Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-alx/patches-5.4/0279-5.4.180-all-fixes.patch

    Annotation of /trunk/kernel-alx/patches-5.4/0279-5.4.180-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3637 - (hide annotations) (download)
    Mon Oct 24 12:40:44 2022 UTC (18 months, 3 weeks ago) by niro
    File size: 71371 byte(s) 
    -add missing
    1 niro 3637 diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
    2     index 032c7cd3cede0..7b477fa19534d 100644
    3     --- a/Documentation/admin-guide/sysctl/kernel.rst
    4     +++ b/Documentation/admin-guide/sysctl/kernel.rst
    5     @@ -1125,6 +1125,27 @@ NMI switch that most IA32 servers have fires unknown NMI up, for
    6     example. If a system hangs up, try pressing the NMI switch.
    7    
    8    
    9     +unprivileged_bpf_disabled:
    10     +==========================
    11     +
    12     +Writing 1 to this entry will disable unprivileged calls to ``bpf()``;
    13     +once disabled, calling ``bpf()`` without ``CAP_SYS_ADMIN`` will return
    14     +``-EPERM``. Once set to 1, this can't be cleared from the running kernel
    15     +anymore.
    16     +
    17     +Writing 2 to this entry will also disable unprivileged calls to ``bpf()``,
    18     +however, an admin can still change this setting later on, if needed, by
    19     +writing 0 or 1 to this entry.
    20     +
    21     +If ``BPF_UNPRIV_DEFAULT_OFF`` is enabled in the kernel config, then this
    22     +entry will default to 2 instead of 0.
    23     +
    24     += =============================================================
    25     +0 Unprivileged calls to ``bpf()`` are enabled
    26     +1 Unprivileged calls to ``bpf()`` are disabled without recovery
    27     +2 Unprivileged calls to ``bpf()`` are disabled
    28     += =============================================================
    29     +
    30     watchdog:
    31     =========
    32    
    33     diff --git a/Makefile b/Makefile
    34     index 5688e17a44363..6eb6645647147 100644
    35     --- a/Makefile
    36     +++ b/Makefile
    37     @@ -1,7 +1,7 @@
    38     # SPDX-License-Identifier: GPL-2.0
    39     VERSION = 5
    40     PATCHLEVEL = 4
    41     -SUBLEVEL = 179
    42     +SUBLEVEL = 180
    43     EXTRAVERSION =
    44     NAME = Kleptomaniac Octopus
    45    
    46     diff --git a/arch/arm/boot/dts/imx23-evk.dts b/arch/arm/boot/dts/imx23-evk.dts
    47     index 0b2701ca29212..858b8057e8540 100644
    48     --- a/arch/arm/boot/dts/imx23-evk.dts
    49     +++ b/arch/arm/boot/dts/imx23-evk.dts
    50     @@ -79,7 +79,6 @@
    51     MX23_PAD_LCD_RESET__GPIO_1_18
    52     MX23_PAD_PWM3__GPIO_1_29
    53     MX23_PAD_PWM4__GPIO_1_30
    54     - MX23_PAD_SSP1_DETECT__SSP1_DETECT
    55     >;
    56     fsl,drive-strength = <MXS_DRIVE_4mA>;
    57     fsl,voltage = <MXS_VOLTAGE_HIGH>;
    58     diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
    59     index 16672cbada287..6c8da3f037335 100644
    60     --- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi
    61     +++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
    62     @@ -5,6 +5,8 @@
    63     * Author: Fabio Estevam <fabio.estevam@freescale.com>
    64     */
    65    
    66     +#include <dt-bindings/gpio/gpio.h>
    67     +
    68     / {
    69     aliases {
    70     backlight = &backlight;
    71     @@ -218,6 +220,7 @@
    72     MX6QDL_PAD_SD3_DAT1__SD3_DATA1 0x17059
    73     MX6QDL_PAD_SD3_DAT2__SD3_DATA2 0x17059
    74     MX6QDL_PAD_SD3_DAT3__SD3_DATA3 0x17059
    75     + MX6QDL_PAD_SD3_DAT5__GPIO7_IO00 0x1b0b0
    76     >;
    77     };
    78    
    79     @@ -290,7 +293,7 @@
    80     &usdhc3 {
    81     pinctrl-names = "default";
    82     pinctrl-0 = <&pinctrl_usdhc3>;
    83     - non-removable;
    84     + cd-gpios = <&gpio7 0 GPIO_ACTIVE_LOW>;
    85     status = "okay";
    86     };
    87    
    88     diff --git a/arch/arm/boot/dts/meson.dtsi b/arch/arm/boot/dts/meson.dtsi
    89     index c4447f6c8b2cb..e141ce7484841 100644
    90     --- a/arch/arm/boot/dts/meson.dtsi
    91     +++ b/arch/arm/boot/dts/meson.dtsi
    92     @@ -49,14 +49,14 @@
    93     };
    94    
    95     uart_A: serial@84c0 {
    96     - compatible = "amlogic,meson6-uart", "amlogic,meson-uart";
    97     + compatible = "amlogic,meson6-uart";
    98     reg = <0x84c0 0x18>;
    99     interrupts = <GIC_SPI 26 IRQ_TYPE_EDGE_RISING>;
    100     status = "disabled";
    101     };
    102    
    103     uart_B: serial@84dc {
    104     - compatible = "amlogic,meson6-uart", "amlogic,meson-uart";
    105     + compatible = "amlogic,meson6-uart";
    106     reg = <0x84dc 0x18>;
    107     interrupts = <GIC_SPI 75 IRQ_TYPE_EDGE_RISING>;
    108     status = "disabled";
    109     @@ -94,7 +94,7 @@
    110     };
    111    
    112     uart_C: serial@8700 {
    113     - compatible = "amlogic,meson6-uart", "amlogic,meson-uart";
    114     + compatible = "amlogic,meson6-uart";
    115     reg = <0x8700 0x18>;
    116     interrupts = <GIC_SPI 93 IRQ_TYPE_EDGE_RISING>;
    117     status = "disabled";
    118     @@ -196,7 +196,7 @@
    119     };
    120    
    121     uart_AO: serial@4c0 {
    122     - compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart", "amlogic,meson-uart";
    123     + compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart";
    124     reg = <0x4c0 0x18>;
    125     interrupts = <GIC_SPI 90 IRQ_TYPE_EDGE_RISING>;
    126     status = "disabled";
    127     diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig
    128     index 22af5e308db6c..61b872792c4cb 100644
    129     --- a/arch/arm/mach-socfpga/Kconfig
    130     +++ b/arch/arm/mach-socfpga/Kconfig
    131     @@ -2,6 +2,7 @@
    132     menuconfig ARCH_SOCFPGA
    133     bool "Altera SOCFPGA family"
    134     depends on ARCH_MULTI_V7
    135     + select ARCH_HAS_RESET_CONTROLLER
    136     select ARCH_SUPPORTS_BIG_ENDIAN
    137     select ARM_AMBA
    138     select ARM_GIC
    139     @@ -19,6 +20,7 @@ menuconfig ARCH_SOCFPGA
    140     select PL310_ERRATA_727915
    141     select PL310_ERRATA_753970 if PL310
    142     select PL310_ERRATA_769419
    143     + select RESET_CONTROLLER
    144    
    145     if ARCH_SOCFPGA
    146     config SOCFPGA_SUSPEND
    147     diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
    148     index 1cbe0ad78b0f3..7b579a003e30a 100644
    149     --- a/arch/riscv/Makefile
    150     +++ b/arch/riscv/Makefile
    151     @@ -48,6 +48,12 @@ riscv-march-$(CONFIG_ARCH_RV32I) := rv32ima
    152     riscv-march-$(CONFIG_ARCH_RV64I) := rv64ima
    153     riscv-march-$(CONFIG_FPU) := $(riscv-march-y)fd
    154     riscv-march-$(CONFIG_RISCV_ISA_C) := $(riscv-march-y)c
    155     +
    156     +# Newer binutils versions default to ISA spec version 20191213 which moves some
    157     +# instructions from the I extension to the Zicsr and Zifencei extensions.
    158     +toolchain-need-zicsr-zifencei := $(call cc-option-yn, -march=$(riscv-march-y)_zicsr_zifencei)
    159     +riscv-march-$(toolchain-need-zicsr-zifencei) := $(riscv-march-y)_zicsr_zifencei
    160     +
    161     KBUILD_CFLAGS += -march=$(subst fd,,$(riscv-march-y))
    162     KBUILD_AFLAGS += -march=$(riscv-march-y)
    163    
    164     diff --git a/arch/x86/kvm/vmx/evmcs.h b/arch/x86/kvm/vmx/evmcs.h
    165     index 07ebf6882a458..632bed227152e 100644
    166     --- a/arch/x86/kvm/vmx/evmcs.h
    167     +++ b/arch/x86/kvm/vmx/evmcs.h
    168     @@ -58,7 +58,9 @@ DECLARE_STATIC_KEY_FALSE(enable_evmcs);
    169     SECONDARY_EXEC_SHADOW_VMCS | \
    170     SECONDARY_EXEC_TSC_SCALING | \
    171     SECONDARY_EXEC_PAUSE_LOOP_EXITING)
    172     -#define EVMCS1_UNSUPPORTED_VMEXIT_CTRL (VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL)
    173     +#define EVMCS1_UNSUPPORTED_VMEXIT_CTRL \
    174     + (VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | \
    175     + VM_EXIT_SAVE_VMX_PREEMPTION_TIMER)
    176     #define EVMCS1_UNSUPPORTED_VMENTRY_CTRL (VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL)
    177     #define EVMCS1_UNSUPPORTED_VMFUNC (VMX_VMFUNC_EPTP_SWITCHING)
    178    
    179     diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
    180     index bc95a5eebd137..553c89b0bdcbb 100644
    181     --- a/drivers/acpi/arm64/iort.c
    182     +++ b/drivers/acpi/arm64/iort.c
    183     @@ -1373,9 +1373,17 @@ static void __init arm_smmu_v3_pmcg_init_resources(struct resource *res,
    184     res[0].start = pmcg->page0_base_address;
    185     res[0].end = pmcg->page0_base_address + SZ_4K - 1;
    186     res[0].flags = IORESOURCE_MEM;
    187     - res[1].start = pmcg->page1_base_address;
    188     - res[1].end = pmcg->page1_base_address + SZ_4K - 1;
    189     - res[1].flags = IORESOURCE_MEM;
    190     + /*
    191     + * The initial version in DEN0049C lacked a way to describe register
    192     + * page 1, which makes it broken for most PMCG implementations; in
    193     + * that case, just let the driver fail gracefully if it expects to
    194     + * find a second memory resource.
    195     + */
    196     + if (node->revision > 0) {
    197     + res[1].start = pmcg->page1_base_address;
    198     + res[1].end = pmcg->page1_base_address + SZ_4K - 1;
    199     + res[1].flags = IORESOURCE_MEM;
    200     + }
    201    
    202     if (pmcg->overflow_gsiv)
    203     acpi_iort_register_irq(pmcg->overflow_gsiv, "overflow",
    204     diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
    205     index e5b92958c299e..ce9a570f217ad 100644
    206     --- a/drivers/acpi/ec.c
    207     +++ b/drivers/acpi/ec.c
    208     @@ -2002,6 +2002,16 @@ bool acpi_ec_dispatch_gpe(void)
    209     if (acpi_any_gpe_status_set(first_ec->gpe))
    210     return true;
    211    
    212     + /*
    213     + * Cancel the SCI wakeup and process all pending events in case there
    214     + * are any wakeup ones in there.
    215     + *
    216     + * Note that if any non-EC GPEs are active at this point, the SCI will
    217     + * retrigger after the rearming in acpi_s2idle_wake(), so no events
    218     + * should be missed by canceling the wakeup here.
    219     + */
    220     + pm_system_cancel_wakeup();
    221     +
    222     /*
    223     * Dispatch the EC GPE in-band, but do not report wakeup in any case
    224     * to allow the caller to process events properly after that.
    225     diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
    226     index d1b74179d2179..cd590b4793e09 100644
    227     --- a/drivers/acpi/sleep.c
    228     +++ b/drivers/acpi/sleep.c
    229     @@ -1003,19 +1003,13 @@ static bool acpi_s2idle_wake(void)
    230     if (acpi_check_wakeup_handlers())
    231     return true;
    232    
    233     - /* Check non-EC GPE wakeups and dispatch the EC GPE. */
    234     + /*
    235     + * Check non-EC GPE wakeups and if there are none, cancel the
    236     + * SCI-related wakeup and dispatch the EC GPE.
    237     + */
    238     if (acpi_ec_dispatch_gpe())
    239     return true;
    240    
    241     - /*
    242     - * Cancel the SCI wakeup and process all pending events in case
    243     - * there are any wakeup ones in there.
    244     - *
    245     - * Note that if any non-EC GPEs are active at this point, the
    246     - * SCI will retrigger after the rearming below, so no events
    247     - * should be missed by canceling the wakeup here.
    248     - */
    249     - pm_system_cancel_wakeup();
    250     acpi_os_wait_events_complete();
    251    
    252     /*
    253     @@ -1027,6 +1021,7 @@ static bool acpi_s2idle_wake(void)
    254     if (pm_wakeup_pending())
    255     return true;
    256    
    257     + pm_wakeup_clear(acpi_sci_irq);
    258     rearm_wake_irq(acpi_sci_irq);
    259     }
    260    
    261     diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
    262     index 92f0960e90145..49082c5570deb 100644
    263     --- a/drivers/base/power/wakeup.c
    264     +++ b/drivers/base/power/wakeup.c
    265     @@ -31,7 +31,8 @@ suspend_state_t pm_suspend_target_state;
    266     bool events_check_enabled __read_mostly;
    267    
    268     /* First wakeup IRQ seen by the kernel in the last cycle. */
    269     -unsigned int pm_wakeup_irq __read_mostly;
    270     +static unsigned int wakeup_irq[2] __read_mostly;
    271     +static DEFINE_RAW_SPINLOCK(wakeup_irq_lock);
    272    
    273     /* If greater than 0 and the system is suspending, terminate the suspend. */
    274     static atomic_t pm_abort_suspend __read_mostly;
    275     @@ -884,19 +885,45 @@ void pm_system_cancel_wakeup(void)
    276     atomic_dec_if_positive(&pm_abort_suspend);
    277     }
    278    
    279     -void pm_wakeup_clear(bool reset)
    280     +void pm_wakeup_clear(unsigned int irq_number)
    281     {
    282     - pm_wakeup_irq = 0;
    283     - if (reset)
    284     + raw_spin_lock_irq(&wakeup_irq_lock);
    285     +
    286     + if (irq_number && wakeup_irq[0] == irq_number)
    287     + wakeup_irq[0] = wakeup_irq[1];
    288     + else
    289     + wakeup_irq[0] = 0;
    290     +
    291     + wakeup_irq[1] = 0;
    292     +
    293     + raw_spin_unlock_irq(&wakeup_irq_lock);
    294     +
    295     + if (!irq_number)
    296     atomic_set(&pm_abort_suspend, 0);
    297     }
    298    
    299     void pm_system_irq_wakeup(unsigned int irq_number)
    300     {
    301     - if (pm_wakeup_irq == 0) {
    302     - pm_wakeup_irq = irq_number;
    303     + unsigned long flags;
    304     +
    305     + raw_spin_lock_irqsave(&wakeup_irq_lock, flags);
    306     +
    307     + if (wakeup_irq[0] == 0)
    308     + wakeup_irq[0] = irq_number;
    309     + else if (wakeup_irq[1] == 0)
    310     + wakeup_irq[1] = irq_number;
    311     + else
    312     + irq_number = 0;
    313     +
    314     + raw_spin_unlock_irqrestore(&wakeup_irq_lock, flags);
    315     +
    316     + if (irq_number)
    317     pm_system_wakeup();
    318     - }
    319     +}
    320     +
    321     +unsigned int pm_wakeup_irq(void)
    322     +{
    323     + return wakeup_irq[0];
    324     }
    325    
    326     /**
    327     diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
    328     index 9d1bd8f491ad7..448c2f2d803a6 100644
    329     --- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
    330     +++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
    331     @@ -115,6 +115,12 @@ static const struct drm_dmi_panel_orientation_data lcd1280x1920_rightside_up = {
    332     .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
    333     };
    334    
    335     +static const struct drm_dmi_panel_orientation_data lcd1600x2560_leftside_up = {
    336     + .width = 1600,
    337     + .height = 2560,
    338     + .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
    339     +};
    340     +
    341     static const struct dmi_system_id orientation_data[] = {
    342     { /* Acer One 10 (S1003) */
    343     .matches = {
    344     @@ -261,6 +267,12 @@ static const struct dmi_system_id orientation_data[] = {
    345     DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"),
    346     },
    347     .driver_data = (void *)&onegx1_pro,
    348     + }, { /* OneXPlayer */
    349     + .matches = {
    350     + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ONE-NETBOOK TECHNOLOGY CO., LTD."),
    351     + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ONE XPLAYER"),
    352     + },
    353     + .driver_data = (void *)&lcd1600x2560_leftside_up,
    354     }, { /* Samsung GalaxyBook 10.6 */
    355     .matches = {
    356     DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
    357     diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
    358     index 2eaed0008f376..785e7a07bb291 100644
    359     --- a/drivers/hwmon/dell-smm-hwmon.c
    360     +++ b/drivers/hwmon/dell-smm-hwmon.c
    361     @@ -301,7 +301,7 @@ static int i8k_get_fan_nominal_speed(int fan, int speed)
    362     }
    363    
    364     /*
    365     - * Set the fan speed (off, low, high). Returns the new fan status.
    366     + * Set the fan speed (off, low, high, ...).
    367     */
    368     static int i8k_set_fan(int fan, int speed)
    369     {
    370     @@ -313,7 +313,7 @@ static int i8k_set_fan(int fan, int speed)
    371     speed = (speed < 0) ? 0 : ((speed > i8k_fan_max) ? i8k_fan_max : speed);
    372     regs.ebx = (fan & 0xff) | (speed << 8);
    373    
    374     - return i8k_smm(&regs) ? : i8k_get_fan_status(fan);
    375     + return i8k_smm(&regs);
    376     }
    377    
    378     static int i8k_get_temp_type(int sensor)
    379     @@ -427,7 +427,7 @@ static int
    380     i8k_ioctl_unlocked(struct file *fp, unsigned int cmd, unsigned long arg)
    381     {
    382     int val = 0;
    383     - int speed;
    384     + int speed, err;
    385     unsigned char buff[16];
    386     int __user *argp = (int __user *)arg;
    387    
    388     @@ -488,7 +488,11 @@ i8k_ioctl_unlocked(struct file *fp, unsigned int cmd, unsigned long arg)
    389     if (copy_from_user(&speed, argp + 1, sizeof(int)))
    390     return -EFAULT;
    391    
    392     - val = i8k_set_fan(val, speed);
    393     + err = i8k_set_fan(val, speed);
    394     + if (err < 0)
    395     + return err;
    396     +
    397     + val = i8k_get_fan_status(val);
    398     break;
    399    
    400     default:
    401     diff --git a/drivers/misc/eeprom/ee1004.c b/drivers/misc/eeprom/ee1004.c
    402     index b081c67416d77..6b313997085e0 100644
    403     --- a/drivers/misc/eeprom/ee1004.c
    404     +++ b/drivers/misc/eeprom/ee1004.c
    405     @@ -82,6 +82,9 @@ static ssize_t ee1004_eeprom_read(struct i2c_client *client, char *buf,
    406     if (unlikely(offset + count > EE1004_PAGE_SIZE))
    407     count = EE1004_PAGE_SIZE - offset;
    408    
    409     + if (count > I2C_SMBUS_BLOCK_MAX)
    410     + count = I2C_SMBUS_BLOCK_MAX;
    411     +
    412     status = i2c_smbus_read_i2c_block_data_or_emulated(client, offset,
    413     count, buf);
    414     dev_dbg(&client->dev, "read %zu@%d --> %d\n", count, offset, status);
    415     diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
    416     index f76c64084f4b2..fb5ddf3864fdd 100644
    417     --- a/drivers/misc/fastrpc.c
    418     +++ b/drivers/misc/fastrpc.c
    419     @@ -1245,7 +1245,14 @@ static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp)
    420     }
    421    
    422     if (copy_to_user(argp, &bp, sizeof(bp))) {
    423     - dma_buf_put(buf->dmabuf);
    424     + /*
    425     + * The usercopy failed, but we can't do much about it, as
    426     + * dma_buf_fd() already called fd_install() and made the
    427     + * file descriptor accessible for the current process. It
    428     + * might already be closed and dmabuf no longer valid when
    429     + * we reach this point. Therefore "leak" the fd and rely on
    430     + * the process exit path to do any required cleanup.
    431     + */
    432     return -EFAULT;
    433     }
    434    
    435     diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
    436     index 5922ae021d869..0ff339004d8a5 100644
    437     --- a/drivers/mmc/host/sdhci-of-esdhc.c
    438     +++ b/drivers/mmc/host/sdhci-of-esdhc.c
    439     @@ -519,12 +519,16 @@ static void esdhc_of_adma_workaround(struct sdhci_host *host, u32 intmask)
    440    
    441     static int esdhc_of_enable_dma(struct sdhci_host *host)
    442     {
    443     + int ret;
    444     u32 value;
    445     struct device *dev = mmc_dev(host->mmc);
    446    
    447     if (of_device_is_compatible(dev->of_node, "fsl,ls1043a-esdhc") ||
    448     - of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc"))
    449     - dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
    450     + of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc")) {
    451     + ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
    452     + if (ret)
    453     + return ret;
    454     + }
    455    
    456     value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
    457    
    458     diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
    459     index e3b25f3109367..ed170d803247a 100644
    460     --- a/drivers/net/bonding/bond_3ad.c
    461     +++ b/drivers/net/bonding/bond_3ad.c
    462     @@ -1013,8 +1013,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
    463     if (port->aggregator &&
    464     port->aggregator->is_active &&
    465     !__port_is_enabled(port)) {
    466     -
    467     __enable_port(port);
    468     + *update_slave_arr = true;
    469     }
    470     }
    471     break;
    472     @@ -1770,6 +1770,7 @@ static void ad_agg_selection_logic(struct aggregator *agg,
    473     port = port->next_port_in_aggregator) {
    474     __enable_port(port);
    475     }
    476     + *update_slave_arr = true;
    477     }
    478     }
    479    
    480     diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
    481     index 7b86240ecd5fe..c4f1fc97987ae 100644
    482     --- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
    483     +++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
    484     @@ -418,6 +418,9 @@ static void xgbe_pci_remove(struct pci_dev *pdev)
    485    
    486     pci_free_irq_vectors(pdata->pcidev);
    487    
    488     + /* Disable all interrupts in the hardware */
    489     + XP_IOWRITE(pdata, XP_INT_EN, 0x0);
    490     +
    491     xgbe_free_pdata(pdata);
    492     }
    493    
    494     diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
    495     index be8e6d4e376ec..9bd02766a4bcc 100644
    496     --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
    497     +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
    498     @@ -1979,14 +1979,15 @@ static void ixgbevf_set_rx_buffer_len(struct ixgbevf_adapter *adapter,
    499     if (adapter->flags & IXGBEVF_FLAGS_LEGACY_RX)
    500     return;
    501    
    502     - set_ring_build_skb_enabled(rx_ring);
    503     + if (PAGE_SIZE < 8192)
    504     + if (max_frame > IXGBEVF_MAX_FRAME_BUILD_SKB)
    505     + set_ring_uses_large_buffer(rx_ring);
    506    
    507     - if (PAGE_SIZE < 8192) {
    508     - if (max_frame <= IXGBEVF_MAX_FRAME_BUILD_SKB)
    509     - return;
    510     + /* 82599 can't rely on RXDCTL.RLPML to restrict the size of the frame */
    511     + if (adapter->hw.mac.type == ixgbe_mac_82599_vf && !ring_uses_large_buffer(rx_ring))
    512     + return;
    513    
    514     - set_ring_uses_large_buffer(rx_ring);
    515     - }
    516     + set_ring_build_skb_enabled(rx_ring);
    517     }
    518    
    519     /**
    520     diff --git a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
    521     index 2600ce476d6b2..f8c8451919cb6 100644
    522     --- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
    523     +++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
    524     @@ -677,6 +677,7 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev,
    525     struct nfp_flower_repr_priv *repr_priv;
    526     struct nfp_tun_offloaded_mac *entry;
    527     struct nfp_repr *repr;
    528     + u16 nfp_mac_idx;
    529     int ida_idx;
    530    
    531     entry = nfp_tunnel_lookup_offloaded_macs(app, mac);
    532     @@ -695,8 +696,6 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev,
    533     entry->bridge_count--;
    534    
    535     if (!entry->bridge_count && entry->ref_count) {
    536     - u16 nfp_mac_idx;
    537     -
    538     nfp_mac_idx = entry->index & ~NFP_TUN_PRE_TUN_IDX_BIT;
    539     if (__nfp_tunnel_offload_mac(app, mac, nfp_mac_idx,
    540     false)) {
    541     @@ -712,7 +711,6 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev,
    542    
    543     /* If MAC is now used by 1 repr set the offloaded MAC index to port. */
    544     if (entry->ref_count == 1 && list_is_singular(&entry->repr_list)) {
    545     - u16 nfp_mac_idx;
    546     int port, err;
    547    
    548     repr_priv = list_first_entry(&entry->repr_list,
    549     @@ -740,8 +738,14 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev,
    550     WARN_ON_ONCE(rhashtable_remove_fast(&priv->tun.offloaded_macs,
    551     &entry->ht_node,
    552     offloaded_macs_params));
    553     +
    554     + if (nfp_flower_is_supported_bridge(netdev))
    555     + nfp_mac_idx = entry->index & ~NFP_TUN_PRE_TUN_IDX_BIT;
    556     + else
    557     + nfp_mac_idx = entry->index;
    558     +
    559     /* If MAC has global ID then extract and free the ida entry. */
    560     - if (nfp_tunnel_is_mac_idx_global(entry->index)) {
    561     + if (nfp_tunnel_is_mac_idx_global(nfp_mac_idx)) {
    562     ida_idx = nfp_tunnel_get_ida_from_global_mac_idx(entry->index);
    563     ida_simple_remove(&priv->tun.mac_off_ids, ida_idx);
    564     }
    565     diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
    566     index 2f6258ca95155..7c73d296b940d 100644
    567     --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
    568     +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
    569     @@ -718,7 +718,7 @@ static int sun8i_dwmac_reset(struct stmmac_priv *priv)
    570    
    571     if (err) {
    572     dev_err(priv->device, "EMAC reset timeout\n");
    573     - return -EFAULT;
    574     + return err;
    575     }
    576     return 0;
    577     }
    578     diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
    579     index a69317e944229..53420c5312667 100644
    580     --- a/drivers/net/phy/marvell.c
    581     +++ b/drivers/net/phy/marvell.c
    582     @@ -444,9 +444,9 @@ static int m88e1121_config_aneg_rgmii_delays(struct phy_device *phydev)
    583     else
    584     mscr = 0;
    585    
    586     - return phy_modify_paged(phydev, MII_MARVELL_MSCR_PAGE,
    587     - MII_88E1121_PHY_MSCR_REG,
    588     - MII_88E1121_PHY_MSCR_DELAY_MASK, mscr);
    589     + return phy_modify_paged_changed(phydev, MII_MARVELL_MSCR_PAGE,
    590     + MII_88E1121_PHY_MSCR_REG,
    591     + MII_88E1121_PHY_MSCR_DELAY_MASK, mscr);
    592     }
    593    
    594     static int m88e1121_config_aneg(struct phy_device *phydev)
    595     @@ -460,11 +460,13 @@ static int m88e1121_config_aneg(struct phy_device *phydev)
    596     return err;
    597     }
    598    
    599     + changed = err;
    600     +
    601     err = marvell_set_polarity(phydev, phydev->mdix_ctrl);
    602     if (err < 0)
    603     return err;
    604    
    605     - changed = err;
    606     + changed |= err;
    607    
    608     err = genphy_config_aneg(phydev);
    609     if (err < 0)
    610     @@ -886,16 +888,15 @@ static int m88e1118_config_aneg(struct phy_device *phydev)
    611     {
    612     int err;
    613    
    614     - err = genphy_soft_reset(phydev);
    615     + err = marvell_set_polarity(phydev, phydev->mdix_ctrl);
    616     if (err < 0)
    617     return err;
    618    
    619     - err = marvell_set_polarity(phydev, phydev->mdix_ctrl);
    620     + err = genphy_config_aneg(phydev);
    621     if (err < 0)
    622     return err;
    623    
    624     - err = genphy_config_aneg(phydev);
    625     - return 0;
    626     + return genphy_soft_reset(phydev);
    627     }
    628    
    629     static int m88e1118_config_init(struct phy_device *phydev)
    630     diff --git a/drivers/net/phy/mdio-aspeed.c b/drivers/net/phy/mdio-aspeed.c
    631     index 966c3b4ad59d1..e2273588c75b6 100644
    632     --- a/drivers/net/phy/mdio-aspeed.c
    633     +++ b/drivers/net/phy/mdio-aspeed.c
    634     @@ -148,6 +148,7 @@ static const struct of_device_id aspeed_mdio_of_match[] = {
    635     { .compatible = "aspeed,ast2600-mdio", },
    636     { },
    637     };
    638     +MODULE_DEVICE_TABLE(of, aspeed_mdio_of_match);
    639    
    640     static struct platform_driver aspeed_mdio_driver = {
    641     .driver = {
    642     diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
    643     index ec4b148b1e6c3..a06c3924e0396 100644
    644     --- a/drivers/net/usb/ax88179_178a.c
    645     +++ b/drivers/net/usb/ax88179_178a.c
    646     @@ -1361,58 +1361,68 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
    647     u16 hdr_off;
    648     u32 *pkt_hdr;
    649    
    650     - /* This check is no longer done by usbnet */
    651     - if (skb->len < dev->net->hard_header_len)
    652     + /* At the end of the SKB, there's a header telling us how many packets
    653     + * are bundled into this buffer and where we can find an array of
    654     + * per-packet metadata (which contains elements encoded into u16).
    655     + */
    656     + if (skb->len < 4)
    657     return 0;
    658     -
    659     skb_trim(skb, skb->len - 4);
    660     rx_hdr = get_unaligned_le32(skb_tail_pointer(skb));
    661     -
    662     pkt_cnt = (u16)rx_hdr;
    663     hdr_off = (u16)(rx_hdr >> 16);
    664     +
    665     + if (pkt_cnt == 0)
    666     + return 0;
    667     +
    668     + /* Make sure that the bounds of the metadata array are inside the SKB
    669     + * (and in front of the counter at the end).
    670     + */
    671     + if (pkt_cnt * 2 + hdr_off > skb->len)
    672     + return 0;
    673     pkt_hdr = (u32 *)(skb->data + hdr_off);
    674    
    675     - while (pkt_cnt--) {
    676     + /* Packets must not overlap the metadata array */
    677     + skb_trim(skb, hdr_off);
    678     +
    679     + for (; ; pkt_cnt--, pkt_hdr++) {
    680     u16 pkt_len;
    681    
    682     le32_to_cpus(pkt_hdr);
    683     pkt_len = (*pkt_hdr >> 16) & 0x1fff;
    684    
    685     - /* Check CRC or runt packet */
    686     - if ((*pkt_hdr & AX_RXHDR_CRC_ERR) ||
    687     - (*pkt_hdr & AX_RXHDR_DROP_ERR)) {
    688     - skb_pull(skb, (pkt_len + 7) & 0xFFF8);
    689     - pkt_hdr++;
    690     - continue;
    691     - }
    692     -
    693     - if (pkt_cnt == 0) {
    694     - skb->len = pkt_len;
    695     - /* Skip IP alignment pseudo header */
    696     - skb_pull(skb, 2);
    697     - skb_set_tail_pointer(skb, skb->len);
    698     - skb->truesize = pkt_len + sizeof(struct sk_buff);
    699     - ax88179_rx_checksum(skb, pkt_hdr);
    700     - return 1;
    701     - }
    702     + if (pkt_len > skb->len)
    703     + return 0;
    704    
    705     - ax_skb = skb_clone(skb, GFP_ATOMIC);
    706     - if (ax_skb) {
    707     + /* Check CRC or runt packet */
    708     + if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) == 0) &&
    709     + pkt_len >= 2 + ETH_HLEN) {
    710     + bool last = (pkt_cnt == 0);
    711     +
    712     + if (last) {
    713     + ax_skb = skb;
    714     + } else {
    715     + ax_skb = skb_clone(skb, GFP_ATOMIC);
    716     + if (!ax_skb)
    717     + return 0;
    718     + }
    719     ax_skb->len = pkt_len;
    720     /* Skip IP alignment pseudo header */
    721     skb_pull(ax_skb, 2);
    722     skb_set_tail_pointer(ax_skb, ax_skb->len);
    723     ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
    724     ax88179_rx_checksum(ax_skb, pkt_hdr);
    725     +
    726     + if (last)
    727     + return 1;
    728     +
    729     usbnet_skb_return(dev, ax_skb);
    730     - } else {
    731     - return 0;
    732     }
    733    
    734     - skb_pull(skb, (pkt_len + 7) & 0xFFF8);
    735     - pkt_hdr++;
    736     + /* Trim this packet away from the SKB */
    737     + if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8))
    738     + return 0;
    739     }
    740     - return 1;
    741     }
    742    
    743     static struct sk_buff *
    744     diff --git a/drivers/net/veth.c b/drivers/net/veth.c
    745     index 81a79e7132483..10a876f8831c7 100644
    746     --- a/drivers/net/veth.c
    747     +++ b/drivers/net/veth.c
    748     @@ -209,9 +209,10 @@ static void __veth_xdp_flush(struct veth_rq *rq)
    749     {
    750     /* Write ptr_ring before reading rx_notify_masked */
    751     smp_mb();
    752     - if (!rq->rx_notify_masked) {
    753     - rq->rx_notify_masked = true;
    754     - napi_schedule(&rq->xdp_napi);
    755     + if (!READ_ONCE(rq->rx_notify_masked) &&
    756     + napi_schedule_prep(&rq->xdp_napi)) {
    757     + WRITE_ONCE(rq->rx_notify_masked, true);
    758     + __napi_schedule(&rq->xdp_napi);
    759     }
    760     }
    761    
    762     @@ -780,8 +781,10 @@ static int veth_poll(struct napi_struct *napi, int budget)
    763     /* Write rx_notify_masked before reading ptr_ring */
    764     smp_store_mb(rq->rx_notify_masked, false);
    765     if (unlikely(!__ptr_ring_empty(&rq->xdp_ring))) {
    766     - rq->rx_notify_masked = true;
    767     - napi_schedule(&rq->xdp_napi);
    768     + if (napi_schedule_prep(&rq->xdp_napi)) {
    769     + WRITE_ONCE(rq->rx_notify_masked, true);
    770     + __napi_schedule(&rq->xdp_napi);
    771     + }
    772     }
    773     }
    774    
    775     diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
    776     index 9f01af2f03e68..4d615337e6e22 100644
    777     --- a/drivers/nvme/host/multipath.c
    778     +++ b/drivers/nvme/host/multipath.c
    779     @@ -458,8 +458,14 @@ static int nvme_parse_ana_log(struct nvme_ctrl *ctrl, void *data,
    780    
    781     for (i = 0; i < le16_to_cpu(ctrl->ana_log_buf->ngrps); i++) {
    782     struct nvme_ana_group_desc *desc = base + offset;
    783     - u32 nr_nsids = le32_to_cpu(desc->nnsids);
    784     - size_t nsid_buf_size = nr_nsids * sizeof(__le32);
    785     + u32 nr_nsids;
    786     + size_t nsid_buf_size;
    787     +
    788     + if (WARN_ON_ONCE(offset > ctrl->ana_log_size - sizeof(*desc)))
    789     + return -EINVAL;
    790     +
    791     + nr_nsids = le32_to_cpu(desc->nnsids);
    792     + nsid_buf_size = nr_nsids * sizeof(__le32);
    793    
    794     if (WARN_ON_ONCE(desc->grpid == 0))
    795     return -EINVAL;
    796     @@ -479,8 +485,6 @@ static int nvme_parse_ana_log(struct nvme_ctrl *ctrl, void *data,
    797     return error;
    798    
    799     offset += nsid_buf_size;
    800     - if (WARN_ON_ONCE(offset > ctrl->ana_log_size - sizeof(*desc)))
    801     - return -EINVAL;
    802     }
    803    
    804     return 0;
    805     diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
    806     index ff0d06e8ebb53..1eef7ed0c3026 100644
    807     --- a/drivers/nvme/host/tcp.c
    808     +++ b/drivers/nvme/host/tcp.c
    809     @@ -840,7 +840,15 @@ static inline void nvme_tcp_done_send_req(struct nvme_tcp_queue *queue)
    810    
    811     static void nvme_tcp_fail_request(struct nvme_tcp_request *req)
    812     {
    813     - nvme_tcp_end_request(blk_mq_rq_from_pdu(req), NVME_SC_HOST_PATH_ERROR);
    814     + if (nvme_tcp_async_req(req)) {
    815     + union nvme_result res = {};
    816     +
    817     + nvme_complete_async_event(&req->queue->ctrl->ctrl,
    818     + cpu_to_le16(NVME_SC_HOST_PATH_ERROR), &res);
    819     + } else {
    820     + nvme_tcp_end_request(blk_mq_rq_from_pdu(req),
    821     + NVME_SC_HOST_PATH_ERROR);
    822     + }
    823     }
    824    
    825     static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
    826     diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
    827     index 0b69f4f713778..1bf7a4152b34b 100644
    828     --- a/drivers/scsi/lpfc/lpfc.h
    829     +++ b/drivers/scsi/lpfc/lpfc.h
    830     @@ -870,6 +870,16 @@ struct lpfc_hba {
    831     uint32_t cfg_hostmem_hgp;
    832     uint32_t cfg_log_verbose;
    833     uint32_t cfg_enable_fc4_type;
    834     +#define LPFC_ENABLE_FCP 1
    835     +#define LPFC_ENABLE_NVME 2
    836     +#define LPFC_ENABLE_BOTH 3
    837     +#if (IS_ENABLED(CONFIG_NVME_FC))
    838     +#define LPFC_MAX_ENBL_FC4_TYPE LPFC_ENABLE_BOTH
    839     +#define LPFC_DEF_ENBL_FC4_TYPE LPFC_ENABLE_BOTH
    840     +#else
    841     +#define LPFC_MAX_ENBL_FC4_TYPE LPFC_ENABLE_FCP
    842     +#define LPFC_DEF_ENBL_FC4_TYPE LPFC_ENABLE_FCP
    843     +#endif
    844     uint32_t cfg_aer_support;
    845     uint32_t cfg_sriov_nr_virtfn;
    846     uint32_t cfg_request_firmware_upgrade;
    847     @@ -892,9 +902,6 @@ struct lpfc_hba {
    848     uint32_t cfg_ras_fwlog_func;
    849     uint32_t cfg_enable_bbcr; /* Enable BB Credit Recovery */
    850     uint32_t cfg_enable_dpp; /* Enable Direct Packet Push */
    851     -#define LPFC_ENABLE_FCP 1
    852     -#define LPFC_ENABLE_NVME 2
    853     -#define LPFC_ENABLE_BOTH 3
    854     uint32_t cfg_enable_pbde;
    855     struct nvmet_fc_target_port *targetport;
    856     lpfc_vpd_t vpd; /* vital product data */
    857     diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
    858     index 1c541a600149b..d034fe78bf93e 100644
    859     --- a/drivers/scsi/lpfc/lpfc_attr.c
    860     +++ b/drivers/scsi/lpfc/lpfc_attr.c
    861     @@ -3839,8 +3839,8 @@ LPFC_ATTR_R(nvmet_mrq_post,
    862     * 3 - register both FCP and NVME
    863     * Supported values are [1,3]. Default value is 3
    864     */
    865     -LPFC_ATTR_R(enable_fc4_type, LPFC_ENABLE_BOTH,
    866     - LPFC_ENABLE_FCP, LPFC_ENABLE_BOTH,
    867     +LPFC_ATTR_R(enable_fc4_type, LPFC_DEF_ENBL_FC4_TYPE,
    868     + LPFC_ENABLE_FCP, LPFC_MAX_ENBL_FC4_TYPE,
    869     "Enable FC4 Protocol support - FCP / NVME");
    870    
    871     /*
    872     diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c
    873     index cfc3f8b4174ab..2d3d14aa46b4b 100644
    874     --- a/drivers/scsi/myrs.c
    875     +++ b/drivers/scsi/myrs.c
    876     @@ -2272,7 +2272,8 @@ static void myrs_cleanup(struct myrs_hba *cs)
    877     myrs_unmap(cs);
    878    
    879     if (cs->mmio_base) {
    880     - cs->disable_intr(cs);
    881     + if (cs->disable_intr)
    882     + cs->disable_intr(cs);
    883     iounmap(cs->mmio_base);
    884     cs->mmio_base = NULL;
    885     }
    886     diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
    887     index 4e8a284e606c0..d02d1ef0d0116 100644
    888     --- a/drivers/scsi/qedf/qedf_io.c
    889     +++ b/drivers/scsi/qedf/qedf_io.c
    890     @@ -2253,6 +2253,7 @@ int qedf_initiate_cleanup(struct qedf_ioreq *io_req,
    891     io_req->tm_flags == FCP_TMF_TGT_RESET) {
    892     clear_bit(QEDF_CMD_OUTSTANDING, &io_req->flags);
    893     io_req->sc_cmd = NULL;
    894     + kref_put(&io_req->refcount, qedf_release_cmd);
    895     complete(&io_req->tm_done);
    896     }
    897    
    898     diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h
    899     index 9b6bdb62093d7..736cd4955b733 100644
    900     --- a/drivers/staging/fbtft/fbtft.h
    901     +++ b/drivers/staging/fbtft/fbtft.h
    902     @@ -332,7 +332,10 @@ static int __init fbtft_driver_module_init(void) \
    903     ret = spi_register_driver(&fbtft_driver_spi_driver); \
    904     if (ret < 0) \
    905     return ret; \
    906     - return platform_driver_register(&fbtft_driver_platform_driver); \
    907     + ret = platform_driver_register(&fbtft_driver_platform_driver); \
    908     + if (ret < 0) \
    909     + spi_unregister_driver(&fbtft_driver_spi_driver); \
    910     + return ret; \
    911     } \
    912     \
    913     static void __exit fbtft_driver_module_exit(void) \
    914     diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
    915     index 8075f60fd02c3..2d5cf1714ae05 100644
    916     --- a/drivers/target/iscsi/iscsi_target_tpg.c
    917     +++ b/drivers/target/iscsi/iscsi_target_tpg.c
    918     @@ -443,6 +443,9 @@ static bool iscsit_tpg_check_network_portal(
    919     break;
    920     }
    921     spin_unlock(&tpg->tpg_np_lock);
    922     +
    923     + if (match)
    924     + break;
    925     }
    926     spin_unlock(&tiqn->tiqn_tpg_lock);
    927    
    928     diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
    929     index f9c584244f72c..6a55f06c0af26 100644
    930     --- a/drivers/tty/n_tty.c
    931     +++ b/drivers/tty/n_tty.c
    932     @@ -1377,7 +1377,7 @@ handle_newline:
    933     put_tty_queue(c, ldata);
    934     smp_store_release(&ldata->canon_head, ldata->read_head);
    935     kill_fasync(&tty->fasync, SIGIO, POLL_IN);
    936     - wake_up_interruptible_poll(&tty->read_wait, EPOLLIN);
    937     + wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM);
    938     return 0;
    939     }
    940     }
    941     @@ -1658,7 +1658,7 @@ static void __receive_buf(struct tty_struct *tty, const unsigned char *cp,
    942    
    943     if (read_cnt(ldata)) {
    944     kill_fasync(&tty->fasync, SIGIO, POLL_IN);
    945     - wake_up_interruptible_poll(&tty->read_wait, EPOLLIN);
    946     + wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM);
    947     }
    948     }
    949    
    950     diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
    951     index 167c72726c5a0..312857168dad3 100644
    952     --- a/drivers/tty/vt/vt_ioctl.c
    953     +++ b/drivers/tty/vt/vt_ioctl.c
    954     @@ -691,6 +691,7 @@ int vt_ioctl(struct tty_struct *tty,
    955     ret = -ENXIO;
    956     else {
    957     arg--;
    958     + arg = array_index_nospec(arg, MAX_NR_CONSOLES);
    959     console_lock();
    960     ret = vc_allocate(arg);
    961     console_unlock();
    962     @@ -715,9 +716,9 @@ int vt_ioctl(struct tty_struct *tty,
    963     if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
    964     ret = -ENXIO;
    965     else {
    966     - vsa.console = array_index_nospec(vsa.console,
    967     - MAX_NR_CONSOLES + 1);
    968     vsa.console--;
    969     + vsa.console = array_index_nospec(vsa.console,
    970     + MAX_NR_CONSOLES);
    971     console_lock();
    972     ret = vc_allocate(vsa.console);
    973     if (ret == 0) {
    974     diff --git a/drivers/usb/common/ulpi.c b/drivers/usb/common/ulpi.c
    975     index 5a4d08de546fe..c42c152bbc335 100644
    976     --- a/drivers/usb/common/ulpi.c
    977     +++ b/drivers/usb/common/ulpi.c
    978     @@ -132,6 +132,7 @@ static const struct attribute_group *ulpi_dev_attr_groups[] = {
    979    
    980     static void ulpi_dev_release(struct device *dev)
    981     {
    982     + of_node_put(dev->of_node);
    983     kfree(to_ulpi_dev(dev));
    984     }
    985    
    986     @@ -248,12 +249,16 @@ static int ulpi_register(struct device *dev, struct ulpi *ulpi)
    987     return ret;
    988    
    989     ret = ulpi_read_id(ulpi);
    990     - if (ret)
    991     + if (ret) {
    992     + of_node_put(ulpi->dev.of_node);
    993     return ret;
    994     + }
    995    
    996     ret = device_register(&ulpi->dev);
    997     - if (ret)
    998     + if (ret) {
    999     + put_device(&ulpi->dev);
    1000     return ret;
    1001     + }
    1002    
    1003     dev_dbg(&ulpi->dev, "registered ULPI PHY: vendor %04x, product %04x\n",
    1004     ulpi->id.vendor, ulpi->id.product);
    1005     @@ -300,7 +305,6 @@ EXPORT_SYMBOL_GPL(ulpi_register_interface);
    1006     */
    1007     void ulpi_unregister_interface(struct ulpi *ulpi)
    1008     {
    1009     - of_node_put(ulpi->dev.of_node);
    1010     device_unregister(&ulpi->dev);
    1011     }
    1012     EXPORT_SYMBOL_GPL(ulpi_unregister_interface);
    1013     diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
    1014     index 249e8e6aa9282..379bbf27c7ce8 100644
    1015     --- a/drivers/usb/dwc2/gadget.c
    1016     +++ b/drivers/usb/dwc2/gadget.c
    1017     @@ -4979,7 +4979,7 @@ int dwc2_hsotg_suspend(struct dwc2_hsotg *hsotg)
    1018     hsotg->gadget.speed = USB_SPEED_UNKNOWN;
    1019     spin_unlock_irqrestore(&hsotg->lock, flags);
    1020    
    1021     - for (ep = 0; ep < hsotg->num_of_eps; ep++) {
    1022     + for (ep = 1; ep < hsotg->num_of_eps; ep++) {
    1023     if (hsotg->eps_in[ep])
    1024     dwc2_hsotg_ep_disable_lock(&hsotg->eps_in[ep]->ep);
    1025     if (hsotg->eps_out[ep])
    1026     diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
    1027     index 39a9ad12cbbc8..2367bf5a13107 100644
    1028     --- a/drivers/usb/dwc3/gadget.c
    1029     +++ b/drivers/usb/dwc3/gadget.c
    1030     @@ -1020,6 +1020,19 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
    1031     if (usb_endpoint_xfer_bulk(dep->endpoint.desc) && dep->stream_capable)
    1032     trb->ctrl |= DWC3_TRB_CTRL_SID_SOFN(stream_id);
    1033    
    1034     + /*
    1035     + * As per data book 4.2.3.2TRB Control Bit Rules section
    1036     + *
    1037     + * The controller autonomously checks the HWO field of a TRB to determine if the
    1038     + * entire TRB is valid. Therefore, software must ensure that the rest of the TRB
    1039     + * is valid before setting the HWO field to '1'. In most systems, this means that
    1040     + * software must update the fourth DWORD of a TRB last.
    1041     + *
    1042     + * However there is a possibility of CPU re-ordering here which can cause
    1043     + * controller to observe the HWO bit set prematurely.
    1044     + * Add a write memory barrier to prevent CPU re-ordering.
    1045     + */
    1046     + wmb();
    1047     trb->ctrl |= DWC3_TRB_CTRL_HWO;
    1048    
    1049     dwc3_ep_inc_enq(dep);
    1050     diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
    1051     index c5acf5c39fb18..a3106b179562c 100644
    1052     --- a/drivers/usb/gadget/composite.c
    1053     +++ b/drivers/usb/gadget/composite.c
    1054     @@ -1944,6 +1944,9 @@ unknown:
    1055     if (w_index != 0x5 || (w_value >> 8))
    1056     break;
    1057     interface = w_value & 0xFF;
    1058     + if (interface >= MAX_CONFIG_INTERFACES ||
    1059     + !os_desc_cfg->interface[interface])
    1060     + break;
    1061     buf[6] = w_index;
    1062     count = count_ext_prop(os_desc_cfg,
    1063     interface);
    1064     diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
    1065     index 2bea33b41553b..5fd4fc49aef9f 100644
    1066     --- a/drivers/usb/gadget/function/f_fs.c
    1067     +++ b/drivers/usb/gadget/function/f_fs.c
    1068     @@ -1729,16 +1729,24 @@ static void ffs_data_put(struct ffs_data *ffs)
    1069    
    1070     static void ffs_data_closed(struct ffs_data *ffs)
    1071     {
    1072     + struct ffs_epfile *epfiles;
    1073     + unsigned long flags;
    1074     +
    1075     ENTER();
    1076    
    1077     if (atomic_dec_and_test(&ffs->opened)) {
    1078     if (ffs->no_disconnect) {
    1079     ffs->state = FFS_DEACTIVATED;
    1080     - if (ffs->epfiles) {
    1081     - ffs_epfiles_destroy(ffs->epfiles,
    1082     - ffs->eps_count);
    1083     - ffs->epfiles = NULL;
    1084     - }
    1085     + spin_lock_irqsave(&ffs->eps_lock, flags);
    1086     + epfiles = ffs->epfiles;
    1087     + ffs->epfiles = NULL;
    1088     + spin_unlock_irqrestore(&ffs->eps_lock,
    1089     + flags);
    1090     +
    1091     + if (epfiles)
    1092     + ffs_epfiles_destroy(epfiles,
    1093     + ffs->eps_count);
    1094     +
    1095     if (ffs->setup_state == FFS_SETUP_PENDING)
    1096     __ffs_ep0_stall(ffs);
    1097     } else {
    1098     @@ -1785,14 +1793,27 @@ static struct ffs_data *ffs_data_new(const char *dev_name)
    1099    
    1100     static void ffs_data_clear(struct ffs_data *ffs)
    1101     {
    1102     + struct ffs_epfile *epfiles;
    1103     + unsigned long flags;
    1104     +
    1105     ENTER();
    1106    
    1107     ffs_closed(ffs);
    1108    
    1109     BUG_ON(ffs->gadget);
    1110    
    1111     - if (ffs->epfiles) {
    1112     - ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
    1113     + spin_lock_irqsave(&ffs->eps_lock, flags);
    1114     + epfiles = ffs->epfiles;
    1115     + ffs->epfiles = NULL;
    1116     + spin_unlock_irqrestore(&ffs->eps_lock, flags);
    1117     +
    1118     + /*
    1119     + * potential race possible between ffs_func_eps_disable
    1120     + * & ffs_epfile_release therefore maintaining a local
    1121     + * copy of epfile will save us from use-after-free.
    1122     + */
    1123     + if (epfiles) {
    1124     + ffs_epfiles_destroy(epfiles, ffs->eps_count);
    1125     ffs->epfiles = NULL;
    1126     }
    1127    
    1128     @@ -1940,12 +1961,15 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
    1129    
    1130     static void ffs_func_eps_disable(struct ffs_function *func)
    1131     {
    1132     - struct ffs_ep *ep = func->eps;
    1133     - struct ffs_epfile *epfile = func->ffs->epfiles;
    1134     - unsigned count = func->ffs->eps_count;
    1135     + struct ffs_ep *ep;
    1136     + struct ffs_epfile *epfile;
    1137     + unsigned short count;
    1138     unsigned long flags;
    1139    
    1140     spin_lock_irqsave(&func->ffs->eps_lock, flags);
    1141     + count = func->ffs->eps_count;
    1142     + epfile = func->ffs->epfiles;
    1143     + ep = func->eps;
    1144     while (count--) {
    1145     /* pending requests get nuked */
    1146     if (likely(ep->ep))
    1147     @@ -1963,14 +1987,18 @@ static void ffs_func_eps_disable(struct ffs_function *func)
    1148    
    1149     static int ffs_func_eps_enable(struct ffs_function *func)
    1150     {
    1151     - struct ffs_data *ffs = func->ffs;
    1152     - struct ffs_ep *ep = func->eps;
    1153     - struct ffs_epfile *epfile = ffs->epfiles;
    1154     - unsigned count = ffs->eps_count;
    1155     + struct ffs_data *ffs;
    1156     + struct ffs_ep *ep;
    1157     + struct ffs_epfile *epfile;
    1158     + unsigned short count;
    1159     unsigned long flags;
    1160     int ret = 0;
    1161    
    1162     spin_lock_irqsave(&func->ffs->eps_lock, flags);
    1163     + ffs = func->ffs;
    1164     + ep = func->eps;
    1165     + epfile = ffs->epfiles;
    1166     + count = ffs->eps_count;
    1167     while(count--) {
    1168     ep->ep->driver_data = ep;
    1169    
    1170     diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
    1171     index dd960cea642f3..11cc6056b5902 100644
    1172     --- a/drivers/usb/gadget/function/f_uac2.c
    1173     +++ b/drivers/usb/gadget/function/f_uac2.c
    1174     @@ -176,7 +176,7 @@ static struct uac2_input_terminal_descriptor io_in_it_desc = {
    1175    
    1176     .bDescriptorSubtype = UAC_INPUT_TERMINAL,
    1177     /* .bTerminalID = DYNAMIC */
    1178     - .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_UNDEFINED),
    1179     + .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_MICROPHONE),
    1180     .bAssocTerminal = 0,
    1181     /* .bCSourceID = DYNAMIC */
    1182     .iChannelNames = 0,
    1183     @@ -204,7 +204,7 @@ static struct uac2_output_terminal_descriptor io_out_ot_desc = {
    1184    
    1185     .bDescriptorSubtype = UAC_OUTPUT_TERMINAL,
    1186     /* .bTerminalID = DYNAMIC */
    1187     - .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_UNDEFINED),
    1188     + .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_SPEAKER),
    1189     .bAssocTerminal = 0,
    1190     /* .bSourceID = DYNAMIC */
    1191     /* .bCSourceID = DYNAMIC */
    1192     diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
    1193     index 04c142c130759..ab827c1badc50 100644
    1194     --- a/drivers/usb/gadget/function/rndis.c
    1195     +++ b/drivers/usb/gadget/function/rndis.c
    1196     @@ -637,14 +637,17 @@ static int rndis_set_response(struct rndis_params *params,
    1197     rndis_set_cmplt_type *resp;
    1198     rndis_resp_t *r;
    1199    
    1200     + BufLength = le32_to_cpu(buf->InformationBufferLength);
    1201     + BufOffset = le32_to_cpu(buf->InformationBufferOffset);
    1202     + if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
    1203     + (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
    1204     + return -EINVAL;
    1205     +
    1206     r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
    1207     if (!r)
    1208     return -ENOMEM;
    1209     resp = (rndis_set_cmplt_type *)r->buf;
    1210    
    1211     - BufLength = le32_to_cpu(buf->InformationBufferLength);
    1212     - BufOffset = le32_to_cpu(buf->InformationBufferOffset);
    1213     -
    1214     #ifdef VERBOSE_DEBUG
    1215     pr_debug("%s: Length: %d\n", __func__, BufLength);
    1216     pr_debug("%s: Offset: %d\n", __func__, BufOffset);
    1217     diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
    1218     index b6653bc7acc26..0bbd180022aa7 100644
    1219     --- a/drivers/usb/gadget/udc/renesas_usb3.c
    1220     +++ b/drivers/usb/gadget/udc/renesas_usb3.c
    1221     @@ -2363,6 +2363,8 @@ static void handle_ext_role_switch_states(struct device *dev,
    1222     switch (role) {
    1223     case USB_ROLE_NONE:
    1224     usb3->connection_state = USB_ROLE_NONE;
    1225     + if (cur_role == USB_ROLE_HOST)
    1226     + device_release_driver(host);
    1227     if (usb3->driver)
    1228     usb3_disconnect(usb3);
    1229     usb3_vbus_out(usb3, false);
    1230     diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
    1231     index a82ba9cc0c724..a5c10fe9f72a1 100644
    1232     --- a/drivers/usb/serial/ch341.c
    1233     +++ b/drivers/usb/serial/ch341.c
    1234     @@ -84,6 +84,7 @@ static const struct usb_device_id id_table[] = {
    1235     { USB_DEVICE(0x1a86, 0x5523) },
    1236     { USB_DEVICE(0x1a86, 0x7522) },
    1237     { USB_DEVICE(0x1a86, 0x7523) },
    1238     + { USB_DEVICE(0x2184, 0x0057) },
    1239     { USB_DEVICE(0x4348, 0x5523) },
    1240     { USB_DEVICE(0x9986, 0x7523) },
    1241     { },
    1242     diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
    1243     index 50f289b124d0d..dfa7c504befe8 100644
    1244     --- a/drivers/usb/serial/cp210x.c
    1245     +++ b/drivers/usb/serial/cp210x.c
    1246     @@ -52,6 +52,7 @@ static int cp210x_port_remove(struct usb_serial_port *);
    1247     static void cp210x_dtr_rts(struct usb_serial_port *p, int on);
    1248    
    1249     static const struct usb_device_id id_table[] = {
    1250     + { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */
    1251     { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */
    1252     { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
    1253     { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
    1254     @@ -69,6 +70,7 @@ static const struct usb_device_id id_table[] = {
    1255     { USB_DEVICE(0x0FCF, 0x1004) }, /* Dynastream ANT2USB */
    1256     { USB_DEVICE(0x0FCF, 0x1006) }, /* Dynastream ANT development board */
    1257     { USB_DEVICE(0x0FDE, 0xCA05) }, /* OWL Wireless Electricity Monitor CM-160 */
    1258     + { USB_DEVICE(0x106F, 0x0003) }, /* CPI / Money Controls Bulk Coin Recycler */
    1259     { USB_DEVICE(0x10A6, 0xAA26) }, /* Knock-off DCU-11 cable */
    1260     { USB_DEVICE(0x10AB, 0x10C5) }, /* Siemens MC60 Cable */
    1261     { USB_DEVICE(0x10B5, 0xAC70) }, /* Nokia CA-42 USB */
    1262     diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
    1263     index 1ec623e46214b..48323165139ad 100644
    1264     --- a/drivers/usb/serial/ftdi_sio.c
    1265     +++ b/drivers/usb/serial/ftdi_sio.c
    1266     @@ -969,6 +969,7 @@ static const struct usb_device_id id_table_combined[] = {
    1267     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
    1268     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
    1269     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
    1270     + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_159_PID) },
    1271     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
    1272     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
    1273     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
    1274     @@ -977,12 +978,14 @@ static const struct usb_device_id id_table_combined[] = {
    1275     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
    1276     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
    1277     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
    1278     + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_235_PID) },
    1279     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
    1280     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
    1281     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
    1282     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
    1283     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
    1284     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
    1285     + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_320_PID) },
    1286     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
    1287     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) },
    1288     { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
    1289     diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
    1290     index 755858ca20bac..d1a9564697a4b 100644
    1291     --- a/drivers/usb/serial/ftdi_sio_ids.h
    1292     +++ b/drivers/usb/serial/ftdi_sio_ids.h
    1293     @@ -1506,6 +1506,9 @@
    1294     #define BRAINBOXES_VX_023_PID 0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
    1295     #define BRAINBOXES_VX_034_PID 0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
    1296     #define BRAINBOXES_US_101_PID 0x1011 /* US-101 1xRS232 */
    1297     +#define BRAINBOXES_US_159_PID 0x1021 /* US-159 1xRS232 */
    1298     +#define BRAINBOXES_US_235_PID 0x1017 /* US-235 1xRS232 */
    1299     +#define BRAINBOXES_US_320_PID 0x1019 /* US-320 1xRS422/485 */
    1300     #define BRAINBOXES_US_324_PID 0x1013 /* US-324 1xRS422/485 1Mbaud */
    1301     #define BRAINBOXES_US_606_1_PID 0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
    1302     #define BRAINBOXES_US_606_2_PID 0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
    1303     diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
    1304     index 2397d83434931..81e7833910ca8 100644
    1305     --- a/drivers/usb/serial/option.c
    1306     +++ b/drivers/usb/serial/option.c
    1307     @@ -1649,6 +1649,8 @@ static const struct usb_device_id option_ids[] = {
    1308     .driver_info = RSVD(2) },
    1309     { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
    1310     { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */
    1311     + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1485, 0xff, 0xff, 0xff), /* ZTE MF286D */
    1312     + .driver_info = RSVD(5) },
    1313     { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
    1314     { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
    1315     { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
    1316     diff --git a/fs/nfs/callback.h b/fs/nfs/callback.h
    1317     index 8f34daf85f703..5d5227ce4d91e 100644
    1318     --- a/fs/nfs/callback.h
    1319     +++ b/fs/nfs/callback.h
    1320     @@ -168,7 +168,7 @@ struct cb_devicenotifyitem {
    1321     };
    1322    
    1323     struct cb_devicenotifyargs {
    1324     - int ndevs;
    1325     + uint32_t ndevs;
    1326     struct cb_devicenotifyitem *devs;
    1327     };
    1328    
    1329     diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c
    1330     index fc775b0b5194f..b8a7b223b5b18 100644
    1331     --- a/fs/nfs/callback_proc.c
    1332     +++ b/fs/nfs/callback_proc.c
    1333     @@ -364,7 +364,7 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp,
    1334     struct cb_process_state *cps)
    1335     {
    1336     struct cb_devicenotifyargs *args = argp;
    1337     - int i;
    1338     + uint32_t i;
    1339     __be32 res = 0;
    1340     struct nfs_client *clp = cps->clp;
    1341     struct nfs_server *server = NULL;
    1342     diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
    1343     index 73a5a5ea29766..90b5511c4c440 100644
    1344     --- a/fs/nfs/callback_xdr.c
    1345     +++ b/fs/nfs/callback_xdr.c
    1346     @@ -258,11 +258,9 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
    1347     void *argp)
    1348     {
    1349     struct cb_devicenotifyargs *args = argp;
    1350     + uint32_t tmp, n, i;
    1351     __be32 *p;
    1352     __be32 status = 0;
    1353     - u32 tmp;
    1354     - int n, i;
    1355     - args->ndevs = 0;
    1356    
    1357     /* Num of device notifications */
    1358     p = xdr_inline_decode(xdr, sizeof(uint32_t));
    1359     @@ -271,7 +269,7 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
    1360     goto out;
    1361     }
    1362     n = ntohl(*p++);
    1363     - if (n <= 0)
    1364     + if (n == 0)
    1365     goto out;
    1366     if (n > ULONG_MAX / sizeof(*args->devs)) {
    1367     status = htonl(NFS4ERR_BADXDR);
    1368     @@ -330,19 +328,21 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
    1369     dev->cbd_immediate = 0;
    1370     }
    1371    
    1372     - args->ndevs++;
    1373     -
    1374     dprintk("%s: type %d layout 0x%x immediate %d\n",
    1375     __func__, dev->cbd_notify_type, dev->cbd_layout_type,
    1376     dev->cbd_immediate);
    1377     }
    1378     + args->ndevs = n;
    1379     + dprintk("%s: ndevs %d\n", __func__, args->ndevs);
    1380     + return 0;
    1381     +err:
    1382     + kfree(args->devs);
    1383     out:
    1384     + args->devs = NULL;
    1385     + args->ndevs = 0;
    1386     dprintk("%s: status %d ndevs %d\n",
    1387     __func__, ntohl(status), args->ndevs);
    1388     return status;
    1389     -err:
    1390     - kfree(args->devs);
    1391     - goto out;
    1392     }
    1393    
    1394     static __be32 decode_sessionid(struct xdr_stream *xdr,
    1395     diff --git a/fs/nfs/client.c b/fs/nfs/client.c
    1396     index af838d1ed281c..35abe63655a9d 100644
    1397     --- a/fs/nfs/client.c
    1398     +++ b/fs/nfs/client.c
    1399     @@ -176,6 +176,7 @@ struct nfs_client *nfs_alloc_client(const struct nfs_client_initdata *cl_init)
    1400     INIT_LIST_HEAD(&clp->cl_superblocks);
    1401     clp->cl_rpcclient = ERR_PTR(-EINVAL);
    1402    
    1403     + clp->cl_flags = cl_init->init_flags;
    1404     clp->cl_proto = cl_init->proto;
    1405     clp->cl_nconnect = cl_init->nconnect;
    1406     clp->cl_net = get_net(cl_init->net);
    1407     @@ -419,7 +420,6 @@ struct nfs_client *nfs_get_client(const struct nfs_client_initdata *cl_init)
    1408     list_add_tail(&new->cl_share_link,
    1409     &nn->nfs_client_list);
    1410     spin_unlock(&nn->nfs_client_lock);
    1411     - new->cl_flags = cl_init->init_flags;
    1412     return rpc_ops->init_client(new, cl_init);
    1413     }
    1414    
    1415     diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
    1416     index 5708b5a636f19..ebd77a301057e 100644
    1417     --- a/fs/nfs/nfs4_fs.h
    1418     +++ b/fs/nfs/nfs4_fs.h
    1419     @@ -279,7 +279,8 @@ struct vfsmount *nfs4_submount(struct nfs_server *, struct dentry *,
    1420     struct nfs_fh *, struct nfs_fattr *);
    1421     int nfs4_replace_transport(struct nfs_server *server,
    1422     const struct nfs4_fs_locations *locations);
    1423     -
    1424     +size_t nfs_parse_server_name(char *string, size_t len, struct sockaddr *sa,
    1425     + size_t salen, struct net *net);
    1426     /* nfs4proc.c */
    1427     extern int nfs4_handle_exception(struct nfs_server *, int, struct nfs4_exception *);
    1428     extern int nfs4_async_handle_error(struct rpc_task *task,
    1429     diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
    1430     index 8cace8350fa3d..3671a51fe5ebc 100644
    1431     --- a/fs/nfs/nfs4client.c
    1432     +++ b/fs/nfs/nfs4client.c
    1433     @@ -1293,8 +1293,11 @@ int nfs4_update_server(struct nfs_server *server, const char *hostname,
    1434     }
    1435     nfs_put_client(clp);
    1436    
    1437     - if (server->nfs_client->cl_hostname == NULL)
    1438     + if (server->nfs_client->cl_hostname == NULL) {
    1439     server->nfs_client->cl_hostname = kstrdup(hostname, GFP_KERNEL);
    1440     + if (server->nfs_client->cl_hostname == NULL)
    1441     + return -ENOMEM;
    1442     + }
    1443     nfs_server_insert_lists(server);
    1444    
    1445     return nfs_probe_destination(server);
    1446     diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
    1447     index 2e460c33ae487..768258848a684 100644
    1448     --- a/fs/nfs/nfs4namespace.c
    1449     +++ b/fs/nfs/nfs4namespace.c
    1450     @@ -121,8 +121,8 @@ static int nfs4_validate_fspath(struct dentry *dentry,
    1451     return 0;
    1452     }
    1453    
    1454     -static size_t nfs_parse_server_name(char *string, size_t len,
    1455     - struct sockaddr *sa, size_t salen, struct net *net)
    1456     +size_t nfs_parse_server_name(char *string, size_t len, struct sockaddr *sa,
    1457     + size_t salen, struct net *net)
    1458     {
    1459     ssize_t ret;
    1460    
    1461     diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
    1462     index ea680f619438b..aa2caba38a014 100644
    1463     --- a/fs/nfs/nfs4state.c
    1464     +++ b/fs/nfs/nfs4state.c
    1465     @@ -2070,6 +2070,9 @@ static int nfs4_try_migration(struct nfs_server *server, const struct cred *cred
    1466     }
    1467    
    1468     result = -NFS4ERR_NXIO;
    1469     + if (!locations->nlocations)
    1470     + goto out;
    1471     +
    1472     if (!(locations->fattr.valid & NFS_ATTR_FATTR_V4_LOCATIONS)) {
    1473     dprintk("<-- %s: No fs_locations data, migration skipped\n",
    1474     __func__);
    1475     diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
    1476     index 9a022a4fb9643..2b7741fe42ead 100644
    1477     --- a/fs/nfs/nfs4xdr.c
    1478     +++ b/fs/nfs/nfs4xdr.c
    1479     @@ -3683,8 +3683,6 @@ static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
    1480     if (unlikely(!p))
    1481     goto out_eio;
    1482     n = be32_to_cpup(p);
    1483     - if (n <= 0)
    1484     - goto out_eio;
    1485     for (res->nlocations = 0; res->nlocations < n; res->nlocations++) {
    1486     u32 m;
    1487     struct nfs4_fs_location *loc;
    1488     @@ -4187,10 +4185,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
    1489     } else
    1490     printk(KERN_WARNING "%s: label too long (%u)!\n",
    1491     __func__, len);
    1492     + if (label && label->label)
    1493     + dprintk("%s: label=%.*s, len=%d, PI=%d, LFS=%d\n",
    1494     + __func__, label->len, (char *)label->label,
    1495     + label->len, label->pi, label->lfs);
    1496     }
    1497     - if (label && label->label)
    1498     - dprintk("%s: label=%s, len=%d, PI=%d, LFS=%d\n", __func__,
    1499     - (char *)label->label, label->len, label->pi, label->lfs);
    1500     return status;
    1501     }
    1502    
    1503     diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
    1504     index cea68d8411ac5..bb97c020c96b1 100644
    1505     --- a/fs/nfsd/nfs3proc.c
    1506     +++ b/fs/nfsd/nfs3proc.c
    1507     @@ -195,6 +195,11 @@ nfsd3_proc_write(struct svc_rqst *rqstp)
    1508     (unsigned long long) argp->offset,
    1509     argp->stable? " stable" : "");
    1510    
    1511     + resp->status = nfserr_fbig;
    1512     + if (argp->offset > (u64)OFFSET_MAX ||
    1513     + argp->offset + argp->len > (u64)OFFSET_MAX)
    1514     + return rpc_success;
    1515     +
    1516     fh_copy(&resp->fh, &argp->fh);
    1517     resp->committed = argp->stable;
    1518     nvecs = svc_fill_write_vector(rqstp, rqstp->rq_arg.pages,
    1519     diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
    1520     index 4798667af647c..452ed633a2c76 100644
    1521     --- a/fs/nfsd/nfs4proc.c
    1522     +++ b/fs/nfsd/nfs4proc.c
    1523     @@ -992,8 +992,9 @@ nfsd4_write(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
    1524     unsigned long cnt;
    1525     int nvecs;
    1526    
    1527     - if (write->wr_offset >= OFFSET_MAX)
    1528     - return nfserr_inval;
    1529     + if (write->wr_offset > (u64)OFFSET_MAX ||
    1530     + write->wr_offset + write->wr_buflen > (u64)OFFSET_MAX)
    1531     + return nfserr_fbig;
    1532    
    1533     cnt = write->wr_buflen;
    1534     trace_nfsd_write_start(rqstp, &cstate->current_fh,
    1535     diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h
    1536     index b073bdc2e6e89..127db5351d016 100644
    1537     --- a/fs/nfsd/trace.h
    1538     +++ b/fs/nfsd/trace.h
    1539     @@ -53,14 +53,14 @@ TRACE_EVENT(nfsd_compound_status,
    1540     DECLARE_EVENT_CLASS(nfsd_io_class,
    1541     TP_PROTO(struct svc_rqst *rqstp,
    1542     struct svc_fh *fhp,
    1543     - loff_t offset,
    1544     - unsigned long len),
    1545     + u64 offset,
    1546     + u32 len),
    1547     TP_ARGS(rqstp, fhp, offset, len),
    1548     TP_STRUCT__entry(
    1549     __field(u32, xid)
    1550     __field(u32, fh_hash)
    1551     - __field(loff_t, offset)
    1552     - __field(unsigned long, len)
    1553     + __field(u64, offset)
    1554     + __field(u32, len)
    1555     ),
    1556     TP_fast_assign(
    1557     __entry->xid = be32_to_cpu(rqstp->rq_xid);
    1558     @@ -68,7 +68,7 @@ DECLARE_EVENT_CLASS(nfsd_io_class,
    1559     __entry->offset = offset;
    1560     __entry->len = len;
    1561     ),
    1562     - TP_printk("xid=0x%08x fh_hash=0x%08x offset=%lld len=%lu",
    1563     + TP_printk("xid=0x%08x fh_hash=0x%08x offset=%llu len=%u",
    1564     __entry->xid, __entry->fh_hash,
    1565     __entry->offset, __entry->len)
    1566     )
    1567     @@ -77,8 +77,8 @@ DECLARE_EVENT_CLASS(nfsd_io_class,
    1568     DEFINE_EVENT(nfsd_io_class, nfsd_##name, \
    1569     TP_PROTO(struct svc_rqst *rqstp, \
    1570     struct svc_fh *fhp, \
    1571     - loff_t offset, \
    1572     - unsigned long len), \
    1573     + u64 offset, \
    1574     + u32 len), \
    1575     TP_ARGS(rqstp, fhp, offset, len))
    1576    
    1577     DEFINE_NFSD_IO_EVENT(read_start);
    1578     diff --git a/include/linux/suspend.h b/include/linux/suspend.h
    1579     index cd97d2c8840cc..194e64cb25850 100644
    1580     --- a/include/linux/suspend.h
    1581     +++ b/include/linux/suspend.h
    1582     @@ -428,15 +428,7 @@ struct platform_hibernation_ops {
    1583    
    1584     #ifdef CONFIG_HIBERNATION
    1585     /* kernel/power/snapshot.c */
    1586     -extern void __register_nosave_region(unsigned long b, unsigned long e, int km);
    1587     -static inline void __init register_nosave_region(unsigned long b, unsigned long e)
    1588     -{
    1589     - __register_nosave_region(b, e, 0);
    1590     -}
    1591     -static inline void __init register_nosave_region_late(unsigned long b, unsigned long e)
    1592     -{
    1593     - __register_nosave_region(b, e, 1);
    1594     -}
    1595     +extern void register_nosave_region(unsigned long b, unsigned long e);
    1596     extern int swsusp_page_is_forbidden(struct page *);
    1597     extern void swsusp_set_page_free(struct page *);
    1598     extern void swsusp_unset_page_free(struct page *);
    1599     @@ -453,7 +445,6 @@ extern struct pbe *restore_pblist;
    1600     int pfn_is_nosave(unsigned long pfn);
    1601     #else /* CONFIG_HIBERNATION */
    1602     static inline void register_nosave_region(unsigned long b, unsigned long e) {}
    1603     -static inline void register_nosave_region_late(unsigned long b, unsigned long e) {}
    1604     static inline int swsusp_page_is_forbidden(struct page *p) { return 0; }
    1605     static inline void swsusp_set_page_free(struct page *p) {}
    1606     static inline void swsusp_unset_page_free(struct page *p) {}
    1607     @@ -491,14 +482,14 @@ extern void ksys_sync_helper(void);
    1608    
    1609     /* drivers/base/power/wakeup.c */
    1610     extern bool events_check_enabled;
    1611     -extern unsigned int pm_wakeup_irq;
    1612     extern suspend_state_t pm_suspend_target_state;
    1613    
    1614     extern bool pm_wakeup_pending(void);
    1615     extern void pm_system_wakeup(void);
    1616     extern void pm_system_cancel_wakeup(void);
    1617     -extern void pm_wakeup_clear(bool reset);
    1618     +extern void pm_wakeup_clear(unsigned int irq_number);
    1619     extern void pm_system_irq_wakeup(unsigned int irq_number);
    1620     +extern unsigned int pm_wakeup_irq(void);
    1621     extern bool pm_get_wakeup_count(unsigned int *count, bool block);
    1622     extern bool pm_save_wakeup_count(unsigned int count);
    1623     extern void pm_wakep_autosleep_enabled(bool set);
    1624     diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h
    1625     index 14efa0ded75dd..adab27ba1ecbf 100644
    1626     --- a/include/net/dst_metadata.h
    1627     +++ b/include/net/dst_metadata.h
    1628     @@ -123,8 +123,20 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb)
    1629    
    1630     memcpy(&new_md->u.tun_info, &md_dst->u.tun_info,
    1631     sizeof(struct ip_tunnel_info) + md_size);
    1632     +#ifdef CONFIG_DST_CACHE
    1633     + /* Unclone the dst cache if there is one */
    1634     + if (new_md->u.tun_info.dst_cache.cache) {
    1635     + int ret;
    1636     +
    1637     + ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC);
    1638     + if (ret) {
    1639     + metadata_dst_free(new_md);
    1640     + return ERR_PTR(ret);
    1641     + }
    1642     + }
    1643     +#endif
    1644     +
    1645     skb_dst_drop(skb);
    1646     - dst_hold(&new_md->dst);
    1647     skb_dst_set(skb, &new_md->dst);
    1648     return new_md;
    1649     }
    1650     diff --git a/init/Kconfig b/init/Kconfig
    1651     index f23e90d9935f5..e6216dc2a1d1c 100644
    1652     --- a/init/Kconfig
    1653     +++ b/init/Kconfig
    1654     @@ -1609,6 +1609,16 @@ config BPF_JIT_ALWAYS_ON
    1655     Enables BPF JIT and removes BPF interpreter to avoid
    1656     speculative execution of BPF instructions by the interpreter
    1657    
    1658     +config BPF_UNPRIV_DEFAULT_OFF
    1659     + bool "Disable unprivileged BPF by default"
    1660     + depends on BPF_SYSCALL
    1661     + help
    1662     + Disables unprivileged BPF by default by setting the corresponding
    1663     + /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
    1664     + still reenable it by setting it to 0 later on, or permanently
    1665     + disable it by setting it to 1 (from which no other transition to
    1666     + 0 is possible anymore).
    1667     +
    1668     config USERFAULTFD
    1669     bool "Enable userfaultfd() system call"
    1670     depends on MMU
    1671     diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
    1672     index bf03d04a9e2f8..9ebdcdaa5f162 100644
    1673     --- a/kernel/bpf/syscall.c
    1674     +++ b/kernel/bpf/syscall.c
    1675     @@ -39,7 +39,8 @@ static DEFINE_SPINLOCK(prog_idr_lock);
    1676     static DEFINE_IDR(map_idr);
    1677     static DEFINE_SPINLOCK(map_idr_lock);
    1678    
    1679     -int sysctl_unprivileged_bpf_disabled __read_mostly;
    1680     +int sysctl_unprivileged_bpf_disabled __read_mostly =
    1681     + IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
    1682    
    1683     static const struct bpf_map_ops * const bpf_map_types[] = {
    1684     #define BPF_PROG_TYPE(_id, _ops)
    1685     diff --git a/kernel/events/core.c b/kernel/events/core.c
    1686     index 7e124f9abb18b..f720a40ccaf5f 100644
    1687     --- a/kernel/events/core.c
    1688     +++ b/kernel/events/core.c
    1689     @@ -799,7 +799,7 @@ static DEFINE_PER_CPU(struct list_head, cgrp_cpuctx_list);
    1690     */
    1691     static void perf_cgroup_switch(struct task_struct *task, int mode)
    1692     {
    1693     - struct perf_cpu_context *cpuctx;
    1694     + struct perf_cpu_context *cpuctx, *tmp;
    1695     struct list_head *list;
    1696     unsigned long flags;
    1697    
    1698     @@ -810,7 +810,7 @@ static void perf_cgroup_switch(struct task_struct *task, int mode)
    1699     local_irq_save(flags);
    1700    
    1701     list = this_cpu_ptr(&cgrp_cpuctx_list);
    1702     - list_for_each_entry(cpuctx, list, cgrp_cpuctx_entry) {
    1703     + list_for_each_entry_safe(cpuctx, tmp, list, cgrp_cpuctx_entry) {
    1704     WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0);
    1705    
    1706     perf_ctx_lock(cpuctx, cpuctx->task_ctx);
    1707     diff --git a/kernel/power/main.c b/kernel/power/main.c
    1708     index e26de7af520be..718884857830b 100644
    1709     --- a/kernel/power/main.c
    1710     +++ b/kernel/power/main.c
    1711     @@ -472,7 +472,10 @@ static ssize_t pm_wakeup_irq_show(struct kobject *kobj,
    1712     struct kobj_attribute *attr,
    1713     char *buf)
    1714     {
    1715     - return pm_wakeup_irq ? sprintf(buf, "%u\n", pm_wakeup_irq) : -ENODATA;
    1716     + if (!pm_wakeup_irq())
    1717     + return -ENODATA;
    1718     +
    1719     + return sprintf(buf, "%u\n", pm_wakeup_irq());
    1720     }
    1721    
    1722     power_attr_ro(pm_wakeup_irq);
    1723     diff --git a/kernel/power/process.c b/kernel/power/process.c
    1724     index 4b6a54da7e65b..e9f4def4d2915 100644
    1725     --- a/kernel/power/process.c
    1726     +++ b/kernel/power/process.c
    1727     @@ -134,7 +134,7 @@ int freeze_processes(void)
    1728     if (!pm_freezing)
    1729     atomic_inc(&system_freezing_cnt);
    1730    
    1731     - pm_wakeup_clear(true);
    1732     + pm_wakeup_clear(0);
    1733     pr_info("Freezing user space processes ... ");
    1734     pm_freezing = true;
    1735     error = try_to_freeze_tasks(true);
    1736     diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
    1737     index d65f2d5ab6942..46455aa7951ec 100644
    1738     --- a/kernel/power/snapshot.c
    1739     +++ b/kernel/power/snapshot.c
    1740     @@ -945,8 +945,7 @@ static void memory_bm_recycle(struct memory_bitmap *bm)
    1741     * Register a range of page frames the contents of which should not be saved
    1742     * during hibernation (to be used in the early initialization code).
    1743     */
    1744     -void __init __register_nosave_region(unsigned long start_pfn,
    1745     - unsigned long end_pfn, int use_kmalloc)
    1746     +void __init register_nosave_region(unsigned long start_pfn, unsigned long end_pfn)
    1747     {
    1748     struct nosave_region *region;
    1749    
    1750     @@ -962,18 +961,12 @@ void __init __register_nosave_region(unsigned long start_pfn,
    1751     goto Report;
    1752     }
    1753     }
    1754     - if (use_kmalloc) {
    1755     - /* During init, this shouldn't fail */
    1756     - region = kmalloc(sizeof(struct nosave_region), GFP_KERNEL);
    1757     - BUG_ON(!region);
    1758     - } else {
    1759     - /* This allocation cannot fail */
    1760     - region = memblock_alloc(sizeof(struct nosave_region),
    1761     - SMP_CACHE_BYTES);
    1762     - if (!region)
    1763     - panic("%s: Failed to allocate %zu bytes\n", __func__,
    1764     - sizeof(struct nosave_region));
    1765     - }
    1766     + /* This allocation cannot fail */
    1767     + region = memblock_alloc(sizeof(struct nosave_region),
    1768     + SMP_CACHE_BYTES);
    1769     + if (!region)
    1770     + panic("%s: Failed to allocate %zu bytes\n", __func__,
    1771     + sizeof(struct nosave_region));
    1772     region->start_pfn = start_pfn;
    1773     region->end_pfn = end_pfn;
    1774     list_add_tail(&region->list, &nosave_regions);
    1775     diff --git a/kernel/power/suspend.c b/kernel/power/suspend.c
    1776     index 27f149f5d4a9f..5dea2778a3dbb 100644
    1777     --- a/kernel/power/suspend.c
    1778     +++ b/kernel/power/suspend.c
    1779     @@ -138,8 +138,6 @@ static void s2idle_loop(void)
    1780     break;
    1781     }
    1782    
    1783     - pm_wakeup_clear(false);
    1784     -
    1785     s2idle_enter();
    1786     }
    1787    
    1788     diff --git a/kernel/seccomp.c b/kernel/seccomp.c
    1789     index 1d62fa2b6b918..b2e1981663b88 100644
    1790     --- a/kernel/seccomp.c
    1791     +++ b/kernel/seccomp.c
    1792     @@ -28,6 +28,9 @@
    1793     #include <linux/syscalls.h>
    1794     #include <linux/sysctl.h>
    1795    
    1796     +/* Not exposed in headers: strictly internal use only. */
    1797     +#define SECCOMP_MODE_DEAD (SECCOMP_MODE_FILTER + 1)
    1798     +
    1799     #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
    1800     #include <asm/syscall.h>
    1801     #endif
    1802     @@ -706,6 +709,7 @@ static void __secure_computing_strict(int this_syscall)
    1803     #ifdef SECCOMP_DEBUG
    1804     dump_stack();
    1805     #endif
    1806     + current->seccomp.mode = SECCOMP_MODE_DEAD;
    1807     seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);
    1808     do_exit(SIGKILL);
    1809     }
    1810     @@ -892,6 +896,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
    1811     case SECCOMP_RET_KILL_THREAD:
    1812     case SECCOMP_RET_KILL_PROCESS:
    1813     default:
    1814     + current->seccomp.mode = SECCOMP_MODE_DEAD;
    1815     seccomp_log(this_syscall, SIGSYS, action, true);
    1816     /* Dump core only if this is the last remaining thread. */
    1817     if (action == SECCOMP_RET_KILL_PROCESS ||
    1818     @@ -944,6 +949,11 @@ int __secure_computing(const struct seccomp_data *sd)
    1819     return 0;
    1820     case SECCOMP_MODE_FILTER:
    1821     return __seccomp_filter(this_syscall, sd, false);
    1822     + /* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
    1823     + case SECCOMP_MODE_DEAD:
    1824     + WARN_ON_ONCE(1);
    1825     + do_exit(SIGKILL);
    1826     + return -1;
    1827     default:
    1828     BUG();
    1829     }
    1830     diff --git a/kernel/sysctl.c b/kernel/sysctl.c
    1831     index eae6a078619f9..8494d5a706bb5 100644
    1832     --- a/kernel/sysctl.c
    1833     +++ b/kernel/sysctl.c
    1834     @@ -250,6 +250,28 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
    1835    
    1836     #endif
    1837    
    1838     +#ifdef CONFIG_BPF_SYSCALL
    1839     +static int bpf_unpriv_handler(struct ctl_table *table, int write,
    1840     + void *buffer, size_t *lenp, loff_t *ppos)
    1841     +{
    1842     + int ret, unpriv_enable = *(int *)table->data;
    1843     + bool locked_state = unpriv_enable == 1;
    1844     + struct ctl_table tmp = *table;
    1845     +
    1846     + if (write && !capable(CAP_SYS_ADMIN))
    1847     + return -EPERM;
    1848     +
    1849     + tmp.data = &unpriv_enable;
    1850     + ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
    1851     + if (write && !ret) {
    1852     + if (locked_state && unpriv_enable != 1)
    1853     + return -EPERM;
    1854     + *(int *)table->data = unpriv_enable;
    1855     + }
    1856     + return ret;
    1857     +}
    1858     +#endif
    1859     +
    1860     static struct ctl_table kern_table[];
    1861     static struct ctl_table vm_table[];
    1862     static struct ctl_table fs_table[];
    1863     @@ -1255,10 +1277,9 @@ static struct ctl_table kern_table[] = {
    1864     .data = &sysctl_unprivileged_bpf_disabled,
    1865     .maxlen = sizeof(sysctl_unprivileged_bpf_disabled),
    1866     .mode = 0644,
    1867     - /* only handle a transition from default "0" to "1" */
    1868     - .proc_handler = proc_dointvec_minmax,
    1869     - .extra1 = SYSCTL_ONE,
    1870     - .extra2 = SYSCTL_ONE,
    1871     + .proc_handler = bpf_unpriv_handler,
    1872     + .extra1 = SYSCTL_ZERO,
    1873     + .extra2 = &two,
    1874     },
    1875     {
    1876     .procname = "bpf_stats_enabled",
    1877     diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
    1878     index 0dd8984a261da..f085b1648e66c 100644
    1879     --- a/net/bridge/br_device.c
    1880     +++ b/net/bridge/br_device.c
    1881     @@ -33,7 +33,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
    1882     struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats);
    1883     const struct nf_br_ops *nf_ops;
    1884     const unsigned char *dest;
    1885     - struct ethhdr *eth;
    1886     u16 vid = 0;
    1887    
    1888     rcu_read_lock();
    1889     @@ -53,15 +52,14 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
    1890     BR_INPUT_SKB_CB(skb)->frag_max_size = 0;
    1891    
    1892     skb_reset_mac_header(skb);
    1893     - eth = eth_hdr(skb);
    1894     skb_pull(skb, ETH_HLEN);
    1895    
    1896     if (!br_allowed_ingress(br, br_vlan_group_rcu(br), skb, &vid))
    1897     goto out;
    1898    
    1899     if (IS_ENABLED(CONFIG_INET) &&
    1900     - (eth->h_proto == htons(ETH_P_ARP) ||
    1901     - eth->h_proto == htons(ETH_P_RARP)) &&
    1902     + (eth_hdr(skb)->h_proto == htons(ETH_P_ARP) ||
    1903     + eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) &&
    1904     br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) {
    1905     br_do_proxy_suppress_arp(skb, br, vid, NULL);
    1906     } else if (IS_ENABLED(CONFIG_IPV6) &&
    1907     diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
    1908     index d71935618871e..2da6896080363 100644
    1909     --- a/net/ipv4/ipmr.c
    1910     +++ b/net/ipv4/ipmr.c
    1911     @@ -259,7 +259,9 @@ static int __net_init ipmr_rules_init(struct net *net)
    1912     return 0;
    1913    
    1914     err2:
    1915     + rtnl_lock();
    1916     ipmr_free_table(mrt);
    1917     + rtnl_unlock();
    1918     err1:
    1919     fib_rules_unregister(ops);
    1920     return err;
    1921     diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
    1922     index dd41313d7fa50..aee1f6bc039ab 100644
    1923     --- a/net/ipv6/ip6mr.c
    1924     +++ b/net/ipv6/ip6mr.c
    1925     @@ -246,7 +246,9 @@ static int __net_init ip6mr_rules_init(struct net *net)
    1926     return 0;
    1927    
    1928     err2:
    1929     + rtnl_lock();
    1930     ip6mr_free_table(mrt);
    1931     + rtnl_unlock();
    1932     err1:
    1933     fib_rules_unregister(ops);
    1934     return err;
    1935     diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
    1936     index e70f990334083..6f36df85d23d8 100644
    1937     --- a/net/sched/sch_api.c
    1938     +++ b/net/sched/sch_api.c
    1939     @@ -1195,7 +1195,7 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
    1940    
    1941     err = -ENOENT;
    1942     if (!ops) {
    1943     - NL_SET_ERR_MSG(extack, "Specified qdisc not found");
    1944     + NL_SET_ERR_MSG(extack, "Specified qdisc kind is unknown");
    1945     goto err_out;
    1946     }
    1947    
    1948     diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
    1949     index 836e629e8f4ab..661bc2551a0a2 100644
    1950     --- a/net/tipc/name_distr.c
    1951     +++ b/net/tipc/name_distr.c
    1952     @@ -290,7 +290,7 @@ static bool tipc_update_nametbl(struct net *net, struct distr_item *i,
    1953     pr_warn_ratelimited("Failed to remove binding %u,%u from %x\n",
    1954     type, lower, node);
    1955     } else {
    1956     - pr_warn("Unrecognized name table message received\n");
    1957     + pr_warn_ratelimited("Unknown name table message received\n");
    1958     }
    1959     return false;
    1960     }
    1961     diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
    1962     index 68571c40d61f6..a3e6fccff7123 100644
    1963     --- a/security/integrity/ima/ima_fs.c
    1964     +++ b/security/integrity/ima/ima_fs.c
    1965     @@ -494,12 +494,12 @@ int __init ima_fs_init(void)
    1966    
    1967     return 0;
    1968     out:
    1969     + securityfs_remove(ima_policy);
    1970     securityfs_remove(violations);
    1971     securityfs_remove(runtime_measurements_count);
    1972     securityfs_remove(ascii_runtime_measurements);
    1973     securityfs_remove(binary_runtime_measurements);
    1974     securityfs_remove(ima_symlink);
    1975     securityfs_remove(ima_dir);
    1976     - securityfs_remove(ima_policy);
    1977     return -1;
    1978     }
    1979     diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
    1980     index e725d41872713..a073e49d5cd7d 100644
    1981     --- a/security/integrity/ima/ima_policy.c
    1982     +++ b/security/integrity/ima/ima_policy.c
    1983     @@ -1382,6 +1382,14 @@ int ima_policy_show(struct seq_file *m, void *v)
    1984    
    1985     rcu_read_lock();
    1986    
    1987     + /* Do not print rules with inactive LSM labels */
    1988     + for (i = 0; i < MAX_LSM_RULES; i++) {
    1989     + if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
    1990     + rcu_read_unlock();
    1991     + return 0;
    1992     + }
    1993     + }
    1994     +
    1995     if (entry->action & MEASURE)
    1996     seq_puts(m, pt(Opt_measure));
    1997     if (entry->action & DONT_MEASURE)
    1998     diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
    1999     index 6aa6408603e33..2283051d063bc 100644
    2000     --- a/security/integrity/ima/ima_template.c
    2001     +++ b/security/integrity/ima/ima_template.c
    2002     @@ -29,6 +29,7 @@ static struct ima_template_desc builtin_templates[] = {
    2003    
    2004     static LIST_HEAD(defined_templates);
    2005     static DEFINE_SPINLOCK(template_list);
    2006     +static int template_setup_done;
    2007    
    2008     static const struct ima_template_field supported_fields[] = {
    2009     {.field_id = "d", .field_init = ima_eventdigest_init,
    2010     @@ -82,10 +83,11 @@ static int __init ima_template_setup(char *str)
    2011     struct ima_template_desc *template_desc;
    2012     int template_len = strlen(str);
    2013    
    2014     - if (ima_template)
    2015     + if (template_setup_done)
    2016     return 1;
    2017    
    2018     - ima_init_template_list();
    2019     + if (!ima_template)
    2020     + ima_init_template_list();
    2021    
    2022     /*
    2023     * Verify that a template with the supplied name exists.
    2024     @@ -109,6 +111,7 @@ static int __init ima_template_setup(char *str)
    2025     }
    2026    
    2027     ima_template = template_desc;
    2028     + template_setup_done = 1;
    2029     return 1;
    2030     }
    2031     __setup("ima_template=", ima_template_setup);
    2032     @@ -117,7 +120,7 @@ static int __init ima_template_fmt_setup(char *str)
    2033     {
    2034     int num_templates = ARRAY_SIZE(builtin_templates);
    2035    
    2036     - if (ima_template)
    2037     + if (template_setup_done)
    2038     return 1;
    2039    
    2040     if (template_desc_init_fields(str, NULL, NULL) < 0) {
    2041     @@ -128,6 +131,7 @@ static int __init ima_template_fmt_setup(char *str)
    2042    
    2043     builtin_templates[num_templates - 1].fmt = str;
    2044     ima_template = builtin_templates + num_templates - 1;
    2045     + template_setup_done = 1;
    2046    
    2047     return 1;
    2048     }
    2049     diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
    2050     index 5109173839cc5..c7f0f82a9a110 100644
    2051     --- a/security/integrity/integrity_audit.c
    2052     +++ b/security/integrity/integrity_audit.c
    2053     @@ -36,6 +36,8 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
    2054     return;
    2055    
    2056     ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno);
    2057     + if (!ab)
    2058     + return;
    2059     audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
    2060     task_pid_nr(current),
    2061     from_kuid(&init_user_ns, current_cred()->uid),
    2062     diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
    2063     index 6357ac508ad1e..67b7d2af1755d 100644
    2064     --- a/tools/perf/util/probe-event.c
    2065     +++ b/tools/perf/util/probe-event.c
    2066     @@ -2954,6 +2954,9 @@ static int find_probe_trace_events_from_map(struct perf_probe_event *pev,
    2067     for (j = 0; j < num_matched_functions; j++) {
    2068     sym = syms[j];
    2069    
    2070     + if (sym->type != STT_FUNC)
    2071     + continue;
    2072     +
    2073     tev = (*tevs) + ret;
    2074     tp = &tev->point;
    2075     if (ret == num_matched_functions) {