Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.19/0112-4.19.13-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.19/0112-4.19.13-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3391 - (show annotations) (download)
    Fri Aug 2 11:47:26 2019 UTC (4 years, 8 months ago) by niro
    File size: 74632 byte(s) 
    -linux-4.19.13
    1 diff --git a/Makefile b/Makefile
    2 index 9770f29a690a..892ff14cbc9d 100644
    3 --- a/Makefile
    4 +++ b/Makefile
    5 @@ -1,7 +1,7 @@
    6 # SPDX-License-Identifier: GPL-2.0
    7 VERSION = 4
    8 PATCHLEVEL = 19
    9 -SUBLEVEL = 12
    10 +SUBLEVEL = 13
    11 EXTRAVERSION =
    12 NAME = "People's Front"
    13
    14 diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
    15 index 92fd2c8a9af0..12659ce5c1f3 100644
    16 --- a/arch/arm/include/asm/pgtable-2level.h
    17 +++ b/arch/arm/include/asm/pgtable-2level.h
    18 @@ -10,7 +10,7 @@
    19 #ifndef _ASM_PGTABLE_2LEVEL_H
    20 #define _ASM_PGTABLE_2LEVEL_H
    21
    22 -#define __PAGETABLE_PMD_FOLDED
    23 +#define __PAGETABLE_PMD_FOLDED 1
    24
    25 /*
    26 * Hardware-wise, we have a two level page table structure, where the first
    27 diff --git a/arch/m68k/include/asm/pgtable_mm.h b/arch/m68k/include/asm/pgtable_mm.h
    28 index 6181e4134483..fe3ddd73a0cc 100644
    29 --- a/arch/m68k/include/asm/pgtable_mm.h
    30 +++ b/arch/m68k/include/asm/pgtable_mm.h
    31 @@ -55,12 +55,12 @@
    32 */
    33 #ifdef CONFIG_SUN3
    34 #define PTRS_PER_PTE 16
    35 -#define __PAGETABLE_PMD_FOLDED
    36 +#define __PAGETABLE_PMD_FOLDED 1
    37 #define PTRS_PER_PMD 1
    38 #define PTRS_PER_PGD 2048
    39 #elif defined(CONFIG_COLDFIRE)
    40 #define PTRS_PER_PTE 512
    41 -#define __PAGETABLE_PMD_FOLDED
    42 +#define __PAGETABLE_PMD_FOLDED 1
    43 #define PTRS_PER_PMD 1
    44 #define PTRS_PER_PGD 1024
    45 #else
    46 diff --git a/arch/microblaze/include/asm/pgtable.h b/arch/microblaze/include/asm/pgtable.h
    47 index 7b650ab14fa0..2ca598534cc7 100644
    48 --- a/arch/microblaze/include/asm/pgtable.h
    49 +++ b/arch/microblaze/include/asm/pgtable.h
    50 @@ -63,7 +63,7 @@ extern int mem_init_done;
    51
    52 #include <asm-generic/4level-fixup.h>
    53
    54 -#define __PAGETABLE_PMD_FOLDED
    55 +#define __PAGETABLE_PMD_FOLDED 1
    56
    57 #ifdef __KERNEL__
    58 #ifndef __ASSEMBLY__
    59 diff --git a/arch/nds32/include/asm/pgtable.h b/arch/nds32/include/asm/pgtable.h
    60 index d3e19a55cf53..9f52db930c00 100644
    61 --- a/arch/nds32/include/asm/pgtable.h
    62 +++ b/arch/nds32/include/asm/pgtable.h
    63 @@ -4,7 +4,7 @@
    64 #ifndef _ASMNDS32_PGTABLE_H
    65 #define _ASMNDS32_PGTABLE_H
    66
    67 -#define __PAGETABLE_PMD_FOLDED
    68 +#define __PAGETABLE_PMD_FOLDED 1
    69 #include <asm-generic/4level-fixup.h>
    70 #include <asm-generic/sizes.h>
    71
    72 diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
    73 index fa6b7c78f18a..ff0860b2b21a 100644
    74 --- a/arch/parisc/include/asm/pgtable.h
    75 +++ b/arch/parisc/include/asm/pgtable.h
    76 @@ -117,7 +117,7 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
    77 #if CONFIG_PGTABLE_LEVELS == 3
    78 #define BITS_PER_PMD (PAGE_SHIFT + PMD_ORDER - BITS_PER_PMD_ENTRY)
    79 #else
    80 -#define __PAGETABLE_PMD_FOLDED
    81 +#define __PAGETABLE_PMD_FOLDED 1
    82 #define BITS_PER_PMD 0
    83 #endif
    84 #define PTRS_PER_PMD (1UL << BITS_PER_PMD)
    85 diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
    86 index 141d415a8c80..c3d7ccd25381 100644
    87 --- a/arch/x86/entry/vdso/Makefile
    88 +++ b/arch/x86/entry/vdso/Makefile
    89 @@ -171,7 +171,8 @@ quiet_cmd_vdso = VDSO $@
    90 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
    91
    92 VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \
    93 - $(call ld-option, --build-id) -Bsymbolic
    94 + $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \
    95 + -Bsymbolic
    96 GCOV_PROFILE := n
    97
    98 #
    99 diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
    100 index b3486c8b570a..1f9de7635bcb 100644
    101 --- a/arch/x86/include/asm/msr-index.h
    102 +++ b/arch/x86/include/asm/msr-index.h
    103 @@ -389,6 +389,7 @@
    104 #define MSR_F15H_NB_PERF_CTR 0xc0010241
    105 #define MSR_F15H_PTSC 0xc0010280
    106 #define MSR_F15H_IC_CFG 0xc0011021
    107 +#define MSR_F15H_EX_CFG 0xc001102c
    108
    109 /* Fam 10h MSRs */
    110 #define MSR_FAM10H_MMIO_CONF_BASE 0xc0010058
    111 diff --git a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
    112 index 0f53049719cd..627e5c809b33 100644
    113 --- a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
    114 +++ b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
    115 @@ -23,6 +23,7 @@
    116
    117 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
    118
    119 +#include <linux/cpu.h>
    120 #include <linux/kernfs.h>
    121 #include <linux/seq_file.h>
    122 #include <linux/slab.h>
    123 @@ -310,9 +311,11 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of,
    124 return -EINVAL;
    125 buf[nbytes - 1] = '\0';
    126
    127 + cpus_read_lock();
    128 rdtgrp = rdtgroup_kn_lock_live(of->kn);
    129 if (!rdtgrp) {
    130 rdtgroup_kn_unlock(of->kn);
    131 + cpus_read_unlock();
    132 return -ENOENT;
    133 }
    134 rdt_last_cmd_clear();
    135 @@ -367,6 +370,7 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of,
    136
    137 out:
    138 rdtgroup_kn_unlock(of->kn);
    139 + cpus_read_unlock();
    140 return ret ?: nbytes;
    141 }
    142
    143 diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
    144 index 40eee6cc4124..254683b503a9 100644
    145 --- a/arch/x86/kernel/cpu/mtrr/if.c
    146 +++ b/arch/x86/kernel/cpu/mtrr/if.c
    147 @@ -165,6 +165,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
    148 struct mtrr_gentry gentry;
    149 void __user *arg = (void __user *) __arg;
    150
    151 + memset(&gentry, 0, sizeof(gentry));
    152 +
    153 switch (cmd) {
    154 case MTRRIOC_ADD_ENTRY:
    155 case MTRRIOC_SET_ENTRY:
    156 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
    157 index c97a9d60d305..33ffb6d17e73 100644
    158 --- a/arch/x86/kvm/vmx.c
    159 +++ b/arch/x86/kvm/vmx.c
    160 @@ -11471,6 +11471,8 @@ static void nested_get_vmcs12_pages(struct kvm_vcpu *vcpu)
    161 kunmap(vmx->nested.pi_desc_page);
    162 kvm_release_page_dirty(vmx->nested.pi_desc_page);
    163 vmx->nested.pi_desc_page = NULL;
    164 + vmx->nested.pi_desc = NULL;
    165 + vmcs_write64(POSTED_INTR_DESC_ADDR, -1ull);
    166 }
    167 page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->posted_intr_desc_addr);
    168 if (is_error_page(page))
    169 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    170 index 68b53f05a420..956eecd227f8 100644
    171 --- a/arch/x86/kvm/x86.c
    172 +++ b/arch/x86/kvm/x86.c
    173 @@ -2343,6 +2343,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
    174 case MSR_AMD64_PATCH_LOADER:
    175 case MSR_AMD64_BU_CFG2:
    176 case MSR_AMD64_DC_CFG:
    177 + case MSR_F15H_EX_CFG:
    178 break;
    179
    180 case MSR_IA32_UCODE_REV:
    181 @@ -2638,6 +2639,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
    182 case MSR_AMD64_BU_CFG2:
    183 case MSR_IA32_PERF_CTL:
    184 case MSR_AMD64_DC_CFG:
    185 + case MSR_F15H_EX_CFG:
    186 msr_info->data = 0;
    187 break;
    188 case MSR_F15H_PERF_CTL0 ... MSR_F15H_PERF_CTR5:
    189 @@ -7304,7 +7306,7 @@ void kvm_make_scan_ioapic_request(struct kvm *kvm)
    190
    191 static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
    192 {
    193 - if (!kvm_apic_hw_enabled(vcpu->arch.apic))
    194 + if (!kvm_apic_present(vcpu))
    195 return;
    196
    197 bitmap_zero(vcpu->arch.ioapic_handled_vectors, 256);
    198 diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
    199 index 3d0c83ef6aab..a3c9ea29d7cc 100644
    200 --- a/arch/x86/mm/pat.c
    201 +++ b/arch/x86/mm/pat.c
    202 @@ -519,8 +519,13 @@ static u64 sanitize_phys(u64 address)
    203 * for a "decoy" virtual address (bit 63 clear) passed to
    204 * set_memory_X(). __pa() on a "decoy" address results in a
    205 * physical address with bit 63 set.
    206 + *
    207 + * Decoy addresses are not present for 32-bit builds, see
    208 + * set_mce_nospec().
    209 */
    210 - return address & __PHYSICAL_MASK;
    211 + if (IS_ENABLED(CONFIG_X86_64))
    212 + return address & __PHYSICAL_MASK;
    213 + return address;
    214 }
    215
    216 /*
    217 @@ -546,7 +551,11 @@ int reserve_memtype(u64 start, u64 end, enum page_cache_mode req_type,
    218
    219 start = sanitize_phys(start);
    220 end = sanitize_phys(end);
    221 - BUG_ON(start >= end); /* end is exclusive */
    222 + if (start >= end) {
    223 + WARN(1, "%s failed: [mem %#010Lx-%#010Lx], req %s\n", __func__,
    224 + start, end - 1, cattr_name(req_type));
    225 + return -EINVAL;
    226 + }
    227
    228 if (!pat_enabled()) {
    229 /* This is identical to page table setting without PAT */
    230 diff --git a/drivers/gpio/gpio-max7301.c b/drivers/gpio/gpio-max7301.c
    231 index 05813fbf3daf..647dfbbc4e1c 100644
    232 --- a/drivers/gpio/gpio-max7301.c
    233 +++ b/drivers/gpio/gpio-max7301.c
    234 @@ -25,7 +25,7 @@ static int max7301_spi_write(struct device *dev, unsigned int reg,
    235 struct spi_device *spi = to_spi_device(dev);
    236 u16 word = ((reg & 0x7F) << 8) | (val & 0xFF);
    237
    238 - return spi_write(spi, (const u8 *)&word, sizeof(word));
    239 + return spi_write_then_read(spi, &word, sizeof(word), NULL, 0);
    240 }
    241
    242 /* A read from the MAX7301 means two transfers; here, one message each */
    243 @@ -37,14 +37,8 @@ static int max7301_spi_read(struct device *dev, unsigned int reg)
    244 struct spi_device *spi = to_spi_device(dev);
    245
    246 word = 0x8000 | (reg << 8);
    247 - ret = spi_write(spi, (const u8 *)&word, sizeof(word));
    248 - if (ret)
    249 - return ret;
    250 - /*
    251 - * This relies on the fact, that a transfer with NULL tx_buf shifts out
    252 - * zero bytes (=NOOP for MAX7301)
    253 - */
    254 - ret = spi_read(spi, (u8 *)&word, sizeof(word));
    255 + ret = spi_write_then_read(spi, &word, sizeof(word), &word,
    256 + sizeof(word));
    257 if (ret)
    258 return ret;
    259 return word & 0xff;
    260 diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
    261 index 8b9d7e42c600..c5e009f61021 100644
    262 --- a/drivers/gpio/gpiolib-acpi.c
    263 +++ b/drivers/gpio/gpiolib-acpi.c
    264 @@ -23,11 +23,28 @@
    265
    266 #include "gpiolib.h"
    267
    268 +/**
    269 + * struct acpi_gpio_event - ACPI GPIO event handler data
    270 + *
    271 + * @node: list-entry of the events list of the struct acpi_gpio_chip
    272 + * @handle: handle of ACPI method to execute when the IRQ triggers
    273 + * @handler: irq_handler to pass to request_irq when requesting the IRQ
    274 + * @pin: GPIO pin number on the gpio_chip
    275 + * @irq: Linux IRQ number for the event, for request_ / free_irq
    276 + * @irqflags: flags to pass to request_irq when requesting the IRQ
    277 + * @irq_is_wake: If the ACPI flags indicate the IRQ is a wakeup source
    278 + * @is_requested: True if request_irq has been done
    279 + * @desc: gpio_desc for the GPIO pin for this event
    280 + */
    281 struct acpi_gpio_event {
    282 struct list_head node;
    283 acpi_handle handle;
    284 + irq_handler_t handler;
    285 unsigned int pin;
    286 unsigned int irq;
    287 + unsigned long irqflags;
    288 + bool irq_is_wake;
    289 + bool irq_requested;
    290 struct gpio_desc *desc;
    291 };
    292
    293 @@ -53,10 +70,10 @@ struct acpi_gpio_chip {
    294
    295 /*
    296 * For gpiochips which call acpi_gpiochip_request_interrupts() before late_init
    297 - * (so builtin drivers) we register the ACPI GpioInt event handlers from a
    298 + * (so builtin drivers) we register the ACPI GpioInt IRQ handlers from a
    299 * late_initcall_sync handler, so that other builtin drivers can register their
    300 * OpRegions before the event handlers can run. This list contains gpiochips
    301 - * for which the acpi_gpiochip_request_interrupts() has been deferred.
    302 + * for which the acpi_gpiochip_request_irqs() call has been deferred.
    303 */
    304 static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock);
    305 static LIST_HEAD(acpi_gpio_deferred_req_irqs_list);
    306 @@ -137,8 +154,42 @@ bool acpi_gpio_get_irq_resource(struct acpi_resource *ares,
    307 }
    308 EXPORT_SYMBOL_GPL(acpi_gpio_get_irq_resource);
    309
    310 -static acpi_status acpi_gpiochip_request_interrupt(struct acpi_resource *ares,
    311 - void *context)
    312 +static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio,
    313 + struct acpi_gpio_event *event)
    314 +{
    315 + int ret, value;
    316 +
    317 + ret = request_threaded_irq(event->irq, NULL, event->handler,
    318 + event->irqflags, "ACPI:Event", event);
    319 + if (ret) {
    320 + dev_err(acpi_gpio->chip->parent,
    321 + "Failed to setup interrupt handler for %d\n",
    322 + event->irq);
    323 + return;
    324 + }
    325 +
    326 + if (event->irq_is_wake)
    327 + enable_irq_wake(event->irq);
    328 +
    329 + event->irq_requested = true;
    330 +
    331 + /* Make sure we trigger the initial state of edge-triggered IRQs */
    332 + value = gpiod_get_raw_value_cansleep(event->desc);
    333 + if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
    334 + ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
    335 + event->handler(event->irq, event);
    336 +}
    337 +
    338 +static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
    339 +{
    340 + struct acpi_gpio_event *event;
    341 +
    342 + list_for_each_entry(event, &acpi_gpio->events, node)
    343 + acpi_gpiochip_request_irq(acpi_gpio, event);
    344 +}
    345 +
    346 +static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares,
    347 + void *context)
    348 {
    349 struct acpi_gpio_chip *acpi_gpio = context;
    350 struct gpio_chip *chip = acpi_gpio->chip;
    351 @@ -147,8 +198,7 @@ static acpi_status acpi_gpiochip_request_interrupt(struct acpi_resource *ares,
    352 struct acpi_gpio_event *event;
    353 irq_handler_t handler = NULL;
    354 struct gpio_desc *desc;
    355 - unsigned long irqflags;
    356 - int ret, pin, irq, value;
    357 + int ret, pin, irq;
    358
    359 if (!acpi_gpio_get_irq_resource(ares, &agpio))
    360 return AE_OK;
    361 @@ -179,8 +229,6 @@ static acpi_status acpi_gpiochip_request_interrupt(struct acpi_resource *ares,
    362
    363 gpiod_direction_input(desc);
    364
    365 - value = gpiod_get_value_cansleep(desc);
    366 -
    367 ret = gpiochip_lock_as_irq(chip, pin);
    368 if (ret) {
    369 dev_err(chip->parent, "Failed to lock GPIO as interrupt\n");
    370 @@ -193,64 +241,42 @@ static acpi_status acpi_gpiochip_request_interrupt(struct acpi_resource *ares,
    371 goto fail_unlock_irq;
    372 }
    373
    374 - irqflags = IRQF_ONESHOT;
    375 + event = kzalloc(sizeof(*event), GFP_KERNEL);
    376 + if (!event)
    377 + goto fail_unlock_irq;
    378 +
    379 + event->irqflags = IRQF_ONESHOT;
    380 if (agpio->triggering == ACPI_LEVEL_SENSITIVE) {
    381 if (agpio->polarity == ACPI_ACTIVE_HIGH)
    382 - irqflags |= IRQF_TRIGGER_HIGH;
    383 + event->irqflags |= IRQF_TRIGGER_HIGH;
    384 else
    385 - irqflags |= IRQF_TRIGGER_LOW;
    386 + event->irqflags |= IRQF_TRIGGER_LOW;
    387 } else {
    388 switch (agpio->polarity) {
    389 case ACPI_ACTIVE_HIGH:
    390 - irqflags |= IRQF_TRIGGER_RISING;
    391 + event->irqflags |= IRQF_TRIGGER_RISING;
    392 break;
    393 case ACPI_ACTIVE_LOW:
    394 - irqflags |= IRQF_TRIGGER_FALLING;
    395 + event->irqflags |= IRQF_TRIGGER_FALLING;
    396 break;
    397 default:
    398 - irqflags |= IRQF_TRIGGER_RISING |
    399 - IRQF_TRIGGER_FALLING;
    400 + event->irqflags |= IRQF_TRIGGER_RISING |
    401 + IRQF_TRIGGER_FALLING;
    402 break;
    403 }
    404 }
    405
    406 - event = kzalloc(sizeof(*event), GFP_KERNEL);
    407 - if (!event)
    408 - goto fail_unlock_irq;
    409 -
    410 event->handle = evt_handle;
    411 + event->handler = handler;
    412 event->irq = irq;
    413 + event->irq_is_wake = agpio->wake_capable == ACPI_WAKE_CAPABLE;
    414 event->pin = pin;
    415 event->desc = desc;
    416
    417 - ret = request_threaded_irq(event->irq, NULL, handler, irqflags,
    418 - "ACPI:Event", event);
    419 - if (ret) {
    420 - dev_err(chip->parent,
    421 - "Failed to setup interrupt handler for %d\n",
    422 - event->irq);
    423 - goto fail_free_event;
    424 - }
    425 -
    426 - if (agpio->wake_capable == ACPI_WAKE_CAPABLE)
    427 - enable_irq_wake(irq);
    428 -
    429 list_add_tail(&event->node, &acpi_gpio->events);
    430
    431 - /*
    432 - * Make sure we trigger the initial state of the IRQ when using RISING
    433 - * or FALLING. Note we run the handlers on late_init, the AML code
    434 - * may refer to OperationRegions from other (builtin) drivers which
    435 - * may be probed after us.
    436 - */
    437 - if (((irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
    438 - ((irqflags & IRQF_TRIGGER_FALLING) && value == 0))
    439 - handler(event->irq, event);
    440 -
    441 return AE_OK;
    442
    443 -fail_free_event:
    444 - kfree(event);
    445 fail_unlock_irq:
    446 gpiochip_unlock_as_irq(chip, pin);
    447 fail_free_desc:
    448 @@ -287,6 +313,9 @@ void acpi_gpiochip_request_interrupts(struct gpio_chip *chip)
    449 if (ACPI_FAILURE(status))
    450 return;
    451
    452 + acpi_walk_resources(handle, "_AEI",
    453 + acpi_gpiochip_alloc_event, acpi_gpio);
    454 +
    455 mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
    456 defer = !acpi_gpio_deferred_req_irqs_done;
    457 if (defer)
    458 @@ -297,8 +326,7 @@ void acpi_gpiochip_request_interrupts(struct gpio_chip *chip)
    459 if (defer)
    460 return;
    461
    462 - acpi_walk_resources(handle, "_AEI",
    463 - acpi_gpiochip_request_interrupt, acpi_gpio);
    464 + acpi_gpiochip_request_irqs(acpi_gpio);
    465 }
    466 EXPORT_SYMBOL_GPL(acpi_gpiochip_request_interrupts);
    467
    468 @@ -335,10 +363,13 @@ void acpi_gpiochip_free_interrupts(struct gpio_chip *chip)
    469 list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
    470 struct gpio_desc *desc;
    471
    472 - if (irqd_is_wakeup_set(irq_get_irq_data(event->irq)))
    473 - disable_irq_wake(event->irq);
    474 + if (event->irq_requested) {
    475 + if (event->irq_is_wake)
    476 + disable_irq_wake(event->irq);
    477 +
    478 + free_irq(event->irq, event);
    479 + }
    480
    481 - free_irq(event->irq, event);
    482 desc = event->desc;
    483 if (WARN_ON(IS_ERR(desc)))
    484 continue;
    485 @@ -1204,23 +1235,16 @@ bool acpi_can_fallback_to_crs(struct acpi_device *adev, const char *con_id)
    486 return con_id == NULL;
    487 }
    488
    489 -/* Run deferred acpi_gpiochip_request_interrupts() */
    490 -static int acpi_gpio_handle_deferred_request_interrupts(void)
    491 +/* Run deferred acpi_gpiochip_request_irqs() */
    492 +static int acpi_gpio_handle_deferred_request_irqs(void)
    493 {
    494 struct acpi_gpio_chip *acpi_gpio, *tmp;
    495
    496 mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
    497 list_for_each_entry_safe(acpi_gpio, tmp,
    498 &acpi_gpio_deferred_req_irqs_list,
    499 - deferred_req_irqs_list_entry) {
    500 - acpi_handle handle;
    501 -
    502 - handle = ACPI_HANDLE(acpi_gpio->chip->parent);
    503 - acpi_walk_resources(handle, "_AEI",
    504 - acpi_gpiochip_request_interrupt, acpi_gpio);
    505 -
    506 - list_del_init(&acpi_gpio->deferred_req_irqs_list_entry);
    507 - }
    508 + deferred_req_irqs_list_entry)
    509 + acpi_gpiochip_request_irqs(acpi_gpio);
    510
    511 acpi_gpio_deferred_req_irqs_done = true;
    512 mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
    513 @@ -1228,4 +1252,4 @@ static int acpi_gpio_handle_deferred_request_interrupts(void)
    514 return 0;
    515 }
    516 /* We must use _sync so that this runs after the first deferred_probe run */
    517 -late_initcall_sync(acpi_gpio_handle_deferred_request_interrupts);
    518 +late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
    519 diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
    520 index ea10e9a26aad..ba129b64b61f 100644
    521 --- a/drivers/gpu/drm/drm_ioctl.c
    522 +++ b/drivers/gpu/drm/drm_ioctl.c
    523 @@ -37,6 +37,7 @@
    524
    525 #include <linux/pci.h>
    526 #include <linux/export.h>
    527 +#include <linux/nospec.h>
    528
    529 /**
    530 * DOC: getunique and setversion story
    531 @@ -794,13 +795,17 @@ long drm_ioctl(struct file *filp,
    532
    533 if (is_driver_ioctl) {
    534 /* driver ioctl */
    535 - if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
    536 + unsigned int index = nr - DRM_COMMAND_BASE;
    537 +
    538 + if (index >= dev->driver->num_ioctls)
    539 goto err_i1;
    540 - ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
    541 + index = array_index_nospec(index, dev->driver->num_ioctls);
    542 + ioctl = &dev->driver->ioctls[index];
    543 } else {
    544 /* core ioctl */
    545 if (nr >= DRM_CORE_IOCTL_COUNT)
    546 goto err_i1;
    547 + nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
    548 ioctl = &drm_ioctls[nr];
    549 }
    550
    551 @@ -882,6 +887,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
    552
    553 if (nr >= DRM_CORE_IOCTL_COUNT)
    554 return false;
    555 + nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
    556
    557 *flags = drm_ioctls[nr].flags;
    558 return true;
    559 diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
    560 index c71cc857b649..2c6d5c7a4445 100644
    561 --- a/drivers/hv/vmbus_drv.c
    562 +++ b/drivers/hv/vmbus_drv.c
    563 @@ -316,6 +316,8 @@ static ssize_t out_intr_mask_show(struct device *dev,
    564
    565 if (!hv_dev->channel)
    566 return -ENODEV;
    567 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    568 + return -EINVAL;
    569 hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
    570 return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
    571 }
    572 @@ -329,6 +331,8 @@ static ssize_t out_read_index_show(struct device *dev,
    573
    574 if (!hv_dev->channel)
    575 return -ENODEV;
    576 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    577 + return -EINVAL;
    578 hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
    579 return sprintf(buf, "%d\n", outbound.current_read_index);
    580 }
    581 @@ -343,6 +347,8 @@ static ssize_t out_write_index_show(struct device *dev,
    582
    583 if (!hv_dev->channel)
    584 return -ENODEV;
    585 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    586 + return -EINVAL;
    587 hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
    588 return sprintf(buf, "%d\n", outbound.current_write_index);
    589 }
    590 @@ -357,6 +363,8 @@ static ssize_t out_read_bytes_avail_show(struct device *dev,
    591
    592 if (!hv_dev->channel)
    593 return -ENODEV;
    594 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    595 + return -EINVAL;
    596 hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
    597 return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
    598 }
    599 @@ -371,6 +379,8 @@ static ssize_t out_write_bytes_avail_show(struct device *dev,
    600
    601 if (!hv_dev->channel)
    602 return -ENODEV;
    603 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    604 + return -EINVAL;
    605 hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
    606 return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
    607 }
    608 @@ -384,6 +394,8 @@ static ssize_t in_intr_mask_show(struct device *dev,
    609
    610 if (!hv_dev->channel)
    611 return -ENODEV;
    612 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    613 + return -EINVAL;
    614 hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
    615 return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
    616 }
    617 @@ -397,6 +409,8 @@ static ssize_t in_read_index_show(struct device *dev,
    618
    619 if (!hv_dev->channel)
    620 return -ENODEV;
    621 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    622 + return -EINVAL;
    623 hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
    624 return sprintf(buf, "%d\n", inbound.current_read_index);
    625 }
    626 @@ -410,6 +424,8 @@ static ssize_t in_write_index_show(struct device *dev,
    627
    628 if (!hv_dev->channel)
    629 return -ENODEV;
    630 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    631 + return -EINVAL;
    632 hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
    633 return sprintf(buf, "%d\n", inbound.current_write_index);
    634 }
    635 @@ -424,6 +440,8 @@ static ssize_t in_read_bytes_avail_show(struct device *dev,
    636
    637 if (!hv_dev->channel)
    638 return -ENODEV;
    639 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    640 + return -EINVAL;
    641 hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
    642 return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
    643 }
    644 @@ -438,6 +456,8 @@ static ssize_t in_write_bytes_avail_show(struct device *dev,
    645
    646 if (!hv_dev->channel)
    647 return -ENODEV;
    648 + if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
    649 + return -EINVAL;
    650 hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
    651 return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
    652 }
    653 diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
    654 index 2d95e8d93cc7..9fe075c137dc 100644
    655 --- a/drivers/input/mouse/elantech.c
    656 +++ b/drivers/input/mouse/elantech.c
    657 @@ -1767,6 +1767,18 @@ static int elantech_smbus = IS_ENABLED(CONFIG_MOUSE_ELAN_I2C_SMBUS) ?
    658 module_param_named(elantech_smbus, elantech_smbus, int, 0644);
    659 MODULE_PARM_DESC(elantech_smbus, "Use a secondary bus for the Elantech device.");
    660
    661 +static const char * const i2c_blacklist_pnp_ids[] = {
    662 + /*
    663 + * These are known to not be working properly as bits are missing
    664 + * in elan_i2c.
    665 + */
    666 + "LEN2131", /* ThinkPad P52 w/ NFC */
    667 + "LEN2132", /* ThinkPad P52 */
    668 + "LEN2133", /* ThinkPad P72 w/ NFC */
    669 + "LEN2134", /* ThinkPad P72 */
    670 + NULL
    671 +};
    672 +
    673 static int elantech_create_smbus(struct psmouse *psmouse,
    674 struct elantech_device_info *info,
    675 bool leave_breadcrumbs)
    676 @@ -1802,10 +1814,12 @@ static int elantech_setup_smbus(struct psmouse *psmouse,
    677
    678 if (elantech_smbus == ELANTECH_SMBUS_NOT_SET) {
    679 /*
    680 - * New ICs are enabled by default.
    681 + * New ICs are enabled by default, unless mentioned in
    682 + * i2c_blacklist_pnp_ids.
    683 * Old ICs are up to the user to decide.
    684 */
    685 - if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
    686 + if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version) ||
    687 + psmouse_matches_pnp_id(psmouse, i2c_blacklist_pnp_ids))
    688 return -ENXIO;
    689 }
    690
    691 diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
    692 index 30b15e91d8be..8e7a2a59cd32 100644
    693 --- a/drivers/media/i2c/ov5640.c
    694 +++ b/drivers/media/i2c/ov5640.c
    695 @@ -2020,6 +2020,7 @@ static int ov5640_set_fmt(struct v4l2_subdev *sd,
    696 struct ov5640_dev *sensor = to_ov5640_dev(sd);
    697 const struct ov5640_mode_info *new_mode;
    698 struct v4l2_mbus_framefmt *mbus_fmt = &format->format;
    699 + struct v4l2_mbus_framefmt *fmt;
    700 int ret;
    701
    702 if (format->pad != 0)
    703 @@ -2037,22 +2038,20 @@ static int ov5640_set_fmt(struct v4l2_subdev *sd,
    704 if (ret)
    705 goto out;
    706
    707 - if (format->which == V4L2_SUBDEV_FORMAT_TRY) {
    708 - struct v4l2_mbus_framefmt *fmt =
    709 - v4l2_subdev_get_try_format(sd, cfg, 0);
    710 + if (format->which == V4L2_SUBDEV_FORMAT_TRY)
    711 + fmt = v4l2_subdev_get_try_format(sd, cfg, 0);
    712 + else
    713 + fmt = &sensor->fmt;
    714
    715 - *fmt = *mbus_fmt;
    716 - goto out;
    717 - }
    718 + *fmt = *mbus_fmt;
    719
    720 if (new_mode != sensor->current_mode) {
    721 sensor->current_mode = new_mode;
    722 sensor->pending_mode_change = true;
    723 }
    724 - if (mbus_fmt->code != sensor->fmt.code) {
    725 - sensor->fmt = *mbus_fmt;
    726 + if (mbus_fmt->code != sensor->fmt.code)
    727 sensor->pending_fmt_change = true;
    728 - }
    729 +
    730 out:
    731 mutex_unlock(&sensor->lock);
    732 return ret;
    733 diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
    734 index bc1bd2c25613..55997cf84b39 100644
    735 --- a/drivers/mmc/core/mmc.c
    736 +++ b/drivers/mmc/core/mmc.c
    737 @@ -30,6 +30,7 @@
    738 #include "pwrseq.h"
    739
    740 #define DEFAULT_CMD6_TIMEOUT_MS 500
    741 +#define MIN_CACHE_EN_TIMEOUT_MS 1600
    742
    743 static const unsigned int tran_exp[] = {
    744 10000, 100000, 1000000, 10000000,
    745 @@ -526,8 +527,7 @@ static int mmc_decode_ext_csd(struct mmc_card *card, u8 *ext_csd)
    746 card->cid.year += 16;
    747
    748 /* check whether the eMMC card supports BKOPS */
    749 - if (!mmc_card_broken_hpi(card) &&
    750 - ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
    751 + if (ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
    752 card->ext_csd.bkops = 1;
    753 card->ext_csd.man_bkops_en =
    754 (ext_csd[EXT_CSD_BKOPS_EN] &
    755 @@ -1782,20 +1782,26 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr,
    756 if (err) {
    757 pr_warn("%s: Enabling HPI failed\n",
    758 mmc_hostname(card->host));
    759 + card->ext_csd.hpi_en = 0;
    760 err = 0;
    761 - } else
    762 + } else {
    763 card->ext_csd.hpi_en = 1;
    764 + }
    765 }
    766
    767 /*
    768 - * If cache size is higher than 0, this indicates
    769 - * the existence of cache and it can be turned on.
    770 + * If cache size is higher than 0, this indicates the existence of cache
    771 + * and it can be turned on. Note that some eMMCs from Micron has been
    772 + * reported to need ~800 ms timeout, while enabling the cache after
    773 + * sudden power failure tests. Let's extend the timeout to a minimum of
    774 + * DEFAULT_CACHE_EN_TIMEOUT_MS and do it for all cards.
    775 */
    776 - if (!mmc_card_broken_hpi(card) &&
    777 - card->ext_csd.cache_size > 0) {
    778 + if (card->ext_csd.cache_size > 0) {
    779 + unsigned int timeout_ms = MIN_CACHE_EN_TIMEOUT_MS;
    780 +
    781 + timeout_ms = max(card->ext_csd.generic_cmd6_time, timeout_ms);
    782 err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
    783 - EXT_CSD_CACHE_CTRL, 1,
    784 - card->ext_csd.generic_cmd6_time);
    785 + EXT_CSD_CACHE_CTRL, 1, timeout_ms);
    786 if (err && err != -EBADMSG)
    787 goto free_card;
    788
    789 diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
    790 index 68760d4a5d3d..b23c57e07f36 100644
    791 --- a/drivers/mmc/host/omap_hsmmc.c
    792 +++ b/drivers/mmc/host/omap_hsmmc.c
    793 @@ -2066,7 +2066,6 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
    794 mmc->max_blk_size = 512; /* Block Length at max can be 1024 */
    795 mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */
    796 mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
    797 - mmc->max_seg_size = mmc->max_req_size;
    798
    799 mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED |
    800 MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE | MMC_CAP_CMD23;
    801 @@ -2096,6 +2095,17 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
    802 goto err_irq;
    803 }
    804
    805 + /*
    806 + * Limit the maximum segment size to the lower of the request size
    807 + * and the DMA engine device segment size limits. In reality, with
    808 + * 32-bit transfers, the DMA engine can do longer segments than this
    809 + * but there is no way to represent that in the DMA model - if we
    810 + * increase this figure here, we get warnings from the DMA API debug.
    811 + */
    812 + mmc->max_seg_size = min3(mmc->max_req_size,
    813 + dma_get_max_seg_size(host->rx_chan->device->dev),
    814 + dma_get_max_seg_size(host->tx_chan->device->dev));
    815 +
    816 /* Request IRQ for MMC operations */
    817 ret = devm_request_irq(&pdev->dev, host->irq, omap_hsmmc_irq, 0,
    818 mmc_hostname(mmc), host);
    819 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
    820 index 184c24baca15..d6916f787fce 100644
    821 --- a/drivers/net/usb/hso.c
    822 +++ b/drivers/net/usb/hso.c
    823 @@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
    824 return -EIO;
    825 }
    826
    827 + /* check if we have a valid interface */
    828 + if (if_num > 16) {
    829 + kfree(config_data);
    830 + return -EINVAL;
    831 + }
    832 +
    833 switch (config_data[if_num]) {
    834 case 0x0:
    835 result = 0;
    836 @@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
    837
    838 /* Get the interface/port specification from either driver_info or from
    839 * the device itself */
    840 - if (id->driver_info)
    841 + if (id->driver_info) {
    842 + /* if_num is controlled by the device, driver_info is a 0 terminated
    843 + * array. Make sure, the access is in bounds! */
    844 + for (i = 0; i <= if_num; ++i)
    845 + if (((u32 *)(id->driver_info))[i] == 0)
    846 + goto exit;
    847 port_spec = ((u32 *)(id->driver_info))[if_num];
    848 - else
    849 + } else {
    850 port_spec = hso_get_config_data(interface);
    851 + if (port_spec < 0)
    852 + goto exit;
    853 + }
    854
    855 /* Check if we need to switch to alt interfaces prior to port
    856 * configuration */
    857 diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
    858 index 4d49a1a3f504..16c6c7f921a8 100644
    859 --- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
    860 +++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
    861 @@ -868,6 +868,15 @@ static int iwl_mvm_sar_geo_init(struct iwl_mvm *mvm)
    862 int ret, i, j;
    863 u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
    864
    865 + /*
    866 + * This command is not supported on earlier firmware versions.
    867 + * Unfortunately, we don't have a TLV API flag to rely on, so
    868 + * rely on the major version which is in the first byte of
    869 + * ucode_ver.
    870 + */
    871 + if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
    872 + return 0;
    873 +
    874 ret = iwl_mvm_sar_get_wgds_table(mvm);
    875 if (ret < 0) {
    876 IWL_DEBUG_RADIO(mvm,
    877 diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
    878 index b150da4c6721..5d65500a8aa7 100644
    879 --- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
    880 +++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
    881 @@ -518,6 +518,56 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
    882 {IWL_PCI_DEVICE(0x24FD, 0x9074, iwl8265_2ac_cfg)},
    883
    884 /* 9000 Series */
    885 + {IWL_PCI_DEVICE(0x02F0, 0x0030, iwl9560_2ac_cfg_soc)},
    886 + {IWL_PCI_DEVICE(0x02F0, 0x0034, iwl9560_2ac_cfg_soc)},
    887 + {IWL_PCI_DEVICE(0x02F0, 0x0038, iwl9560_2ac_cfg_soc)},
    888 + {IWL_PCI_DEVICE(0x02F0, 0x003C, iwl9560_2ac_cfg_soc)},
    889 + {IWL_PCI_DEVICE(0x02F0, 0x0060, iwl9461_2ac_cfg_soc)},
    890 + {IWL_PCI_DEVICE(0x02F0, 0x0064, iwl9461_2ac_cfg_soc)},
    891 + {IWL_PCI_DEVICE(0x02F0, 0x00A0, iwl9462_2ac_cfg_soc)},
    892 + {IWL_PCI_DEVICE(0x02F0, 0x00A4, iwl9462_2ac_cfg_soc)},
    893 + {IWL_PCI_DEVICE(0x02F0, 0x0230, iwl9560_2ac_cfg_soc)},
    894 + {IWL_PCI_DEVICE(0x02F0, 0x0234, iwl9560_2ac_cfg_soc)},
    895 + {IWL_PCI_DEVICE(0x02F0, 0x0238, iwl9560_2ac_cfg_soc)},
    896 + {IWL_PCI_DEVICE(0x02F0, 0x023C, iwl9560_2ac_cfg_soc)},
    897 + {IWL_PCI_DEVICE(0x02F0, 0x0260, iwl9461_2ac_cfg_soc)},
    898 + {IWL_PCI_DEVICE(0x02F0, 0x0264, iwl9461_2ac_cfg_soc)},
    899 + {IWL_PCI_DEVICE(0x02F0, 0x02A0, iwl9462_2ac_cfg_soc)},
    900 + {IWL_PCI_DEVICE(0x02F0, 0x02A4, iwl9462_2ac_cfg_soc)},
    901 + {IWL_PCI_DEVICE(0x02F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
    902 + {IWL_PCI_DEVICE(0x02F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
    903 + {IWL_PCI_DEVICE(0x02F0, 0x2030, iwl9560_2ac_cfg_soc)},
    904 + {IWL_PCI_DEVICE(0x02F0, 0x2034, iwl9560_2ac_cfg_soc)},
    905 + {IWL_PCI_DEVICE(0x02F0, 0x4030, iwl9560_2ac_cfg_soc)},
    906 + {IWL_PCI_DEVICE(0x02F0, 0x4034, iwl9560_2ac_cfg_soc)},
    907 + {IWL_PCI_DEVICE(0x02F0, 0x40A4, iwl9462_2ac_cfg_soc)},
    908 + {IWL_PCI_DEVICE(0x02F0, 0x4234, iwl9560_2ac_cfg_soc)},
    909 + {IWL_PCI_DEVICE(0x02F0, 0x42A4, iwl9462_2ac_cfg_soc)},
    910 + {IWL_PCI_DEVICE(0x06F0, 0x0030, iwl9560_2ac_cfg_soc)},
    911 + {IWL_PCI_DEVICE(0x06F0, 0x0034, iwl9560_2ac_cfg_soc)},
    912 + {IWL_PCI_DEVICE(0x06F0, 0x0038, iwl9560_2ac_cfg_soc)},
    913 + {IWL_PCI_DEVICE(0x06F0, 0x003C, iwl9560_2ac_cfg_soc)},
    914 + {IWL_PCI_DEVICE(0x06F0, 0x0060, iwl9461_2ac_cfg_soc)},
    915 + {IWL_PCI_DEVICE(0x06F0, 0x0064, iwl9461_2ac_cfg_soc)},
    916 + {IWL_PCI_DEVICE(0x06F0, 0x00A0, iwl9462_2ac_cfg_soc)},
    917 + {IWL_PCI_DEVICE(0x06F0, 0x00A4, iwl9462_2ac_cfg_soc)},
    918 + {IWL_PCI_DEVICE(0x06F0, 0x0230, iwl9560_2ac_cfg_soc)},
    919 + {IWL_PCI_DEVICE(0x06F0, 0x0234, iwl9560_2ac_cfg_soc)},
    920 + {IWL_PCI_DEVICE(0x06F0, 0x0238, iwl9560_2ac_cfg_soc)},
    921 + {IWL_PCI_DEVICE(0x06F0, 0x023C, iwl9560_2ac_cfg_soc)},
    922 + {IWL_PCI_DEVICE(0x06F0, 0x0260, iwl9461_2ac_cfg_soc)},
    923 + {IWL_PCI_DEVICE(0x06F0, 0x0264, iwl9461_2ac_cfg_soc)},
    924 + {IWL_PCI_DEVICE(0x06F0, 0x02A0, iwl9462_2ac_cfg_soc)},
    925 + {IWL_PCI_DEVICE(0x06F0, 0x02A4, iwl9462_2ac_cfg_soc)},
    926 + {IWL_PCI_DEVICE(0x06F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
    927 + {IWL_PCI_DEVICE(0x06F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
    928 + {IWL_PCI_DEVICE(0x06F0, 0x2030, iwl9560_2ac_cfg_soc)},
    929 + {IWL_PCI_DEVICE(0x06F0, 0x2034, iwl9560_2ac_cfg_soc)},
    930 + {IWL_PCI_DEVICE(0x06F0, 0x4030, iwl9560_2ac_cfg_soc)},
    931 + {IWL_PCI_DEVICE(0x06F0, 0x4034, iwl9560_2ac_cfg_soc)},
    932 + {IWL_PCI_DEVICE(0x06F0, 0x40A4, iwl9462_2ac_cfg_soc)},
    933 + {IWL_PCI_DEVICE(0x06F0, 0x4234, iwl9560_2ac_cfg_soc)},
    934 + {IWL_PCI_DEVICE(0x06F0, 0x42A4, iwl9462_2ac_cfg_soc)},
    935 {IWL_PCI_DEVICE(0x2526, 0x0010, iwl9260_2ac_cfg)},
    936 {IWL_PCI_DEVICE(0x2526, 0x0014, iwl9260_2ac_cfg)},
    937 {IWL_PCI_DEVICE(0x2526, 0x0018, iwl9260_2ac_cfg)},
    938 diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
    939 index e2addd8b878b..5d75c971004b 100644
    940 --- a/drivers/net/wireless/marvell/mwifiex/11n.c
    941 +++ b/drivers/net/wireless/marvell/mwifiex/11n.c
    942 @@ -696,11 +696,10 @@ void mwifiex_11n_delba(struct mwifiex_private *priv, int tid)
    943 "Send delba to tid=%d, %pM\n",
    944 tid, rx_reor_tbl_ptr->ta);
    945 mwifiex_send_delba(priv, tid, rx_reor_tbl_ptr->ta, 0);
    946 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    947 - flags);
    948 - return;
    949 + goto exit;
    950 }
    951 }
    952 +exit:
    953 spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    954 }
    955
    956 diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
    957 index 8e63d14c1e1c..5380fba652cc 100644
    958 --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
    959 +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
    960 @@ -103,8 +103,6 @@ static int mwifiex_11n_dispatch_pkt(struct mwifiex_private *priv, void *payload)
    961 * There could be holes in the buffer, which are skipped by the function.
    962 * Since the buffer is linear, the function uses rotation to simulate
    963 * circular buffer.
    964 - *
    965 - * The caller must hold rx_reorder_tbl_lock spinlock.
    966 */
    967 static void
    968 mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
    969 @@ -113,21 +111,25 @@ mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
    970 {
    971 int pkt_to_send, i;
    972 void *rx_tmp_ptr;
    973 + unsigned long flags;
    974
    975 pkt_to_send = (start_win > tbl->start_win) ?
    976 min((start_win - tbl->start_win), tbl->win_size) :
    977 tbl->win_size;
    978
    979 for (i = 0; i < pkt_to_send; ++i) {
    980 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    981 rx_tmp_ptr = NULL;
    982 if (tbl->rx_reorder_ptr[i]) {
    983 rx_tmp_ptr = tbl->rx_reorder_ptr[i];
    984 tbl->rx_reorder_ptr[i] = NULL;
    985 }
    986 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    987 if (rx_tmp_ptr)
    988 mwifiex_11n_dispatch_pkt(priv, rx_tmp_ptr);
    989 }
    990
    991 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    992 /*
    993 * We don't have a circular buffer, hence use rotation to simulate
    994 * circular buffer
    995 @@ -138,6 +140,7 @@ mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
    996 }
    997
    998 tbl->start_win = start_win;
    999 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1000 }
    1001
    1002 /*
    1003 @@ -147,8 +150,6 @@ mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
    1004 * The start window is adjusted automatically when a hole is located.
    1005 * Since the buffer is linear, the function uses rotation to simulate
    1006 * circular buffer.
    1007 - *
    1008 - * The caller must hold rx_reorder_tbl_lock spinlock.
    1009 */
    1010 static void
    1011 mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
    1012 @@ -156,15 +157,22 @@ mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
    1013 {
    1014 int i, j, xchg;
    1015 void *rx_tmp_ptr;
    1016 + unsigned long flags;
    1017
    1018 for (i = 0; i < tbl->win_size; ++i) {
    1019 - if (!tbl->rx_reorder_ptr[i])
    1020 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1021 + if (!tbl->rx_reorder_ptr[i]) {
    1022 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1023 + flags);
    1024 break;
    1025 + }
    1026 rx_tmp_ptr = tbl->rx_reorder_ptr[i];
    1027 tbl->rx_reorder_ptr[i] = NULL;
    1028 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1029 mwifiex_11n_dispatch_pkt(priv, rx_tmp_ptr);
    1030 }
    1031
    1032 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1033 /*
    1034 * We don't have a circular buffer, hence use rotation to simulate
    1035 * circular buffer
    1036 @@ -177,6 +185,7 @@ mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
    1037 }
    1038 }
    1039 tbl->start_win = (tbl->start_win + i) & (MAX_TID_VALUE - 1);
    1040 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1041 }
    1042
    1043 /*
    1044 @@ -184,8 +193,6 @@ mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
    1045 *
    1046 * The function stops the associated timer and dispatches all the
    1047 * pending packets in the Rx reorder table before deletion.
    1048 - *
    1049 - * The caller must hold rx_reorder_tbl_lock spinlock.
    1050 */
    1051 static void
    1052 mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv,
    1053 @@ -211,7 +218,11 @@ mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv,
    1054
    1055 del_timer_sync(&tbl->timer_context.timer);
    1056 tbl->timer_context.timer_is_set = false;
    1057 +
    1058 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1059 list_del(&tbl->list);
    1060 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1061 +
    1062 kfree(tbl->rx_reorder_ptr);
    1063 kfree(tbl);
    1064
    1065 @@ -224,17 +235,22 @@ mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv,
    1066 /*
    1067 * This function returns the pointer to an entry in Rx reordering
    1068 * table which matches the given TA/TID pair.
    1069 - *
    1070 - * The caller must hold rx_reorder_tbl_lock spinlock.
    1071 */
    1072 struct mwifiex_rx_reorder_tbl *
    1073 mwifiex_11n_get_rx_reorder_tbl(struct mwifiex_private *priv, int tid, u8 *ta)
    1074 {
    1075 struct mwifiex_rx_reorder_tbl *tbl;
    1076 + unsigned long flags;
    1077
    1078 - list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list)
    1079 - if (!memcmp(tbl->ta, ta, ETH_ALEN) && tbl->tid == tid)
    1080 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1081 + list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list) {
    1082 + if (!memcmp(tbl->ta, ta, ETH_ALEN) && tbl->tid == tid) {
    1083 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1084 + flags);
    1085 return tbl;
    1086 + }
    1087 + }
    1088 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1089
    1090 return NULL;
    1091 }
    1092 @@ -251,9 +267,14 @@ void mwifiex_11n_del_rx_reorder_tbl_by_ta(struct mwifiex_private *priv, u8 *ta)
    1093 return;
    1094
    1095 spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1096 - list_for_each_entry_safe(tbl, tmp, &priv->rx_reorder_tbl_ptr, list)
    1097 - if (!memcmp(tbl->ta, ta, ETH_ALEN))
    1098 + list_for_each_entry_safe(tbl, tmp, &priv->rx_reorder_tbl_ptr, list) {
    1099 + if (!memcmp(tbl->ta, ta, ETH_ALEN)) {
    1100 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1101 + flags);
    1102 mwifiex_del_rx_reorder_entry(priv, tbl);
    1103 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1104 + }
    1105 + }
    1106 spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1107
    1108 return;
    1109 @@ -262,18 +283,24 @@ void mwifiex_11n_del_rx_reorder_tbl_by_ta(struct mwifiex_private *priv, u8 *ta)
    1110 /*
    1111 * This function finds the last sequence number used in the packets
    1112 * buffered in Rx reordering table.
    1113 - *
    1114 - * The caller must hold rx_reorder_tbl_lock spinlock.
    1115 */
    1116 static int
    1117 mwifiex_11n_find_last_seq_num(struct reorder_tmr_cnxt *ctx)
    1118 {
    1119 struct mwifiex_rx_reorder_tbl *rx_reorder_tbl_ptr = ctx->ptr;
    1120 + struct mwifiex_private *priv = ctx->priv;
    1121 + unsigned long flags;
    1122 int i;
    1123
    1124 - for (i = rx_reorder_tbl_ptr->win_size - 1; i >= 0; --i)
    1125 - if (rx_reorder_tbl_ptr->rx_reorder_ptr[i])
    1126 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1127 + for (i = rx_reorder_tbl_ptr->win_size - 1; i >= 0; --i) {
    1128 + if (rx_reorder_tbl_ptr->rx_reorder_ptr[i]) {
    1129 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1130 + flags);
    1131 return i;
    1132 + }
    1133 + }
    1134 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1135
    1136 return -1;
    1137 }
    1138 @@ -291,22 +318,17 @@ mwifiex_flush_data(struct timer_list *t)
    1139 struct reorder_tmr_cnxt *ctx =
    1140 from_timer(ctx, t, timer);
    1141 int start_win, seq_num;
    1142 - unsigned long flags;
    1143
    1144 ctx->timer_is_set = false;
    1145 - spin_lock_irqsave(&ctx->priv->rx_reorder_tbl_lock, flags);
    1146 seq_num = mwifiex_11n_find_last_seq_num(ctx);
    1147
    1148 - if (seq_num < 0) {
    1149 - spin_unlock_irqrestore(&ctx->priv->rx_reorder_tbl_lock, flags);
    1150 + if (seq_num < 0)
    1151 return;
    1152 - }
    1153
    1154 mwifiex_dbg(ctx->priv->adapter, INFO, "info: flush data %d\n", seq_num);
    1155 start_win = (ctx->ptr->start_win + seq_num + 1) & (MAX_TID_VALUE - 1);
    1156 mwifiex_11n_dispatch_pkt_until_start_win(ctx->priv, ctx->ptr,
    1157 start_win);
    1158 - spin_unlock_irqrestore(&ctx->priv->rx_reorder_tbl_lock, flags);
    1159 }
    1160
    1161 /*
    1162 @@ -333,14 +355,11 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta,
    1163 * If we get a TID, ta pair which is already present dispatch all the
    1164 * the packets and move the window size until the ssn
    1165 */
    1166 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1167 tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta);
    1168 if (tbl) {
    1169 mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, seq_num);
    1170 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1171 return;
    1172 }
    1173 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1174 /* if !tbl then create one */
    1175 new_node = kzalloc(sizeof(struct mwifiex_rx_reorder_tbl), GFP_KERNEL);
    1176 if (!new_node)
    1177 @@ -551,20 +570,16 @@ int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
    1178 int prev_start_win, start_win, end_win, win_size;
    1179 u16 pkt_index;
    1180 bool init_window_shift = false;
    1181 - unsigned long flags;
    1182 int ret = 0;
    1183
    1184 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1185 tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta);
    1186 if (!tbl) {
    1187 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1188 if (pkt_type != PKT_TYPE_BAR)
    1189 mwifiex_11n_dispatch_pkt(priv, payload);
    1190 return ret;
    1191 }
    1192
    1193 if ((pkt_type == PKT_TYPE_AMSDU) && !tbl->amsdu) {
    1194 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1195 mwifiex_11n_dispatch_pkt(priv, payload);
    1196 return ret;
    1197 }
    1198 @@ -651,8 +666,6 @@ done:
    1199 if (!tbl->timer_context.timer_is_set ||
    1200 prev_start_win != tbl->start_win)
    1201 mwifiex_11n_rxreorder_timer_restart(tbl);
    1202 -
    1203 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1204 return ret;
    1205 }
    1206
    1207 @@ -681,18 +694,14 @@ mwifiex_del_ba_tbl(struct mwifiex_private *priv, int tid, u8 *peer_mac,
    1208 peer_mac, tid, initiator);
    1209
    1210 if (cleanup_rx_reorder_tbl) {
    1211 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1212 tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
    1213 peer_mac);
    1214 if (!tbl) {
    1215 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1216 - flags);
    1217 mwifiex_dbg(priv->adapter, EVENT,
    1218 "event: TID, TA not found in table\n");
    1219 return;
    1220 }
    1221 mwifiex_del_rx_reorder_entry(priv, tbl);
    1222 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1223 } else {
    1224 ptx_tbl = mwifiex_get_ba_tbl(priv, tid, peer_mac);
    1225 if (!ptx_tbl) {
    1226 @@ -726,7 +735,6 @@ int mwifiex_ret_11n_addba_resp(struct mwifiex_private *priv,
    1227 int tid, win_size;
    1228 struct mwifiex_rx_reorder_tbl *tbl;
    1229 uint16_t block_ack_param_set;
    1230 - unsigned long flags;
    1231
    1232 block_ack_param_set = le16_to_cpu(add_ba_rsp->block_ack_param_set);
    1233
    1234 @@ -740,20 +748,17 @@ int mwifiex_ret_11n_addba_resp(struct mwifiex_private *priv,
    1235 mwifiex_dbg(priv->adapter, ERROR, "ADDBA RSP: failed %pM tid=%d)\n",
    1236 add_ba_rsp->peer_mac_addr, tid);
    1237
    1238 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1239 tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
    1240 add_ba_rsp->peer_mac_addr);
    1241 if (tbl)
    1242 mwifiex_del_rx_reorder_entry(priv, tbl);
    1243
    1244 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1245 return 0;
    1246 }
    1247
    1248 win_size = (block_ack_param_set & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK)
    1249 >> BLOCKACKPARAM_WINSIZE_POS;
    1250
    1251 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1252 tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
    1253 add_ba_rsp->peer_mac_addr);
    1254 if (tbl) {
    1255 @@ -764,7 +769,6 @@ int mwifiex_ret_11n_addba_resp(struct mwifiex_private *priv,
    1256 else
    1257 tbl->amsdu = false;
    1258 }
    1259 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1260
    1261 mwifiex_dbg(priv->adapter, CMD,
    1262 "cmd: ADDBA RSP: %pM tid=%d ssn=%d win_size=%d\n",
    1263 @@ -804,8 +808,11 @@ void mwifiex_11n_cleanup_reorder_tbl(struct mwifiex_private *priv)
    1264
    1265 spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1266 list_for_each_entry_safe(del_tbl_ptr, tmp_node,
    1267 - &priv->rx_reorder_tbl_ptr, list)
    1268 + &priv->rx_reorder_tbl_ptr, list) {
    1269 + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1270 mwifiex_del_rx_reorder_entry(priv, del_tbl_ptr);
    1271 + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1272 + }
    1273 INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr);
    1274 spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1275
    1276 @@ -929,7 +936,6 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
    1277 int tlv_buf_left = len;
    1278 int ret;
    1279 u8 *tmp;
    1280 - unsigned long flags;
    1281
    1282 mwifiex_dbg_dump(priv->adapter, EVT_D, "RXBA_SYNC event:",
    1283 event_buf, len);
    1284 @@ -949,18 +955,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
    1285 tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
    1286 tlv_bitmap_len);
    1287
    1288 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1289 rx_reor_tbl_ptr =
    1290 mwifiex_11n_get_rx_reorder_tbl(priv, tlv_rxba->tid,
    1291 tlv_rxba->mac);
    1292 if (!rx_reor_tbl_ptr) {
    1293 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock,
    1294 - flags);
    1295 mwifiex_dbg(priv->adapter, ERROR,
    1296 "Can not find rx_reorder_tbl!");
    1297 return;
    1298 }
    1299 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1300
    1301 for (i = 0; i < tlv_bitmap_len; i++) {
    1302 for (j = 0 ; j < 8; j++) {
    1303 diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
    1304 index a83c5afc256a..5ce85d5727e4 100644
    1305 --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
    1306 +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
    1307 @@ -421,15 +421,12 @@ int mwifiex_process_uap_rx_packet(struct mwifiex_private *priv,
    1308 spin_unlock_irqrestore(&priv->sta_list_spinlock, flags);
    1309 }
    1310
    1311 - spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
    1312 if (!priv->ap_11n_enabled ||
    1313 (!mwifiex_11n_get_rx_reorder_tbl(priv, uap_rx_pd->priority, ta) &&
    1314 (le16_to_cpu(uap_rx_pd->rx_pkt_type) != PKT_TYPE_AMSDU))) {
    1315 ret = mwifiex_handle_uap_rx_forward(priv, skb);
    1316 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1317 return ret;
    1318 }
    1319 - spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
    1320
    1321 /* Reorder and send to kernel */
    1322 pkt_type = (u8)le16_to_cpu(uap_rx_pd->rx_pkt_type);
    1323 diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
    1324 index f4122c8fdd97..ef9b502ce576 100644
    1325 --- a/drivers/net/wireless/realtek/rtlwifi/base.c
    1326 +++ b/drivers/net/wireless/realtek/rtlwifi/base.c
    1327 @@ -2289,6 +2289,7 @@ void rtl_c2hcmd_enqueue(struct ieee80211_hw *hw, struct sk_buff *skb)
    1328
    1329 if (rtl_c2h_fast_cmd(hw, skb)) {
    1330 rtl_c2h_content_parsing(hw, skb);
    1331 + kfree_skb(skb);
    1332 return;
    1333 }
    1334
    1335 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
    1336 index 4a57ffecc7e6..5c9acb634ff7 100644
    1337 --- a/drivers/scsi/sd.c
    1338 +++ b/drivers/scsi/sd.c
    1339 @@ -132,6 +132,7 @@ static DEFINE_MUTEX(sd_ref_mutex);
    1340
    1341 static struct kmem_cache *sd_cdb_cache;
    1342 static mempool_t *sd_cdb_pool;
    1343 +static mempool_t *sd_page_pool;
    1344
    1345 static const char *sd_cache_types[] = {
    1346 "write through", "none", "write back",
    1347 @@ -758,9 +759,10 @@ static int sd_setup_unmap_cmnd(struct scsi_cmnd *cmd)
    1348 unsigned int data_len = 24;
    1349 char *buf;
    1350
    1351 - rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
    1352 + rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
    1353 if (!rq->special_vec.bv_page)
    1354 return BLKPREP_DEFER;
    1355 + clear_highpage(rq->special_vec.bv_page);
    1356 rq->special_vec.bv_offset = 0;
    1357 rq->special_vec.bv_len = data_len;
    1358 rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
    1359 @@ -791,9 +793,10 @@ static int sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, bool unmap)
    1360 u32 nr_sectors = blk_rq_sectors(rq) >> (ilog2(sdp->sector_size) - 9);
    1361 u32 data_len = sdp->sector_size;
    1362
    1363 - rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
    1364 + rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
    1365 if (!rq->special_vec.bv_page)
    1366 return BLKPREP_DEFER;
    1367 + clear_highpage(rq->special_vec.bv_page);
    1368 rq->special_vec.bv_offset = 0;
    1369 rq->special_vec.bv_len = data_len;
    1370 rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
    1371 @@ -821,9 +824,10 @@ static int sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, bool unmap)
    1372 u32 nr_sectors = blk_rq_sectors(rq) >> (ilog2(sdp->sector_size) - 9);
    1373 u32 data_len = sdp->sector_size;
    1374
    1375 - rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
    1376 + rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
    1377 if (!rq->special_vec.bv_page)
    1378 return BLKPREP_DEFER;
    1379 + clear_highpage(rq->special_vec.bv_page);
    1380 rq->special_vec.bv_offset = 0;
    1381 rq->special_vec.bv_len = data_len;
    1382 rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
    1383 @@ -1287,7 +1291,7 @@ static void sd_uninit_command(struct scsi_cmnd *SCpnt)
    1384 u8 *cmnd;
    1385
    1386 if (rq->rq_flags & RQF_SPECIAL_PAYLOAD)
    1387 - __free_page(rq->special_vec.bv_page);
    1388 + mempool_free(rq->special_vec.bv_page, sd_page_pool);
    1389
    1390 if (SCpnt->cmnd != scsi_req(rq)->cmd) {
    1391 cmnd = SCpnt->cmnd;
    1392 @@ -3635,6 +3639,13 @@ static int __init init_sd(void)
    1393 goto err_out_cache;
    1394 }
    1395
    1396 + sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0);
    1397 + if (!sd_page_pool) {
    1398 + printk(KERN_ERR "sd: can't init discard page pool\n");
    1399 + err = -ENOMEM;
    1400 + goto err_out_ppool;
    1401 + }
    1402 +
    1403 err = scsi_register_driver(&sd_template.gendrv);
    1404 if (err)
    1405 goto err_out_driver;
    1406 @@ -3642,6 +3653,9 @@ static int __init init_sd(void)
    1407 return 0;
    1408
    1409 err_out_driver:
    1410 + mempool_destroy(sd_page_pool);
    1411 +
    1412 +err_out_ppool:
    1413 mempool_destroy(sd_cdb_pool);
    1414
    1415 err_out_cache:
    1416 @@ -3668,6 +3682,7 @@ static void __exit exit_sd(void)
    1417
    1418 scsi_unregister_driver(&sd_template.gendrv);
    1419 mempool_destroy(sd_cdb_pool);
    1420 + mempool_destroy(sd_page_pool);
    1421 kmem_cache_destroy(sd_cdb_cache);
    1422
    1423 class_unregister(&sd_disk_class);
    1424 diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
    1425 index 94aca1b5ac8a..01b5818a4be5 100644
    1426 --- a/drivers/usb/host/xhci-hub.c
    1427 +++ b/drivers/usb/host/xhci-hub.c
    1428 @@ -1507,7 +1507,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
    1429 portsc_buf[port_index] = 0;
    1430
    1431 /* Bail out if a USB3 port has a new device in link training */
    1432 - if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
    1433 + if ((hcd->speed >= HCD_USB3) &&
    1434 + (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
    1435 bus_state->bus_suspended = 0;
    1436 spin_unlock_irqrestore(&xhci->lock, flags);
    1437 xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
    1438 diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
    1439 index c3ed7d1c9f65..e88060ea1e33 100644
    1440 --- a/drivers/usb/host/xhci.h
    1441 +++ b/drivers/usb/host/xhci.h
    1442 @@ -1860,6 +1860,8 @@ struct xhci_hcd {
    1443 unsigned sw_lpm_support:1;
    1444 /* support xHCI 1.0 spec USB2 hardware LPM */
    1445 unsigned hw_lpm_support:1;
    1446 + /* Broken Suspend flag for SNPS Suspend resume issue */
    1447 + unsigned broken_suspend:1;
    1448 /* cached usb2 extened protocol capabilites */
    1449 u32 *ext_caps;
    1450 unsigned int num_ext_caps;
    1451 @@ -1877,8 +1879,6 @@ struct xhci_hcd {
    1452 void *dbc;
    1453 /* platform-specific data -- must come last */
    1454 unsigned long priv[0] __aligned(sizeof(s64));
    1455 - /* Broken Suspend flag for SNPS Suspend resume issue */
    1456 - u8 broken_suspend;
    1457 };
    1458
    1459 /* Platform specific overrides to generic XHCI hc_driver ops */
    1460 diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
    1461 index e72ad9f81c73..17787dc349f8 100644
    1462 --- a/drivers/usb/serial/option.c
    1463 +++ b/drivers/usb/serial/option.c
    1464 @@ -1164,6 +1164,10 @@ static const struct usb_device_id option_ids[] = {
    1465 { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) },
    1466 { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
    1467 .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
    1468 + { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /* Telit LN940 (QMI) */
    1469 + .driver_info = NCTRL(0) | RSVD(1) },
    1470 + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */
    1471 + .driver_info = NCTRL(0) },
    1472 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
    1473 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff),
    1474 .driver_info = RSVD(1) },
    1475 @@ -1328,6 +1332,7 @@ static const struct usb_device_id option_ids[] = {
    1476 .driver_info = RSVD(4) },
    1477 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
    1478 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
    1479 + { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */
    1480 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
    1481 .driver_info = RSVD(4) },
    1482 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff),
    1483 @@ -1531,6 +1536,7 @@ static const struct usb_device_id option_ids[] = {
    1484 .driver_info = RSVD(2) },
    1485 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */
    1486 .driver_info = RSVD(2) },
    1487 + { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
    1488 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
    1489 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
    1490 { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
    1491 @@ -1758,6 +1764,7 @@ static const struct usb_device_id option_ids[] = {
    1492 { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
    1493 { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
    1494 .driver_info = RSVD(5) | RSVD(6) },
    1495 + { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom SIM7500/SIM7600 MBIM mode */
    1496 { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
    1497 .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
    1498 { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
    1499 @@ -1940,7 +1947,14 @@ static const struct usb_device_id option_ids[] = {
    1500 { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
    1501 { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
    1502 { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
    1503 - { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
    1504 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
    1505 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) }, /* HP lt4132 (Huawei ME906s-158) */
    1506 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
    1507 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
    1508 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
    1509 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
    1510 + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
    1511 + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
    1512 { } /* Terminating entry */
    1513 };
    1514 MODULE_DEVICE_TABLE(usb, option_ids);
    1515 diff --git a/fs/iomap.c b/fs/iomap.c
    1516 index 37da7a61a6c5..ec15cf2ec696 100644
    1517 --- a/fs/iomap.c
    1518 +++ b/fs/iomap.c
    1519 @@ -117,12 +117,6 @@ iomap_page_create(struct inode *inode, struct page *page)
    1520 atomic_set(&iop->read_count, 0);
    1521 atomic_set(&iop->write_count, 0);
    1522 bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
    1523 -
    1524 - /*
    1525 - * migrate_page_move_mapping() assumes that pages with private data have
    1526 - * their count elevated by 1.
    1527 - */
    1528 - get_page(page);
    1529 set_page_private(page, (unsigned long)iop);
    1530 SetPagePrivate(page);
    1531 return iop;
    1532 @@ -139,7 +133,6 @@ iomap_page_release(struct page *page)
    1533 WARN_ON_ONCE(atomic_read(&iop->write_count));
    1534 ClearPagePrivate(page);
    1535 set_page_private(page, 0);
    1536 - put_page(page);
    1537 kfree(iop);
    1538 }
    1539
    1540 diff --git a/fs/namei.c b/fs/namei.c
    1541 index 0cab6494978c..914178cdbe94 100644
    1542 --- a/fs/namei.c
    1543 +++ b/fs/namei.c
    1544 @@ -3701,8 +3701,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
    1545 if (error)
    1546 return error;
    1547
    1548 - if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
    1549 - !ns_capable(dentry->d_sb->s_user_ns, CAP_MKNOD))
    1550 + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
    1551 return -EPERM;
    1552
    1553 if (!dir->i_op->mknod)
    1554 diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
    1555 index 89921a0d2ebb..4d598a399bbf 100644
    1556 --- a/fs/proc/proc_sysctl.c
    1557 +++ b/fs/proc/proc_sysctl.c
    1558 @@ -464,7 +464,7 @@ static struct inode *proc_sys_make_inode(struct super_block *sb,
    1559
    1560 inode = new_inode(sb);
    1561 if (!inode)
    1562 - goto out;
    1563 + return ERR_PTR(-ENOMEM);
    1564
    1565 inode->i_ino = get_next_ino();
    1566
    1567 @@ -474,8 +474,7 @@ static struct inode *proc_sys_make_inode(struct super_block *sb,
    1568 if (unlikely(head->unregistering)) {
    1569 spin_unlock(&sysctl_lock);
    1570 iput(inode);
    1571 - inode = NULL;
    1572 - goto out;
    1573 + return ERR_PTR(-ENOENT);
    1574 }
    1575 ei->sysctl = head;
    1576 ei->sysctl_entry = table;
    1577 @@ -500,7 +499,6 @@ static struct inode *proc_sys_make_inode(struct super_block *sb,
    1578 if (root->set_ownership)
    1579 root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
    1580
    1581 -out:
    1582 return inode;
    1583 }
    1584
    1585 @@ -549,10 +547,11 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
    1586 goto out;
    1587 }
    1588
    1589 - err = ERR_PTR(-ENOMEM);
    1590 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
    1591 - if (!inode)
    1592 + if (IS_ERR(inode)) {
    1593 + err = ERR_CAST(inode);
    1594 goto out;
    1595 + }
    1596
    1597 d_set_d_op(dentry, &proc_sys_dentry_operations);
    1598 err = d_splice_alias(inode, dentry);
    1599 @@ -685,7 +684,7 @@ static bool proc_sys_fill_cache(struct file *file,
    1600 if (d_in_lookup(child)) {
    1601 struct dentry *res;
    1602 inode = proc_sys_make_inode(dir->d_sb, head, table);
    1603 - if (!inode) {
    1604 + if (IS_ERR(inode)) {
    1605 d_lookup_done(child);
    1606 dput(child);
    1607 return false;
    1608 diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
    1609 index 4844538eb926..c6f9b2225387 100644
    1610 --- a/fs/ubifs/replay.c
    1611 +++ b/fs/ubifs/replay.c
    1612 @@ -209,6 +209,38 @@ static int trun_remove_range(struct ubifs_info *c, struct replay_entry *r)
    1613 return ubifs_tnc_remove_range(c, &min_key, &max_key);
    1614 }
    1615
    1616 +/**
    1617 + * inode_still_linked - check whether inode in question will be re-linked.
    1618 + * @c: UBIFS file-system description object
    1619 + * @rino: replay entry to test
    1620 + *
    1621 + * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
    1622 + * This case needs special care, otherwise all references to the inode will
    1623 + * be removed upon the first replay entry of an inode with link count 0
    1624 + * is found.
    1625 + */
    1626 +static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
    1627 +{
    1628 + struct replay_entry *r;
    1629 +
    1630 + ubifs_assert(c, rino->deletion);
    1631 + ubifs_assert(c, key_type(c, &rino->key) == UBIFS_INO_KEY);
    1632 +
    1633 + /*
    1634 + * Find the most recent entry for the inode behind @rino and check
    1635 + * whether it is a deletion.
    1636 + */
    1637 + list_for_each_entry_reverse(r, &c->replay_list, list) {
    1638 + ubifs_assert(c, r->sqnum >= rino->sqnum);
    1639 + if (key_inum(c, &r->key) == key_inum(c, &rino->key))
    1640 + return r->deletion == 0;
    1641 +
    1642 + }
    1643 +
    1644 + ubifs_assert(c, 0);
    1645 + return false;
    1646 +}
    1647 +
    1648 /**
    1649 * apply_replay_entry - apply a replay entry to the TNC.
    1650 * @c: UBIFS file-system description object
    1651 @@ -236,6 +268,11 @@ static int apply_replay_entry(struct ubifs_info *c, struct replay_entry *r)
    1652 {
    1653 ino_t inum = key_inum(c, &r->key);
    1654
    1655 + if (inode_still_linked(c, r)) {
    1656 + err = 0;
    1657 + break;
    1658 + }
    1659 +
    1660 err = ubifs_tnc_remove_ino(c, inum);
    1661 break;
    1662 }
    1663 diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
    1664 index 89f3b03b1445..e3667c9a33a5 100644
    1665 --- a/include/asm-generic/4level-fixup.h
    1666 +++ b/include/asm-generic/4level-fixup.h
    1667 @@ -3,7 +3,7 @@
    1668 #define _4LEVEL_FIXUP_H
    1669
    1670 #define __ARCH_HAS_4LEVEL_HACK
    1671 -#define __PAGETABLE_PUD_FOLDED
    1672 +#define __PAGETABLE_PUD_FOLDED 1
    1673
    1674 #define PUD_SHIFT PGDIR_SHIFT
    1675 #define PUD_SIZE PGDIR_SIZE
    1676 diff --git a/include/asm-generic/5level-fixup.h b/include/asm-generic/5level-fixup.h
    1677 index 9c2e0708eb82..73474bb52344 100644
    1678 --- a/include/asm-generic/5level-fixup.h
    1679 +++ b/include/asm-generic/5level-fixup.h
    1680 @@ -3,7 +3,7 @@
    1681 #define _5LEVEL_FIXUP_H
    1682
    1683 #define __ARCH_HAS_5LEVEL_HACK
    1684 -#define __PAGETABLE_P4D_FOLDED
    1685 +#define __PAGETABLE_P4D_FOLDED 1
    1686
    1687 #define P4D_SHIFT PGDIR_SHIFT
    1688 #define P4D_SIZE PGDIR_SIZE
    1689 diff --git a/include/asm-generic/pgtable-nop4d-hack.h b/include/asm-generic/pgtable-nop4d-hack.h
    1690 index 0c34215263b8..1d6dd38c0e5e 100644
    1691 --- a/include/asm-generic/pgtable-nop4d-hack.h
    1692 +++ b/include/asm-generic/pgtable-nop4d-hack.h
    1693 @@ -5,7 +5,7 @@
    1694 #ifndef __ASSEMBLY__
    1695 #include <asm-generic/5level-fixup.h>
    1696
    1697 -#define __PAGETABLE_PUD_FOLDED
    1698 +#define __PAGETABLE_PUD_FOLDED 1
    1699
    1700 /*
    1701 * Having the pud type consist of a pgd gets the size right, and allows
    1702 diff --git a/include/asm-generic/pgtable-nop4d.h b/include/asm-generic/pgtable-nop4d.h
    1703 index 1a29b2a0282b..04cb913797bc 100644
    1704 --- a/include/asm-generic/pgtable-nop4d.h
    1705 +++ b/include/asm-generic/pgtable-nop4d.h
    1706 @@ -4,7 +4,7 @@
    1707
    1708 #ifndef __ASSEMBLY__
    1709
    1710 -#define __PAGETABLE_P4D_FOLDED
    1711 +#define __PAGETABLE_P4D_FOLDED 1
    1712
    1713 typedef struct { pgd_t pgd; } p4d_t;
    1714
    1715 diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
    1716 index f35f6e8149e4..b85b8271a73d 100644
    1717 --- a/include/asm-generic/pgtable-nopmd.h
    1718 +++ b/include/asm-generic/pgtable-nopmd.h
    1719 @@ -8,7 +8,7 @@
    1720
    1721 struct mm_struct;
    1722
    1723 -#define __PAGETABLE_PMD_FOLDED
    1724 +#define __PAGETABLE_PMD_FOLDED 1
    1725
    1726 /*
    1727 * Having the pmd type consist of a pud gets the size right, and allows
    1728 diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h
    1729 index e950b9c50f34..9bef475db6fe 100644
    1730 --- a/include/asm-generic/pgtable-nopud.h
    1731 +++ b/include/asm-generic/pgtable-nopud.h
    1732 @@ -9,7 +9,7 @@
    1733 #else
    1734 #include <asm-generic/pgtable-nop4d.h>
    1735
    1736 -#define __PAGETABLE_PUD_FOLDED
    1737 +#define __PAGETABLE_PUD_FOLDED 1
    1738
    1739 /*
    1740 * Having the pud type consist of a p4d gets the size right, and allows
    1741 diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
    1742 index 88ebc6102c7c..15fd0277ffa6 100644
    1743 --- a/include/asm-generic/pgtable.h
    1744 +++ b/include/asm-generic/pgtable.h
    1745 @@ -1127,4 +1127,20 @@ static inline bool arch_has_pfn_modify_check(void)
    1746 #endif
    1747 #endif
    1748
    1749 +/*
    1750 + * On some architectures it depends on the mm if the p4d/pud or pmd
    1751 + * layer of the page table hierarchy is folded or not.
    1752 + */
    1753 +#ifndef mm_p4d_folded
    1754 +#define mm_p4d_folded(mm) __is_defined(__PAGETABLE_P4D_FOLDED)
    1755 +#endif
    1756 +
    1757 +#ifndef mm_pud_folded
    1758 +#define mm_pud_folded(mm) __is_defined(__PAGETABLE_PUD_FOLDED)
    1759 +#endif
    1760 +
    1761 +#ifndef mm_pmd_folded
    1762 +#define mm_pmd_folded(mm) __is_defined(__PAGETABLE_PMD_FOLDED)
    1763 +#endif
    1764 +
    1765 #endif /* _ASM_GENERIC_PGTABLE_H */
    1766 diff --git a/include/linux/math64.h b/include/linux/math64.h
    1767 index 837f2f2d1d34..bb2c84afb80c 100644
    1768 --- a/include/linux/math64.h
    1769 +++ b/include/linux/math64.h
    1770 @@ -281,4 +281,7 @@ static inline u64 mul_u64_u32_div(u64 a, u32 mul, u32 divisor)
    1771 }
    1772 #endif /* mul_u64_u32_div */
    1773
    1774 +#define DIV64_U64_ROUND_UP(ll, d) \
    1775 + ({ u64 _tmp = (d); div64_u64((ll) + _tmp - 1, _tmp); })
    1776 +
    1777 #endif /* _LINUX_MATH64_H */
    1778 diff --git a/include/linux/mm.h b/include/linux/mm.h
    1779 index 0416a7204be3..e899460f1bc5 100644
    1780 --- a/include/linux/mm.h
    1781 +++ b/include/linux/mm.h
    1782 @@ -1724,11 +1724,15 @@ int __pud_alloc(struct mm_struct *mm, p4d_t *p4d, unsigned long address);
    1783
    1784 static inline void mm_inc_nr_puds(struct mm_struct *mm)
    1785 {
    1786 + if (mm_pud_folded(mm))
    1787 + return;
    1788 atomic_long_add(PTRS_PER_PUD * sizeof(pud_t), &mm->pgtables_bytes);
    1789 }
    1790
    1791 static inline void mm_dec_nr_puds(struct mm_struct *mm)
    1792 {
    1793 + if (mm_pud_folded(mm))
    1794 + return;
    1795 atomic_long_sub(PTRS_PER_PUD * sizeof(pud_t), &mm->pgtables_bytes);
    1796 }
    1797 #endif
    1798 @@ -1748,11 +1752,15 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address);
    1799
    1800 static inline void mm_inc_nr_pmds(struct mm_struct *mm)
    1801 {
    1802 + if (mm_pmd_folded(mm))
    1803 + return;
    1804 atomic_long_add(PTRS_PER_PMD * sizeof(pmd_t), &mm->pgtables_bytes);
    1805 }
    1806
    1807 static inline void mm_dec_nr_pmds(struct mm_struct *mm)
    1808 {
    1809 + if (mm_pmd_folded(mm))
    1810 + return;
    1811 atomic_long_sub(PTRS_PER_PMD * sizeof(pmd_t), &mm->pgtables_bytes);
    1812 }
    1813 #endif
    1814 diff --git a/include/linux/t10-pi.h b/include/linux/t10-pi.h
    1815 index b9626aa7e90c..3e2a80cc7b56 100644
    1816 --- a/include/linux/t10-pi.h
    1817 +++ b/include/linux/t10-pi.h
    1818 @@ -39,12 +39,13 @@ struct t10_pi_tuple {
    1819
    1820 static inline u32 t10_pi_ref_tag(struct request *rq)
    1821 {
    1822 + unsigned int shift = ilog2(queue_logical_block_size(rq->q));
    1823 +
    1824 #ifdef CONFIG_BLK_DEV_INTEGRITY
    1825 - return blk_rq_pos(rq) >>
    1826 - (rq->q->integrity.interval_exp - 9) & 0xffffffff;
    1827 -#else
    1828 - return -1U;
    1829 + if (rq->q->integrity.interval_exp)
    1830 + shift = rq->q->integrity.interval_exp;
    1831 #endif
    1832 + return blk_rq_pos(rq) >> (shift - SECTOR_SHIFT) & 0xffffffff;
    1833 }
    1834
    1835 extern const struct blk_integrity_profile t10_pi_type1_crc;
    1836 diff --git a/include/net/xfrm.h b/include/net/xfrm.h
    1837 index 0eb390c205af..da588def3c61 100644
    1838 --- a/include/net/xfrm.h
    1839 +++ b/include/net/xfrm.h
    1840 @@ -1552,6 +1552,7 @@ int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
    1841 int (*func)(struct xfrm_state *, int, void*), void *);
    1842 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
    1843 struct xfrm_state *xfrm_state_alloc(struct net *net);
    1844 +void xfrm_state_free(struct xfrm_state *x);
    1845 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
    1846 const xfrm_address_t *saddr,
    1847 const struct flowi *fl,
    1848 diff --git a/kernel/futex.c b/kernel/futex.c
    1849 index 11fc3bb456d6..f89abca89513 100644
    1850 --- a/kernel/futex.c
    1851 +++ b/kernel/futex.c
    1852 @@ -1148,11 +1148,65 @@ out_error:
    1853 return ret;
    1854 }
    1855
    1856 +static int handle_exit_race(u32 __user *uaddr, u32 uval,
    1857 + struct task_struct *tsk)
    1858 +{
    1859 + u32 uval2;
    1860 +
    1861 + /*
    1862 + * If PF_EXITPIDONE is not yet set, then try again.
    1863 + */
    1864 + if (tsk && !(tsk->flags & PF_EXITPIDONE))
    1865 + return -EAGAIN;
    1866 +
    1867 + /*
    1868 + * Reread the user space value to handle the following situation:
    1869 + *
    1870 + * CPU0 CPU1
    1871 + *
    1872 + * sys_exit() sys_futex()
    1873 + * do_exit() futex_lock_pi()
    1874 + * futex_lock_pi_atomic()
    1875 + * exit_signals(tsk) No waiters:
    1876 + * tsk->flags |= PF_EXITING; *uaddr == 0x00000PID
    1877 + * mm_release(tsk) Set waiter bit
    1878 + * exit_robust_list(tsk) { *uaddr = 0x80000PID;
    1879 + * Set owner died attach_to_pi_owner() {
    1880 + * *uaddr = 0xC0000000; tsk = get_task(PID);
    1881 + * } if (!tsk->flags & PF_EXITING) {
    1882 + * ... attach();
    1883 + * tsk->flags |= PF_EXITPIDONE; } else {
    1884 + * if (!(tsk->flags & PF_EXITPIDONE))
    1885 + * return -EAGAIN;
    1886 + * return -ESRCH; <--- FAIL
    1887 + * }
    1888 + *
    1889 + * Returning ESRCH unconditionally is wrong here because the
    1890 + * user space value has been changed by the exiting task.
    1891 + *
    1892 + * The same logic applies to the case where the exiting task is
    1893 + * already gone.
    1894 + */
    1895 + if (get_futex_value_locked(&uval2, uaddr))
    1896 + return -EFAULT;
    1897 +
    1898 + /* If the user space value has changed, try again. */
    1899 + if (uval2 != uval)
    1900 + return -EAGAIN;
    1901 +
    1902 + /*
    1903 + * The exiting task did not have a robust list, the robust list was
    1904 + * corrupted or the user space value in *uaddr is simply bogus.
    1905 + * Give up and tell user space.
    1906 + */
    1907 + return -ESRCH;
    1908 +}
    1909 +
    1910 /*
    1911 * Lookup the task for the TID provided from user space and attach to
    1912 * it after doing proper sanity checks.
    1913 */
    1914 -static int attach_to_pi_owner(u32 uval, union futex_key *key,
    1915 +static int attach_to_pi_owner(u32 __user *uaddr, u32 uval, union futex_key *key,
    1916 struct futex_pi_state **ps)
    1917 {
    1918 pid_t pid = uval & FUTEX_TID_MASK;
    1919 @@ -1162,12 +1216,15 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
    1920 /*
    1921 * We are the first waiter - try to look up the real owner and attach
    1922 * the new pi_state to it, but bail out when TID = 0 [1]
    1923 + *
    1924 + * The !pid check is paranoid. None of the call sites should end up
    1925 + * with pid == 0, but better safe than sorry. Let the caller retry
    1926 */
    1927 if (!pid)
    1928 - return -ESRCH;
    1929 + return -EAGAIN;
    1930 p = find_get_task_by_vpid(pid);
    1931 if (!p)
    1932 - return -ESRCH;
    1933 + return handle_exit_race(uaddr, uval, NULL);
    1934
    1935 if (unlikely(p->flags & PF_KTHREAD)) {
    1936 put_task_struct(p);
    1937 @@ -1187,7 +1244,7 @@ static int attach_to_pi_owner(u32 uval, union futex_key *key,
    1938 * set, we know that the task has finished the
    1939 * cleanup:
    1940 */
    1941 - int ret = (p->flags & PF_EXITPIDONE) ? -ESRCH : -EAGAIN;
    1942 + int ret = handle_exit_race(uaddr, uval, p);
    1943
    1944 raw_spin_unlock_irq(&p->pi_lock);
    1945 put_task_struct(p);
    1946 @@ -1244,7 +1301,7 @@ static int lookup_pi_state(u32 __user *uaddr, u32 uval,
    1947 * We are the first waiter - try to look up the owner based on
    1948 * @uval and attach to it.
    1949 */
    1950 - return attach_to_pi_owner(uval, key, ps);
    1951 + return attach_to_pi_owner(uaddr, uval, key, ps);
    1952 }
    1953
    1954 static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
    1955 @@ -1352,7 +1409,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
    1956 * attach to the owner. If that fails, no harm done, we only
    1957 * set the FUTEX_WAITERS bit in the user space variable.
    1958 */
    1959 - return attach_to_pi_owner(uval, key, ps);
    1960 + return attach_to_pi_owner(uaddr, newval, key, ps);
    1961 }
    1962
    1963 /**
    1964 diff --git a/kernel/panic.c b/kernel/panic.c
    1965 index 8b2e002d52eb..6a6df23acd1a 100644
    1966 --- a/kernel/panic.c
    1967 +++ b/kernel/panic.c
    1968 @@ -14,6 +14,7 @@
    1969 #include <linux/kmsg_dump.h>
    1970 #include <linux/kallsyms.h>
    1971 #include <linux/notifier.h>
    1972 +#include <linux/vt_kern.h>
    1973 #include <linux/module.h>
    1974 #include <linux/random.h>
    1975 #include <linux/ftrace.h>
    1976 @@ -233,7 +234,10 @@ void panic(const char *fmt, ...)
    1977 if (_crash_kexec_post_notifiers)
    1978 __crash_kexec(NULL);
    1979
    1980 - bust_spinlocks(0);
    1981 +#ifdef CONFIG_VT
    1982 + unblank_screen();
    1983 +#endif
    1984 + console_unblank();
    1985
    1986 /*
    1987 * We may have ended up stopping the CPU holding the lock (in
    1988 diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
    1989 index 4b9127e95430..5a01c4fdbfef 100644
    1990 --- a/kernel/time/posix-timers.c
    1991 +++ b/kernel/time/posix-timers.c
    1992 @@ -289,9 +289,6 @@ static void common_hrtimer_rearm(struct k_itimer *timr)
    1993 {
    1994 struct hrtimer *timer = &timr->it.real.timer;
    1995
    1996 - if (!timr->it_interval)
    1997 - return;
    1998 -
    1999 timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
    2000 timr->it_interval);
    2001 hrtimer_restart(timer);
    2002 @@ -317,7 +314,7 @@ void posixtimer_rearm(struct siginfo *info)
    2003 if (!timr)
    2004 return;
    2005
    2006 - if (timr->it_requeue_pending == info->si_sys_private) {
    2007 + if (timr->it_interval && timr->it_requeue_pending == info->si_sys_private) {
    2008 timr->kclock->timer_rearm(timr);
    2009
    2010 timr->it_active = 1;
    2011 diff --git a/mm/huge_memory.c b/mm/huge_memory.c
    2012 index 15310f14c25e..d2cd70cfaa90 100644
    2013 --- a/mm/huge_memory.c
    2014 +++ b/mm/huge_memory.c
    2015 @@ -2127,23 +2127,25 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
    2016 */
    2017 old_pmd = pmdp_invalidate(vma, haddr, pmd);
    2018
    2019 -#ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
    2020 pmd_migration = is_pmd_migration_entry(old_pmd);
    2021 - if (pmd_migration) {
    2022 + if (unlikely(pmd_migration)) {
    2023 swp_entry_t entry;
    2024
    2025 entry = pmd_to_swp_entry(old_pmd);
    2026 page = pfn_to_page(swp_offset(entry));
    2027 - } else
    2028 -#endif
    2029 + write = is_write_migration_entry(entry);
    2030 + young = false;
    2031 + soft_dirty = pmd_swp_soft_dirty(old_pmd);
    2032 + } else {
    2033 page = pmd_page(old_pmd);
    2034 + if (pmd_dirty(old_pmd))
    2035 + SetPageDirty(page);
    2036 + write = pmd_write(old_pmd);
    2037 + young = pmd_young(old_pmd);
    2038 + soft_dirty = pmd_soft_dirty(old_pmd);
    2039 + }
    2040 VM_BUG_ON_PAGE(!page_count(page), page);
    2041 page_ref_add(page, HPAGE_PMD_NR - 1);
    2042 - if (pmd_dirty(old_pmd))
    2043 - SetPageDirty(page);
    2044 - write = pmd_write(old_pmd);
    2045 - young = pmd_young(old_pmd);
    2046 - soft_dirty = pmd_soft_dirty(old_pmd);
    2047
    2048 /*
    2049 * Withdraw the table only after we mark the pmd entry invalid.
    2050 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
    2051 index 6a62b2421cdf..93e73ccb4dec 100644
    2052 --- a/mm/page_alloc.c
    2053 +++ b/mm/page_alloc.c
    2054 @@ -5538,6 +5538,18 @@ not_early:
    2055 cond_resched();
    2056 }
    2057 }
    2058 +#ifdef CONFIG_SPARSEMEM
    2059 + /*
    2060 + * If the zone does not span the rest of the section then
    2061 + * we should at least initialize those pages. Otherwise we
    2062 + * could blow up on a poisoned page in some paths which depend
    2063 + * on full sections being initialized (e.g. memory hotplug).
    2064 + */
    2065 + while (end_pfn % PAGES_PER_SECTION) {
    2066 + __init_single_page(pfn_to_page(end_pfn), end_pfn, zone, nid);
    2067 + end_pfn++;
    2068 + }
    2069 +#endif
    2070 }
    2071
    2072 static void __meminit zone_init_free_lists(struct zone *zone)
    2073 @@ -7704,11 +7716,14 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
    2074 * handle each tail page individually in migration.
    2075 */
    2076 if (PageHuge(page)) {
    2077 + struct page *head = compound_head(page);
    2078 + unsigned int skip_pages;
    2079
    2080 - if (!hugepage_migration_supported(page_hstate(page)))
    2081 + if (!hugepage_migration_supported(page_hstate(head)))
    2082 goto unmovable;
    2083
    2084 - iter = round_up(iter + 1, 1<<compound_order(page)) - 1;
    2085 + skip_pages = (1 << compound_order(head)) - (page - head);
    2086 + iter += skip_pages - 1;
    2087 continue;
    2088 }
    2089
    2090 diff --git a/mm/vmscan.c b/mm/vmscan.c
    2091 index c5ef7240cbcb..961401c46334 100644
    2092 --- a/mm/vmscan.c
    2093 +++ b/mm/vmscan.c
    2094 @@ -2456,9 +2456,11 @@ out:
    2095 /*
    2096 * Scan types proportional to swappiness and
    2097 * their relative recent reclaim efficiency.
    2098 + * Make sure we don't miss the last page
    2099 + * because of a round-off error.
    2100 */
    2101 - scan = div64_u64(scan * fraction[file],
    2102 - denominator);
    2103 + scan = DIV64_U64_ROUND_UP(scan * fraction[file],
    2104 + denominator);
    2105 break;
    2106 case SCAN_FILE:
    2107 case SCAN_ANON:
    2108 diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
    2109 index b669262682c9..7a34990a68b1 100644
    2110 --- a/net/xfrm/xfrm_state.c
    2111 +++ b/net/xfrm/xfrm_state.c
    2112 @@ -426,6 +426,12 @@ static void xfrm_put_mode(struct xfrm_mode *mode)
    2113 module_put(mode->owner);
    2114 }
    2115
    2116 +void xfrm_state_free(struct xfrm_state *x)
    2117 +{
    2118 + kmem_cache_free(xfrm_state_cache, x);
    2119 +}
    2120 +EXPORT_SYMBOL(xfrm_state_free);
    2121 +
    2122 static void xfrm_state_gc_destroy(struct xfrm_state *x)
    2123 {
    2124 tasklet_hrtimer_cancel(&x->mtimer);
    2125 @@ -452,7 +458,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
    2126 }
    2127 xfrm_dev_state_free(x);
    2128 security_xfrm_state_free(x);
    2129 - kmem_cache_free(xfrm_state_cache, x);
    2130 + xfrm_state_free(x);
    2131 }
    2132
    2133 static void xfrm_state_gc_task(struct work_struct *work)
    2134 diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
    2135 index df7ca2dabc48..566919838d5e 100644
    2136 --- a/net/xfrm/xfrm_user.c
    2137 +++ b/net/xfrm/xfrm_user.c
    2138 @@ -2288,13 +2288,13 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
    2139
    2140 }
    2141
    2142 - kfree(x);
    2143 + xfrm_state_free(x);
    2144 kfree(xp);
    2145
    2146 return 0;
    2147
    2148 free_state:
    2149 - kfree(x);
    2150 + xfrm_state_free(x);
    2151 nomem:
    2152 return err;
    2153 }