Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.19/0178-4.19.79-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.19/0178-4.19.79-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3475 - (show annotations) (download)
    Tue Oct 29 10:31:34 2019 UTC (4 years, 5 months ago) by niro
    File size: 143853 byte(s) 
    -linux-4.19.79
    1 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
    2 index e8ddf0ef232e..16607b178b47 100644
    3 --- a/Documentation/admin-guide/kernel-parameters.txt
    4 +++ b/Documentation/admin-guide/kernel-parameters.txt
    5 @@ -2503,8 +2503,8 @@
    6 http://repo.or.cz/w/linux-2.6/mini2440.git
    7
    8 mitigations=
    9 - [X86,PPC,S390] Control optional mitigations for CPU
    10 - vulnerabilities. This is a set of curated,
    11 + [X86,PPC,S390,ARM64] Control optional mitigations for
    12 + CPU vulnerabilities. This is a set of curated,
    13 arch-independent options, each of which is an
    14 aggregation of existing arch-specific options.
    15
    16 @@ -2513,12 +2513,14 @@
    17 improves system performance, but it may also
    18 expose users to several CPU vulnerabilities.
    19 Equivalent to: nopti [X86,PPC]
    20 + kpti=0 [ARM64]
    21 nospectre_v1 [PPC]
    22 nobp=0 [S390]
    23 nospectre_v1 [X86]
    24 - nospectre_v2 [X86,PPC,S390]
    25 + nospectre_v2 [X86,PPC,S390,ARM64]
    26 spectre_v2_user=off [X86]
    27 spec_store_bypass_disable=off [X86,PPC]
    28 + ssbd=force-off [ARM64]
    29 l1tf=off [X86]
    30 mds=off [X86]
    31
    32 @@ -2866,10 +2868,10 @@
    33 (bounds check bypass). With this option data leaks
    34 are possible in the system.
    35
    36 - nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2
    37 - (indirect branch prediction) vulnerability. System may
    38 - allow data leaks with this option, which is equivalent
    39 - to spectre_v2=off.
    40 + nospectre_v2 [X86,PPC_FSL_BOOK3E,ARM64] Disable all mitigations for
    41 + the Spectre variant 2 (indirect branch prediction)
    42 + vulnerability. System may allow data leaks with this
    43 + option.
    44
    45 nospec_store_bypass_disable
    46 [HW] Disable all mitigations for the Speculative Store Bypass vulnerability
    47 diff --git a/Documentation/arm64/elf_hwcaps.txt b/Documentation/arm64/elf_hwcaps.txt
    48 index d6aff2c5e9e2..6feaffe90e22 100644
    49 --- a/Documentation/arm64/elf_hwcaps.txt
    50 +++ b/Documentation/arm64/elf_hwcaps.txt
    51 @@ -178,3 +178,7 @@ HWCAP_ILRCPC
    52 HWCAP_FLAGM
    53
    54 Functionality implied by ID_AA64ISAR0_EL1.TS == 0b0001.
    55 +
    56 +HWCAP_SSBS
    57 +
    58 + Functionality implied by ID_AA64PFR1_EL1.SSBS == 0b0010.
    59 diff --git a/Makefile b/Makefile
    60 index 440c5b5c4f4b..4d29c7370b46 100644
    61 --- a/Makefile
    62 +++ b/Makefile
    63 @@ -1,7 +1,7 @@
    64 # SPDX-License-Identifier: GPL-2.0
    65 VERSION = 4
    66 PATCHLEVEL = 19
    67 -SUBLEVEL = 78
    68 +SUBLEVEL = 79
    69 EXTRAVERSION =
    70 NAME = "People's Front"
    71
    72 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
    73 index e3ebece79617..51fe21f5d078 100644
    74 --- a/arch/arm64/Kconfig
    75 +++ b/arch/arm64/Kconfig
    76 @@ -84,6 +84,7 @@ config ARM64
    77 select GENERIC_CLOCKEVENTS
    78 select GENERIC_CLOCKEVENTS_BROADCAST
    79 select GENERIC_CPU_AUTOPROBE
    80 + select GENERIC_CPU_VULNERABILITIES
    81 select GENERIC_EARLY_IOREMAP
    82 select GENERIC_IDLE_POLL_SETUP
    83 select GENERIC_IRQ_MULTI_HANDLER
    84 diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h
    85 index 25ce9056cf64..c3de0bbf0e9a 100644
    86 --- a/arch/arm64/include/asm/cpucaps.h
    87 +++ b/arch/arm64/include/asm/cpucaps.h
    88 @@ -52,7 +52,8 @@
    89 #define ARM64_MISMATCHED_CACHE_TYPE 31
    90 #define ARM64_HAS_STAGE2_FWB 32
    91 #define ARM64_WORKAROUND_1463225 33
    92 +#define ARM64_SSBS 34
    93
    94 -#define ARM64_NCAPS 34
    95 +#define ARM64_NCAPS 35
    96
    97 #endif /* __ASM_CPUCAPS_H */
    98 diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
    99 index 510f687d269a..dda6e5056810 100644
    100 --- a/arch/arm64/include/asm/cpufeature.h
    101 +++ b/arch/arm64/include/asm/cpufeature.h
    102 @@ -525,11 +525,7 @@ static inline int arm64_get_ssbd_state(void)
    103 #endif
    104 }
    105
    106 -#ifdef CONFIG_ARM64_SSBD
    107 void arm64_set_ssbd_mitigation(bool state);
    108 -#else
    109 -static inline void arm64_set_ssbd_mitigation(bool state) {}
    110 -#endif
    111
    112 #endif /* __ASSEMBLY__ */
    113
    114 diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
    115 index 6abe4002945f..367b2e0b6d76 100644
    116 --- a/arch/arm64/include/asm/kvm_host.h
    117 +++ b/arch/arm64/include/asm/kvm_host.h
    118 @@ -398,6 +398,8 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr);
    119
    120 DECLARE_PER_CPU(kvm_cpu_context_t, kvm_host_cpu_state);
    121
    122 +void __kvm_enable_ssbs(void);
    123 +
    124 static inline void __cpu_init_hyp_mode(phys_addr_t pgd_ptr,
    125 unsigned long hyp_stack_ptr,
    126 unsigned long vector_ptr)
    127 @@ -418,6 +420,15 @@ static inline void __cpu_init_hyp_mode(phys_addr_t pgd_ptr,
    128 */
    129 BUG_ON(!static_branch_likely(&arm64_const_caps_ready));
    130 __kvm_call_hyp((void *)pgd_ptr, hyp_stack_ptr, vector_ptr, tpidr_el2);
    131 +
    132 + /*
    133 + * Disabling SSBD on a non-VHE system requires us to enable SSBS
    134 + * at EL2.
    135 + */
    136 + if (!has_vhe() && this_cpu_has_cap(ARM64_SSBS) &&
    137 + arm64_get_ssbd_state() == ARM64_SSBD_FORCE_DISABLE) {
    138 + kvm_call_hyp(__kvm_enable_ssbs);
    139 + }
    140 }
    141
    142 static inline bool kvm_arch_check_sve_has_vhe(void)
    143 diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
    144 index def5a5e807f0..773ea8e0e442 100644
    145 --- a/arch/arm64/include/asm/processor.h
    146 +++ b/arch/arm64/include/asm/processor.h
    147 @@ -177,11 +177,25 @@ static inline void start_thread_common(struct pt_regs *regs, unsigned long pc)
    148 regs->pc = pc;
    149 }
    150
    151 +static inline void set_ssbs_bit(struct pt_regs *regs)
    152 +{
    153 + regs->pstate |= PSR_SSBS_BIT;
    154 +}
    155 +
    156 +static inline void set_compat_ssbs_bit(struct pt_regs *regs)
    157 +{
    158 + regs->pstate |= PSR_AA32_SSBS_BIT;
    159 +}
    160 +
    161 static inline void start_thread(struct pt_regs *regs, unsigned long pc,
    162 unsigned long sp)
    163 {
    164 start_thread_common(regs, pc);
    165 regs->pstate = PSR_MODE_EL0t;
    166 +
    167 + if (arm64_get_ssbd_state() != ARM64_SSBD_FORCE_ENABLE)
    168 + set_ssbs_bit(regs);
    169 +
    170 regs->sp = sp;
    171 }
    172
    173 @@ -198,6 +212,9 @@ static inline void compat_start_thread(struct pt_regs *regs, unsigned long pc,
    174 regs->pstate |= PSR_AA32_E_BIT;
    175 #endif
    176
    177 + if (arm64_get_ssbd_state() != ARM64_SSBD_FORCE_ENABLE)
    178 + set_compat_ssbs_bit(regs);
    179 +
    180 regs->compat_sp = sp;
    181 }
    182 #endif
    183 diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
    184 index 177b851ca6d9..6bc43889d11e 100644
    185 --- a/arch/arm64/include/asm/ptrace.h
    186 +++ b/arch/arm64/include/asm/ptrace.h
    187 @@ -50,6 +50,7 @@
    188 #define PSR_AA32_I_BIT 0x00000080
    189 #define PSR_AA32_A_BIT 0x00000100
    190 #define PSR_AA32_E_BIT 0x00000200
    191 +#define PSR_AA32_SSBS_BIT 0x00800000
    192 #define PSR_AA32_DIT_BIT 0x01000000
    193 #define PSR_AA32_Q_BIT 0x08000000
    194 #define PSR_AA32_V_BIT 0x10000000
    195 diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
    196 index c1470931b897..3091ae5975a3 100644
    197 --- a/arch/arm64/include/asm/sysreg.h
    198 +++ b/arch/arm64/include/asm/sysreg.h
    199 @@ -86,11 +86,14 @@
    200
    201 #define REG_PSTATE_PAN_IMM sys_reg(0, 0, 4, 0, 4)
    202 #define REG_PSTATE_UAO_IMM sys_reg(0, 0, 4, 0, 3)
    203 +#define REG_PSTATE_SSBS_IMM sys_reg(0, 3, 4, 0, 1)
    204
    205 #define SET_PSTATE_PAN(x) __emit_inst(0xd5000000 | REG_PSTATE_PAN_IMM | \
    206 (!!x)<<8 | 0x1f)
    207 #define SET_PSTATE_UAO(x) __emit_inst(0xd5000000 | REG_PSTATE_UAO_IMM | \
    208 (!!x)<<8 | 0x1f)
    209 +#define SET_PSTATE_SSBS(x) __emit_inst(0xd5000000 | REG_PSTATE_SSBS_IMM | \
    210 + (!!x)<<8 | 0x1f)
    211
    212 #define SYS_DC_ISW sys_insn(1, 0, 7, 6, 2)
    213 #define SYS_DC_CSW sys_insn(1, 0, 7, 10, 2)
    214 @@ -419,6 +422,7 @@
    215 #define SYS_ICH_LR15_EL2 __SYS__LR8_EL2(7)
    216
    217 /* Common SCTLR_ELx flags. */
    218 +#define SCTLR_ELx_DSSBS (1UL << 44)
    219 #define SCTLR_ELx_EE (1 << 25)
    220 #define SCTLR_ELx_IESB (1 << 21)
    221 #define SCTLR_ELx_WXN (1 << 19)
    222 @@ -439,7 +443,7 @@
    223 (1 << 10) | (1 << 13) | (1 << 14) | (1 << 15) | \
    224 (1 << 17) | (1 << 20) | (1 << 24) | (1 << 26) | \
    225 (1 << 27) | (1 << 30) | (1 << 31) | \
    226 - (0xffffffffUL << 32))
    227 + (0xffffefffUL << 32))
    228
    229 #ifdef CONFIG_CPU_BIG_ENDIAN
    230 #define ENDIAN_SET_EL2 SCTLR_ELx_EE
    231 @@ -453,7 +457,7 @@
    232 #define SCTLR_EL2_SET (SCTLR_ELx_IESB | ENDIAN_SET_EL2 | SCTLR_EL2_RES1)
    233 #define SCTLR_EL2_CLEAR (SCTLR_ELx_M | SCTLR_ELx_A | SCTLR_ELx_C | \
    234 SCTLR_ELx_SA | SCTLR_ELx_I | SCTLR_ELx_WXN | \
    235 - ENDIAN_CLEAR_EL2 | SCTLR_EL2_RES0)
    236 + SCTLR_ELx_DSSBS | ENDIAN_CLEAR_EL2 | SCTLR_EL2_RES0)
    237
    238 #if (SCTLR_EL2_SET ^ SCTLR_EL2_CLEAR) != 0xffffffffffffffff
    239 #error "Inconsistent SCTLR_EL2 set/clear bits"
    240 @@ -477,7 +481,7 @@
    241 (1 << 29))
    242 #define SCTLR_EL1_RES0 ((1 << 6) | (1 << 10) | (1 << 13) | (1 << 17) | \
    243 (1 << 27) | (1 << 30) | (1 << 31) | \
    244 - (0xffffffffUL << 32))
    245 + (0xffffefffUL << 32))
    246
    247 #ifdef CONFIG_CPU_BIG_ENDIAN
    248 #define ENDIAN_SET_EL1 (SCTLR_EL1_E0E | SCTLR_ELx_EE)
    249 @@ -494,7 +498,7 @@
    250 ENDIAN_SET_EL1 | SCTLR_EL1_UCI | SCTLR_EL1_RES1)
    251 #define SCTLR_EL1_CLEAR (SCTLR_ELx_A | SCTLR_EL1_CP15BEN | SCTLR_EL1_ITD |\
    252 SCTLR_EL1_UMA | SCTLR_ELx_WXN | ENDIAN_CLEAR_EL1 |\
    253 - SCTLR_EL1_RES0)
    254 + SCTLR_ELx_DSSBS | SCTLR_EL1_RES0)
    255
    256 #if (SCTLR_EL1_SET ^ SCTLR_EL1_CLEAR) != 0xffffffffffffffff
    257 #error "Inconsistent SCTLR_EL1 set/clear bits"
    258 @@ -544,6 +548,13 @@
    259 #define ID_AA64PFR0_EL0_64BIT_ONLY 0x1
    260 #define ID_AA64PFR0_EL0_32BIT_64BIT 0x2
    261
    262 +/* id_aa64pfr1 */
    263 +#define ID_AA64PFR1_SSBS_SHIFT 4
    264 +
    265 +#define ID_AA64PFR1_SSBS_PSTATE_NI 0
    266 +#define ID_AA64PFR1_SSBS_PSTATE_ONLY 1
    267 +#define ID_AA64PFR1_SSBS_PSTATE_INSNS 2
    268 +
    269 /* id_aa64mmfr0 */
    270 #define ID_AA64MMFR0_TGRAN4_SHIFT 28
    271 #define ID_AA64MMFR0_TGRAN64_SHIFT 24
    272 diff --git a/arch/arm64/include/uapi/asm/hwcap.h b/arch/arm64/include/uapi/asm/hwcap.h
    273 index 17c65c8f33cb..2bcd6e4f3474 100644
    274 --- a/arch/arm64/include/uapi/asm/hwcap.h
    275 +++ b/arch/arm64/include/uapi/asm/hwcap.h
    276 @@ -48,5 +48,6 @@
    277 #define HWCAP_USCAT (1 << 25)
    278 #define HWCAP_ILRCPC (1 << 26)
    279 #define HWCAP_FLAGM (1 << 27)
    280 +#define HWCAP_SSBS (1 << 28)
    281
    282 #endif /* _UAPI__ASM_HWCAP_H */
    283 diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
    284 index 5dff8eccd17d..b0fd1d300154 100644
    285 --- a/arch/arm64/include/uapi/asm/ptrace.h
    286 +++ b/arch/arm64/include/uapi/asm/ptrace.h
    287 @@ -46,6 +46,7 @@
    288 #define PSR_I_BIT 0x00000080
    289 #define PSR_A_BIT 0x00000100
    290 #define PSR_D_BIT 0x00000200
    291 +#define PSR_SSBS_BIT 0x00001000
    292 #define PSR_PAN_BIT 0x00400000
    293 #define PSR_UAO_BIT 0x00800000
    294 #define PSR_V_BIT 0x10000000
    295 diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
    296 index dc6c535cbd13..9ccf16939d13 100644
    297 --- a/arch/arm64/kernel/cpu_errata.c
    298 +++ b/arch/arm64/kernel/cpu_errata.c
    299 @@ -19,6 +19,7 @@
    300 #include <linux/arm-smccc.h>
    301 #include <linux/psci.h>
    302 #include <linux/types.h>
    303 +#include <linux/cpu.h>
    304 #include <asm/cpu.h>
    305 #include <asm/cputype.h>
    306 #include <asm/cpufeature.h>
    307 @@ -87,7 +88,6 @@ cpu_enable_trap_ctr_access(const struct arm64_cpu_capabilities *__unused)
    308
    309 atomic_t arm64_el2_vector_last_slot = ATOMIC_INIT(-1);
    310
    311 -#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
    312 #include <asm/mmu_context.h>
    313 #include <asm/cacheflush.h>
    314
    315 @@ -109,9 +109,9 @@ static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start,
    316 __flush_icache_range((uintptr_t)dst, (uintptr_t)dst + SZ_2K);
    317 }
    318
    319 -static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
    320 - const char *hyp_vecs_start,
    321 - const char *hyp_vecs_end)
    322 +static void install_bp_hardening_cb(bp_hardening_cb_t fn,
    323 + const char *hyp_vecs_start,
    324 + const char *hyp_vecs_end)
    325 {
    326 static DEFINE_SPINLOCK(bp_lock);
    327 int cpu, slot = -1;
    328 @@ -138,7 +138,7 @@ static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
    329 #define __smccc_workaround_1_smc_start NULL
    330 #define __smccc_workaround_1_smc_end NULL
    331
    332 -static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
    333 +static void install_bp_hardening_cb(bp_hardening_cb_t fn,
    334 const char *hyp_vecs_start,
    335 const char *hyp_vecs_end)
    336 {
    337 @@ -146,23 +146,6 @@ static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
    338 }
    339 #endif /* CONFIG_KVM_INDIRECT_VECTORS */
    340
    341 -static void install_bp_hardening_cb(const struct arm64_cpu_capabilities *entry,
    342 - bp_hardening_cb_t fn,
    343 - const char *hyp_vecs_start,
    344 - const char *hyp_vecs_end)
    345 -{
    346 - u64 pfr0;
    347 -
    348 - if (!entry->matches(entry, SCOPE_LOCAL_CPU))
    349 - return;
    350 -
    351 - pfr0 = read_cpuid(ID_AA64PFR0_EL1);
    352 - if (cpuid_feature_extract_unsigned_field(pfr0, ID_AA64PFR0_CSV2_SHIFT))
    353 - return;
    354 -
    355 - __install_bp_hardening_cb(fn, hyp_vecs_start, hyp_vecs_end);
    356 -}
    357 -
    358 #include <uapi/linux/psci.h>
    359 #include <linux/arm-smccc.h>
    360 #include <linux/psci.h>
    361 @@ -189,60 +172,83 @@ static void qcom_link_stack_sanitization(void)
    362 : "=&r" (tmp));
    363 }
    364
    365 -static void
    366 -enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
    367 +static bool __nospectre_v2;
    368 +static int __init parse_nospectre_v2(char *str)
    369 +{
    370 + __nospectre_v2 = true;
    371 + return 0;
    372 +}
    373 +early_param("nospectre_v2", parse_nospectre_v2);
    374 +
    375 +/*
    376 + * -1: No workaround
    377 + * 0: No workaround required
    378 + * 1: Workaround installed
    379 + */
    380 +static int detect_harden_bp_fw(void)
    381 {
    382 bp_hardening_cb_t cb;
    383 void *smccc_start, *smccc_end;
    384 struct arm_smccc_res res;
    385 u32 midr = read_cpuid_id();
    386
    387 - if (!entry->matches(entry, SCOPE_LOCAL_CPU))
    388 - return;
    389 -
    390 if (psci_ops.smccc_version == SMCCC_VERSION_1_0)
    391 - return;
    392 + return -1;
    393
    394 switch (psci_ops.conduit) {
    395 case PSCI_CONDUIT_HVC:
    396 arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
    397 ARM_SMCCC_ARCH_WORKAROUND_1, &res);
    398 - if ((int)res.a0 < 0)
    399 - return;
    400 - cb = call_hvc_arch_workaround_1;
    401 - /* This is a guest, no need to patch KVM vectors */
    402 - smccc_start = NULL;
    403 - smccc_end = NULL;
    404 + switch ((int)res.a0) {
    405 + case 1:
    406 + /* Firmware says we're just fine */
    407 + return 0;
    408 + case 0:
    409 + cb = call_hvc_arch_workaround_1;
    410 + /* This is a guest, no need to patch KVM vectors */
    411 + smccc_start = NULL;
    412 + smccc_end = NULL;
    413 + break;
    414 + default:
    415 + return -1;
    416 + }
    417 break;
    418
    419 case PSCI_CONDUIT_SMC:
    420 arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
    421 ARM_SMCCC_ARCH_WORKAROUND_1, &res);
    422 - if ((int)res.a0 < 0)
    423 - return;
    424 - cb = call_smc_arch_workaround_1;
    425 - smccc_start = __smccc_workaround_1_smc_start;
    426 - smccc_end = __smccc_workaround_1_smc_end;
    427 + switch ((int)res.a0) {
    428 + case 1:
    429 + /* Firmware says we're just fine */
    430 + return 0;
    431 + case 0:
    432 + cb = call_smc_arch_workaround_1;
    433 + smccc_start = __smccc_workaround_1_smc_start;
    434 + smccc_end = __smccc_workaround_1_smc_end;
    435 + break;
    436 + default:
    437 + return -1;
    438 + }
    439 break;
    440
    441 default:
    442 - return;
    443 + return -1;
    444 }
    445
    446 if (((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR) ||
    447 ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1))
    448 cb = qcom_link_stack_sanitization;
    449
    450 - install_bp_hardening_cb(entry, cb, smccc_start, smccc_end);
    451 + if (IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR))
    452 + install_bp_hardening_cb(cb, smccc_start, smccc_end);
    453
    454 - return;
    455 + return 1;
    456 }
    457 -#endif /* CONFIG_HARDEN_BRANCH_PREDICTOR */
    458
    459 -#ifdef CONFIG_ARM64_SSBD
    460 DEFINE_PER_CPU_READ_MOSTLY(u64, arm64_ssbd_callback_required);
    461
    462 int ssbd_state __read_mostly = ARM64_SSBD_KERNEL;
    463 +static bool __ssb_safe = true;
    464
    465 static const struct ssbd_options {
    466 const char *str;
    467 @@ -312,6 +318,19 @@ void __init arm64_enable_wa2_handling(struct alt_instr *alt,
    468
    469 void arm64_set_ssbd_mitigation(bool state)
    470 {
    471 + if (!IS_ENABLED(CONFIG_ARM64_SSBD)) {
    472 + pr_info_once("SSBD disabled by kernel configuration\n");
    473 + return;
    474 + }
    475 +
    476 + if (this_cpu_has_cap(ARM64_SSBS)) {
    477 + if (state)
    478 + asm volatile(SET_PSTATE_SSBS(0));
    479 + else
    480 + asm volatile(SET_PSTATE_SSBS(1));
    481 + return;
    482 + }
    483 +
    484 switch (psci_ops.conduit) {
    485 case PSCI_CONDUIT_HVC:
    486 arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_WORKAROUND_2, state, NULL);
    487 @@ -333,11 +352,28 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    488 struct arm_smccc_res res;
    489 bool required = true;
    490 s32 val;
    491 + bool this_cpu_safe = false;
    492
    493 WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
    494
    495 + if (cpu_mitigations_off())
    496 + ssbd_state = ARM64_SSBD_FORCE_DISABLE;
    497 +
    498 + /* delay setting __ssb_safe until we get a firmware response */
    499 + if (is_midr_in_range_list(read_cpuid_id(), entry->midr_range_list))
    500 + this_cpu_safe = true;
    501 +
    502 + if (this_cpu_has_cap(ARM64_SSBS)) {
    503 + if (!this_cpu_safe)
    504 + __ssb_safe = false;
    505 + required = false;
    506 + goto out_printmsg;
    507 + }
    508 +
    509 if (psci_ops.smccc_version == SMCCC_VERSION_1_0) {
    510 ssbd_state = ARM64_SSBD_UNKNOWN;
    511 + if (!this_cpu_safe)
    512 + __ssb_safe = false;
    513 return false;
    514 }
    515
    516 @@ -354,6 +390,8 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    517
    518 default:
    519 ssbd_state = ARM64_SSBD_UNKNOWN;
    520 + if (!this_cpu_safe)
    521 + __ssb_safe = false;
    522 return false;
    523 }
    524
    525 @@ -362,14 +400,18 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    526 switch (val) {
    527 case SMCCC_RET_NOT_SUPPORTED:
    528 ssbd_state = ARM64_SSBD_UNKNOWN;
    529 + if (!this_cpu_safe)
    530 + __ssb_safe = false;
    531 return false;
    532
    533 + /* machines with mixed mitigation requirements must not return this */
    534 case SMCCC_RET_NOT_REQUIRED:
    535 pr_info_once("%s mitigation not required\n", entry->desc);
    536 ssbd_state = ARM64_SSBD_MITIGATED;
    537 return false;
    538
    539 case SMCCC_RET_SUCCESS:
    540 + __ssb_safe = false;
    541 required = true;
    542 break;
    543
    544 @@ -379,12 +421,13 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    545
    546 default:
    547 WARN_ON(1);
    548 + if (!this_cpu_safe)
    549 + __ssb_safe = false;
    550 return false;
    551 }
    552
    553 switch (ssbd_state) {
    554 case ARM64_SSBD_FORCE_DISABLE:
    555 - pr_info_once("%s disabled from command-line\n", entry->desc);
    556 arm64_set_ssbd_mitigation(false);
    557 required = false;
    558 break;
    559 @@ -397,7 +440,6 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    560 break;
    561
    562 case ARM64_SSBD_FORCE_ENABLE:
    563 - pr_info_once("%s forced from command-line\n", entry->desc);
    564 arm64_set_ssbd_mitigation(true);
    565 required = true;
    566 break;
    567 @@ -407,9 +449,27 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
    568 break;
    569 }
    570
    571 +out_printmsg:
    572 + switch (ssbd_state) {
    573 + case ARM64_SSBD_FORCE_DISABLE:
    574 + pr_info_once("%s disabled from command-line\n", entry->desc);
    575 + break;
    576 +
    577 + case ARM64_SSBD_FORCE_ENABLE:
    578 + pr_info_once("%s forced from command-line\n", entry->desc);
    579 + break;
    580 + }
    581 +
    582 return required;
    583 }
    584 -#endif /* CONFIG_ARM64_SSBD */
    585 +
    586 +/* known invulnerable cores */
    587 +static const struct midr_range arm64_ssb_cpus[] = {
    588 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
    589 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
    590 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
    591 + {},
    592 +};
    593
    594 #ifdef CONFIG_ARM64_ERRATUM_1463225
    595 DEFINE_PER_CPU(int, __in_cortex_a76_erratum_1463225_wa);
    596 @@ -464,6 +524,10 @@ has_cortex_a76_erratum_1463225(const struct arm64_cpu_capabilities *entry,
    597 .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, \
    598 CAP_MIDR_RANGE_LIST(midr_list)
    599
    600 +/* Track overall mitigation state. We are only mitigated if all cores are ok */
    601 +static bool __hardenbp_enab = true;
    602 +static bool __spectrev2_safe = true;
    603 +
    604 /*
    605 * Generic helper for handling capabilties with multiple (match,enable) pairs
    606 * of call backs, sharing the same capability bit.
    607 @@ -496,26 +560,63 @@ multi_entry_cap_cpu_enable(const struct arm64_cpu_capabilities *entry)
    608 caps->cpu_enable(caps);
    609 }
    610
    611 -#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
    612 -
    613 /*
    614 - * List of CPUs where we need to issue a psci call to
    615 - * harden the branch predictor.
    616 + * List of CPUs that do not need any Spectre-v2 mitigation at all.
    617 */
    618 -static const struct midr_range arm64_bp_harden_smccc_cpus[] = {
    619 - MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
    620 - MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
    621 - MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
    622 - MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
    623 - MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN),
    624 - MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2),
    625 - MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR_V1),
    626 - MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR),
    627 - MIDR_ALL_VERSIONS(MIDR_NVIDIA_DENVER),
    628 - {},
    629 +static const struct midr_range spectre_v2_safe_list[] = {
    630 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
    631 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
    632 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
    633 + { /* sentinel */ }
    634 };
    635
    636 -#endif
    637 +/*
    638 + * Track overall bp hardening for all heterogeneous cores in the machine.
    639 + * We are only considered "safe" if all booted cores are known safe.
    640 + */
    641 +static bool __maybe_unused
    642 +check_branch_predictor(const struct arm64_cpu_capabilities *entry, int scope)
    643 +{
    644 + int need_wa;
    645 +
    646 + WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
    647 +
    648 + /* If the CPU has CSV2 set, we're safe */
    649 + if (cpuid_feature_extract_unsigned_field(read_cpuid(ID_AA64PFR0_EL1),
    650 + ID_AA64PFR0_CSV2_SHIFT))
    651 + return false;
    652 +
    653 + /* Alternatively, we have a list of unaffected CPUs */
    654 + if (is_midr_in_range_list(read_cpuid_id(), spectre_v2_safe_list))
    655 + return false;
    656 +
    657 + /* Fallback to firmware detection */
    658 + need_wa = detect_harden_bp_fw();
    659 + if (!need_wa)
    660 + return false;
    661 +
    662 + __spectrev2_safe = false;
    663 +
    664 + if (!IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR)) {
    665 + pr_warn_once("spectrev2 mitigation disabled by kernel configuration\n");
    666 + __hardenbp_enab = false;
    667 + return false;
    668 + }
    669 +
    670 + /* forced off */
    671 + if (__nospectre_v2 || cpu_mitigations_off()) {
    672 + pr_info_once("spectrev2 mitigation disabled by command line option\n");
    673 + __hardenbp_enab = false;
    674 + return false;
    675 + }
    676 +
    677 + if (need_wa < 0) {
    678 + pr_warn_once("ARM_SMCCC_ARCH_WORKAROUND_1 missing from firmware\n");
    679 + __hardenbp_enab = false;
    680 + }
    681 +
    682 + return (need_wa > 0);
    683 +}
    684
    685 #ifdef CONFIG_HARDEN_EL2_VECTORS
    686
    687 @@ -674,13 +775,11 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
    688 ERRATA_MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
    689 },
    690 #endif
    691 -#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
    692 {
    693 .capability = ARM64_HARDEN_BRANCH_PREDICTOR,
    694 - .cpu_enable = enable_smccc_arch_workaround_1,
    695 - ERRATA_MIDR_RANGE_LIST(arm64_bp_harden_smccc_cpus),
    696 + .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
    697 + .matches = check_branch_predictor,
    698 },
    699 -#endif
    700 #ifdef CONFIG_HARDEN_EL2_VECTORS
    701 {
    702 .desc = "EL2 vector hardening",
    703 @@ -688,14 +787,13 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
    704 ERRATA_MIDR_RANGE_LIST(arm64_harden_el2_vectors),
    705 },
    706 #endif
    707 -#ifdef CONFIG_ARM64_SSBD
    708 {
    709 .desc = "Speculative Store Bypass Disable",
    710 .capability = ARM64_SSBD,
    711 .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
    712 .matches = has_ssbd_mitigation,
    713 + .midr_range_list = arm64_ssb_cpus,
    714 },
    715 -#endif
    716 #ifdef CONFIG_ARM64_ERRATUM_1463225
    717 {
    718 .desc = "ARM erratum 1463225",
    719 @@ -707,3 +805,38 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
    720 {
    721 }
    722 };
    723 +
    724 +ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr,
    725 + char *buf)
    726 +{
    727 + return sprintf(buf, "Mitigation: __user pointer sanitization\n");
    728 +}
    729 +
    730 +ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,
    731 + char *buf)
    732 +{
    733 + if (__spectrev2_safe)
    734 + return sprintf(buf, "Not affected\n");
    735 +
    736 + if (__hardenbp_enab)
    737 + return sprintf(buf, "Mitigation: Branch predictor hardening\n");
    738 +
    739 + return sprintf(buf, "Vulnerable\n");
    740 +}
    741 +
    742 +ssize_t cpu_show_spec_store_bypass(struct device *dev,
    743 + struct device_attribute *attr, char *buf)
    744 +{
    745 + if (__ssb_safe)
    746 + return sprintf(buf, "Not affected\n");
    747 +
    748 + switch (ssbd_state) {
    749 + case ARM64_SSBD_KERNEL:
    750 + case ARM64_SSBD_FORCE_ENABLE:
    751 + if (IS_ENABLED(CONFIG_ARM64_SSBD))
    752 + return sprintf(buf,
    753 + "Mitigation: Speculative Store Bypass disabled via prctl\n");
    754 + }
    755 +
    756 + return sprintf(buf, "Vulnerable\n");
    757 +}
    758 diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
    759 index a897efdb3ddd..ff5beb59b3dc 100644
    760 --- a/arch/arm64/kernel/cpufeature.c
    761 +++ b/arch/arm64/kernel/cpufeature.c
    762 @@ -24,6 +24,7 @@
    763 #include <linux/stop_machine.h>
    764 #include <linux/types.h>
    765 #include <linux/mm.h>
    766 +#include <linux/cpu.h>
    767 #include <asm/cpu.h>
    768 #include <asm/cpufeature.h>
    769 #include <asm/cpu_ops.h>
    770 @@ -164,6 +165,11 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = {
    771 ARM64_FTR_END,
    772 };
    773
    774 +static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = {
    775 + ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR1_SSBS_SHIFT, 4, ID_AA64PFR1_SSBS_PSTATE_NI),
    776 + ARM64_FTR_END,
    777 +};
    778 +
    779 static const struct arm64_ftr_bits ftr_id_aa64mmfr0[] = {
    780 /*
    781 * We already refuse to boot CPUs that don't support our configured
    782 @@ -379,7 +385,7 @@ static const struct __ftr_reg_entry {
    783
    784 /* Op1 = 0, CRn = 0, CRm = 4 */
    785 ARM64_FTR_REG(SYS_ID_AA64PFR0_EL1, ftr_id_aa64pfr0),
    786 - ARM64_FTR_REG(SYS_ID_AA64PFR1_EL1, ftr_raz),
    787 + ARM64_FTR_REG(SYS_ID_AA64PFR1_EL1, ftr_id_aa64pfr1),
    788 ARM64_FTR_REG(SYS_ID_AA64ZFR0_EL1, ftr_raz),
    789
    790 /* Op1 = 0, CRn = 0, CRm = 5 */
    791 @@ -669,7 +675,6 @@ void update_cpu_features(int cpu,
    792
    793 /*
    794 * EL3 is not our concern.
    795 - * ID_AA64PFR1 is currently RES0.
    796 */
    797 taint |= check_update_ftr_reg(SYS_ID_AA64PFR0_EL1, cpu,
    798 info->reg_id_aa64pfr0, boot->reg_id_aa64pfr0);
    799 @@ -885,7 +890,7 @@ static bool has_cache_dic(const struct arm64_cpu_capabilities *entry,
    800 return ctr & BIT(CTR_DIC_SHIFT);
    801 }
    802
    803 -#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
    804 +static bool __meltdown_safe = true;
    805 static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
    806
    807 static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
    808 @@ -903,7 +908,17 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
    809 MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
    810 { /* sentinel */ }
    811 };
    812 - char const *str = "command line option";
    813 + char const *str = "kpti command line option";
    814 + bool meltdown_safe;
    815 +
    816 + meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);
    817 +
    818 + /* Defer to CPU feature registers */
    819 + if (has_cpuid_feature(entry, scope))
    820 + meltdown_safe = true;
    821 +
    822 + if (!meltdown_safe)
    823 + __meltdown_safe = false;
    824
    825 /*
    826 * For reasons that aren't entirely clear, enabling KPTI on Cavium
    827 @@ -915,6 +930,24 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
    828 __kpti_forced = -1;
    829 }
    830
    831 + /* Useful for KASLR robustness */
    832 + if (IS_ENABLED(CONFIG_RANDOMIZE_BASE) && kaslr_offset() > 0) {
    833 + if (!__kpti_forced) {
    834 + str = "KASLR";
    835 + __kpti_forced = 1;
    836 + }
    837 + }
    838 +
    839 + if (cpu_mitigations_off() && !__kpti_forced) {
    840 + str = "mitigations=off";
    841 + __kpti_forced = -1;
    842 + }
    843 +
    844 + if (!IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0)) {
    845 + pr_info_once("kernel page table isolation disabled by kernel configuration\n");
    846 + return false;
    847 + }
    848 +
    849 /* Forced? */
    850 if (__kpti_forced) {
    851 pr_info_once("kernel page table isolation forced %s by %s\n",
    852 @@ -922,18 +955,10 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
    853 return __kpti_forced > 0;
    854 }
    855
    856 - /* Useful for KASLR robustness */
    857 - if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
    858 - return true;
    859 -
    860 - /* Don't force KPTI for CPUs that are not vulnerable */
    861 - if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))
    862 - return false;
    863 -
    864 - /* Defer to CPU feature registers */
    865 - return !has_cpuid_feature(entry, scope);
    866 + return !meltdown_safe;
    867 }
    868
    869 +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
    870 static void
    871 kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused)
    872 {
    873 @@ -958,6 +983,12 @@ kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused)
    874
    875 return;
    876 }
    877 +#else
    878 +static void
    879 +kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused)
    880 +{
    881 +}
    882 +#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
    883
    884 static int __init parse_kpti(char *str)
    885 {
    886 @@ -971,7 +1002,6 @@ static int __init parse_kpti(char *str)
    887 return 0;
    888 }
    889 early_param("kpti", parse_kpti);
    890 -#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
    891
    892 #ifdef CONFIG_ARM64_HW_AFDBM
    893 static inline void __cpu_enable_hw_dbm(void)
    894 @@ -1067,6 +1097,48 @@ static void cpu_has_fwb(const struct arm64_cpu_capabilities *__unused)
    895 WARN_ON(val & (7 << 27 | 7 << 21));
    896 }
    897
    898 +#ifdef CONFIG_ARM64_SSBD
    899 +static int ssbs_emulation_handler(struct pt_regs *regs, u32 instr)
    900 +{
    901 + if (user_mode(regs))
    902 + return 1;
    903 +
    904 + if (instr & BIT(CRm_shift))
    905 + regs->pstate |= PSR_SSBS_BIT;
    906 + else
    907 + regs->pstate &= ~PSR_SSBS_BIT;
    908 +
    909 + arm64_skip_faulting_instruction(regs, 4);
    910 + return 0;
    911 +}
    912 +
    913 +static struct undef_hook ssbs_emulation_hook = {
    914 + .instr_mask = ~(1U << CRm_shift),
    915 + .instr_val = 0xd500001f | REG_PSTATE_SSBS_IMM,
    916 + .fn = ssbs_emulation_handler,
    917 +};
    918 +
    919 +static void cpu_enable_ssbs(const struct arm64_cpu_capabilities *__unused)
    920 +{
    921 + static bool undef_hook_registered = false;
    922 + static DEFINE_SPINLOCK(hook_lock);
    923 +
    924 + spin_lock(&hook_lock);
    925 + if (!undef_hook_registered) {
    926 + register_undef_hook(&ssbs_emulation_hook);
    927 + undef_hook_registered = true;
    928 + }
    929 + spin_unlock(&hook_lock);
    930 +
    931 + if (arm64_get_ssbd_state() == ARM64_SSBD_FORCE_DISABLE) {
    932 + sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_DSSBS);
    933 + arm64_set_ssbd_mitigation(false);
    934 + } else {
    935 + arm64_set_ssbd_mitigation(true);
    936 + }
    937 +}
    938 +#endif /* CONFIG_ARM64_SSBD */
    939 +
    940 static const struct arm64_cpu_capabilities arm64_features[] = {
    941 {
    942 .desc = "GIC system register CPU interface",
    943 @@ -1150,7 +1222,6 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
    944 .field_pos = ID_AA64PFR0_EL0_SHIFT,
    945 .min_field_value = ID_AA64PFR0_EL0_32BIT_64BIT,
    946 },
    947 -#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
    948 {
    949 .desc = "Kernel page table isolation (KPTI)",
    950 .capability = ARM64_UNMAP_KERNEL_AT_EL0,
    951 @@ -1166,7 +1237,6 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
    952 .matches = unmap_kernel_at_el0,
    953 .cpu_enable = kpti_install_ng_mappings,
    954 },
    955 -#endif
    956 {
    957 /* FP/SIMD is not implemented */
    958 .capability = ARM64_HAS_NO_FPSIMD,
    959 @@ -1253,6 +1323,19 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
    960 .matches = has_hw_dbm,
    961 .cpu_enable = cpu_enable_hw_dbm,
    962 },
    963 +#endif
    964 +#ifdef CONFIG_ARM64_SSBD
    965 + {
    966 + .desc = "Speculative Store Bypassing Safe (SSBS)",
    967 + .capability = ARM64_SSBS,
    968 + .type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,
    969 + .matches = has_cpuid_feature,
    970 + .sys_reg = SYS_ID_AA64PFR1_EL1,
    971 + .field_pos = ID_AA64PFR1_SSBS_SHIFT,
    972 + .sign = FTR_UNSIGNED,
    973 + .min_field_value = ID_AA64PFR1_SSBS_PSTATE_ONLY,
    974 + .cpu_enable = cpu_enable_ssbs,
    975 + },
    976 #endif
    977 {},
    978 };
    979 @@ -1299,6 +1382,7 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
    980 #ifdef CONFIG_ARM64_SVE
    981 HWCAP_CAP(SYS_ID_AA64PFR0_EL1, ID_AA64PFR0_SVE_SHIFT, FTR_UNSIGNED, ID_AA64PFR0_SVE, CAP_HWCAP, HWCAP_SVE),
    982 #endif
    983 + HWCAP_CAP(SYS_ID_AA64PFR1_EL1, ID_AA64PFR1_SSBS_SHIFT, FTR_UNSIGNED, ID_AA64PFR1_SSBS_PSTATE_INSNS, CAP_HWCAP, HWCAP_SSBS),
    984 {},
    985 };
    986
    987 @@ -1793,3 +1877,15 @@ void cpu_clear_disr(const struct arm64_cpu_capabilities *__unused)
    988 /* Firmware may have left a deferred SError in this register. */
    989 write_sysreg_s(0, SYS_DISR_EL1);
    990 }
    991 +
    992 +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,
    993 + char *buf)
    994 +{
    995 + if (__meltdown_safe)
    996 + return sprintf(buf, "Not affected\n");
    997 +
    998 + if (arm64_kernel_unmapped_at_el0())
    999 + return sprintf(buf, "Mitigation: PTI\n");
    1000 +
    1001 + return sprintf(buf, "Vulnerable\n");
    1002 +}
    1003 diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c
    1004 index e9ab7b3ed317..dce971f2c167 100644
    1005 --- a/arch/arm64/kernel/cpuinfo.c
    1006 +++ b/arch/arm64/kernel/cpuinfo.c
    1007 @@ -81,6 +81,7 @@ static const char *const hwcap_str[] = {
    1008 "uscat",
    1009 "ilrcpc",
    1010 "flagm",
    1011 + "ssbs",
    1012 NULL
    1013 };
    1014
    1015 diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
    1016 index 7f1628effe6d..bc2226608e13 100644
    1017 --- a/arch/arm64/kernel/process.c
    1018 +++ b/arch/arm64/kernel/process.c
    1019 @@ -358,6 +358,10 @@ int copy_thread(unsigned long clone_flags, unsigned long stack_start,
    1020 if (IS_ENABLED(CONFIG_ARM64_UAO) &&
    1021 cpus_have_const_cap(ARM64_HAS_UAO))
    1022 childregs->pstate |= PSR_UAO_BIT;
    1023 +
    1024 + if (arm64_get_ssbd_state() == ARM64_SSBD_FORCE_DISABLE)
    1025 + set_ssbs_bit(childregs);
    1026 +
    1027 p->thread.cpu_context.x19 = stack_start;
    1028 p->thread.cpu_context.x20 = stk_sz;
    1029 }
    1030 @@ -397,6 +401,32 @@ void uao_thread_switch(struct task_struct *next)
    1031 }
    1032 }
    1033
    1034 +/*
    1035 + * Force SSBS state on context-switch, since it may be lost after migrating
    1036 + * from a CPU which treats the bit as RES0 in a heterogeneous system.
    1037 + */
    1038 +static void ssbs_thread_switch(struct task_struct *next)
    1039 +{
    1040 + struct pt_regs *regs = task_pt_regs(next);
    1041 +
    1042 + /*
    1043 + * Nothing to do for kernel threads, but 'regs' may be junk
    1044 + * (e.g. idle task) so check the flags and bail early.
    1045 + */
    1046 + if (unlikely(next->flags & PF_KTHREAD))
    1047 + return;
    1048 +
    1049 + /* If the mitigation is enabled, then we leave SSBS clear. */
    1050 + if ((arm64_get_ssbd_state() == ARM64_SSBD_FORCE_ENABLE) ||
    1051 + test_tsk_thread_flag(next, TIF_SSBD))
    1052 + return;
    1053 +
    1054 + if (compat_user_mode(regs))
    1055 + set_compat_ssbs_bit(regs);
    1056 + else if (user_mode(regs))
    1057 + set_ssbs_bit(regs);
    1058 +}
    1059 +
    1060 /*
    1061 * We store our current task in sp_el0, which is clobbered by userspace. Keep a
    1062 * shadow copy so that we can restore this upon entry from userspace.
    1063 @@ -425,6 +455,7 @@ __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev,
    1064 contextidr_thread_switch(next);
    1065 entry_task_switch(next);
    1066 uao_thread_switch(next);
    1067 + ssbs_thread_switch(next);
    1068
    1069 /*
    1070 * Complete any pending TLB or cache maintenance on this CPU in case
    1071 diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
    1072 index 6219486fa25f..0211c3c7533b 100644
    1073 --- a/arch/arm64/kernel/ptrace.c
    1074 +++ b/arch/arm64/kernel/ptrace.c
    1075 @@ -1666,19 +1666,20 @@ void syscall_trace_exit(struct pt_regs *regs)
    1076 }
    1077
    1078 /*
    1079 - * SPSR_ELx bits which are always architecturally RES0 per ARM DDI 0487C.a
    1080 - * We also take into account DIT (bit 24), which is not yet documented, and
    1081 - * treat PAN and UAO as RES0 bits, as they are meaningless at EL0, and may be
    1082 - * allocated an EL0 meaning in future.
    1083 + * SPSR_ELx bits which are always architecturally RES0 per ARM DDI 0487D.a.
    1084 + * We permit userspace to set SSBS (AArch64 bit 12, AArch32 bit 23) which is
    1085 + * not described in ARM DDI 0487D.a.
    1086 + * We treat PAN and UAO as RES0 bits, as they are meaningless at EL0, and may
    1087 + * be allocated an EL0 meaning in future.
    1088 * Userspace cannot use these until they have an architectural meaning.
    1089 * Note that this follows the SPSR_ELx format, not the AArch32 PSR format.
    1090 * We also reserve IL for the kernel; SS is handled dynamically.
    1091 */
    1092 #define SPSR_EL1_AARCH64_RES0_BITS \
    1093 - (GENMASK_ULL(63,32) | GENMASK_ULL(27, 25) | GENMASK_ULL(23, 22) | \
    1094 - GENMASK_ULL(20, 10) | GENMASK_ULL(5, 5))
    1095 + (GENMASK_ULL(63, 32) | GENMASK_ULL(27, 25) | GENMASK_ULL(23, 22) | \
    1096 + GENMASK_ULL(20, 13) | GENMASK_ULL(11, 10) | GENMASK_ULL(5, 5))
    1097 #define SPSR_EL1_AARCH32_RES0_BITS \
    1098 - (GENMASK_ULL(63,32) | GENMASK_ULL(23, 22) | GENMASK_ULL(20,20))
    1099 + (GENMASK_ULL(63, 32) | GENMASK_ULL(22, 22) | GENMASK_ULL(20, 20))
    1100
    1101 static int valid_compat_regs(struct user_pt_regs *regs)
    1102 {
    1103 diff --git a/arch/arm64/kernel/ssbd.c b/arch/arm64/kernel/ssbd.c
    1104 index 388f8fc13080..f496fb2f7122 100644
    1105 --- a/arch/arm64/kernel/ssbd.c
    1106 +++ b/arch/arm64/kernel/ssbd.c
    1107 @@ -3,13 +3,31 @@
    1108 * Copyright (C) 2018 ARM Ltd, All Rights Reserved.
    1109 */
    1110
    1111 +#include <linux/compat.h>
    1112 #include <linux/errno.h>
    1113 #include <linux/prctl.h>
    1114 #include <linux/sched.h>
    1115 +#include <linux/sched/task_stack.h>
    1116 #include <linux/thread_info.h>
    1117
    1118 #include <asm/cpufeature.h>
    1119
    1120 +static void ssbd_ssbs_enable(struct task_struct *task)
    1121 +{
    1122 + u64 val = is_compat_thread(task_thread_info(task)) ?
    1123 + PSR_AA32_SSBS_BIT : PSR_SSBS_BIT;
    1124 +
    1125 + task_pt_regs(task)->pstate |= val;
    1126 +}
    1127 +
    1128 +static void ssbd_ssbs_disable(struct task_struct *task)
    1129 +{
    1130 + u64 val = is_compat_thread(task_thread_info(task)) ?
    1131 + PSR_AA32_SSBS_BIT : PSR_SSBS_BIT;
    1132 +
    1133 + task_pt_regs(task)->pstate &= ~val;
    1134 +}
    1135 +
    1136 /*
    1137 * prctl interface for SSBD
    1138 * FIXME: Drop the below ifdefery once merged in 4.18.
    1139 @@ -47,12 +65,14 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl)
    1140 return -EPERM;
    1141 task_clear_spec_ssb_disable(task);
    1142 clear_tsk_thread_flag(task, TIF_SSBD);
    1143 + ssbd_ssbs_enable(task);
    1144 break;
    1145 case PR_SPEC_DISABLE:
    1146 if (state == ARM64_SSBD_FORCE_DISABLE)
    1147 return -EPERM;
    1148 task_set_spec_ssb_disable(task);
    1149 set_tsk_thread_flag(task, TIF_SSBD);
    1150 + ssbd_ssbs_disable(task);
    1151 break;
    1152 case PR_SPEC_FORCE_DISABLE:
    1153 if (state == ARM64_SSBD_FORCE_DISABLE)
    1154 @@ -60,6 +80,7 @@ static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl)
    1155 task_set_spec_ssb_disable(task);
    1156 task_set_spec_ssb_force_disable(task);
    1157 set_tsk_thread_flag(task, TIF_SSBD);
    1158 + ssbd_ssbs_disable(task);
    1159 break;
    1160 default:
    1161 return -ERANGE;
    1162 diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c
    1163 index 963d669ae3a2..7414b76191c2 100644
    1164 --- a/arch/arm64/kvm/hyp/sysreg-sr.c
    1165 +++ b/arch/arm64/kvm/hyp/sysreg-sr.c
    1166 @@ -293,3 +293,14 @@ void kvm_vcpu_put_sysregs(struct kvm_vcpu *vcpu)
    1167
    1168 vcpu->arch.sysregs_loaded_on_cpu = false;
    1169 }
    1170 +
    1171 +void __hyp_text __kvm_enable_ssbs(void)
    1172 +{
    1173 + u64 tmp;
    1174 +
    1175 + asm volatile(
    1176 + "mrs %0, sctlr_el2\n"
    1177 + "orr %0, %0, %1\n"
    1178 + "msr sctlr_el2, %0"
    1179 + : "=&r" (tmp) : "L" (SCTLR_ELx_DSSBS));
    1180 +}
    1181 diff --git a/arch/mips/include/asm/cpu-features.h b/arch/mips/include/asm/cpu-features.h
    1182 index 0edba3e75747..4e2ee743088f 100644
    1183 --- a/arch/mips/include/asm/cpu-features.h
    1184 +++ b/arch/mips/include/asm/cpu-features.h
    1185 @@ -387,6 +387,22 @@
    1186 #define cpu_has_dsp3 __ase(MIPS_ASE_DSP3)
    1187 #endif
    1188
    1189 +#ifndef cpu_has_loongson_mmi
    1190 +#define cpu_has_loongson_mmi __ase(MIPS_ASE_LOONGSON_MMI)
    1191 +#endif
    1192 +
    1193 +#ifndef cpu_has_loongson_cam
    1194 +#define cpu_has_loongson_cam __ase(MIPS_ASE_LOONGSON_CAM)
    1195 +#endif
    1196 +
    1197 +#ifndef cpu_has_loongson_ext
    1198 +#define cpu_has_loongson_ext __ase(MIPS_ASE_LOONGSON_EXT)
    1199 +#endif
    1200 +
    1201 +#ifndef cpu_has_loongson_ext2
    1202 +#define cpu_has_loongson_ext2 __ase(MIPS_ASE_LOONGSON_EXT2)
    1203 +#endif
    1204 +
    1205 #ifndef cpu_has_mipsmt
    1206 #define cpu_has_mipsmt __isa_lt_and_ase(6, MIPS_ASE_MIPSMT)
    1207 #endif
    1208 diff --git a/arch/mips/include/asm/cpu.h b/arch/mips/include/asm/cpu.h
    1209 index dacbdb84516a..2b4b14a56575 100644
    1210 --- a/arch/mips/include/asm/cpu.h
    1211 +++ b/arch/mips/include/asm/cpu.h
    1212 @@ -436,5 +436,9 @@ enum cpu_type_enum {
    1213 #define MIPS_ASE_MSA 0x00000100 /* MIPS SIMD Architecture */
    1214 #define MIPS_ASE_DSP3 0x00000200 /* Signal Processing ASE Rev 3*/
    1215 #define MIPS_ASE_MIPS16E2 0x00000400 /* MIPS16e2 */
    1216 +#define MIPS_ASE_LOONGSON_MMI 0x00000800 /* Loongson MultiMedia extensions Instructions */
    1217 +#define MIPS_ASE_LOONGSON_CAM 0x00001000 /* Loongson CAM */
    1218 +#define MIPS_ASE_LOONGSON_EXT 0x00002000 /* Loongson EXTensions */
    1219 +#define MIPS_ASE_LOONGSON_EXT2 0x00004000 /* Loongson EXTensions R2 */
    1220
    1221 #endif /* _ASM_CPU_H */
    1222 diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c
    1223 index 25cd8737e7fe..958b627592c3 100644
    1224 --- a/arch/mips/kernel/cpu-probe.c
    1225 +++ b/arch/mips/kernel/cpu-probe.c
    1226 @@ -1489,6 +1489,8 @@ static inline void cpu_probe_legacy(struct cpuinfo_mips *c, unsigned int cpu)
    1227 __cpu_name[cpu] = "ICT Loongson-3";
    1228 set_elf_platform(cpu, "loongson3a");
    1229 set_isa(c, MIPS_CPU_ISA_M64R1);
    1230 + c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM |
    1231 + MIPS_ASE_LOONGSON_EXT);
    1232 break;
    1233 case PRID_REV_LOONGSON3B_R1:
    1234 case PRID_REV_LOONGSON3B_R2:
    1235 @@ -1496,6 +1498,8 @@ static inline void cpu_probe_legacy(struct cpuinfo_mips *c, unsigned int cpu)
    1236 __cpu_name[cpu] = "ICT Loongson-3";
    1237 set_elf_platform(cpu, "loongson3b");
    1238 set_isa(c, MIPS_CPU_ISA_M64R1);
    1239 + c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM |
    1240 + MIPS_ASE_LOONGSON_EXT);
    1241 break;
    1242 }
    1243
    1244 @@ -1861,6 +1865,8 @@ static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu)
    1245 decode_configs(c);
    1246 c->options |= MIPS_CPU_FTLB | MIPS_CPU_TLBINV | MIPS_CPU_LDPTE;
    1247 c->writecombine = _CACHE_UNCACHED_ACCELERATED;
    1248 + c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM |
    1249 + MIPS_ASE_LOONGSON_EXT | MIPS_ASE_LOONGSON_EXT2);
    1250 break;
    1251 default:
    1252 panic("Unknown Loongson Processor ID!");
    1253 diff --git a/arch/mips/kernel/proc.c b/arch/mips/kernel/proc.c
    1254 index b2de408a259e..f8d36710cd58 100644
    1255 --- a/arch/mips/kernel/proc.c
    1256 +++ b/arch/mips/kernel/proc.c
    1257 @@ -124,6 +124,10 @@ static int show_cpuinfo(struct seq_file *m, void *v)
    1258 if (cpu_has_eva) seq_printf(m, "%s", " eva");
    1259 if (cpu_has_htw) seq_printf(m, "%s", " htw");
    1260 if (cpu_has_xpa) seq_printf(m, "%s", " xpa");
    1261 + if (cpu_has_loongson_mmi) seq_printf(m, "%s", " loongson-mmi");
    1262 + if (cpu_has_loongson_cam) seq_printf(m, "%s", " loongson-cam");
    1263 + if (cpu_has_loongson_ext) seq_printf(m, "%s", " loongson-ext");
    1264 + if (cpu_has_loongson_ext2) seq_printf(m, "%s", " loongson-ext2");
    1265 seq_printf(m, "\n");
    1266
    1267 if (cpu_has_mmips) {
    1268 diff --git a/arch/powerpc/include/asm/cputable.h b/arch/powerpc/include/asm/cputable.h
    1269 index 29f49a35d6ee..6a6804c2e1b0 100644
    1270 --- a/arch/powerpc/include/asm/cputable.h
    1271 +++ b/arch/powerpc/include/asm/cputable.h
    1272 @@ -212,7 +212,7 @@ static inline void cpu_feature_keys_init(void) { }
    1273 #define CPU_FTR_POWER9_DD2_1 LONG_ASM_CONST(0x0000080000000000)
    1274 #define CPU_FTR_P9_TM_HV_ASSIST LONG_ASM_CONST(0x0000100000000000)
    1275 #define CPU_FTR_P9_TM_XER_SO_BUG LONG_ASM_CONST(0x0000200000000000)
    1276 -#define CPU_FTR_P9_TLBIE_BUG LONG_ASM_CONST(0x0000400000000000)
    1277 +#define CPU_FTR_P9_TLBIE_STQ_BUG LONG_ASM_CONST(0x0000400000000000)
    1278 #define CPU_FTR_P9_TIDR LONG_ASM_CONST(0x0000800000000000)
    1279
    1280 #ifndef __ASSEMBLY__
    1281 @@ -460,7 +460,7 @@ static inline void cpu_feature_keys_init(void) { }
    1282 CPU_FTR_CFAR | CPU_FTR_HVMODE | CPU_FTR_VMX_COPY | \
    1283 CPU_FTR_DBELL | CPU_FTR_HAS_PPR | CPU_FTR_ARCH_207S | \
    1284 CPU_FTR_TM_COMP | CPU_FTR_ARCH_300 | CPU_FTR_PKEY | \
    1285 - CPU_FTR_P9_TLBIE_BUG | CPU_FTR_P9_TIDR)
    1286 + CPU_FTR_P9_TLBIE_STQ_BUG | CPU_FTR_P9_TIDR)
    1287 #define CPU_FTRS_POWER9_DD2_0 CPU_FTRS_POWER9
    1288 #define CPU_FTRS_POWER9_DD2_1 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD2_1)
    1289 #define CPU_FTRS_POWER9_DD2_2 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD2_1 | \
    1290 diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c
    1291 index f432054234a4..f3b8e04eca9c 100644
    1292 --- a/arch/powerpc/kernel/dt_cpu_ftrs.c
    1293 +++ b/arch/powerpc/kernel/dt_cpu_ftrs.c
    1294 @@ -694,9 +694,35 @@ static bool __init cpufeatures_process_feature(struct dt_cpu_feature *f)
    1295 return true;
    1296 }
    1297
    1298 +/*
    1299 + * Handle POWER9 broadcast tlbie invalidation issue using
    1300 + * cpu feature flag.
    1301 + */
    1302 +static __init void update_tlbie_feature_flag(unsigned long pvr)
    1303 +{
    1304 + if (PVR_VER(pvr) == PVR_POWER9) {
    1305 + /*
    1306 + * Set the tlbie feature flag for anything below
    1307 + * Nimbus DD 2.3 and Cumulus DD 1.3
    1308 + */
    1309 + if ((pvr & 0xe000) == 0) {
    1310 + /* Nimbus */
    1311 + if ((pvr & 0xfff) < 0x203)
    1312 + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TLBIE_STQ_BUG;
    1313 + } else if ((pvr & 0xc000) == 0) {
    1314 + /* Cumulus */
    1315 + if ((pvr & 0xfff) < 0x103)
    1316 + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TLBIE_STQ_BUG;
    1317 + } else {
    1318 + WARN_ONCE(1, "Unknown PVR");
    1319 + cur_cpu_spec->cpu_features |= CPU_FTR_P9_TLBIE_STQ_BUG;
    1320 + }
    1321 + }
    1322 +}
    1323 +
    1324 static __init void cpufeatures_cpu_quirks(void)
    1325 {
    1326 - int version = mfspr(SPRN_PVR);
    1327 + unsigned long version = mfspr(SPRN_PVR);
    1328
    1329 /*
    1330 * Not all quirks can be derived from the cpufeatures device tree.
    1331 @@ -715,10 +741,10 @@ static __init void cpufeatures_cpu_quirks(void)
    1332
    1333 if ((version & 0xffff0000) == 0x004e0000) {
    1334 cur_cpu_spec->cpu_features &= ~(CPU_FTR_DAWR);
    1335 - cur_cpu_spec->cpu_features |= CPU_FTR_P9_TLBIE_BUG;
    1336 cur_cpu_spec->cpu_features |= CPU_FTR_P9_TIDR;
    1337 }
    1338
    1339 + update_tlbie_feature_flag(version);
    1340 /*
    1341 * PKEY was not in the initial base or feature node
    1342 * specification, but it should become optional in the next
    1343 diff --git a/arch/powerpc/kernel/mce.c b/arch/powerpc/kernel/mce.c
    1344 index efdd16a79075..93e06778b136 100644
    1345 --- a/arch/powerpc/kernel/mce.c
    1346 +++ b/arch/powerpc/kernel/mce.c
    1347 @@ -45,6 +45,7 @@ static DEFINE_PER_CPU(struct machine_check_event[MAX_MC_EVT],
    1348 mce_ue_event_queue);
    1349
    1350 static void machine_check_process_queued_event(struct irq_work *work);
    1351 +static void machine_check_ue_irq_work(struct irq_work *work);
    1352 void machine_check_ue_event(struct machine_check_event *evt);
    1353 static void machine_process_ue_event(struct work_struct *work);
    1354
    1355 @@ -52,6 +53,10 @@ static struct irq_work mce_event_process_work = {
    1356 .func = machine_check_process_queued_event,
    1357 };
    1358
    1359 +static struct irq_work mce_ue_event_irq_work = {
    1360 + .func = machine_check_ue_irq_work,
    1361 +};
    1362 +
    1363 DECLARE_WORK(mce_ue_event_work, machine_process_ue_event);
    1364
    1365 static void mce_set_error_info(struct machine_check_event *mce,
    1366 @@ -208,6 +213,10 @@ void release_mce_event(void)
    1367 get_mce_event(NULL, true);
    1368 }
    1369
    1370 +static void machine_check_ue_irq_work(struct irq_work *work)
    1371 +{
    1372 + schedule_work(&mce_ue_event_work);
    1373 +}
    1374
    1375 /*
    1376 * Queue up the MCE event which then can be handled later.
    1377 @@ -225,7 +234,7 @@ void machine_check_ue_event(struct machine_check_event *evt)
    1378 memcpy(this_cpu_ptr(&mce_ue_event_queue[index]), evt, sizeof(*evt));
    1379
    1380 /* Queue work to process this event later. */
    1381 - schedule_work(&mce_ue_event_work);
    1382 + irq_work_queue(&mce_ue_event_irq_work);
    1383 }
    1384
    1385 /*
    1386 diff --git a/arch/powerpc/kernel/mce_power.c b/arch/powerpc/kernel/mce_power.c
    1387 index 3022d67f0c48..37a110b8e7e1 100644
    1388 --- a/arch/powerpc/kernel/mce_power.c
    1389 +++ b/arch/powerpc/kernel/mce_power.c
    1390 @@ -39,6 +39,7 @@
    1391 static unsigned long addr_to_pfn(struct pt_regs *regs, unsigned long addr)
    1392 {
    1393 pte_t *ptep;
    1394 + unsigned int shift;
    1395 unsigned long flags;
    1396 struct mm_struct *mm;
    1397
    1398 @@ -48,13 +49,18 @@ static unsigned long addr_to_pfn(struct pt_regs *regs, unsigned long addr)
    1399 mm = &init_mm;
    1400
    1401 local_irq_save(flags);
    1402 - if (mm == current->mm)
    1403 - ptep = find_current_mm_pte(mm->pgd, addr, NULL, NULL);
    1404 - else
    1405 - ptep = find_init_mm_pte(addr, NULL);
    1406 + ptep = __find_linux_pte(mm->pgd, addr, NULL, &shift);
    1407 local_irq_restore(flags);
    1408 +
    1409 if (!ptep || pte_special(*ptep))
    1410 return ULONG_MAX;
    1411 +
    1412 + if (shift > PAGE_SHIFT) {
    1413 + unsigned long rpnmask = (1ul << shift) - PAGE_SIZE;
    1414 +
    1415 + return pte_pfn(__pte(pte_val(*ptep) | (addr & rpnmask)));
    1416 + }
    1417 +
    1418 return pte_pfn(*ptep);
    1419 }
    1420
    1421 @@ -339,7 +345,7 @@ static const struct mce_derror_table mce_p9_derror_table[] = {
    1422 MCE_INITIATOR_CPU, MCE_SEV_ERROR_SYNC, },
    1423 { 0, false, 0, 0, 0, 0 } };
    1424
    1425 -static int mce_find_instr_ea_and_pfn(struct pt_regs *regs, uint64_t *addr,
    1426 +static int mce_find_instr_ea_and_phys(struct pt_regs *regs, uint64_t *addr,
    1427 uint64_t *phys_addr)
    1428 {
    1429 /*
    1430 @@ -530,7 +536,8 @@ static int mce_handle_derror(struct pt_regs *regs,
    1431 * kernel/exception-64s.h
    1432 */
    1433 if (get_paca()->in_mce < MAX_MCE_DEPTH)
    1434 - mce_find_instr_ea_and_pfn(regs, addr, phys_addr);
    1435 + mce_find_instr_ea_and_phys(regs, addr,
    1436 + phys_addr);
    1437 }
    1438 found = 1;
    1439 }
    1440 diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
    1441 index 05b32cc12e41..3ae3e8d141e3 100644
    1442 --- a/arch/powerpc/kvm/book3s_hv.c
    1443 +++ b/arch/powerpc/kvm/book3s_hv.c
    1444 @@ -1407,7 +1407,14 @@ static int kvmppc_get_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
    1445 *val = get_reg_val(id, vcpu->arch.pspb);
    1446 break;
    1447 case KVM_REG_PPC_DPDES:
    1448 - *val = get_reg_val(id, vcpu->arch.vcore->dpdes);
    1449 + /*
    1450 + * On POWER9, where we are emulating msgsndp etc.,
    1451 + * we return 1 bit for each vcpu, which can come from
    1452 + * either vcore->dpdes or doorbell_request.
    1453 + * On POWER8, doorbell_request is 0.
    1454 + */
    1455 + *val = get_reg_val(id, vcpu->arch.vcore->dpdes |
    1456 + vcpu->arch.doorbell_request);
    1457 break;
    1458 case KVM_REG_PPC_VTB:
    1459 *val = get_reg_val(id, vcpu->arch.vcore->vtb);
    1460 @@ -2550,7 +2557,7 @@ static void collect_piggybacks(struct core_info *cip, int target_threads)
    1461 if (!spin_trylock(&pvc->lock))
    1462 continue;
    1463 prepare_threads(pvc);
    1464 - if (!pvc->n_runnable) {
    1465 + if (!pvc->n_runnable || !pvc->kvm->arch.mmu_ready) {
    1466 list_del_init(&pvc->preempt_list);
    1467 if (pvc->runner == NULL) {
    1468 pvc->vcore_state = VCORE_INACTIVE;
    1469 @@ -2571,15 +2578,20 @@ static void collect_piggybacks(struct core_info *cip, int target_threads)
    1470 spin_unlock(&lp->lock);
    1471 }
    1472
    1473 -static bool recheck_signals(struct core_info *cip)
    1474 +static bool recheck_signals_and_mmu(struct core_info *cip)
    1475 {
    1476 int sub, i;
    1477 struct kvm_vcpu *vcpu;
    1478 + struct kvmppc_vcore *vc;
    1479
    1480 - for (sub = 0; sub < cip->n_subcores; ++sub)
    1481 - for_each_runnable_thread(i, vcpu, cip->vc[sub])
    1482 + for (sub = 0; sub < cip->n_subcores; ++sub) {
    1483 + vc = cip->vc[sub];
    1484 + if (!vc->kvm->arch.mmu_ready)
    1485 + return true;
    1486 + for_each_runnable_thread(i, vcpu, vc)
    1487 if (signal_pending(vcpu->arch.run_task))
    1488 return true;
    1489 + }
    1490 return false;
    1491 }
    1492
    1493 @@ -2800,7 +2812,7 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc)
    1494 local_irq_disable();
    1495 hard_irq_disable();
    1496 if (lazy_irq_pending() || need_resched() ||
    1497 - recheck_signals(&core_info) || !vc->kvm->arch.mmu_ready) {
    1498 + recheck_signals_and_mmu(&core_info)) {
    1499 local_irq_enable();
    1500 vc->vcore_state = VCORE_INACTIVE;
    1501 /* Unlock all except the primary vcore */
    1502 diff --git a/arch/powerpc/kvm/book3s_hv_rm_mmu.c b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
    1503 index a67cf1cdeda4..7c68d834c94a 100644
    1504 --- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
    1505 +++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
    1506 @@ -452,7 +452,7 @@ static void do_tlbies(struct kvm *kvm, unsigned long *rbvalues,
    1507 "r" (rbvalues[i]), "r" (kvm->arch.lpid));
    1508 }
    1509
    1510 - if (cpu_has_feature(CPU_FTR_P9_TLBIE_BUG)) {
    1511 + if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) {
    1512 /*
    1513 * Need the extra ptesync to make sure we don't
    1514 * re-order the tlbie
    1515 diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    1516 index 68c7591f2b5f..f1878e13dd56 100644
    1517 --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    1518 +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
    1519 @@ -2903,29 +2903,39 @@ kvm_cede_prodded:
    1520 kvm_cede_exit:
    1521 ld r9, HSTATE_KVM_VCPU(r13)
    1522 #ifdef CONFIG_KVM_XICS
    1523 - /* Abort if we still have a pending escalation */
    1524 + /* are we using XIVE with single escalation? */
    1525 + ld r10, VCPU_XIVE_ESC_VADDR(r9)
    1526 + cmpdi r10, 0
    1527 + beq 3f
    1528 + li r6, XIVE_ESB_SET_PQ_00
    1529 + /*
    1530 + * If we still have a pending escalation, abort the cede,
    1531 + * and we must set PQ to 10 rather than 00 so that we don't
    1532 + * potentially end up with two entries for the escalation
    1533 + * interrupt in the XIVE interrupt queue. In that case
    1534 + * we also don't want to set xive_esc_on to 1 here in
    1535 + * case we race with xive_esc_irq().
    1536 + */
    1537 lbz r5, VCPU_XIVE_ESC_ON(r9)
    1538 cmpwi r5, 0
    1539 - beq 1f
    1540 + beq 4f
    1541 li r0, 0
    1542 stb r0, VCPU_CEDED(r9)
    1543 -1: /* Enable XIVE escalation */
    1544 - li r5, XIVE_ESB_SET_PQ_00
    1545 + li r6, XIVE_ESB_SET_PQ_10
    1546 + b 5f
    1547 +4: li r0, 1
    1548 + stb r0, VCPU_XIVE_ESC_ON(r9)
    1549 + /* make sure store to xive_esc_on is seen before xive_esc_irq runs */
    1550 + sync
    1551 +5: /* Enable XIVE escalation */
    1552 mfmsr r0
    1553 andi. r0, r0, MSR_DR /* in real mode? */
    1554 beq 1f
    1555 - ld r10, VCPU_XIVE_ESC_VADDR(r9)
    1556 - cmpdi r10, 0
    1557 - beq 3f
    1558 - ldx r0, r10, r5
    1559 + ldx r0, r10, r6
    1560 b 2f
    1561 1: ld r10, VCPU_XIVE_ESC_RADDR(r9)
    1562 - cmpdi r10, 0
    1563 - beq 3f
    1564 - ldcix r0, r10, r5
    1565 + ldcix r0, r10, r6
    1566 2: sync
    1567 - li r0, 1
    1568 - stb r0, VCPU_XIVE_ESC_ON(r9)
    1569 #endif /* CONFIG_KVM_XICS */
    1570 3: b guest_exit_cont
    1571
    1572 diff --git a/arch/powerpc/kvm/book3s_xive.c b/arch/powerpc/kvm/book3s_xive.c
    1573 index aae34f218ab4..031f07f048af 100644
    1574 --- a/arch/powerpc/kvm/book3s_xive.c
    1575 +++ b/arch/powerpc/kvm/book3s_xive.c
    1576 @@ -1037,20 +1037,22 @@ void kvmppc_xive_cleanup_vcpu(struct kvm_vcpu *vcpu)
    1577 /* Mask the VP IPI */
    1578 xive_vm_esb_load(&xc->vp_ipi_data, XIVE_ESB_SET_PQ_01);
    1579
    1580 - /* Disable the VP */
    1581 - xive_native_disable_vp(xc->vp_id);
    1582 -
    1583 - /* Free the queues & associated interrupts */
    1584 + /* Free escalations */
    1585 for (i = 0; i < KVMPPC_XIVE_Q_COUNT; i++) {
    1586 - struct xive_q *q = &xc->queues[i];
    1587 -
    1588 - /* Free the escalation irq */
    1589 if (xc->esc_virq[i]) {
    1590 free_irq(xc->esc_virq[i], vcpu);
    1591 irq_dispose_mapping(xc->esc_virq[i]);
    1592 kfree(xc->esc_virq_names[i]);
    1593 }
    1594 - /* Free the queue */
    1595 + }
    1596 +
    1597 + /* Disable the VP */
    1598 + xive_native_disable_vp(xc->vp_id);
    1599 +
    1600 + /* Free the queues */
    1601 + for (i = 0; i < KVMPPC_XIVE_Q_COUNT; i++) {
    1602 + struct xive_q *q = &xc->queues[i];
    1603 +
    1604 xive_native_disable_queue(xc->vp_id, q, i);
    1605 if (q->qpage) {
    1606 free_pages((unsigned long)q->qpage,
    1607 diff --git a/arch/powerpc/mm/hash_native_64.c b/arch/powerpc/mm/hash_native_64.c
    1608 index aaa28fd918fe..0c13561d8b80 100644
    1609 --- a/arch/powerpc/mm/hash_native_64.c
    1610 +++ b/arch/powerpc/mm/hash_native_64.c
    1611 @@ -203,7 +203,7 @@ static inline unsigned long ___tlbie(unsigned long vpn, int psize,
    1612
    1613 static inline void fixup_tlbie(unsigned long vpn, int psize, int apsize, int ssize)
    1614 {
    1615 - if (cpu_has_feature(CPU_FTR_P9_TLBIE_BUG)) {
    1616 + if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) {
    1617 /* Need the extra ptesync to ensure we don't reorder tlbie*/
    1618 asm volatile("ptesync": : :"memory");
    1619 ___tlbie(vpn, psize, apsize, ssize);
    1620 diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
    1621 index 29fd8940867e..b1007e9a31ba 100644
    1622 --- a/arch/powerpc/mm/hash_utils_64.c
    1623 +++ b/arch/powerpc/mm/hash_utils_64.c
    1624 @@ -37,6 +37,7 @@
    1625 #include <linux/context_tracking.h>
    1626 #include <linux/libfdt.h>
    1627 #include <linux/pkeys.h>
    1628 +#include <linux/cpu.h>
    1629
    1630 #include <asm/debugfs.h>
    1631 #include <asm/processor.h>
    1632 @@ -1891,10 +1892,16 @@ static int hpt_order_get(void *data, u64 *val)
    1633
    1634 static int hpt_order_set(void *data, u64 val)
    1635 {
    1636 + int ret;
    1637 +
    1638 if (!mmu_hash_ops.resize_hpt)
    1639 return -ENODEV;
    1640
    1641 - return mmu_hash_ops.resize_hpt(val);
    1642 + cpus_read_lock();
    1643 + ret = mmu_hash_ops.resize_hpt(val);
    1644 + cpus_read_unlock();
    1645 +
    1646 + return ret;
    1647 }
    1648
    1649 DEFINE_SIMPLE_ATTRIBUTE(fops_hpt_order, hpt_order_get, hpt_order_set, "%llu\n");
    1650 diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c
    1651 index fef3e1eb3a19..0cddae4263f9 100644
    1652 --- a/arch/powerpc/mm/tlb-radix.c
    1653 +++ b/arch/powerpc/mm/tlb-radix.c
    1654 @@ -220,7 +220,7 @@ static inline void fixup_tlbie(void)
    1655 unsigned long pid = 0;
    1656 unsigned long va = ((1UL << 52) - 1);
    1657
    1658 - if (cpu_has_feature(CPU_FTR_P9_TLBIE_BUG)) {
    1659 + if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) {
    1660 asm volatile("ptesync": : :"memory");
    1661 __tlbie_va(va, pid, mmu_get_ap(MMU_PAGE_64K), RIC_FLUSH_TLB);
    1662 }
    1663 @@ -230,7 +230,7 @@ static inline void fixup_tlbie_lpid(unsigned long lpid)
    1664 {
    1665 unsigned long va = ((1UL << 52) - 1);
    1666
    1667 - if (cpu_has_feature(CPU_FTR_P9_TLBIE_BUG)) {
    1668 + if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) {
    1669 asm volatile("ptesync": : :"memory");
    1670 __tlbie_lpid_va(va, lpid, mmu_get_ap(MMU_PAGE_64K), RIC_FLUSH_TLB);
    1671 }
    1672 diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
    1673 index 38fe4087484a..edf9032e2e5c 100644
    1674 --- a/arch/powerpc/platforms/powernv/opal.c
    1675 +++ b/arch/powerpc/platforms/powernv/opal.c
    1676 @@ -680,7 +680,10 @@ static ssize_t symbol_map_read(struct file *fp, struct kobject *kobj,
    1677 bin_attr->size);
    1678 }
    1679
    1680 -static BIN_ATTR_RO(symbol_map, 0);
    1681 +static struct bin_attribute symbol_map_attr = {
    1682 + .attr = {.name = "symbol_map", .mode = 0400},
    1683 + .read = symbol_map_read
    1684 +};
    1685
    1686 static void opal_export_symmap(void)
    1687 {
    1688 @@ -697,10 +700,10 @@ static void opal_export_symmap(void)
    1689 return;
    1690
    1691 /* Setup attributes */
    1692 - bin_attr_symbol_map.private = __va(be64_to_cpu(syms[0]));
    1693 - bin_attr_symbol_map.size = be64_to_cpu(syms[1]);
    1694 + symbol_map_attr.private = __va(be64_to_cpu(syms[0]));
    1695 + symbol_map_attr.size = be64_to_cpu(syms[1]);
    1696
    1697 - rc = sysfs_create_bin_file(opal_kobj, &bin_attr_symbol_map);
    1698 + rc = sysfs_create_bin_file(opal_kobj, &symbol_map_attr);
    1699 if (rc)
    1700 pr_warn("Error %d creating OPAL symbols file\n", rc);
    1701 }
    1702 diff --git a/arch/powerpc/platforms/powernv/pci-ioda-tce.c b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
    1703 index 29e66d6e5763..15a567128c0f 100644
    1704 --- a/arch/powerpc/platforms/powernv/pci-ioda-tce.c
    1705 +++ b/arch/powerpc/platforms/powernv/pci-ioda-tce.c
    1706 @@ -49,6 +49,9 @@ static __be64 *pnv_alloc_tce_level(int nid, unsigned int shift)
    1707 return addr;
    1708 }
    1709
    1710 +static void pnv_pci_ioda2_table_do_free_pages(__be64 *addr,
    1711 + unsigned long size, unsigned int levels);
    1712 +
    1713 static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
    1714 {
    1715 __be64 *tmp = user ? tbl->it_userspace : (__be64 *) tbl->it_base;
    1716 @@ -58,9 +61,9 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
    1717
    1718 while (level) {
    1719 int n = (idx & mask) >> (level * shift);
    1720 - unsigned long tce;
    1721 + unsigned long oldtce, tce = be64_to_cpu(READ_ONCE(tmp[n]));
    1722
    1723 - if (tmp[n] == 0) {
    1724 + if (!tce) {
    1725 __be64 *tmp2;
    1726
    1727 if (!alloc)
    1728 @@ -71,10 +74,15 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
    1729 if (!tmp2)
    1730 return NULL;
    1731
    1732 - tmp[n] = cpu_to_be64(__pa(tmp2) |
    1733 - TCE_PCI_READ | TCE_PCI_WRITE);
    1734 + tce = __pa(tmp2) | TCE_PCI_READ | TCE_PCI_WRITE;
    1735 + oldtce = be64_to_cpu(cmpxchg(&tmp[n], 0,
    1736 + cpu_to_be64(tce)));
    1737 + if (oldtce) {
    1738 + pnv_pci_ioda2_table_do_free_pages(tmp2,
    1739 + ilog2(tbl->it_level_size) + 3, 1);
    1740 + tce = oldtce;
    1741 + }
    1742 }
    1743 - tce = be64_to_cpu(tmp[n]);
    1744
    1745 tmp = __va(tce & ~(TCE_PCI_READ | TCE_PCI_WRITE));
    1746 idx &= ~mask;
    1747 diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
    1748 index 9e52b686a8fa..ea602f7f97ce 100644
    1749 --- a/arch/powerpc/platforms/pseries/lpar.c
    1750 +++ b/arch/powerpc/platforms/pseries/lpar.c
    1751 @@ -647,7 +647,10 @@ static int pseries_lpar_resize_hpt_commit(void *data)
    1752 return 0;
    1753 }
    1754
    1755 -/* Must be called in user context */
    1756 +/*
    1757 + * Must be called in process context. The caller must hold the
    1758 + * cpus_lock.
    1759 + */
    1760 static int pseries_lpar_resize_hpt(unsigned long shift)
    1761 {
    1762 struct hpt_resize_state state = {
    1763 @@ -699,7 +702,8 @@ static int pseries_lpar_resize_hpt(unsigned long shift)
    1764
    1765 t1 = ktime_get();
    1766
    1767 - rc = stop_machine(pseries_lpar_resize_hpt_commit, &state, NULL);
    1768 + rc = stop_machine_cpuslocked(pseries_lpar_resize_hpt_commit,
    1769 + &state, NULL);
    1770
    1771 t2 = ktime_get();
    1772
    1773 diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
    1774 index fa2c08e3c05e..a03821b2656a 100644
    1775 --- a/arch/riscv/kernel/entry.S
    1776 +++ b/arch/riscv/kernel/entry.S
    1777 @@ -171,9 +171,13 @@ ENTRY(handle_exception)
    1778 move a1, s4 /* scause */
    1779 tail do_IRQ
    1780 1:
    1781 - /* Exceptions run with interrupts enabled */
    1782 + /* Exceptions run with interrupts enabled or disabled
    1783 + depending on the state of sstatus.SR_SPIE */
    1784 + andi t0, s1, SR_SPIE
    1785 + beqz t0, 1f
    1786 csrs sstatus, SR_SIE
    1787
    1788 +1:
    1789 /* Handle syscalls */
    1790 li t0, EXC_SYSCALL
    1791 beq s4, t0, handle_syscall
    1792 diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
    1793 index 6e758bb6cd29..99ef537e548a 100644
    1794 --- a/arch/s390/kernel/process.c
    1795 +++ b/arch/s390/kernel/process.c
    1796 @@ -183,20 +183,30 @@ unsigned long get_wchan(struct task_struct *p)
    1797
    1798 if (!p || p == current || p->state == TASK_RUNNING || !task_stack_page(p))
    1799 return 0;
    1800 +
    1801 + if (!try_get_task_stack(p))
    1802 + return 0;
    1803 +
    1804 low = task_stack_page(p);
    1805 high = (struct stack_frame *) task_pt_regs(p);
    1806 sf = (struct stack_frame *) p->thread.ksp;
    1807 - if (sf <= low || sf > high)
    1808 - return 0;
    1809 + if (sf <= low || sf > high) {
    1810 + return_address = 0;
    1811 + goto out;
    1812 + }
    1813 for (count = 0; count < 16; count++) {
    1814 sf = (struct stack_frame *) sf->back_chain;
    1815 - if (sf <= low || sf > high)
    1816 - return 0;
    1817 + if (sf <= low || sf > high) {
    1818 + return_address = 0;
    1819 + goto out;
    1820 + }
    1821 return_address = sf->gprs[8];
    1822 if (!in_sched_functions(return_address))
    1823 - return return_address;
    1824 + goto out;
    1825 }
    1826 - return 0;
    1827 +out:
    1828 + put_task_stack(p);
    1829 + return return_address;
    1830 }
    1831
    1832 unsigned long arch_align_stack(unsigned long sp)
    1833 diff --git a/arch/s390/kernel/topology.c b/arch/s390/kernel/topology.c
    1834 index e8184a15578a..7b96888974db 100644
    1835 --- a/arch/s390/kernel/topology.c
    1836 +++ b/arch/s390/kernel/topology.c
    1837 @@ -311,7 +311,8 @@ int arch_update_cpu_topology(void)
    1838 on_each_cpu(__arch_update_dedicated_flag, NULL, 0);
    1839 for_each_online_cpu(cpu) {
    1840 dev = get_cpu_device(cpu);
    1841 - kobject_uevent(&dev->kobj, KOBJ_CHANGE);
    1842 + if (dev)
    1843 + kobject_uevent(&dev->kobj, KOBJ_CHANGE);
    1844 }
    1845 return rc;
    1846 }
    1847 diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
    1848 index e0551c948c59..fac1d4eaa426 100644
    1849 --- a/arch/s390/kvm/kvm-s390.c
    1850 +++ b/arch/s390/kvm/kvm-s390.c
    1851 @@ -3890,7 +3890,7 @@ static long kvm_s390_guest_mem_op(struct kvm_vcpu *vcpu,
    1852 const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION
    1853 | KVM_S390_MEMOP_F_CHECK_ONLY;
    1854
    1855 - if (mop->flags & ~supported_flags)
    1856 + if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size)
    1857 return -EINVAL;
    1858
    1859 if (mop->size > MEM_OP_MAX_SIZE)
    1860 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
    1861 index e83f4f6bfdac..6f7b3acdab26 100644
    1862 --- a/arch/x86/kvm/vmx.c
    1863 +++ b/arch/x86/kvm/vmx.c
    1864 @@ -8801,7 +8801,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
    1865 /* _system ok, nested_vmx_check_permission has verified cpl=0 */
    1866 if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
    1867 (is_long_mode(vcpu) ? 8 : 4),
    1868 - NULL))
    1869 + &e))
    1870 kvm_inject_page_fault(vcpu, &e);
    1871 }
    1872
    1873 @@ -12574,7 +12574,7 @@ static int check_vmentry_prereqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
    1874
    1875 /* VM-entry exception error code */
    1876 if (has_error_code &&
    1877 - vmcs12->vm_entry_exception_error_code & GENMASK(31, 15))
    1878 + vmcs12->vm_entry_exception_error_code & GENMASK(31, 16))
    1879 return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
    1880
    1881 /* VM-entry interruption-info field: reserved bits */
    1882 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    1883 index 05cb5855255e..6ae8a013af31 100644
    1884 --- a/arch/x86/kvm/x86.c
    1885 +++ b/arch/x86/kvm/x86.c
    1886 @@ -791,34 +791,42 @@ int kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr)
    1887 }
    1888 EXPORT_SYMBOL_GPL(kvm_set_xcr);
    1889
    1890 -int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
    1891 +static int kvm_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
    1892 {
    1893 - unsigned long old_cr4 = kvm_read_cr4(vcpu);
    1894 - unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
    1895 - X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE;
    1896 -
    1897 if (cr4 & CR4_RESERVED_BITS)
    1898 - return 1;
    1899 + return -EINVAL;
    1900
    1901 if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVE) && (cr4 & X86_CR4_OSXSAVE))
    1902 - return 1;
    1903 + return -EINVAL;
    1904
    1905 if (!guest_cpuid_has(vcpu, X86_FEATURE_SMEP) && (cr4 & X86_CR4_SMEP))
    1906 - return 1;
    1907 + return -EINVAL;
    1908
    1909 if (!guest_cpuid_has(vcpu, X86_FEATURE_SMAP) && (cr4 & X86_CR4_SMAP))
    1910 - return 1;
    1911 + return -EINVAL;
    1912
    1913 if (!guest_cpuid_has(vcpu, X86_FEATURE_FSGSBASE) && (cr4 & X86_CR4_FSGSBASE))
    1914 - return 1;
    1915 + return -EINVAL;
    1916
    1917 if (!guest_cpuid_has(vcpu, X86_FEATURE_PKU) && (cr4 & X86_CR4_PKE))
    1918 - return 1;
    1919 + return -EINVAL;
    1920
    1921 if (!guest_cpuid_has(vcpu, X86_FEATURE_LA57) && (cr4 & X86_CR4_LA57))
    1922 - return 1;
    1923 + return -EINVAL;
    1924
    1925 if (!guest_cpuid_has(vcpu, X86_FEATURE_UMIP) && (cr4 & X86_CR4_UMIP))
    1926 + return -EINVAL;
    1927 +
    1928 + return 0;
    1929 +}
    1930 +
    1931 +int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
    1932 +{
    1933 + unsigned long old_cr4 = kvm_read_cr4(vcpu);
    1934 + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
    1935 + X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE;
    1936 +
    1937 + if (kvm_valid_cr4(vcpu, cr4))
    1938 return 1;
    1939
    1940 if (is_long_mode(vcpu)) {
    1941 @@ -8237,10 +8245,6 @@ EXPORT_SYMBOL_GPL(kvm_task_switch);
    1942
    1943 static int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
    1944 {
    1945 - if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVE) &&
    1946 - (sregs->cr4 & X86_CR4_OSXSAVE))
    1947 - return -EINVAL;
    1948 -
    1949 if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) {
    1950 /*
    1951 * When EFER.LME and CR0.PG are set, the processor is in
    1952 @@ -8259,7 +8263,7 @@ static int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
    1953 return -EINVAL;
    1954 }
    1955
    1956 - return 0;
    1957 + return kvm_valid_cr4(vcpu, sregs->cr4);
    1958 }
    1959
    1960 static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
    1961 diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
    1962 index 10fb42da0007..b81b5172cf99 100644
    1963 --- a/arch/x86/purgatory/Makefile
    1964 +++ b/arch/x86/purgatory/Makefile
    1965 @@ -23,6 +23,7 @@ KCOV_INSTRUMENT := n
    1966
    1967 PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel
    1968 PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss
    1969 +PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN)
    1970
    1971 # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
    1972 # in turn leaves some undefined symbols like __fentry__ in purgatory and not
    1973 diff --git a/crypto/skcipher.c b/crypto/skcipher.c
    1974 index b664cf867f5f..a8750b4ebf26 100644
    1975 --- a/crypto/skcipher.c
    1976 +++ b/crypto/skcipher.c
    1977 @@ -95,7 +95,7 @@ static inline u8 *skcipher_get_spot(u8 *start, unsigned int len)
    1978 return max(start, end_page);
    1979 }
    1980
    1981 -static void skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize)
    1982 +static int skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize)
    1983 {
    1984 u8 *addr;
    1985
    1986 @@ -103,19 +103,21 @@ static void skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize)
    1987 addr = skcipher_get_spot(addr, bsize);
    1988 scatterwalk_copychunks(addr, &walk->out, bsize,
    1989 (walk->flags & SKCIPHER_WALK_PHYS) ? 2 : 1);
    1990 + return 0;
    1991 }
    1992
    1993 int skcipher_walk_done(struct skcipher_walk *walk, int err)
    1994 {
    1995 - unsigned int n; /* bytes processed */
    1996 - bool more;
    1997 + unsigned int n = walk->nbytes;
    1998 + unsigned int nbytes = 0;
    1999
    2000 - if (unlikely(err < 0))
    2001 + if (!n)
    2002 goto finish;
    2003
    2004 - n = walk->nbytes - err;
    2005 - walk->total -= n;
    2006 - more = (walk->total != 0);
    2007 + if (likely(err >= 0)) {
    2008 + n -= err;
    2009 + nbytes = walk->total - n;
    2010 + }
    2011
    2012 if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS |
    2013 SKCIPHER_WALK_SLOW |
    2014 @@ -131,7 +133,7 @@ unmap_src:
    2015 memcpy(walk->dst.virt.addr, walk->page, n);
    2016 skcipher_unmap_dst(walk);
    2017 } else if (unlikely(walk->flags & SKCIPHER_WALK_SLOW)) {
    2018 - if (err) {
    2019 + if (err > 0) {
    2020 /*
    2021 * Didn't process all bytes. Either the algorithm is
    2022 * broken, or this was the last step and it turned out
    2023 @@ -139,27 +141,29 @@ unmap_src:
    2024 * the algorithm requires it.
    2025 */
    2026 err = -EINVAL;
    2027 - goto finish;
    2028 - }
    2029 - skcipher_done_slow(walk, n);
    2030 - goto already_advanced;
    2031 + nbytes = 0;
    2032 + } else
    2033 + n = skcipher_done_slow(walk, n);
    2034 }
    2035
    2036 + if (err > 0)
    2037 + err = 0;
    2038 +
    2039 + walk->total = nbytes;
    2040 + walk->nbytes = 0;
    2041 +
    2042 scatterwalk_advance(&walk->in, n);
    2043 scatterwalk_advance(&walk->out, n);
    2044 -already_advanced:
    2045 - scatterwalk_done(&walk->in, 0, more);
    2046 - scatterwalk_done(&walk->out, 1, more);
    2047 + scatterwalk_done(&walk->in, 0, nbytes);
    2048 + scatterwalk_done(&walk->out, 1, nbytes);
    2049
    2050 - if (more) {
    2051 + if (nbytes) {
    2052 crypto_yield(walk->flags & SKCIPHER_WALK_SLEEP ?
    2053 CRYPTO_TFM_REQ_MAY_SLEEP : 0);
    2054 return skcipher_walk_next(walk);
    2055 }
    2056 - err = 0;
    2057 -finish:
    2058 - walk->nbytes = 0;
    2059
    2060 +finish:
    2061 /* Short-circuit for the common/fast path. */
    2062 if (!((unsigned long)walk->buffer | (unsigned long)walk->page))
    2063 goto out;
    2064 diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
    2065 index b1c7009de1f4..bc2fa4e85f0c 100644
    2066 --- a/drivers/block/nbd.c
    2067 +++ b/drivers/block/nbd.c
    2068 @@ -106,6 +106,7 @@ struct nbd_device {
    2069 struct nbd_config *config;
    2070 struct mutex config_lock;
    2071 struct gendisk *disk;
    2072 + struct workqueue_struct *recv_workq;
    2073
    2074 struct list_head list;
    2075 struct task_struct *task_recv;
    2076 @@ -132,9 +133,10 @@ static struct dentry *nbd_dbg_dir;
    2077
    2078 #define NBD_MAGIC 0x68797548
    2079
    2080 +#define NBD_DEF_BLKSIZE 1024
    2081 +
    2082 static unsigned int nbds_max = 16;
    2083 static int max_part = 16;
    2084 -static struct workqueue_struct *recv_workqueue;
    2085 static int part_shift;
    2086
    2087 static int nbd_dev_dbg_init(struct nbd_device *nbd);
    2088 @@ -1025,7 +1027,7 @@ static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg)
    2089 /* We take the tx_mutex in an error path in the recv_work, so we
    2090 * need to queue_work outside of the tx_mutex.
    2091 */
    2092 - queue_work(recv_workqueue, &args->work);
    2093 + queue_work(nbd->recv_workq, &args->work);
    2094
    2095 atomic_inc(&config->live_connections);
    2096 wake_up(&config->conn_wait);
    2097 @@ -1126,6 +1128,10 @@ static void nbd_config_put(struct nbd_device *nbd)
    2098 kfree(nbd->config);
    2099 nbd->config = NULL;
    2100
    2101 + if (nbd->recv_workq)
    2102 + destroy_workqueue(nbd->recv_workq);
    2103 + nbd->recv_workq = NULL;
    2104 +
    2105 nbd->tag_set.timeout = 0;
    2106 nbd->disk->queue->limits.discard_granularity = 0;
    2107 nbd->disk->queue->limits.discard_alignment = 0;
    2108 @@ -1154,6 +1160,14 @@ static int nbd_start_device(struct nbd_device *nbd)
    2109 return -EINVAL;
    2110 }
    2111
    2112 + nbd->recv_workq = alloc_workqueue("knbd%d-recv",
    2113 + WQ_MEM_RECLAIM | WQ_HIGHPRI |
    2114 + WQ_UNBOUND, 0, nbd->index);
    2115 + if (!nbd->recv_workq) {
    2116 + dev_err(disk_to_dev(nbd->disk), "Could not allocate knbd recv work queue.\n");
    2117 + return -ENOMEM;
    2118 + }
    2119 +
    2120 blk_mq_update_nr_hw_queues(&nbd->tag_set, config->num_connections);
    2121 nbd->task_recv = current;
    2122
    2123 @@ -1184,7 +1198,7 @@ static int nbd_start_device(struct nbd_device *nbd)
    2124 INIT_WORK(&args->work, recv_work);
    2125 args->nbd = nbd;
    2126 args->index = i;
    2127 - queue_work(recv_workqueue, &args->work);
    2128 + queue_work(nbd->recv_workq, &args->work);
    2129 }
    2130 nbd_size_update(nbd);
    2131 return error;
    2132 @@ -1204,8 +1218,10 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b
    2133 mutex_unlock(&nbd->config_lock);
    2134 ret = wait_event_interruptible(config->recv_wq,
    2135 atomic_read(&config->recv_threads) == 0);
    2136 - if (ret)
    2137 + if (ret) {
    2138 sock_shutdown(nbd);
    2139 + flush_workqueue(nbd->recv_workq);
    2140 + }
    2141 mutex_lock(&nbd->config_lock);
    2142 nbd_bdev_reset(bdev);
    2143 /* user requested, ignore socket errors */
    2144 @@ -1227,6 +1243,14 @@ static void nbd_clear_sock_ioctl(struct nbd_device *nbd,
    2145 nbd_config_put(nbd);
    2146 }
    2147
    2148 +static bool nbd_is_valid_blksize(unsigned long blksize)
    2149 +{
    2150 + if (!blksize || !is_power_of_2(blksize) || blksize < 512 ||
    2151 + blksize > PAGE_SIZE)
    2152 + return false;
    2153 + return true;
    2154 +}
    2155 +
    2156 /* Must be called with config_lock held */
    2157 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
    2158 unsigned int cmd, unsigned long arg)
    2159 @@ -1242,8 +1266,9 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
    2160 case NBD_SET_SOCK:
    2161 return nbd_add_socket(nbd, arg, false);
    2162 case NBD_SET_BLKSIZE:
    2163 - if (!arg || !is_power_of_2(arg) || arg < 512 ||
    2164 - arg > PAGE_SIZE)
    2165 + if (!arg)
    2166 + arg = NBD_DEF_BLKSIZE;
    2167 + if (!nbd_is_valid_blksize(arg))
    2168 return -EINVAL;
    2169 nbd_size_set(nbd, arg,
    2170 div_s64(config->bytesize, arg));
    2171 @@ -1323,7 +1348,7 @@ static struct nbd_config *nbd_alloc_config(void)
    2172 atomic_set(&config->recv_threads, 0);
    2173 init_waitqueue_head(&config->recv_wq);
    2174 init_waitqueue_head(&config->conn_wait);
    2175 - config->blksize = 1024;
    2176 + config->blksize = NBD_DEF_BLKSIZE;
    2177 atomic_set(&config->live_connections, 0);
    2178 try_module_get(THIS_MODULE);
    2179 return config;
    2180 @@ -1759,6 +1784,12 @@ again:
    2181 if (info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES]) {
    2182 u64 bsize =
    2183 nla_get_u64(info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES]);
    2184 + if (!bsize)
    2185 + bsize = NBD_DEF_BLKSIZE;
    2186 + if (!nbd_is_valid_blksize(bsize)) {
    2187 + ret = -EINVAL;
    2188 + goto out;
    2189 + }
    2190 nbd_size_set(nbd, bsize, div64_u64(config->bytesize, bsize));
    2191 }
    2192 if (info->attrs[NBD_ATTR_TIMEOUT]) {
    2193 @@ -1835,6 +1866,12 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
    2194 nbd_disconnect(nbd);
    2195 nbd_clear_sock(nbd);
    2196 mutex_unlock(&nbd->config_lock);
    2197 + /*
    2198 + * Make sure recv thread has finished, so it does not drop the last
    2199 + * config ref and try to destroy the workqueue from inside the work
    2200 + * queue.
    2201 + */
    2202 + flush_workqueue(nbd->recv_workq);
    2203 if (test_and_clear_bit(NBD_HAS_CONFIG_REF,
    2204 &nbd->config->runtime_flags))
    2205 nbd_config_put(nbd);
    2206 @@ -2215,20 +2252,12 @@ static int __init nbd_init(void)
    2207
    2208 if (nbds_max > 1UL << (MINORBITS - part_shift))
    2209 return -EINVAL;
    2210 - recv_workqueue = alloc_workqueue("knbd-recv",
    2211 - WQ_MEM_RECLAIM | WQ_HIGHPRI |
    2212 - WQ_UNBOUND, 0);
    2213 - if (!recv_workqueue)
    2214 - return -ENOMEM;
    2215
    2216 - if (register_blkdev(NBD_MAJOR, "nbd")) {
    2217 - destroy_workqueue(recv_workqueue);
    2218 + if (register_blkdev(NBD_MAJOR, "nbd"))
    2219 return -EIO;
    2220 - }
    2221
    2222 if (genl_register_family(&nbd_genl_family)) {
    2223 unregister_blkdev(NBD_MAJOR, "nbd");
    2224 - destroy_workqueue(recv_workqueue);
    2225 return -EINVAL;
    2226 }
    2227 nbd_dbg_init();
    2228 @@ -2270,7 +2299,6 @@ static void __exit nbd_cleanup(void)
    2229
    2230 idr_destroy(&nbd_index_idr);
    2231 genl_unregister_family(&nbd_genl_family);
    2232 - destroy_workqueue(recv_workqueue);
    2233 unregister_blkdev(NBD_MAJOR, "nbd");
    2234 }
    2235
    2236 diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
    2237 index a408edd84f34..edacf9b39b63 100644
    2238 --- a/drivers/crypto/caam/caamalg_desc.c
    2239 +++ b/drivers/crypto/caam/caamalg_desc.c
    2240 @@ -509,6 +509,7 @@ void cnstr_shdsc_aead_givencap(u32 * const desc, struct alginfo *cdata,
    2241 const bool is_qi, int era)
    2242 {
    2243 u32 geniv, moveiv;
    2244 + u32 *wait_cmd;
    2245
    2246 /* Note: Context registers are saved. */
    2247 init_sh_desc_key_aead(desc, cdata, adata, is_rfc3686, nonce, era);
    2248 @@ -604,6 +605,14 @@ copy_iv:
    2249
    2250 /* Will read cryptlen */
    2251 append_math_add(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ);
    2252 +
    2253 + /*
    2254 + * Wait for IV transfer (ofifo -> class2) to finish before starting
    2255 + * ciphertext transfer (ofifo -> external memory).
    2256 + */
    2257 + wait_cmd = append_jump(desc, JUMP_JSL | JUMP_TEST_ALL | JUMP_COND_NIFP);
    2258 + set_jump_tgt_here(desc, wait_cmd);
    2259 +
    2260 append_seq_fifo_load(desc, 0, FIFOLD_CLASS_BOTH | KEY_VLF |
    2261 FIFOLD_TYPE_MSG1OUT2 | FIFOLD_TYPE_LASTBOTH);
    2262 append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF);
    2263 diff --git a/drivers/crypto/caam/caamalg_desc.h b/drivers/crypto/caam/caamalg_desc.h
    2264 index a917af5776ce..05516b0a4240 100644
    2265 --- a/drivers/crypto/caam/caamalg_desc.h
    2266 +++ b/drivers/crypto/caam/caamalg_desc.h
    2267 @@ -12,7 +12,7 @@
    2268 #define DESC_AEAD_BASE (4 * CAAM_CMD_SZ)
    2269 #define DESC_AEAD_ENC_LEN (DESC_AEAD_BASE + 11 * CAAM_CMD_SZ)
    2270 #define DESC_AEAD_DEC_LEN (DESC_AEAD_BASE + 15 * CAAM_CMD_SZ)
    2271 -#define DESC_AEAD_GIVENC_LEN (DESC_AEAD_ENC_LEN + 7 * CAAM_CMD_SZ)
    2272 +#define DESC_AEAD_GIVENC_LEN (DESC_AEAD_ENC_LEN + 8 * CAAM_CMD_SZ)
    2273 #define DESC_QI_AEAD_ENC_LEN (DESC_AEAD_ENC_LEN + 3 * CAAM_CMD_SZ)
    2274 #define DESC_QI_AEAD_DEC_LEN (DESC_AEAD_DEC_LEN + 3 * CAAM_CMD_SZ)
    2275 #define DESC_QI_AEAD_GIVENC_LEN (DESC_AEAD_GIVENC_LEN + 3 * CAAM_CMD_SZ)
    2276 diff --git a/drivers/crypto/cavium/zip/zip_main.c b/drivers/crypto/cavium/zip/zip_main.c
    2277 index 6183f9128a8a..ea901bc5733c 100644
    2278 --- a/drivers/crypto/cavium/zip/zip_main.c
    2279 +++ b/drivers/crypto/cavium/zip/zip_main.c
    2280 @@ -593,6 +593,7 @@ static const struct file_operations zip_stats_fops = {
    2281 .owner = THIS_MODULE,
    2282 .open = zip_stats_open,
    2283 .read = seq_read,
    2284 + .release = single_release,
    2285 };
    2286
    2287 static int zip_clear_open(struct inode *inode, struct file *file)
    2288 @@ -604,6 +605,7 @@ static const struct file_operations zip_clear_fops = {
    2289 .owner = THIS_MODULE,
    2290 .open = zip_clear_open,
    2291 .read = seq_read,
    2292 + .release = single_release,
    2293 };
    2294
    2295 static int zip_regs_open(struct inode *inode, struct file *file)
    2296 @@ -615,6 +617,7 @@ static const struct file_operations zip_regs_fops = {
    2297 .owner = THIS_MODULE,
    2298 .open = zip_regs_open,
    2299 .read = seq_read,
    2300 + .release = single_release,
    2301 };
    2302
    2303 /* Root directory for thunderx_zip debugfs entry */
    2304 diff --git a/drivers/crypto/ccree/cc_aead.c b/drivers/crypto/ccree/cc_aead.c
    2305 index 0669033f5be5..aa6b45bc13b9 100644
    2306 --- a/drivers/crypto/ccree/cc_aead.c
    2307 +++ b/drivers/crypto/ccree/cc_aead.c
    2308 @@ -227,7 +227,7 @@ static void cc_aead_complete(struct device *dev, void *cc_req, int err)
    2309 /* In case of payload authentication failure, MUST NOT
    2310 * revealed the decrypted message --> zero its memory.
    2311 */
    2312 - cc_zero_sgl(areq->dst, areq_ctx->cryptlen);
    2313 + cc_zero_sgl(areq->dst, areq->cryptlen);
    2314 err = -EBADMSG;
    2315 }
    2316 } else { /*ENCRYPT*/
    2317 diff --git a/drivers/crypto/ccree/cc_fips.c b/drivers/crypto/ccree/cc_fips.c
    2318 index 09f708f6418e..bac278d274b0 100644
    2319 --- a/drivers/crypto/ccree/cc_fips.c
    2320 +++ b/drivers/crypto/ccree/cc_fips.c
    2321 @@ -21,7 +21,13 @@ static bool cc_get_tee_fips_status(struct cc_drvdata *drvdata)
    2322 u32 reg;
    2323
    2324 reg = cc_ioread(drvdata, CC_REG(GPR_HOST));
    2325 - return (reg == (CC_FIPS_SYNC_TEE_STATUS | CC_FIPS_SYNC_MODULE_OK));
    2326 + /* Did the TEE report status? */
    2327 + if (reg & CC_FIPS_SYNC_TEE_STATUS)
    2328 + /* Yes. Is it OK? */
    2329 + return (reg & CC_FIPS_SYNC_MODULE_OK);
    2330 +
    2331 + /* No. It's either not in use or will be reported later */
    2332 + return true;
    2333 }
    2334
    2335 /*
    2336 diff --git a/drivers/crypto/qat/qat_common/adf_common_drv.h b/drivers/crypto/qat/qat_common/adf_common_drv.h
    2337 index 5c4c0a253129..d78f8d5c89c3 100644
    2338 --- a/drivers/crypto/qat/qat_common/adf_common_drv.h
    2339 +++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
    2340 @@ -95,7 +95,7 @@ struct service_hndl {
    2341
    2342 static inline int get_current_node(void)
    2343 {
    2344 - return topology_physical_package_id(smp_processor_id());
    2345 + return topology_physical_package_id(raw_smp_processor_id());
    2346 }
    2347
    2348 int adf_service_register(struct service_hndl *service);
    2349 diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
    2350 index c59d2eee5d30..06768074d2d8 100644
    2351 --- a/drivers/devfreq/tegra-devfreq.c
    2352 +++ b/drivers/devfreq/tegra-devfreq.c
    2353 @@ -486,11 +486,11 @@ static int tegra_devfreq_target(struct device *dev, unsigned long *freq,
    2354 {
    2355 struct tegra_devfreq *tegra = dev_get_drvdata(dev);
    2356 struct dev_pm_opp *opp;
    2357 - unsigned long rate = *freq * KHZ;
    2358 + unsigned long rate;
    2359
    2360 - opp = devfreq_recommended_opp(dev, &rate, flags);
    2361 + opp = devfreq_recommended_opp(dev, freq, flags);
    2362 if (IS_ERR(opp)) {
    2363 - dev_err(dev, "Failed to find opp for %lu KHz\n", *freq);
    2364 + dev_err(dev, "Failed to find opp for %lu Hz\n", *freq);
    2365 return PTR_ERR(opp);
    2366 }
    2367 rate = dev_pm_opp_get_freq(opp);
    2368 @@ -499,8 +499,6 @@ static int tegra_devfreq_target(struct device *dev, unsigned long *freq,
    2369 clk_set_min_rate(tegra->emc_clock, rate);
    2370 clk_set_rate(tegra->emc_clock, 0);
    2371
    2372 - *freq = rate;
    2373 -
    2374 return 0;
    2375 }
    2376
    2377 @@ -510,7 +508,7 @@ static int tegra_devfreq_get_dev_status(struct device *dev,
    2378 struct tegra_devfreq *tegra = dev_get_drvdata(dev);
    2379 struct tegra_devfreq_device *actmon_dev;
    2380
    2381 - stat->current_frequency = tegra->cur_freq;
    2382 + stat->current_frequency = tegra->cur_freq * KHZ;
    2383
    2384 /* To be used by the tegra governor */
    2385 stat->private_data = tegra;
    2386 @@ -565,7 +563,7 @@ static int tegra_governor_get_target(struct devfreq *devfreq,
    2387 target_freq = max(target_freq, dev->target_freq);
    2388 }
    2389
    2390 - *freq = target_freq;
    2391 + *freq = target_freq * KHZ;
    2392
    2393 return 0;
    2394 }
    2395 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
    2396 index 51b5e977ca88..f4e9d1b10e3e 100644
    2397 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
    2398 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
    2399 @@ -139,7 +139,8 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs,
    2400 /* ring tests don't use a job */
    2401 if (job) {
    2402 vm = job->vm;
    2403 - fence_ctx = job->base.s_fence->scheduled.context;
    2404 + fence_ctx = job->base.s_fence ?
    2405 + job->base.s_fence->scheduled.context : 0;
    2406 } else {
    2407 vm = NULL;
    2408 fence_ctx = 0;
    2409 diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
    2410 index c0396e83f352..fc93b103f777 100644
    2411 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
    2412 +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
    2413 @@ -562,6 +562,9 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
    2414 if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK)
    2415 sh_num = 0xffffffff;
    2416
    2417 + if (info->read_mmr_reg.count > 128)
    2418 + return -EINVAL;
    2419 +
    2420 regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs), GFP_KERNEL);
    2421 if (!regs)
    2422 return -ENOMEM;
    2423 diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
    2424 index 663a7c9ca3d3..d0e216d85a22 100644
    2425 --- a/drivers/gpu/drm/i915/gvt/scheduler.c
    2426 +++ b/drivers/gpu/drm/i915/gvt/scheduler.c
    2427 @@ -1276,9 +1276,6 @@ static int prepare_mm(struct intel_vgpu_workload *workload)
    2428 #define same_context(a, b) (((a)->context_id == (b)->context_id) && \
    2429 ((a)->lrca == (b)->lrca))
    2430
    2431 -#define get_last_workload(q) \
    2432 - (list_empty(q) ? NULL : container_of(q->prev, \
    2433 - struct intel_vgpu_workload, list))
    2434 /**
    2435 * intel_vgpu_create_workload - create a vGPU workload
    2436 * @vgpu: a vGPU
    2437 @@ -1297,7 +1294,7 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
    2438 {
    2439 struct intel_vgpu_submission *s = &vgpu->submission;
    2440 struct list_head *q = workload_q_head(vgpu, ring_id);
    2441 - struct intel_vgpu_workload *last_workload = get_last_workload(q);
    2442 + struct intel_vgpu_workload *last_workload = NULL;
    2443 struct intel_vgpu_workload *workload = NULL;
    2444 struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
    2445 u64 ring_context_gpa;
    2446 @@ -1320,15 +1317,20 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
    2447 head &= RB_HEAD_OFF_MASK;
    2448 tail &= RB_TAIL_OFF_MASK;
    2449
    2450 - if (last_workload && same_context(&last_workload->ctx_desc, desc)) {
    2451 - gvt_dbg_el("ring id %d cur workload == last\n", ring_id);
    2452 - gvt_dbg_el("ctx head %x real head %lx\n", head,
    2453 - last_workload->rb_tail);
    2454 - /*
    2455 - * cannot use guest context head pointer here,
    2456 - * as it might not be updated at this time
    2457 - */
    2458 - head = last_workload->rb_tail;
    2459 + list_for_each_entry_reverse(last_workload, q, list) {
    2460 +
    2461 + if (same_context(&last_workload->ctx_desc, desc)) {
    2462 + gvt_dbg_el("ring id %d cur workload == last\n",
    2463 + ring_id);
    2464 + gvt_dbg_el("ctx head %x real head %lx\n", head,
    2465 + last_workload->rb_tail);
    2466 + /*
    2467 + * cannot use guest context head pointer here,
    2468 + * as it might not be updated at this time
    2469 + */
    2470 + head = last_workload->rb_tail;
    2471 + break;
    2472 + }
    2473 }
    2474
    2475 gvt_dbg_el("ring id %d begin a new workload\n", ring_id);
    2476 diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
    2477 index 96fb5f635314..cc4ea5502d6c 100644
    2478 --- a/drivers/gpu/drm/msm/dsi/dsi_host.c
    2479 +++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
    2480 @@ -429,15 +429,15 @@ static int dsi_clk_init(struct msm_dsi_host *msm_host)
    2481 }
    2482
    2483 msm_host->byte_clk_src = clk_get_parent(msm_host->byte_clk);
    2484 - if (!msm_host->byte_clk_src) {
    2485 - ret = -ENODEV;
    2486 + if (IS_ERR(msm_host->byte_clk_src)) {
    2487 + ret = PTR_ERR(msm_host->byte_clk_src);
    2488 pr_err("%s: can't find byte_clk clock. ret=%d\n", __func__, ret);
    2489 goto exit;
    2490 }
    2491
    2492 msm_host->pixel_clk_src = clk_get_parent(msm_host->pixel_clk);
    2493 - if (!msm_host->pixel_clk_src) {
    2494 - ret = -ENODEV;
    2495 + if (IS_ERR(msm_host->pixel_clk_src)) {
    2496 + ret = PTR_ERR(msm_host->pixel_clk_src);
    2497 pr_err("%s: can't find pixel_clk clock. ret=%d\n", __func__, ret);
    2498 goto exit;
    2499 }
    2500 diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
    2501 index 5e01bfb69d7a..10107e551fac 100644
    2502 --- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
    2503 +++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
    2504 @@ -1517,7 +1517,8 @@ nv50_sor_create(struct drm_connector *connector, struct dcb_output *dcbe)
    2505 nv_encoder->aux = aux;
    2506 }
    2507
    2508 - if ((data = nvbios_dp_table(bios, &ver, &hdr, &cnt, &len)) &&
    2509 + if (nv_connector->type != DCB_CONNECTOR_eDP &&
    2510 + (data = nvbios_dp_table(bios, &ver, &hdr, &cnt, &len)) &&
    2511 ver >= 0x40 && (nvbios_rd08(bios, data + 0x08) & 0x04)) {
    2512 ret = nv50_mstm_new(nv_encoder, &nv_connector->aux, 16,
    2513 nv_connector->base.base.id,
    2514 diff --git a/drivers/gpu/drm/omapdrm/dss/dss.c b/drivers/gpu/drm/omapdrm/dss/dss.c
    2515 index cb80ddaa19d2..7e9e2f064454 100644
    2516 --- a/drivers/gpu/drm/omapdrm/dss/dss.c
    2517 +++ b/drivers/gpu/drm/omapdrm/dss/dss.c
    2518 @@ -1110,7 +1110,7 @@ static const struct dss_features omap34xx_dss_feats = {
    2519
    2520 static const struct dss_features omap3630_dss_feats = {
    2521 .model = DSS_MODEL_OMAP3,
    2522 - .fck_div_max = 32,
    2523 + .fck_div_max = 31,
    2524 .fck_freq_max = 173000000,
    2525 .dss_fck_multiplier = 1,
    2526 .parent_clk_name = "dpll4_ck",
    2527 diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
    2528 index 25b5407c74b5..d83310751a8e 100644
    2529 --- a/drivers/gpu/drm/radeon/radeon_drv.c
    2530 +++ b/drivers/gpu/drm/radeon/radeon_drv.c
    2531 @@ -340,8 +340,39 @@ static int radeon_kick_out_firmware_fb(struct pci_dev *pdev)
    2532 static int radeon_pci_probe(struct pci_dev *pdev,
    2533 const struct pci_device_id *ent)
    2534 {
    2535 + unsigned long flags = 0;
    2536 int ret;
    2537
    2538 + if (!ent)
    2539 + return -ENODEV; /* Avoid NULL-ptr deref in drm_get_pci_dev */
    2540 +
    2541 + flags = ent->driver_data;
    2542 +
    2543 + if (!radeon_si_support) {
    2544 + switch (flags & RADEON_FAMILY_MASK) {
    2545 + case CHIP_TAHITI:
    2546 + case CHIP_PITCAIRN:
    2547 + case CHIP_VERDE:
    2548 + case CHIP_OLAND:
    2549 + case CHIP_HAINAN:
    2550 + dev_info(&pdev->dev,
    2551 + "SI support disabled by module param\n");
    2552 + return -ENODEV;
    2553 + }
    2554 + }
    2555 + if (!radeon_cik_support) {
    2556 + switch (flags & RADEON_FAMILY_MASK) {
    2557 + case CHIP_KAVERI:
    2558 + case CHIP_BONAIRE:
    2559 + case CHIP_HAWAII:
    2560 + case CHIP_KABINI:
    2561 + case CHIP_MULLINS:
    2562 + dev_info(&pdev->dev,
    2563 + "CIK support disabled by module param\n");
    2564 + return -ENODEV;
    2565 + }
    2566 + }
    2567 +
    2568 if (vga_switcheroo_client_probe_defer(pdev))
    2569 return -EPROBE_DEFER;
    2570
    2571 diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
    2572 index 6a8fb6fd183c..3ff835767ac5 100644
    2573 --- a/drivers/gpu/drm/radeon/radeon_kms.c
    2574 +++ b/drivers/gpu/drm/radeon/radeon_kms.c
    2575 @@ -95,31 +95,6 @@ int radeon_driver_load_kms(struct drm_device *dev, unsigned long flags)
    2576 struct radeon_device *rdev;
    2577 int r, acpi_status;
    2578
    2579 - if (!radeon_si_support) {
    2580 - switch (flags & RADEON_FAMILY_MASK) {
    2581 - case CHIP_TAHITI:
    2582 - case CHIP_PITCAIRN:
    2583 - case CHIP_VERDE:
    2584 - case CHIP_OLAND:
    2585 - case CHIP_HAINAN:
    2586 - dev_info(dev->dev,
    2587 - "SI support disabled by module param\n");
    2588 - return -ENODEV;
    2589 - }
    2590 - }
    2591 - if (!radeon_cik_support) {
    2592 - switch (flags & RADEON_FAMILY_MASK) {
    2593 - case CHIP_KAVERI:
    2594 - case CHIP_BONAIRE:
    2595 - case CHIP_HAWAII:
    2596 - case CHIP_KABINI:
    2597 - case CHIP_MULLINS:
    2598 - dev_info(dev->dev,
    2599 - "CIK support disabled by module param\n");
    2600 - return -ENODEV;
    2601 - }
    2602 - }
    2603 -
    2604 rdev = kzalloc(sizeof(struct radeon_device), GFP_KERNEL);
    2605 if (rdev == NULL) {
    2606 return -ENOMEM;
    2607 diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c
    2608 index 2bce7cf0b0af..e45b5ec2f451 100644
    2609 --- a/drivers/hwtracing/coresight/coresight-etm4x.c
    2610 +++ b/drivers/hwtracing/coresight/coresight-etm4x.c
    2611 @@ -174,6 +174,12 @@ static void etm4_enable_hw(void *info)
    2612 if (coresight_timeout(drvdata->base, TRCSTATR, TRCSTATR_IDLE_BIT, 0))
    2613 dev_err(drvdata->dev,
    2614 "timeout while waiting for Idle Trace Status\n");
    2615 + /*
    2616 + * As recommended by section 4.3.7 ("Synchronization when using the
    2617 + * memory-mapped interface") of ARM IHI 0064D
    2618 + */
    2619 + dsb(sy);
    2620 + isb();
    2621
    2622 CS_LOCK(drvdata->base);
    2623
    2624 @@ -324,8 +330,12 @@ static void etm4_disable_hw(void *info)
    2625 /* EN, bit[0] Trace unit enable bit */
    2626 control &= ~0x1;
    2627
    2628 - /* make sure everything completes before disabling */
    2629 - mb();
    2630 + /*
    2631 + * Make sure everything completes before disabling, as recommended
    2632 + * by section 7.3.77 ("TRCVICTLR, ViewInst Main Control Register,
    2633 + * SSTATUS") of ARM IHI 0064D
    2634 + */
    2635 + dsb(sy);
    2636 isb();
    2637 writel_relaxed(control, drvdata->base + TRCPRGCTLR);
    2638
    2639 diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
    2640 index e5c598ae5f24..6627523e728b 100644
    2641 --- a/drivers/mmc/host/sdhci-of-esdhc.c
    2642 +++ b/drivers/mmc/host/sdhci-of-esdhc.c
    2643 @@ -480,7 +480,12 @@ static int esdhc_of_enable_dma(struct sdhci_host *host)
    2644 dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
    2645
    2646 value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
    2647 - value |= ESDHC_DMA_SNOOP;
    2648 +
    2649 + if (of_dma_is_coherent(dev->of_node))
    2650 + value |= ESDHC_DMA_SNOOP;
    2651 + else
    2652 + value &= ~ESDHC_DMA_SNOOP;
    2653 +
    2654 sdhci_writel(host, value, ESDHC_DMA_SYSCTL);
    2655 return 0;
    2656 }
    2657 diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
    2658 index eb33b892b484..e99d5632d8fa 100644
    2659 --- a/drivers/mmc/host/sdhci.c
    2660 +++ b/drivers/mmc/host/sdhci.c
    2661 @@ -2720,6 +2720,7 @@ static void sdhci_cmd_irq(struct sdhci_host *host, u32 intmask, u32 *intmask_p)
    2662 static void sdhci_adma_show_error(struct sdhci_host *host)
    2663 {
    2664 void *desc = host->adma_table;
    2665 + dma_addr_t dma = host->adma_addr;
    2666
    2667 sdhci_dumpregs(host);
    2668
    2669 @@ -2727,18 +2728,21 @@ static void sdhci_adma_show_error(struct sdhci_host *host)
    2670 struct sdhci_adma2_64_desc *dma_desc = desc;
    2671
    2672 if (host->flags & SDHCI_USE_64_BIT_DMA)
    2673 - DBG("%p: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n",
    2674 - desc, le32_to_cpu(dma_desc->addr_hi),
    2675 + SDHCI_DUMP("%08llx: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n",
    2676 + (unsigned long long)dma,
    2677 + le32_to_cpu(dma_desc->addr_hi),
    2678 le32_to_cpu(dma_desc->addr_lo),
    2679 le16_to_cpu(dma_desc->len),
    2680 le16_to_cpu(dma_desc->cmd));
    2681 else
    2682 - DBG("%p: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n",
    2683 - desc, le32_to_cpu(dma_desc->addr_lo),
    2684 + SDHCI_DUMP("%08llx: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n",
    2685 + (unsigned long long)dma,
    2686 + le32_to_cpu(dma_desc->addr_lo),
    2687 le16_to_cpu(dma_desc->len),
    2688 le16_to_cpu(dma_desc->cmd));
    2689
    2690 desc += host->desc_sz;
    2691 + dma += host->desc_sz;
    2692
    2693 if (dma_desc->cmd & cpu_to_le16(ADMA2_END))
    2694 break;
    2695 @@ -2814,7 +2818,8 @@ static void sdhci_data_irq(struct sdhci_host *host, u32 intmask)
    2696 != MMC_BUS_TEST_R)
    2697 host->data->error = -EILSEQ;
    2698 else if (intmask & SDHCI_INT_ADMA_ERROR) {
    2699 - pr_err("%s: ADMA error\n", mmc_hostname(host->mmc));
    2700 + pr_err("%s: ADMA error: 0x%08x\n", mmc_hostname(host->mmc),
    2701 + intmask);
    2702 sdhci_adma_show_error(host);
    2703 host->data->error = -EIO;
    2704 if (host->ops->adma_workaround)
    2705 diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
    2706 index fccb6bf21fad..de8d9dceb123 100644
    2707 --- a/drivers/net/can/spi/mcp251x.c
    2708 +++ b/drivers/net/can/spi/mcp251x.c
    2709 @@ -626,7 +626,7 @@ static int mcp251x_setup(struct net_device *net, struct spi_device *spi)
    2710 static int mcp251x_hw_reset(struct spi_device *spi)
    2711 {
    2712 struct mcp251x_priv *priv = spi_get_drvdata(spi);
    2713 - u8 reg;
    2714 + unsigned long timeout;
    2715 int ret;
    2716
    2717 /* Wait for oscillator startup timer after power up */
    2718 @@ -640,10 +640,19 @@ static int mcp251x_hw_reset(struct spi_device *spi)
    2719 /* Wait for oscillator startup timer after reset */
    2720 mdelay(MCP251X_OST_DELAY_MS);
    2721
    2722 - reg = mcp251x_read_reg(spi, CANSTAT);
    2723 - if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
    2724 - return -ENODEV;
    2725 -
    2726 + /* Wait for reset to finish */
    2727 + timeout = jiffies + HZ;
    2728 + while ((mcp251x_read_reg(spi, CANSTAT) & CANCTRL_REQOP_MASK) !=
    2729 + CANCTRL_REQOP_CONF) {
    2730 + usleep_range(MCP251X_OST_DELAY_MS * 1000,
    2731 + MCP251X_OST_DELAY_MS * 1000 * 2);
    2732 +
    2733 + if (time_after(jiffies, timeout)) {
    2734 + dev_err(&spi->dev,
    2735 + "MCP251x didn't enter in conf mode after reset\n");
    2736 + return -EBUSY;
    2737 + }
    2738 + }
    2739 return 0;
    2740 }
    2741
    2742 diff --git a/drivers/net/ethernet/netronome/nfp/flower/main.c b/drivers/net/ethernet/netronome/nfp/flower/main.c
    2743 index 22c572a09b32..c19e88efe958 100644
    2744 --- a/drivers/net/ethernet/netronome/nfp/flower/main.c
    2745 +++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
    2746 @@ -272,6 +272,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_app *app,
    2747 port = nfp_port_alloc(app, port_type, repr);
    2748 if (IS_ERR(port)) {
    2749 err = PTR_ERR(port);
    2750 + kfree(repr_priv);
    2751 nfp_repr_free(repr);
    2752 goto err_reprs_clean;
    2753 }
    2754 diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
    2755 index 4f684cbcdc57..078027bbe002 100644
    2756 --- a/drivers/net/ieee802154/atusb.c
    2757 +++ b/drivers/net/ieee802154/atusb.c
    2758 @@ -1140,10 +1140,11 @@ static void atusb_disconnect(struct usb_interface *interface)
    2759
    2760 ieee802154_unregister_hw(atusb->hw);
    2761
    2762 + usb_put_dev(atusb->usb_dev);
    2763 +
    2764 ieee802154_free_hw(atusb->hw);
    2765
    2766 usb_set_intfdata(interface, NULL);
    2767 - usb_put_dev(atusb->usb_dev);
    2768
    2769 pr_debug("%s done\n", __func__);
    2770 }
    2771 diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c
    2772 index 2a9d6b0d1f19..80508da3c8b5 100644
    2773 --- a/drivers/ntb/test/ntb_perf.c
    2774 +++ b/drivers/ntb/test/ntb_perf.c
    2775 @@ -1373,7 +1373,7 @@ static int perf_setup_peer_mw(struct perf_peer *peer)
    2776 int ret;
    2777
    2778 /* Get outbound MW parameters and map it */
    2779 - ret = ntb_peer_mw_get_addr(perf->ntb, peer->gidx, &phys_addr,
    2780 + ret = ntb_peer_mw_get_addr(perf->ntb, perf->gidx, &phys_addr,
    2781 &peer->outbuf_size);
    2782 if (ret)
    2783 return ret;
    2784 diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
    2785 index 2ba22cd1331b..54a633e8cb5d 100644
    2786 --- a/drivers/nvdimm/bus.c
    2787 +++ b/drivers/nvdimm/bus.c
    2788 @@ -189,7 +189,7 @@ static int nvdimm_clear_badblocks_region(struct device *dev, void *data)
    2789 sector_t sector;
    2790
    2791 /* make sure device is a region */
    2792 - if (!is_nd_pmem(dev))
    2793 + if (!is_memory(dev))
    2794 return 0;
    2795
    2796 nd_region = to_nd_region(dev);
    2797 diff --git a/drivers/nvdimm/region.c b/drivers/nvdimm/region.c
    2798 index f9130cc157e8..22224b21c34d 100644
    2799 --- a/drivers/nvdimm/region.c
    2800 +++ b/drivers/nvdimm/region.c
    2801 @@ -42,7 +42,7 @@ static int nd_region_probe(struct device *dev)
    2802 if (rc)
    2803 return rc;
    2804
    2805 - if (is_nd_pmem(&nd_region->dev)) {
    2806 + if (is_memory(&nd_region->dev)) {
    2807 struct resource ndr_res;
    2808
    2809 if (devm_init_badblocks(dev, &nd_region->bb))
    2810 @@ -131,7 +131,7 @@ static void nd_region_notify(struct device *dev, enum nvdimm_event event)
    2811 struct nd_region *nd_region = to_nd_region(dev);
    2812 struct resource res;
    2813
    2814 - if (is_nd_pmem(&nd_region->dev)) {
    2815 + if (is_memory(&nd_region->dev)) {
    2816 res.start = nd_region->ndr_start;
    2817 res.end = nd_region->ndr_start +
    2818 nd_region->ndr_size - 1;
    2819 diff --git a/drivers/nvdimm/region_devs.c b/drivers/nvdimm/region_devs.c
    2820 index 0303296e6d5b..609fc450522a 100644
    2821 --- a/drivers/nvdimm/region_devs.c
    2822 +++ b/drivers/nvdimm/region_devs.c
    2823 @@ -633,11 +633,11 @@ static umode_t region_visible(struct kobject *kobj, struct attribute *a, int n)
    2824 if (!is_memory(dev) && a == &dev_attr_dax_seed.attr)
    2825 return 0;
    2826
    2827 - if (!is_nd_pmem(dev) && a == &dev_attr_badblocks.attr)
    2828 + if (!is_memory(dev) && a == &dev_attr_badblocks.attr)
    2829 return 0;
    2830
    2831 if (a == &dev_attr_resource.attr) {
    2832 - if (is_nd_pmem(dev))
    2833 + if (is_memory(dev))
    2834 return 0400;
    2835 else
    2836 return 0;
    2837 diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
    2838 index fd2dbd7eed7b..52d4fa4161dc 100644
    2839 --- a/drivers/pci/controller/vmd.c
    2840 +++ b/drivers/pci/controller/vmd.c
    2841 @@ -31,6 +31,9 @@
    2842 #define PCI_REG_VMLOCK 0x70
    2843 #define MB2_SHADOW_EN(vmlock) (vmlock & 0x2)
    2844
    2845 +#define MB2_SHADOW_OFFSET 0x2000
    2846 +#define MB2_SHADOW_SIZE 16
    2847 +
    2848 enum vmd_features {
    2849 /*
    2850 * Device may contain registers which hint the physical location of the
    2851 @@ -600,7 +603,7 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
    2852 u32 vmlock;
    2853 int ret;
    2854
    2855 - membar2_offset = 0x2018;
    2856 + membar2_offset = MB2_SHADOW_OFFSET + MB2_SHADOW_SIZE;
    2857 ret = pci_read_config_dword(vmd->dev, PCI_REG_VMLOCK, &vmlock);
    2858 if (ret || vmlock == ~0)
    2859 return -ENODEV;
    2860 @@ -612,9 +615,9 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
    2861 if (!membar2)
    2862 return -ENOMEM;
    2863 offset[0] = vmd->dev->resource[VMD_MEMBAR1].start -
    2864 - readq(membar2 + 0x2008);
    2865 + readq(membar2 + MB2_SHADOW_OFFSET);
    2866 offset[1] = vmd->dev->resource[VMD_MEMBAR2].start -
    2867 - readq(membar2 + 0x2010);
    2868 + readq(membar2 + MB2_SHADOW_OFFSET + 8);
    2869 pci_iounmap(vmd->dev, membar2);
    2870 }
    2871 }
    2872 diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
    2873 index c65465385d8c..6384930a6749 100644
    2874 --- a/drivers/pci/pci.c
    2875 +++ b/drivers/pci/pci.c
    2876 @@ -1366,7 +1366,7 @@ static void pci_restore_rebar_state(struct pci_dev *pdev)
    2877 pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
    2878 bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX;
    2879 res = pdev->resource + bar_idx;
    2880 - size = order_base_2((resource_size(res) >> 20) | 1) - 1;
    2881 + size = ilog2(resource_size(res)) - 20;
    2882 ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE;
    2883 ctrl |= size << PCI_REBAR_CTRL_BAR_SHIFT;
    2884 pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl);
    2885 diff --git a/drivers/power/supply/sbs-battery.c b/drivers/power/supply/sbs-battery.c
    2886 index 8ba6abf584de..3958ee03eec1 100644
    2887 --- a/drivers/power/supply/sbs-battery.c
    2888 +++ b/drivers/power/supply/sbs-battery.c
    2889 @@ -323,17 +323,22 @@ static int sbs_get_battery_presence_and_health(
    2890 {
    2891 int ret;
    2892
    2893 - if (psp == POWER_SUPPLY_PROP_PRESENT) {
    2894 - /* Dummy command; if it succeeds, battery is present. */
    2895 - ret = sbs_read_word_data(client, sbs_data[REG_STATUS].addr);
    2896 - if (ret < 0)
    2897 - val->intval = 0; /* battery disconnected */
    2898 - else
    2899 - val->intval = 1; /* battery present */
    2900 - } else { /* POWER_SUPPLY_PROP_HEALTH */
    2901 + /* Dummy command; if it succeeds, battery is present. */
    2902 + ret = sbs_read_word_data(client, sbs_data[REG_STATUS].addr);
    2903 +
    2904 + if (ret < 0) { /* battery not present*/
    2905 + if (psp == POWER_SUPPLY_PROP_PRESENT) {
    2906 + val->intval = 0;
    2907 + return 0;
    2908 + }
    2909 + return ret;
    2910 + }
    2911 +
    2912 + if (psp == POWER_SUPPLY_PROP_PRESENT)
    2913 + val->intval = 1; /* battery present */
    2914 + else /* POWER_SUPPLY_PROP_HEALTH */
    2915 /* SBS spec doesn't have a general health command. */
    2916 val->intval = POWER_SUPPLY_HEALTH_UNKNOWN;
    2917 - }
    2918
    2919 return 0;
    2920 }
    2921 @@ -629,12 +634,14 @@ static int sbs_get_property(struct power_supply *psy,
    2922 switch (psp) {
    2923 case POWER_SUPPLY_PROP_PRESENT:
    2924 case POWER_SUPPLY_PROP_HEALTH:
    2925 - if (client->flags & SBS_FLAGS_TI_BQ20Z75)
    2926 + if (chip->flags & SBS_FLAGS_TI_BQ20Z75)
    2927 ret = sbs_get_ti_battery_presence_and_health(client,
    2928 psp, val);
    2929 else
    2930 ret = sbs_get_battery_presence_and_health(client, psp,
    2931 val);
    2932 +
    2933 + /* this can only be true if no gpio is used */
    2934 if (psp == POWER_SUPPLY_PROP_PRESENT)
    2935 return 0;
    2936 break;
    2937 diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c
    2938 index 0059b24cfdc3..28e1f6413476 100644
    2939 --- a/drivers/pwm/pwm-stm32-lp.c
    2940 +++ b/drivers/pwm/pwm-stm32-lp.c
    2941 @@ -58,6 +58,12 @@ static int stm32_pwm_lp_apply(struct pwm_chip *chip, struct pwm_device *pwm,
    2942 /* Calculate the period and prescaler value */
    2943 div = (unsigned long long)clk_get_rate(priv->clk) * state->period;
    2944 do_div(div, NSEC_PER_SEC);
    2945 + if (!div) {
    2946 + /* Clock is too slow to achieve requested period. */
    2947 + dev_dbg(priv->chip.dev, "Can't reach %u ns\n", state->period);
    2948 + return -EINVAL;
    2949 + }
    2950 +
    2951 prd = div;
    2952 while (div > STM32_LPTIM_MAX_ARR) {
    2953 presc++;
    2954 diff --git a/drivers/s390/cio/ccwgroup.c b/drivers/s390/cio/ccwgroup.c
    2955 index 93b2862bd3fa..674d848e377c 100644
    2956 --- a/drivers/s390/cio/ccwgroup.c
    2957 +++ b/drivers/s390/cio/ccwgroup.c
    2958 @@ -372,7 +372,7 @@ int ccwgroup_create_dev(struct device *parent, struct ccwgroup_driver *gdrv,
    2959 goto error;
    2960 }
    2961 /* Check for trailing stuff. */
    2962 - if (i == num_devices && strlen(buf) > 0) {
    2963 + if (i == num_devices && buf && strlen(buf) > 0) {
    2964 rc = -EINVAL;
    2965 goto error;
    2966 }
    2967 diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
    2968 index aea502922646..df09ed53ab45 100644
    2969 --- a/drivers/s390/cio/css.c
    2970 +++ b/drivers/s390/cio/css.c
    2971 @@ -1213,6 +1213,8 @@ device_initcall(cio_settle_init);
    2972
    2973 int sch_is_pseudo_sch(struct subchannel *sch)
    2974 {
    2975 + if (!sch->dev.parent)
    2976 + return 0;
    2977 return sch == to_css(sch->dev.parent)->pseudo_subchannel;
    2978 }
    2979
    2980 diff --git a/drivers/staging/erofs/dir.c b/drivers/staging/erofs/dir.c
    2981 index 0a089cf5c78f..fe6683effd05 100644
    2982 --- a/drivers/staging/erofs/dir.c
    2983 +++ b/drivers/staging/erofs/dir.c
    2984 @@ -100,8 +100,15 @@ static int erofs_readdir(struct file *f, struct dir_context *ctx)
    2985 unsigned nameoff, maxsize;
    2986
    2987 dentry_page = read_mapping_page(mapping, i, NULL);
    2988 - if (IS_ERR(dentry_page))
    2989 - continue;
    2990 + if (dentry_page == ERR_PTR(-ENOMEM)) {
    2991 + err = -ENOMEM;
    2992 + break;
    2993 + } else if (IS_ERR(dentry_page)) {
    2994 + errln("fail to readdir of logical block %u of nid %llu",
    2995 + i, EROFS_V(dir)->nid);
    2996 + err = PTR_ERR(dentry_page);
    2997 + break;
    2998 + }
    2999
    3000 lock_page(dentry_page);
    3001 de = (struct erofs_dirent *)kmap(dentry_page);
    3002 diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c
    3003 index ad6fe6d9d00a..0f1558c6747e 100644
    3004 --- a/drivers/staging/erofs/unzip_vle.c
    3005 +++ b/drivers/staging/erofs/unzip_vle.c
    3006 @@ -311,7 +311,11 @@ z_erofs_vle_work_lookup(struct super_block *sb,
    3007 /* if multiref is disabled, `primary' is always true */
    3008 primary = true;
    3009
    3010 - DBG_BUGON(work->pageofs != pageofs);
    3011 + if (work->pageofs != pageofs) {
    3012 + DBG_BUGON(1);
    3013 + erofs_workgroup_put(egrp);
    3014 + return ERR_PTR(-EIO);
    3015 + }
    3016
    3017 /*
    3018 * lock must be taken first to avoid grp->next == NIL between
    3019 @@ -853,6 +857,7 @@ repeat:
    3020 for (i = 0; i < nr_pages; ++i)
    3021 pages[i] = NULL;
    3022
    3023 + err = 0;
    3024 z_erofs_pagevec_ctor_init(&ctor,
    3025 Z_EROFS_VLE_INLINE_PAGEVECS, work->pagevec, 0);
    3026
    3027 @@ -874,8 +879,17 @@ repeat:
    3028 pagenr = z_erofs_onlinepage_index(page);
    3029
    3030 DBG_BUGON(pagenr >= nr_pages);
    3031 - DBG_BUGON(pages[pagenr]);
    3032
    3033 + /*
    3034 + * currently EROFS doesn't support multiref(dedup),
    3035 + * so here erroring out one multiref page.
    3036 + */
    3037 + if (pages[pagenr]) {
    3038 + DBG_BUGON(1);
    3039 + SetPageError(pages[pagenr]);
    3040 + z_erofs_onlinepage_endio(pages[pagenr]);
    3041 + err = -EIO;
    3042 + }
    3043 pages[pagenr] = page;
    3044 }
    3045 sparsemem_pages = i;
    3046 @@ -885,7 +899,6 @@ repeat:
    3047 overlapped = false;
    3048 compressed_pages = grp->compressed_pages;
    3049
    3050 - err = 0;
    3051 for (i = 0; i < clusterpages; ++i) {
    3052 unsigned pagenr;
    3053
    3054 @@ -911,7 +924,12 @@ repeat:
    3055 pagenr = z_erofs_onlinepage_index(page);
    3056
    3057 DBG_BUGON(pagenr >= nr_pages);
    3058 - DBG_BUGON(pages[pagenr]);
    3059 + if (pages[pagenr]) {
    3060 + DBG_BUGON(1);
    3061 + SetPageError(pages[pagenr]);
    3062 + z_erofs_onlinepage_endio(pages[pagenr]);
    3063 + err = -EIO;
    3064 + }
    3065 ++sparsemem_pages;
    3066 pages[pagenr] = page;
    3067
    3068 @@ -1335,19 +1353,18 @@ static int z_erofs_vle_normalaccess_readpage(struct file *file,
    3069 err = z_erofs_do_read_page(&f, page, &pagepool);
    3070 (void)z_erofs_vle_work_iter_end(&f.builder);
    3071
    3072 - if (err) {
    3073 + /* if some compressed cluster ready, need submit them anyway */
    3074 + z_erofs_submit_and_unzip(&f, &pagepool, true);
    3075 +
    3076 + if (err)
    3077 errln("%s, failed to read, err [%d]", __func__, err);
    3078 - goto out;
    3079 - }
    3080
    3081 - z_erofs_submit_and_unzip(&f, &pagepool, true);
    3082 -out:
    3083 if (f.m_iter.mpage != NULL)
    3084 put_page(f.m_iter.mpage);
    3085
    3086 /* clean up the remaining free pages */
    3087 put_pages_list(&pagepool);
    3088 - return 0;
    3089 + return err;
    3090 }
    3091
    3092 static inline int __z_erofs_vle_normalaccess_readpages(
    3093 diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
    3094 index bf9721fc2824..be3eafc7682b 100644
    3095 --- a/drivers/thermal/thermal_core.c
    3096 +++ b/drivers/thermal/thermal_core.c
    3097 @@ -296,7 +296,7 @@ static void thermal_zone_device_set_polling(struct thermal_zone_device *tz,
    3098 mod_delayed_work(system_freezable_wq, &tz->poll_queue,
    3099 msecs_to_jiffies(delay));
    3100 else
    3101 - cancel_delayed_work(&tz->poll_queue);
    3102 + cancel_delayed_work_sync(&tz->poll_queue);
    3103 }
    3104
    3105 static void monitor_thermal_zone(struct thermal_zone_device *tz)
    3106 diff --git a/drivers/thermal/thermal_hwmon.c b/drivers/thermal/thermal_hwmon.c
    3107 index 40c69a533b24..dd5d8ee37928 100644
    3108 --- a/drivers/thermal/thermal_hwmon.c
    3109 +++ b/drivers/thermal/thermal_hwmon.c
    3110 @@ -87,13 +87,17 @@ static struct thermal_hwmon_device *
    3111 thermal_hwmon_lookup_by_type(const struct thermal_zone_device *tz)
    3112 {
    3113 struct thermal_hwmon_device *hwmon;
    3114 + char type[THERMAL_NAME_LENGTH];
    3115
    3116 mutex_lock(&thermal_hwmon_list_lock);
    3117 - list_for_each_entry(hwmon, &thermal_hwmon_list, node)
    3118 - if (!strcmp(hwmon->type, tz->type)) {
    3119 + list_for_each_entry(hwmon, &thermal_hwmon_list, node) {
    3120 + strcpy(type, tz->type);
    3121 + strreplace(type, '-', '_');
    3122 + if (!strcmp(hwmon->type, type)) {
    3123 mutex_unlock(&thermal_hwmon_list_lock);
    3124 return hwmon;
    3125 }
    3126 + }
    3127 mutex_unlock(&thermal_hwmon_list_lock);
    3128
    3129 return NULL;
    3130 diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c
    3131 index 1abe4d021fd2..ffde179a9bb2 100644
    3132 --- a/drivers/watchdog/aspeed_wdt.c
    3133 +++ b/drivers/watchdog/aspeed_wdt.c
    3134 @@ -38,6 +38,7 @@ static const struct aspeed_wdt_config ast2500_config = {
    3135 static const struct of_device_id aspeed_wdt_of_table[] = {
    3136 { .compatible = "aspeed,ast2400-wdt", .data = &ast2400_config },
    3137 { .compatible = "aspeed,ast2500-wdt", .data = &ast2500_config },
    3138 + { .compatible = "aspeed,ast2600-wdt", .data = &ast2500_config },
    3139 { },
    3140 };
    3141 MODULE_DEVICE_TABLE(of, aspeed_wdt_of_table);
    3142 @@ -264,7 +265,8 @@ static int aspeed_wdt_probe(struct platform_device *pdev)
    3143 set_bit(WDOG_HW_RUNNING, &wdt->wdd.status);
    3144 }
    3145
    3146 - if (of_device_is_compatible(np, "aspeed,ast2500-wdt")) {
    3147 + if ((of_device_is_compatible(np, "aspeed,ast2500-wdt")) ||
    3148 + (of_device_is_compatible(np, "aspeed,ast2600-wdt"))) {
    3149 u32 reg = readl(wdt->base + WDT_RESET_WIDTH);
    3150
    3151 reg &= config->ext_pulse_width_mask;
    3152 diff --git a/drivers/watchdog/imx2_wdt.c b/drivers/watchdog/imx2_wdt.c
    3153 index 7e7bdcbbc741..9f3123b04536 100644
    3154 --- a/drivers/watchdog/imx2_wdt.c
    3155 +++ b/drivers/watchdog/imx2_wdt.c
    3156 @@ -55,7 +55,7 @@
    3157
    3158 #define IMX2_WDT_WMCR 0x08 /* Misc Register */
    3159
    3160 -#define IMX2_WDT_MAX_TIME 128
    3161 +#define IMX2_WDT_MAX_TIME 128U
    3162 #define IMX2_WDT_DEFAULT_TIME 60 /* in seconds */
    3163
    3164 #define WDOG_SEC_TO_COUNT(s) ((s * 2 - 1) << 8)
    3165 @@ -180,7 +180,7 @@ static int imx2_wdt_set_timeout(struct watchdog_device *wdog,
    3166 {
    3167 unsigned int actual;
    3168
    3169 - actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000);
    3170 + actual = min(new_timeout, IMX2_WDT_MAX_TIME);
    3171 __imx2_wdt_set_timeout(wdog, actual);
    3172 wdog->timeout = new_timeout;
    3173 return 0;
    3174 diff --git a/drivers/xen/pci.c b/drivers/xen/pci.c
    3175 index 7494dbeb4409..db58aaa4dc59 100644
    3176 --- a/drivers/xen/pci.c
    3177 +++ b/drivers/xen/pci.c
    3178 @@ -29,6 +29,8 @@
    3179 #include "../pci/pci.h"
    3180 #ifdef CONFIG_PCI_MMCONFIG
    3181 #include <asm/pci_x86.h>
    3182 +
    3183 +static int xen_mcfg_late(void);
    3184 #endif
    3185
    3186 static bool __read_mostly pci_seg_supported = true;
    3187 @@ -40,7 +42,18 @@ static int xen_add_device(struct device *dev)
    3188 #ifdef CONFIG_PCI_IOV
    3189 struct pci_dev *physfn = pci_dev->physfn;
    3190 #endif
    3191 -
    3192 +#ifdef CONFIG_PCI_MMCONFIG
    3193 + static bool pci_mcfg_reserved = false;
    3194 + /*
    3195 + * Reserve MCFG areas in Xen on first invocation due to this being
    3196 + * potentially called from inside of acpi_init immediately after
    3197 + * MCFG table has been finally parsed.
    3198 + */
    3199 + if (!pci_mcfg_reserved) {
    3200 + xen_mcfg_late();
    3201 + pci_mcfg_reserved = true;
    3202 + }
    3203 +#endif
    3204 if (pci_seg_supported) {
    3205 struct {
    3206 struct physdev_pci_device_add add;
    3207 @@ -213,7 +226,7 @@ static int __init register_xen_pci_notifier(void)
    3208 arch_initcall(register_xen_pci_notifier);
    3209
    3210 #ifdef CONFIG_PCI_MMCONFIG
    3211 -static int __init xen_mcfg_late(void)
    3212 +static int xen_mcfg_late(void)
    3213 {
    3214 struct pci_mmcfg_region *cfg;
    3215 int rc;
    3216 @@ -252,8 +265,4 @@ static int __init xen_mcfg_late(void)
    3217 }
    3218 return 0;
    3219 }
    3220 -/*
    3221 - * Needs to be done after acpi_init which are subsys_initcall.
    3222 - */
    3223 -subsys_initcall_sync(xen_mcfg_late);
    3224 #endif
    3225 diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
    3226 index 39c63152a358..454c6826abdb 100644
    3227 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
    3228 +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
    3229 @@ -55,6 +55,7 @@
    3230 #include <linux/string.h>
    3231 #include <linux/slab.h>
    3232 #include <linux/miscdevice.h>
    3233 +#include <linux/workqueue.h>
    3234
    3235 #include <xen/xenbus.h>
    3236 #include <xen/xen.h>
    3237 @@ -116,6 +117,8 @@ struct xenbus_file_priv {
    3238 wait_queue_head_t read_waitq;
    3239
    3240 struct kref kref;
    3241 +
    3242 + struct work_struct wq;
    3243 };
    3244
    3245 /* Read out any raw xenbus messages queued up. */
    3246 @@ -300,14 +303,14 @@ static void watch_fired(struct xenbus_watch *watch,
    3247 mutex_unlock(&adap->dev_data->reply_mutex);
    3248 }
    3249
    3250 -static void xenbus_file_free(struct kref *kref)
    3251 +static void xenbus_worker(struct work_struct *wq)
    3252 {
    3253 struct xenbus_file_priv *u;
    3254 struct xenbus_transaction_holder *trans, *tmp;
    3255 struct watch_adapter *watch, *tmp_watch;
    3256 struct read_buffer *rb, *tmp_rb;
    3257
    3258 - u = container_of(kref, struct xenbus_file_priv, kref);
    3259 + u = container_of(wq, struct xenbus_file_priv, wq);
    3260
    3261 /*
    3262 * No need for locking here because there are no other users,
    3263 @@ -333,6 +336,18 @@ static void xenbus_file_free(struct kref *kref)
    3264 kfree(u);
    3265 }
    3266
    3267 +static void xenbus_file_free(struct kref *kref)
    3268 +{
    3269 + struct xenbus_file_priv *u;
    3270 +
    3271 + /*
    3272 + * We might be called in xenbus_thread().
    3273 + * Use workqueue to avoid deadlock.
    3274 + */
    3275 + u = container_of(kref, struct xenbus_file_priv, kref);
    3276 + schedule_work(&u->wq);
    3277 +}
    3278 +
    3279 static struct xenbus_transaction_holder *xenbus_get_transaction(
    3280 struct xenbus_file_priv *u, uint32_t tx_id)
    3281 {
    3282 @@ -652,6 +667,7 @@ static int xenbus_file_open(struct inode *inode, struct file *filp)
    3283 INIT_LIST_HEAD(&u->watches);
    3284 INIT_LIST_HEAD(&u->read_buffers);
    3285 init_waitqueue_head(&u->read_waitq);
    3286 + INIT_WORK(&u->wq, xenbus_worker);
    3287
    3288 mutex_init(&u->reply_mutex);
    3289 mutex_init(&u->msgbuffer_mutex);
    3290 diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
    3291 index 05454a7e22dc..550d0b169d7c 100644
    3292 --- a/fs/9p/vfs_file.c
    3293 +++ b/fs/9p/vfs_file.c
    3294 @@ -528,6 +528,7 @@ v9fs_mmap_file_mmap(struct file *filp, struct vm_area_struct *vma)
    3295 v9inode = V9FS_I(inode);
    3296 mutex_lock(&v9inode->v_mutex);
    3297 if (!v9inode->writeback_fid &&
    3298 + (vma->vm_flags & VM_SHARED) &&
    3299 (vma->vm_flags & VM_WRITE)) {
    3300 /*
    3301 * clone a fid and add it to writeback_fid
    3302 @@ -629,6 +630,8 @@ static void v9fs_mmap_vm_close(struct vm_area_struct *vma)
    3303 (vma->vm_end - vma->vm_start - 1),
    3304 };
    3305
    3306 + if (!(vma->vm_flags & VM_SHARED))
    3307 + return;
    3308
    3309 p9_debug(P9_DEBUG_VFS, "9p VMA close, %p, flushing", vma);
    3310
    3311 diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
    3312 index c06845237cba..8196c21d8623 100644
    3313 --- a/fs/ceph/inode.c
    3314 +++ b/fs/ceph/inode.c
    3315 @@ -807,7 +807,12 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
    3316
    3317 /* update inode */
    3318 inode->i_rdev = le32_to_cpu(info->rdev);
    3319 - inode->i_blkbits = fls(le32_to_cpu(info->layout.fl_stripe_unit)) - 1;
    3320 + /* directories have fl_stripe_unit set to zero */
    3321 + if (le32_to_cpu(info->layout.fl_stripe_unit))
    3322 + inode->i_blkbits =
    3323 + fls(le32_to_cpu(info->layout.fl_stripe_unit)) - 1;
    3324 + else
    3325 + inode->i_blkbits = CEPH_BLOCK_SHIFT;
    3326
    3327 __ceph_update_quota(ci, iinfo->max_bytes, iinfo->max_files);
    3328
    3329 diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
    3330 index bfcf11c70bfa..09db6d08614d 100644
    3331 --- a/fs/ceph/mds_client.c
    3332 +++ b/fs/ceph/mds_client.c
    3333 @@ -3640,7 +3640,9 @@ static void delayed_work(struct work_struct *work)
    3334 pr_info("mds%d hung\n", s->s_mds);
    3335 }
    3336 }
    3337 - if (s->s_state < CEPH_MDS_SESSION_OPEN) {
    3338 + if (s->s_state == CEPH_MDS_SESSION_NEW ||
    3339 + s->s_state == CEPH_MDS_SESSION_RESTARTING ||
    3340 + s->s_state == CEPH_MDS_SESSION_REJECTED) {
    3341 /* this mds is failed or recovering, just wait */
    3342 ceph_put_mds_session(s);
    3343 continue;
    3344 diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
    3345 index 8f68181256c0..f057c213c453 100644
    3346 --- a/fs/fuse/cuse.c
    3347 +++ b/fs/fuse/cuse.c
    3348 @@ -518,6 +518,7 @@ static int cuse_channel_open(struct inode *inode, struct file *file)
    3349 rc = cuse_send_init(cc);
    3350 if (rc) {
    3351 fuse_dev_free(fud);
    3352 + fuse_conn_put(&cc->fc);
    3353 return rc;
    3354 }
    3355 file->private_data = fud;
    3356 diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
    3357 index b7bde12d8cd5..1c0227c78a7b 100644
    3358 --- a/fs/nfs/nfs4xdr.c
    3359 +++ b/fs/nfs/nfs4xdr.c
    3360 @@ -1171,7 +1171,7 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,
    3361 } else
    3362 *p++ = cpu_to_be32(NFS4_SET_TO_SERVER_TIME);
    3363 }
    3364 - if (bmval[2] & FATTR4_WORD2_SECURITY_LABEL) {
    3365 + if (label && (bmval[2] & FATTR4_WORD2_SECURITY_LABEL)) {
    3366 *p++ = cpu_to_be32(label->lfs);
    3367 *p++ = cpu_to_be32(label->pi);
    3368 *p++ = cpu_to_be32(label->len);
    3369 diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
    3370 index 4931c3a75f03..c818f9886f61 100644
    3371 --- a/fs/nfs/pnfs.c
    3372 +++ b/fs/nfs/pnfs.c
    3373 @@ -1426,10 +1426,15 @@ void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
    3374 const nfs4_stateid *res_stateid = NULL;
    3375 struct nfs4_xdr_opaque_data *ld_private = args->ld_private;
    3376
    3377 - if (ret == 0) {
    3378 - arg_stateid = &args->stateid;
    3379 + switch (ret) {
    3380 + case -NFS4ERR_NOMATCHING_LAYOUT:
    3381 + break;
    3382 + case 0:
    3383 if (res->lrs_present)
    3384 res_stateid = &res->stateid;
    3385 + /* Fallthrough */
    3386 + default:
    3387 + arg_stateid = &args->stateid;
    3388 }
    3389 pnfs_layoutreturn_free_lsegs(lo, arg_stateid, &args->range,
    3390 res_stateid);
    3391 diff --git a/fs/statfs.c b/fs/statfs.c
    3392 index f0216629621d..56f655f757ff 100644
    3393 --- a/fs/statfs.c
    3394 +++ b/fs/statfs.c
    3395 @@ -304,19 +304,10 @@ COMPAT_SYSCALL_DEFINE2(fstatfs, unsigned int, fd, struct compat_statfs __user *,
    3396 static int put_compat_statfs64(struct compat_statfs64 __user *ubuf, struct kstatfs *kbuf)
    3397 {
    3398 struct compat_statfs64 buf;
    3399 - if (sizeof(ubuf->f_bsize) == 4) {
    3400 - if ((kbuf->f_type | kbuf->f_bsize | kbuf->f_namelen |
    3401 - kbuf->f_frsize | kbuf->f_flags) & 0xffffffff00000000ULL)
    3402 - return -EOVERFLOW;
    3403 - /* f_files and f_ffree may be -1; it's okay
    3404 - * to stuff that into 32 bits */
    3405 - if (kbuf->f_files != 0xffffffffffffffffULL
    3406 - && (kbuf->f_files & 0xffffffff00000000ULL))
    3407 - return -EOVERFLOW;
    3408 - if (kbuf->f_ffree != 0xffffffffffffffffULL
    3409 - && (kbuf->f_ffree & 0xffffffff00000000ULL))
    3410 - return -EOVERFLOW;
    3411 - }
    3412 +
    3413 + if ((kbuf->f_bsize | kbuf->f_frsize) & 0xffffffff00000000ULL)
    3414 + return -EOVERFLOW;
    3415 +
    3416 memset(&buf, 0, sizeof(struct compat_statfs64));
    3417 buf.f_type = kbuf->f_type;
    3418 buf.f_bsize = kbuf->f_bsize;
    3419 diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
    3420 index 9c03a7d5e400..c83478271c2e 100644
    3421 --- a/include/linux/ieee80211.h
    3422 +++ b/include/linux/ieee80211.h
    3423 @@ -3185,4 +3185,57 @@ static inline bool ieee80211_action_contains_tpc(struct sk_buff *skb)
    3424 return true;
    3425 }
    3426
    3427 +struct element {
    3428 + u8 id;
    3429 + u8 datalen;
    3430 + u8 data[];
    3431 +} __packed;
    3432 +
    3433 +/* element iteration helpers */
    3434 +#define for_each_element(_elem, _data, _datalen) \
    3435 + for (_elem = (const struct element *)(_data); \
    3436 + (const u8 *)(_data) + (_datalen) - (const u8 *)_elem >= \
    3437 + (int)sizeof(*_elem) && \
    3438 + (const u8 *)(_data) + (_datalen) - (const u8 *)_elem >= \
    3439 + (int)sizeof(*_elem) + _elem->datalen; \
    3440 + _elem = (const struct element *)(_elem->data + _elem->datalen))
    3441 +
    3442 +#define for_each_element_id(element, _id, data, datalen) \
    3443 + for_each_element(element, data, datalen) \
    3444 + if (element->id == (_id))
    3445 +
    3446 +#define for_each_element_extid(element, extid, data, datalen) \
    3447 + for_each_element(element, data, datalen) \
    3448 + if (element->id == WLAN_EID_EXTENSION && \
    3449 + element->datalen > 0 && \
    3450 + element->data[0] == (extid))
    3451 +
    3452 +#define for_each_subelement(sub, element) \
    3453 + for_each_element(sub, (element)->data, (element)->datalen)
    3454 +
    3455 +#define for_each_subelement_id(sub, id, element) \
    3456 + for_each_element_id(sub, id, (element)->data, (element)->datalen)
    3457 +
    3458 +#define for_each_subelement_extid(sub, extid, element) \
    3459 + for_each_element_extid(sub, extid, (element)->data, (element)->datalen)
    3460 +
    3461 +/**
    3462 + * for_each_element_completed - determine if element parsing consumed all data
    3463 + * @element: element pointer after for_each_element() or friends
    3464 + * @data: same data pointer as passed to for_each_element() or friends
    3465 + * @datalen: same data length as passed to for_each_element() or friends
    3466 + *
    3467 + * This function returns %true if all the data was parsed or considered
    3468 + * while walking the elements. Only use this if your for_each_element()
    3469 + * loop cannot be broken out of, otherwise it always returns %false.
    3470 + *
    3471 + * If some data was malformed, this returns %false since the last parsed
    3472 + * element will not fill the whole remaining data.
    3473 + */
    3474 +static inline bool for_each_element_completed(const struct element *element,
    3475 + const void *data, size_t datalen)
    3476 +{
    3477 + return (const u8 *)element == (const u8 *)data + datalen;
    3478 +}
    3479 +
    3480 #endif /* LINUX_IEEE80211_H */
    3481 diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
    3482 index 0d10b7ce0da7..e9d4e389aed9 100644
    3483 --- a/include/linux/sched/mm.h
    3484 +++ b/include/linux/sched/mm.h
    3485 @@ -330,6 +330,8 @@ enum {
    3486
    3487 static inline void membarrier_mm_sync_core_before_usermode(struct mm_struct *mm)
    3488 {
    3489 + if (current->mm != mm)
    3490 + return;
    3491 if (likely(!(atomic_read(&mm->membarrier_state) &
    3492 MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE)))
    3493 return;
    3494 diff --git a/include/sound/soc-dapm.h b/include/sound/soc-dapm.h
    3495 index fdaaafdc7a00..5165e3b30899 100644
    3496 --- a/include/sound/soc-dapm.h
    3497 +++ b/include/sound/soc-dapm.h
    3498 @@ -353,6 +353,8 @@ struct device;
    3499 #define SND_SOC_DAPM_WILL_PMD 0x80 /* called at start of sequence */
    3500 #define SND_SOC_DAPM_PRE_POST_PMD \
    3501 (SND_SOC_DAPM_PRE_PMD | SND_SOC_DAPM_POST_PMD)
    3502 +#define SND_SOC_DAPM_PRE_POST_PMU \
    3503 + (SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMU)
    3504
    3505 /* convenience event type detection */
    3506 #define SND_SOC_DAPM_EVENT_ON(e) \
    3507 diff --git a/kernel/elfcore.c b/kernel/elfcore.c
    3508 index fc482c8e0bd8..57fb4dcff434 100644
    3509 --- a/kernel/elfcore.c
    3510 +++ b/kernel/elfcore.c
    3511 @@ -3,6 +3,7 @@
    3512 #include <linux/fs.h>
    3513 #include <linux/mm.h>
    3514 #include <linux/binfmts.h>
    3515 +#include <linux/elfcore.h>
    3516
    3517 Elf_Half __weak elf_core_extra_phdrs(void)
    3518 {
    3519 diff --git a/kernel/locking/qspinlock_paravirt.h b/kernel/locking/qspinlock_paravirt.h
    3520 index 5a0cf5f9008c..82104d3dd18e 100644
    3521 --- a/kernel/locking/qspinlock_paravirt.h
    3522 +++ b/kernel/locking/qspinlock_paravirt.h
    3523 @@ -271,7 +271,7 @@ pv_wait_early(struct pv_node *prev, int loop)
    3524 if ((loop & PV_PREV_CHECK_MASK) != 0)
    3525 return false;
    3526
    3527 - return READ_ONCE(prev->state) != vcpu_running || vcpu_is_preempted(prev->cpu);
    3528 + return READ_ONCE(prev->state) != vcpu_running;
    3529 }
    3530
    3531 /*
    3532 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
    3533 index f4e050681ba1..78ecdfae25b6 100644
    3534 --- a/kernel/sched/core.c
    3535 +++ b/kernel/sched/core.c
    3536 @@ -1077,7 +1077,8 @@ static int __set_cpus_allowed_ptr(struct task_struct *p,
    3537 if (cpumask_equal(&p->cpus_allowed, new_mask))
    3538 goto out;
    3539
    3540 - if (!cpumask_intersects(new_mask, cpu_valid_mask)) {
    3541 + dest_cpu = cpumask_any_and(cpu_valid_mask, new_mask);
    3542 + if (dest_cpu >= nr_cpu_ids) {
    3543 ret = -EINVAL;
    3544 goto out;
    3545 }
    3546 @@ -1098,7 +1099,6 @@ static int __set_cpus_allowed_ptr(struct task_struct *p,
    3547 if (cpumask_test_cpu(task_cpu(p), new_mask))
    3548 goto out;
    3549
    3550 - dest_cpu = cpumask_any_and(cpu_valid_mask, new_mask);
    3551 if (task_running(rq, p) || p->state == TASK_WAKING) {
    3552 struct migration_arg arg = { p, dest_cpu };
    3553 /* Need help from migration thread: drop lock and wait. */
    3554 diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
    3555 index 76e0eaf4654e..dd27e632b1ba 100644
    3556 --- a/kernel/sched/membarrier.c
    3557 +++ b/kernel/sched/membarrier.c
    3558 @@ -235,7 +235,7 @@ static int membarrier_register_private_expedited(int flags)
    3559 * groups, which use the same mm. (CLONE_VM but not
    3560 * CLONE_THREAD).
    3561 */
    3562 - if (atomic_read(&mm->membarrier_state) & state)
    3563 + if ((atomic_read(&mm->membarrier_state) & state) == state)
    3564 return 0;
    3565 atomic_or(MEMBARRIER_STATE_PRIVATE_EXPEDITED, &mm->membarrier_state);
    3566 if (flags & MEMBARRIER_FLAG_SYNC_CORE)
    3567 diff --git a/kernel/time/tick-broadcast-hrtimer.c b/kernel/time/tick-broadcast-hrtimer.c
    3568 index a59641fb88b6..a836efd34589 100644
    3569 --- a/kernel/time/tick-broadcast-hrtimer.c
    3570 +++ b/kernel/time/tick-broadcast-hrtimer.c
    3571 @@ -44,34 +44,39 @@ static int bc_shutdown(struct clock_event_device *evt)
    3572 */
    3573 static int bc_set_next(ktime_t expires, struct clock_event_device *bc)
    3574 {
    3575 - int bc_moved;
    3576 /*
    3577 - * We try to cancel the timer first. If the callback is on
    3578 - * flight on some other cpu then we let it handle it. If we
    3579 - * were able to cancel the timer nothing can rearm it as we
    3580 - * own broadcast_lock.
    3581 + * This is called either from enter/exit idle code or from the
    3582 + * broadcast handler. In all cases tick_broadcast_lock is held.
    3583 *
    3584 - * However we can also be called from the event handler of
    3585 - * ce_broadcast_hrtimer itself when it expires. We cannot
    3586 - * restart the timer because we are in the callback, but we
    3587 - * can set the expiry time and let the callback return
    3588 - * HRTIMER_RESTART.
    3589 + * hrtimer_cancel() cannot be called here neither from the
    3590 + * broadcast handler nor from the enter/exit idle code. The idle
    3591 + * code can run into the problem described in bc_shutdown() and the
    3592 + * broadcast handler cannot wait for itself to complete for obvious
    3593 + * reasons.
    3594 *
    3595 - * Since we are in the idle loop at this point and because
    3596 - * hrtimer_{start/cancel} functions call into tracing,
    3597 - * calls to these functions must be bound within RCU_NONIDLE.
    3598 + * Each caller tries to arm the hrtimer on its own CPU, but if the
    3599 + * hrtimer callbback function is currently running, then
    3600 + * hrtimer_start() cannot move it and the timer stays on the CPU on
    3601 + * which it is assigned at the moment.
    3602 + *
    3603 + * As this can be called from idle code, the hrtimer_start()
    3604 + * invocation has to be wrapped with RCU_NONIDLE() as
    3605 + * hrtimer_start() can call into tracing.
    3606 */
    3607 - RCU_NONIDLE({
    3608 - bc_moved = hrtimer_try_to_cancel(&bctimer) >= 0;
    3609 - if (bc_moved)
    3610 - hrtimer_start(&bctimer, expires,
    3611 - HRTIMER_MODE_ABS_PINNED);});
    3612 - if (bc_moved) {
    3613 - /* Bind the "device" to the cpu */
    3614 - bc->bound_on = smp_processor_id();
    3615 - } else if (bc->bound_on == smp_processor_id()) {
    3616 - hrtimer_set_expires(&bctimer, expires);
    3617 - }
    3618 + RCU_NONIDLE( {
    3619 + hrtimer_start(&bctimer, expires, HRTIMER_MODE_ABS_PINNED);
    3620 + /*
    3621 + * The core tick broadcast mode expects bc->bound_on to be set
    3622 + * correctly to prevent a CPU which has the broadcast hrtimer
    3623 + * armed from going deep idle.
    3624 + *
    3625 + * As tick_broadcast_lock is held, nothing can change the cpu
    3626 + * base which was just established in hrtimer_start() above. So
    3627 + * the below access is safe even without holding the hrtimer
    3628 + * base lock.
    3629 + */
    3630 + bc->bound_on = bctimer.base->cpu_base->cpu;
    3631 + } );
    3632 return 0;
    3633 }
    3634
    3635 @@ -97,10 +102,6 @@ static enum hrtimer_restart bc_handler(struct hrtimer *t)
    3636 {
    3637 ce_broadcast_hrtimer.event_handler(&ce_broadcast_hrtimer);
    3638
    3639 - if (clockevent_state_oneshot(&ce_broadcast_hrtimer))
    3640 - if (ce_broadcast_hrtimer.next_event != KTIME_MAX)
    3641 - return HRTIMER_RESTART;
    3642 -
    3643 return HRTIMER_NORESTART;
    3644 }
    3645
    3646 diff --git a/kernel/time/timer.c b/kernel/time/timer.c
    3647 index fa49cd753dea..ae64cb819a9a 100644
    3648 --- a/kernel/time/timer.c
    3649 +++ b/kernel/time/timer.c
    3650 @@ -1590,24 +1590,26 @@ void timer_clear_idle(void)
    3651 static int collect_expired_timers(struct timer_base *base,
    3652 struct hlist_head *heads)
    3653 {
    3654 + unsigned long now = READ_ONCE(jiffies);
    3655 +
    3656 /*
    3657 * NOHZ optimization. After a long idle sleep we need to forward the
    3658 * base to current jiffies. Avoid a loop by searching the bitfield for
    3659 * the next expiring timer.
    3660 */
    3661 - if ((long)(jiffies - base->clk) > 2) {
    3662 + if ((long)(now - base->clk) > 2) {
    3663 unsigned long next = __next_timer_interrupt(base);
    3664
    3665 /*
    3666 * If the next timer is ahead of time forward to current
    3667 * jiffies, otherwise forward to the next expiry time:
    3668 */
    3669 - if (time_after(next, jiffies)) {
    3670 + if (time_after(next, now)) {
    3671 /*
    3672 * The call site will increment base->clk and then
    3673 * terminate the expiry loop immediately.
    3674 */
    3675 - base->clk = jiffies;
    3676 + base->clk = now;
    3677 return 0;
    3678 }
    3679 base->clk = next;
    3680 diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
    3681 index 3f34cfb66a85..bdf104596d12 100644
    3682 --- a/kernel/trace/trace_events_hist.c
    3683 +++ b/kernel/trace/trace_events_hist.c
    3684 @@ -2526,6 +2526,8 @@ static struct hist_field *create_alias(struct hist_trigger_data *hist_data,
    3685 return NULL;
    3686 }
    3687
    3688 + alias->var_ref_idx = var_ref->var_ref_idx;
    3689 +
    3690 return alias;
    3691 }
    3692
    3693 diff --git a/mm/usercopy.c b/mm/usercopy.c
    3694 index 51411f9c4068..e81d11715d95 100644
    3695 --- a/mm/usercopy.c
    3696 +++ b/mm/usercopy.c
    3697 @@ -15,6 +15,7 @@
    3698 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
    3699
    3700 #include <linux/mm.h>
    3701 +#include <linux/highmem.h>
    3702 #include <linux/slab.h>
    3703 #include <linux/sched.h>
    3704 #include <linux/sched/task.h>
    3705 @@ -231,7 +232,12 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
    3706 if (!virt_addr_valid(ptr))
    3707 return;
    3708
    3709 - page = virt_to_head_page(ptr);
    3710 + /*
    3711 + * When CONFIG_HIGHMEM=y, kmap_to_page() will give either the
    3712 + * highmem page or fallback to virt_to_page(). The following
    3713 + * is effectively a highmem-aware virt_to_head_page().
    3714 + */
    3715 + page = compound_head(kmap_to_page((void *)ptr));
    3716
    3717 if (PageSlab(page)) {
    3718 /* Check slab allocator for flags and size. */
    3719 diff --git a/net/9p/client.c b/net/9p/client.c
    3720 index b615aae5a0f8..d62f83f93d7b 100644
    3721 --- a/net/9p/client.c
    3722 +++ b/net/9p/client.c
    3723 @@ -296,6 +296,7 @@ p9_tag_alloc(struct p9_client *c, int8_t type, unsigned int max_size)
    3724
    3725 p9pdu_reset(&req->tc);
    3726 p9pdu_reset(&req->rc);
    3727 + req->t_err = 0;
    3728 req->status = REQ_STATUS_ALLOC;
    3729 init_waitqueue_head(&req->wq);
    3730 INIT_LIST_HEAD(&req->req_list);
    3731 diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
    3732 index 2145581d7b3d..24fddf032279 100644
    3733 --- a/net/netfilter/nf_tables_api.c
    3734 +++ b/net/netfilter/nf_tables_api.c
    3735 @@ -3429,8 +3429,11 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
    3736 NFT_SET_OBJECT))
    3737 return -EINVAL;
    3738 /* Only one of these operations is supported */
    3739 - if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
    3740 - (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
    3741 + if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
    3742 + (NFT_SET_MAP | NFT_SET_OBJECT))
    3743 + return -EOPNOTSUPP;
    3744 + if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
    3745 + (NFT_SET_EVAL | NFT_SET_OBJECT))
    3746 return -EOPNOTSUPP;
    3747 }
    3748
    3749 diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
    3750 index 161c3451a747..55754d9939b5 100644
    3751 --- a/net/netfilter/nft_lookup.c
    3752 +++ b/net/netfilter/nft_lookup.c
    3753 @@ -76,9 +76,6 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
    3754 if (IS_ERR(set))
    3755 return PTR_ERR(set);
    3756
    3757 - if (set->flags & NFT_SET_EVAL)
    3758 - return -EOPNOTSUPP;
    3759 -
    3760 priv->sreg = nft_parse_register(tb[NFTA_LOOKUP_SREG]);
    3761 err = nft_validate_register_load(priv->sreg, set->klen);
    3762 if (err < 0)
    3763 diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
    3764 index 6168db3c35e4..334e3181f1c5 100644
    3765 --- a/net/wireless/nl80211.c
    3766 +++ b/net/wireless/nl80211.c
    3767 @@ -200,6 +200,38 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
    3768 return __cfg80211_rdev_from_attrs(netns, info->attrs);
    3769 }
    3770
    3771 +static int validate_beacon_head(const struct nlattr *attr,
    3772 + struct netlink_ext_ack *extack)
    3773 +{
    3774 + const u8 *data = nla_data(attr);
    3775 + unsigned int len = nla_len(attr);
    3776 + const struct element *elem;
    3777 + const struct ieee80211_mgmt *mgmt = (void *)data;
    3778 + unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
    3779 + u.beacon.variable);
    3780 +
    3781 + if (len < fixedlen)
    3782 + goto err;
    3783 +
    3784 + if (ieee80211_hdrlen(mgmt->frame_control) !=
    3785 + offsetof(struct ieee80211_mgmt, u.beacon))
    3786 + goto err;
    3787 +
    3788 + data += fixedlen;
    3789 + len -= fixedlen;
    3790 +
    3791 + for_each_element(elem, data, len) {
    3792 + /* nothing */
    3793 + }
    3794 +
    3795 + if (for_each_element_completed(elem, data, len))
    3796 + return 0;
    3797 +
    3798 +err:
    3799 + NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
    3800 + return -EINVAL;
    3801 +}
    3802 +
    3803 /* policy for the attributes */
    3804 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
    3805 [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
    3806 @@ -2299,6 +2331,8 @@ static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
    3807
    3808 control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
    3809
    3810 + memset(chandef, 0, sizeof(*chandef));
    3811 +
    3812 chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
    3813 chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
    3814 chandef->center_freq1 = control_freq;
    3815 @@ -2819,7 +2853,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
    3816
    3817 if (rdev->ops->get_channel) {
    3818 int ret;
    3819 - struct cfg80211_chan_def chandef;
    3820 + struct cfg80211_chan_def chandef = {};
    3821
    3822 ret = rdev_get_channel(rdev, wdev, &chandef);
    3823 if (ret == 0) {
    3824 @@ -4014,6 +4048,12 @@ static int nl80211_parse_beacon(struct nlattr *attrs[],
    3825 memset(bcn, 0, sizeof(*bcn));
    3826
    3827 if (attrs[NL80211_ATTR_BEACON_HEAD]) {
    3828 + int ret = validate_beacon_head(attrs[NL80211_ATTR_BEACON_HEAD],
    3829 + NULL);
    3830 +
    3831 + if (ret)
    3832 + return ret;
    3833 +
    3834 bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
    3835 bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
    3836 if (!bcn->head_len)
    3837 diff --git a/net/wireless/reg.c b/net/wireless/reg.c
    3838 index d8ebf4f0ef6e..cccbf845079c 100644
    3839 --- a/net/wireless/reg.c
    3840 +++ b/net/wireless/reg.c
    3841 @@ -2095,7 +2095,7 @@ static void reg_call_notifier(struct wiphy *wiphy,
    3842
    3843 static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
    3844 {
    3845 - struct cfg80211_chan_def chandef;
    3846 + struct cfg80211_chan_def chandef = {};
    3847 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
    3848 enum nl80211_iftype iftype;
    3849
    3850 diff --git a/net/wireless/scan.c b/net/wireless/scan.c
    3851 index d0e7472dd9fd..e5d61ba837ad 100644
    3852 --- a/net/wireless/scan.c
    3853 +++ b/net/wireless/scan.c
    3854 @@ -484,6 +484,8 @@ const u8 *cfg80211_find_ie_match(u8 eid, const u8 *ies, int len,
    3855 const u8 *match, int match_len,
    3856 int match_offset)
    3857 {
    3858 + const struct element *elem;
    3859 +
    3860 /* match_offset can't be smaller than 2, unless match_len is
    3861 * zero, in which case match_offset must be zero as well.
    3862 */
    3863 @@ -491,14 +493,10 @@ const u8 *cfg80211_find_ie_match(u8 eid, const u8 *ies, int len,
    3864 (!match_len && match_offset)))
    3865 return NULL;
    3866
    3867 - while (len >= 2 && len >= ies[1] + 2) {
    3868 - if ((ies[0] == eid) &&
    3869 - (ies[1] + 2 >= match_offset + match_len) &&
    3870 - !memcmp(ies + match_offset, match, match_len))
    3871 - return ies;
    3872 -
    3873 - len -= ies[1] + 2;
    3874 - ies += ies[1] + 2;
    3875 + for_each_element_id(elem, eid, ies, len) {
    3876 + if (elem->datalen >= match_offset - 2 + match_len &&
    3877 + !memcmp(elem->data + match_offset - 2, match, match_len))
    3878 + return (void *)elem;
    3879 }
    3880
    3881 return NULL;
    3882 diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
    3883 index 06943d9c9835..4f0cfb8cc682 100644
    3884 --- a/net/wireless/wext-compat.c
    3885 +++ b/net/wireless/wext-compat.c
    3886 @@ -800,7 +800,7 @@ static int cfg80211_wext_giwfreq(struct net_device *dev,
    3887 {
    3888 struct wireless_dev *wdev = dev->ieee80211_ptr;
    3889 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
    3890 - struct cfg80211_chan_def chandef;
    3891 + struct cfg80211_chan_def chandef = {};
    3892 int ret;
    3893
    3894 switch (wdev->iftype) {
    3895 diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
    3896 index d9e7728027c6..f63b4bd45d60 100644
    3897 --- a/security/integrity/ima/ima_crypto.c
    3898 +++ b/security/integrity/ima/ima_crypto.c
    3899 @@ -271,8 +271,16 @@ static int ima_calc_file_hash_atfm(struct file *file,
    3900 rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);
    3901 rc = integrity_kernel_read(file, offset, rbuf[active],
    3902 rbuf_len);
    3903 - if (rc != rbuf_len)
    3904 + if (rc != rbuf_len) {
    3905 + if (rc >= 0)
    3906 + rc = -EINVAL;
    3907 + /*
    3908 + * Forward current rc, do not overwrite with return value
    3909 + * from ahash_wait()
    3910 + */
    3911 + ahash_wait(ahash_rc, &wait);
    3912 goto out3;
    3913 + }
    3914
    3915 if (rbuf[1] && offset) {
    3916 /* Using two buffers, and it is not the first
    3917 diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
    3918 index 18cddf1729a6..64a52d495b1f 100644
    3919 --- a/sound/soc/codecs/sgtl5000.c
    3920 +++ b/sound/soc/codecs/sgtl5000.c
    3921 @@ -31,6 +31,13 @@
    3922 #define SGTL5000_DAP_REG_OFFSET 0x0100
    3923 #define SGTL5000_MAX_REG_OFFSET 0x013A
    3924
    3925 +/* Delay for the VAG ramp up */
    3926 +#define SGTL5000_VAG_POWERUP_DELAY 500 /* ms */
    3927 +/* Delay for the VAG ramp down */
    3928 +#define SGTL5000_VAG_POWERDOWN_DELAY 500 /* ms */
    3929 +
    3930 +#define SGTL5000_OUTPUTS_MUTE (SGTL5000_HP_MUTE | SGTL5000_LINE_OUT_MUTE)
    3931 +
    3932 /* default value of sgtl5000 registers */
    3933 static const struct reg_default sgtl5000_reg_defaults[] = {
    3934 { SGTL5000_CHIP_DIG_POWER, 0x0000 },
    3935 @@ -116,6 +123,13 @@ enum {
    3936 I2S_LRCLK_STRENGTH_HIGH,
    3937 };
    3938
    3939 +enum {
    3940 + HP_POWER_EVENT,
    3941 + DAC_POWER_EVENT,
    3942 + ADC_POWER_EVENT,
    3943 + LAST_POWER_EVENT = ADC_POWER_EVENT
    3944 +};
    3945 +
    3946 /* sgtl5000 private structure in codec */
    3947 struct sgtl5000_priv {
    3948 int sysclk; /* sysclk rate */
    3949 @@ -129,8 +143,109 @@ struct sgtl5000_priv {
    3950 u8 micbias_resistor;
    3951 u8 micbias_voltage;
    3952 u8 lrclk_strength;
    3953 + u16 mute_state[LAST_POWER_EVENT + 1];
    3954 };
    3955
    3956 +static inline int hp_sel_input(struct snd_soc_component *component)
    3957 +{
    3958 + return (snd_soc_component_read32(component, SGTL5000_CHIP_ANA_CTRL) &
    3959 + SGTL5000_HP_SEL_MASK) >> SGTL5000_HP_SEL_SHIFT;
    3960 +}
    3961 +
    3962 +static inline u16 mute_output(struct snd_soc_component *component,
    3963 + u16 mute_mask)
    3964 +{
    3965 + u16 mute_reg = snd_soc_component_read32(component,
    3966 + SGTL5000_CHIP_ANA_CTRL);
    3967 +
    3968 + snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_CTRL,
    3969 + mute_mask, mute_mask);
    3970 + return mute_reg;
    3971 +}
    3972 +
    3973 +static inline void restore_output(struct snd_soc_component *component,
    3974 + u16 mute_mask, u16 mute_reg)
    3975 +{
    3976 + snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_CTRL,
    3977 + mute_mask, mute_reg);
    3978 +}
    3979 +
    3980 +static void vag_power_on(struct snd_soc_component *component, u32 source)
    3981 +{
    3982 + if (snd_soc_component_read32(component, SGTL5000_CHIP_ANA_POWER) &
    3983 + SGTL5000_VAG_POWERUP)
    3984 + return;
    3985 +
    3986 + snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_POWER,
    3987 + SGTL5000_VAG_POWERUP, SGTL5000_VAG_POWERUP);
    3988 +
    3989 + /* When VAG powering on to get local loop from Line-In, the sleep
    3990 + * is required to avoid loud pop.
    3991 + */
    3992 + if (hp_sel_input(component) == SGTL5000_HP_SEL_LINE_IN &&
    3993 + source == HP_POWER_EVENT)
    3994 + msleep(SGTL5000_VAG_POWERUP_DELAY);
    3995 +}
    3996 +
    3997 +static int vag_power_consumers(struct snd_soc_component *component,
    3998 + u16 ana_pwr_reg, u32 source)
    3999 +{
    4000 + int consumers = 0;
    4001 +
    4002 + /* count dac/adc consumers unconditional */
    4003 + if (ana_pwr_reg & SGTL5000_DAC_POWERUP)
    4004 + consumers++;
    4005 + if (ana_pwr_reg & SGTL5000_ADC_POWERUP)
    4006 + consumers++;
    4007 +
    4008 + /*
    4009 + * If the event comes from HP and Line-In is selected,
    4010 + * current action is 'DAC to be powered down'.
    4011 + * As HP_POWERUP is not set when HP muxed to line-in,
    4012 + * we need to keep VAG power ON.
    4013 + */
    4014 + if (source == HP_POWER_EVENT) {
    4015 + if (hp_sel_input(component) == SGTL5000_HP_SEL_LINE_IN)
    4016 + consumers++;
    4017 + } else {
    4018 + if (ana_pwr_reg & SGTL5000_HP_POWERUP)
    4019 + consumers++;
    4020 + }
    4021 +
    4022 + return consumers;
    4023 +}
    4024 +
    4025 +static void vag_power_off(struct snd_soc_component *component, u32 source)
    4026 +{
    4027 + u16 ana_pwr = snd_soc_component_read32(component,
    4028 + SGTL5000_CHIP_ANA_POWER);
    4029 +
    4030 + if (!(ana_pwr & SGTL5000_VAG_POWERUP))
    4031 + return;
    4032 +
    4033 + /*
    4034 + * This function calls when any of VAG power consumers is disappearing.
    4035 + * Thus, if there is more than one consumer at the moment, as minimum
    4036 + * one consumer will definitely stay after the end of the current
    4037 + * event.
    4038 + * Don't clear VAG_POWERUP if 2 or more consumers of VAG present:
    4039 + * - LINE_IN (for HP events) / HP (for DAC/ADC events)
    4040 + * - DAC
    4041 + * - ADC
    4042 + * (the current consumer is disappearing right now)
    4043 + */
    4044 + if (vag_power_consumers(component, ana_pwr, source) >= 2)
    4045 + return;
    4046 +
    4047 + snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_POWER,
    4048 + SGTL5000_VAG_POWERUP, 0);
    4049 + /* In power down case, we need wait 400-1000 ms
    4050 + * when VAG fully ramped down.
    4051 + * As longer we wait, as smaller pop we've got.
    4052 + */
    4053 + msleep(SGTL5000_VAG_POWERDOWN_DELAY);
    4054 +}
    4055 +
    4056 /*
    4057 * mic_bias power on/off share the same register bits with
    4058 * output impedance of mic bias, when power on mic bias, we
    4059 @@ -162,36 +277,46 @@ static int mic_bias_event(struct snd_soc_dapm_widget *w,
    4060 return 0;
    4061 }
    4062
    4063 -/*
    4064 - * As manual described, ADC/DAC only works when VAG powerup,
    4065 - * So enabled VAG before ADC/DAC up.
    4066 - * In power down case, we need wait 400ms when vag fully ramped down.
    4067 - */
    4068 -static int power_vag_event(struct snd_soc_dapm_widget *w,
    4069 - struct snd_kcontrol *kcontrol, int event)
    4070 +static int vag_and_mute_control(struct snd_soc_component *component,
    4071 + int event, int event_source)
    4072 {
    4073 - struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
    4074 - const u32 mask = SGTL5000_DAC_POWERUP | SGTL5000_ADC_POWERUP;
    4075 + static const u16 mute_mask[] = {
    4076 + /*
    4077 + * Mask for HP_POWER_EVENT.
    4078 + * Muxing Headphones have to be wrapped with mute/unmute
    4079 + * headphones only.
    4080 + */
    4081 + SGTL5000_HP_MUTE,
    4082 + /*
    4083 + * Masks for DAC_POWER_EVENT/ADC_POWER_EVENT.
    4084 + * Muxing DAC or ADC block have to wrapped with mute/unmute
    4085 + * both headphones and line-out.
    4086 + */
    4087 + SGTL5000_OUTPUTS_MUTE,
    4088 + SGTL5000_OUTPUTS_MUTE
    4089 + };
    4090 +
    4091 + struct sgtl5000_priv *sgtl5000 =
    4092 + snd_soc_component_get_drvdata(component);
    4093
    4094 switch (event) {
    4095 + case SND_SOC_DAPM_PRE_PMU:
    4096 + sgtl5000->mute_state[event_source] =
    4097 + mute_output(component, mute_mask[event_source]);
    4098 + break;
    4099 case SND_SOC_DAPM_POST_PMU:
    4100 - snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_POWER,
    4101 - SGTL5000_VAG_POWERUP, SGTL5000_VAG_POWERUP);
    4102 - msleep(400);
    4103 + vag_power_on(component, event_source);
    4104 + restore_output(component, mute_mask[event_source],
    4105 + sgtl5000->mute_state[event_source]);
    4106 break;
    4107 -
    4108 case SND_SOC_DAPM_PRE_PMD:
    4109 - /*
    4110 - * Don't clear VAG_POWERUP, when both DAC and ADC are
    4111 - * operational to prevent inadvertently starving the
    4112 - * other one of them.
    4113 - */
    4114 - if ((snd_soc_component_read32(component, SGTL5000_CHIP_ANA_POWER) &
    4115 - mask) != mask) {
    4116 - snd_soc_component_update_bits(component, SGTL5000_CHIP_ANA_POWER,
    4117 - SGTL5000_VAG_POWERUP, 0);
    4118 - msleep(400);
    4119 - }
    4120 + sgtl5000->mute_state[event_source] =
    4121 + mute_output(component, mute_mask[event_source]);
    4122 + vag_power_off(component, event_source);
    4123 + break;
    4124 + case SND_SOC_DAPM_POST_PMD:
    4125 + restore_output(component, mute_mask[event_source],
    4126 + sgtl5000->mute_state[event_source]);
    4127 break;
    4128 default:
    4129 break;
    4130 @@ -200,6 +325,41 @@ static int power_vag_event(struct snd_soc_dapm_widget *w,
    4131 return 0;
    4132 }
    4133
    4134 +/*
    4135 + * Mute Headphone when power it up/down.
    4136 + * Control VAG power on HP power path.
    4137 + */
    4138 +static int headphone_pga_event(struct snd_soc_dapm_widget *w,
    4139 + struct snd_kcontrol *kcontrol, int event)
    4140 +{
    4141 + struct snd_soc_component *component =
    4142 + snd_soc_dapm_to_component(w->dapm);
    4143 +
    4144 + return vag_and_mute_control(component, event, HP_POWER_EVENT);
    4145 +}
    4146 +
    4147 +/* As manual describes, ADC/DAC powering up/down requires
    4148 + * to mute outputs to avoid pops.
    4149 + * Control VAG power on ADC/DAC power path.
    4150 + */
    4151 +static int adc_updown_depop(struct snd_soc_dapm_widget *w,
    4152 + struct snd_kcontrol *kcontrol, int event)
    4153 +{
    4154 + struct snd_soc_component *component =
    4155 + snd_soc_dapm_to_component(w->dapm);
    4156 +
    4157 + return vag_and_mute_control(component, event, ADC_POWER_EVENT);
    4158 +}
    4159 +
    4160 +static int dac_updown_depop(struct snd_soc_dapm_widget *w,
    4161 + struct snd_kcontrol *kcontrol, int event)
    4162 +{
    4163 + struct snd_soc_component *component =
    4164 + snd_soc_dapm_to_component(w->dapm);
    4165 +
    4166 + return vag_and_mute_control(component, event, DAC_POWER_EVENT);
    4167 +}
    4168 +
    4169 /* input sources for ADC */
    4170 static const char *adc_mux_text[] = {
    4171 "MIC_IN", "LINE_IN"
    4172 @@ -272,7 +432,10 @@ static const struct snd_soc_dapm_widget sgtl5000_dapm_widgets[] = {
    4173 mic_bias_event,
    4174 SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
    4175
    4176 - SND_SOC_DAPM_PGA("HP", SGTL5000_CHIP_ANA_POWER, 4, 0, NULL, 0),
    4177 + SND_SOC_DAPM_PGA_E("HP", SGTL5000_CHIP_ANA_POWER, 4, 0, NULL, 0,
    4178 + headphone_pga_event,
    4179 + SND_SOC_DAPM_PRE_POST_PMU |
    4180 + SND_SOC_DAPM_PRE_POST_PMD),
    4181 SND_SOC_DAPM_PGA("LO", SGTL5000_CHIP_ANA_POWER, 0, 0, NULL, 0),
    4182
    4183 SND_SOC_DAPM_MUX("Capture Mux", SND_SOC_NOPM, 0, 0, &adc_mux),
    4184 @@ -293,11 +456,12 @@ static const struct snd_soc_dapm_widget sgtl5000_dapm_widgets[] = {
    4185 0, SGTL5000_CHIP_DIG_POWER,
    4186 1, 0),
    4187
    4188 - SND_SOC_DAPM_ADC("ADC", "Capture", SGTL5000_CHIP_ANA_POWER, 1, 0),
    4189 - SND_SOC_DAPM_DAC("DAC", "Playback", SGTL5000_CHIP_ANA_POWER, 3, 0),
    4190 -
    4191 - SND_SOC_DAPM_PRE("VAG_POWER_PRE", power_vag_event),
    4192 - SND_SOC_DAPM_POST("VAG_POWER_POST", power_vag_event),
    4193 + SND_SOC_DAPM_ADC_E("ADC", "Capture", SGTL5000_CHIP_ANA_POWER, 1, 0,
    4194 + adc_updown_depop, SND_SOC_DAPM_PRE_POST_PMU |
    4195 + SND_SOC_DAPM_PRE_POST_PMD),
    4196 + SND_SOC_DAPM_DAC_E("DAC", "Playback", SGTL5000_CHIP_ANA_POWER, 3, 0,
    4197 + dac_updown_depop, SND_SOC_DAPM_PRE_POST_PMU |
    4198 + SND_SOC_DAPM_PRE_POST_PMD),
    4199 };
    4200
    4201 /* routes for sgtl5000 */
    4202 diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile
    4203 index 95a43ccb6dd0..bca0c9e5452c 100644
    4204 --- a/tools/lib/traceevent/Makefile
    4205 +++ b/tools/lib/traceevent/Makefile
    4206 @@ -259,8 +259,8 @@ endef
    4207
    4208 define do_generate_dynamic_list_file
    4209 symbol_type=`$(NM) -u -D $1 | awk 'NF>1 {print $$1}' | \
    4210 - xargs echo "U W w" | tr ' ' '\n' | sort -u | xargs echo`;\
    4211 - if [ "$$symbol_type" = "U W w" ];then \
    4212 + xargs echo "U w W" | tr 'w ' 'W\n' | sort -u | xargs echo`;\
    4213 + if [ "$$symbol_type" = "U W" ];then \
    4214 (echo '{'; \
    4215 $(NM) -u -D $1 | awk 'NF>1 {print "\t"$$2";"}' | sort -u;\
    4216 echo '};'; \
    4217 diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
    4218 index 6ccfd13d5cf9..382e476629fb 100644
    4219 --- a/tools/lib/traceevent/event-parse.c
    4220 +++ b/tools/lib/traceevent/event-parse.c
    4221 @@ -254,10 +254,10 @@ static int add_new_comm(struct tep_handle *pevent, const char *comm, int pid)
    4222 errno = ENOMEM;
    4223 return -1;
    4224 }
    4225 + pevent->cmdlines = cmdlines;
    4226
    4227 cmdlines[pevent->cmdline_count].comm = strdup(comm);
    4228 if (!cmdlines[pevent->cmdline_count].comm) {
    4229 - free(cmdlines);
    4230 errno = ENOMEM;
    4231 return -1;
    4232 }
    4233 @@ -268,7 +268,6 @@ static int add_new_comm(struct tep_handle *pevent, const char *comm, int pid)
    4234 pevent->cmdline_count++;
    4235
    4236 qsort(cmdlines, pevent->cmdline_count, sizeof(*cmdlines), cmdline_cmp);
    4237 - pevent->cmdlines = cmdlines;
    4238
    4239 return 0;
    4240 }
    4241 diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
    4242 index 849b3be15bd8..510caedd7319 100644
    4243 --- a/tools/perf/Makefile.config
    4244 +++ b/tools/perf/Makefile.config
    4245 @@ -837,7 +837,7 @@ ifndef NO_JVMTI
    4246 JDIR=$(shell /usr/sbin/update-java-alternatives -l | head -1 | awk '{print $$3}')
    4247 else
    4248 ifneq (,$(wildcard /usr/sbin/alternatives))
    4249 - JDIR=$(shell /usr/sbin/alternatives --display java | tail -1 | cut -d' ' -f 5 | sed 's%/jre/bin/java.%%g')
    4250 + JDIR=$(shell /usr/sbin/alternatives --display java | tail -1 | cut -d' ' -f 5 | sed -e 's%/jre/bin/java.%%g' -e 's%/bin/java.%%g')
    4251 endif
    4252 endif
    4253 ifndef JDIR
    4254 diff --git a/tools/perf/arch/x86/util/unwind-libunwind.c b/tools/perf/arch/x86/util/unwind-libunwind.c
    4255 index 05920e3edf7a..47357973b55b 100644
    4256 --- a/tools/perf/arch/x86/util/unwind-libunwind.c
    4257 +++ b/tools/perf/arch/x86/util/unwind-libunwind.c
    4258 @@ -1,11 +1,11 @@
    4259 // SPDX-License-Identifier: GPL-2.0
    4260
    4261 #include <errno.h>
    4262 +#include "../../util/debug.h"
    4263 #ifndef REMOTE_UNWIND_LIBUNWIND
    4264 #include <libunwind.h>
    4265 #include "perf_regs.h"
    4266 #include "../../util/unwind.h"
    4267 -#include "../../util/debug.h"
    4268 #endif
    4269
    4270 #ifdef HAVE_ARCH_X86_64_SUPPORT
    4271 diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
    4272 index 789962565c9c..6aae10ff954c 100644
    4273 --- a/tools/perf/builtin-stat.c
    4274 +++ b/tools/perf/builtin-stat.c
    4275 @@ -3090,8 +3090,11 @@ int cmd_stat(int argc, const char **argv)
    4276 fprintf(output, "[ perf stat: executing run #%d ... ]\n",
    4277 run_idx + 1);
    4278
    4279 + if (run_idx != 0)
    4280 + perf_evlist__reset_prev_raw_counts(evsel_list);
    4281 +
    4282 status = run_perf_stat(argc, argv, run_idx);
    4283 - if (forever && status != -1) {
    4284 + if (forever && status != -1 && !interval) {
    4285 print_counters(NULL, argc, argv);
    4286 perf_stat__reset_stats();
    4287 }
    4288 diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
    4289 index 0c70788593c8..3c0d74fc1ff2 100644
    4290 --- a/tools/perf/util/header.c
    4291 +++ b/tools/perf/util/header.c
    4292 @@ -1114,7 +1114,7 @@ static int cpu_cache_level__read(struct cpu_cache_level *cache, u32 cpu, u16 lev
    4293
    4294 scnprintf(file, PATH_MAX, "%s/shared_cpu_list", path);
    4295 if (sysfs__read_str(file, &cache->map, &len)) {
    4296 - free(cache->map);
    4297 + free(cache->size);
    4298 free(cache->type);
    4299 return -1;
    4300 }
    4301 diff --git a/tools/perf/util/stat.c b/tools/perf/util/stat.c
    4302 index a0061e0b0fad..6917ba8a0024 100644
    4303 --- a/tools/perf/util/stat.c
    4304 +++ b/tools/perf/util/stat.c
    4305 @@ -154,6 +154,15 @@ static void perf_evsel__free_prev_raw_counts(struct perf_evsel *evsel)
    4306 evsel->prev_raw_counts = NULL;
    4307 }
    4308
    4309 +static void perf_evsel__reset_prev_raw_counts(struct perf_evsel *evsel)
    4310 +{
    4311 + if (evsel->prev_raw_counts) {
    4312 + evsel->prev_raw_counts->aggr.val = 0;
    4313 + evsel->prev_raw_counts->aggr.ena = 0;
    4314 + evsel->prev_raw_counts->aggr.run = 0;
    4315 + }
    4316 +}
    4317 +
    4318 static int perf_evsel__alloc_stats(struct perf_evsel *evsel, bool alloc_raw)
    4319 {
    4320 int ncpus = perf_evsel__nr_cpus(evsel);
    4321 @@ -204,6 +213,14 @@ void perf_evlist__reset_stats(struct perf_evlist *evlist)
    4322 }
    4323 }
    4324
    4325 +void perf_evlist__reset_prev_raw_counts(struct perf_evlist *evlist)
    4326 +{
    4327 + struct perf_evsel *evsel;
    4328 +
    4329 + evlist__for_each_entry(evlist, evsel)
    4330 + perf_evsel__reset_prev_raw_counts(evsel);
    4331 +}
    4332 +
    4333 static void zero_per_pkg(struct perf_evsel *counter)
    4334 {
    4335 if (counter->per_pkg_mask)
    4336 diff --git a/tools/perf/util/stat.h b/tools/perf/util/stat.h
    4337 index 36efb986f7fc..e19abb1635c4 100644
    4338 --- a/tools/perf/util/stat.h
    4339 +++ b/tools/perf/util/stat.h
    4340 @@ -158,6 +158,7 @@ void perf_stat__collect_metric_expr(struct perf_evlist *);
    4341 int perf_evlist__alloc_stats(struct perf_evlist *evlist, bool alloc_raw);
    4342 void perf_evlist__free_stats(struct perf_evlist *evlist);
    4343 void perf_evlist__reset_stats(struct perf_evlist *evlist);
    4344 +void perf_evlist__reset_prev_raw_counts(struct perf_evlist *evlist);
    4345
    4346 int perf_stat_process_counter(struct perf_stat_config *config,
    4347 struct perf_evsel *counter);
    4348 diff --git a/tools/testing/nvdimm/test/nfit_test.h b/tools/testing/nvdimm/test/nfit_test.h
    4349 index 33752e06ff8d..3de57cc8716b 100644
    4350 --- a/tools/testing/nvdimm/test/nfit_test.h
    4351 +++ b/tools/testing/nvdimm/test/nfit_test.h
    4352 @@ -12,6 +12,7 @@
    4353 */
    4354 #ifndef __NFIT_TEST_H__
    4355 #define __NFIT_TEST_H__
    4356 +#include <linux/acpi.h>
    4357 #include <linux/list.h>
    4358 #include <linux/uuid.h>
    4359 #include <linux/ioport.h>
    4360 @@ -234,9 +235,6 @@ struct nd_intel_lss {
    4361 __u32 status;
    4362 } __packed;
    4363
    4364 -union acpi_object;
    4365 -typedef void *acpi_handle;
    4366 -
    4367 typedef struct nfit_test_resource *(*nfit_test_lookup_fn)(resource_size_t);
    4368 typedef union acpi_object *(*nfit_test_evaluate_dsm_fn)(acpi_handle handle,
    4369 const guid_t *guid, u64 rev, u64 func,