Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-4.9/0258-4.9.159-all-fixes.patch

    Contents of /trunk/kernel-alx/patches-4.9/0258-4.9.159-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3311 - (show annotations) (download)
    Tue Mar 12 10:43:16 2019 UTC (5 years, 2 months ago) by niro
    File size: 80793 byte(s) 
    -linux-4.9.159
    1 diff --git a/Documentation/devicetree/bindings/eeprom/eeprom.txt b/Documentation/devicetree/bindings/eeprom/eeprom.txt
    2 index 735bc94444bb..4dcce8ee5cee 100644
    3 --- a/Documentation/devicetree/bindings/eeprom/eeprom.txt
    4 +++ b/Documentation/devicetree/bindings/eeprom/eeprom.txt
    5 @@ -6,7 +6,8 @@ Required properties:
    6
    7 "atmel,24c00", "atmel,24c01", "atmel,24c02", "atmel,24c04",
    8 "atmel,24c08", "atmel,24c16", "atmel,24c32", "atmel,24c64",
    9 - "atmel,24c128", "atmel,24c256", "atmel,24c512", "atmel,24c1024"
    10 + "atmel,24c128", "atmel,24c256", "atmel,24c512", "atmel,24c1024",
    11 + "atmel,24c2048"
    12
    13 "catalyst,24c32"
    14
    15 @@ -17,7 +18,7 @@ Required properties:
    16 If there is no specific driver for <manufacturer>, a generic
    17 driver based on <type> is selected. Possible types are:
    18 "24c00", "24c01", "24c02", "24c04", "24c08", "24c16", "24c32", "24c64",
    19 - "24c128", "24c256", "24c512", "24c1024", "spd"
    20 + "24c128", "24c256", "24c512", "24c1024", "24c2048", "spd"
    21
    22 - reg : the I2C address of the EEPROM
    23
    24 diff --git a/Makefile b/Makefile
    25 index 2b8434aaeece..a452ead13b1e 100644
    26 --- a/Makefile
    27 +++ b/Makefile
    28 @@ -1,6 +1,6 @@
    29 VERSION = 4
    30 PATCHLEVEL = 9
    31 -SUBLEVEL = 158
    32 +SUBLEVEL = 159
    33 EXTRAVERSION =
    34 NAME = Roaring Lionus
    35
    36 diff --git a/arch/alpha/include/asm/irq.h b/arch/alpha/include/asm/irq.h
    37 index 06377400dc09..469642801a68 100644
    38 --- a/arch/alpha/include/asm/irq.h
    39 +++ b/arch/alpha/include/asm/irq.h
    40 @@ -55,15 +55,15 @@
    41
    42 #elif defined(CONFIG_ALPHA_DP264) || \
    43 defined(CONFIG_ALPHA_LYNX) || \
    44 - defined(CONFIG_ALPHA_SHARK) || \
    45 - defined(CONFIG_ALPHA_EIGER)
    46 + defined(CONFIG_ALPHA_SHARK)
    47 # define NR_IRQS 64
    48
    49 #elif defined(CONFIG_ALPHA_TITAN)
    50 #define NR_IRQS 80
    51
    52 #elif defined(CONFIG_ALPHA_RAWHIDE) || \
    53 - defined(CONFIG_ALPHA_TAKARA)
    54 + defined(CONFIG_ALPHA_TAKARA) || \
    55 + defined(CONFIG_ALPHA_EIGER)
    56 # define NR_IRQS 128
    57
    58 #elif defined(CONFIG_ALPHA_WILDFIRE)
    59 diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
    60 index 83e9eee57a55..f70663127aad 100644
    61 --- a/arch/alpha/mm/fault.c
    62 +++ b/arch/alpha/mm/fault.c
    63 @@ -77,7 +77,7 @@ __load_new_mm_context(struct mm_struct *next_mm)
    64 /* Macro for exception fixup code to access integer registers. */
    65 #define dpf_reg(r) \
    66 (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
    67 - (r) <= 18 ? (r)+8 : (r)-10])
    68 + (r) <= 18 ? (r)+10 : (r)-10])
    69
    70 asmlinkage void
    71 do_page_fault(unsigned long address, unsigned long mmcsr,
    72 diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts
    73 index 78492a0bbbab..3c58ec707ea9 100644
    74 --- a/arch/arm/boot/dts/da850-evm.dts
    75 +++ b/arch/arm/boot/dts/da850-evm.dts
    76 @@ -156,7 +156,7 @@
    77
    78 sound {
    79 compatible = "simple-audio-card";
    80 - simple-audio-card,name = "DA850/OMAP-L138 EVM";
    81 + simple-audio-card,name = "DA850-OMAPL138 EVM";
    82 simple-audio-card,widgets =
    83 "Line", "Line In",
    84 "Line", "Line Out";
    85 diff --git a/arch/arm/boot/dts/da850-lcdk.dts b/arch/arm/boot/dts/da850-lcdk.dts
    86 index 7b8ab21fed6c..920e64cdb673 100644
    87 --- a/arch/arm/boot/dts/da850-lcdk.dts
    88 +++ b/arch/arm/boot/dts/da850-lcdk.dts
    89 @@ -26,7 +26,7 @@
    90
    91 sound {
    92 compatible = "simple-audio-card";
    93 - simple-audio-card,name = "DA850/OMAP-L138 LCDK";
    94 + simple-audio-card,name = "DA850-OMAPL138 LCDK";
    95 simple-audio-card,widgets =
    96 "Line", "Line In",
    97 "Line", "Line Out";
    98 diff --git a/arch/arm/boot/dts/kirkwood-dnskw.dtsi b/arch/arm/boot/dts/kirkwood-dnskw.dtsi
    99 index d8fca9db46d0..dddbc0d03da5 100644
    100 --- a/arch/arm/boot/dts/kirkwood-dnskw.dtsi
    101 +++ b/arch/arm/boot/dts/kirkwood-dnskw.dtsi
    102 @@ -35,8 +35,8 @@
    103 compatible = "gpio-fan";
    104 pinctrl-0 = <&pmx_fan_high_speed &pmx_fan_low_speed>;
    105 pinctrl-names = "default";
    106 - gpios = <&gpio1 14 GPIO_ACTIVE_LOW
    107 - &gpio1 13 GPIO_ACTIVE_LOW>;
    108 + gpios = <&gpio1 14 GPIO_ACTIVE_HIGH
    109 + &gpio1 13 GPIO_ACTIVE_HIGH>;
    110 gpio-fan,speed-map = <0 0
    111 3000 1
    112 6000 2>;
    113 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
    114 index e616f61f859d..7d727506096f 100644
    115 --- a/arch/arm/include/asm/assembler.h
    116 +++ b/arch/arm/include/asm/assembler.h
    117 @@ -465,6 +465,17 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
    118 #endif
    119 .endm
    120
    121 + .macro uaccess_mask_range_ptr, addr:req, size:req, limit:req, tmp:req
    122 +#ifdef CONFIG_CPU_SPECTRE
    123 + sub \tmp, \limit, #1
    124 + subs \tmp, \tmp, \addr @ tmp = limit - 1 - addr
    125 + addhs \tmp, \tmp, #1 @ if (tmp >= 0) {
    126 + subhss \tmp, \tmp, \size @ tmp = limit - (addr + size) }
    127 + movlo \addr, #0 @ if (tmp < 0) addr = NULL
    128 + csdb
    129 +#endif
    130 + .endm
    131 +
    132 .macro uaccess_disable, tmp, isb=1
    133 #ifdef CONFIG_CPU_SW_DOMAIN_PAN
    134 /*
    135 diff --git a/arch/arm/include/asm/cputype.h b/arch/arm/include/asm/cputype.h
    136 index c55db1e22f0c..b9356dbfded0 100644
    137 --- a/arch/arm/include/asm/cputype.h
    138 +++ b/arch/arm/include/asm/cputype.h
    139 @@ -106,6 +106,7 @@
    140 #define ARM_CPU_PART_SCORPION 0x510002d0
    141
    142 extern unsigned int processor_id;
    143 +struct proc_info_list *lookup_processor(u32 midr);
    144
    145 #ifdef CONFIG_CPU_CP15
    146 #define read_cpuid(reg) \
    147 diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
    148 index f379f5f849a9..1bfcc3bcfc6d 100644
    149 --- a/arch/arm/include/asm/proc-fns.h
    150 +++ b/arch/arm/include/asm/proc-fns.h
    151 @@ -23,7 +23,7 @@ struct mm_struct;
    152 /*
    153 * Don't change this structure - ASM code relies on it.
    154 */
    155 -extern struct processor {
    156 +struct processor {
    157 /* MISC
    158 * get data abort address/flags
    159 */
    160 @@ -79,9 +79,13 @@ extern struct processor {
    161 unsigned int suspend_size;
    162 void (*do_suspend)(void *);
    163 void (*do_resume)(void *);
    164 -} processor;
    165 +};
    166
    167 #ifndef MULTI_CPU
    168 +static inline void init_proc_vtable(const struct processor *p)
    169 +{
    170 +}
    171 +
    172 extern void cpu_proc_init(void);
    173 extern void cpu_proc_fin(void);
    174 extern int cpu_do_idle(void);
    175 @@ -98,17 +102,50 @@ extern void cpu_reset(unsigned long addr) __attribute__((noreturn));
    176 extern void cpu_do_suspend(void *);
    177 extern void cpu_do_resume(void *);
    178 #else
    179 -#define cpu_proc_init processor._proc_init
    180 -#define cpu_proc_fin processor._proc_fin
    181 -#define cpu_reset processor.reset
    182 -#define cpu_do_idle processor._do_idle
    183 -#define cpu_dcache_clean_area processor.dcache_clean_area
    184 -#define cpu_set_pte_ext processor.set_pte_ext
    185 -#define cpu_do_switch_mm processor.switch_mm
    186
    187 -/* These three are private to arch/arm/kernel/suspend.c */
    188 -#define cpu_do_suspend processor.do_suspend
    189 -#define cpu_do_resume processor.do_resume
    190 +extern struct processor processor;
    191 +#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
    192 +#include <linux/smp.h>
    193 +/*
    194 + * This can't be a per-cpu variable because we need to access it before
    195 + * per-cpu has been initialised. We have a couple of functions that are
    196 + * called in a pre-emptible context, and so can't use smp_processor_id()
    197 + * there, hence PROC_TABLE(). We insist in init_proc_vtable() that the
    198 + * function pointers for these are identical across all CPUs.
    199 + */
    200 +extern struct processor *cpu_vtable[];
    201 +#define PROC_VTABLE(f) cpu_vtable[smp_processor_id()]->f
    202 +#define PROC_TABLE(f) cpu_vtable[0]->f
    203 +static inline void init_proc_vtable(const struct processor *p)
    204 +{
    205 + unsigned int cpu = smp_processor_id();
    206 + *cpu_vtable[cpu] = *p;
    207 + WARN_ON_ONCE(cpu_vtable[cpu]->dcache_clean_area !=
    208 + cpu_vtable[0]->dcache_clean_area);
    209 + WARN_ON_ONCE(cpu_vtable[cpu]->set_pte_ext !=
    210 + cpu_vtable[0]->set_pte_ext);
    211 +}
    212 +#else
    213 +#define PROC_VTABLE(f) processor.f
    214 +#define PROC_TABLE(f) processor.f
    215 +static inline void init_proc_vtable(const struct processor *p)
    216 +{
    217 + processor = *p;
    218 +}
    219 +#endif
    220 +
    221 +#define cpu_proc_init PROC_VTABLE(_proc_init)
    222 +#define cpu_check_bugs PROC_VTABLE(check_bugs)
    223 +#define cpu_proc_fin PROC_VTABLE(_proc_fin)
    224 +#define cpu_reset PROC_VTABLE(reset)
    225 +#define cpu_do_idle PROC_VTABLE(_do_idle)
    226 +#define cpu_dcache_clean_area PROC_TABLE(dcache_clean_area)
    227 +#define cpu_set_pte_ext PROC_TABLE(set_pte_ext)
    228 +#define cpu_do_switch_mm PROC_VTABLE(switch_mm)
    229 +
    230 +/* These two are private to arch/arm/kernel/suspend.c */
    231 +#define cpu_do_suspend PROC_VTABLE(do_suspend)
    232 +#define cpu_do_resume PROC_VTABLE(do_resume)
    233 #endif
    234
    235 extern void cpu_resume(void);
    236 diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
    237 index 57d2ad9c75ca..df8420672c7e 100644
    238 --- a/arch/arm/include/asm/thread_info.h
    239 +++ b/arch/arm/include/asm/thread_info.h
    240 @@ -124,8 +124,8 @@ extern void vfp_flush_hwstate(struct thread_info *);
    241 struct user_vfp;
    242 struct user_vfp_exc;
    243
    244 -extern int vfp_preserve_user_clear_hwstate(struct user_vfp __user *,
    245 - struct user_vfp_exc __user *);
    246 +extern int vfp_preserve_user_clear_hwstate(struct user_vfp *,
    247 + struct user_vfp_exc *);
    248 extern int vfp_restore_user_hwstate(struct user_vfp *,
    249 struct user_vfp_exc *);
    250 #endif
    251 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
    252 index 7b17460127fd..0f6c6b873bc5 100644
    253 --- a/arch/arm/include/asm/uaccess.h
    254 +++ b/arch/arm/include/asm/uaccess.h
    255 @@ -99,6 +99,14 @@ extern int __put_user_bad(void);
    256 static inline void set_fs(mm_segment_t fs)
    257 {
    258 current_thread_info()->addr_limit = fs;
    259 +
    260 + /*
    261 + * Prevent a mispredicted conditional call to set_fs from forwarding
    262 + * the wrong address limit to access_ok under speculation.
    263 + */
    264 + dsb(nsh);
    265 + isb();
    266 +
    267 modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
    268 }
    269
    270 @@ -121,6 +129,32 @@ static inline void set_fs(mm_segment_t fs)
    271 #define __inttype(x) \
    272 __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
    273
    274 +/*
    275 + * Sanitise a uaccess pointer such that it becomes NULL if addr+size
    276 + * is above the current addr_limit.
    277 + */
    278 +#define uaccess_mask_range_ptr(ptr, size) \
    279 + ((__typeof__(ptr))__uaccess_mask_range_ptr(ptr, size))
    280 +static inline void __user *__uaccess_mask_range_ptr(const void __user *ptr,
    281 + size_t size)
    282 +{
    283 + void __user *safe_ptr = (void __user *)ptr;
    284 + unsigned long tmp;
    285 +
    286 + asm volatile(
    287 + " sub %1, %3, #1\n"
    288 + " subs %1, %1, %0\n"
    289 + " addhs %1, %1, #1\n"
    290 + " subhss %1, %1, %2\n"
    291 + " movlo %0, #0\n"
    292 + : "+r" (safe_ptr), "=&r" (tmp)
    293 + : "r" (size), "r" (current_thread_info()->addr_limit)
    294 + : "cc");
    295 +
    296 + csdb();
    297 + return safe_ptr;
    298 +}
    299 +
    300 /*
    301 * Single-value transfer routines. They automatically use the right
    302 * size if we just have the right pointer type. Note that the functions
    303 @@ -392,6 +426,14 @@ do { \
    304 __pu_err; \
    305 })
    306
    307 +#ifdef CONFIG_CPU_SPECTRE
    308 +/*
    309 + * When mitigating Spectre variant 1.1, all accessors need to include
    310 + * verification of the address space.
    311 + */
    312 +#define __put_user(x, ptr) put_user(x, ptr)
    313 +
    314 +#else
    315 #define __put_user(x, ptr) \
    316 ({ \
    317 long __pu_err = 0; \
    318 @@ -399,12 +441,6 @@ do { \
    319 __pu_err; \
    320 })
    321
    322 -#define __put_user_error(x, ptr, err) \
    323 -({ \
    324 - __put_user_switch((x), (ptr), (err), __put_user_nocheck); \
    325 - (void) 0; \
    326 -})
    327 -
    328 #define __put_user_nocheck(x, __pu_ptr, __err, __size) \
    329 do { \
    330 unsigned long __pu_addr = (unsigned long)__pu_ptr; \
    331 @@ -484,6 +520,7 @@ do { \
    332 : "r" (x), "i" (-EFAULT) \
    333 : "cc")
    334
    335 +#endif /* !CONFIG_CPU_SPECTRE */
    336
    337 #ifdef CONFIG_MMU
    338 extern unsigned long __must_check
    339 diff --git a/arch/arm/kernel/bugs.c b/arch/arm/kernel/bugs.c
    340 index 7be511310191..d41d3598e5e5 100644
    341 --- a/arch/arm/kernel/bugs.c
    342 +++ b/arch/arm/kernel/bugs.c
    343 @@ -6,8 +6,8 @@
    344 void check_other_bugs(void)
    345 {
    346 #ifdef MULTI_CPU
    347 - if (processor.check_bugs)
    348 - processor.check_bugs();
    349 + if (cpu_check_bugs)
    350 + cpu_check_bugs();
    351 #endif
    352 }
    353
    354 diff --git a/arch/arm/kernel/head-common.S b/arch/arm/kernel/head-common.S
    355 index 8733012d231f..7e662bdd5cb3 100644
    356 --- a/arch/arm/kernel/head-common.S
    357 +++ b/arch/arm/kernel/head-common.S
    358 @@ -122,6 +122,9 @@ __mmap_switched_data:
    359 .long init_thread_union + THREAD_START_SP @ sp
    360 .size __mmap_switched_data, . - __mmap_switched_data
    361
    362 + __FINIT
    363 + .text
    364 +
    365 /*
    366 * This provides a C-API version of __lookup_processor_type
    367 */
    368 @@ -133,9 +136,6 @@ ENTRY(lookup_processor_type)
    369 ldmfd sp!, {r4 - r6, r9, pc}
    370 ENDPROC(lookup_processor_type)
    371
    372 - __FINIT
    373 - .text
    374 -
    375 /*
    376 * Read processor ID register (CP#15, CR0), and look up in the linker-built
    377 * supported processor list. Note that we can't use the absolute addresses
    378 diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
    379 index f4e54503afa9..4764742db7b0 100644
    380 --- a/arch/arm/kernel/setup.c
    381 +++ b/arch/arm/kernel/setup.c
    382 @@ -115,6 +115,11 @@ EXPORT_SYMBOL(elf_hwcap2);
    383
    384 #ifdef MULTI_CPU
    385 struct processor processor __ro_after_init;
    386 +#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
    387 +struct processor *cpu_vtable[NR_CPUS] = {
    388 + [0] = &processor,
    389 +};
    390 +#endif
    391 #endif
    392 #ifdef MULTI_TLB
    393 struct cpu_tlb_fns cpu_tlb __ro_after_init;
    394 @@ -667,28 +672,33 @@ static void __init smp_build_mpidr_hash(void)
    395 }
    396 #endif
    397
    398 -static void __init setup_processor(void)
    399 +/*
    400 + * locate processor in the list of supported processor types. The linker
    401 + * builds this table for us from the entries in arch/arm/mm/proc-*.S
    402 + */
    403 +struct proc_info_list *lookup_processor(u32 midr)
    404 {
    405 - struct proc_info_list *list;
    406 + struct proc_info_list *list = lookup_processor_type(midr);
    407
    408 - /*
    409 - * locate processor in the list of supported processor
    410 - * types. The linker builds this table for us from the
    411 - * entries in arch/arm/mm/proc-*.S
    412 - */
    413 - list = lookup_processor_type(read_cpuid_id());
    414 if (!list) {
    415 - pr_err("CPU configuration botched (ID %08x), unable to continue.\n",
    416 - read_cpuid_id());
    417 - while (1);
    418 + pr_err("CPU%u: configuration botched (ID %08x), CPU halted\n",
    419 + smp_processor_id(), midr);
    420 + while (1)
    421 + /* can't use cpu_relax() here as it may require MMU setup */;
    422 }
    423
    424 + return list;
    425 +}
    426 +
    427 +static void __init setup_processor(void)
    428 +{
    429 + unsigned int midr = read_cpuid_id();
    430 + struct proc_info_list *list = lookup_processor(midr);
    431 +
    432 cpu_name = list->cpu_name;
    433 __cpu_architecture = __get_cpu_architecture();
    434
    435 -#ifdef MULTI_CPU
    436 - processor = *list->proc;
    437 -#endif
    438 + init_proc_vtable(list->proc);
    439 #ifdef MULTI_TLB
    440 cpu_tlb = *list->tlb;
    441 #endif
    442 @@ -700,7 +710,7 @@ static void __init setup_processor(void)
    443 #endif
    444
    445 pr_info("CPU: %s [%08x] revision %d (ARMv%s), cr=%08lx\n",
    446 - cpu_name, read_cpuid_id(), read_cpuid_id() & 15,
    447 + list->cpu_name, midr, midr & 15,
    448 proc_arch[cpu_architecture()], get_cr());
    449
    450 snprintf(init_utsname()->machine, __NEW_UTS_LEN + 1, "%s%c",
    451 diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
    452 index 6bee5c9b1133..0a066f03b5ec 100644
    453 --- a/arch/arm/kernel/signal.c
    454 +++ b/arch/arm/kernel/signal.c
    455 @@ -94,17 +94,18 @@ static int restore_iwmmxt_context(struct iwmmxt_sigframe *frame)
    456
    457 static int preserve_vfp_context(struct vfp_sigframe __user *frame)
    458 {
    459 - const unsigned long magic = VFP_MAGIC;
    460 - const unsigned long size = VFP_STORAGE_SIZE;
    461 + struct vfp_sigframe kframe;
    462 int err = 0;
    463
    464 - __put_user_error(magic, &frame->magic, err);
    465 - __put_user_error(size, &frame->size, err);
    466 + memset(&kframe, 0, sizeof(kframe));
    467 + kframe.magic = VFP_MAGIC;
    468 + kframe.size = VFP_STORAGE_SIZE;
    469
    470 + err = vfp_preserve_user_clear_hwstate(&kframe.ufp, &kframe.ufp_exc);
    471 if (err)
    472 - return -EFAULT;
    473 + return err;
    474
    475 - return vfp_preserve_user_clear_hwstate(&frame->ufp, &frame->ufp_exc);
    476 + return __copy_to_user(frame, &kframe, sizeof(kframe));
    477 }
    478
    479 static int restore_vfp_context(struct vfp_sigframe __user *auxp)
    480 @@ -256,30 +257,35 @@ static int
    481 setup_sigframe(struct sigframe __user *sf, struct pt_regs *regs, sigset_t *set)
    482 {
    483 struct aux_sigframe __user *aux;
    484 + struct sigcontext context;
    485 int err = 0;
    486
    487 - __put_user_error(regs->ARM_r0, &sf->uc.uc_mcontext.arm_r0, err);
    488 - __put_user_error(regs->ARM_r1, &sf->uc.uc_mcontext.arm_r1, err);
    489 - __put_user_error(regs->ARM_r2, &sf->uc.uc_mcontext.arm_r2, err);
    490 - __put_user_error(regs->ARM_r3, &sf->uc.uc_mcontext.arm_r3, err);
    491 - __put_user_error(regs->ARM_r4, &sf->uc.uc_mcontext.arm_r4, err);
    492 - __put_user_error(regs->ARM_r5, &sf->uc.uc_mcontext.arm_r5, err);
    493 - __put_user_error(regs->ARM_r6, &sf->uc.uc_mcontext.arm_r6, err);
    494 - __put_user_error(regs->ARM_r7, &sf->uc.uc_mcontext.arm_r7, err);
    495 - __put_user_error(regs->ARM_r8, &sf->uc.uc_mcontext.arm_r8, err);
    496 - __put_user_error(regs->ARM_r9, &sf->uc.uc_mcontext.arm_r9, err);
    497 - __put_user_error(regs->ARM_r10, &sf->uc.uc_mcontext.arm_r10, err);
    498 - __put_user_error(regs->ARM_fp, &sf->uc.uc_mcontext.arm_fp, err);
    499 - __put_user_error(regs->ARM_ip, &sf->uc.uc_mcontext.arm_ip, err);
    500 - __put_user_error(regs->ARM_sp, &sf->uc.uc_mcontext.arm_sp, err);
    501 - __put_user_error(regs->ARM_lr, &sf->uc.uc_mcontext.arm_lr, err);
    502 - __put_user_error(regs->ARM_pc, &sf->uc.uc_mcontext.arm_pc, err);
    503 - __put_user_error(regs->ARM_cpsr, &sf->uc.uc_mcontext.arm_cpsr, err);
    504 -
    505 - __put_user_error(current->thread.trap_no, &sf->uc.uc_mcontext.trap_no, err);
    506 - __put_user_error(current->thread.error_code, &sf->uc.uc_mcontext.error_code, err);
    507 - __put_user_error(current->thread.address, &sf->uc.uc_mcontext.fault_address, err);
    508 - __put_user_error(set->sig[0], &sf->uc.uc_mcontext.oldmask, err);
    509 + context = (struct sigcontext) {
    510 + .arm_r0 = regs->ARM_r0,
    511 + .arm_r1 = regs->ARM_r1,
    512 + .arm_r2 = regs->ARM_r2,
    513 + .arm_r3 = regs->ARM_r3,
    514 + .arm_r4 = regs->ARM_r4,
    515 + .arm_r5 = regs->ARM_r5,
    516 + .arm_r6 = regs->ARM_r6,
    517 + .arm_r7 = regs->ARM_r7,
    518 + .arm_r8 = regs->ARM_r8,
    519 + .arm_r9 = regs->ARM_r9,
    520 + .arm_r10 = regs->ARM_r10,
    521 + .arm_fp = regs->ARM_fp,
    522 + .arm_ip = regs->ARM_ip,
    523 + .arm_sp = regs->ARM_sp,
    524 + .arm_lr = regs->ARM_lr,
    525 + .arm_pc = regs->ARM_pc,
    526 + .arm_cpsr = regs->ARM_cpsr,
    527 +
    528 + .trap_no = current->thread.trap_no,
    529 + .error_code = current->thread.error_code,
    530 + .fault_address = current->thread.address,
    531 + .oldmask = set->sig[0],
    532 + };
    533 +
    534 + err |= __copy_to_user(&sf->uc.uc_mcontext, &context, sizeof(context));
    535
    536 err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(*set));
    537
    538 @@ -296,7 +302,7 @@ setup_sigframe(struct sigframe __user *sf, struct pt_regs *regs, sigset_t *set)
    539 if (err == 0)
    540 err |= preserve_vfp_context(&aux->vfp);
    541 #endif
    542 - __put_user_error(0, &aux->end_magic, err);
    543 + err |= __put_user(0, &aux->end_magic);
    544
    545 return err;
    546 }
    547 @@ -428,7 +434,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
    548 /*
    549 * Set uc.uc_flags to a value which sc.trap_no would never have.
    550 */
    551 - __put_user_error(0x5ac3c35a, &frame->uc.uc_flags, err);
    552 + err = __put_user(0x5ac3c35a, &frame->uc.uc_flags);
    553
    554 err |= setup_sigframe(frame, regs, set);
    555 if (err == 0)
    556 @@ -448,8 +454,8 @@ setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
    557
    558 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
    559
    560 - __put_user_error(0, &frame->sig.uc.uc_flags, err);
    561 - __put_user_error(NULL, &frame->sig.uc.uc_link, err);
    562 + err |= __put_user(0, &frame->sig.uc.uc_flags);
    563 + err |= __put_user(NULL, &frame->sig.uc.uc_link);
    564
    565 err |= __save_altstack(&frame->sig.uc.uc_stack, regs->ARM_sp);
    566 err |= setup_sigframe(&frame->sig, regs, set);
    567 diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
    568 index 4b129aac7233..8faf869e9fb2 100644
    569 --- a/arch/arm/kernel/smp.c
    570 +++ b/arch/arm/kernel/smp.c
    571 @@ -27,6 +27,7 @@
    572 #include <linux/completion.h>
    573 #include <linux/cpufreq.h>
    574 #include <linux/irq_work.h>
    575 +#include <linux/slab.h>
    576
    577 #include <linux/atomic.h>
    578 #include <asm/bugs.h>
    579 @@ -40,6 +41,7 @@
    580 #include <asm/mmu_context.h>
    581 #include <asm/pgtable.h>
    582 #include <asm/pgalloc.h>
    583 +#include <asm/procinfo.h>
    584 #include <asm/processor.h>
    585 #include <asm/sections.h>
    586 #include <asm/tlbflush.h>
    587 @@ -100,6 +102,30 @@ static unsigned long get_arch_pgd(pgd_t *pgd)
    588 #endif
    589 }
    590
    591 +#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
    592 +static int secondary_biglittle_prepare(unsigned int cpu)
    593 +{
    594 + if (!cpu_vtable[cpu])
    595 + cpu_vtable[cpu] = kzalloc(sizeof(*cpu_vtable[cpu]), GFP_KERNEL);
    596 +
    597 + return cpu_vtable[cpu] ? 0 : -ENOMEM;
    598 +}
    599 +
    600 +static void secondary_biglittle_init(void)
    601 +{
    602 + init_proc_vtable(lookup_processor(read_cpuid_id())->proc);
    603 +}
    604 +#else
    605 +static int secondary_biglittle_prepare(unsigned int cpu)
    606 +{
    607 + return 0;
    608 +}
    609 +
    610 +static void secondary_biglittle_init(void)
    611 +{
    612 +}
    613 +#endif
    614 +
    615 int __cpu_up(unsigned int cpu, struct task_struct *idle)
    616 {
    617 int ret;
    618 @@ -107,6 +133,10 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
    619 if (!smp_ops.smp_boot_secondary)
    620 return -ENOSYS;
    621
    622 + ret = secondary_biglittle_prepare(cpu);
    623 + if (ret)
    624 + return ret;
    625 +
    626 /*
    627 * We need to tell the secondary core where to find
    628 * its stack and the page tables.
    629 @@ -358,6 +388,8 @@ asmlinkage void secondary_start_kernel(void)
    630 struct mm_struct *mm = &init_mm;
    631 unsigned int cpu;
    632
    633 + secondary_biglittle_init();
    634 +
    635 /*
    636 * The identity mapping is uncached (strongly ordered), so
    637 * switch away from it before attempting any exclusive accesses.
    638 diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
    639 index 640748e27035..d844c5c9364b 100644
    640 --- a/arch/arm/kernel/sys_oabi-compat.c
    641 +++ b/arch/arm/kernel/sys_oabi-compat.c
    642 @@ -276,6 +276,7 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
    643 int maxevents, int timeout)
    644 {
    645 struct epoll_event *kbuf;
    646 + struct oabi_epoll_event e;
    647 mm_segment_t fs;
    648 long ret, err, i;
    649
    650 @@ -294,8 +295,11 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
    651 set_fs(fs);
    652 err = 0;
    653 for (i = 0; i < ret; i++) {
    654 - __put_user_error(kbuf[i].events, &events->events, err);
    655 - __put_user_error(kbuf[i].data, &events->data, err);
    656 + e.events = kbuf[i].events;
    657 + e.data = kbuf[i].data;
    658 + err = __copy_to_user(events, &e, sizeof(e));
    659 + if (err)
    660 + break;
    661 events++;
    662 }
    663 kfree(kbuf);
    664 diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
    665 index a826df3d3814..6709a8d33963 100644
    666 --- a/arch/arm/lib/copy_from_user.S
    667 +++ b/arch/arm/lib/copy_from_user.S
    668 @@ -93,11 +93,7 @@ ENTRY(arm_copy_from_user)
    669 #ifdef CONFIG_CPU_SPECTRE
    670 get_thread_info r3
    671 ldr r3, [r3, #TI_ADDR_LIMIT]
    672 - adds ip, r1, r2 @ ip=addr+size
    673 - sub r3, r3, #1 @ addr_limit - 1
    674 - cmpcc ip, r3 @ if (addr+size > addr_limit - 1)
    675 - movcs r1, #0 @ addr = NULL
    676 - csdb
    677 + uaccess_mask_range_ptr r1, r2, r3, ip
    678 #endif
    679
    680 #include "copy_template.S"
    681 diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
    682 index caf5019d8161..970abe521197 100644
    683 --- a/arch/arm/lib/copy_to_user.S
    684 +++ b/arch/arm/lib/copy_to_user.S
    685 @@ -94,6 +94,11 @@
    686
    687 ENTRY(__copy_to_user_std)
    688 WEAK(arm_copy_to_user)
    689 +#ifdef CONFIG_CPU_SPECTRE
    690 + get_thread_info r3
    691 + ldr r3, [r3, #TI_ADDR_LIMIT]
    692 + uaccess_mask_range_ptr r0, r2, r3, ip
    693 +#endif
    694
    695 #include "copy_template.S"
    696
    697 @@ -108,4 +113,3 @@ ENDPROC(__copy_to_user_std)
    698 rsb r0, r0, r2
    699 copy_abort_end
    700 .popsection
    701 -
    702 diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
    703 index 6bd1089b07e0..f598d792bace 100644
    704 --- a/arch/arm/lib/uaccess_with_memcpy.c
    705 +++ b/arch/arm/lib/uaccess_with_memcpy.c
    706 @@ -152,7 +152,8 @@ arm_copy_to_user(void __user *to, const void *from, unsigned long n)
    707 n = __copy_to_user_std(to, from, n);
    708 uaccess_restore(ua_flags);
    709 } else {
    710 - n = __copy_to_user_memcpy(to, from, n);
    711 + n = __copy_to_user_memcpy(uaccess_mask_range_ptr(to, n),
    712 + from, n);
    713 }
    714 return n;
    715 }
    716 diff --git a/arch/arm/mach-integrator/impd1.c b/arch/arm/mach-integrator/impd1.c
    717 index ed9a01484030..a52fe871adbc 100644
    718 --- a/arch/arm/mach-integrator/impd1.c
    719 +++ b/arch/arm/mach-integrator/impd1.c
    720 @@ -394,7 +394,11 @@ static int __ref impd1_probe(struct lm_device *dev)
    721 sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
    722 GFP_KERNEL);
    723 chipname = devm_kstrdup(&dev->dev, devname, GFP_KERNEL);
    724 - mmciname = kasprintf(GFP_KERNEL, "lm%x:00700", dev->id);
    725 + mmciname = devm_kasprintf(&dev->dev, GFP_KERNEL,
    726 + "lm%x:00700", dev->id);
    727 + if (!lookup || !chipname || !mmciname)
    728 + return -ENOMEM;
    729 +
    730 lookup->dev_id = mmciname;
    731 /*
    732 * Offsets on GPIO block 1:
    733 diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S
    734 index 7d9176c4a21d..f8bb65032b79 100644
    735 --- a/arch/arm/mm/proc-macros.S
    736 +++ b/arch/arm/mm/proc-macros.S
    737 @@ -275,6 +275,13 @@
    738 .endm
    739
    740 .macro define_processor_functions name:req, dabort:req, pabort:req, nommu=0, suspend=0, bugs=0
    741 +/*
    742 + * If we are building for big.Little with branch predictor hardening,
    743 + * we need the processor function tables to remain available after boot.
    744 + */
    745 +#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
    746 + .section ".rodata"
    747 +#endif
    748 .type \name\()_processor_functions, #object
    749 .align 2
    750 ENTRY(\name\()_processor_functions)
    751 @@ -310,6 +317,9 @@ ENTRY(\name\()_processor_functions)
    752 .endif
    753
    754 .size \name\()_processor_functions, . - \name\()_processor_functions
    755 +#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
    756 + .previous
    757 +#endif
    758 .endm
    759
    760 .macro define_cache_functions name:req
    761 diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c
    762 index 5544b82a2e7a..9a07916af8dd 100644
    763 --- a/arch/arm/mm/proc-v7-bugs.c
    764 +++ b/arch/arm/mm/proc-v7-bugs.c
    765 @@ -52,8 +52,6 @@ static void cpu_v7_spectre_init(void)
    766 case ARM_CPU_PART_CORTEX_A17:
    767 case ARM_CPU_PART_CORTEX_A73:
    768 case ARM_CPU_PART_CORTEX_A75:
    769 - if (processor.switch_mm != cpu_v7_bpiall_switch_mm)
    770 - goto bl_error;
    771 per_cpu(harden_branch_predictor_fn, cpu) =
    772 harden_branch_predictor_bpiall;
    773 spectre_v2_method = "BPIALL";
    774 @@ -61,8 +59,6 @@ static void cpu_v7_spectre_init(void)
    775
    776 case ARM_CPU_PART_CORTEX_A15:
    777 case ARM_CPU_PART_BRAHMA_B15:
    778 - if (processor.switch_mm != cpu_v7_iciallu_switch_mm)
    779 - goto bl_error;
    780 per_cpu(harden_branch_predictor_fn, cpu) =
    781 harden_branch_predictor_iciallu;
    782 spectre_v2_method = "ICIALLU";
    783 @@ -88,11 +84,9 @@ static void cpu_v7_spectre_init(void)
    784 ARM_SMCCC_ARCH_WORKAROUND_1, &res);
    785 if ((int)res.a0 != 0)
    786 break;
    787 - if (processor.switch_mm != cpu_v7_hvc_switch_mm && cpu)
    788 - goto bl_error;
    789 per_cpu(harden_branch_predictor_fn, cpu) =
    790 call_hvc_arch_workaround_1;
    791 - processor.switch_mm = cpu_v7_hvc_switch_mm;
    792 + cpu_do_switch_mm = cpu_v7_hvc_switch_mm;
    793 spectre_v2_method = "hypervisor";
    794 break;
    795
    796 @@ -101,11 +95,9 @@ static void cpu_v7_spectre_init(void)
    797 ARM_SMCCC_ARCH_WORKAROUND_1, &res);
    798 if ((int)res.a0 != 0)
    799 break;
    800 - if (processor.switch_mm != cpu_v7_smc_switch_mm && cpu)
    801 - goto bl_error;
    802 per_cpu(harden_branch_predictor_fn, cpu) =
    803 call_smc_arch_workaround_1;
    804 - processor.switch_mm = cpu_v7_smc_switch_mm;
    805 + cpu_do_switch_mm = cpu_v7_smc_switch_mm;
    806 spectre_v2_method = "firmware";
    807 break;
    808
    809 @@ -119,11 +111,6 @@ static void cpu_v7_spectre_init(void)
    810 if (spectre_v2_method)
    811 pr_info("CPU%u: Spectre v2: using %s workaround\n",
    812 smp_processor_id(), spectre_v2_method);
    813 - return;
    814 -
    815 -bl_error:
    816 - pr_err("CPU%u: Spectre v2: incorrect context switching function, system vulnerable\n",
    817 - cpu);
    818 }
    819 #else
    820 static void cpu_v7_spectre_init(void)
    821 diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c
    822 index 8e5e97989fda..00dd8cf36632 100644
    823 --- a/arch/arm/vfp/vfpmodule.c
    824 +++ b/arch/arm/vfp/vfpmodule.c
    825 @@ -554,12 +554,11 @@ void vfp_flush_hwstate(struct thread_info *thread)
    826 * Save the current VFP state into the provided structures and prepare
    827 * for entry into a new function (signal handler).
    828 */
    829 -int vfp_preserve_user_clear_hwstate(struct user_vfp __user *ufp,
    830 - struct user_vfp_exc __user *ufp_exc)
    831 +int vfp_preserve_user_clear_hwstate(struct user_vfp *ufp,
    832 + struct user_vfp_exc *ufp_exc)
    833 {
    834 struct thread_info *thread = current_thread_info();
    835 struct vfp_hard_struct *hwstate = &thread->vfpstate.hard;
    836 - int err = 0;
    837
    838 /* Ensure that the saved hwstate is up-to-date. */
    839 vfp_sync_hwstate(thread);
    840 @@ -568,22 +567,19 @@ int vfp_preserve_user_clear_hwstate(struct user_vfp __user *ufp,
    841 * Copy the floating point registers. There can be unused
    842 * registers see asm/hwcap.h for details.
    843 */
    844 - err |= __copy_to_user(&ufp->fpregs, &hwstate->fpregs,
    845 - sizeof(hwstate->fpregs));
    846 + memcpy(&ufp->fpregs, &hwstate->fpregs, sizeof(hwstate->fpregs));
    847 +
    848 /*
    849 * Copy the status and control register.
    850 */
    851 - __put_user_error(hwstate->fpscr, &ufp->fpscr, err);
    852 + ufp->fpscr = hwstate->fpscr;
    853
    854 /*
    855 * Copy the exception registers.
    856 */
    857 - __put_user_error(hwstate->fpexc, &ufp_exc->fpexc, err);
    858 - __put_user_error(hwstate->fpinst, &ufp_exc->fpinst, err);
    859 - __put_user_error(hwstate->fpinst2, &ufp_exc->fpinst2, err);
    860 -
    861 - if (err)
    862 - return -EFAULT;
    863 + ufp_exc->fpexc = hwstate->fpexc;
    864 + ufp_exc->fpinst = hwstate->fpinst;
    865 + ufp_exc->fpinst2 = hwstate->fpinst2;
    866
    867 /* Ensure that VFP is disabled. */
    868 vfp_flush_hwstate(thread);
    869 diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
    870 index cadf99923600..ab04751a12b6 100644
    871 --- a/arch/x86/events/core.c
    872 +++ b/arch/x86/events/core.c
    873 @@ -2196,6 +2196,19 @@ void perf_check_microcode(void)
    874 }
    875 EXPORT_SYMBOL_GPL(perf_check_microcode);
    876
    877 +static int x86_pmu_check_period(struct perf_event *event, u64 value)
    878 +{
    879 + if (x86_pmu.check_period && x86_pmu.check_period(event, value))
    880 + return -EINVAL;
    881 +
    882 + if (value && x86_pmu.limit_period) {
    883 + if (x86_pmu.limit_period(event, value) > value)
    884 + return -EINVAL;
    885 + }
    886 +
    887 + return 0;
    888 +}
    889 +
    890 static struct pmu pmu = {
    891 .pmu_enable = x86_pmu_enable,
    892 .pmu_disable = x86_pmu_disable,
    893 @@ -2220,6 +2233,7 @@ static struct pmu pmu = {
    894 .event_idx = x86_pmu_event_idx,
    895 .sched_task = x86_pmu_sched_task,
    896 .task_ctx_size = sizeof(struct x86_perf_task_context),
    897 + .check_period = x86_pmu_check_period,
    898 };
    899
    900 void arch_perf_update_userpage(struct perf_event *event,
    901 diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
    902 index f600ab601e00..f0639c8ebcb6 100644
    903 --- a/arch/x86/events/intel/core.c
    904 +++ b/arch/x86/events/intel/core.c
    905 @@ -3262,6 +3262,11 @@ static void intel_pmu_sched_task(struct perf_event_context *ctx,
    906 intel_pmu_lbr_sched_task(ctx, sched_in);
    907 }
    908
    909 +static int intel_pmu_check_period(struct perf_event *event, u64 value)
    910 +{
    911 + return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0;
    912 +}
    913 +
    914 PMU_FORMAT_ATTR(offcore_rsp, "config1:0-63");
    915
    916 PMU_FORMAT_ATTR(ldlat, "config1:0-15");
    917 @@ -3328,6 +3333,8 @@ static __initconst const struct x86_pmu core_pmu = {
    918 .cpu_starting = intel_pmu_cpu_starting,
    919 .cpu_dying = intel_pmu_cpu_dying,
    920 .cpu_dead = intel_pmu_cpu_dead,
    921 +
    922 + .check_period = intel_pmu_check_period,
    923 };
    924
    925 static __initconst const struct x86_pmu intel_pmu = {
    926 @@ -3367,6 +3374,8 @@ static __initconst const struct x86_pmu intel_pmu = {
    927
    928 .guest_get_msrs = intel_guest_get_msrs,
    929 .sched_task = intel_pmu_sched_task,
    930 +
    931 + .check_period = intel_pmu_check_period,
    932 };
    933
    934 static __init void intel_clovertown_quirk(void)
    935 diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
    936 index 7ace39c51ff7..5c21680b0a69 100644
    937 --- a/arch/x86/events/perf_event.h
    938 +++ b/arch/x86/events/perf_event.h
    939 @@ -626,6 +626,11 @@ struct x86_pmu {
    940 * Intel host/guest support (KVM)
    941 */
    942 struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr);
    943 +
    944 + /*
    945 + * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
    946 + */
    947 + int (*check_period) (struct perf_event *event, u64 period);
    948 };
    949
    950 struct x86_perf_task_context {
    951 @@ -833,7 +838,7 @@ static inline int amd_pmu_init(void)
    952
    953 #ifdef CONFIG_CPU_SUP_INTEL
    954
    955 -static inline bool intel_pmu_has_bts(struct perf_event *event)
    956 +static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period)
    957 {
    958 struct hw_perf_event *hwc = &event->hw;
    959 unsigned int hw_event, bts_event;
    960 @@ -844,7 +849,14 @@ static inline bool intel_pmu_has_bts(struct perf_event *event)
    961 hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
    962 bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
    963
    964 - return hw_event == bts_event && hwc->sample_period == 1;
    965 + return hw_event == bts_event && period == 1;
    966 +}
    967 +
    968 +static inline bool intel_pmu_has_bts(struct perf_event *event)
    969 +{
    970 + struct hw_perf_event *hwc = &event->hw;
    971 +
    972 + return intel_pmu_has_bts_period(event, hwc->sample_period);
    973 }
    974
    975 int intel_pmu_save_and_restart(struct perf_event *event);
    976 diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
    977 index cb26f18d43af..555c002167ad 100644
    978 --- a/arch/x86/ia32/ia32_aout.c
    979 +++ b/arch/x86/ia32/ia32_aout.c
    980 @@ -50,7 +50,7 @@ static unsigned long get_dr(int n)
    981 /*
    982 * fill in the user structure for a core dump..
    983 */
    984 -static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
    985 +static void fill_dump(struct pt_regs *regs, struct user32 *dump)
    986 {
    987 u32 fs, gs;
    988 memset(dump, 0, sizeof(*dump));
    989 @@ -156,10 +156,12 @@ static int aout_core_dump(struct coredump_params *cprm)
    990 fs = get_fs();
    991 set_fs(KERNEL_DS);
    992 has_dumped = 1;
    993 +
    994 + fill_dump(cprm->regs, &dump);
    995 +
    996 strncpy(dump.u_comm, current->comm, sizeof(current->comm));
    997 dump.u_ar0 = offsetof(struct user32, regs);
    998 dump.signal = cprm->siginfo->si_signo;
    999 - dump_thread32(cprm->regs, &dump);
    1000
    1001 /*
    1002 * If the size of the dump file exceeds the rlimit, then see
    1003 diff --git a/arch/x86/include/asm/uv/bios.h b/arch/x86/include/asm/uv/bios.h
    1004 index e652a7cc6186..3f697a9e3f59 100644
    1005 --- a/arch/x86/include/asm/uv/bios.h
    1006 +++ b/arch/x86/include/asm/uv/bios.h
    1007 @@ -48,7 +48,8 @@ enum {
    1008 BIOS_STATUS_SUCCESS = 0,
    1009 BIOS_STATUS_UNIMPLEMENTED = -ENOSYS,
    1010 BIOS_STATUS_EINVAL = -EINVAL,
    1011 - BIOS_STATUS_UNAVAIL = -EBUSY
    1012 + BIOS_STATUS_UNAVAIL = -EBUSY,
    1013 + BIOS_STATUS_ABORT = -EINTR,
    1014 };
    1015
    1016 /* Address map parameters */
    1017 @@ -167,4 +168,9 @@ extern long system_serial_number;
    1018
    1019 extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */
    1020
    1021 +/*
    1022 + * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details
    1023 + */
    1024 +extern struct semaphore __efi_uv_runtime_lock;
    1025 +
    1026 #endif /* _ASM_X86_UV_BIOS_H */
    1027 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
    1028 index 91db841101ca..1870fa7387b7 100644
    1029 --- a/arch/x86/kvm/vmx.c
    1030 +++ b/arch/x86/kvm/vmx.c
    1031 @@ -2178,7 +2178,8 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
    1032 if (!entry_only)
    1033 j = find_msr(&m->host, msr);
    1034
    1035 - if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) {
    1036 + if ((i < 0 && m->guest.nr == NR_AUTOLOAD_MSRS) ||
    1037 + (j < 0 && m->host.nr == NR_AUTOLOAD_MSRS)) {
    1038 printk_once(KERN_WARNING "Not enough msr switch entries. "
    1039 "Can't add msr %x\n", msr);
    1040 return;
    1041 diff --git a/arch/x86/platform/uv/bios_uv.c b/arch/x86/platform/uv/bios_uv.c
    1042 index 4a6a5a26c582..eb33432f2f24 100644
    1043 --- a/arch/x86/platform/uv/bios_uv.c
    1044 +++ b/arch/x86/platform/uv/bios_uv.c
    1045 @@ -29,7 +29,8 @@
    1046
    1047 struct uv_systab *uv_systab;
    1048
    1049 -s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
    1050 +static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
    1051 + u64 a4, u64 a5)
    1052 {
    1053 struct uv_systab *tab = uv_systab;
    1054 s64 ret;
    1055 @@ -51,6 +52,19 @@ s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
    1056
    1057 return ret;
    1058 }
    1059 +
    1060 +s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
    1061 +{
    1062 + s64 ret;
    1063 +
    1064 + if (down_interruptible(&__efi_uv_runtime_lock))
    1065 + return BIOS_STATUS_ABORT;
    1066 +
    1067 + ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
    1068 + up(&__efi_uv_runtime_lock);
    1069 +
    1070 + return ret;
    1071 +}
    1072 EXPORT_SYMBOL_GPL(uv_bios_call);
    1073
    1074 s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
    1075 @@ -59,10 +73,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
    1076 unsigned long bios_flags;
    1077 s64 ret;
    1078
    1079 + if (down_interruptible(&__efi_uv_runtime_lock))
    1080 + return BIOS_STATUS_ABORT;
    1081 +
    1082 local_irq_save(bios_flags);
    1083 - ret = uv_bios_call(which, a1, a2, a3, a4, a5);
    1084 + ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
    1085 local_irq_restore(bios_flags);
    1086
    1087 + up(&__efi_uv_runtime_lock);
    1088 +
    1089 return ret;
    1090 }
    1091
    1092 diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
    1093 index 17b518cb787c..0ea065c6725a 100644
    1094 --- a/drivers/acpi/numa.c
    1095 +++ b/drivers/acpi/numa.c
    1096 @@ -147,9 +147,9 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header)
    1097 {
    1098 struct acpi_srat_mem_affinity *p =
    1099 (struct acpi_srat_mem_affinity *)header;
    1100 - pr_debug("SRAT Memory (0x%lx length 0x%lx) in proximity domain %d %s%s%s\n",
    1101 - (unsigned long)p->base_address,
    1102 - (unsigned long)p->length,
    1103 + pr_debug("SRAT Memory (0x%llx length 0x%llx) in proximity domain %d %s%s%s\n",
    1104 + (unsigned long long)p->base_address,
    1105 + (unsigned long long)p->length,
    1106 p->proximity_domain,
    1107 (p->flags & ACPI_SRAT_MEM_ENABLED) ?
    1108 "enabled" : "disabled",
    1109 diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
    1110 index d6d91e8afa9e..61fe4bbc6dc0 100644
    1111 --- a/drivers/cpufreq/cpufreq.c
    1112 +++ b/drivers/cpufreq/cpufreq.c
    1113 @@ -1496,17 +1496,16 @@ static unsigned int __cpufreq_get(struct cpufreq_policy *policy)
    1114 {
    1115 unsigned int ret_freq = 0;
    1116
    1117 - if (!cpufreq_driver->get)
    1118 + if (unlikely(policy_is_inactive(policy)) || !cpufreq_driver->get)
    1119 return ret_freq;
    1120
    1121 ret_freq = cpufreq_driver->get(policy->cpu);
    1122
    1123 /*
    1124 - * Updating inactive policies is invalid, so avoid doing that. Also
    1125 - * if fast frequency switching is used with the given policy, the check
    1126 + * If fast frequency switching is used with the given policy, the check
    1127 * against policy->cur is pointless, so skip it in that case too.
    1128 */
    1129 - if (unlikely(policy_is_inactive(policy)) || policy->fast_switch_enabled)
    1130 + if (policy->fast_switch_enabled)
    1131 return ret_freq;
    1132
    1133 if (ret_freq && policy->cur &&
    1134 diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
    1135 index ae54870b2788..dd7f63354ca0 100644
    1136 --- a/drivers/firmware/efi/runtime-wrappers.c
    1137 +++ b/drivers/firmware/efi/runtime-wrappers.c
    1138 @@ -49,6 +49,13 @@ void efi_call_virt_check_flags(unsigned long flags, const char *call)
    1139 local_irq_restore(flags);
    1140 }
    1141
    1142 +/*
    1143 + * Expose the EFI runtime lock to the UV platform
    1144 + */
    1145 +#ifdef CONFIG_X86_UV
    1146 +extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock);
    1147 +#endif
    1148 +
    1149 /*
    1150 * According to section 7.1 of the UEFI spec, Runtime Services are not fully
    1151 * reentrant, and there are particular combinations of calls that need to be
    1152 diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
    1153 index f64f35cdc2ff..fa3f2f039a74 100644
    1154 --- a/drivers/gpu/drm/bridge/tc358767.c
    1155 +++ b/drivers/gpu/drm/bridge/tc358767.c
    1156 @@ -96,6 +96,8 @@
    1157 #define DP0_STARTVAL 0x064c
    1158 #define DP0_ACTIVEVAL 0x0650
    1159 #define DP0_SYNCVAL 0x0654
    1160 +#define SYNCVAL_HS_POL_ACTIVE_LOW (1 << 15)
    1161 +#define SYNCVAL_VS_POL_ACTIVE_LOW (1 << 31)
    1162 #define DP0_MISC 0x0658
    1163 #define TU_SIZE_RECOMMENDED (63) /* LSCLK cycles per TU */
    1164 #define BPC_6 (0 << 5)
    1165 @@ -140,6 +142,8 @@
    1166 #define DP0_LTLOOPCTRL 0x06d8
    1167 #define DP0_SNKLTCTRL 0x06e4
    1168
    1169 +#define DP1_SRCCTRL 0x07a0
    1170 +
    1171 /* PHY */
    1172 #define DP_PHY_CTRL 0x0800
    1173 #define DP_PHY_RST BIT(28) /* DP PHY Global Soft Reset */
    1174 @@ -148,6 +152,7 @@
    1175 #define PHY_M1_RST BIT(12) /* Reset PHY1 Main Channel */
    1176 #define PHY_RDY BIT(16) /* PHY Main Channels Ready */
    1177 #define PHY_M0_RST BIT(8) /* Reset PHY0 Main Channel */
    1178 +#define PHY_2LANE BIT(2) /* PHY Enable 2 lanes */
    1179 #define PHY_A0_EN BIT(1) /* PHY Aux Channel0 Enable */
    1180 #define PHY_M0_EN BIT(0) /* PHY Main Channel0 Enable */
    1181
    1182 @@ -538,6 +543,7 @@ static int tc_aux_link_setup(struct tc_data *tc)
    1183 unsigned long rate;
    1184 u32 value;
    1185 int ret;
    1186 + u32 dp_phy_ctrl;
    1187
    1188 rate = clk_get_rate(tc->refclk);
    1189 switch (rate) {
    1190 @@ -562,7 +568,10 @@ static int tc_aux_link_setup(struct tc_data *tc)
    1191 value |= SYSCLK_SEL_LSCLK | LSCLK_DIV_2;
    1192 tc_write(SYS_PLLPARAM, value);
    1193
    1194 - tc_write(DP_PHY_CTRL, BGREN | PWR_SW_EN | BIT(2) | PHY_A0_EN);
    1195 + dp_phy_ctrl = BGREN | PWR_SW_EN | PHY_A0_EN;
    1196 + if (tc->link.base.num_lanes == 2)
    1197 + dp_phy_ctrl |= PHY_2LANE;
    1198 + tc_write(DP_PHY_CTRL, dp_phy_ctrl);
    1199
    1200 /*
    1201 * Initially PLLs are in bypass. Force PLL parameter update,
    1202 @@ -717,7 +726,9 @@ static int tc_set_video_mode(struct tc_data *tc, struct drm_display_mode *mode)
    1203
    1204 tc_write(DP0_ACTIVEVAL, (mode->vdisplay << 16) | (mode->hdisplay));
    1205
    1206 - tc_write(DP0_SYNCVAL, (vsync_len << 16) | (hsync_len << 0));
    1207 + tc_write(DP0_SYNCVAL, (vsync_len << 16) | (hsync_len << 0) |
    1208 + ((mode->flags & DRM_MODE_FLAG_NHSYNC) ? SYNCVAL_HS_POL_ACTIVE_LOW : 0) |
    1209 + ((mode->flags & DRM_MODE_FLAG_NVSYNC) ? SYNCVAL_VS_POL_ACTIVE_LOW : 0));
    1210
    1211 tc_write(DPIPXLFMT, VS_POL_ACTIVE_LOW | HS_POL_ACTIVE_LOW |
    1212 DE_POL_ACTIVE_HIGH | SUB_CFG_TYPE_CONFIG1 | DPI_BPP_RGB888);
    1213 @@ -827,12 +838,11 @@ static int tc_main_link_setup(struct tc_data *tc)
    1214 if (!tc->mode)
    1215 return -EINVAL;
    1216
    1217 - /* from excel file - DP0_SrcCtrl */
    1218 - tc_write(DP0_SRCCTRL, DP0_SRCCTRL_SCRMBLDIS | DP0_SRCCTRL_EN810B |
    1219 - DP0_SRCCTRL_LANESKEW | DP0_SRCCTRL_LANES_2 |
    1220 - DP0_SRCCTRL_BW27 | DP0_SRCCTRL_AUTOCORRECT);
    1221 - /* from excel file - DP1_SrcCtrl */
    1222 - tc_write(0x07a0, 0x00003083);
    1223 + tc_write(DP0_SRCCTRL, tc_srcctrl(tc));
    1224 + /* SSCG and BW27 on DP1 must be set to the same as on DP0 */
    1225 + tc_write(DP1_SRCCTRL,
    1226 + (tc->link.spread ? DP0_SRCCTRL_SSCG : 0) |
    1227 + ((tc->link.base.rate != 162000) ? DP0_SRCCTRL_BW27 : 0));
    1228
    1229 rate = clk_get_rate(tc->refclk);
    1230 switch (rate) {
    1231 @@ -853,8 +863,11 @@ static int tc_main_link_setup(struct tc_data *tc)
    1232 }
    1233 value |= SYSCLK_SEL_LSCLK | LSCLK_DIV_2;
    1234 tc_write(SYS_PLLPARAM, value);
    1235 +
    1236 /* Setup Main Link */
    1237 - dp_phy_ctrl = BGREN | PWR_SW_EN | BIT(2) | PHY_A0_EN | PHY_M0_EN;
    1238 + dp_phy_ctrl = BGREN | PWR_SW_EN | PHY_A0_EN | PHY_M0_EN;
    1239 + if (tc->link.base.num_lanes == 2)
    1240 + dp_phy_ctrl |= PHY_2LANE;
    1241 tc_write(DP_PHY_CTRL, dp_phy_ctrl);
    1242 msleep(100);
    1243
    1244 @@ -1109,10 +1122,20 @@ static bool tc_bridge_mode_fixup(struct drm_bridge *bridge,
    1245 static int tc_connector_mode_valid(struct drm_connector *connector,
    1246 struct drm_display_mode *mode)
    1247 {
    1248 + struct tc_data *tc = connector_to_tc(connector);
    1249 + u32 req, avail;
    1250 + u32 bits_per_pixel = 24;
    1251 +
    1252 /* DPI interface clock limitation: upto 154 MHz */
    1253 if (mode->clock > 154000)
    1254 return MODE_CLOCK_HIGH;
    1255
    1256 + req = mode->clock * bits_per_pixel / 8;
    1257 + avail = tc->link.base.num_lanes * tc->link.base.rate;
    1258 +
    1259 + if (req > avail)
    1260 + return MODE_BAD;
    1261 +
    1262 return MODE_OK;
    1263 }
    1264
    1265 diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
    1266 index 7b2030925825..6509031098d5 100644
    1267 --- a/drivers/gpu/drm/i915/i915_gem.c
    1268 +++ b/drivers/gpu/drm/i915/i915_gem.c
    1269 @@ -1593,6 +1593,16 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
    1270 return err;
    1271 }
    1272
    1273 +static inline bool
    1274 +__vma_matches(struct vm_area_struct *vma, struct file *filp,
    1275 + unsigned long addr, unsigned long size)
    1276 +{
    1277 + if (vma->vm_file != filp)
    1278 + return false;
    1279 +
    1280 + return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size;
    1281 +}
    1282 +
    1283 /**
    1284 * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
    1285 * it is mapped to.
    1286 @@ -1651,7 +1661,7 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
    1287 return -EINTR;
    1288 }
    1289 vma = find_vma(mm, addr);
    1290 - if (vma)
    1291 + if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
    1292 vma->vm_page_prot =
    1293 pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
    1294 else
    1295 diff --git a/drivers/input/misc/bma150.c b/drivers/input/misc/bma150.c
    1296 index b0d445390ee4..d43bc7bd3387 100644
    1297 --- a/drivers/input/misc/bma150.c
    1298 +++ b/drivers/input/misc/bma150.c
    1299 @@ -482,13 +482,14 @@ static int bma150_register_input_device(struct bma150_data *bma150)
    1300 idev->close = bma150_irq_close;
    1301 input_set_drvdata(idev, bma150);
    1302
    1303 + bma150->input = idev;
    1304 +
    1305 error = input_register_device(idev);
    1306 if (error) {
    1307 input_free_device(idev);
    1308 return error;
    1309 }
    1310
    1311 - bma150->input = idev;
    1312 return 0;
    1313 }
    1314
    1315 @@ -511,15 +512,15 @@ static int bma150_register_polled_device(struct bma150_data *bma150)
    1316
    1317 bma150_init_input_device(bma150, ipoll_dev->input);
    1318
    1319 + bma150->input_polled = ipoll_dev;
    1320 + bma150->input = ipoll_dev->input;
    1321 +
    1322 error = input_register_polled_device(ipoll_dev);
    1323 if (error) {
    1324 input_free_polled_device(ipoll_dev);
    1325 return error;
    1326 }
    1327
    1328 - bma150->input_polled = ipoll_dev;
    1329 - bma150->input = ipoll_dev->input;
    1330 -
    1331 return 0;
    1332 }
    1333
    1334 diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
    1335 index 30adc5745cba..25ce9047b682 100644
    1336 --- a/drivers/input/mouse/elan_i2c_core.c
    1337 +++ b/drivers/input/mouse/elan_i2c_core.c
    1338 @@ -1240,7 +1240,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
    1339 static const struct acpi_device_id elan_acpi_id[] = {
    1340 { "ELAN0000", 0 },
    1341 { "ELAN0100", 0 },
    1342 - { "ELAN0501", 0 },
    1343 { "ELAN0600", 0 },
    1344 { "ELAN0602", 0 },
    1345 { "ELAN0605", 0 },
    1346 @@ -1251,6 +1250,7 @@ static const struct acpi_device_id elan_acpi_id[] = {
    1347 { "ELAN060C", 0 },
    1348 { "ELAN0611", 0 },
    1349 { "ELAN0612", 0 },
    1350 + { "ELAN0617", 0 },
    1351 { "ELAN0618", 0 },
    1352 { "ELAN061C", 0 },
    1353 { "ELAN061D", 0 },
    1354 diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
    1355 index c120afd9c46a..38edf8f5bf8a 100644
    1356 --- a/drivers/input/mouse/elantech.c
    1357 +++ b/drivers/input/mouse/elantech.c
    1358 @@ -1117,6 +1117,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse,
    1359 * Asus UX31 0x361f00 20, 15, 0e clickpad
    1360 * Asus UX32VD 0x361f02 00, 15, 0e clickpad
    1361 * Avatar AVIU-145A2 0x361f00 ? clickpad
    1362 + * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
    1363 + * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
    1364 * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
    1365 * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
    1366 * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
    1367 @@ -1169,6 +1171,13 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = {
    1368 DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
    1369 },
    1370 },
    1371 + {
    1372 + /* Fujitsu H780 also has a middle button */
    1373 + .matches = {
    1374 + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
    1375 + DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
    1376 + },
    1377 + },
    1378 #endif
    1379 { }
    1380 };
    1381 diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
    1382 index 914c8a6bf93c..345f4d81ba07 100644
    1383 --- a/drivers/md/dm-thin.c
    1384 +++ b/drivers/md/dm-thin.c
    1385 @@ -257,6 +257,7 @@ struct pool {
    1386
    1387 spinlock_t lock;
    1388 struct bio_list deferred_flush_bios;
    1389 + struct bio_list deferred_flush_completions;
    1390 struct list_head prepared_mappings;
    1391 struct list_head prepared_discards;
    1392 struct list_head prepared_discards_pt2;
    1393 @@ -925,6 +926,39 @@ static void process_prepared_mapping_fail(struct dm_thin_new_mapping *m)
    1394 mempool_free(m, m->tc->pool->mapping_pool);
    1395 }
    1396
    1397 +static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
    1398 +{
    1399 + struct pool *pool = tc->pool;
    1400 + unsigned long flags;
    1401 +
    1402 + /*
    1403 + * If the bio has the REQ_FUA flag set we must commit the metadata
    1404 + * before signaling its completion.
    1405 + */
    1406 + if (!bio_triggers_commit(tc, bio)) {
    1407 + bio_endio(bio);
    1408 + return;
    1409 + }
    1410 +
    1411 + /*
    1412 + * Complete bio with an error if earlier I/O caused changes to the
    1413 + * metadata that can't be committed, e.g, due to I/O errors on the
    1414 + * metadata device.
    1415 + */
    1416 + if (dm_thin_aborted_changes(tc->td)) {
    1417 + bio_io_error(bio);
    1418 + return;
    1419 + }
    1420 +
    1421 + /*
    1422 + * Batch together any bios that trigger commits and then issue a
    1423 + * single commit for them in process_deferred_bios().
    1424 + */
    1425 + spin_lock_irqsave(&pool->lock, flags);
    1426 + bio_list_add(&pool->deferred_flush_completions, bio);
    1427 + spin_unlock_irqrestore(&pool->lock, flags);
    1428 +}
    1429 +
    1430 static void process_prepared_mapping(struct dm_thin_new_mapping *m)
    1431 {
    1432 struct thin_c *tc = m->tc;
    1433 @@ -957,7 +991,7 @@ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
    1434 */
    1435 if (bio) {
    1436 inc_remap_and_issue_cell(tc, m->cell, m->data_block);
    1437 - bio_endio(bio);
    1438 + complete_overwrite_bio(tc, bio);
    1439 } else {
    1440 inc_all_io_entry(tc->pool, m->cell->holder);
    1441 remap_and_issue(tc, m->cell->holder, m->data_block);
    1442 @@ -2303,7 +2337,7 @@ static void process_deferred_bios(struct pool *pool)
    1443 {
    1444 unsigned long flags;
    1445 struct bio *bio;
    1446 - struct bio_list bios;
    1447 + struct bio_list bios, bio_completions;
    1448 struct thin_c *tc;
    1449
    1450 tc = get_first_thin(pool);
    1451 @@ -2314,26 +2348,36 @@ static void process_deferred_bios(struct pool *pool)
    1452 }
    1453
    1454 /*
    1455 - * If there are any deferred flush bios, we must commit
    1456 - * the metadata before issuing them.
    1457 + * If there are any deferred flush bios, we must commit the metadata
    1458 + * before issuing them or signaling their completion.
    1459 */
    1460 bio_list_init(&bios);
    1461 + bio_list_init(&bio_completions);
    1462 +
    1463 spin_lock_irqsave(&pool->lock, flags);
    1464 bio_list_merge(&bios, &pool->deferred_flush_bios);
    1465 bio_list_init(&pool->deferred_flush_bios);
    1466 +
    1467 + bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
    1468 + bio_list_init(&pool->deferred_flush_completions);
    1469 spin_unlock_irqrestore(&pool->lock, flags);
    1470
    1471 - if (bio_list_empty(&bios) &&
    1472 + if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
    1473 !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
    1474 return;
    1475
    1476 if (commit(pool)) {
    1477 + bio_list_merge(&bios, &bio_completions);
    1478 +
    1479 while ((bio = bio_list_pop(&bios)))
    1480 bio_io_error(bio);
    1481 return;
    1482 }
    1483 pool->last_commit_jiffies = jiffies;
    1484
    1485 + while ((bio = bio_list_pop(&bio_completions)))
    1486 + bio_endio(bio);
    1487 +
    1488 while ((bio = bio_list_pop(&bios)))
    1489 generic_make_request(bio);
    1490 }
    1491 @@ -2968,6 +3012,7 @@ static struct pool *pool_create(struct mapped_device *pool_md,
    1492 INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
    1493 spin_lock_init(&pool->lock);
    1494 bio_list_init(&pool->deferred_flush_bios);
    1495 + bio_list_init(&pool->deferred_flush_completions);
    1496 INIT_LIST_HEAD(&pool->prepared_mappings);
    1497 INIT_LIST_HEAD(&pool->prepared_discards);
    1498 INIT_LIST_HEAD(&pool->prepared_discards_pt2);
    1499 diff --git a/drivers/misc/eeprom/Kconfig b/drivers/misc/eeprom/Kconfig
    1500 index c4e41c26649e..fac10c0e852c 100644
    1501 --- a/drivers/misc/eeprom/Kconfig
    1502 +++ b/drivers/misc/eeprom/Kconfig
    1503 @@ -12,7 +12,7 @@ config EEPROM_AT24
    1504 ones like at24c64, 24lc02 or fm24c04:
    1505
    1506 24c00, 24c01, 24c02, spd (readonly 24c02), 24c04, 24c08,
    1507 - 24c16, 24c32, 24c64, 24c128, 24c256, 24c512, 24c1024
    1508 + 24c16, 24c32, 24c64, 24c128, 24c256, 24c512, 24c1024, 24c2048
    1509
    1510 Unless you like data loss puzzles, always be sure that any chip
    1511 you configure as a 24c32 (32 kbit) or larger is NOT really a
    1512 diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
    1513 index d8a485f1798b..a37b9b6a315a 100644
    1514 --- a/drivers/misc/eeprom/at24.c
    1515 +++ b/drivers/misc/eeprom/at24.c
    1516 @@ -170,6 +170,7 @@ static const struct i2c_device_id at24_ids[] = {
    1517 { "24c256", AT24_DEVICE_MAGIC(262144 / 8, AT24_FLAG_ADDR16) },
    1518 { "24c512", AT24_DEVICE_MAGIC(524288 / 8, AT24_FLAG_ADDR16) },
    1519 { "24c1024", AT24_DEVICE_MAGIC(1048576 / 8, AT24_FLAG_ADDR16) },
    1520 + { "24c2048", AT24_DEVICE_MAGIC(2097152 / 8, AT24_FLAG_ADDR16) },
    1521 { "at24", 0 },
    1522 { /* END OF LIST */ }
    1523 };
    1524 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
    1525 index 4bc2c806eb61..eeeb4c5740bf 100644
    1526 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
    1527 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
    1528 @@ -12979,6 +12979,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb,
    1529 struct net_device *dev,
    1530 netdev_features_t features)
    1531 {
    1532 + /*
    1533 + * A skb with gso_size + header length > 9700 will cause a
    1534 + * firmware panic. Drop GSO support.
    1535 + *
    1536 + * Eventually the upper layer should not pass these packets down.
    1537 + *
    1538 + * For speed, if the gso_size is <= 9000, assume there will
    1539 + * not be 700 bytes of headers and pass it through. Only do a
    1540 + * full (slow) validation if the gso_size is > 9000.
    1541 + *
    1542 + * (Due to the way SKB_BY_FRAGS works this will also do a full
    1543 + * validation in that case.)
    1544 + */
    1545 + if (unlikely(skb_is_gso(skb) &&
    1546 + (skb_shinfo(skb)->gso_size > 9000) &&
    1547 + !skb_gso_validate_mac_len(skb, 9700)))
    1548 + features &= ~NETIF_F_GSO_MASK;
    1549 +
    1550 features = vlan_features_check(skb, features);
    1551 return vxlan_features_check(skb, features);
    1552 }
    1553 diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
    1554 index 8a40202c0a17..c4f1c363e24b 100644
    1555 --- a/drivers/net/usb/ch9200.c
    1556 +++ b/drivers/net/usb/ch9200.c
    1557 @@ -254,14 +254,9 @@ static struct sk_buff *ch9200_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
    1558 tx_overhead = 0x40;
    1559
    1560 len = skb->len;
    1561 - if (skb_headroom(skb) < tx_overhead) {
    1562 - struct sk_buff *skb2;
    1563 -
    1564 - skb2 = skb_copy_expand(skb, tx_overhead, 0, flags);
    1565 + if (skb_cow_head(skb, tx_overhead)) {
    1566 dev_kfree_skb_any(skb);
    1567 - skb = skb2;
    1568 - if (!skb)
    1569 - return NULL;
    1570 + return NULL;
    1571 }
    1572
    1573 __skb_push(skb, tx_overhead);
    1574 diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
    1575 index 66b34ddbe216..72d9e7954b0a 100644
    1576 --- a/drivers/net/usb/kaweth.c
    1577 +++ b/drivers/net/usb/kaweth.c
    1578 @@ -803,18 +803,12 @@ static netdev_tx_t kaweth_start_xmit(struct sk_buff *skb,
    1579 }
    1580
    1581 /* We now decide whether we can put our special header into the sk_buff */
    1582 - if (skb_cloned(skb) || skb_headroom(skb) < 2) {
    1583 - /* no such luck - we make our own */
    1584 - struct sk_buff *copied_skb;
    1585 - copied_skb = skb_copy_expand(skb, 2, 0, GFP_ATOMIC);
    1586 - dev_kfree_skb_irq(skb);
    1587 - skb = copied_skb;
    1588 - if (!copied_skb) {
    1589 - kaweth->stats.tx_errors++;
    1590 - netif_start_queue(net);
    1591 - spin_unlock_irq(&kaweth->device_lock);
    1592 - return NETDEV_TX_OK;
    1593 - }
    1594 + if (skb_cow_head(skb, 2)) {
    1595 + kaweth->stats.tx_errors++;
    1596 + netif_start_queue(net);
    1597 + spin_unlock_irq(&kaweth->device_lock);
    1598 + dev_kfree_skb_any(skb);
    1599 + return NETDEV_TX_OK;
    1600 }
    1601
    1602 private_header = (__le16 *)__skb_push(skb, 2);
    1603 diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
    1604 index e29f4c0767eb..e719ecd69d01 100644
    1605 --- a/drivers/net/usb/smsc95xx.c
    1606 +++ b/drivers/net/usb/smsc95xx.c
    1607 @@ -2011,13 +2011,13 @@ static struct sk_buff *smsc95xx_tx_fixup(struct usbnet *dev,
    1608 /* We do not advertise SG, so skbs should be already linearized */
    1609 BUG_ON(skb_shinfo(skb)->nr_frags);
    1610
    1611 - if (skb_headroom(skb) < overhead) {
    1612 - struct sk_buff *skb2 = skb_copy_expand(skb,
    1613 - overhead, 0, flags);
    1614 + /* Make writable and expand header space by overhead if required */
    1615 + if (skb_cow_head(skb, overhead)) {
    1616 + /* Must deallocate here as returning NULL to indicate error
    1617 + * means the skb won't be deallocated in the caller.
    1618 + */
    1619 dev_kfree_skb_any(skb);
    1620 - skb = skb2;
    1621 - if (!skb)
    1622 - return NULL;
    1623 + return NULL;
    1624 }
    1625
    1626 if (csum) {
    1627 diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
    1628 index bedce3453dd3..5aa221487a9c 100644
    1629 --- a/drivers/pinctrl/qcom/pinctrl-msm.c
    1630 +++ b/drivers/pinctrl/qcom/pinctrl-msm.c
    1631 @@ -803,11 +803,24 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl)
    1632 return ret;
    1633 }
    1634
    1635 - ret = gpiochip_add_pin_range(&pctrl->chip, dev_name(pctrl->dev), 0, 0, chip->ngpio);
    1636 - if (ret) {
    1637 - dev_err(pctrl->dev, "Failed to add pin range\n");
    1638 - gpiochip_remove(&pctrl->chip);
    1639 - return ret;
    1640 + /*
    1641 + * For DeviceTree-supported systems, the gpio core checks the
    1642 + * pinctrl's device node for the "gpio-ranges" property.
    1643 + * If it is present, it takes care of adding the pin ranges
    1644 + * for the driver. In this case the driver can skip ahead.
    1645 + *
    1646 + * In order to remain compatible with older, existing DeviceTree
    1647 + * files which don't set the "gpio-ranges" property or systems that
    1648 + * utilize ACPI the driver has to call gpiochip_add_pin_range().
    1649 + */
    1650 + if (!of_property_read_bool(pctrl->dev->of_node, "gpio-ranges")) {
    1651 + ret = gpiochip_add_pin_range(&pctrl->chip,
    1652 + dev_name(pctrl->dev), 0, 0, chip->ngpio);
    1653 + if (ret) {
    1654 + dev_err(pctrl->dev, "Failed to add pin range\n");
    1655 + gpiochip_remove(&pctrl->chip);
    1656 + return ret;
    1657 + }
    1658 }
    1659
    1660 ret = gpiochip_irqchip_add(chip,
    1661 diff --git a/drivers/scsi/aic94xx/aic94xx_init.c b/drivers/scsi/aic94xx/aic94xx_init.c
    1662 index 85442edf3c49..913ebb6d0d29 100644
    1663 --- a/drivers/scsi/aic94xx/aic94xx_init.c
    1664 +++ b/drivers/scsi/aic94xx/aic94xx_init.c
    1665 @@ -281,7 +281,7 @@ static ssize_t asd_show_dev_rev(struct device *dev,
    1666 return snprintf(buf, PAGE_SIZE, "%s\n",
    1667 asd_dev_rev[asd_ha->revision_id]);
    1668 }
    1669 -static DEVICE_ATTR(aic_revision, S_IRUGO, asd_show_dev_rev, NULL);
    1670 +static DEVICE_ATTR(revision, S_IRUGO, asd_show_dev_rev, NULL);
    1671
    1672 static ssize_t asd_show_dev_bios_build(struct device *dev,
    1673 struct device_attribute *attr,char *buf)
    1674 @@ -478,7 +478,7 @@ static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
    1675 {
    1676 int err;
    1677
    1678 - err = device_create_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
    1679 + err = device_create_file(&asd_ha->pcidev->dev, &dev_attr_revision);
    1680 if (err)
    1681 return err;
    1682
    1683 @@ -500,13 +500,13 @@ err_update_bios:
    1684 err_biosb:
    1685 device_remove_file(&asd_ha->pcidev->dev, &dev_attr_bios_build);
    1686 err_rev:
    1687 - device_remove_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
    1688 + device_remove_file(&asd_ha->pcidev->dev, &dev_attr_revision);
    1689 return err;
    1690 }
    1691
    1692 static void asd_remove_dev_attrs(struct asd_ha_struct *asd_ha)
    1693 {
    1694 - device_remove_file(&asd_ha->pcidev->dev, &dev_attr_aic_revision);
    1695 + device_remove_file(&asd_ha->pcidev->dev, &dev_attr_revision);
    1696 device_remove_file(&asd_ha->pcidev->dev, &dev_attr_bios_build);
    1697 device_remove_file(&asd_ha->pcidev->dev, &dev_attr_pcba_sn);
    1698 device_remove_file(&asd_ha->pcidev->dev, &dev_attr_update_bios);
    1699 diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
    1700 index 984d6aae7529..0e5435330c07 100644
    1701 --- a/drivers/usb/dwc2/hcd.c
    1702 +++ b/drivers/usb/dwc2/hcd.c
    1703 @@ -5202,7 +5202,6 @@ error3:
    1704 error2:
    1705 usb_put_hcd(hcd);
    1706 error1:
    1707 - kfree(hsotg->core_params);
    1708
    1709 #ifdef CONFIG_USB_DWC2_TRACK_MISSED_SOFS
    1710 kfree(hsotg->last_frame_num_array);
    1711 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
    1712 index a3046b6523c8..8ec296308729 100644
    1713 --- a/fs/cifs/file.c
    1714 +++ b/fs/cifs/file.c
    1715 @@ -1126,6 +1126,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
    1716 return -EINVAL;
    1717 }
    1718
    1719 + BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
    1720 + PAGE_SIZE);
    1721 + max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
    1722 + PAGE_SIZE);
    1723 max_num = (max_buf - sizeof(struct smb_hdr)) /
    1724 sizeof(LOCKING_ANDX_RANGE);
    1725 buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
    1726 @@ -1462,6 +1466,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
    1727 if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
    1728 return -EINVAL;
    1729
    1730 + BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
    1731 + PAGE_SIZE);
    1732 + max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
    1733 + PAGE_SIZE);
    1734 max_num = (max_buf - sizeof(struct smb_hdr)) /
    1735 sizeof(LOCKING_ANDX_RANGE);
    1736 buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
    1737 diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
    1738 index b7885dc0d9bb..dee5250701de 100644
    1739 --- a/fs/cifs/smb2file.c
    1740 +++ b/fs/cifs/smb2file.c
    1741 @@ -129,6 +129,8 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
    1742 if (max_buf < sizeof(struct smb2_lock_element))
    1743 return -EINVAL;
    1744
    1745 + BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
    1746 + max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
    1747 max_num = max_buf / sizeof(struct smb2_lock_element);
    1748 buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
    1749 if (!buf)
    1750 @@ -265,6 +267,8 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
    1751 return -EINVAL;
    1752 }
    1753
    1754 + BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
    1755 + max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
    1756 max_num = max_buf / sizeof(struct smb2_lock_element);
    1757 buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
    1758 if (!buf) {
    1759 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
    1760 index 78ed8105e64d..ae8ecf821019 100644
    1761 --- a/include/linux/perf_event.h
    1762 +++ b/include/linux/perf_event.h
    1763 @@ -455,6 +455,11 @@ struct pmu {
    1764 * Filter events for PMU-specific reasons.
    1765 */
    1766 int (*filter_match) (struct perf_event *event); /* optional */
    1767 +
    1768 + /*
    1769 + * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
    1770 + */
    1771 + int (*check_period) (struct perf_event *event, u64 value); /* optional */
    1772 };
    1773
    1774 /**
    1775 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
    1776 index ed329a39d621..f8761774a94f 100644
    1777 --- a/include/linux/skbuff.h
    1778 +++ b/include/linux/skbuff.h
    1779 @@ -3102,6 +3102,7 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
    1780 void skb_scrub_packet(struct sk_buff *skb, bool xnet);
    1781 unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
    1782 bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu);
    1783 +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
    1784 struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
    1785 struct sk_buff *skb_vlan_untag(struct sk_buff *skb);
    1786 int skb_ensure_writable(struct sk_buff *skb, int write_len);
    1787 @@ -3880,6 +3881,21 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
    1788 return hdr_len + skb_gso_transport_seglen(skb);
    1789 }
    1790
    1791 +/**
    1792 + * skb_gso_mac_seglen - Return length of individual segments of a gso packet
    1793 + *
    1794 + * @skb: GSO skb
    1795 + *
    1796 + * skb_gso_mac_seglen is used to determine the real size of the
    1797 + * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
    1798 + * headers (TCP/UDP).
    1799 + */
    1800 +static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
    1801 +{
    1802 + unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
    1803 + return hdr_len + skb_gso_transport_seglen(skb);
    1804 +}
    1805 +
    1806 /* Local Checksum Offload.
    1807 * Compute outer checksum based on the assumption that the
    1808 * inner checksum will be offloaded later.
    1809 diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
    1810 index b02af0bf5777..66f6b84df287 100644
    1811 --- a/include/net/netfilter/nf_tables.h
    1812 +++ b/include/net/netfilter/nf_tables.h
    1813 @@ -87,6 +87,35 @@ struct nft_regs {
    1814 };
    1815 };
    1816
    1817 +/* Store/load an u16 or u8 integer to/from the u32 data register.
    1818 + *
    1819 + * Note, when using concatenations, register allocation happens at 32-bit
    1820 + * level. So for store instruction, pad the rest part with zero to avoid
    1821 + * garbage values.
    1822 + */
    1823 +
    1824 +static inline void nft_reg_store16(u32 *dreg, u16 val)
    1825 +{
    1826 + *dreg = 0;
    1827 + *(u16 *)dreg = val;
    1828 +}
    1829 +
    1830 +static inline void nft_reg_store8(u32 *dreg, u8 val)
    1831 +{
    1832 + *dreg = 0;
    1833 + *(u8 *)dreg = val;
    1834 +}
    1835 +
    1836 +static inline u16 nft_reg_load16(u32 *sreg)
    1837 +{
    1838 + return *(u16 *)sreg;
    1839 +}
    1840 +
    1841 +static inline u8 nft_reg_load8(u32 *sreg)
    1842 +{
    1843 + return *(u8 *)sreg;
    1844 +}
    1845 +
    1846 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
    1847 unsigned int len)
    1848 {
    1849 diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
    1850 index 659b1634de61..3d3de5e9f9cc 100644
    1851 --- a/include/uapi/linux/if_ether.h
    1852 +++ b/include/uapi/linux/if_ether.h
    1853 @@ -139,11 +139,18 @@
    1854 * This is an Ethernet frame header.
    1855 */
    1856
    1857 +/* allow libcs like musl to deactivate this, glibc does not implement this. */
    1858 +#ifndef __UAPI_DEF_ETHHDR
    1859 +#define __UAPI_DEF_ETHHDR 1
    1860 +#endif
    1861 +
    1862 +#if __UAPI_DEF_ETHHDR
    1863 struct ethhdr {
    1864 unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
    1865 unsigned char h_source[ETH_ALEN]; /* source ether addr */
    1866 __be16 h_proto; /* packet type ID field */
    1867 } __attribute__((packed));
    1868 +#endif
    1869
    1870
    1871 #endif /* _UAPI_LINUX_IF_ETHER_H */
    1872 diff --git a/kernel/events/core.c b/kernel/events/core.c
    1873 index 1af0bbf20984..17339506f9f8 100644
    1874 --- a/kernel/events/core.c
    1875 +++ b/kernel/events/core.c
    1876 @@ -4600,6 +4600,11 @@ static void __perf_event_period(struct perf_event *event,
    1877 }
    1878 }
    1879
    1880 +static int perf_event_check_period(struct perf_event *event, u64 value)
    1881 +{
    1882 + return event->pmu->check_period(event, value);
    1883 +}
    1884 +
    1885 static int perf_event_period(struct perf_event *event, u64 __user *arg)
    1886 {
    1887 u64 value;
    1888 @@ -4616,6 +4621,9 @@ static int perf_event_period(struct perf_event *event, u64 __user *arg)
    1889 if (event->attr.freq && value > sysctl_perf_event_sample_rate)
    1890 return -EINVAL;
    1891
    1892 + if (perf_event_check_period(event, value))
    1893 + return -EINVAL;
    1894 +
    1895 event_function_call(event, __perf_event_period, &value);
    1896
    1897 return 0;
    1898 @@ -8622,6 +8630,11 @@ static int perf_pmu_nop_int(struct pmu *pmu)
    1899 return 0;
    1900 }
    1901
    1902 +static int perf_event_nop_int(struct perf_event *event, u64 value)
    1903 +{
    1904 + return 0;
    1905 +}
    1906 +
    1907 static DEFINE_PER_CPU(unsigned int, nop_txn_flags);
    1908
    1909 static void perf_pmu_start_txn(struct pmu *pmu, unsigned int flags)
    1910 @@ -8944,6 +8957,9 @@ got_cpu_context:
    1911 pmu->pmu_disable = perf_pmu_nop_void;
    1912 }
    1913
    1914 + if (!pmu->check_period)
    1915 + pmu->check_period = perf_event_nop_int;
    1916 +
    1917 if (!pmu->event_idx)
    1918 pmu->event_idx = perf_event_idx_default;
    1919
    1920 diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
    1921 index f4b5811ebe23..99becab2c1ce 100644
    1922 --- a/kernel/events/ring_buffer.c
    1923 +++ b/kernel/events/ring_buffer.c
    1924 @@ -700,7 +700,7 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
    1925 size = sizeof(struct ring_buffer);
    1926 size += nr_pages * sizeof(void *);
    1927
    1928 - if (order_base_2(size) >= MAX_ORDER)
    1929 + if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
    1930 goto fail;
    1931
    1932 rb = kzalloc(size, GFP_KERNEL);
    1933 diff --git a/kernel/signal.c b/kernel/signal.c
    1934 index 798b8f495ae2..c091dcc9f19b 100644
    1935 --- a/kernel/signal.c
    1936 +++ b/kernel/signal.c
    1937 @@ -2241,9 +2241,12 @@ relock:
    1938 }
    1939
    1940 /* Has this task already been marked for death? */
    1941 - ksig->info.si_signo = signr = SIGKILL;
    1942 - if (signal_group_exit(signal))
    1943 + if (signal_group_exit(signal)) {
    1944 + ksig->info.si_signo = signr = SIGKILL;
    1945 + sigdelset(&current->pending.signal, SIGKILL);
    1946 + recalc_sigpending();
    1947 goto fatal;
    1948 + }
    1949
    1950 for (;;) {
    1951 struct k_sigaction *ka;
    1952 diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
    1953 index f0ab801a6437..c6eee3d9ed00 100644
    1954 --- a/kernel/trace/trace_uprobe.c
    1955 +++ b/kernel/trace/trace_uprobe.c
    1956 @@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs,
    1957
    1958 ret = strncpy_from_user(dst, src, maxlen);
    1959 if (ret == maxlen)
    1960 - dst[--ret] = '\0';
    1961 + dst[ret - 1] = '\0';
    1962 + else if (ret >= 0)
    1963 + /*
    1964 + * Include the terminating null byte. In this case it
    1965 + * was copied by strncpy_from_user but not accounted
    1966 + * for in ret.
    1967 + */
    1968 + ret++;
    1969
    1970 if (ret < 0) { /* Failed to fetch string */
    1971 ((u8 *)get_rloc_data(dest))[0] = '\0';
    1972 diff --git a/mm/memory.c b/mm/memory.c
    1973 index 35d8217bb046..47248dc0b9e1 100644
    1974 --- a/mm/memory.c
    1975 +++ b/mm/memory.c
    1976 @@ -3329,15 +3329,24 @@ static int do_fault(struct fault_env *fe)
    1977 {
    1978 struct vm_area_struct *vma = fe->vma;
    1979 pgoff_t pgoff = linear_page_index(vma, fe->address);
    1980 + int ret;
    1981
    1982 /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
    1983 if (!vma->vm_ops->fault)
    1984 - return VM_FAULT_SIGBUS;
    1985 - if (!(fe->flags & FAULT_FLAG_WRITE))
    1986 - return do_read_fault(fe, pgoff);
    1987 - if (!(vma->vm_flags & VM_SHARED))
    1988 - return do_cow_fault(fe, pgoff);
    1989 - return do_shared_fault(fe, pgoff);
    1990 + ret = VM_FAULT_SIGBUS;
    1991 + else if (!(fe->flags & FAULT_FLAG_WRITE))
    1992 + ret = do_read_fault(fe, pgoff);
    1993 + else if (!(vma->vm_flags & VM_SHARED))
    1994 + ret = do_cow_fault(fe, pgoff);
    1995 + else
    1996 + ret = do_shared_fault(fe, pgoff);
    1997 +
    1998 + /* preallocated pagetable is unused: free it */
    1999 + if (fe->prealloc_pte) {
    2000 + pte_free(vma->vm_mm, fe->prealloc_pte);
    2001 + fe->prealloc_pte = 0;
    2002 + }
    2003 + return ret;
    2004 }
    2005
    2006 static int numa_migrate_prep(struct page *page, struct vm_area_struct *vma,
    2007 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
    2008 index dca1fed0d7da..11501165f0df 100644
    2009 --- a/net/core/skbuff.c
    2010 +++ b/net/core/skbuff.c
    2011 @@ -4469,37 +4469,74 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
    2012 EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
    2013
    2014 /**
    2015 - * skb_gso_validate_mtu - Return in case such skb fits a given MTU
    2016 + * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
    2017 *
    2018 - * @skb: GSO skb
    2019 - * @mtu: MTU to validate against
    2020 + * There are a couple of instances where we have a GSO skb, and we
    2021 + * want to determine what size it would be after it is segmented.
    2022 *
    2023 - * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
    2024 - * once split.
    2025 + * We might want to check:
    2026 + * - L3+L4+payload size (e.g. IP forwarding)
    2027 + * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
    2028 + *
    2029 + * This is a helper to do that correctly considering GSO_BY_FRAGS.
    2030 + *
    2031 + * @seg_len: The segmented length (from skb_gso_*_seglen). In the
    2032 + * GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS].
    2033 + *
    2034 + * @max_len: The maximum permissible length.
    2035 + *
    2036 + * Returns true if the segmented length <= max length.
    2037 */
    2038 -bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
    2039 -{
    2040 +static inline bool skb_gso_size_check(const struct sk_buff *skb,
    2041 + unsigned int seg_len,
    2042 + unsigned int max_len) {
    2043 const struct skb_shared_info *shinfo = skb_shinfo(skb);
    2044 const struct sk_buff *iter;
    2045 - unsigned int hlen;
    2046 -
    2047 - hlen = skb_gso_network_seglen(skb);
    2048
    2049 if (shinfo->gso_size != GSO_BY_FRAGS)
    2050 - return hlen <= mtu;
    2051 + return seg_len <= max_len;
    2052
    2053 /* Undo this so we can re-use header sizes */
    2054 - hlen -= GSO_BY_FRAGS;
    2055 + seg_len -= GSO_BY_FRAGS;
    2056
    2057 skb_walk_frags(skb, iter) {
    2058 - if (hlen + skb_headlen(iter) > mtu)
    2059 + if (seg_len + skb_headlen(iter) > max_len)
    2060 return false;
    2061 }
    2062
    2063 return true;
    2064 }
    2065 +
    2066 +/**
    2067 + * skb_gso_validate_mtu - Return in case such skb fits a given MTU
    2068 + *
    2069 + * @skb: GSO skb
    2070 + * @mtu: MTU to validate against
    2071 + *
    2072 + * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
    2073 + * once split.
    2074 + */
    2075 +bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
    2076 +{
    2077 + return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
    2078 +}
    2079 EXPORT_SYMBOL_GPL(skb_gso_validate_mtu);
    2080
    2081 +/**
    2082 + * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
    2083 + *
    2084 + * @skb: GSO skb
    2085 + * @len: length to validate against
    2086 + *
    2087 + * skb_gso_validate_mac_len validates if a given skb will fit a wanted
    2088 + * length once split, including L2, L3 and L4 headers and the payload.
    2089 + */
    2090 +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
    2091 +{
    2092 + return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
    2093 +}
    2094 +EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
    2095 +
    2096 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
    2097 {
    2098 int mac_len;
    2099 diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
    2100 index 51ced81b616c..dc3628a396ec 100644
    2101 --- a/net/ipv4/netfilter/nft_masq_ipv4.c
    2102 +++ b/net/ipv4/netfilter/nft_masq_ipv4.c
    2103 @@ -26,10 +26,10 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
    2104 memset(&range, 0, sizeof(range));
    2105 range.flags = priv->flags;
    2106 if (priv->sreg_proto_min) {
    2107 - range.min_proto.all =
    2108 - *(__be16 *)&regs->data[priv->sreg_proto_min];
    2109 - range.max_proto.all =
    2110 - *(__be16 *)&regs->data[priv->sreg_proto_max];
    2111 + range.min_proto.all = (__force __be16)nft_reg_load16(
    2112 + &regs->data[priv->sreg_proto_min]);
    2113 + range.max_proto.all = (__force __be16)nft_reg_load16(
    2114 + &regs->data[priv->sreg_proto_max]);
    2115 }
    2116 regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook,
    2117 &range, pkt->out);
    2118 diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c b/net/ipv4/netfilter/nft_redir_ipv4.c
    2119 index c09d4381427e..f760524e1353 100644
    2120 --- a/net/ipv4/netfilter/nft_redir_ipv4.c
    2121 +++ b/net/ipv4/netfilter/nft_redir_ipv4.c
    2122 @@ -26,10 +26,10 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
    2123
    2124 memset(&mr, 0, sizeof(mr));
    2125 if (priv->sreg_proto_min) {
    2126 - mr.range[0].min.all =
    2127 - *(__be16 *)&regs->data[priv->sreg_proto_min];
    2128 - mr.range[0].max.all =
    2129 - *(__be16 *)&regs->data[priv->sreg_proto_max];
    2130 + mr.range[0].min.all = (__force __be16)nft_reg_load16(
    2131 + &regs->data[priv->sreg_proto_min]);
    2132 + mr.range[0].max.all = (__force __be16)nft_reg_load16(
    2133 + &regs->data[priv->sreg_proto_max]);
    2134 mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
    2135 }
    2136
    2137 diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c
    2138 index 9597ffb74077..b74a420050c4 100644
    2139 --- a/net/ipv6/netfilter/nft_masq_ipv6.c
    2140 +++ b/net/ipv6/netfilter/nft_masq_ipv6.c
    2141 @@ -27,10 +27,10 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
    2142 memset(&range, 0, sizeof(range));
    2143 range.flags = priv->flags;
    2144 if (priv->sreg_proto_min) {
    2145 - range.min_proto.all =
    2146 - *(__be16 *)&regs->data[priv->sreg_proto_min];
    2147 - range.max_proto.all =
    2148 - *(__be16 *)&regs->data[priv->sreg_proto_max];
    2149 + range.min_proto.all = (__force __be16)nft_reg_load16(
    2150 + &regs->data[priv->sreg_proto_min]);
    2151 + range.max_proto.all = (__force __be16)nft_reg_load16(
    2152 + &regs->data[priv->sreg_proto_max]);
    2153 }
    2154 regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
    2155 }
    2156 diff --git a/net/ipv6/netfilter/nft_redir_ipv6.c b/net/ipv6/netfilter/nft_redir_ipv6.c
    2157 index aca44e89a881..7ef58e493fca 100644
    2158 --- a/net/ipv6/netfilter/nft_redir_ipv6.c
    2159 +++ b/net/ipv6/netfilter/nft_redir_ipv6.c
    2160 @@ -26,10 +26,10 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
    2161
    2162 memset(&range, 0, sizeof(range));
    2163 if (priv->sreg_proto_min) {
    2164 - range.min_proto.all =
    2165 - *(__be16 *)&regs->data[priv->sreg_proto_min],
    2166 - range.max_proto.all =
    2167 - *(__be16 *)&regs->data[priv->sreg_proto_max],
    2168 + range.min_proto.all = (__force __be16)nft_reg_load16(
    2169 + &regs->data[priv->sreg_proto_min]);
    2170 + range.max_proto.all = (__force __be16)nft_reg_load16(
    2171 + &regs->data[priv->sreg_proto_max]);
    2172 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
    2173 }
    2174
    2175 diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
    2176 index d7b0d171172a..2b9fda71fa8b 100644
    2177 --- a/net/netfilter/nft_ct.c
    2178 +++ b/net/netfilter/nft_ct.c
    2179 @@ -77,7 +77,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
    2180
    2181 switch (priv->key) {
    2182 case NFT_CT_DIRECTION:
    2183 - *dest = CTINFO2DIR(ctinfo);
    2184 + nft_reg_store8(dest, CTINFO2DIR(ctinfo));
    2185 return;
    2186 case NFT_CT_STATUS:
    2187 *dest = ct->status;
    2188 @@ -129,10 +129,10 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
    2189 return;
    2190 }
    2191 case NFT_CT_L3PROTOCOL:
    2192 - *dest = nf_ct_l3num(ct);
    2193 + nft_reg_store8(dest, nf_ct_l3num(ct));
    2194 return;
    2195 case NFT_CT_PROTOCOL:
    2196 - *dest = nf_ct_protonum(ct);
    2197 + nft_reg_store8(dest, nf_ct_protonum(ct));
    2198 return;
    2199 default:
    2200 break;
    2201 @@ -149,10 +149,10 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
    2202 nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
    2203 return;
    2204 case NFT_CT_PROTO_SRC:
    2205 - *dest = (__force __u16)tuple->src.u.all;
    2206 + nft_reg_store16(dest, (__force u16)tuple->src.u.all);
    2207 return;
    2208 case NFT_CT_PROTO_DST:
    2209 - *dest = (__force __u16)tuple->dst.u.all;
    2210 + nft_reg_store16(dest, (__force u16)tuple->dst.u.all);
    2211 return;
    2212 default:
    2213 break;
    2214 diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
    2215 index 7c3395513ff0..cec8dc0e5e6f 100644
    2216 --- a/net/netfilter/nft_meta.c
    2217 +++ b/net/netfilter/nft_meta.c
    2218 @@ -45,16 +45,15 @@ void nft_meta_get_eval(const struct nft_expr *expr,
    2219 *dest = skb->len;
    2220 break;
    2221 case NFT_META_PROTOCOL:
    2222 - *dest = 0;
    2223 - *(__be16 *)dest = skb->protocol;
    2224 + nft_reg_store16(dest, (__force u16)skb->protocol);
    2225 break;
    2226 case NFT_META_NFPROTO:
    2227 - *dest = pkt->pf;
    2228 + nft_reg_store8(dest, pkt->pf);
    2229 break;
    2230 case NFT_META_L4PROTO:
    2231 if (!pkt->tprot_set)
    2232 goto err;
    2233 - *dest = pkt->tprot;
    2234 + nft_reg_store8(dest, pkt->tprot);
    2235 break;
    2236 case NFT_META_PRIORITY:
    2237 *dest = skb->priority;
    2238 @@ -85,14 +84,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
    2239 case NFT_META_IIFTYPE:
    2240 if (in == NULL)
    2241 goto err;
    2242 - *dest = 0;
    2243 - *(u16 *)dest = in->type;
    2244 + nft_reg_store16(dest, in->type);
    2245 break;
    2246 case NFT_META_OIFTYPE:
    2247 if (out == NULL)
    2248 goto err;
    2249 - *dest = 0;
    2250 - *(u16 *)dest = out->type;
    2251 + nft_reg_store16(dest, out->type);
    2252 break;
    2253 case NFT_META_SKUID:
    2254 sk = skb_to_full_sk(skb);
    2255 @@ -142,22 +139,22 @@ void nft_meta_get_eval(const struct nft_expr *expr,
    2256 #endif
    2257 case NFT_META_PKTTYPE:
    2258 if (skb->pkt_type != PACKET_LOOPBACK) {
    2259 - *dest = skb->pkt_type;
    2260 + nft_reg_store8(dest, skb->pkt_type);
    2261 break;
    2262 }
    2263
    2264 switch (pkt->pf) {
    2265 case NFPROTO_IPV4:
    2266 if (ipv4_is_multicast(ip_hdr(skb)->daddr))
    2267 - *dest = PACKET_MULTICAST;
    2268 + nft_reg_store8(dest, PACKET_MULTICAST);
    2269 else
    2270 - *dest = PACKET_BROADCAST;
    2271 + nft_reg_store8(dest, PACKET_BROADCAST);
    2272 break;
    2273 case NFPROTO_IPV6:
    2274 if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
    2275 - *dest = PACKET_MULTICAST;
    2276 + nft_reg_store8(dest, PACKET_MULTICAST);
    2277 else
    2278 - *dest = PACKET_BROADCAST;
    2279 + nft_reg_store8(dest, PACKET_BROADCAST);
    2280 break;
    2281 case NFPROTO_NETDEV:
    2282 switch (skb->protocol) {
    2283 @@ -171,14 +168,14 @@ void nft_meta_get_eval(const struct nft_expr *expr,
    2284 goto err;
    2285
    2286 if (ipv4_is_multicast(iph->daddr))
    2287 - *dest = PACKET_MULTICAST;
    2288 + nft_reg_store8(dest, PACKET_MULTICAST);
    2289 else
    2290 - *dest = PACKET_BROADCAST;
    2291 + nft_reg_store8(dest, PACKET_BROADCAST);
    2292
    2293 break;
    2294 }
    2295 case htons(ETH_P_IPV6):
    2296 - *dest = PACKET_MULTICAST;
    2297 + nft_reg_store8(dest, PACKET_MULTICAST);
    2298 break;
    2299 default:
    2300 WARN_ON_ONCE(1);
    2301 @@ -233,7 +230,9 @@ void nft_meta_set_eval(const struct nft_expr *expr,
    2302 {
    2303 const struct nft_meta *meta = nft_expr_priv(expr);
    2304 struct sk_buff *skb = pkt->skb;
    2305 - u32 value = regs->data[meta->sreg];
    2306 + u32 *sreg = &regs->data[meta->sreg];
    2307 + u32 value = *sreg;
    2308 + u8 pkt_type;
    2309
    2310 switch (meta->key) {
    2311 case NFT_META_MARK:
    2312 @@ -243,9 +242,12 @@ void nft_meta_set_eval(const struct nft_expr *expr,
    2313 skb->priority = value;
    2314 break;
    2315 case NFT_META_PKTTYPE:
    2316 - if (skb->pkt_type != value &&
    2317 - skb_pkt_type_ok(value) && skb_pkt_type_ok(skb->pkt_type))
    2318 - skb->pkt_type = value;
    2319 + pkt_type = nft_reg_load8(sreg);
    2320 +
    2321 + if (skb->pkt_type != pkt_type &&
    2322 + skb_pkt_type_ok(pkt_type) &&
    2323 + skb_pkt_type_ok(skb->pkt_type))
    2324 + skb->pkt_type = pkt_type;
    2325 break;
    2326 case NFT_META_NFTRACE:
    2327 skb->nf_trace = !!value;
    2328 diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
    2329 index ee2d71753746..4c48e9bb21e2 100644
    2330 --- a/net/netfilter/nft_nat.c
    2331 +++ b/net/netfilter/nft_nat.c
    2332 @@ -65,10 +65,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
    2333 }
    2334
    2335 if (priv->sreg_proto_min) {
    2336 - range.min_proto.all =
    2337 - *(__be16 *)&regs->data[priv->sreg_proto_min];
    2338 - range.max_proto.all =
    2339 - *(__be16 *)&regs->data[priv->sreg_proto_max];
    2340 + range.min_proto.all = (__force __be16)nft_reg_load16(
    2341 + &regs->data[priv->sreg_proto_min]);
    2342 + range.max_proto.all = (__force __be16)nft_reg_load16(
    2343 + &regs->data[priv->sreg_proto_max]);
    2344 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
    2345 }
    2346
    2347 diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
    2348 index b3f7980b0f27..d646aa770ac8 100644
    2349 --- a/net/sched/sch_tbf.c
    2350 +++ b/net/sched/sch_tbf.c
    2351 @@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,
    2352 return len;
    2353 }
    2354
    2355 -/*
    2356 - * Return length of individual segments of a gso packet,
    2357 - * including all headers (MAC, IP, TCP/UDP)
    2358 - */
    2359 -static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
    2360 -{
    2361 - unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
    2362 - return hdr_len + skb_gso_transport_seglen(skb);
    2363 -}
    2364 -
    2365 /* GSO packet is too big, segment it so that tbf can transmit
    2366 * each segment in time
    2367 */
    2368 diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
    2369 index ba9cd75e4c98..447b3a8a83c3 100644
    2370 --- a/sound/pci/hda/patch_conexant.c
    2371 +++ b/sound/pci/hda/patch_conexant.c
    2372 @@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
    2373 SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
    2374 SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
    2375 SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
    2376 + SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
    2377 SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
    2378 SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
    2379 SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
    2380 diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
    2381 index e6ac7b9b4648..497bad9f2789 100644
    2382 --- a/sound/usb/pcm.c
    2383 +++ b/sound/usb/pcm.c
    2384 @@ -313,6 +313,9 @@ static int search_roland_implicit_fb(struct usb_device *dev, int ifnum,
    2385 return 0;
    2386 }
    2387
    2388 +/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
    2389 + * applies. Returns 1 if a quirk was found.
    2390 + */
    2391 static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
    2392 struct usb_device *dev,
    2393 struct usb_interface_descriptor *altsd,
    2394 @@ -391,7 +394,7 @@ add_sync_ep:
    2395
    2396 subs->data_endpoint->sync_master = subs->sync_endpoint;
    2397
    2398 - return 0;
    2399 + return 1;
    2400 }
    2401
    2402 static int set_sync_endpoint(struct snd_usb_substream *subs,
    2403 @@ -430,6 +433,10 @@ static int set_sync_endpoint(struct snd_usb_substream *subs,
    2404 if (err < 0)
    2405 return err;
    2406
    2407 + /* endpoint set by quirk */
    2408 + if (err > 0)
    2409 + return 0;
    2410 +
    2411 if (altsd->bNumEndpoints < 2)
    2412 return 0;
    2413
    2414 diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c
    2415 index 046a4850e3df..ff32ca1d81ff 100644
    2416 --- a/tools/perf/util/unwind-libdw.c
    2417 +++ b/tools/perf/util/unwind-libdw.c
    2418 @@ -231,7 +231,7 @@ int unwind__get_entries(unwind_entry_cb_t cb, void *arg,
    2419
    2420 err = dwfl_getthread_frames(ui->dwfl, thread->tid, frame_callback, ui);
    2421
    2422 - if (err && !ui->max_stack)
    2423 + if (err && ui->max_stack != max_stack)
    2424 err = 0;
    2425
    2426 /*