ dev_warn_ratelimited(&subs->dev->dev, + "Corrected urb data len. %d->%d\n", + oldbytes, bytes); + } +diff --git a/tools/usb/usbip/src/usbip_detach.c b/tools/usb/usbip/src/usbip_detach.c +index 9db9d21bb2ec..6a8db858caa5 100644 +--- a/tools/usb/usbip/src/usbip_detach.c ++++ b/tools/usb/usbip/src/usbip_detach.c +@@ -43,7 +43,7 @@ void usbip_detach_usage(void) + + static int detach_port(char *port) + { +- int ret; ++ int ret = 0; + uint8_t portnum; + char path[PATH_MAX+1]; + +@@ -73,9 +73,12 @@ static int detach_port(char *port) + } + + ret = usbip_vhci_detach_device(portnum); +- if (ret < 0) +- return -1; ++ if (ret < 0) { ++ ret = -1; ++ goto call_driver_close; ++ } + ++call_driver_close: + usbip_vhci_driver_close(); + + return ret; diff --git a/patch/kernel/mvebu-default/04-patch-4.4.146-147.patch b/patch/kernel/mvebu-default/04-patch-4.4.146-147.patch new file mode 100644 index 0000000000..57311537b2 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.146-147.patch 
@@ -0,0 +1,254 @@ +diff --git a/Makefile b/Makefile +index 030f5af05f4e..ee92a12e3a4b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 146 ++SUBLEVEL = 147 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c +index d4d853680ae4..a4abf7dc9576 100644 +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -382,6 +382,7 @@ static int i2c_imx_dma_xfer(struct imx_i2c_struct *i2c_imx, + goto err_desc; + } + ++ reinit_completion(&dma->cmd_complete); + txdesc->callback = i2c_imx_dma_callback; + txdesc->callback_param = i2c_imx; + if (dma_submit_error(dmaengine_submit(txdesc))) { +@@ -631,7 +632,6 @@ static int i2c_imx_dma_write(struct imx_i2c_struct *i2c_imx, + * The first byte must be transmitted by the CPU. + */ + imx_i2c_write_reg(msgs->addr << 1, i2c_imx, IMX_I2C_I2DR); +- reinit_completion(&i2c_imx->dma->cmd_complete); + time_left = wait_for_completion_timeout( + &i2c_imx->dma->cmd_complete, + msecs_to_jiffies(DMA_TIMEOUT)); +@@ -690,7 +690,6 @@ static int i2c_imx_dma_read(struct imx_i2c_struct *i2c_imx, + if (result) + return result; + +- reinit_completion(&i2c_imx->dma->cmd_complete); + time_left = wait_for_completion_timeout( + &i2c_imx->dma->cmd_complete, + msecs_to_jiffies(DMA_TIMEOUT)); +diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c +index a32ba753e413..afaf13474796 100644 +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -543,7 +543,7 @@ void acpi_pci_add_bus(struct pci_bus *bus) + union acpi_object *obj; + struct pci_host_bridge *bridge; + +- if (acpi_pci_disabled || !bus->bridge) ++ if (acpi_pci_disabled || !bus->bridge || !ACPI_HANDLE(bus->bridge)) + return; + + acpi_pci_slot_enumerate(bus); +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index a9eb3cd453be..41a646696bab 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ 
-325,11 +325,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, + + wait_for_completion(&tm_iocb->u.tmf.comp); + +- rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ? +- QLA_SUCCESS : QLA_FUNCTION_FAILED; ++ rval = tm_iocb->u.tmf.data; + +- if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) { +- ql_dbg(ql_dbg_taskm, vha, 0x8030, ++ if (rval != QLA_SUCCESS) { ++ ql_log(ql_log_warn, vha, 0x8030, + "TM IOCB failed (%x).\n", rval); + } + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 5cbf20ab94aa..18b19744398a 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4938,8 +4938,9 @@ qla2x00_do_dpc(void *data) + } + } + +- if (test_and_clear_bit(ISP_ABORT_NEEDED, +- &base_vha->dpc_flags)) { ++ if (test_and_clear_bit ++ (ISP_ABORT_NEEDED, &base_vha->dpc_flags) && ++ !test_bit(UNLOADING, &base_vha->dpc_flags)) { + + ql_dbg(ql_dbg_dpc, base_vha, 0x4007, + "ISP abort scheduled.\n"); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 49af3c50b263..3e4d8ac1974e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2102,7 +2102,7 @@ static int ext4_check_descriptors(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; +- ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0); + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -3777,13 +3777,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount2; + } + } ++ sbi->s_gdb_count = db_count; + if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) { + ext4_msg(sb, KERN_ERR, "group descriptors corrupted!"); + ret = -EFSCORRUPTED; + goto failed_mount2; + } + +- sbi->s_gdb_count = db_count; + get_random_bytes(&sbi->s_next_generation, sizeof(u32)); + 
spin_lock_init(&sbi->s_next_gen_lock); + +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index 48b15a6e5558..40a26a542341 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -493,15 +493,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) + if (size > PSIZE) { + /* + * To keep the rest of the code simple. Allocate a +- * contiguous buffer to work with ++ * contiguous buffer to work with. Make the buffer large ++ * enough to make use of the whole extent. + */ +- ea_buf->xattr = kmalloc(size, GFP_KERNEL); ++ ea_buf->max_size = (size + sb->s_blocksize - 1) & ++ ~(sb->s_blocksize - 1); ++ ++ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL); + if (ea_buf->xattr == NULL) + return -ENOMEM; + + ea_buf->flag = EA_MALLOC; +- ea_buf->max_size = (size + sb->s_blocksize - 1) & +- ~(sb->s_blocksize - 1); + + if (ea_size == 0) + return 0; +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 4acc552e9279..19d0778ec382 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -162,6 +162,7 @@ void ring_buffer_record_enable(struct ring_buffer *buffer); + void ring_buffer_record_off(struct ring_buffer *buffer); + void ring_buffer_record_on(struct ring_buffer *buffer); + int ring_buffer_record_is_on(struct ring_buffer *buffer); ++int ring_buffer_record_is_set_on(struct ring_buffer *buffer); + void ring_buffer_record_disable_cpu(struct ring_buffer *buffer, int cpu); + void ring_buffer_record_enable_cpu(struct ring_buffer *buffer, int cpu); + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 5f55a8bf5264..0df2b44dac7c 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1012,6 +1012,13 @@ static int irq_setup_forced_threading(struct irqaction *new) + if (new->flags & (IRQF_NO_THREAD | IRQF_PERCPU | IRQF_ONESHOT)) + return 0; + ++ /* ++ * No further action required for interrupts which are requested as ++ * threaded interrupts already ++ */ ++ if (new->handler == 
irq_default_primary_handler) ++ return 0; ++ + new->flags |= IRQF_ONESHOT; + + /* +@@ -1019,7 +1026,7 @@ static int irq_setup_forced_threading(struct irqaction *new) + * thread handler. We force thread them as well by creating a + * secondary action. + */ +- if (new->handler != irq_default_primary_handler && new->thread_fn) { ++ if (new->handler && new->thread_fn) { + /* Allocate the secondary action */ + new->secondary = kzalloc(sizeof(struct irqaction), GFP_KERNEL); + if (!new->secondary) +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index e5d228f7224c..5ad2e852e9f6 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -570,7 +570,7 @@ static void tick_nohz_restart(struct tick_sched *ts, ktime_t now) + + static inline bool local_timer_softirq_pending(void) + { +- return local_softirq_pending() & TIMER_SOFTIRQ; ++ return local_softirq_pending() & BIT(TIMER_SOFTIRQ); + } + + static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts, +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index d9cd6191760b..fdaa88f38aec 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3141,6 +3141,22 @@ int ring_buffer_record_is_on(struct ring_buffer *buffer) + return !atomic_read(&buffer->record_disabled); + } + ++/** ++ * ring_buffer_record_is_set_on - return true if the ring buffer is set writable ++ * @buffer: The ring buffer to see if write is set enabled ++ * ++ * Returns true if the ring buffer is set writable by ring_buffer_record_on(). ++ * Note that this does NOT mean it is in a writable state. ++ * ++ * It may return true when the ring buffer has been disabled by ++ * ring_buffer_record_disable(), as that is a temporary disabling of ++ * the ring buffer. 
++ */ ++int ring_buffer_record_is_set_on(struct ring_buffer *buffer) ++{ ++ return !(atomic_read(&buffer->record_disabled) & RB_BUFFER_OFF); ++} ++ + /** + * ring_buffer_record_disable_cpu - stop all writes into the cpu_buffer + * @buffer: The ring buffer to stop writes to. +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 8aef4e63ac57..1b980a8ef791 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1088,6 +1088,12 @@ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu) + + arch_spin_lock(&tr->max_lock); + ++ /* Inherit the recordable setting from trace_buffer */ ++ if (ring_buffer_record_is_set_on(tr->trace_buffer.buffer)) ++ ring_buffer_record_on(tr->max_buffer.buffer); ++ else ++ ring_buffer_record_off(tr->max_buffer.buffer); ++ + buf = tr->trace_buffer.buffer; + tr->trace_buffer.buffer = tr->max_buffer.buffer; + tr->max_buffer.buffer = buf; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 9708fff318d5..bf292010760a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -986,6 +986,11 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, + return err; + } + ++ if (nlk->ngroups == 0) ++ groups = 0; ++ else if (nlk->ngroups < 8*sizeof(groups)) ++ groups &= (1UL << nlk->ngroups) - 1; ++ + bound = nlk->bound; + if (bound) { + /* Ensure nlk->portid is up-to-date. */ diff --git a/patch/kernel/mvebu-default/04-patch-4.4.147-148.patch b/patch/kernel/mvebu-default/04-patch-4.4.147-148.patch new file mode 100644 index 0000000000..ea24e41098 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.147-148.patch 
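Review bot: The mask added to netlink_bind() has no comment, and the reason for the three-way split on `nlk->ngroups` is not obvious from the code. The `nlk->ngroups < 8*sizeof(groups)` condition keeps `1UL << nlk->ngroups` from ever shifting by the full width of the type, which is undefined in C, and the `== 0` case clears the request outright. I would add `/* drop bits for groups this protocol does not have; no mask is needed when ngroups covers every bit of groups */` above the `if`. The mask is built with `1UL`, so it assumes `groups` is an unsigned long; its declaration is outside the hunk and should be confirmed.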
@@ -0,0 +1,1873 @@ +diff --git a/Makefile b/Makefile +index ee92a12e3a4b..9b795164122e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 147 ++SUBLEVEL = 148 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index 167f77b3bd43..6963dff815dc 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -1250,7 +1250,7 @@ + /* non-prefetchable memory */ + 0x82000000 0 0x08000000 0x08000000 0 0x00f00000>; + num-lanes = <1>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6SX_CLK_PCIE_REF_125M>, + <&clks IMX6SX_CLK_PCIE_AXI>, + <&clks IMX6SX_CLK_LVDS1_OUT>, +diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig +index 729f89163bc3..210b3d675261 100644 +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -177,7 +177,7 @@ config PREFETCH + + config MLONGCALLS + bool "Enable the -mlong-calls compiler option for big kernels" +- def_bool y if (!MODULES) ++ default y + depends on PA8X00 + help + If you configure the kernel to include many drivers built-in instead +diff --git a/arch/parisc/include/asm/barrier.h b/arch/parisc/include/asm/barrier.h +new file mode 100644 +index 000000000000..dbaaca84f27f +--- /dev/null ++++ b/arch/parisc/include/asm/barrier.h +@@ -0,0 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __ASM_BARRIER_H ++#define __ASM_BARRIER_H ++ ++#ifndef __ASSEMBLY__ ++ ++/* The synchronize caches instruction executes as a nop on systems in ++ which all memory references are performed in order. 
*/ ++#define synchronize_caches() __asm__ __volatile__ ("sync" : : : "memory") ++ ++#if defined(CONFIG_SMP) ++#define mb() do { synchronize_caches(); } while (0) ++#define rmb() mb() ++#define wmb() mb() ++#define dma_rmb() mb() ++#define dma_wmb() mb() ++#else ++#define mb() barrier() ++#define rmb() barrier() ++#define wmb() barrier() ++#define dma_rmb() barrier() ++#define dma_wmb() barrier() ++#endif ++ ++#define __smp_mb() mb() ++#define __smp_rmb() mb() ++#define __smp_wmb() mb() ++ ++#include ++ ++#endif /* !__ASSEMBLY__ */ ++#endif /* __ASM_BARRIER_H */ +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S +index 5dc831955de5..13cb2461fef5 100644 +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -481,6 +481,8 @@ + /* Release pa_tlb_lock lock without reloading lock address. */ + .macro tlb_unlock0 spc,tmp + #ifdef CONFIG_SMP ++ or,COND(=) %r0,\spc,%r0 ++ sync + or,COND(=) %r0,\spc,%r0 + stw \spc,0(\tmp) + #endif +diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +index 16073f472118..b3434a7fd3c9 100644 +--- a/arch/parisc/kernel/pacache.S ++++ b/arch/parisc/kernel/pacache.S +@@ -354,6 +354,7 @@ ENDPROC(flush_data_cache_local) + .macro tlb_unlock la,flags,tmp + #ifdef CONFIG_SMP + ldi 1,\tmp ++ sync + stw \tmp,0(\la) + mtsm \flags + #endif +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index 9f22195b90ed..f68eedc72484 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -631,6 +631,7 @@ cas_action: + sub,<> %r28, %r25, %r0 + 2: stw,ma %r24, 0(%r26) + /* Free lock */ ++ sync + stw,ma %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + /* Clear thread register indicator */ +@@ -645,6 +646,7 @@ cas_action: + 3: + /* Error occurred on load or store */ + /* Free lock */ ++ sync + stw %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + stw %r0, 4(%sr2,%r20) +@@ -846,6 +848,7 @@ cas2_action: + + cas2_end: + /* Free lock */ ++ sync + stw,ma %r20, 0(%sr2,%r20) + /* 
Enable interrupts */ + ssm PSW_SM_I, %r0 +@@ -856,6 +859,7 @@ cas2_end: + 22: + /* Error occurred on load or store */ + /* Free lock */ ++ sync + stw %r20, 0(%sr2,%r20) + ssm PSW_SM_I, %r0 + ldo 1(%r0),%r28 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index f4b175db70f4..dd2269dcbc47 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -193,12 +193,12 @@ + #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ + ++#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++ + #define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ + #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ + +-#define X86_FEATURE_RETPOLINE ( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */ +- + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ + #define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ + +@@ -214,7 +214,7 @@ + #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ + #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */ +- ++#define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + + /* Virtualization flags: Linux defined, word 8 */ + #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ +@@ -310,6 +310,7 @@ + #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ + #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ + 
#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_FLUSH_L1D (18*32+28) /* Flush L1D cache */ + #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ + #define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */ + +@@ -331,5 +332,6 @@ + #define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ + #define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ + #define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ ++#define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h +index 0056bc945cd1..cb7f04981c6b 100644 +--- a/arch/x86/include/asm/irqflags.h ++++ b/arch/x86/include/asm/irqflags.h +@@ -8,6 +8,8 @@ + * Interrupt control: + */ + ++/* Declaration required for gcc < 4.9 to prevent -Werror=missing-prototypes */ ++extern inline unsigned long native_save_fl(void); + extern inline unsigned long native_save_fl(void) + { + unsigned long flags; +diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h +index 3a52ee0e726d..bfceb5cc6347 100644 +--- a/arch/x86/include/asm/page_32_types.h ++++ b/arch/x86/include/asm/page_32_types.h +@@ -27,8 +27,13 @@ + #define N_EXCEPTION_STACKS 1 + + #ifdef CONFIG_X86_PAE +-/* 44=32+12, the limit we can fit into an unsigned long pfn */ +-#define __PHYSICAL_MASK_SHIFT 44 ++/* ++ * This is beyond the 44 bit limit imposed by the 32bit long pfns, ++ * but we need the full mask to make sure inverted PROT_NONE ++ * entries have all the host bits set in a guest. ++ * The real limit is still 44 bits. 
++ */ ++#define __PHYSICAL_MASK_SHIFT 52 + #define __VIRTUAL_MASK_SHIFT 32 + + #else /* !CONFIG_X86_PAE */ +diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h +index fd74a11959de..89c50332a71e 100644 +--- a/arch/x86/include/asm/pgtable-2level.h ++++ b/arch/x86/include/asm/pgtable-2level.h +@@ -77,4 +77,21 @@ static inline unsigned long pte_bitop(unsigned long value, unsigned int rightshi + #define __pte_to_swp_entry(pte) ((swp_entry_t) { (pte).pte_low }) + #define __swp_entry_to_pte(x) ((pte_t) { .pte = (x).val }) + ++/* No inverted PFNs on 2 level page tables */ ++ ++static inline u64 protnone_mask(u64 val) ++{ ++ return 0; ++} ++ ++static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask) ++{ ++ return val; ++} ++ ++static inline bool __pte_needs_invert(u64 val) ++{ ++ return false; ++} ++ + #endif /* _ASM_X86_PGTABLE_2LEVEL_H */ +diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h +index cdaa58c9b39e..5c686382d84b 100644 +--- a/arch/x86/include/asm/pgtable-3level.h ++++ b/arch/x86/include/asm/pgtable-3level.h +@@ -177,11 +177,44 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *pmdp) + #endif + + /* Encode and de-code a swap entry */ ++#define SWP_TYPE_BITS 5 ++ ++#define SWP_OFFSET_FIRST_BIT (_PAGE_BIT_PROTNONE + 1) ++ ++/* We always extract/encode the offset by shifting it all the way up, and then down again */ ++#define SWP_OFFSET_SHIFT (SWP_OFFSET_FIRST_BIT + SWP_TYPE_BITS) ++ + #define MAX_SWAPFILES_CHECK() BUILD_BUG_ON(MAX_SWAPFILES_SHIFT > 5) + #define __swp_type(x) (((x).val) & 0x1f) + #define __swp_offset(x) ((x).val >> 5) + #define __swp_entry(type, offset) ((swp_entry_t){(type) | (offset) << 5}) +-#define __pte_to_swp_entry(pte) ((swp_entry_t){ (pte).pte_high }) +-#define __swp_entry_to_pte(x) ((pte_t){ { .pte_high = (x).val } }) ++ ++/* ++ * Normally, __swp_entry() converts from arch-independent swp_entry_t to ++ * arch-dependent swp_entry_t, and 
__swp_entry_to_pte() just stores the result ++ * to pte. But here we have 32bit swp_entry_t and 64bit pte, and need to use the ++ * whole 64 bits. Thus, we shift the "real" arch-dependent conversion to ++ * __swp_entry_to_pte() through the following helper macro based on 64bit ++ * __swp_entry(). ++ */ ++#define __swp_pteval_entry(type, offset) ((pteval_t) { \ ++ (~(pteval_t)(offset) << SWP_OFFSET_SHIFT >> SWP_TYPE_BITS) \ ++ | ((pteval_t)(type) << (64 - SWP_TYPE_BITS)) }) ++ ++#define __swp_entry_to_pte(x) ((pte_t){ .pte = \ ++ __swp_pteval_entry(__swp_type(x), __swp_offset(x)) }) ++/* ++ * Analogically, __pte_to_swp_entry() doesn't just extract the arch-dependent ++ * swp_entry_t, but also has to convert it from 64bit to the 32bit ++ * intermediate representation, using the following macros based on 64bit ++ * __swp_type() and __swp_offset(). ++ */ ++#define __pteval_swp_type(x) ((unsigned long)((x).pte >> (64 - SWP_TYPE_BITS))) ++#define __pteval_swp_offset(x) ((unsigned long)(~((x).pte) << SWP_TYPE_BITS >> SWP_OFFSET_SHIFT)) ++ ++#define __pte_to_swp_entry(pte) (__swp_entry(__pteval_swp_type(pte), \ ++ __pteval_swp_offset(pte))) ++ ++#include + + #endif /* _ASM_X86_PGTABLE_3LEVEL_H */ +diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h +new file mode 100644 +index 000000000000..44b1203ece12 +--- /dev/null ++++ b/arch/x86/include/asm/pgtable-invert.h +@@ -0,0 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ASM_PGTABLE_INVERT_H ++#define _ASM_PGTABLE_INVERT_H 1 ++ ++#ifndef __ASSEMBLY__ ++ ++static inline bool __pte_needs_invert(u64 val) ++{ ++ return !(val & _PAGE_PRESENT); ++} ++ ++/* Get a mask to xor with the page table entry to get the correct pfn. */ ++static inline u64 protnone_mask(u64 val) ++{ ++ return __pte_needs_invert(val) ? 
~0ull : 0; ++} ++ ++static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask) ++{ ++ /* ++ * When a PTE transitions from NONE to !NONE or vice-versa ++ * invert the PFN part to stop speculation. ++ * pte_pfn undoes this when needed. ++ */ ++ if (__pte_needs_invert(oldval) != __pte_needs_invert(val)) ++ val = (val & ~mask) | (~val & mask); ++ return val; ++} ++ ++#endif /* __ASSEMBLY__ */ ++ ++#endif +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index 84c62d950023..4de6c282c02a 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -148,19 +148,29 @@ static inline int pte_special(pte_t pte) + return pte_flags(pte) & _PAGE_SPECIAL; + } + ++/* Entries that were set to PROT_NONE are inverted */ ++ ++static inline u64 protnone_mask(u64 val); ++ + static inline unsigned long pte_pfn(pte_t pte) + { +- return (pte_val(pte) & PTE_PFN_MASK) >> PAGE_SHIFT; ++ phys_addr_t pfn = pte_val(pte); ++ pfn ^= protnone_mask(pfn); ++ return (pfn & PTE_PFN_MASK) >> PAGE_SHIFT; + } + + static inline unsigned long pmd_pfn(pmd_t pmd) + { +- return (pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT; ++ phys_addr_t pfn = pmd_val(pmd); ++ pfn ^= protnone_mask(pfn); ++ return (pfn & pmd_pfn_mask(pmd)) >> PAGE_SHIFT; + } + + static inline unsigned long pud_pfn(pud_t pud) + { +- return (pud_val(pud) & pud_pfn_mask(pud)) >> PAGE_SHIFT; ++ phys_addr_t pfn = pud_val(pud); ++ pfn ^= protnone_mask(pfn); ++ return (pfn & pud_pfn_mask(pud)) >> PAGE_SHIFT; + } + + #define pte_page(pte) pfn_to_page(pte_pfn(pte)) +@@ -305,11 +315,6 @@ static inline pmd_t pmd_mkwrite(pmd_t pmd) + return pmd_set_flags(pmd, _PAGE_RW); + } + +-static inline pmd_t pmd_mknotpresent(pmd_t pmd) +-{ +- return pmd_clear_flags(pmd, _PAGE_PRESENT | _PAGE_PROTNONE); +-} +- + #ifdef CONFIG_HAVE_ARCH_SOFT_DIRTY + static inline int pte_soft_dirty(pte_t pte) + { +@@ -359,19 +364,58 @@ static inline pgprotval_t massage_pgprot(pgprot_t pgprot) + + static inline pte_t 
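Review bot: `__pte_needs_invert()` in the new pgtable-invert.h treats an all-zero entry as needing inversion, because `!(val & _PAGE_PRESENT)` is true for `val == 0`. As a result `protnone_mask(0)` is all ones, and `pte_pfn()`, `pmd_pfn()` and `pud_pfn()` of a cleared entry return an all-ones PFN field instead of 0, which may mislead callers that inspect the PFN of a none entry. Exempting zero closes this: `return val && !(val & _PAGE_PRESENT);`.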
pfn_pte(unsigned long page_nr, pgprot_t pgprot) + { +- return __pte(((phys_addr_t)page_nr << PAGE_SHIFT) | +- massage_pgprot(pgprot)); ++ phys_addr_t pfn = (phys_addr_t)page_nr << PAGE_SHIFT; ++ pfn ^= protnone_mask(pgprot_val(pgprot)); ++ pfn &= PTE_PFN_MASK; ++ return __pte(pfn | massage_pgprot(pgprot)); + } + + static inline pmd_t pfn_pmd(unsigned long page_nr, pgprot_t pgprot) + { +- return __pmd(((phys_addr_t)page_nr << PAGE_SHIFT) | +- massage_pgprot(pgprot)); ++ phys_addr_t pfn = (phys_addr_t)page_nr << PAGE_SHIFT; ++ pfn ^= protnone_mask(pgprot_val(pgprot)); ++ pfn &= PHYSICAL_PMD_PAGE_MASK; ++ return __pmd(pfn | massage_pgprot(pgprot)); ++} ++ ++static inline pud_t pfn_pud(unsigned long page_nr, pgprot_t pgprot) ++{ ++ phys_addr_t pfn = page_nr << PAGE_SHIFT; ++ pfn ^= protnone_mask(pgprot_val(pgprot)); ++ pfn &= PHYSICAL_PUD_PAGE_MASK; ++ return __pud(pfn | massage_pgprot(pgprot)); ++} ++ ++static inline pmd_t pmd_mknotpresent(pmd_t pmd) ++{ ++ return pfn_pmd(pmd_pfn(pmd), ++ __pgprot(pmd_flags(pmd) & ~(_PAGE_PRESENT|_PAGE_PROTNONE))); + } + ++static inline pud_t pud_set_flags(pud_t pud, pudval_t set) ++{ ++ pudval_t v = native_pud_val(pud); ++ ++ return __pud(v | set); ++} ++ ++static inline pud_t pud_clear_flags(pud_t pud, pudval_t clear) ++{ ++ pudval_t v = native_pud_val(pud); ++ ++ return __pud(v & ~clear); ++} ++ ++static inline pud_t pud_mkhuge(pud_t pud) ++{ ++ return pud_set_flags(pud, _PAGE_PSE); ++} ++ ++static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask); ++ + static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) + { +- pteval_t val = pte_val(pte); ++ pteval_t val = pte_val(pte), oldval = val; + + /* + * Chop off the NX bit (if present), and add the NX portion of +@@ -379,17 +423,17 @@ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) + */ + val &= _PAGE_CHG_MASK; + val |= massage_pgprot(newprot) & ~_PAGE_CHG_MASK; +- ++ val = flip_protnone_guard(oldval, val, PTE_PFN_MASK); + return __pte(val); + } + + static 
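Review bot: `pfn_pud()` shifts `page_nr` as an `unsigned long`, while `pfn_pte()` and `pfn_pmd()` in the same hunk cast to `phys_addr_t` first. Where `unsigned long` is 32 bits (PAE builds), the shift drops the high physical-address bits before the inversion mask and `PHYSICAL_PUD_PAGE_MASK` are applied. Writing `phys_addr_t pfn = (phys_addr_t)page_nr << PAGE_SHIFT;` keeps the three helpers consistent.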
inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot) + { +- pmdval_t val = pmd_val(pmd); ++ pmdval_t val = pmd_val(pmd), oldval = val; + + val &= _HPAGE_CHG_MASK; + val |= massage_pgprot(newprot) & ~_HPAGE_CHG_MASK; +- ++ val = flip_protnone_guard(oldval, val, PHYSICAL_PMD_PAGE_MASK); + return __pmd(val); + } + +@@ -926,6 +970,14 @@ static inline pte_t pte_swp_clear_soft_dirty(pte_t pte) + } + #endif + ++#define __HAVE_ARCH_PFN_MODIFY_ALLOWED 1 ++extern bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot); ++ ++static inline bool arch_has_pfn_modify_check(void) ++{ ++ return boot_cpu_has_bug(X86_BUG_L1TF); ++} ++ + #include + #endif /* __ASSEMBLY__ */ + +diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h +index c810226e741a..221a32ed1372 100644 +--- a/arch/x86/include/asm/pgtable_64.h ++++ b/arch/x86/include/asm/pgtable_64.h +@@ -163,18 +163,52 @@ static inline int pgd_large(pgd_t pgd) { return 0; } + #define pte_offset_map(dir, address) pte_offset_kernel((dir), (address)) + #define pte_unmap(pte) ((void)(pte))/* NOP */ + +-/* Encode and de-code a swap entry */ +-#define SWP_TYPE_BITS 5 +-#define SWP_OFFSET_SHIFT (_PAGE_BIT_PROTNONE + 1) ++/* ++ * Encode and de-code a swap entry ++ * ++ * | ... | 11| 10| 9|8|7|6|5| 4| 3|2| 1|0| <- bit number ++ * | ... |SW3|SW2|SW1|G|L|D|A|CD|WT|U| W|P| <- bit names ++ * | TYPE (59-63) | ~OFFSET (9-58) |0|0|X|X| X| X|X|SD|0| <- swp entry ++ * ++ * G (8) is aliased and used as a PROT_NONE indicator for ++ * !present ptes. We need to start storing swap entries above ++ * there. We also need to avoid using A and D because of an ++ * erratum where they can be incorrectly set by hardware on ++ * non-present PTEs. ++ * ++ * SD (1) in swp entry is used to store soft dirty bit, which helps us ++ * remember soft dirty over page migration ++ * ++ * Bit 7 in swp entry should be 0 because pmd_present checks not only P, ++ * but also L and G. 
++ * ++ * The offset is inverted by a binary not operation to make the high ++ * physical bits set. ++ */ ++#define SWP_TYPE_BITS 5 ++ ++#define SWP_OFFSET_FIRST_BIT (_PAGE_BIT_PROTNONE + 1) ++ ++/* We always extract/encode the offset by shifting it all the way up, and then down again */ ++#define SWP_OFFSET_SHIFT (SWP_OFFSET_FIRST_BIT+SWP_TYPE_BITS) + + #define MAX_SWAPFILES_CHECK() BUILD_BUG_ON(MAX_SWAPFILES_SHIFT > SWP_TYPE_BITS) + +-#define __swp_type(x) (((x).val >> (_PAGE_BIT_PRESENT + 1)) \ +- & ((1U << SWP_TYPE_BITS) - 1)) +-#define __swp_offset(x) ((x).val >> SWP_OFFSET_SHIFT) +-#define __swp_entry(type, offset) ((swp_entry_t) { \ +- ((type) << (_PAGE_BIT_PRESENT + 1)) \ +- | ((offset) << SWP_OFFSET_SHIFT) }) ++/* Extract the high bits for type */ ++#define __swp_type(x) ((x).val >> (64 - SWP_TYPE_BITS)) ++ ++/* Shift up (to get rid of type), then down to get value */ ++#define __swp_offset(x) (~(x).val << SWP_TYPE_BITS >> SWP_OFFSET_SHIFT) ++ ++/* ++ * Shift the offset up "too far" by TYPE bits, then down again ++ * The offset is inverted by a binary not operation to make the high ++ * physical bits set. 
++ */ ++#define __swp_entry(type, offset) ((swp_entry_t) { \ ++ (~(unsigned long)(offset) << SWP_OFFSET_SHIFT >> SWP_TYPE_BITS) \ ++ | ((unsigned long)(type) << (64-SWP_TYPE_BITS)) }) ++ + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val((pte)) }) + #define __swp_entry_to_pte(x) ((pte_t) { .pte = (x).val }) + +@@ -201,6 +235,8 @@ extern void cleanup_highmap(void); + extern void init_extra_mapping_uc(unsigned long phys, unsigned long size); + extern void init_extra_mapping_wb(unsigned long phys, unsigned long size); + ++#include ++ + #endif /* !__ASSEMBLY__ */ + + #endif /* _ASM_X86_PGTABLE_64_H */ +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index 8dba273da25a..7572ce32055e 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -70,15 +70,15 @@ + /* + * Tracking soft dirty bit when a page goes to a swap is tricky. + * We need a bit which can be stored in pte _and_ not conflict +- * with swap entry format. On x86 bits 6 and 7 are *not* involved +- * into swap entry computation, but bit 6 is used for nonlinear +- * file mapping, so we borrow bit 7 for soft dirty tracking. ++ * with swap entry format. On x86 bits 1-4 are *not* involved ++ * into swap entry computation, but bit 7 is used for thp migration, ++ * so we borrow bit 1 for soft dirty tracking. + * + * Please note that this bit must be treated as swap dirty page +- * mark if and only if the PTE has present bit clear! ++ * mark if and only if the PTE/PMD has present bit clear! 
+ */ + #ifdef CONFIG_MEM_SOFT_DIRTY +-#define _PAGE_SWP_SOFT_DIRTY _PAGE_PSE ++#define _PAGE_SWP_SOFT_DIRTY _PAGE_RW + #else + #define _PAGE_SWP_SOFT_DIRTY (_AT(pteval_t, 0)) + #endif +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 8e415cf65457..a3a53955f01c 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -172,6 +172,11 @@ extern const struct seq_operations cpuinfo_op; + + extern void cpu_detect(struct cpuinfo_x86 *c); + ++static inline unsigned long l1tf_pfn_limit(void) ++{ ++ return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1; ++} ++ + extern void early_cpu_init(void); + extern void identify_boot_cpu(void); + extern void identify_secondary_cpu(struct cpuinfo_x86 *); +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 12a8867071f3..34e4aaaf03d2 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -26,9 +26,11 @@ + #include + #include + #include ++#include + + static void __init spectre_v2_select_mitigation(void); + static void __init ssb_select_mitigation(void); ++static void __init l1tf_select_mitigation(void); + + /* + * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any +@@ -80,6 +82,8 @@ void __init check_bugs(void) + */ + ssb_select_mitigation(); + ++ l1tf_select_mitigation(); ++ + #ifdef CONFIG_X86_32 + /* + * Check whether we are able to run this kernel safely on SMP. 
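Review bot: `l1tf_pfn_limit()` computes `BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1` in `unsigned long`, so on a 32-bit kernel a CPU reporting 45 or more physical address bits pushes the shift count to the width of the type or beyond. The result is then undefined, and it feeds the MAX_PA/2 check in `l1tf_select_mitigation()`, the swap limit in `max_swapfile_size()` and the test in `pfn_modify_allowed()` elsewhere in this patch. A 64-bit form avoids this: return `unsigned long long` and use `BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1`, widening the callers' locals to match.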
+@@ -309,23 +313,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + return cmd; + } + +-/* Check for Skylake-like CPUs (for RSB handling) */ +-static bool __init is_skylake_era(void) +-{ +- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && +- boot_cpu_data.x86 == 6) { +- switch (boot_cpu_data.x86_model) { +- case INTEL_FAM6_SKYLAKE_MOBILE: +- case INTEL_FAM6_SKYLAKE_DESKTOP: +- case INTEL_FAM6_SKYLAKE_X: +- case INTEL_FAM6_KABYLAKE_MOBILE: +- case INTEL_FAM6_KABYLAKE_DESKTOP: +- return true; +- } +- } +- return false; +-} +- + static void __init spectre_v2_select_mitigation(void) + { + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); +@@ -386,22 +373,15 @@ retpoline_auto: + pr_info("%s\n", spectre_v2_strings[mode]); + + /* +- * If neither SMEP nor PTI are available, there is a risk of +- * hitting userspace addresses in the RSB after a context switch +- * from a shallow call stack to a deeper one. To prevent this fill +- * the entire RSB, even when using IBRS. ++ * If spectre v2 protection has been enabled, unconditionally fill ++ * RSB during a context switch; this protects against two independent ++ * issues: + * +- * Skylake era CPUs have a separate issue with *underflow* of the +- * RSB, when they will predict 'ret' targets from the generic BTB. +- * The proper mitigation for this is IBRS. If IBRS is not supported +- * or deactivated in favour of retpolines the RSB fill on context +- * switch is required. 
++ * - RSB underflow (and switch to BTB) on Skylake+ ++ * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs + */ +- if ((!boot_cpu_has(X86_FEATURE_KAISER) && +- !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { +- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); +- } ++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); ++ pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); + + /* Initialize Indirect Branch Prediction Barrier if supported */ + if (boot_cpu_has(X86_FEATURE_IBPB)) { +@@ -652,6 +632,35 @@ void x86_spec_ctrl_setup_ap(void) + x86_amd_ssb_disable(); + } + ++#undef pr_fmt ++#define pr_fmt(fmt) "L1TF: " fmt ++static void __init l1tf_select_mitigation(void) ++{ ++ u64 half_pa; ++ ++ if (!boot_cpu_has_bug(X86_BUG_L1TF)) ++ return; ++ ++#if CONFIG_PGTABLE_LEVELS == 2 ++ pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); ++ return; ++#endif ++ ++ /* ++ * This is extremely unlikely to happen because almost all ++ * systems have far more MAX_PA/2 than RAM can be fit into ++ * DIMM slots. ++ */ ++ half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; ++ if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) { ++ pr_warn("System has more than MAX_PA/2 memory. 
L1TF mitigation not effective.\n"); ++ return; ++ } ++ ++ setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV); ++} ++#undef pr_fmt ++ + #ifdef CONFIG_SYSFS + + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, +@@ -679,6 +688,11 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr + case X86_BUG_SPEC_STORE_BYPASS: + return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); + ++ case X86_BUG_L1TF: ++ if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) ++ return sprintf(buf, "Mitigation: Page Table Inversion\n"); ++ break; ++ + default: + break; + } +@@ -705,4 +719,9 @@ ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute * + { + return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); + } ++ ++ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_L1TF); ++} + #endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 3d21b28f9826..4d3fa79c0f09 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -880,6 +880,21 @@ static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { + {} + }; + ++static const __initconst struct x86_cpu_id cpu_no_l1tf[] = { ++ /* in addition to cpu_no_speculation */ ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MOOREFIELD }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GOLDMONT }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_DENVERTON }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_GEMINI_LAKE }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, ++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, ++ {} ++}; ++ + static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + { + u64 ia32_cap = 0; +@@ -905,6 
+920,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + return; + + setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); ++ ++ if (x86_match_cpu(cpu_no_l1tf)) ++ return; ++ ++ setup_force_cpu_bug(X86_BUG_L1TF); + } + + /* +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 1f5c47a49e35..c6f466d6cc57 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -393,7 +393,6 @@ int __copy_instruction(u8 *dest, u8 *src) + newdisp = (u8 *) src + (s64) insn.displacement.value - (u8 *) dest; + if ((s64) (s32) newdisp != newdisp) { + pr_err("Kprobes error: new displacement does not fit into s32 (%llx)\n", newdisp); +- pr_err("\tSrc: %p, Dest: %p, old disp: %x\n", src, dest, insn.displacement.value); + return 0; + } + disp = (u8 *) dest + insn_offset_displacement(&insn); +@@ -609,8 +608,7 @@ static int reenter_kprobe(struct kprobe *p, struct pt_regs *regs, + * Raise a BUG or we'll continue in an endless reentering loop + * and eventually a stack overflow. 
+ */ +- printk(KERN_WARNING "Unrecoverable kprobe detected at %p.\n", +- p->addr); ++ pr_err("Unrecoverable kprobe detected.\n"); + dump_kprobe(p); + BUG(); + default: +diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c +index f534a0e3af53..632195b41688 100644 +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -97,10 +97,12 @@ unsigned paravirt_patch_call(void *insnbuf, + struct branch *b = insnbuf; + unsigned long delta = (unsigned long)target - (addr+5); + +- if (tgt_clobbers & ~site_clobbers) +- return len; /* target would clobber too much for this site */ +- if (len < 5) ++ if (len < 5) { ++#ifdef CONFIG_RETPOLINE ++ WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr); ++#endif + return len; /* call too long for patch site */ ++ } + + b->opcode = 0xe8; /* call */ + b->delta = delta; +@@ -115,8 +117,12 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target, + struct branch *b = insnbuf; + unsigned long delta = (unsigned long)target - (addr+5); + +- if (len < 5) ++ if (len < 5) { ++#ifdef CONFIG_RETPOLINE ++ WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr); ++#endif + return len; /* call too long for patch site */ ++ } + + b->opcode = 0xe9; /* jmp */ + b->delta = delta; +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index bbaae4cf9e8e..31c4bc0d3372 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -851,6 +851,12 @@ void __init setup_arch(char **cmdline_p) + memblock_reserve(__pa_symbol(_text), + (unsigned long)__bss_stop - (unsigned long)_text); + ++ /* ++ * Make sure page 0 is always reserved because on systems with ++ * L1TF its contents can be leaked to user processes. 
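Review bot: Both new `WARN_ONCE()` calls in paravirt.c pass the format string where the macro expects its condition. `WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr)` takes the string literal as the (always true) condition and `(void *)addr` as the format, so the intended message is not printed and an address is interpreted as a format string. The call in `paravirt_patch_call()` should read `WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);`, and the one in `paravirt_patch_jmp()` needs the same `1,` before its JMP message. Both functions start and end outside their hunks.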
++ */ ++ memblock_reserve(0, PAGE_SIZE); ++ + early_reserve_initrd(); + + /* +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c +index 151fd33e9043..4954a6cef50a 100644 +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -4,6 +4,8 @@ + #include + #include + #include /* for max_low_pfn */ ++#include ++#include + + #include + #include +@@ -767,3 +769,26 @@ void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache) + __cachemode2pte_tbl[cache] = __cm_idx2pte(entry); + __pte2cachemode_tbl[entry] = cache; + } ++ ++#ifdef CONFIG_SWAP ++unsigned long max_swapfile_size(void) ++{ ++ unsigned long pages; ++ ++ pages = generic_max_swapfile_size(); ++ ++ if (boot_cpu_has_bug(X86_BUG_L1TF)) { ++ /* Limit the swap file size to MAX_PA/2 for L1TF workaround */ ++ unsigned long l1tf_limit = l1tf_pfn_limit() + 1; ++ /* ++ * We encode swap offsets also with 3 bits below those for pfn ++ * which makes the usable limit higher. ++ */ ++#if CONFIG_PGTABLE_LEVELS > 2 ++ l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT; ++#endif ++ pages = min_t(unsigned long, l1tf_limit, pages); ++ } ++ return pages; ++} ++#endif +diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c +index 76604c8a2a48..7bf14e74fc8f 100644 +--- a/arch/x86/mm/kmmio.c ++++ b/arch/x86/mm/kmmio.c +@@ -125,24 +125,29 @@ static struct kmmio_fault_page *get_kmmio_fault_page(unsigned long addr) + + static void clear_pmd_presence(pmd_t *pmd, bool clear, pmdval_t *old) + { ++ pmd_t new_pmd; + pmdval_t v = pmd_val(*pmd); + if (clear) { +- *old = v & _PAGE_PRESENT; +- v &= ~_PAGE_PRESENT; +- } else /* presume this has been called with clear==true previously */ +- v |= *old; +- set_pmd(pmd, __pmd(v)); ++ *old = v; ++ new_pmd = pmd_mknotpresent(*pmd); ++ } else { ++ /* Presume this has been called with clear==true previously */ ++ new_pmd = __pmd(*old); ++ } ++ set_pmd(pmd, new_pmd); + } + + static void clear_pte_presence(pte_t *pte, bool clear, pteval_t *old) + { + pteval_t v = pte_val(*pte); + if (clear) { +- 
*old = v & _PAGE_PRESENT; +- v &= ~_PAGE_PRESENT; +- } else /* presume this has been called with clear==true previously */ +- v |= *old; +- set_pte_atomic(pte, __pte(v)); ++ *old = v; ++ /* Nothing should care about address */ ++ pte_clear(&init_mm, 0, pte); ++ } else { ++ /* Presume this has been called with clear==true previously */ ++ set_pte_atomic(pte, __pte(*old)); ++ } + } + + static int clear_page_presence(struct kmmio_fault_page *f, bool clear) +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index 307f60ecfc6d..9a055ea279eb 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -121,3 +121,24 @@ const char *arch_vma_name(struct vm_area_struct *vma) + return "[mpx]"; + return NULL; + } ++ ++/* ++ * Only allow root to set high MMIO mappings to PROT_NONE. ++ * This prevents an unpriv. user to set them to PROT_NONE and invert ++ * them, then pointing to valid memory for L1TF speculation. ++ * ++ * Note: for locked down kernels may want to disable the root override. ++ */ ++bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot) ++{ ++ if (!boot_cpu_has_bug(X86_BUG_L1TF)) ++ return true; ++ if (!__pte_needs_invert(pgprot_val(prot))) ++ return true; ++ /* If it's real memory always allow */ ++ if (pfn_valid(pfn)) ++ return true; ++ if (pfn > l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN)) ++ return false; ++ return true; ++} +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index 79377e2a7bcd..27610c2d1821 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -1006,8 +1006,8 @@ static int populate_pmd(struct cpa_data *cpa, + + pmd = pmd_offset(pud, start); + +- set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE | +- massage_pgprot(pmd_pgprot))); ++ set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn, ++ canon_pgprot(pmd_pgprot)))); + + start += PMD_SIZE; + cpa->pfn += PMD_SIZE; +@@ -1079,8 +1079,8 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, + * Map everything starting from the Gb boundary, possibly with 
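Review bot: `populate_pmd()` now passes `cpa->pfn` to `pfn_pmd()`, which shifts its argument left by `PAGE_SHIFT`, but the surrounding lines treat `cpa->pfn` as a byte address: the removed code ORed it straight into the entry, and the next statement is `cpa->pfn += PMD_SIZE`. If that reading is right, the mapping gets the wrong physical address and the call would need `pfn_pmd(cpa->pfn >> PAGE_SHIFT, canon_pgprot(pmd_pgprot))`. The `populate_pud()` hunk that follows has the same pattern with `pfn_pud(cpa->pfn, ...)` and `cpa->pfn += PUD_SIZE`. Both functions extend beyond their hunks, so the units of `cpa->pfn` should be confirmed against the rest of the file.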
1G pages + */ + while (end - start >= PUD_SIZE) { +- set_pud(pud, __pud(cpa->pfn | _PAGE_PSE | +- massage_pgprot(pud_pgprot))); ++ set_pud(pud, pud_mkhuge(pfn_pud(cpa->pfn, ++ canon_pgprot(pud_pgprot)))); + + start += PUD_SIZE; + cpa->pfn += PUD_SIZE; +diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c +index f9e0d09f7c66..8a0f77fb5181 100644 +--- a/drivers/acpi/acpi_lpss.c ++++ b/drivers/acpi/acpi_lpss.c +@@ -154,10 +154,12 @@ static const struct lpss_device_desc lpt_sdio_dev_desc = { + + static const struct lpss_device_desc byt_pwm_dev_desc = { + .flags = LPSS_SAVE_CTX, ++ .prv_offset = 0x800, + }; + + static const struct lpss_device_desc bsw_pwm_dev_desc = { + .flags = LPSS_SAVE_CTX | LPSS_NO_D3_DELAY, ++ .prv_offset = 0x800, + }; + + static const struct lpss_device_desc byt_uart_dev_desc = { +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 143edea1076f..41090ef5facb 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -524,16 +524,24 @@ ssize_t __weak cpu_show_spec_store_bypass(struct device *dev, + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_l1tf(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); + static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); ++static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, + &dev_attr_spectre_v1.attr, + &dev_attr_spectre_v2.attr, + &dev_attr_spec_store_bypass.attr, ++ &dev_attr_l1tf.attr, + NULL + }; + +diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c +index 912ad30be585..4719aa781bf2 100644 +--- a/drivers/char/tpm/tpm-dev.c ++++ b/drivers/char/tpm/tpm-dev.c +@@ -25,7 
+25,7 @@ struct file_priv { + struct tpm_chip *chip; + + /* Data passed to and from the tpm via the read/write calls */ +- atomic_t data_pending; ++ size_t data_pending; + struct mutex buffer_mutex; + + struct timer_list user_read_timer; /* user needs to claim result */ +@@ -46,7 +46,7 @@ static void timeout_work(struct work_struct *work) + struct file_priv *priv = container_of(work, struct file_priv, work); + + mutex_lock(&priv->buffer_mutex); +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + memset(priv->data_buffer, 0, sizeof(priv->data_buffer)); + mutex_unlock(&priv->buffer_mutex); + } +@@ -72,7 +72,6 @@ static int tpm_open(struct inode *inode, struct file *file) + } + + priv->chip = chip; +- atomic_set(&priv->data_pending, 0); + mutex_init(&priv->buffer_mutex); + setup_timer(&priv->user_read_timer, user_reader_timeout, + (unsigned long)priv); +@@ -86,28 +85,24 @@ static ssize_t tpm_read(struct file *file, char __user *buf, + size_t size, loff_t *off) + { + struct file_priv *priv = file->private_data; +- ssize_t ret_size; ++ ssize_t ret_size = 0; + int rc; + + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); +- ret_size = atomic_read(&priv->data_pending); +- if (ret_size > 0) { /* relay data */ +- ssize_t orig_ret_size = ret_size; +- if (size < ret_size) +- ret_size = size; ++ mutex_lock(&priv->buffer_mutex); + +- mutex_lock(&priv->buffer_mutex); ++ if (priv->data_pending) { ++ ret_size = min_t(ssize_t, size, priv->data_pending); + rc = copy_to_user(buf, priv->data_buffer, ret_size); +- memset(priv->data_buffer, 0, orig_ret_size); ++ memset(priv->data_buffer, 0, priv->data_pending); + if (rc) + ret_size = -EFAULT; + +- mutex_unlock(&priv->buffer_mutex); ++ priv->data_pending = 0; + } + +- atomic_set(&priv->data_pending, 0); +- ++ mutex_unlock(&priv->buffer_mutex); + return ret_size; + } + +@@ -118,18 +113,20 @@ static ssize_t tpm_write(struct file *file, const char __user *buf, + size_t in_size = size; + ssize_t 
out_size; + +- /* cannot perform a write until the read has cleared +- either via tpm_read or a user_read_timer timeout. +- This also prevents splitted buffered writes from blocking here. +- */ +- if (atomic_read(&priv->data_pending) != 0) +- return -EBUSY; +- + if (in_size > TPM_BUFSIZE) + return -E2BIG; + + mutex_lock(&priv->buffer_mutex); + ++ /* Cannot perform a write until the read has cleared either via ++ * tpm_read or a user_read_timer timeout. This also prevents split ++ * buffered writes from blocking here. ++ */ ++ if (priv->data_pending != 0) { ++ mutex_unlock(&priv->buffer_mutex); ++ return -EBUSY; ++ } ++ + if (copy_from_user + (priv->data_buffer, (void __user *) buf, in_size)) { + mutex_unlock(&priv->buffer_mutex); +@@ -153,7 +150,7 @@ static ssize_t tpm_write(struct file *file, const char __user *buf, + return out_size; + } + +- atomic_set(&priv->data_pending, out_size); ++ priv->data_pending = out_size; + mutex_unlock(&priv->buffer_mutex); + + /* Set a timeout by which the reader must come claim the result */ +@@ -172,7 +169,7 @@ static int tpm_release(struct inode *inode, struct file *file) + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); + file->private_data = NULL; +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + clear_bit(0, &priv->chip->is_open); + kfree(priv); + return 0; +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 6790ebb366dd..98fd9a594841 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -122,16 +122,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + umem->address = addr; + umem->page_size = PAGE_SIZE; + umem->pid = get_task_pid(current, PIDTYPE_PID); +- /* +- * We ask for writable memory if any of the following +- * access flags are set. "Local write" and "remote write" +- * obviously require write access. 
"Remote atomic" can do +- * things like fetch and add, which will modify memory, and +- * "MW bind" can change permissions by binding a window. +- */ +- umem->writable = !!(access & +- (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); ++ umem->writable = ib_access_writable(access); + + if (access & IB_ACCESS_ON_DEMAND) { + put_pid(umem->pid); +diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c +index ce87e9cc7eff..bf52e35dd506 100644 +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -130,6 +130,40 @@ out: + return err; + } + ++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start, ++ u64 length, u64 virt_addr, ++ int access_flags) ++{ ++ /* ++ * Force registering the memory as writable if the underlying pages ++ * are writable. This is so rereg can change the access permissions ++ * from readable to writable without having to run through ib_umem_get ++ * again ++ */ ++ if (!ib_access_writable(access_flags)) { ++ struct vm_area_struct *vma; ++ ++ down_read(¤t->mm->mmap_sem); ++ /* ++ * FIXME: Ideally this would iterate over all the vmas that ++ * cover the memory, but for now it requires a single vma to ++ * entirely cover the MR to support RO mappings. ++ */ ++ vma = find_vma(current->mm, start); ++ if (vma && vma->vm_end >= start + length && ++ vma->vm_start <= start) { ++ if (vma->vm_flags & VM_WRITE) ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } else { ++ access_flags |= IB_ACCESS_LOCAL_WRITE; ++ } ++ ++ up_read(¤t->mm->mmap_sem); ++ } ++ ++ return ib_umem_get(context, start, length, access_flags, 0); ++} ++ + struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + u64 virt_addr, int access_flags, + struct ib_udata *udata) +@@ -144,10 +178,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + if (!mr) + return ERR_PTR(-ENOMEM); + +- /* Force registering the memory as writable. 
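Review bot: The new helper mlx4_get_umem_mr takes `virt_addr` but never reads it; the two callers in the later hunks (mlx4_ib_reg_user_mr and mlx4_ib_rereg_user_mr) pass it through for nothing. Dropping the parameter, or adding a one-line comment that it is kept only to mirror the callers' argument list, would avoid implying that it influences the VMA lookup. Separately, the coverage test `vma->vm_end >= start + length` adds two caller-supplied u64 values with no wrap check in this function. Presumably ib_umem_get rejects a wrapping range, but that code is outside the hunk and worth confirming.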
*/ +- /* Used for memory re-registeration. HCA protects the access */ +- mr->umem = ib_umem_get(pd->uobject->context, start, length, +- access_flags | IB_ACCESS_LOCAL_WRITE, 0); ++ mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length, ++ virt_addr, access_flags); + if (IS_ERR(mr->umem)) { + err = PTR_ERR(mr->umem); + goto err_free; +@@ -214,6 +246,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags, + } + + if (flags & IB_MR_REREG_ACCESS) { ++ if (ib_access_writable(mr_access_flags) && !mmr->umem->writable) ++ return -EPERM; ++ + err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry, + convert_access(mr_access_flags)); + +@@ -227,10 +262,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags, + + mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr); + ib_umem_release(mmr->umem); +- mmr->umem = ib_umem_get(mr->uobject->context, start, length, +- mr_access_flags | +- IB_ACCESS_LOCAL_WRITE, +- 0); ++ mmr->umem = ++ mlx4_get_umem_mr(mr->uobject->context, start, length, ++ virt_addr, mr_access_flags); + if (IS_ERR(mmr->umem)) { + err = PTR_ERR(mmr->umem); + /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */ +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +index 748b63b86cbc..40242ead096f 100644 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +@@ -643,7 +643,7 @@ static ssize_t ocrdma_dbgfs_ops_write(struct file *filp, + struct ocrdma_stats *pstats = filp->private_data; + struct ocrdma_dev *dev = pstats->dev; + +- if (count > 32) ++ if (*ppos != 0 || count == 0 || count > sizeof(tmp_str)) + goto err; + + if (copy_from_user(tmp_str, buffer, count)) +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index bec9f099573b..68d0a5c9d437 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -879,7 +879,6 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + struct sk_buff *skb, + struct 
sk_buff_head *list) + { +- struct skb_shared_info *shinfo = skb_shinfo(skb); + RING_IDX cons = queue->rx.rsp_cons; + struct sk_buff *nskb; + +@@ -888,15 +887,16 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + RING_GET_RESPONSE(&queue->rx, ++cons); + skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; + +- if (shinfo->nr_frags == MAX_SKB_FRAGS) { ++ if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) { + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; + + BUG_ON(pull_to <= skb_headlen(skb)); + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } +- BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS); ++ BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS); + +- skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), ++ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, ++ skb_frag_page(nfrag), + rx->offset, rx->status, PAGE_SIZE); + + skb_shinfo(nskb)->nr_frags = 0; +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index de53c9694b68..5dc288fecace 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -520,18 +520,26 @@ static int sr_init_command(struct scsi_cmnd *SCpnt) + static int sr_block_open(struct block_device *bdev, fmode_t mode) + { + struct scsi_cd *cd; ++ struct scsi_device *sdev; + int ret = -ENXIO; + ++ cd = scsi_cd_get(bdev->bd_disk); ++ if (!cd) ++ goto out; ++ ++ sdev = cd->device; ++ scsi_autopm_get_device(sdev); + check_disk_change(bdev); + + mutex_lock(&sr_mutex); +- cd = scsi_cd_get(bdev->bd_disk); +- if (cd) { +- ret = cdrom_open(&cd->cdi, bdev, mode); +- if (ret) +- scsi_cd_put(cd); +- } ++ ret = cdrom_open(&cd->cdi, bdev, mode); + mutex_unlock(&sr_mutex); ++ ++ scsi_autopm_put_device(sdev); ++ if (ret) ++ scsi_cd_put(cd); ++ ++out: + return ret; + } + +@@ -559,6 +567,8 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd, + if (ret) + goto out; + ++ scsi_autopm_get_device(sdev); ++ + /* + * Send SCSI addressing ioctls directly to mid level, send other + * ioctls to cdrom/block level. 
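Review bot: The reason for dropping the cached `shinfo` pointer in xennet_fill_frags is not recorded in the code. `__pskb_pull_tail()` can reallocate the skb head, after which a pointer taken from `skb_shinfo(skb)` before the call is stale. A comment next to the pull, for example `/* skb_shinfo(skb) must be re-read below: the pull may have moved the head */`, would keep a later cleanup from reintroducing the cached local. The loop that contains these lines begins outside this hunk.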
+@@ -567,15 +577,18 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd, + case SCSI_IOCTL_GET_IDLUN: + case SCSI_IOCTL_GET_BUS_NUMBER: + ret = scsi_ioctl(sdev, cmd, argp); +- goto out; ++ goto put; + } + + ret = cdrom_ioctl(&cd->cdi, bdev, mode, cmd, arg); + if (ret != -ENOSYS) +- goto out; ++ goto put; + + ret = scsi_ioctl(sdev, cmd, argp); + ++put: ++ scsi_autopm_put_device(sdev); ++ + out: + mutex_unlock(&sr_mutex); + return ret; +diff --git a/fs/dcache.c b/fs/dcache.c +index 250c1222e30c..807efaab838e 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1954,10 +1954,12 @@ struct dentry *d_make_root(struct inode *root_inode) + static const struct qstr name = QSTR_INIT("/", 1); + + res = __d_alloc(root_inode->i_sb, &name); +- if (res) ++ if (res) { ++ res->d_flags |= DCACHE_RCUACCESS; + d_instantiate(res, root_inode); +- else ++ } else { + iput(root_inode); ++ } + } + return res; + } +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 041117fd8fd7..0963213e9cd3 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -1308,7 +1308,10 @@ int ext4_init_inode_table(struct super_block *sb, ext4_group_t group, + ext4_itable_unused_count(sb, gdp)), + sbi->s_inodes_per_block); + +- if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group)) { ++ if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) || ++ ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) - ++ ext4_itable_unused_count(sb, gdp)) < ++ EXT4_FIRST_INO(sb)))) { + ext4_error(sb, "Something is wrong with group %u: " + "used itable blocks: %d; " + "itable unused count: %u", +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 3e4d8ac1974e..8d18f6142da5 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2875,14 +2875,8 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb) + if (!gdp) + continue; + +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) +- continue; +- if (group != 0) ++ if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) + break; 
+- ext4_error(sb, "Inode table for bg 0 marked as " +- "needing zeroing"); +- if (sb->s_flags & MS_RDONLY) +- return ngroups; + } + + return group; +diff --git a/fs/namespace.c b/fs/namespace.c +index a879560ea144..b56b50e3da11 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -603,12 +603,21 @@ int __legitimize_mnt(struct vfsmount *bastard, unsigned seq) + return 0; + mnt = real_mount(bastard); + mnt_add_count(mnt, 1); ++ smp_mb(); // see mntput_no_expire() + if (likely(!read_seqretry(&mount_lock, seq))) + return 0; + if (bastard->mnt_flags & MNT_SYNC_UMOUNT) { + mnt_add_count(mnt, -1); + return 1; + } ++ lock_mount_hash(); ++ if (unlikely(bastard->mnt_flags & MNT_DOOMED)) { ++ mnt_add_count(mnt, -1); ++ unlock_mount_hash(); ++ return 1; ++ } ++ unlock_mount_hash(); ++ /* caller will mntput() */ + return -1; + } + +@@ -1124,12 +1133,27 @@ static DECLARE_DELAYED_WORK(delayed_mntput_work, delayed_mntput); + static void mntput_no_expire(struct mount *mnt) + { + rcu_read_lock(); +- mnt_add_count(mnt, -1); +- if (likely(mnt->mnt_ns)) { /* shouldn't be the last one */ ++ if (likely(READ_ONCE(mnt->mnt_ns))) { ++ /* ++ * Since we don't do lock_mount_hash() here, ++ * ->mnt_ns can change under us. However, if it's ++ * non-NULL, then there's a reference that won't ++ * be dropped until after an RCU delay done after ++ * turning ->mnt_ns NULL. So if we observe it ++ * non-NULL under rcu_read_lock(), the reference ++ * we are dropping is not the final one. ++ */ ++ mnt_add_count(mnt, -1); + rcu_read_unlock(); + return; + } + lock_mount_hash(); ++ /* ++ * make sure that if __legitimize_mnt() has not seen us grab ++ * mount_lock, we'll see their refcount increment here. 
++ */ ++ smp_mb(); ++ mnt_add_count(mnt, -1); + if (mnt_get_count(mnt)) { + rcu_read_unlock(); + unlock_mount_hash(); +diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h +index 25b793325b09..dabecb661264 100644 +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -799,6 +799,18 @@ static inline int pmd_free_pte_page(pmd_t *pmd) + } + #endif /* CONFIG_HAVE_ARCH_HUGE_VMAP */ + ++#ifndef __HAVE_ARCH_PFN_MODIFY_ALLOWED ++static inline bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot) ++{ ++ return true; ++} ++ ++static inline bool arch_has_pfn_modify_check(void) ++{ ++ return false; ++} ++#endif /* !_HAVE_ARCH_PFN_MODIFY_ALLOWED */ ++ + #endif /* !__ASSEMBLY__ */ + + #ifndef io_remap_pfn_range +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 2f9d12022100..063c73ed6d78 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -48,6 +48,8 @@ extern ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_spec_store_bypass(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_l1tf(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, +diff --git a/include/linux/mm.h b/include/linux/mm.h +index a100946607a5..1f4366567e7d 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -2083,6 +2083,8 @@ int remap_pfn_range(struct vm_area_struct *, unsigned long addr, + int vm_insert_page(struct vm_area_struct *, unsigned long addr, struct page *); + int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr, + unsigned long pfn); ++int vm_insert_pfn_prot(struct vm_area_struct *vma, unsigned long addr, ++ unsigned long pfn, pgprot_t pgprot); + int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, + unsigned long pfn); + int vm_iomap_memory(struct vm_area_struct *vma, 
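Review bot: The closing comment `#endif /* !_HAVE_ARCH_PFN_MODIFY_ALLOWED */` in include/asm-generic/pgtable.h has one leading underscore while the guard is `#ifndef __HAVE_ARCH_PFN_MODIFY_ALLOWED`; it should read `#endif /* !__HAVE_ARCH_PFN_MODIFY_ALLOWED */`. The two generic stubs also carry no comment. `pfn_modify_allowed()` always returns true and `arch_has_pfn_modify_check()` always returns false, so on an architecture that does not define the guard, the new checks in mm/memory.c and mm/mprotect.c never reject anything. A short comment above the stubs saying they are the permissive defaults that an architecture overrides would help readers of those callers.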
phys_addr_t start, unsigned long len); +diff --git a/include/linux/swapfile.h b/include/linux/swapfile.h +index 388293a91e8c..e4594de79bc4 100644 +--- a/include/linux/swapfile.h ++++ b/include/linux/swapfile.h +@@ -9,5 +9,7 @@ extern spinlock_t swap_lock; + extern struct plist_head swap_active_head; + extern struct swap_info_struct *swap_info[]; + extern int try_to_unuse(unsigned int, bool, unsigned long); ++extern unsigned long generic_max_swapfile_size(void); ++extern unsigned long max_swapfile_size(void); + + #endif /* _LINUX_SWAPFILE_H */ +diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h +index ff307b548ed3..646891f3bc1e 100644 +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm); + + #ifdef __KERNEL__ + +-#ifdef CONFIG_DEBUG_STACK_USAGE +-# define THREADINFO_GFP (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO) +-#else +-# define THREADINFO_GFP (GFP_KERNEL | __GFP_NOTRACK) +-#endif ++#define THREADINFO_GFP (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO) + + /* + * flag set/clear/test wrappers +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 120da1d7f57e..10fefb0dc640 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3007,6 +3007,20 @@ static inline int ib_check_mr_access(int flags) + return 0; + } + ++static inline bool ib_access_writable(int access_flags) ++{ ++ /* ++ * We have writable memory backing the MR if any of the following ++ * access flags are set. "Local write" and "remote write" obviously ++ * require write access. "Remote atomic" can do things like fetch and ++ * add, which will modify memory, and "MW bind" can change permissions ++ * by binding a window. ++ */ ++ return access_flags & ++ (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE | ++ IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND); ++} ++ + /** + * ib_check_mr_status: lightweight check of MR status. 
+ * This routine may provide status checks on a selected +diff --git a/mm/memory.c b/mm/memory.c +index 177cb7d111a9..d5bb1465d30c 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1604,9 +1604,30 @@ out: + */ + int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr, + unsigned long pfn) ++{ ++ return vm_insert_pfn_prot(vma, addr, pfn, vma->vm_page_prot); ++} ++EXPORT_SYMBOL(vm_insert_pfn); ++ ++/** ++ * vm_insert_pfn_prot - insert single pfn into user vma with specified pgprot ++ * @vma: user vma to map to ++ * @addr: target user address of this page ++ * @pfn: source kernel pfn ++ * @pgprot: pgprot flags for the inserted page ++ * ++ * This is exactly like vm_insert_pfn, except that it allows drivers to ++ * to override pgprot on a per-page basis. ++ * ++ * This only makes sense for IO mappings, and it makes no sense for ++ * cow mappings. In general, using multiple vmas is preferable; ++ * vm_insert_pfn_prot should only be used if using multiple VMAs is ++ * impractical. ++ */ ++int vm_insert_pfn_prot(struct vm_area_struct *vma, unsigned long addr, ++ unsigned long pfn, pgprot_t pgprot) + { + int ret; +- pgprot_t pgprot = vma->vm_page_prot; + /* + * Technically, architectures with pte_special can avoid all these + * restrictions (same for remap_pfn_range). 
However we would like +@@ -1624,19 +1645,29 @@ int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr, + if (track_pfn_insert(vma, &pgprot, pfn)) + return -EINVAL; + ++ if (!pfn_modify_allowed(pfn, pgprot)) ++ return -EACCES; ++ + ret = insert_pfn(vma, addr, pfn, pgprot); + + return ret; + } +-EXPORT_SYMBOL(vm_insert_pfn); ++EXPORT_SYMBOL(vm_insert_pfn_prot); + + int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, + unsigned long pfn) + { ++ pgprot_t pgprot = vma->vm_page_prot; ++ + BUG_ON(!(vma->vm_flags & VM_MIXEDMAP)); + + if (addr < vma->vm_start || addr >= vma->vm_end) + return -EFAULT; ++ if (track_pfn_insert(vma, &pgprot, pfn)) ++ return -EINVAL; ++ ++ if (!pfn_modify_allowed(pfn, pgprot)) ++ return -EACCES; + + /* + * If we don't have pte special, then we have to use the pfn_valid() +@@ -1649,9 +1680,9 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, + struct page *page; + + page = pfn_to_page(pfn); +- return insert_page(vma, addr, page, vma->vm_page_prot); ++ return insert_page(vma, addr, page, pgprot); + } +- return insert_pfn(vma, addr, pfn, vma->vm_page_prot); ++ return insert_pfn(vma, addr, pfn, pgprot); + } + EXPORT_SYMBOL(vm_insert_mixed); + +@@ -1666,6 +1697,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + { + pte_t *pte; + spinlock_t *ptl; ++ int err = 0; + + pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); + if (!pte) +@@ -1673,12 +1705,16 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + arch_enter_lazy_mmu_mode(); + do { + BUG_ON(!pte_none(*pte)); ++ if (!pfn_modify_allowed(pfn, prot)) { ++ err = -EACCES; ++ break; ++ } + set_pte_at(mm, addr, pte, pte_mkspecial(pfn_pte(pfn, prot))); + pfn++; + } while (pte++, addr += PAGE_SIZE, addr != end); + arch_leave_lazy_mmu_mode(); + pte_unmap_unlock(pte - 1, ptl); +- return 0; ++ return err; + } + + static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud, +@@ -1687,6 +1723,7 @@ static inline int 
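Review bot: In remap_pte_range the new early `break` can leave the loop before `pte` has been advanced, yet the unlock still uses `pte_unmap_unlock(pte - 1, ptl)`. If `pfn_modify_allowed()` fails on the first iteration, `pte - 1` points one entry before the PTE that `pte_alloc_map_lock()` returned, which may lie outside the page that was mapped. Keeping the original pointer fixes it: declare `pte_t *pte, *mapped_pte;`, assign `mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);` and finish with `pte_unmap_unlock(mapped_pte, ptl);`. The function signature and the allocation line are context lines outside the changed lines of these two hunks.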
remap_pmd_range(struct mm_struct *mm, pud_t *pud, + { + pmd_t *pmd; + unsigned long next; ++ int err; + + pfn -= addr >> PAGE_SHIFT; + pmd = pmd_alloc(mm, pud, addr); +@@ -1695,9 +1732,10 @@ static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud, + VM_BUG_ON(pmd_trans_huge(*pmd)); + do { + next = pmd_addr_end(addr, end); +- if (remap_pte_range(mm, pmd, addr, next, +- pfn + (addr >> PAGE_SHIFT), prot)) +- return -ENOMEM; ++ err = remap_pte_range(mm, pmd, addr, next, ++ pfn + (addr >> PAGE_SHIFT), prot); ++ if (err) ++ return err; + } while (pmd++, addr = next, addr != end); + return 0; + } +@@ -1708,6 +1746,7 @@ static inline int remap_pud_range(struct mm_struct *mm, pgd_t *pgd, + { + pud_t *pud; + unsigned long next; ++ int err; + + pfn -= addr >> PAGE_SHIFT; + pud = pud_alloc(mm, pgd, addr); +@@ -1715,9 +1754,10 @@ static inline int remap_pud_range(struct mm_struct *mm, pgd_t *pgd, + return -ENOMEM; + do { + next = pud_addr_end(addr, end); +- if (remap_pmd_range(mm, pud, addr, next, +- pfn + (addr >> PAGE_SHIFT), prot)) +- return -ENOMEM; ++ err = remap_pmd_range(mm, pud, addr, next, ++ pfn + (addr >> PAGE_SHIFT), prot); ++ if (err) ++ return err; + } while (pud++, addr = next, addr != end); + return 0; + } +diff --git a/mm/mprotect.c b/mm/mprotect.c +index c0b4b2a49462..a277f3412a5d 100644 +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -255,6 +255,42 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, + return pages; + } + ++static int prot_none_pte_entry(pte_t *pte, unsigned long addr, ++ unsigned long next, struct mm_walk *walk) ++{ ++ return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ? ++ 0 : -EACCES; ++} ++ ++static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask, ++ unsigned long addr, unsigned long next, ++ struct mm_walk *walk) ++{ ++ return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ? 
++ 0 : -EACCES; ++} ++ ++static int prot_none_test(unsigned long addr, unsigned long next, ++ struct mm_walk *walk) ++{ ++ return 0; ++} ++ ++static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, ++ unsigned long end, unsigned long newflags) ++{ ++ pgprot_t new_pgprot = vm_get_page_prot(newflags); ++ struct mm_walk prot_none_walk = { ++ .pte_entry = prot_none_pte_entry, ++ .hugetlb_entry = prot_none_hugetlb_entry, ++ .test_walk = prot_none_test, ++ .mm = current->mm, ++ .private = &new_pgprot, ++ }; ++ ++ return walk_page_range(start, end, &prot_none_walk); ++} ++ + int + mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, + unsigned long start, unsigned long end, unsigned long newflags) +@@ -272,6 +308,19 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, + return 0; + } + ++ /* ++ * Do PROT_NONE PFN permission checks here when we can still ++ * bail out without undoing a lot of state. This is a rather ++ * uncommon case, so doesn't need to be very optimized. ++ */ ++ if (arch_has_pfn_modify_check() && ++ (vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) && ++ (newflags & (VM_READ|VM_WRITE|VM_EXEC)) == 0) { ++ error = prot_none_walk(vma, start, end, newflags); ++ if (error) ++ return error; ++ } ++ + /* + * If we make a private mapping writable we increase our commit; + * but (without finer accounting) cannot reduce our commit if we +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 674bf177ce44..8e25ff2b693a 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2206,6 +2206,35 @@ static int claim_swapfile(struct swap_info_struct *p, struct inode *inode) + return 0; + } + ++ ++/* ++ * Find out how many pages are allowed for a single swap device. There ++ * are two limiting factors: ++ * 1) the number of bits for the swap offset in the swp_entry_t type, and ++ * 2) the number of bits in the swap pte, as defined by the different ++ * architectures. 
++ * ++ * In order to find the largest possible bit mask, a swap entry with ++ * swap type 0 and swap offset ~0UL is created, encoded to a swap pte, ++ * decoded to a swp_entry_t again, and finally the swap offset is ++ * extracted. ++ * ++ * This will mask all the bits from the initial ~0UL mask that can't ++ * be encoded in either the swp_entry_t or the architecture definition ++ * of a swap pte. ++ */ ++unsigned long generic_max_swapfile_size(void) ++{ ++ return swp_offset(pte_to_swp_entry( ++ swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; ++} ++ ++/* Can be overridden by an architecture for additional checks. */ ++__weak unsigned long max_swapfile_size(void) ++{ ++ return generic_max_swapfile_size(); ++} ++ + static unsigned long read_swap_header(struct swap_info_struct *p, + union swap_header *swap_header, + struct inode *inode) +@@ -2241,22 +2270,7 @@ static unsigned long read_swap_header(struct swap_info_struct *p, + p->cluster_next = 1; + p->cluster_nr = 0; + +- /* +- * Find out how many pages are allowed for a single swap +- * device. There are two limiting factors: 1) the number +- * of bits for the swap offset in the swp_entry_t type, and +- * 2) the number of bits in the swap pte as defined by the +- * different architectures. In order to find the +- * largest possible bit mask, a swap entry with swap type 0 +- * and swap offset ~0UL is created, encoded to a swap pte, +- * decoded to a swp_entry_t again, and finally the swap +- * offset is extracted. This will mask all the bits from +- * the initial ~0UL mask that can't be encoded in either +- * the swp_entry_t or the architecture definition of a +- * swap pte. 
+- */ +- maxpages = swp_offset(pte_to_swp_entry( +- swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; ++ maxpages = max_swapfile_size(); + last_page = swap_header->info.last_page; + if (!last_page) { + pr_warn("Empty swap-file\n"); +diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig +index 93581bba8643..09d6c4a6b53d 100644 +--- a/net/ipv4/Kconfig ++++ b/net/ipv4/Kconfig +@@ -354,6 +354,7 @@ config INET_ESP + select CRYPTO_CBC + select CRYPTO_SHA1 + select CRYPTO_DES ++ select CRYPTO_ECHAINIV + ---help--- + Support for IPsec ESP. + +diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig +index 851d5c9e3ecc..0f50248bad17 100644 +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -69,6 +69,7 @@ config INET6_ESP + select CRYPTO_CBC + select CRYPTO_SHA1 + select CRYPTO_DES ++ select CRYPTO_ECHAINIV + ---help--- + Support for IPsec ESP. + diff --git a/patch/kernel/mvebu-default/04-patch-4.4.148-149.patch b/patch/kernel/mvebu-default/04-patch-4.4.148-149.patch new file mode 100644 index 0000000000..95d38f8acb --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.148-149.patch 
@@ -0,0 +1,1202 @@ +diff --git a/Documentation/Changes b/Documentation/Changes +index ec97b77c8b00..f25649ffb892 100644 +--- a/Documentation/Changes ++++ b/Documentation/Changes +@@ -25,7 +25,7 @@ o GNU C 3.2 # gcc --version + o GNU make 3.80 # make --version + o binutils 2.12 # ld -v + o util-linux 2.10o # fdformat --version +-o module-init-tools 0.9.10 # depmod -V ++o kmod 13 # depmod -V + o e2fsprogs 1.41.4 # e2fsck -V + o jfsutils 1.1.3 # fsck.jfs -V + o reiserfsprogs 3.6.3 # reiserfsck -V +@@ -132,12 +132,6 @@ is not build with CONFIG_KALLSYMS and you have no way to rebuild and + reproduce the Oops with that option, then you can still decode that Oops + with ksymoops. + +-Module-Init-Tools +------------------ +- +-A new module loader is now in the kernel that requires module-init-tools +-to use. It is backward compatible with the 2.4.x series kernels. +- + Mkinitrd + -------- + +@@ -319,14 +313,15 @@ Util-linux + ---------- + o + ++Kmod ++---- ++o ++o ++ + Ksymoops + -------- + o + +-Module-Init-Tools +------------------ +-o +- + Mkinitrd + -------- + o +diff --git a/Makefile b/Makefile +index 9b795164122e..e7c46ece5f27 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 148 ++SUBLEVEL = 149 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -418,7 +418,8 @@ export MAKE AWK GENKSYMS INSTALLKERNEL PERL PYTHON UTS_MACHINE + export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS + + export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS +-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KASAN ++export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV ++export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE + export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE + export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE + export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 51ac84e0812d..e9d96b028766 100644 +--- 
a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -699,12 +699,12 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys) + } + + #ifdef CONFIG_HAVE_ARCH_HUGE_VMAP +-int pud_free_pmd_page(pud_t *pud) ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + return pud_none(*pud); + } + +-int pmd_free_pte_page(pmd_t *pmd) ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + return pmd_none(*pmd); + } +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index 08e94b6139ab..55c7446311a7 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -676,28 +676,50 @@ int pmd_clear_huge(pmd_t *pmd) + return 0; + } + ++#ifdef CONFIG_X86_64 + /** + * pud_free_pmd_page - Clear pud entry and free pmd page. + * @pud: Pointer to a PUD. ++ * @addr: Virtual address associated with pud. + * +- * Context: The pud range has been unmaped and TLB purged. ++ * Context: The pud range has been unmapped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. ++ * ++ * NOTE: Callers must allow a single page allocation. 
+ */ +-int pud_free_pmd_page(pud_t *pud) ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { +- pmd_t *pmd; ++ pmd_t *pmd, *pmd_sv; ++ pte_t *pte; + int i; + + if (pud_none(*pud)) + return 1; + + pmd = (pmd_t *)pud_page_vaddr(*pud); ++ pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); ++ if (!pmd_sv) ++ return 0; + +- for (i = 0; i < PTRS_PER_PMD; i++) +- if (!pmd_free_pte_page(&pmd[i])) +- return 0; ++ for (i = 0; i < PTRS_PER_PMD; i++) { ++ pmd_sv[i] = pmd[i]; ++ if (!pmd_none(pmd[i])) ++ pmd_clear(&pmd[i]); ++ } + + pud_clear(pud); ++ ++ /* INVLPG to clear all paging-structure caches */ ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); ++ ++ for (i = 0; i < PTRS_PER_PMD; i++) { ++ if (!pmd_none(pmd_sv[i])) { ++ pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]); ++ free_page((unsigned long)pte); ++ } ++ } ++ ++ free_page((unsigned long)pmd_sv); + free_page((unsigned long)pmd); + + return 1; +@@ -706,11 +728,12 @@ int pud_free_pmd_page(pud_t *pud) + /** + * pmd_free_pte_page - Clear pmd entry and free pte page. + * @pmd: Pointer to a PMD. ++ * @addr: Virtual address associated with pmd. + * +- * Context: The pmd range has been unmaped and TLB purged. ++ * Context: The pmd range has been unmapped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. + */ +-int pmd_free_pte_page(pmd_t *pmd) ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + pte_t *pte; + +@@ -719,8 +742,30 @@ int pmd_free_pte_page(pmd_t *pmd) + + pte = (pte_t *)pmd_page_vaddr(*pmd); + pmd_clear(pmd); ++ ++ /* INVLPG to clear all paging-structure caches */ ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); ++ + free_page((unsigned long)pte); + + return 1; + } ++ ++#else /* !CONFIG_X86_64 */ ++ ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) ++{ ++ return pud_none(*pud); ++} ++ ++/* ++ * Disable free page handling on x86-PAE. This assures that ioremap() ++ * does not update sync'd pmd entries. See vmalloc_sync_one(). 
++ */ ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) ++{ ++ return pmd_none(*pmd); ++} ++ ++#endif /* CONFIG_X86_64 */ + #endif /* CONFIG_HAVE_ARCH_HUGE_VMAP */ +diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c +index e5b5721809e2..149e7a7f04fe 100644 +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -73,11 +73,9 @@ static inline u8 *ablkcipher_get_spot(u8 *start, unsigned int len) + return max(start, end_page); + } + +-static inline unsigned int ablkcipher_done_slow(struct ablkcipher_walk *walk, +- unsigned int bsize) ++static inline void ablkcipher_done_slow(struct ablkcipher_walk *walk, ++ unsigned int n) + { +- unsigned int n = bsize; +- + for (;;) { + unsigned int len_this_page = scatterwalk_pagelen(&walk->out); + +@@ -89,17 +87,13 @@ static inline unsigned int ablkcipher_done_slow(struct ablkcipher_walk *walk, + n -= len_this_page; + scatterwalk_start(&walk->out, sg_next(walk->out.sg)); + } +- +- return bsize; + } + +-static inline unsigned int ablkcipher_done_fast(struct ablkcipher_walk *walk, +- unsigned int n) ++static inline void ablkcipher_done_fast(struct ablkcipher_walk *walk, ++ unsigned int n) + { + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +- +- return n; + } + + static int ablkcipher_walk_next(struct ablkcipher_request *req, +@@ -109,39 +103,40 @@ int ablkcipher_walk_done(struct ablkcipher_request *req, + struct ablkcipher_walk *walk, int err) + { + struct crypto_tfm *tfm = req->base.tfm; +- unsigned int nbytes = 0; ++ unsigned int n; /* bytes processed */ ++ bool more; + +- if (likely(err >= 0)) { +- unsigned int n = walk->nbytes - err; ++ if (unlikely(err < 0)) ++ goto finish; + +- if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW))) +- n = ablkcipher_done_fast(walk, n); +- else if (WARN_ON(err)) { +- err = -EINVAL; +- goto err; +- } else +- n = ablkcipher_done_slow(walk, n); ++ n = walk->nbytes - err; ++ walk->total -= n; ++ more = (walk->total != 0); + +- nbytes = walk->total - n; +- err = 0; 
++ if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW))) { ++ ablkcipher_done_fast(walk, n); ++ } else { ++ if (WARN_ON(err)) { ++ /* unexpected case; didn't process all bytes */ ++ err = -EINVAL; ++ goto finish; ++ } ++ ablkcipher_done_slow(walk, n); + } + +- scatterwalk_done(&walk->in, 0, nbytes); +- scatterwalk_done(&walk->out, 1, nbytes); +- +-err: +- walk->total = nbytes; +- walk->nbytes = nbytes; ++ scatterwalk_done(&walk->in, 0, more); ++ scatterwalk_done(&walk->out, 1, more); + +- if (nbytes) { ++ if (more) { + crypto_yield(req->base.flags); + return ablkcipher_walk_next(req, walk); + } +- ++ err = 0; ++finish: ++ walk->nbytes = 0; + if (walk->iv != req->info) + memcpy(req->info, walk->iv, tfm->crt_ablkcipher.ivsize); + kfree(walk->iv_buffer); +- + return err; + } + EXPORT_SYMBOL_GPL(ablkcipher_walk_done); +diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c +index dca7bc87dad9..2d08e59b3212 100644 +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -71,19 +71,18 @@ static inline u8 *blkcipher_get_spot(u8 *start, unsigned int len) + return max(start, end_page); + } + +-static inline unsigned int blkcipher_done_slow(struct blkcipher_walk *walk, +- unsigned int bsize) ++static inline void blkcipher_done_slow(struct blkcipher_walk *walk, ++ unsigned int bsize) + { + u8 *addr; + + addr = (u8 *)ALIGN((unsigned long)walk->buffer, walk->alignmask + 1); + addr = blkcipher_get_spot(addr, bsize); + scatterwalk_copychunks(addr, &walk->out, bsize, 1); +- return bsize; + } + +-static inline unsigned int blkcipher_done_fast(struct blkcipher_walk *walk, +- unsigned int n) ++static inline void blkcipher_done_fast(struct blkcipher_walk *walk, ++ unsigned int n) + { + if (walk->flags & BLKCIPHER_WALK_COPY) { + blkcipher_map_dst(walk); +@@ -97,49 +96,48 @@ static inline unsigned int blkcipher_done_fast(struct blkcipher_walk *walk, + + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +- +- return n; + } + + int blkcipher_walk_done(struct 
blkcipher_desc *desc, + struct blkcipher_walk *walk, int err) + { +- unsigned int nbytes = 0; ++ unsigned int n; /* bytes processed */ ++ bool more; + +- if (likely(err >= 0)) { +- unsigned int n = walk->nbytes - err; ++ if (unlikely(err < 0)) ++ goto finish; + +- if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW))) +- n = blkcipher_done_fast(walk, n); +- else if (WARN_ON(err)) { +- err = -EINVAL; +- goto err; +- } else +- n = blkcipher_done_slow(walk, n); ++ n = walk->nbytes - err; ++ walk->total -= n; ++ more = (walk->total != 0); + +- nbytes = walk->total - n; +- err = 0; ++ if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW))) { ++ blkcipher_done_fast(walk, n); ++ } else { ++ if (WARN_ON(err)) { ++ /* unexpected case; didn't process all bytes */ ++ err = -EINVAL; ++ goto finish; ++ } ++ blkcipher_done_slow(walk, n); + } + +- scatterwalk_done(&walk->in, 0, nbytes); +- scatterwalk_done(&walk->out, 1, nbytes); +- +-err: +- walk->total = nbytes; +- walk->nbytes = nbytes; ++ scatterwalk_done(&walk->in, 0, more); ++ scatterwalk_done(&walk->out, 1, more); + +- if (nbytes) { ++ if (more) { + crypto_yield(desc->flags); + return blkcipher_walk_next(desc, walk); + } +- ++ err = 0; ++finish: ++ walk->nbytes = 0; + if (walk->iv != desc->info) + memcpy(desc->info, walk->iv, walk->ivsize); + if (walk->buffer != walk->page) + kfree(walk->buffer); + if (walk->page) + free_page((unsigned long)walk->page); +- + return err; + } + EXPORT_SYMBOL_GPL(blkcipher_walk_done); +diff --git a/crypto/vmac.c b/crypto/vmac.c +index df76a816cfb2..bb2fc787d615 100644 +--- a/crypto/vmac.c ++++ b/crypto/vmac.c +@@ -1,6 +1,10 @@ + /* +- * Modified to interface to the Linux kernel ++ * VMAC: Message Authentication Code using Universal Hashing ++ * ++ * Reference: https://tools.ietf.org/html/draft-krovetz-vmac-01 ++ * + * Copyright (c) 2009, Intel Corporation. ++ * Copyright (c) 2018, Google Inc. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, +@@ -16,14 +20,15 @@ + * Place - Suite 330, Boston, MA 02111-1307 USA. + */ + +-/* -------------------------------------------------------------------------- +- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. +- * This implementation is herby placed in the public domain. +- * The authors offers no warranty. Use at your own risk. +- * Please send bug reports to the authors. +- * Last modified: 17 APR 08, 1700 PDT +- * ----------------------------------------------------------------------- */ ++/* ++ * Derived from: ++ * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. ++ * This implementation is herby placed in the public domain. ++ * The authors offers no warranty. Use at your own risk. ++ * Last modified: 17 APR 08, 1700 PDT ++ */ + ++#include + #include + #include + #include +@@ -31,9 +36,35 @@ + #include + #include + #include +-#include + #include + ++/* ++ * User definable settings. 
++ */ ++#define VMAC_TAG_LEN 64 ++#define VMAC_KEY_SIZE 128/* Must be 128, 192 or 256 */ ++#define VMAC_KEY_LEN (VMAC_KEY_SIZE/8) ++#define VMAC_NHBYTES 128/* Must 2^i for any 3 < i < 13 Standard = 128*/ ++ ++/* per-transform (per-key) context */ ++struct vmac_tfm_ctx { ++ struct crypto_cipher *cipher; ++ u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)]; ++ u64 polykey[2*VMAC_TAG_LEN/64]; ++ u64 l3key[2*VMAC_TAG_LEN/64]; ++}; ++ ++/* per-request context */ ++struct vmac_desc_ctx { ++ union { ++ u8 partial[VMAC_NHBYTES]; /* partial block */ ++ __le64 partial_words[VMAC_NHBYTES / 8]; ++ }; ++ unsigned int partial_size; /* size of the partial block */ ++ bool first_block_processed; ++ u64 polytmp[2*VMAC_TAG_LEN/64]; /* running total of L2-hash */ ++}; ++ + /* + * Constants and masks + */ +@@ -318,13 +349,6 @@ static void poly_step_func(u64 *ahi, u64 *alo, + } while (0) + #endif + +-static void vhash_abort(struct vmac_ctx *ctx) +-{ +- ctx->polytmp[0] = ctx->polykey[0] ; +- ctx->polytmp[1] = ctx->polykey[1] ; +- ctx->first_block_processed = 0; +-} +- + static u64 l3hash(u64 p1, u64 p2, u64 k1, u64 k2, u64 len) + { + u64 rh, rl, t, z = 0; +@@ -364,280 +388,209 @@ static u64 l3hash(u64 p1, u64 p2, u64 k1, u64 k2, u64 len) + return rl; + } + +-static void vhash_update(const unsigned char *m, +- unsigned int mbytes, /* Pos multiple of VMAC_NHBYTES */ +- struct vmac_ctx *ctx) ++/* L1 and L2-hash one or more VMAC_NHBYTES-byte blocks */ ++static void vhash_blocks(const struct vmac_tfm_ctx *tctx, ++ struct vmac_desc_ctx *dctx, ++ const __le64 *mptr, unsigned int blocks) + { +- u64 rh, rl, *mptr; +- const u64 *kptr = (u64 *)ctx->nhkey; +- int i; +- u64 ch, cl; +- u64 pkh = ctx->polykey[0]; +- u64 pkl = ctx->polykey[1]; +- +- if (!mbytes) +- return; +- +- BUG_ON(mbytes % VMAC_NHBYTES); +- +- mptr = (u64 *)m; +- i = mbytes / VMAC_NHBYTES; /* Must be non-zero */ +- +- ch = ctx->polytmp[0]; +- cl = ctx->polytmp[1]; +- +- if (!ctx->first_block_processed) { +- 
ctx->first_block_processed = 1; ++ const u64 *kptr = tctx->nhkey; ++ const u64 pkh = tctx->polykey[0]; ++ const u64 pkl = tctx->polykey[1]; ++ u64 ch = dctx->polytmp[0]; ++ u64 cl = dctx->polytmp[1]; ++ u64 rh, rl; ++ ++ if (!dctx->first_block_processed) { ++ dctx->first_block_processed = true; + nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); + rh &= m62; + ADD128(ch, cl, rh, rl); + mptr += (VMAC_NHBYTES/sizeof(u64)); +- i--; ++ blocks--; + } + +- while (i--) { ++ while (blocks--) { + nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); + rh &= m62; + poly_step(ch, cl, pkh, pkl, rh, rl); + mptr += (VMAC_NHBYTES/sizeof(u64)); + } + +- ctx->polytmp[0] = ch; +- ctx->polytmp[1] = cl; ++ dctx->polytmp[0] = ch; ++ dctx->polytmp[1] = cl; + } + +-static u64 vhash(unsigned char m[], unsigned int mbytes, +- u64 *tagl, struct vmac_ctx *ctx) ++static int vmac_setkey(struct crypto_shash *tfm, ++ const u8 *key, unsigned int keylen) + { +- u64 rh, rl, *mptr; +- const u64 *kptr = (u64 *)ctx->nhkey; +- int i, remaining; +- u64 ch, cl; +- u64 pkh = ctx->polykey[0]; +- u64 pkl = ctx->polykey[1]; +- +- mptr = (u64 *)m; +- i = mbytes / VMAC_NHBYTES; +- remaining = mbytes % VMAC_NHBYTES; +- +- if (ctx->first_block_processed) { +- ch = ctx->polytmp[0]; +- cl = ctx->polytmp[1]; +- } else if (i) { +- nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, ch, cl); +- ch &= m62; +- ADD128(ch, cl, pkh, pkl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- i--; +- } else if (remaining) { +- nh_16(mptr, kptr, 2*((remaining+15)/16), ch, cl); +- ch &= m62; +- ADD128(ch, cl, pkh, pkl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- goto do_l3; +- } else {/* Empty String */ +- ch = pkh; cl = pkl; +- goto do_l3; +- } +- +- while (i--) { +- nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); +- rh &= m62; +- poly_step(ch, cl, pkh, pkl, rh, rl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- } +- if (remaining) { +- nh_16(mptr, kptr, 2*((remaining+15)/16), rh, rl); +- rh &= m62; +- poly_step(ch, cl, pkh, pkl, rh, rl); +- 
} +- +-do_l3: +- vhash_abort(ctx); +- remaining *= 8; +- return l3hash(ch, cl, ctx->l3key[0], ctx->l3key[1], remaining); +-} ++ struct vmac_tfm_ctx *tctx = crypto_shash_ctx(tfm); ++ __be64 out[2]; ++ u8 in[16] = { 0 }; ++ unsigned int i; ++ int err; + +-static u64 vmac(unsigned char m[], unsigned int mbytes, +- const unsigned char n[16], u64 *tagl, +- struct vmac_ctx_t *ctx) +-{ +- u64 *in_n, *out_p; +- u64 p, h; +- int i; +- +- in_n = ctx->__vmac_ctx.cached_nonce; +- out_p = ctx->__vmac_ctx.cached_aes; +- +- i = n[15] & 1; +- if ((*(u64 *)(n+8) != in_n[1]) || (*(u64 *)(n) != in_n[0])) { +- in_n[0] = *(u64 *)(n); +- in_n[1] = *(u64 *)(n+8); +- ((unsigned char *)in_n)[15] &= 0xFE; +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out_p, (unsigned char *)in_n); +- +- ((unsigned char *)in_n)[15] |= (unsigned char)(1-i); ++ if (keylen != VMAC_KEY_LEN) { ++ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ return -EINVAL; + } +- p = be64_to_cpup(out_p + i); +- h = vhash(m, mbytes, (u64 *)0, &ctx->__vmac_ctx); +- return le64_to_cpu(p + h); +-} + +-static int vmac_set_key(unsigned char user_key[], struct vmac_ctx_t *ctx) +-{ +- u64 in[2] = {0}, out[2]; +- unsigned i; +- int err = 0; +- +- err = crypto_cipher_setkey(ctx->child, user_key, VMAC_KEY_LEN); ++ err = crypto_cipher_setkey(tctx->cipher, key, keylen); + if (err) + return err; + + /* Fill nh key */ +- ((unsigned char *)in)[0] = 0x80; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.nhkey)/8; i += 2) { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.nhkey[i] = be64_to_cpup(out); +- ctx->__vmac_ctx.nhkey[i+1] = be64_to_cpup(out+1); +- ((unsigned char *)in)[15] += 1; ++ in[0] = 0x80; ++ for (i = 0; i < ARRAY_SIZE(tctx->nhkey); i += 2) { ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->nhkey[i] = be64_to_cpu(out[0]); ++ tctx->nhkey[i+1] = be64_to_cpu(out[1]); ++ in[15]++; + } + + /* Fill poly key */ +- ((unsigned char *)in)[0] = 
0xC0; +- in[1] = 0; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.polykey)/8; i += 2) { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.polytmp[i] = +- ctx->__vmac_ctx.polykey[i] = +- be64_to_cpup(out) & mpoly; +- ctx->__vmac_ctx.polytmp[i+1] = +- ctx->__vmac_ctx.polykey[i+1] = +- be64_to_cpup(out+1) & mpoly; +- ((unsigned char *)in)[15] += 1; ++ in[0] = 0xC0; ++ in[15] = 0; ++ for (i = 0; i < ARRAY_SIZE(tctx->polykey); i += 2) { ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->polykey[i] = be64_to_cpu(out[0]) & mpoly; ++ tctx->polykey[i+1] = be64_to_cpu(out[1]) & mpoly; ++ in[15]++; + } + + /* Fill ip key */ +- ((unsigned char *)in)[0] = 0xE0; +- in[1] = 0; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.l3key)/8; i += 2) { ++ in[0] = 0xE0; ++ in[15] = 0; ++ for (i = 0; i < ARRAY_SIZE(tctx->l3key); i += 2) { + do { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.l3key[i] = be64_to_cpup(out); +- ctx->__vmac_ctx.l3key[i+1] = be64_to_cpup(out+1); +- ((unsigned char *)in)[15] += 1; +- } while (ctx->__vmac_ctx.l3key[i] >= p64 +- || ctx->__vmac_ctx.l3key[i+1] >= p64); ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->l3key[i] = be64_to_cpu(out[0]); ++ tctx->l3key[i+1] = be64_to_cpu(out[1]); ++ in[15]++; ++ } while (tctx->l3key[i] >= p64 || tctx->l3key[i+1] >= p64); + } + +- /* Invalidate nonce/aes cache and reset other elements */ +- ctx->__vmac_ctx.cached_nonce[0] = (u64)-1; /* Ensure illegal nonce */ +- ctx->__vmac_ctx.cached_nonce[1] = (u64)0; /* Ensure illegal nonce */ +- ctx->__vmac_ctx.first_block_processed = 0; +- +- return err; ++ return 0; + } + +-static int vmac_setkey(struct crypto_shash *parent, +- const u8 *key, unsigned int keylen) ++static int vmac_init(struct shash_desc *desc) + { +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct 
vmac_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (keylen != VMAC_KEY_LEN) { +- crypto_shash_set_flags(parent, CRYPTO_TFM_RES_BAD_KEY_LEN); +- return -EINVAL; +- } +- +- return vmac_set_key((u8 *)key, ctx); +-} +- +-static int vmac_init(struct shash_desc *pdesc) +-{ ++ dctx->partial_size = 0; ++ dctx->first_block_processed = false; ++ memcpy(dctx->polytmp, tctx->polykey, sizeof(dctx->polytmp)); + return 0; + } + +-static int vmac_update(struct shash_desc *pdesc, const u8 *p, +- unsigned int len) ++static int vmac_update(struct shash_desc *desc, const u8 *p, unsigned int len) + { +- struct crypto_shash *parent = pdesc->tfm; +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); +- int expand; +- int min; +- +- expand = VMAC_NHBYTES - ctx->partial_size > 0 ? +- VMAC_NHBYTES - ctx->partial_size : 0; +- +- min = len < expand ? len : expand; +- +- memcpy(ctx->partial + ctx->partial_size, p, min); +- ctx->partial_size += min; +- +- if (len < expand) +- return 0; +- +- vhash_update(ctx->partial, VMAC_NHBYTES, &ctx->__vmac_ctx); +- ctx->partial_size = 0; +- +- len -= expand; +- p += expand; ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); ++ unsigned int n; ++ ++ if (dctx->partial_size) { ++ n = min(len, VMAC_NHBYTES - dctx->partial_size); ++ memcpy(&dctx->partial[dctx->partial_size], p, n); ++ dctx->partial_size += n; ++ p += n; ++ len -= n; ++ if (dctx->partial_size == VMAC_NHBYTES) { ++ vhash_blocks(tctx, dctx, dctx->partial_words, 1); ++ dctx->partial_size = 0; ++ } ++ } + +- if (len % VMAC_NHBYTES) { +- memcpy(ctx->partial, p + len - (len % VMAC_NHBYTES), +- len % VMAC_NHBYTES); +- ctx->partial_size = len % VMAC_NHBYTES; ++ if (len >= VMAC_NHBYTES) { ++ n = round_down(len, VMAC_NHBYTES); ++ /* TODO: 'p' may be misaligned here */ ++ vhash_blocks(tctx, dctx, (const __le64 *)p, n / VMAC_NHBYTES); ++ p += n; ++ len -= n; + } + +- vhash_update(p, len - len % VMAC_NHBYTES, &ctx->__vmac_ctx); ++ if (len) 
{ ++ memcpy(dctx->partial, p, len); ++ dctx->partial_size = len; ++ } + + return 0; + } + +-static int vmac_final(struct shash_desc *pdesc, u8 *out) ++static u64 vhash_final(const struct vmac_tfm_ctx *tctx, ++ struct vmac_desc_ctx *dctx) + { +- struct crypto_shash *parent = pdesc->tfm; +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); +- vmac_t mac; +- u8 nonce[16] = {}; +- +- /* vmac() ends up accessing outside the array bounds that +- * we specify. In appears to access up to the next 2-word +- * boundary. We'll just be uber cautious and zero the +- * unwritten bytes in the buffer. +- */ +- if (ctx->partial_size) { +- memset(ctx->partial + ctx->partial_size, 0, +- VMAC_NHBYTES - ctx->partial_size); ++ unsigned int partial = dctx->partial_size; ++ u64 ch = dctx->polytmp[0]; ++ u64 cl = dctx->polytmp[1]; ++ ++ /* L1 and L2-hash the final block if needed */ ++ if (partial) { ++ /* Zero-pad to next 128-bit boundary */ ++ unsigned int n = round_up(partial, 16); ++ u64 rh, rl; ++ ++ memset(&dctx->partial[partial], 0, n - partial); ++ nh_16(dctx->partial_words, tctx->nhkey, n / 8, rh, rl); ++ rh &= m62; ++ if (dctx->first_block_processed) ++ poly_step(ch, cl, tctx->polykey[0], tctx->polykey[1], ++ rh, rl); ++ else ++ ADD128(ch, cl, rh, rl); + } +- mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx); +- memcpy(out, &mac, sizeof(vmac_t)); +- memzero_explicit(&mac, sizeof(vmac_t)); +- memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx)); +- ctx->partial_size = 0; ++ ++ /* L3-hash the 128-bit output of L2-hash */ ++ return l3hash(ch, cl, tctx->l3key[0], tctx->l3key[1], partial * 8); ++} ++ ++static int vmac_final(struct shash_desc *desc, u8 *out) ++{ ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); ++ static const u8 nonce[16] = {}; /* TODO: this is insecure */ ++ union { ++ u8 bytes[16]; ++ __be64 pads[2]; ++ } block; ++ int index; ++ u64 hash, pad; ++ ++ /* Finish calculating the VHASH of 
the message */ ++ hash = vhash_final(tctx, dctx); ++ ++ /* Generate pseudorandom pad by encrypting the nonce */ ++ memcpy(&block, nonce, 16); ++ index = block.bytes[15] & 1; ++ block.bytes[15] &= ~1; ++ crypto_cipher_encrypt_one(tctx->cipher, block.bytes, block.bytes); ++ pad = be64_to_cpu(block.pads[index]); ++ ++ /* The VMAC is the sum of VHASH and the pseudorandom pad */ ++ put_unaligned_le64(hash + pad, out); + return 0; + } + + static int vmac_init_tfm(struct crypto_tfm *tfm) + { +- struct crypto_cipher *cipher; +- struct crypto_instance *inst = (void *)tfm->__crt_alg; ++ struct crypto_instance *inst = crypto_tfm_alg_instance(tfm); + struct crypto_spawn *spawn = crypto_instance_ctx(inst); +- struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm); ++ struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm); ++ struct crypto_cipher *cipher; + + cipher = crypto_spawn_cipher(spawn); + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + +- ctx->child = cipher; ++ tctx->cipher = cipher; + return 0; + } + + static void vmac_exit_tfm(struct crypto_tfm *tfm) + { +- struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm); +- crypto_free_cipher(ctx->child); ++ struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm); ++ ++ crypto_free_cipher(tctx->cipher); + } + + static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) +@@ -655,6 +608,10 @@ static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) + if (IS_ERR(alg)) + return PTR_ERR(alg); + ++ err = -EINVAL; ++ if (alg->cra_blocksize != 16) ++ goto out_put_alg; ++ + inst = shash_alloc_instance("vmac", alg); + err = PTR_ERR(inst); + if (IS_ERR(inst)) +@@ -670,11 +627,12 @@ static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) + inst->alg.base.cra_blocksize = alg->cra_blocksize; + inst->alg.base.cra_alignmask = alg->cra_alignmask; + +- inst->alg.digestsize = sizeof(vmac_t); +- inst->alg.base.cra_ctxsize = sizeof(struct vmac_ctx_t); ++ inst->alg.base.cra_ctxsize = sizeof(struct vmac_tfm_ctx); + 
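Review bot: vmac_final() derives the pad from `static const u8 nonce[16] = {}`, so every tag computed under one key uses the same pad, and the inline `TODO: this is insecure` does not say what breaks. VMAC is a Wegman-Carter style MAC whose forgery bound assumes a nonce that is never reused with a key, so tags produced this way should not be relied on for authentication until the nonce is supplied by the caller. I would spell that out in the comment, for example `/* TODO: fixed all-zero nonce: the pad repeats for every message under a key, which voids VMAC's forgery bound */`. The cast `(const __le64 *)p` in vmac_update() carries a similar TODO about misaligned input and deserves the same explicit wording.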
inst->alg.base.cra_init = vmac_init_tfm; + inst->alg.base.cra_exit = vmac_exit_tfm; + ++ inst->alg.descsize = sizeof(struct vmac_desc_ctx); ++ inst->alg.digestsize = VMAC_TAG_LEN / 8; + inst->alg.init = vmac_init; + inst->alg.update = vmac_update; + inst->alg.final = vmac_final; +diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c +index 1111cb966a44..fa2b58142cde 100644 +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -587,7 +587,7 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr, + + /* unmap the data buffer */ + if (dma_size != 0) +- dma_unmap_single(&adap->dev, dma_addr, dma_size, dma_direction); ++ dma_unmap_single(dev, dma_addr, dma_size, dma_direction); + + if (unlikely(!time_left)) { + dev_err(dev, "completion wait timed out\n"); +diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h +index dabecb661264..53a47d75cc43 100644 +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -770,8 +770,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot); + int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot); + int pud_clear_huge(pud_t *pud); + int pmd_clear_huge(pmd_t *pmd); +-int pud_free_pmd_page(pud_t *pud); +-int pmd_free_pte_page(pmd_t *pmd); ++int pud_free_pmd_page(pud_t *pud, unsigned long addr); ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr); + #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */ + static inline int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot) + { +@@ -789,11 +789,11 @@ static inline int pmd_clear_huge(pmd_t *pmd) + { + return 0; + } +-static inline int pud_free_pmd_page(pud_t *pud) ++static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + return 0; + } +-static inline int pmd_free_pte_page(pmd_t *pmd) ++static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + return 0; + } +diff --git a/include/crypto/vmac.h b/include/crypto/vmac.h +deleted file mode 100644 +index 
6b700c7b2fe1..000000000000 +--- a/include/crypto/vmac.h ++++ /dev/null +@@ -1,63 +0,0 @@ +-/* +- * Modified to interface to the Linux kernel +- * Copyright (c) 2009, Intel Corporation. +- * +- * This program is free software; you can redistribute it and/or modify it +- * under the terms and conditions of the GNU General Public License, +- * version 2, as published by the Free Software Foundation. +- * +- * This program is distributed in the hope it will be useful, but WITHOUT +- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +- * more details. +- * +- * You should have received a copy of the GNU General Public License along with +- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple +- * Place - Suite 330, Boston, MA 02111-1307 USA. +- */ +- +-#ifndef __CRYPTO_VMAC_H +-#define __CRYPTO_VMAC_H +- +-/* -------------------------------------------------------------------------- +- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. +- * This implementation is herby placed in the public domain. +- * The authors offers no warranty. Use at your own risk. +- * Please send bug reports to the authors. +- * Last modified: 17 APR 08, 1700 PDT +- * ----------------------------------------------------------------------- */ +- +-/* +- * User definable settings. +- */ +-#define VMAC_TAG_LEN 64 +-#define VMAC_KEY_SIZE 128/* Must be 128, 192 or 256 */ +-#define VMAC_KEY_LEN (VMAC_KEY_SIZE/8) +-#define VMAC_NHBYTES 128/* Must 2^i for any 3 < i < 13 Standard = 128*/ +- +-/* +- * This implementation uses u32 and u64 as names for unsigned 32- +- * and 64-bit integer types. These are defined in C99 stdint.h. The +- * following may need adaptation if you are not running a C99 or +- * Microsoft C environment. 
+- */ +-struct vmac_ctx { +- u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)]; +- u64 polykey[2*VMAC_TAG_LEN/64]; +- u64 l3key[2*VMAC_TAG_LEN/64]; +- u64 polytmp[2*VMAC_TAG_LEN/64]; +- u64 cached_nonce[2]; +- u64 cached_aes[2]; +- int first_block_processed; +-}; +- +-typedef u64 vmac_t; +- +-struct vmac_ctx_t { +- struct crypto_cipher *child; +- struct vmac_ctx __vmac_ctx; +- u8 partial[VMAC_NHBYTES]; /* partial block */ +- int partial_size; /* size of the partial block */ +-}; +- +-#endif /* __CRYPTO_VMAC_H */ +diff --git a/lib/ioremap.c b/lib/ioremap.c +index 5323b59ca393..b9462037868d 100644 +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -84,7 +84,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, + if (ioremap_pmd_enabled() && + ((next - addr) == PMD_SIZE) && + IS_ALIGNED(phys_addr + addr, PMD_SIZE) && +- pmd_free_pte_page(pmd)) { ++ pmd_free_pte_page(pmd, addr)) { + if (pmd_set_huge(pmd, phys_addr + addr, prot)) + continue; + } +@@ -111,7 +111,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr, + if (ioremap_pud_enabled() && + ((next - addr) == PUD_SIZE) && + IS_ALIGNED(phys_addr + addr, PUD_SIZE) && +- pud_free_pmd_page(pud)) { ++ pud_free_pmd_page(pud, addr)) { + if (pud_set_huge(pud, phys_addr + addr, prot)) + continue; + } +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 1fc076420d1e..1811f8e7ddf4 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session) + del_timer(&session->timer); + } + +-static void hidp_process_report(struct hidp_session *session, +- int type, const u8 *data, int len, int intr) ++static void hidp_process_report(struct hidp_session *session, int type, ++ const u8 *data, unsigned int len, int intr) + { + if (len > HID_MAX_BUFFER_SIZE) + len = HID_MAX_BUFFER_SIZE; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 4a261e078082..9c4c6cd0316e 100644 +--- 
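Review bot: The clamp `if (len > HID_MAX_BUFFER_SIZE)` in hidp_process_report() only bounds the later use of `len` if every caller passes a length that was never narrowed to a signed `int`, and the call sites are outside this hunk. With `len` now `unsigned int`, a value that would have been negative as `int` compares as a large number and is clamped instead of slipping past the check. A short comment above the clamp would record why the type matters, e.g. `/* len is unsigned so a wrapped or oversized length is clamped here */`. The rest of the function body continues outside the hunk, so what is done with the clamped length should be confirmed there.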
a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4835,6 +4835,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk) + end = TCP_SKB_CB(skb)->end_seq; + range_truesize = skb->truesize; + } else { ++ range_truesize += skb->truesize; + if (before(TCP_SKB_CB(skb)->seq, start)) + start = TCP_SKB_CB(skb)->seq; + if (after(TCP_SKB_CB(skb)->end_seq, end)) +diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan +index 37323b0df374..2624d4bf9a45 100644 +--- a/scripts/Makefile.kasan ++++ b/scripts/Makefile.kasan +@@ -28,4 +28,7 @@ else + CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL) + endif + endif ++ ++CFLAGS_KASAN_NOSANITIZE := -fno-builtin ++ + endif +diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib +index 24914e7de944..a2d0e6d32659 100644 +--- a/scripts/Makefile.lib ++++ b/scripts/Makefile.lib +@@ -126,7 +126,7 @@ endif + ifeq ($(CONFIG_KASAN),y) + _c_flags += $(if $(patsubst n%,, \ + $(KASAN_SANITIZE_$(basetarget).o)$(KASAN_SANITIZE)y), \ +- $(CFLAGS_KASAN)) ++ $(CFLAGS_KASAN), $(CFLAGS_KASAN_NOSANITIZE)) + endif + + # If building the kernel in a separate objtree expand all occurrences +diff --git a/scripts/depmod.sh b/scripts/depmod.sh +index 122599b1c13b..ea1e96921e3b 100755 +--- a/scripts/depmod.sh ++++ b/scripts/depmod.sh +@@ -10,10 +10,16 @@ DEPMOD=$1 + KERNELRELEASE=$2 + SYMBOL_PREFIX=$3 + +-if ! test -r System.map -a -x "$DEPMOD"; then ++if ! test -r System.map ; then + exit 0 + fi + ++if [ -z $(command -v $DEPMOD) ]; then ++ echo "'make modules_install' requires $DEPMOD. Please install it." >&2 ++ echo "This is probably in the kmod package." 
>&2 ++ exit 1 ++fi ++ + # older versions of depmod don't support -P + # support was added in module-init-tools 3.13 + if test -n "$SYMBOL_PREFIX"; then +diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c +index 4e2fcf188dd1..01a573a063d1 100644 +--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c ++++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c +@@ -131,23 +131,19 @@ static int cht_codec_init(struct snd_soc_pcm_runtime *runtime) + struct cht_mc_private *ctx = snd_soc_card_get_drvdata(runtime->card); + struct snd_soc_jack *jack = &ctx->jack; + +- /** +- * TI supports 4 butons headset detection +- * KEY_MEDIA +- * KEY_VOICECOMMAND +- * KEY_VOLUMEUP +- * KEY_VOLUMEDOWN +- */ +- if (ctx->ts3a227e_present) +- jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE | +- SND_JACK_BTN_0 | SND_JACK_BTN_1 | +- SND_JACK_BTN_2 | SND_JACK_BTN_3; +- else +- jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE; ++ if (ctx->ts3a227e_present) { ++ /* ++ * The jack has already been created in the ++ * cht_max98090_headset_init() function. 
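Review bot: The new test `[ -z $(command -v $DEPMOD) ]` leaves both expansions unquoted, so the missing-depmod case only works because `[ -z ]` with no operand happens to evaluate true. A `$DEPMOD` value containing whitespace would make `[` fail with a syntax error, skip the error message and fall through to the rest of the script. Testing the exit status avoids both problems: `if ! command -v "$DEPMOD" >/dev/null 2>&1; then`.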
++ */ ++ snd_soc_jack_notifier_register(jack, &cht_jack_nb); ++ return 0; ++ } ++ ++ jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE; + + ret = snd_soc_card_jack_new(runtime->card, "Headset Jack", + jack_type, jack, NULL, 0); +- + if (ret) { + dev_err(runtime->dev, "Headset Jack creation failed %d\n", ret); + return ret; +@@ -203,6 +199,27 @@ static int cht_max98090_headset_init(struct snd_soc_component *component) + { + struct snd_soc_card *card = component->card; + struct cht_mc_private *ctx = snd_soc_card_get_drvdata(card); ++ struct snd_soc_jack *jack = &ctx->jack; ++ int jack_type; ++ int ret; ++ ++ /* ++ * TI supports 4 butons headset detection ++ * KEY_MEDIA ++ * KEY_VOICECOMMAND ++ * KEY_VOLUMEUP ++ * KEY_VOLUMEDOWN ++ */ ++ jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE | ++ SND_JACK_BTN_0 | SND_JACK_BTN_1 | ++ SND_JACK_BTN_2 | SND_JACK_BTN_3; ++ ++ ret = snd_soc_card_jack_new(card, "Headset Jack", jack_type, ++ jack, NULL, 0); ++ if (ret) { ++ dev_err(card->dev, "Headset Jack creation failed %d\n", ret); ++ return ret; ++ } + + return ts3a227e_enable_jack_detect(component, &ctx->jack); + } diff --git a/patch/kernel/mvebu-default/04-patch-4.4.149-150.patch b/patch/kernel/mvebu-default/04-patch-4.4.149-150.patch new file mode 100644 index 0000000000..2446bbe3c0 --- /dev/null +++ b/patch/kernel/mvebu-default/04-patch-4.4.149-150.patch 
@@ -0,0 +1,36 @@ +diff --git a/Makefile b/Makefile +index e7c46ece5f27..7789195c6a59 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 149 ++SUBLEVEL = 150 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h +index 44b1203ece12..a0c1525f1b6f 100644 +--- a/arch/x86/include/asm/pgtable-invert.h ++++ b/arch/x86/include/asm/pgtable-invert.h +@@ -4,9 +4,18 @@ + + #ifndef __ASSEMBLY__ + ++/* ++ * A clear pte value is special, and doesn't get inverted. ++ * ++ * Note that even users that only pass a pgprot_t (rather ++ * than a full pte) won't trigger the special zero case, ++ * because even PAGE_NONE has _PAGE_PROTNONE | _PAGE_ACCESSED ++ * set. So the all zero case really is limited to just the ++ * cleared page table entry case. ++ */ + static inline bool __pte_needs_invert(u64 val) + { +- return !(val & _PAGE_PRESENT); ++ return val && !(val & _PAGE_PRESENT); + } + + /* Get a mask to xor with the page table entry to get the correct pfn. */ diff --git a/patch/kernel/mvebu-next/linux-999-revert-softirq-let-ksoftirqd-do-its-job.patch b/patch/kernel/mvebu-next/linux-999-revert-softirq-let-ksoftirqd-do-its-job.patch deleted file mode 100644 index bb87a670b3..0000000000 --- a/patch/kernel/mvebu-next/linux-999-revert-softirq-let-ksoftirqd-do-its-job.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 3364d0056328b93fb10ab929ae99933af9e304ad Mon Sep 17 00:00:00 2001 -From: MilhouseVH -Date: Thu, 4 Jan 2018 19:56:05 +0000 -Subject: [PATCH] Revert "softirq: Let ksoftirqd do its job" - -See: https://forum.libreelec.tv/thread/4235-dvb-issue-since-le-switched-to-kernel-4-9-x/?postID=75965#post75965 ---- - kernel/softirq.c | 16 +--------------- - 1 file changed, 1 insertion(+), 15 deletions(-) - -diff --git a/kernel/softirq.c b/kernel/softirq.c -index 4e09821..58bb6f6 100644 ---- a/kernel/softirq.c -+++ b/kernel/softirq.c -@@ -77,17 +77,6 @@ static void wakeup_softirqd(void) - wake_up_process(tsk); - } - --/* -- * If ksoftirqd is scheduled, we do not want to process pending softirqs -- * right now. Let ksoftirqd handle this at its own rate, to get fairness. -- */ --static bool ksoftirqd_running(void) --{ -- struct task_struct *tsk = __this_cpu_read(ksoftirqd); -- -- return tsk && (tsk->state == TASK_RUNNING); --} -- - /* - * preempt_count and SOFTIRQ_OFFSET usage: - * - preempt_count is changed by SOFTIRQ_OFFSET on entering or leaving -@@ -324,7 +313,7 @@ asmlinkage __visible void do_softirq(void) - - pending = local_softirq_pending(); - -- if (pending && !ksoftirqd_running()) -+ if (pending) - do_softirq_own_stack(); - - local_irq_restore(flags); -@@ -351,9 +340,6 @@ void irq_enter(void) - - static inline void invoke_softirq(void) - { -- if (ksoftirqd_running()) -- return; -- - if (!force_irqthreads) { - #ifdef CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK - /* --- -2.14.1 -